From 5af6cda32873cb806953b0a0b809a68dabc8d0d7 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Mon, 18 Jul 2022 17:58:01 +0200
Subject: [PATCH] Allow dbus messages and user database reading.

---
 apparmor.d/groups/virt/k3s         |  1 -
 apparmor.d/profiles-m-r/pkttyagent | 25 +++++++++++++++++++++++--
 2 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 9d7b02b26..184ed0520 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -40,7 +40,6 @@ profile k3s @{exec_path} flags=(complain) {
   /{usr/,}bin/mount rPx,
   /{usr/,}bin/systemd-run rix,
 
-  # Does not seem to work.
   # These are all symbolic links to xtables-nft-multi on Ubuntu 22.04
   /{usr/,}{s,}bin/iptables rPx -> xtables-nft-multi,
   /etc/alternatives/iptables rPx -> xtables-nft-multi,
diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent
index 728735362..3b7440e93 100644
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi ,
@@ -12,15 +13,35 @@ profile pkttyagent @{exec_path} {
   include
 
   capability sys_nice,
+  capability audit_write,
   ptrace (read),
-  signal (receive),
+  signal (send,receive),
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=RegisterAuthenticationAgentWithOptions,
+
+  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent
+       interface=org.freedesktop.PolicyKit1.AuthenticationAgent
+       member=BeginAuthentication,
+
+  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=Changed,
 
   @{exec_path} mr,
 
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
+
   owner @{PROC}/@{pids}/stat r,
 
   /dev/tty rw,
 
   include if exists
-}
\ No newline at end of file
+}
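Review bot: The four new dbus rules carry no `peer=` constraint, so pkttyagent may exchange these messages with any system-bus peer that serves the given path rather than only the polkit daemon, and the `PolicyKit[0-9]` glob in the path and interface of three rules widens this further while the third rule already names `org.freedesktop.PolicyKit1.AuthenticationAgent` literally, so the set is inconsistent with itself. Pinning the real object and interface names and the peer, e.g. `dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=org.freedesktop.PolicyKit1),` and the same treatment for the other three (the receive rules may fit better with a `peer=(label=...)` match, to be checked against the repository's polkitd profile), keeps the agent least-privilege. `/etc/nsswitch.conf r` and `/etc/passwd r` look like what this repository's nameservice abstraction already provides; if that abstraction exists here, an `include` of it is the conventional form. The `include` and `abi` lines appear to have lost their `<...>` targets in extraction, so what the profile actually pulls in cannot be checked from this view.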