update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>

apparmor.d/profiles-s-z/smplayer

@@ -69,6 +69,7 @@ profile smplayer @{exec_path} {
   include <abstractions/dri-enumerate>
   include <abstractions/nameservice-strict>
   include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
   include <abstractions/openssl>
   include <abstractions/deny-root-dir-access>
 

apparmor.d/profiles-s-z/tune2fs

@@ -11,6 +11,8 @@ profile tune2fs @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
   include <abstractions/nameservice-strict>
+  include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
 
   network inet stream,
   network inet6 stream,
@@ -26,8 +28,10 @@ profile tune2fs @{exec_path} {
   owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
   # Image files
-  @{HOME}/** rw,
-  @{MOUNTS}/*/** rw,
+  @{HOME}/**.{iso,img,bin,mdf,nrg} rw,
+  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rw,
+  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw,
+  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rw,
 
   include if exists <local/tune2fs>
 }

apparmor.d/profiles-s-z/ucf

@@ -55,10 +55,9 @@ profile ucf @{exec_path} flags=(complain) {
 
   # For md5sum
   /etc/** r,
-  /usr/share/*/conffiles/* r,
+  /usr/share/** r,
   @{run}/** r,
 
-
   # For writing new config files
   /etc/** rw,
 

apparmor.d/profiles-s-z/umount

@@ -33,6 +33,7 @@ profile umount @{exec_path} flags=(complain) {
   @{HOME}/ r,
   @{HOME}/*/ r,
   @{HOME}/*/*/ r,
+  @{HOME}/.cache/*/*/ r,
   @{MOUNTS}/*/ r,
   @{MOUNTS}/*/*/ r,
 

apparmor.d/profiles-s-z/uscan

@@ -38,6 +38,9 @@ profile uscan @{exec_path} {
   # To run custom maintainer scripts
   owner @{user_build_dirs}/**/debian/* rPUx,
 
+  /usr/share/*/debian/ r,
+  /usr/share/*/debian/changelog r,
+
   /{usr/,}bin/gpg       rCx -> gpg,
   /{usr/,}bin/gpgv      rCx -> gpg,
 
@@ -49,7 +52,6 @@ profile uscan @{exec_path} {
   # For package building
   owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
 
-
   # For GPG keys
   owner /tmp/*/ rw,
   owner /tmp/*/trustedkeys.gpg w,

apparmor.d/profiles-s-z/useradd

@@ -63,11 +63,10 @@ profile useradd @{exec_path} {
   /var/log/faillog rw,
   /var/log/lastlog rw,
 
-  # To create user dirs
+  # To create user dirs and copy files from /etc/skel/ to them
   @{HOME}/ rw,
-
-  # To copy files from /etc/skel/ to user dirs
   @{HOME}/.* w,
+  /var/lib/*/{,*} rw,
   /etc/skel/{,.*} r,
 
 

apparmor.d/profiles-s-z/userdel

@@ -55,11 +55,10 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
   /etc/.pwd.lock rwk,
 
   # To remove user home files
-  @{HOME}/ rw,
-  @{HOME}/** w,
-
-  # To remove user mail
-  /var/mail/* w,
+  @{HOME}/{,**}    rw,
+  /var/            r,
+  /var/lib/        r,
+  /var/lib/*/{,**} rw,
 
   include if exists <local/userdel>
 }

apparmor.d/profiles-s-z/usermod

@@ -58,8 +58,10 @@ profile usermod @{exec_path} flags=(attach_disconnected) {
   @{PROC}/@{pids}/task/ r,
 
   # To create and move user dirs
-  @{HOME}/{,**} rw,
-  /var/{,**}    rw,
+  @{HOME}/{,**}    rw,
+  /var/            r,
+  /var/lib/        r,
+  /var/lib/*/{,**} rw,
 
   include if exists <local/usermod>
 }

apparmor.d/profiles-s-z/vidcutter

@@ -45,12 +45,12 @@ profile vidcutter @{exec_path} {
   include <abstractions/qt5-compose-cache-write>
   include <abstractions/qt5-shader-cache>
   include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
   include <abstractions/audio>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/deny-dconf>
   include <abstractions/deny-root-dir-access>
 
   @{exec_path} r,
@@ -92,6 +92,10 @@ profile vidcutter @{exec_path} {
   owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
   owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
 
+  include <abstractions/dconf>
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+
   owner @{user_config_dirs}/qt5ct/{,**} r,
   /usr/share/qt5ct/** r,
 

apparmor.d/profiles-s-z/vnstat

@@ -63,6 +63,8 @@ profile vnstat @{exec_path} {
   deny @{PROC}/loadavg r,
   deny @{sys}/devices/**/hwmon/**/temp*_input r,
   owner /dev/tty[0-9]* rw,
+  deny network inet dgram,
+  deny network inet6 dgram,
 
   include if exists <local/vnstat>
 }

apparmor.d/profiles-s-z/wireshark

@@ -21,6 +21,7 @@ profile wireshark @{exec_path} {
   include <abstractions/fontconfig-cache-read>
   include <abstractions/gtk>
   include <abstractions/user-download-strict>
+  include <abstractions/private-files-strict>
   include <abstractions/dri-enumerate>
   include <abstractions/mesa>
   include <abstractions/qt5-compose-cache-write>
@@ -84,7 +85,6 @@ profile wireshark @{exec_path} {
 
   # file_inherit
   owner /dev/tty[0-9]* rw,
-  owner @{HOME}/.xsession-errors w,
 
 
   profile open {

apparmor.d/profiles-s-z/xrandr

@@ -14,6 +14,8 @@ profile xrandr @{exec_path} {
 
   owner @{HOME}/.Xauthority r,
 
+  /usr/share/X11/XErrorDB r,
+
   # file_inherit
   owner /dev/tty[0-9]* rw,
 

apparmor.d/profiles-s-z/youtube-dl

@@ -51,6 +51,7 @@ profile youtube-dl @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
+  include <abstractions/user-download-strict>
   include <abstractions/deny-root-dir-access>
 
   signal (receive) set=(term, kill),

apparmor.d/profiles-s-z/ytdl

@@ -45,6 +45,7 @@ profile ytdl @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
+  include <abstractions/user-download-strict>
   include <abstractions/deny-root-dir-access>
 
   signal (receive) set=(term, kill),