update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>

apparmor.d/groups/apps/okular

@@ -19,6 +19,7 @@ profile okular @{exec_path} {
   include <abstractions/freedesktop.org>
   include <abstractions/mesa>
   include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/dri-enumerate>
   include <abstractions/kde-icon-cache-write>

apparmor.d/groups/apps/vlc

@@ -67,6 +67,7 @@ profile vlc @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/vulkan>
   include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
   include <abstractions/ssl_certs>
   include <abstractions/devices-usb>
   include <abstractions/deny-root-dir-access>

apparmor.d/groups/apt/apt-show-versions

@@ -15,8 +15,13 @@ profile apt-show-versions @{exec_path} {
 
   @{exec_path} r,
   /{usr/,}bin/perl r,
+  /{usr/,}bin/{,ba,da}sh rix,
 
-  /usr/bin/dpkg rPx -> child-dpkg,
+  /{usr/,}bin/dpkg       rPx -> child-dpkg,
+  /{usr/,}bin/apt-get    rPx,
+
+  # apt-helper gets "no new privs" so "rix" it
+  /{usr/,}lib/apt/apt-helper rix,
 
   owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
   owner /var/cache/apt-show-versions/files rw,

apparmor.d/groups/apt/cron-popularity-contest

@@ -46,6 +46,7 @@ profile cron-popularity-contest @{exec_path} {
   /var/log/ r,
   /var/log/popularity-contest{,.new} rw,
   /var/log/popularity-contest{,.new}.gpg rw,
+  /var/log/popularity-contest.[0-9]* rw,
 
   # Store last successful http submission timestamp
   /var/lib/popularity-contest/ rw,
@@ -118,6 +119,8 @@ profile cron-popularity-contest @{exec_path} {
 
     /var/log/popularity-contest.new r,
     /var/log/popularity-contest.new.gpg rw,
+    /var/log/popularity-contest.[0-9]* r,
+    /var/log/popularity-contest.[0-9]*.gpg rw,
 
     owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,
 
@@ -144,6 +147,7 @@ profile cron-popularity-contest @{exec_path} {
 
     /var/log/ r,
     /var/log/popularity-contest.new.gpg r,
+    /var/log/popularity-contest.[0-9]*.gpg r,
 
     # file_inherit
     owner /tmp/#[0-9]*[0-9] rw,

apparmor.d/groups/apt/dpkg

@@ -71,11 +71,14 @@ profile dpkg @{exec_path} {
   /etc/dpkg/dpkg.cfg r,
 
   owner @{PROC}/@{pid}/fd/ r,
+        @{PROC}/sys/kernel/random/boot_id r,
 
   owner /tmp/apt-dpkg-install-*/ r,
 
   /var/log/dpkg.log w,
 
+  @{run}/systemd/userdb/ r,
+
   # For shell pwd
   /root/ r,
 
@@ -103,9 +106,15 @@ profile dpkg @{exec_path} {
   /var/local/**  rwl -> /var/local/**,
   /var/spool/    r,
   /var/spool/**  rwl -> /var/spool/**,
+  # Fixme when more transitions will be available (#FIXME#)
+  /var/www/      r,
+  /var/www/**    rwl,
   # To create log and cache dirs
   /var/log/**/   rw,
   /var/cache/**/ rw,
+  # To create dirs under var
+  /var/*.dpkg-new/ rw,
+  /var/*/ rw,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,

apparmor.d/groups/apt/dpkg-deb

@@ -14,6 +14,9 @@ profile dpkg-deb @{exec_path} {
 
   #capability sys_tty_config,
 
+  # For "mk-build-deps -i"
+  capability dac_override,
+
   @{exec_path} mr,
 
   /{usr/,}bin/tar rix,

apparmor.d/groups/apt/dpkg-genbuildinfo

@@ -11,6 +11,9 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/perl>
 
+  # For "mk-build-deps -i"
+  capability dac_override,
+
   @{exec_path} r,
   /{usr/,}bin/perl r,
 

apparmor.d/groups/apt/dpkg-trigger

@@ -16,7 +16,7 @@ profile dpkg-trigger @{exec_path} {
   /var/lib/dpkg/triggers/Lock rwk,
 
   /var/lib/dpkg/triggers/ r,
-  /var/lib/dpkg/triggers/Unincorp{,.new} rw,
+  /var/lib/dpkg/triggers/* rw,
 
   include if exists <local/dpkg-trigger>
 }

apparmor.d/groups/desktop/obex-folder-listing

@@ -9,6 +9,8 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/obex-folder-listing
 profile obex-folder-listing @{exec_path} {
   include <abstractions/base>
+  include <abstractions/private-files-strict>
+  include <abstractions/user-download-strict>
 
   @{exec_path} mr,
 

apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor

@@ -32,6 +32,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
   owner @{run}/user/@{uid}/dconf/ w,
   owner @{run}/user/@{uid}/dconf/user rw,
 
+  @{run}/systemd/sessions/[0-9]* r,
+
   /etc/fstab r,
 
   # Mount points

apparmor.d/groups/gvfs/gvfsd-mtp

@@ -11,8 +11,10 @@ include <tunables/global>
 @{exec_path} += @{libexec}/gvfsd-mtp
 profile gvfsd-mtp @{exec_path} {
   include <abstractions/base>
-  include <abstractions/freedesktop.org>
   include <abstractions/devices-usb>
+  include <abstractions/freedesktop.org>
+  include <abstractions/private-files-strict>
+  include <abstractions/user-download-strict>
 
   network netlink raw,
 

apparmor.d/groups/ssh/ssh

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -28,7 +28,7 @@ profile ssh @{exec_path} {
 
   owner @{HOME}/@{XDG_SSH_DIR}/ r,
   owner @{HOME}/@{XDG_SSH_DIR}/config r,
-  owner @{HOME}/@{XDG_SSH_DIR}/known_hosts rw,
+  owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl,
   owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
   owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r,
   owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r,

apparmor.d/groups/systemd/systemd-hostnamed

@@ -30,4 +30,6 @@ profile systemd-hostnamed @{exec_path} {
   /etc/hostname rw,
   /etc/.#hostname* rw,
 
+  @{run}/udev/data/+dmi:id r,
+
 }