From 1842f8a4d540cb4f8eddc710a4a4089ac2fe0928 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 7 May 2024 17:32:36 +0100
Subject: [PATCH] feat(profile): add some new profile (2).

---
 apparmor.d/profiles-a-f/console-setup | 21 ++++++
 apparmor.d/profiles-a-f/fractal | 43 ++++++++++++
 apparmor.d/profiles-g-l/issue-generator | 30 +++++++++
 apparmor.d/profiles-g-l/libreoffice | 90 +++++++++++++++++++++++++
 apparmor.d/profiles-m-r/mullvad-setup | 22 ++++++
 dists/flags/main.flags | 1 +
 6 files changed, 207 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/console-setup
 create mode 100644 apparmor.d/profiles-a-f/fractal
 create mode 100644 apparmor.d/profiles-g-l/issue-generator
 create mode 100644 apparmor.d/profiles-g-l/libreoffice
 create mode 100644 apparmor.d/profiles-m-r/mullvad-setup

diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup
new file mode 100644
index 000000000..a8bac3a11
--- /dev/null
+++ b/apparmor.d/profiles-a-f/console-setup
@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/console-setup/console-setup.sh
+profile console-setup @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/uname rPx,
+ @{bin}/mkdir rix,
+
+ @{run}/console-setup/boot_completed w,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal
new file mode 100644
index 000000000..5e7d3d3b4
--- /dev/null
+++ b/apparmor.d/profiles-a-f/fractal
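Review bot: `@{bin}/mkdir rix,` is permitted, but no rule in this profile lets it create a directory — the only write granted is the single file `@{run}/console-setup/boot_completed w,` — so whatever mkdir is invoked for (most plausibly `@{run}/console-setup/` itself, given that file) will be denied in enforce mode; if the audit log confirms it, add `@{run}/console-setup/ w,`. The attached binary is `console-setup.sh`, which reads as a shell script, yet there is no `@{sh_path} rix,` for the interpreter; unless the one include inside the profile (its argument is not legible in this copy of the patch) supplies it, the exec will fail at the interpreter. The `abi` and `include` arguments were stripped when this diff was captured, so the chosen abstraction set could not be reviewed here.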
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/fractal
+profile fractal @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
+ network netlink raw,
+
+ @{exec_path} mr,
+
+ owner @{tmp}/.@{rand6} rw,
+ owner @{tmp}/.goutputstream-@{rand6} rw,
+ owner @{tmp}/@{rand6} rw,
+
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
+
+ @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+ /dev/ r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
new file mode 100644
index 000000000..f7b9fa5fe
--- /dev/null
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/issue-generator
+profile issue-generator @{exec_path} {
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{bin}/basename rix,
+ @{bin}/cat rix,
+ @{bin}/cmp rix,
+ @{bin}/mktemp rix,
+ @{bin}/rm rix,
+ @{bin}/sort rix,
+
+ /etc/issue.d/{,**} r,
+
+ @{run}/issue r,
+ @{run}/issue.@{rand10} rw,
+ @{run}/issue.d/{,**} r,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
new file mode 100644
index 000000000..cad2260bb
--- /dev/null
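Review bot: The network rules in this profile are ordered family-major (`network inet dgram, network inet stream, network inet6 dgram, network inet6 stream,`) while the libreoffice profile added in the same commit orders the identical four rules type-major (`inet dgram, inet6 dgram, inet stream, inet6 stream`); pick one ordering for both new profiles so a reader scanning for a missing family or type sees the same shape everywhere. The four cgroup `cpu.max` rules repeat the `@{sys}/fs/cgroup/user.slice/` prefix and could collapse into one brace-expanded rule, but only if the `owner` qualifier on the app.slice line is intentionally different from the three unqualified lines above it — that distinction is worth a one-line comment either way, e.g. `# app.slice is user-owned; the parent slices are root-owned`.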
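Review bot: `@{run}/issue r,` is read-only while the only writable path is the mktemp output `@{run}/issue.@{rand10} rw,`, so if the generator finishes by renaming or copying the temp file over /run/issue that final step will be denied in enforce mode and the pre-login banner will never update; if the audit log confirms it, change the rule to `@{run}/issue rw,`. The helper set (basename, cat, cmp, mktemp, rm, sort) strongly suggests issue-generator is a shell script, yet there is no `@{sh_path} rix,` for the interpreter; unless one of the two includes (not legible in this copy of the patch) grants it, the profile will fail at exec. Both points are inferred from the rules shown, not from the script itself.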
+++ b/apparmor.d/profiles-g-l/libreoffice 
@@ -0,0 +1,90 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/libreoffice @{bin}/soffice
+@{exec_path} += @{lib}/libreoffice/program/soffice
+profile libreoffice @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ #aa:dbus own bus=session name=org.libreoffice.LibreOfficeIpc0
+
+ @{exec_path} mr,
+
+ @{sh_path} rix,
+ @{bin}/basename rix,
+ @{bin}/dirname rix,
+ @{bin}/grep rix,
+ @{bin}/ls rix,
+ @{bin}/paperconf rix,
+ @{bin}/sed rix,
+ @{bin}/uname rix,
+
+ @{open_path} rpx -> child-open-browsers,
+
+ @{bin}/gpgconf rPx,
+ @{bin}/gpgsm rPx,
+ @{bin}/gpg rPx,
+
+ @{lib}/libreoffice/program/javaldx rix,
+ @{lib}/libreoffice/program/oosplash rix,
+ @{lib}/libreoffice/program/soffice.bin rix,
+ @{lib}/jvm/java*/bin/java rix,
+ @{lib}/jvm/java*/lib/** rm,
+
+ @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,
+ @{lib}/libreoffice/{,**} rm,
+
+ /usr/share/libexttextcat/{,**} r,
+ /usr/share/liblangtag/{,**} r,
+
+ /etc/java-openjdk/{,**} r,
+ /etc/libreoffice/{,**} r,
+ /etc/paperspecs r,
+
+ owner @{user_config_dirs}/libreoffice/ rw,
+ owner @{user_config_dirs}/libreoffice/** rwk,
+
+ owner @{tmp}/@{rand6} rwk,
+ owner @{tmp}/*.tmp/{,**} rwk,
+ owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w,
+ owner @{tmp}/.java_pid@{int}{,.tmp} rw,
+ owner @{tmp}/hsperfdata_@{user}/ rw,
+ owner @{tmp}/hsperfdata_@{user}/@{int} rwk,
+
+ @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
+ @{sys}/devices/virtual/block/**/queue/rotational r,
+ @{sys}/kernel/mm/hugepages/ r,
+ @{sys}/kernel/mm/transparent_hugepage/enabled r,
+ @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r,
+
 @{PROC}/cgroups r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/coredump_filter rw,
+ owner @{PROC}/@{pid}/mountinfo r,
+
+ /dev/tty rw,
+
+ deny owner @{HOME}/.thunderbird/** rwk,
+ deny owner @{HOME}/.mozilla/** rwk,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup
new file mode 100644
index 000000000..befffe09f
--- /dev/null
+++ b/apparmor.d/profiles-m-r/mullvad-setup
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022-2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /opt/Mullvad*/resources/mullvad-setup
+profile mullvad-setup @{exec_path} {
+ include
+
+ @{exec_path} mr,
+
+ owner @{PROC}/@{pid}/cgroup r,
+
+ # File Inherit
+ deny network inet stream,
+ deny network inet6 stream,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index f7a12592a..d938046b8 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -117,6 +117,7 @@ flatpak-session-helper attach_disconnected,complain
 flatpak-system-helper complain
 flatpak-validate-icon complain
 foliate attach_disconnected,complain
+fractal attach_disconnected,complain
 fuse-overlayfs complain
 fusermount complain
 gcr-ssh-agent complain
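Review bot: `owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r,` spells the uid components of the slice path with `@{int}`, while the fractal profile in the same commit writes the same path with `@{uid}` (`user-@{uid}.slice/user@@{uid}.service`); use `@{uid}` here too, since it is the project's name for that component and cannot be looser than the generic integer pattern. Separately, `@{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,` is an unqualified write into the system-wide extension cache from a profile that is normally launched by an unprivileged user; if it exists only for an admin running soffice as root to register extensions, say so in a comment (`# extension cache stamp, written only when run as root`) so the rule is not later widened to the whole cache directory. The explicit `deny owner @{HOME}/.thunderbird/** rwk,` and `.mozilla` denies are a sensible hardening given the breadth of the user-files abstractions, and deserve a one-line comment naming the include they are carving out of, which is not legible in this copy of the patch.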
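Review bot: The profile grants only `@{exec_path} mr,` and `owner @{PROC}/@{pid}/cgroup r,`, with nothing covering how mullvad-setup reaches the VPN daemon; Mullvad's command-line tooling is understood to talk to mullvad-daemon over a unix management socket under @{run}, which cannot be verified from this diff, and if that is the case a rule such as `@{run}/mullvad-vpn rw,` (exact path from the audit log) will be needed or the tool will fail once the profile is enforced. The `# File Inherit` comment on the `deny network inet stream,` / `deny network inet6 stream,` pair is the right idea; spelling it out as `# File Inherit: sockets inherited from the Mullvad GUI parent, not needed here` would stop a future reader from removing the denies as a mistake. The `/opt/Mullvad*/` wildcard in `@{exec_path}` matches any root-created directory with that prefix, which is acceptable but worth a short comment on why the version-specific directory name is globbed.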