Merge branch 'roddhjav:main' into main

apparmor.d/abstractions/app/sudo

@@ -36,8 +36,6 @@
   @{bin}/sudo     mr,
   @{lib}/sudo/**  mr,
 
-  @{etc_ro}/environment r,
-  @{etc_ro}/security/limits.d/{,*} r,
   @{etc_ro}/sudo.conf r,
   @{etc_ro}/sudoers r,
   @{etc_ro}/sudoers.d/{,*} r,
@@ -46,15 +44,15 @@
   /etc/machine-id r,
 
         /var/db/sudo/lectured/ r,
-  owner /var/lib/sudo/ts/ rw,   
+  owner /var/lib/sudo/ts/ rw,
   owner /var/lib/sudo/ts/@{uid} rwk,
   owner /var/log/sudo.log wk,
 
   owner @{HOME}/.sudo_as_admin_successful rw,
 
   # yubikey support
-  owner @{HOME}/.yubico/challenge-* rw,
         @{HOME}/.yubico/ r,
+  owner @{HOME}/.yubico/challenge-* rw,
 
         @{run}/faillock/ rw,
         @{run}/faillock/@{user} rwk,

apparmor.d/abstractions/app/systemctl

@@ -8,9 +8,9 @@
   include <abstractions/bus-system>
   include <abstractions/consoles>
 
-  ptrace (read) peer=@{p_systemd},
+  ptrace read peer=@{p_systemd},
 
-  unix (bind) type=stream addr=@@{hex16}/bus/systemctl/,
+  unix bind type=stream addr=@@{hex16}/bus/systemctl/,
 
   @{bin}/systemctl mr,
 

apparmor.d/abstractions/audio-server

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
 # Provide access to audio devices. It should only be used by audio servers that
-# need direct access to them. 
+# need direct access to them.
 
   abi <abi/4.0>,
 

apparmor.d/abstractions/bus/org.freedesktop.GeoClue2

@@ -18,7 +18,7 @@
        interface=org.freedesktop.DBus.Properties
        member=GetAll
        peer=(name="@{busname}", label=geoclue),
-  
+
   dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
        interface=org.freedesktop.DBus.Properties
        member=GetAll

apparmor.d/abstractions/common/bwrap

@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-# A minimal set of rules for sandboxed programs using bwrap. 
+# A minimal set of rules for sandboxed programs using bwrap.
 # A profile using this abstraction still needs to set:
 # - the flag: attach_disconnected
 # - bwrap execution: '@{bin}/bwrap rix,'
@@ -44,17 +44,16 @@
   owner /tmp/newroot/ w,
   owner /tmp/oldroot/ w,
 
+               @{PROC}/sys/kernel/overflowgid r,
+               @{PROC}/sys/kernel/overflowuid r,
         @{att}/@{PROC}/sys/user/max_user_namespaces rw,
   owner @{att}/@{PROC}/@{pid}/cgroup r,
+  owner @{att}/@{PROC}/@{pid}/fd/ r,
   owner @{att}/@{PROC}/@{pid}/gid_map rw,
   owner @{att}/@{PROC}/@{pid}/mountinfo r,
   owner @{att}/@{PROC}/@{pid}/setgroups rw,
   owner @{att}/@{PROC}/@{pid}/uid_map rw,
 
-        @{PROC}/sys/kernel/overflowgid r,
-        @{PROC}/sys/kernel/overflowuid r,
-  owner @{PROC}/@{pid}/fd/ r,
-
   include if exists <abstractions/common/bwrap.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/common/electron

@@ -2,8 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-# Minimal set of rules for all electron based UI application. It works as a 
-# *function* and requires some variables to be provided as *arguments* and set 
+# Minimal set of rules for all electron based UI application. It works as a
+# *function* and requires some variables to be provided as *arguments* and set
 # in the header of the calling profile. Example:
 #
 # @{name} = spotify

apparmor.d/abstractions/common/steam-game

@@ -23,7 +23,7 @@
   owner @{share_dirs}/logs/* rwk,
   owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
   owner @{share_dirs}/steamapps/ r,
-  owner @{share_dirs}/steamapps/appmanifest_* rw, 
+  owner @{share_dirs}/steamapps/appmanifest_* rw,
   owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
 
   owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,

apparmor.d/abstractions/desktop

@@ -21,7 +21,7 @@
 
     dbus receive bus=session
          interface=org.freedesktop.DBus.Introspectable
-         member=Introspect 
+         member=Introspect
          peer=(name=:*, label=gnome-shell),
 
     /usr/{local/,}share/ r,
@@ -52,7 +52,7 @@
 
     owner @{user_cache_dirs}/#@{int} rw,
     owner @{user_cache_dirs}/icon-cache.kcache rw,
-    owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,
+    owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,
 
     owner @{user_config_dirs}/baloofilerc r,
     owner @{user_config_dirs}/dolphinrc r,
@@ -67,7 +67,7 @@
 
