update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>

apparmor.d/profiles-a-f/adduser

@@ -49,16 +49,11 @@ profile adduser @{exec_path} {
 
   /etc/adduser.conf r,
 
-  # To create user dirs
+  # To create user dirs and copy files from /etc/skel/ to them
   @{HOME}/ rw,
-
-  # To copy files from /etc/skel/ to user dirs
   @{HOME}/.* w,
+  /var/lib/*/{,*} rw,
   /etc/skel/{,.*} r,
 
-  # What's this for? (#FIXME#)
-  /var/lib/lightdm/{,*} w,
-  /var/lib/sddm/{,*} w,
-
   include if exists <local/adduser>
 }

apparmor.d/profiles-a-f/amixer

@@ -10,15 +10,20 @@ include <tunables/global>
 profile amixer @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
+  /usr/share/pipewire/client.conf r,
+
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
   owner @{HOME}/.Xauthority r,
 
-  owner @{user_config_dirs}/pulse/ r,
+  owner @{HOME}/.config/pulse/ r,
+
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,

apparmor.d/profiles-a-f/badblocks

@@ -18,7 +18,7 @@ profile badblocks @{exec_path} {
         @{PROC}/swaps r,
 
   # A place for a list of already existing known bad blocks
-  @{HOME}/** rwk,
+  @{HOME}/* rwk,
   @{MOUNTS}/*/** rwk,
 
   include if exists <local/badblocks>

apparmor.d/profiles-a-f/blkid

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -30,8 +30,10 @@ profile blkid @{exec_path} {
   @{PROC}/partitions r,
 
   # Image files
-  @{HOME}/** r,
-  @{MOUNTS}/*/** r,
+  @{HOME}/**.{iso,img,bin,mdf,nrg} r,
+  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
+  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
 
   include if exists <local/blkid>
 }

apparmor.d/profiles-a-f/conky

@@ -18,8 +18,12 @@ profile conky @{exec_path} {
   include <abstractions/ssl_certs>
   include <abstractions/deny-root-dir-access>
 
+  # To get the external IP address
+  # For samba share mounts
   network inet dgram,
   network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
 
   # For dig
   #network inet stream,

apparmor.d/profiles-a-f/df

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/df
 profile df @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   capability dac_read_search,
 

apparmor.d/profiles-a-f/dfc

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/dfc
 profile dfc @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 

apparmor.d/profiles-a-f/dumpe2fs

@@ -18,8 +18,10 @@ profile dumpe2fs @{exec_path} {
   owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   # Image files
-  @{HOME}/** r,
-  @{MOUNTS}/** r,
+  @{HOME}/**.{iso,img,bin,mdf,nrg} r,
+  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
+  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
+  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
 
   include if exists <local/dumpe2fs>
 }

apparmor.d/profiles-a-f/ffmpeg

@@ -50,6 +50,7 @@ profile ffmpeg @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
   include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
   include <abstractions/deny-root-dir-access>
 
   network inet dgram,

apparmor.d/profiles-a-f/ffplay

@@ -43,6 +43,8 @@ profile ffplay @{exec_path} {
   include <abstractions/X>
   include <abstractions/freedesktop.org>
   include <abstractions/audio>
+  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
   include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,

apparmor.d/profiles-a-f/ffprobe

@@ -41,6 +41,8 @@ include <tunables/global>
 profile ffprobe @{exec_path} {
   include <abstractions/base>
   include <abstractions/dri-common>
+  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
   include <abstractions/deny-root-dir-access>
 
   @{exec_path} mr,