From 0478e62f56d238d82e873b4174645597249ade77 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 17 Jun 2025 00:19:43 +0200
Subject: [PATCH] feat(fsp): sd/sdu: improve integration with stacked profiles.
---
 apparmor.d/groups/_full/sd | 5 +++--
 apparmor.d/groups/_full/sdu | 16 ++++++++++++++--
 2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/groups/_full/sd b/apparmor.d/groups/_full/sd
index 44b3a9b7d..48172638e 100644
--- a/apparmor.d/groups/_full/sd
+++ b/apparmor.d/groups/_full/sd
@@ -165,6 +165,7 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
   @{lib}/{,**} r,
   @{sbin}/{,*} r,
   /usr/share/** r,
+  /etc/*/ w,
   /etc/** rk,
   /home/ r,
 
@@ -181,8 +182,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
   /var/log/** rw,
   /var/log/journal/** rwl -> /var/log/journal/**,
 
-  @{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
-  @{user_share_dirs}/icc/edid-@{hex32}.icc r,
+  @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
+  @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
 
   @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
   @{att}/@{run}/systemd/notify rw,
diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu
index 411a8c3ad..c9338fd22 100644
--- a/apparmor.d/groups/_full/sdu
+++ b/apparmor.d/groups/_full/sdu
@@ -24,6 +24,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) { include include include + include network netlink raw,
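Review bot: `/etc/*/ w,` in the first sd hunk grants directory-write (creating, removing or renaming entries) in every first-level subdirectory of /etc, which is far broader than the neighbouring `/etc/** rk,` read rule and carries no comment saying which systemd operation needs it. The profile is in complain mode, so for now this only changes what gets logged, but the rule will turn into an enforced grant unchanged once `complain` is dropped. I would narrow it to the /etc subdirectories actually observed, or at least annotate it, e.g. `/etc/*/ w, # TODO: narrow — which unit or operation creates entries here?`.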
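Review bot: In the second sd hunk, replacing the unprefixed `@{desktop_share_dirs}/icc/...` and `@{user_share_dirs}/icc/...` rules with `@{att}/`-prefixed ones only keeps coverage if `@{att}` also expands to the plain root path; if the tunable covers just the attach_disconnected prefix, reads of these icc files from an attached path would no longer be permitted. Worth a quick check against the `@{att}` definition, since the surrounding `@{att}/@{run}/systemd/...` rules suggest it is intended to cover both cases.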
@@ -71,16 +72,27 @@ profile sdu flags=(attach_disconnected,mediate_deleted) {
   owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
   owner @{run}/user/@{uid}/pulse/pid rw,
-  owner @{user_state_dirs}/wireplumber/ r,
+  owner @{user_state_dirs}/wireplumber/ rw,
   owner @{user_state_dirs}/wireplumber/stream-properties rw,
   owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw,
   @{run}/systemd/users/@{uid} r,
   @{run}/systemd/users/@{int} r,
-  @{run}/udev/data/c116:@{int} r, # for ALSA
+  @{run}/udev/data/c14:@{int} r, # Open Sound System (OSS)
+  @{run}/udev/data/c81:@{int} r, # For video4linux
+  @{run}/udev/data/c116:@{int} r, # For ALSA
+  @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
   @{sys}/bus/ r,
+  @{sys}/bus/media/devices/ r,
+  @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
+  @{sys}/devices/**/device:*/{,**/}path r,
+  @{sys}/devices/**/sound/**/pcm_class r,
+  @{sys}/devices/**/sound/**/uevent r,
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/sound/seq/uevent r,
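Review bot: `@{run}/udev/data/c@{dynamic}:@{int} r,` grants read over udev data for every character major in the dynamic ranges, so it covers any device class assigned there rather than the one that triggered the denial, whereas the three neighbouring rules each name a single major with its device class. The trailing comment should record which device was actually seen so the rule can be narrowed later, e.g. `# For dynamic assignment range 234 to 254, 384 to 511 (observed for: <DEVICE CLASS placeholder>)`, assuming `@{dynamic}` is defined in the project's tunables. Likewise `@{sys}/devices/**/device:*/{,**/}path r,` matches `path` anywhere below any `device:*` node, and a comment naming the consumer (presumably pipewire/wireplumber device probing) would help a later reader judge it. Minor: the comment capitalisation is inconsistent between `# Open Sound System (OSS)`, `# For video4linux` and `# For ALSA`.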