   # else if @{DE} == xfce
 
-    /usr/share/xfce4/ r,
+    /usr/share/xfce{,4}/ r,
 
     owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
     owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,

apparmor.d/abstractions/disks-read

@@ -76,7 +76,7 @@
   /dev/sr@{int} rk,
 
   # Lookup block device by major:minor numbers
-  # See: https://apparmor.pujol.io/development/structure/#udev-rules
+  # See: https://apparmor.pujol.io/development/internal/#udev-rules
 
   @{sys}/block/ r,
   @{sys}/class/block/ r,

apparmor.d/abstractions/dri

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
 # The Direct Rendering Infrastructure (DRI) is the framework comprising the modern
-# Linux graphics stack which allows unprivileged user-space programs to issue 
+# Linux graphics stack which allows unprivileged user-space programs to issue
 # commands to graphics hardware without conflicting with other programs.
 
   abi <abi/4.0>,

apparmor.d/abstractions/gnome-strict

@@ -13,7 +13,7 @@
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
-       member=Introspect 
+       member=Introspect
        peer=(name=:*, label=gnome-shell),
 
   /usr/share/desktop-base/{,**} r,

apparmor.d/abstractions/gstreamer

@@ -6,10 +6,9 @@
   abi <abi/4.0>,
 
   @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
-  @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
+  @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr,
   @{lib}/frei0r-@{int}/*.so mr,
 
-  # FIXME: not compatible with FSP mode due conflicting x modifiers 
   @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
   @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix,
   @{lib}/gstreamer-1.0/gst-plugin-scanner rix,
@@ -40,7 +39,7 @@
   @{run}/udev/data/+usb:* r,              # For /dev/bus/usb/**
 
   @{run}/udev/data/c81:@{int}  r,         # For video4linux
-  @{run}/udev/data/c189:@{int} r,         # For USB serial converters 
+  @{run}/udev/data/c189:@{int} r,         # For USB serial converters
   @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
 
   @{sys}/bus/ r,

apparmor.d/abstractions/lxqt

@@ -18,7 +18,7 @@
   /usr/share/hwdata/pnp.ids r,
   /usr/share/icu/@{int}.@{int}/*.dat r,
   /usr/share/lxqt/** r,
- 
+
   owner @{HOME}/.Xdefaults r,
 
   owner @{user_cache_dirs}/lxqt-notificationd/* r,

apparmor.d/abstractions/uim

@@ -6,12 +6,12 @@
   abi <abi/4.0>,
 
   /usr/share/uim/* r,
-  
+
   /var/lib/uim/* r,
-  
+
   owner @{HOME}/.uim.d/customs/* r,
   owner @{HOME}/.XCompose r,
-  
+
   owner @{run}/user/@{uid}/uim/socket/uim-helper rw,
 
   include if exists <abstractions/uim.d>

apparmor.d/abstractions/xfce

@@ -11,7 +11,7 @@
   include <abstractions/X-strict>
   include <abstractions/xdg-desktop>
 
-  /usr/share/xfce4/ r,
+  /usr/share/xfce{,4}/ r,
 
   owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
   owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,

apparmor.d/groups/akonadi/akonadi_followupreminder_agent

@@ -22,7 +22,7 @@ profile akonadi_followupreminder_agent @{exec_path} {
   owner @{user_config_dirs}/akonadi_followupreminder_agentrc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
-  
+
   /dev/tty r,
 
   include if exists <local/akonadi_followupreminder_agent>

apparmor.d/groups/akonadi/akonadi_ical_resource

@@ -22,7 +22,7 @@ profile akonadi_ical_resource @{exec_path} {
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
 
   owner @{user_share_dirs}/apps/korganizer/{,**} rw,
-  
+
   /dev/tty r,
 
   include if exists <local/akonadi_ical_resource>

apparmor.d/groups/akonadi/akonadi_mailfilter_agent

@@ -34,7 +34,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
   owner @{user_config_dirs}/emailidentities* rwl,
 
   owner @{user_config_dirs}/kmail2rc r,
-  
+
   owner @{tmp}/#@{int} rw,
   owner @{tmp}/akonadi_mailfilter_agent.* rwl,
 

apparmor.d/groups/akonadi/akonadi_migration_agent

@@ -20,7 +20,7 @@ profile akonadi_migration_agent @{exec_path} {
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
 
   owner @{user_share_dirs}/akonadi_migration_agent/{,**} rw,
-  
+
   /dev/tty r,
 
   include if exists <local/akonadi_migration_agent>

apparmor.d/groups/apt/apt-helper

@@ -22,7 +22,7 @@ profile apt-helper @{exec_path} {
   profile systemctl {
     include <abstractions/base>
     include <abstractions/app/systemctl>
-  
+
     capability net_admin,
 
     include if exists <local/apt-helper_systemctl>

apparmor.d/groups/apt/apt-key

@@ -78,7 +78,7 @@ profile apt-key @{exec_path} {
     @{bin}/gpg-connect-agent rix,
 
