From 04683eeccb2f6a38ad749a9cfbeda5a58514def7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 11 Feb 2024 12:44:40 +0000 Subject: [PATCH] feat(profile): general update. --- .../bus/org.kde.StatusNotifierWatcher | 2 +- apparmor.d/groups/_full/systemd | 11 +----- apparmor.d/groups/_full/systemd-service | 9 +++-- apparmor.d/groups/apps/calibre | 1 - apparmor.d/groups/apt/apt-helper | 1 + apparmor.d/groups/freedesktop/dconf-service | 1 + .../polkit-kde-authentication-agent | 38 ++++++------------- apparmor.d/groups/freedesktop/xdg-settings | 1 + apparmor.d/groups/freedesktop/xorg | 1 + apparmor.d/groups/gnome/gnome-session-binary | 3 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/ssh/gcr-ssh-agent | 16 ++++++++ apparmor.d/groups/virt/dockerd | 2 +- apparmor.d/profiles-a-f/flatpak | 2 +- apparmor.d/profiles-g-l/gsettings | 1 + apparmor.d/profiles-s-z/spice-vdagent | 4 +- apparmor.d/tunables/multiarch.d/paths | 2 +- 17 files changed, 51 insertions(+), 46 deletions(-) create mode 100644 apparmor.d/groups/ssh/gcr-ssh-agent diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index 77e41efde..28ccc4a4b 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher @@ -10,7 +10,7 @@ dbus send bus=session path=/StatusNotifierWatcher interface=org.kde.StatusNotifierWatcher member=RegisterStatusNotifierItem - peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), + peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell), dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index dd398ba07..b2a7cf344 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd 
@@ -141,20 +141,12 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /etc/machine-id r, /etc/modules-load.d/ r, /etc/networkd-dispatcher/{,**} r, - /etc/pipewire/** r, - /etc/polkit*/** r, /etc/systemd/{,**} r, /etc/udev/hwdb.d/{,*} r, - /var/lib/gdm{3,}/.config/pulse/{,**} rw, - /var/lib/gdm{3,}/.config/pulse/cookie k, - /var/lib/gdm{3,}/.config/dconf/user r, - /var/lib/systemd/{,**} rw, owner /var/tmp/systemd-private-*/{,**} rw, - @{user_config_dirs}/pulse/{,**} rw, - /tmp/namespace-dev-@{rand6}/{,**} rw, /tmp/systemd-private-*/{,**} rw, @@ -173,7 +165,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{sys}/bus/ r, @{sys}/class/ r, - @{sys}/class/power_supply r, + @{sys}/class/power_supply/ r, @{sys}/class/sound/ r, @{sys}/devices/@{pci}/** r, @{sys}/devices/**/net/** r, @@ -219,6 +211,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { /dev/ r, /dev/bus/usb/ r, /dev/hwrng r, + /dev/kmsg w, /dev/rfkill rw, /dev/shm/ rw, /dev/tty rw, diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service index c65ab1e28..1b660489b 100644 --- a/apparmor.d/groups/_full/systemd-service +++ b/apparmor.d/groups/_full/systemd-service @@ -14,12 +14,15 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) { include include - capability sys_admin, - + @{bin}/ldconfig rix, + @{bin}/savelog rix, @{bin}/systemctl rix, @{coreutils_path} rix, @{shells_path} rmix, - @{bin}/ldconfig rix, + + # shadow.service + @{bin}/pwck rPx, + @{bin}/grpck rPx, @{bin}/grub-editenv rPx, @{bin}/ibus-daemon rPx, diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/groups/apps/calibre index e9ccda94b..c4e4b8942 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/groups/apps/calibre @@ -69,7 +69,6 @@ profile calibre @{exec_path} { /usr/share/hwdata/pnp.ids r, /usr/share/qt5/**.pak r, /usr/share/qt5ct/** r, - /usr/share/zoneinfo-icu/**.res r, /etc/fstab r, /etc/inputrc r, 
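Review bot: Among the lines dropped from the systemd profile, `/var/lib/systemd/{,**} rw,` is the only one that is not a user-session path (the others are pulse, pipewire, polkit and gdm dconf entries), and PID 1 writes its own state under /var/lib/systemd; unless that rule is now supplied by an include not visible here, the removal will surface as denials on the next boot, so please confirm before merging or keep the line. The added `/dev/kmsg w,` is consistent with systemd logging to the kernel ring buffer early in boot and looks fine. The profile body continues outside this hunk.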
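Review bot: `@{bin}/pwck rPx,` and `@{bin}/grpck rPx,` transition into dedicated `pwck` and `grpck` profiles, but the diffstat shows no such profiles being added (the only new file is gcr-ssh-agent); a `Px` transition to a profile that does not exist is an exec denial, so shadow.service would fail rather than fall back to unconfined. Either add the two profiles in this commit or, if they already exist in the set, note that in the commit message — please confirm. Dropping `capability sys_admin,` here is a welcome tightening, since everything run under `ix` (ldconfig, savelog, the shells) inherited it. The profile body continues outside this hunk.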
diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index 805d3e34a..3d52177e2 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -15,6 +15,7 @@ profile apt-helper @{exec_path} { @{bin}/nm-online rPx, @{bin}/systemctl rPx -> child-systemctl, + @{lib}/systemd/systemd-networkd-wait-online rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service index d074a30ef..160ef5e67 100644 --- a/apparmor.d/groups/freedesktop/dconf-service +++ b/apparmor.d/groups/freedesktop/dconf-service @@ -13,6 +13,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) { include include + signal (receive) set=(cont, term) peer=systemd-user, signal (receive) set=(term kill hup) peer=dbus-daemon, signal (receive) set=(term hup) peer=gdm*, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 624126a0b..5ff1866f8 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -9,21 +9,20 @@ include @{exec_path} = @{lib}/@{multiarch}/polkit-kde-authentication-agent-[0-9] @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9] -profile polkit-kde-authentication-agent @{exec_path} { +profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected) { include include - include include - include - include - include - include + include + include include include - include - include - include - include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, signal (send) set=(term, kill) peer=polkit-agent-helper, 
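Review bot: The new `network inet stream,` / `network inet6 stream,` (and the dgram and netlink) rules give the polkit authentication agent — the process that prompts users for their password — unrestricted IP access, and the same hunk trims the include list down from eleven abstractions to six. AppArmor cannot scope these rules by destination at this policy level, so please add a comment stating which library or feature needs them, e.g. `# Needed by Qt's network layer — TODO confirm which call`, and if the need is only name resolution or a local socket, the narrower abstraction or a `unix` rule would be preferable. The include targets are not legible in this rendering, so I cannot tell which abstractions were dropped. The profile body continues in the next hunk.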
@@ -31,38 +30,25 @@ profile polkit-kde-authentication-agent @{exec_path} { @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, /usr/share/qt5ct/** r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, - /var/lib/dbus/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - - owner @{user_config_dirs}/kdedefaults/* r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, owner @{user_config_dirs}/qt5ct/{,**} r, owner /tmp/#@{int} rw, owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, - owner /tmp/xauth_@{rand6} r, + # owner /tmp/xauth_@{rand6} r, + + /dev/shm/#@{int} rw, @{run}/systemd/users/@{uid} r, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/fd/ r, @{PROC}/sys/kernel/core_pattern r, - /dev/shm/#@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index ded4f4f72..80c8e657f 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -22,6 +22,7 @@ profile xdg-settings @{exec_path} { @{bin}/mktemp rix, @{bin}/mv rix, @{bin}/readlink rix, + @{bin}/realpath rix, @{bin}/sed rix, @{bin}/sort rix, @{bin}/uname rix, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index cc456b173..717178a5e 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -35,6 +35,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { signal (receive) peer=lightdm, signal (receive) peer=sddm, signal (receive) peer=xinit, + signal (receive) set=hup peer=gdm-session-worker, signal (receive) set=term peer=gdm{,-x-session}, unix (bind, listen) type=stream addr=@/tmp/.X11-unix/*, 
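Review bot: `# owner /tmp/xauth_@{rand6} r,` leaves a commented-out rule in the profile; if the access is no longer needed, delete the line rather than keep dead policy (history is in git), and if it is still needed on X11 sessions keep it active. The relocated `/dev/shm/#@{int} rw,` carries no `owner` prefix, unlike the /tmp rules just above it; `owner /dev/shm/#@{int} rw,` would limit it to the agent's own anonymous shared-memory files. The profile header is in the previous hunk.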
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index d1f7fb82c..8cab4f36a 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -29,7 +29,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network netlink raw, - signal (receive) set=(cont, term) peer=systemd-user, + signal (receive) set=(cont, term, hup) peer=systemd-user, + signal (receive) set=(hup) peer=@{systemd}, signal (receive) set=(term, hup) peer=gdm*, signal (send) set=(term) peer=at-spi-bus-launcher, signal (send) set=(term) peer=gsd-*, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index a48b4eb12..f341c803f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -162,7 +162,7 @@ profile pacman @{exec_path} { /dev/tty@{int} rw, owner /dev/pts/@{int} rw, - # Silencer, + # Silencer, deny @{HOME}/ r, deny /tmp/ r, diff --git a/apparmor.d/groups/ssh/gcr-ssh-agent b/apparmor.d/groups/ssh/gcr-ssh-agent new file mode 100644 index 000000000..9d556ada6 --- /dev/null +++ b/apparmor.d/groups/ssh/gcr-ssh-agent @@ -0,0 +1,16 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gcr-ssh-agent +profile gcr-ssh-agent @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index fcddbfba8..c2f1c41c2 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -13,7 +13,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { include include - capability chown, + capability chown, capability dac_override, capability dac_read_search, capability fowner, 
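Review bot: The new gcr-ssh-agent profile grants only `@{exec_path} mr,` on top of its one include, which is unlikely to be enough for an SSH agent: it has to bind and listen on a unix socket for clients and, as far as I know, gcr's agent spawns the system ssh-agent and proxies to it, which would also need an exec rule for `@{bin}/ssh-agent` and read access to the user's keys — treat that as something to confirm against a real session. Until the rule set is complete, consider `profile gcr-ssh-agent @{exec_path} flags=(complain) {` so the first logins produce audit entries instead of a broken agent, as this repository already does for the flatpak profile. Minor: the file lacks a trailing newline (`\ No newline at end of file`) and the copyright line reads 2023 for a file created in 2024.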
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 609f05092..42b5fce50 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -34,7 +34,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain @{exec_path} mr, - @{bin}/bwrap rPx -> flatpak-app, + @{bin}/bwrap rPx -> flatpak-app, @{bin}/fusermount{,3} rCx -> fusermount, @{bin}/gpg rCx -> gpg, @{bin}/gpgconf rCx -> gpg, diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings index ba2b0ec7a..bdc14eeb1 100644 --- a/apparmor.d/profiles-g-l/gsettings +++ b/apparmor.d/profiles-g-l/gsettings @@ -18,6 +18,7 @@ profile gsettings @{exec_path} { /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, + /var/lib/gdm{3,}/.cache/dconf/user rw, /var/lib/gdm{3,}/.config/dconf/user rw, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index bfe5e5c25..57d05adec 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/spice-vdagent -profile spice-vdagent @{exec_path} { +profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include include include @@ -24,6 +24,8 @@ profile spice-vdagent @{exec_path} { include include + signal (receive) set=(cont, term) peer=systemd-user, + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime member=MakeThreadRealtimeWithPID diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index d2eedd85c..d5740d858 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths 
@@ -45,7 +45,7 @@ # Experimental - May be modified/removed without notice # Coreutils programs that should not have dedicated profile -@{coreutils} = awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown +@{coreutils} = {,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown @{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname du echo env expand @{coreutils} += expr factor false find fmt fold gawk grep head hostid id install join link @{coreutils} += ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
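Review bot: `{,m}awk` now adds mawk to the `@{coreutils}` list, but `gawk` is still listed on its own two lines further down; folding the three spellings into one entry, `@{coreutils} = {,g,m}awk b2sum base32 ...`, and dropping the standalone `gawk` keeps the variants together and makes it obvious that every awk flavour runs under the caller's confinement (this list feeds `@{coreutils_path} rix` in systemd-service). The comment above marks the list as experimental, so this is a readability point only.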