From 0640a17b1a11a57e9a39c5f3767eb919604a5600 Mon Sep 17 00:00:00 2001
From: valoq <valoq@mailbox.org>
Date: Sun, 27 Oct 2024 12:17:22 +0100
Subject: [PATCH] various improvements

---
 apparmor.d/abstractions/app/editor            |  2 +-
 apparmor.d/abstractions/app/firefox           |  2 +-
 apparmor.d/abstractions/audio-client          |  6 ++++
 apparmor.d/groups/gpg/scdaemon                |  1 +
 apparmor.d/profiles-g-l/git                   |  2 ++
 apparmor.d/profiles-g-l/libreoffice           |  1 +
 apparmor.d/profiles-m-r/mutt                  |  6 +++-
 apparmor.d/profiles-m-r/ouch                  |  1 +
 apparmor.d/profiles-m-r/pinentry-curses       |  2 ++
 apparmor.d/profiles-m-r/pinentry-gtk          | 29 +++++++++++++++++++
 .../signal-desktop-chrome-sandbox             |  4 +++
 apparmor.d/profiles-s-z/w3m                   |  2 +-
 12 files changed, 54 insertions(+), 4 deletions(-)
 create mode 100644 apparmor.d/profiles-m-r/pinentry-gtk

diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor
index 1d501eb9f..3992fb7b0 100644
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@@ -12,7 +12,7 @@
   @{sh_path}                  rix,
   @{bin}/nvim                 mix,
   @{bin}/sensible-editor       mr,
-  @{bin}/vim{,.*}             mix,
+  @{bin}/vim{,.*}             mrix,
   @{bin}/which{,.debianutils}  ix,
 
   /usr/share/nvim/{,**} r,
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox
index 2a2f612b7..c749bf253 100644
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@@ -92,7 +92,7 @@
   owner @{cache_dirs}/ rw,
   owner @{cache_dirs}/** rwk,
 
-        /tmp/ r,
+        /tmp/ rw,
         /var/tmp/ r,
   owner @{tmp}/@{name}/ rw,
   owner @{tmp}/@{name}/* rwk,
diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client
index d847c732c..203fb8c4b 100644
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@@ -11,8 +11,10 @@
   /usr/share/openal/hrtf/{,**} r,
   /usr/share/pipewire/client-rt.conf r,
   /usr/share/pipewire/client.conf r,
+  /usr/share/pipewire/jack.conf r,
   /usr/share/sounds/{,**} r,
 
+
   /etc/alsa/conf.d/{,**} r,
   /etc/asound.conf r,
   /etc/esound/esd.conf r,
@@ -24,6 +26,7 @@
   /etc/pulse/client.conf.d/{,**} r,
   /etc/wildmidi/wildmidi.cfg r,
 
+
   owner @{desktop_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,  # libcanberra
   owner @{desktop_config_dirs}/pulse/ rw,
   owner @{desktop_config_dirs}/pulse/client.conf r,
@@ -60,6 +63,9 @@
         /dev/shm/ r,
   owner /dev/shm/pulse-shm-@{int} rw,
 
+  /dev/snd/controlC0 r,
+  /dev/snd/controlC1 r,
+
   include if exists <abstractions/audio-client.d>
 
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index e88f34d4b..5d2cafd95 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@@ -16,6 +16,7 @@ profile scdaemon @{exec_path} {
   network netlink raw,
 
   signal (send) peer=gpg-agent,
+  signal send set=usr2 peer=unconfined,
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 71bace3c3..fc05b8c1d 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -18,6 +18,8 @@ profile git @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
 