     /usr/share/gnupg/sks-keyservers.netCA.pem r,
-  
+
     /etc/hosts r,
     /etc/inputrc r,
 
@@ -96,7 +96,7 @@ profile apt-key @{exec_path} {
     owner @{tmp}/apt-key-gpghome.*/ rw,
     owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
     owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w,
-  
+
     owner @{run}/user/@{uid}/gnupg/d.*/ rw,
 
     owner @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/apt/debsign

@@ -34,7 +34,7 @@ profile debsign @{exec_path} {
   @{bin}/stty       rix,
 
   @{bin}/gpg{,2} rCx -> gpg,
-  
+
   /etc/devscripts.conf r,
 
   owner @{HOME}/.devscripts r,

apparmor.d/groups/apt/reportbug

@@ -108,7 +108,7 @@ profile reportbug @{exec_path} {
   profile systemctl {
     include <abstractions/base>
     include <abstractions/app/systemctl>
-  
+
     include if exists <local/reportbug_systemctl>
   }
 

apparmor.d/groups/browsers/torbrowser-launcher

@@ -37,7 +37,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) {
   @{bin}/tail      ix,
 
   @{lib_dirs}/execdesktop       ix,
-  @{lib_dirs}/start-tor-browser Px, # torbrowser-start 
+  @{lib_dirs}/start-tor-browser Px, # torbrowser-start
   @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix,
 
   /usr/share/file/** r,

apparmor.d/groups/browsers/torbrowser-tor

@@ -9,7 +9,7 @@ include <tunables/global>
 @{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
 @{data_dirs} = @{lib_dirs}/TorBrowser/Data/
 
-@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor 
+@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
 profile torbrowser-tor @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/bus/dbus-system

@@ -4,7 +4,7 @@
 
 # Profile for system dbus, regardless of the dbus implementation used.
 # It does not specify an attachment path as it would be the same than
-# "dbus-session". It is intended to be used only via "Px ->" or via 
+# "dbus-session". It is intended to be used only via "Px ->" or via
 # systemd drop-in AppArmorProfile= setting.
 
 abi <abi/4.0>,
@@ -16,7 +16,7 @@ include <tunables/global>
 profile dbus-system flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
-  include <abstractions/consoles>
+  include <abstractions/attached/consoles>
   include <abstractions/deny-sensitive-home>
   include <abstractions/nameservice-strict>
 

apparmor.d/groups/bus/ibus-memconf

@@ -18,7 +18,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
-       member=Introspect 
+       member=Introspect
        peer=(name=:*, label=gnome-shell),
 
   @{exec_path} mr,

apparmor.d/groups/children/child-modprobe-nvidia

@@ -9,7 +9,7 @@
 # and load the the nvidia kernel module.
 
 # Note: This profile does not specify an attachment path because it is
-# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions 
+# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
 # from other profiles.
 
 abi <abi/4.0>,

apparmor.d/groups/children/child-open-any

@@ -31,7 +31,7 @@ profile child-open-any flags=(attach_disconnected) {
   /                             r,
   /usr/                         r,
   /usr/local/bin/               r,
-  
+
   /dev/tty rw,
 
   include if exists <usr/child-open-any.d>

apparmor.d/groups/cron/cron-cracklib

@@ -12,7 +12,7 @@ profile cron-cracklib @{exec_path} {
   include <abstractions/consoles>
 
   @{exec_path} r,
-  
+
   @{sh_path}               rix,
   @{bin}/logger            rix,
   @{bin}/update-cracklib  rPx,

apparmor.d/groups/cron/cron-etckeeper

@@ -12,7 +12,7 @@ profile cron-etckeeper @{exec_path} {
   include <abstractions/consoles>
 
   @{exec_path} r,
-  
+
   @{sh_path}         rix,
   @{bin}/rm          rix,
   @{bin}/find        rix,

apparmor.d/groups/cron/cron-sysstat

@@ -12,7 +12,7 @@ profile cron-sysstat @{exec_path} {
   include <abstractions/consoles>
 
   @{exec_path} r,
-  
+
   @{sh_path}         rix,
   @{lib}/sysstat/sa2 rPx,
 

apparmor.d/groups/display-manager/lightdm-xsession

@@ -32,7 +32,7 @@ profile lightdm-xsession @{exec_path} {
   profile systemctl {
     include <abstractions/base>
     include <abstractions/app/systemctl>
-  
+
     owner @{HOME}/.xsession-errors w,
 
     include if exists <local/lightdm-xsession_systemctl>