diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 74761a2bf..85300a7e0 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -25,13 +25,14 @@ profile firefox-vaapitest @{exec_path} { /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, - deny owner @{config_dirs}/firefox/*/.parentlock rw, - deny owner @{config_dirs}/firefox/*/startupCache/** r, - deny owner @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r, - owner /tmp/firefox/.parentlock rw, - @{sys}/devices/pci[0-9]*/**/{irq,revision,resource} r, + @{sys}/devices/@{pci}/{irq,revision,resource} r, + @{sys}/devices/@{pci}/config r, + + deny @{config_dirs}/firefox/*/.parentlock rw, + deny @{config_dirs}/firefox/*/startupCache/** r, + deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 818ecff8e..7c70c1f74 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -123,10 +123,13 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /usr/share/xdg-desktop-portal/** r, /etc/pipewire/client.conf.d/ r, + /etc/sysconfig/proxy r, /var/lib/flatpak/exports/share/mime/mime.cache r, /var/lib/flatpak/exports/share/applications/{**,} r, + @{user_config_dirs}/kioslaverc r, + owner /tmp/icon* rw, owner @{run}/user/@{uid}/.flatpak/{,*/*} r, diff --git a/apparmor.d/groups/kde/kwalletd5 b/apparmor.d/groups/kde/kwalletd5 index 5c7d125cd..77e755ce6 100644 --- a/apparmor.d/groups/kde/kwalletd5 +++ b/apparmor.d/groups/kde/kwalletd5 @@ -12,6 +12,7 @@ profile kwalletd5 @{exec_path} { include include include + include include include include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index b72c03d7e..e5d3e44c0 100644 
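Review bot: The added `@{sys}/devices/@{pci}/config r,` rule in firefox-vaapitest opens PCI config space for every device `@{pci}` matches, not only the GPU being probed, and the profile does not say why the read is needed. Without CAP_SYS_ADMIN the kernel limits a sysfs `config` read to the standard header, so exposure is small as long as this profile never gains that capability. I would record that above the rule, for example `# PCI header read during VA-API probing; stays header-only while no sys_admin capability is granted`, if that is indeed the reason. The thunderbird-vaapitest hunk adds the same rule and should get the same comment. The profile body starts outside the hunk.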
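Review bot: `@{user_config_dirs}/kioslaverc r,` in xdg-desktop-portal is added without the `owner` qualifier, although the per-user rules beside it in this hunk (`owner /tmp/icon* rw,` and the `owner @{run}/user/@{uid}/.flatpak/` rule) carry it. The file appears to hold a user's KDE proxy settings, so `owner @{user_config_dirs}/kioslaverc r,` would stop the portal from reading another user's copy. The plasmashell hunk has the same gap: `@{HOME}/ r,` sits directly above two `owner` rules, and `owner @{HOME}/ r,` is the narrower form unless listing other users' home directories is intended. Both profile bodies continue outside their hunks.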
--- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -92,6 +92,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /etc/sensors.d/ r, /etc/xdg/** r, + @{HOME}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{user_templates_dirs}/ r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 9bae1db20..5172c71e0 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -18,6 +18,8 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability sys_ptrace, + ptrace (read) peer=unconfined, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName}, diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11 index 0a6c7f36e..1146d9543 100644 --- a/apparmor.d/profiles-s-z/start-pulseaudio-x11 +++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11 @@ -18,6 +18,8 @@ profile start-pulseaudio-x11 @{exec_path} { @{bin}/plasmashell rPx, @{bin}/sed rix, + /etc/sysconfig/sound r, + /dev/tty rw, include if exists diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index 7739c01e5..909ebc218 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -28,7 +28,8 @@ profile thunderbird-vaapitest @{exec_path} { owner /tmp/thunderbird/.parentlock rw, - @{sys}/devices/@{pci}/{irq,resource,revision} r, + @{sys}/devices/@{pci}/{irq,revision,resource} r, + @{sys}/devices/@{pci}/config r, deny @{cache_dirs}/*/startupCache/** r, deny @{config_dirs}/*/.parentlock rw,
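Review bot: `ptrace (read) peer=unconfined,` in nm-dispatcher is added right after the existing `capability sys_ptrace` with no comment naming the dispatcher action that needs it, and `peer=unconfined` covers every unconfined process on the system. Because the capability already lifts the usual same-user ptrace restriction, this rule is the main thing bounding whose `/proc/<pid>` details the dispatcher and its scripts can read. I would document the trigger above the rule, for example `# ptrace read: required by <tool or script named in the denial log>`. It is also worth checking the audit log to see whether the denial came from a single peer that could be named instead of `unconfined`. The profile body continues outside the hunk.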