From 00327dfae17112aac14ab572ddb1ed026797465c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 17 May 2025 18:38:48 +0200
Subject: [PATCH] feat(profile): minor improvements.
---
 apparmor.d/groups/apt/apt | 2 +-
 apparmor.d/groups/apt/apt-systemd-daily | 2 +-
 apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +-
 apparmor.d/groups/apt/unattended-upgrade | 7 +++++--
 apparmor.d/groups/grub/update-grub | 5 +++--
 apparmor.d/profiles-a-f/acpi | 1 -
 apparmor.d/profiles-a-f/evince | 5 +++--
 apparmor.d/profiles-g-l/kmod | 14 +++++++++++++-
 apparmor.d/profiles-m-r/mkinitramfs | 6 ++++++
 apparmor.d/profiles-s-z/spice-vdagent | 2 ++
 10 files changed, 35 insertions(+), 11 deletions(-)
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 5c33a1866..947dba149 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -177,7 +177,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 @{bin}/ r,
 @{sh_path} rix,
 @{pager_path} rmix,
- @{bin}/which{,.debianutils} rix,
+ @{bin}/which rix,
 /root/ r, # For shell pwd
diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily
index 04907876e..08e1400b2 100644
--- a/apparmor.d/groups/apt/apt-systemd-daily
+++ b/apparmor.d/groups/apt/apt-systemd-daily
@@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} {
 @{bin}/touch rix,
 @{bin}/uniq rix,
 @{bin}/wc rix,
- @{bin}/which{,.debianutils} rix,
+ @{bin}/which rix,
 @{bin}/xargs rix,
 @{bin}/apt-config rPx,
diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle
index c700e325f..59f7a54f6 100644
--- a/apparmor.d/groups/apt/aptitude-create-state-bundle
+++ b/apparmor.d/groups/apt/aptitude-create-state-bundle
@@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} {
 @{exec_path} r,
 @{sh_path} rix,
- @{bin}/which{,.debianutils} rix,
+ @{bin}/which rix,
 @{bin}/tar rix,
 @{bin}/bzip2 rix,
 @{bin}/gzip rix,
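Review bot: Narrowing `@{bin}/which{,.debianutils} rix,` to `@{bin}/which rix,` assumes `which` is a regular file at that path; on Debian releases where `/usr/bin/which` is still an alternatives symlink to `which.debianutils`, AppArmor matches the resolved target path, so the narrowed rule would produce an exec denial there. If the project now covers that case elsewhere (an alias rule or the tunable), a short comment on the rule such as `# which.debianutils alternative no longer shipped` would save the next reader the same question; otherwise the `{,.debianutils}` alternation should stay. The same narrowing is applied to apt-systemd-daily and aptitude-create-state-bundle in this commit, so whichever way it is resolved should be applied to all three. The apt profile body starts and ends outside this hunk.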
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 3e60798e9..8413d9975 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -10,13 +10,14 @@ include
 @{exec_path} = @{bin}/unattended-upgrade
 profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 include
- include
 include
 include
 include
 include
+ include
 include
 include
+ include
 include
 capability chown,
@@ -65,7 +66,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 @{etc_ro}/login.defs r,
 @{etc_ro}/security/capability.conf r,
- /etc/apport/report-ignore/ r,
+ /etc/apport/report-ignore/{,**} r,
 /etc/apt/*.list r,
 /etc/apt/apt.conf.d/{,**} r,
 /etc/debian_version r,
@@ -89,8 +90,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 /etc/vmware-tools/* r,
 /var/log/unattended-upgrades/{,**} rw,
+ /var/crash/*.crash w,
 /var/lib/apt/periodic/unattended-upgrades-stamp w,
+ /var/lib/dpkg/info/ r,
 /var/lib/dpkg/lock rwk,
 /var/lib/dpkg/lock-frontend rwk,
 /var/lib/dpkg/updates/ r,
diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub
index 1996b346b..ff17c160a 100644
--- a/apparmor.d/groups/grub/update-grub
+++ b/apparmor.d/groups/grub/update-grub
@@ -14,8 +14,9 @@ profile update-grub @{exec_path} {
 capability dac_read_search,
 @{exec_path} mr,
- @{sh_path} rix,
- @{sbin}/grub-mkconfig rPx,
+
+ @{sh_path} rix,
+ @{sbin}/grub-mkconfig rPx,
 /dev/tty@{int} rw,
diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi
index 2914180e6..3b42be234 100644
--- a/apparmor.d/profiles-a-f/acpi
+++ b/apparmor.d/profiles-a-f/acpi
@@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) {
 @{sys}/devices/**/power_supply/{,**} r,
 @{sys}/devices/virtual/thermal/{,**} r,
- include if exists
 }
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 5ae754138..b7b087309 100644
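Review bot: `/var/crash/*.crash w,` lets the profile create, truncate or overwrite any crash report in `/var/crash`, not only the one produced for unattended-upgrade itself, and those reports are forensic data from other programs. The write is presumably apport's Python exception hook; apport names reports after the executable path and uid, so a pattern along the lines of `/var/crash/_usr_bin_unattended-upgrade.@{uid}.crash w,` should be enough — confirm against a real report name before narrowing. A comment such as `# apport python hook` on the rule would also document why an updater writes crash files. The unattended-upgrade profile body starts and ends outside this hunk.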
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -44,13 +44,14 @@ profile evince @{exec_path} {
 /usr/share/poppler/{,**} r,
 /usr/share/thumbnailers/{,*} r,
- owner @{user_share_dirs}/ r,
 owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_config_dirs}/evince/{,*} rw,
+ owner @{tmp}/.goutputstream-@{rand6} rw,
 owner @{tmp}/*.pdf r,
 owner @{tmp}/evince-@{int}/{,**} rw,
- owner @{tmp}/gtkprint* rw,
+ owner @{tmp}/gtkprint_@{rand6} rw,
+ owner @{tmp}/gtkprint@{rand6} rw,
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index 0338e3975..ccc8d6913 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 @{bin}/basename rix,
 @{bin}/false rix,
 @{bin}/id rix,
- @{sbin}/sysctl rPx,
+ @{sbin}/sysctl rCx -> sysctl,
 @{bin}/true rix,
 @{lib}/modprobe.d/{,*.conf} r,
@@ -74,6 +74,18 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 deny @{user_share_dirs}/gvfs-metadata/* r,
 deny unix (receive) type=stream,
+ profile sysctl {
+ include
+
+ @{sbin}/sysctl mr,
+
+ /etc/sysctl.conf r,
+ /etc/sysctl.d/{,**} r,
+ /usr/lib/sysctl.d/{,**} r,
+
+ include if exists
+ }
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index ad626192c..eaf5645f3 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
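Review bot: `owner @{tmp}/.goutputstream-@{rand6} rw,` looks like GIO's temporary file for an atomic replace, where the stream is written to `.goutputstream-XXXXXX` and then renamed over the destination; if that is what triggered the denial, the rename also needs `w` on the target, and the neighbouring `owner @{tmp}/*.pdf r,` grants only read, so a save into `@{tmp}` would still fail after this change. Check the audit log for the rename target and either widen that rule or add a comment stating that only the temp-file write is meant to be allowed. The narrowed `gtkprint_@{rand6}` / `gtkprint@{rand6}` patterns and the dropped `owner @{user_share_dirs}/ r,` look right. The evince profile body starts and ends outside this hunk.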
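Review bot: The new `sysctl` child profile only grants read access to `/etc/sysctl.conf`, `/etc/sysctl.d/` and `/usr/lib/sysctl.d/`, yet sysctl's whole job is to write values under `/proc/sys`, and nothing in the child allows that (as far as I can tell `abstractions/base` does not either), so the `rCx -> sysctl` transition in the first hunk turns a working `rPx` into a sysctl that can parse its configuration but apply nothing. If kmod only reaches sysctl through a specific modprobe `install` hook (on Debian, for instance, the nf_conntrack hook runs `sysctl -q --pattern ... --system`), scope the write to that subtree, e.g. `@{PROC}/sys/net/netfilter/** w,`, otherwise a broader `@{PROC}/sys/** w,` is needed. `sysctl --system` also reads `/run/sysctl.d/`, `/usr/local/lib/sysctl.d/` and `/lib/sysctl.d/`, which should be added or be deliberately omitted with a comment. Please confirm against an actual denial log before merging; the kmod profile body starts outside these hunks.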
@@ -96,6 +96,12 @@ profile mkinitramfs @{exec_path} {
 owner /var/tmp/mkinitramfs-@{rand6} rw,
 owner /var/tmp/mkinitramfs-*_@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
+ owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+
 @{sys}/devices/platform/ r,
 @{sys}/devices/platform/**/ r,
 @{sys}/devices/platform/**/modalias r,
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 9562fec75..c73f5f678 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -47,6 +47,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pids}/task/@{tid}/comm rw,
+ /dev/udmabuf rw,
+
 include if exists
 }
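Review bot: The five new rules hard-code `/tmp/tmp.@{rand10}/...` while the evince hunk in this same patch uses the `@{tmp}` tunable; if `@{tmp}` covers `/tmp` in this project, writing them as `owner @{tmp}/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,` (and likewise for the other four) keeps the profile consistent and lets it follow the tunable if it is ever changed. The `rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**` form correctly confines links to the same tree, but a one-line comment noting that `tmp.@{rand10}` is presumably a `mktemp -d` directory would help the next reader verify the glob. The mkinitramfs profile body starts and ends outside this hunk.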
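Review bot: `/dev/udmabuf rw,` lets the agent export its own memory as dma-buf objects, a noticeably broader device grant than the `@{PROC}` rules around it, and it carries no explanation. A one-line comment on the rule would document the need, e.g. `# dma-buf export, presumably for guest display/clipboard buffer sharing - confirm`, so a future reviewer does not have to rediscover which feature requires it. The spice-vdagent profile body starts outside this hunk.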