+  capability dac_read_search,
+
   network inet dgram,
   network inet6 dgram,
   network inet stream,
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index 2198ad925..3978ac1a8 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@@ -71,6 +71,7 @@ profile libreoffice @{exec_path} {
   /etc/libreoffice/{,**} r,
   /etc/paperspecs r,
   /etc/xdg/* r,
+  /etc/machine-id r,
 
   owner @{user_cache_dirs}/libreoffice/{,**} rw,
   owner @{user_config_dirs}/libreoffice/ rw,
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index fb1e94c1f..28006f479 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@@ -62,6 +62,7 @@ profile mutt @{exec_path} {
   owner @{HOME}/.mutthistory rwk,
   owner @{HOME}/.muttrc* r,
   owner @{HOME}/.signature r,  # Mutt signature file
+  owner @{HOME}/ r,
 
   # User mbox
   # Could be a file or dir depending on mbox_type variable
@@ -91,11 +92,14 @@ profile mutt @{exec_path} {
     @{bin}/w3m     mrix,
     @{bin}/lynx    mrix,
 
-    owner @{HOME}/.w3m/* rw,
+    owner @{HOME}/.w3m/{,**} rw,
     owner @{user_mail_dirs}/{,**} r,
     owner @{user_mail_dirs}/tmp/{,**} rw,
     owner /{var/,}tmp/mutt* rw,
 
+    owner /tmp/w3m-@{rand6} rw,
+    owner /tmp/w3m-@{rand6}/{,**} rw,
+
     include if exists <local/mutt_html-renderer>
   }
 
diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch
index d0b75aae7..ef3ea4bee 100644
--- a/apparmor.d/profiles-m-r/ouch
+++ b/apparmor.d/profiles-m-r/ouch
@@ -15,6 +15,7 @@ profile ouch @{exec_path} {
   @{exec_path} mr,
 
   owner @{HOME}/.tmp@{rand6}/{,**} rw,
+  owner @{HOME}/.tmp-ouch@{rand6}/{,**} rw,
 
   @{sys}/fs/cgroup/user.slice/cpu.max r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses
index a3ec65c45..c14b41027 100644
--- a/apparmor.d/profiles-m-r/pinentry-curses
+++ b/apparmor.d/profiles-m-r/pinentry-curses
@@ -17,6 +17,8 @@ profile pinentry-curses @{exec_path} {
 
   /usr/share/terminfo/** r,
 
+  owner /dev/tty@{int} r,
+
   include if exists <local/pinentry-curses>
 }
 
diff --git a/apparmor.d/profiles-m-r/pinentry-gtk b/apparmor.d/profiles-m-r/pinentry-gtk
new file mode 100644
index 000000000..f7c05f3a9
--- /dev/null
+++ b/apparmor.d/profiles-m-r/pinentry-gtk
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pinentry-gtk
+profile pinentry-gtk @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/gtk>
+  include <abstractions/fonts>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/freedesktop.org>
+
+  @{exec_path} mr,
+
+  /usr/share/** r,
+
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
+
+  owner /dev/tty@{int} r,
+
+  include if exists <local/pinentry-gtk>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
index b9efca35a..6cf825ad7 100644
--- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
+++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
@@ -18,6 +18,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
 
   capability sys_admin,
   capability sys_chroot,
+  capability dac_override,
 
   @{exec_path} mr,
 
@@ -27,6 +28,9 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
   @{PROC}/@{pid}/oom_adj w,
   @{PROC}/@{pid}/oom_score_adj w,
 
+  # Silencer
+  deny /dev/pts/0 rw, # file_inherit
+
   include if exists <local/signal-desktop-chrome-sandbox>
 }
 
diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m
index 1a0e33418..ade896ea5 100644
--- a/apparmor.d/profiles-s-z/w3m
+++ b/apparmor.d/profiles-s-z/w3m
@@ -36,7 +36,7 @@ profile w3m @{exec_path} {
 
   owner @{user_config_dirs}/w3m/{,**} rw,
 
-  owner @{tmp}/@{rand6}/{,**} rw,
+  owner @{tmp}/w3m-@{rand6}/{,**} rw,
 
   include if exists <local/w3m>
 }