From 101248b37e235d9176918fc99b23fe370b773ffb Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 20 Jul 2025 14:06:58 +0200
Subject: [PATCH] feat(profile): minor profile update.

---
 apparmor.d/abstractions/bus/org.freedesktop.systemd1        | 5 +++++
 apparmor.d/groups/freedesktop/wireplumber                   | 2 +-
 apparmor.d/groups/gnome/gnome-session-check                 | 5 +++++
 apparmor.d/groups/network/dhcpcd                            | 2 ++
 apparmor.d/groups/snap/snapd                                | 1 +
 apparmor.d/groups/ssh/sshd                                  | 1 +
 .../groups/systemd-generators/systemd-generator-import      | 4 ++--
 apparmor.d/groups/ubuntu/apport                             | 6 ++++--
 apparmor.d/groups/ubuntu/package-system-locked              | 2 +-
 apparmor.d/groups/utils/who                                 | 2 ++
 apparmor.d/groups/virt/libvirtd                             | 1 +
 11 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
index 46297b484..341cf58ce 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
@@ -11,6 +11,11 @@
        member={GetUnit,StartUnit,StartTransientUnit}
        peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
 
+  dbus send bus=system path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=ListUnitsByPatterns
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
+
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member={GetUnit,StartUnit,StartTransientUnit}
diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber
index 0925bad91..debf19f25 100644
--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@@ -52,7 +52,7 @@ profile wireplumber @{exec_path} {
   owner @{run}/user/@{uid}/pipewire-@{int} rw,
   owner @{run}/user/@{uid}/pipewire-@{int}-manager rw,
 
-        /dev/shm/lttng-ust-wait-@{int} r,
+        /dev/shm/lttng-ust-wait-@{int} rw,
   owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,
   owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw,
 
diff --git a/apparmor.d/groups/gnome/gnome-session-check b/apparmor.d/groups/gnome/gnome-session-check
index 2a0b4965f..44755aef2 100644
--- a/apparmor.d/groups/gnome/gnome-session-check
+++ b/apparmor.d/groups/gnome/gnome-session-check
@@ -10,12 +10,17 @@ include <tunables/global>
 profile gnome-session-check @{exec_path} {
   include <abstractions/base>
   include <abstractions/graphics>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
   @{lib}/gnome-session-check-accelerated-gl-helper   ix,
   @{lib}/gnome-session-check-accelerated-gles-helper ix,
 
+  /usr/share/gnome-session/hardware-compatibility r,
+
+  @{PROC}/cmdline r,
+
   include if exists <local/gnome-session-check>
 }
 
diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd
index 7f47b9975..51cf215f9 100644
--- a/apparmor.d/groups/network/dhcpcd
+++ b/apparmor.d/groups/network/dhcpcd
@@ -40,6 +40,8 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
   @{bin}/sed                      rix,
   @{lib}/dhcpcd/dhcpcd-run-hooks  rix,
 
+  /usr/share/dhcpcd/{,**} r,
+
   /etc/dhcpcd.conf r,
   /etc/resolv.conf rw,
 
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd
index 1add6c1c4..5f0885693 100644
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@@ -110,6 +110,7 @@ profile snapd @{exec_path} {
   /etc/modprobe.d/{,**/} r,
   /etc/modules-load.d/{,**/} r,
   /etc/modules-load.d/*snap* rw,
+  /etc/polkit-1/rules.d/{,**/} r,
   /etc/systemd/system/{,**/} r,
   /etc/systemd/system/snap* rw,
   /etc/systemd/user/{,**/} rw,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 2494dc2c2..63f2c1370 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -32,6 +32,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   capability dac_override,
   capability dac_read_search,
   capability fowner,
+  capability fsetid,
   capability kill,
   capability net_bind_service,
   capability setgid,
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-import b/apparmor.d/groups/systemd-generators/systemd-generator-import
index 36ff4e5ff..de3753aaf 100644
--- a/apparmor.d/groups/systemd-generators/systemd-generator-import
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-import
@@ -16,13 +16,13 @@ profile systemd-generator-import @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  / r,
+
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,
 
-  / r,
-
   /dev/kmsg w,
 
   include if exists <local/systemd-generator-import>
diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport
index 8219ef185..9f3fd2999 100644
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@@ -28,8 +28,8 @@ profile apport @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{bin}/{,e,f}grep   rix,
-  @{bin}/dpkg         rPx -> child-dpkg,
-  @{bin}/dpkg-divert  rPx -> child-dpkg-divert,
+  @{bin}/dpkg         rPx -> &child-dpkg,
+  @{bin}/dpkg-divert  rPx -> &child-dpkg-divert,
   @{bin}/gdbus        rix,
   @{bin}/md5sum       rix,
 
@@ -37,6 +37,8 @@ profile apport @{exec_path} flags=(attach_disconnected) {
 
   @{etc_ro}/login.defs r,
   /etc/apport/report-ignore/{,**} r,
+  /etc/dpkg/dpkg.cfg r,
+  /etc/dpkg/dpkg.cfg.d/{,**} r,
 
   /var/lib/dpkg/info/ r,
   /var/lib/dpkg/info/*.list r,
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked
index 7398fc404..8cf3ed885 100644
--- a/apparmor.d/groups/ubuntu/package-system-locked
+++ b/apparmor.d/groups/ubuntu/package-system-locked
@@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
   network inet dgram,
   network inet6 dgram,
 
-  mqueue r type=posix /,
+  mqueue (read,getattr) type=posix /,
 
   ptrace (read),
 
diff --git a/apparmor.d/groups/utils/who b/apparmor.d/groups/utils/who
index 3da07f89d..fd49b2bec 100644
--- a/apparmor.d/groups/utils/who
+++ b/apparmor.d/groups/utils/who
@@ -18,6 +18,8 @@ profile who @{exec_path} {
 
   @{exec_path} mr,
 
+  @{run}/systemd/sessions/* r,
+
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   deny owner @{user_share_dirs}/zed/**/data.mdb rw,
 
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index a0d636883..c90e80af9 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -86,6 +86,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),
   unix (send, receive) type=stream addr=none peer=(label=unconfined addr=none),
   unix (send, receive) type=stream addr=none peer=(label=unconfined),
+  unix (send, receive) type=stream addr=none peer=(label=virt-manager),
 
   # Allow changing to our UUID-based named profiles
   change_profile -> libvirt-@{uuid},