From 2aa0d89f84ac2ad51b021568ce52243c9fc595a8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Tue, 12 Aug 2025 12:45:55 +0200
Subject: [PATCH] feat(profile): update firefox stack.

---
 apparmor.d/groups/browsers/firefox-glxtest    | 2 +-
 apparmor.d/groups/browsers/torbrowser-glxtest | 4 +++-
 apparmor.d/profiles-s-z/thunderbird           | 6 +++---
 apparmor.d/profiles-s-z/thunderbird-glxtest   | 4 +++-
 4 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest
index 97e5645b9..30281f2f4 100644
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@@ -16,8 +16,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/X-strict>
   include <abstractions/wayland>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest
index 4939edfbf..2d8697259 100644
--- a/apparmor.d/groups/browsers/torbrowser-glxtest
+++ b/apparmor.d/groups/browsers/torbrowser-glxtest
@@ -17,11 +17,13 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/X-strict>
   include <abstractions/wayland>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
+  / r,
+
   owner @{PROC}/@{pid}/cmdline r,
 
   deny @{config_dirs}/.parentlock rw,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 02046580c..da163c2ae 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -13,7 +13,7 @@ include <tunables/global>
 @{cache_dirs} = @{user_cache_dirs}/@{name}/
 
 @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
-profile thunderbird @{exec_path} {
+profile thunderbird @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app/firefox>
   include <abstractions/user-download-strict>
@@ -23,8 +23,8 @@ profile thunderbird @{exec_path} {
 
   @{exec_path} mrix,
 
-  @{lib_dirs}/glxtest    rPx,
-  @{lib_dirs}/vaapitest  rPx,
+  @{lib_dirs}/glxtest    rPx -> thunderbird//&thunderbird-glxtest,
+  @{lib_dirs}/vaapitest  rPx -> thunderbird//&thunderbird-vaapitest,
 
   @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr,
   @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest
index 626896a09..4f25e0862 100644
--- a/apparmor.d/profiles-s-z/thunderbird-glxtest
+++ b/apparmor.d/profiles-s-z/thunderbird-glxtest
@@ -15,11 +15,13 @@ profile thunderbird-glxtest @{exec_path} {
   include <abstractions/base>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/X-strict>
   include <abstractions/wayland>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
+  / r,
+
   owner @{config_dirs}/*/.parentlock rw,
 
   owner @{tmp}/thunderbird/.parentlock rw,