From 84e2a56eb9e52f14c4fe47fb741f8bb78b9f71ef Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 27 Feb 2022 12:18:10 +0000 Subject: [PATCH] Profiles update. --- apparmor.d/groups/browsers/chromium-chromium | 1 + apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/pacman/archlinux-java | 8 ++++++++ apparmor.d/groups/pacman/pacman | 3 +++ apparmor.d/groups/pacman/pacman-key | 8 +++++--- apparmor.d/groups/virt/cockpit-bridge | 1 + apparmor.d/profiles-a-f/borg | 9 +++------ apparmor.d/profiles-a-f/browserpass | 11 ++++------- apparmor.d/profiles-a-f/downloadhelper | 1 + apparmor.d/profiles-s-z/udisksd | 3 ++- apparmor.d/profiles-s-z/xdg-desktop-portal | 3 +-- apparmor.d/profiles-s-z/xdg-desktop-portal-gnome | 2 ++ apparmor.d/profiles-s-z/xorg | 8 ++------ dists/flags/main.flags | 3 ++- 15 files changed, 37 insertions(+), 28 deletions(-) diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index dc8947656..2c6c343fd 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -175,6 +175,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { # Silencer deny @{CHROMIUM_INSTALLDIR}/** w, + deny @{user_share_dirs}/gvfs-metadata/* r, # file_inherit owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 8e9859bb0..6ab260d24 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -57,7 +57,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /var/lib/gdm/.config/gnome-session/saved-session/ rw, owner @{user_config_dirs}/gnome-session/ rw, - owner @{user_config_dirs}/gnome-session/saved-session/ r, + owner @{user_config_dirs}/gnome-session/saved-session/ rw, owner @{user_config_dirs}/gtk-3.0/bookmarks rw, owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index c4ad39b9a..5345b4003 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -20,7 +20,7 @@ profile tracker-miner @{exec_path} { /usr/share/applications/{,mimeinfo.cache} r, /usr/share/mime/mime.cache r, - /var/lib/flatpak/exports/share/applications/mimeinfo.cache r, + /var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r, owner /var/tmp/etilqs_[0-9a-f]* rw, # Allow to search user files diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 466d3336c..650924f0e 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -10,6 +10,8 @@ include profile archlinux-java @{exec_path} { include + capability dac_read_search, + @{exec_path} mr, /{usr/,}bin/basename rix, @@ -19,5 +21,11 @@ profile archlinux-java @{exec_path} { /{usr/,}bin/readlink rix, /{usr/,}bin/unlink rix, + /dev/tty rw, + + # Inherit Silencer + deny network inet6 stream, + deny network inet stream, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index f49991d19..506d5ab8c 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -139,6 +139,9 @@ profile pacman @{exec_path} { owner /etc/pacman.d/gnupg/ rw, owner /etc/pacman.d/gnupg/** rwkl, + + deny network inet stream, + deny network inet6 stream, } include if exists 
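Review bot: In archlinux-java's first hunk (`@@ -10,6 +10,8 @@`) the new `capability dac_read_search,` has no comment saying why a Java-environment switcher needs to bypass DAC read/search checks, which lets the confined process read any file its path rules match regardless of ownership. The repository documents this elsewhere (borg's `# For reading files of other users as root`), so a one-line rationale above the capability would match that style; the same applies to the `capability dac_read_search,` added in pacman-key's first hunk, and to borg's first hunk, where the existing justification is being dropped. The profile block for archlinux-java starts and ends outside this hunk.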
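Review bot: In the pacman hunk (`@@ -139,6 +139,9 @@`) the new `deny network inet stream,` / `deny network inet6 stream,` are placed just before a closing `}` that is itself followed by `include if exists`, and the surrounding `/etc/pacman.d/gnupg/` rules suggest this is a nested gpg child profile rather than the top-level pacman profile; the enclosing block begins outside the hunk, so this cannot be confirmed here. If the rules were at the pacman level they would block package downloads, so the scope matters. A short header above them, `# Inherit Silencer` as archlinux-java's second hunk uses, would make the intent (silencing gpg/dirmngr noise rather than restricting pacman) explicit.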
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 374d99365..d149d1ba1 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -9,7 +9,7 @@ include @{exec_path} = /{usr/,}bin/pacman-key profile pacman-key @{exec_path} { include - + capability dac_read_search, capability mknod, @@ -29,7 +29,7 @@ profile pacman-key @{exec_path} { /{usr/,}bin/wc rix, /usr/share/makepkg/{,**} r, - /usr/share/pacman/keyrings/* r, + /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/x/xterm-256color r, /dev/tty rw, @@ -47,11 +47,13 @@ profile pacman-key @{exec_path} { /{usr/,}bin/gpg mr, /{usr/,}bin/gpg-agent rix, - /usr/share/pacman/keyrings/* r, + /usr/share/pacman/keyrings/{,*} r, /etc/pacman.d/gnupg/ rw, /etc/pacman.d/gnupg/** rwkl, + @{HOME}/.gnupg/gpg.conf r, + owner @{PROC}/@{pid}/fd/ r, # Inherit Silencer diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index d4b4fa0c9..4bdf50963 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -48,6 +48,7 @@ profile cockpit-bridge @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{PROC}/@{pids}/net/dev r, @{PROC}/1/cgroup r, + @{PROC}/cmdline r, @{PROC}/diskstats r, @{PROC}/sys/kernel/random/boot_id r, @{PROC}/uptime r, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 2a4cf4998..21a2459b5 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -12,14 +12,9 @@ profile borg @{exec_path} { include include - # For reading files of other users as root capability dac_read_search, - - # Needed to mount backup files - capability sys_admin, - - # capability fowner, + capability sys_admin, network inet dgram, network inet6 dgram, 
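Review bot: In pacman-key's third hunk (`@@ -47,11 +47,13 @@`) the new `@{HOME}/.gnupg/gpg.conf r,` grants read of gpg.conf under every home directory, without `owner`, to a tool that runs as root, while the neighbouring `owner @{PROC}/@{pid}/fd/ r,` is owner-scoped. If gpg actually honours that file here (pacman-key normally points it at `/etc/pacman.d/gnupg`), a user-writable config would feed options into root's keyring operations; if the rule only silences a denial from gpg probing `$HOME` after sudo, a `deny` form is the safer way to quiet it. Either way a comment above the line naming the denial it addresses would let a later maintainer judge it. The profile block continues outside the hunk.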
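Review bot: In borg's first hunk (`@@ -12,14 +12,9 @@`) the why-comments for `capability dac_read_search,` and `capability sys_admin,` are removed together with the commented-out `fowner`, although both capabilities stay; sys_admin is close to unconfined root for a profile that also reads `/`, so its justification is the most valuable documentation in the file. Dropping the dead `# capability fowner,` line is fine, but suggest keeping `# For reading files of other users as root` above dac_read_search and `# Needed to mount backup files` above sys_admin. The profile block starts and ends outside the hunk.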
@@ -60,11 +55,13 @@ profile borg @{exec_path} { owner /tmp/* rw, owner /tmp/tmp*/ rw, owner /tmp/tmp*/idx rw, + owner /tmp/tmp*/file rw, owner /tmp/borg-cache-*/ rw, owner /tmp/borg-cache-*/* rw, owner /var/tmp/* rw, owner /var/tmp/tmp*/ rw, owner /var/tmp/tmp*/idx rw, + owner /var/tmp/tmp*/file rw, # Dirs that can be backed up / r, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index 82b916ca2..0346d461a 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -30,16 +30,13 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, # Inherit Silencer - deny network inet6 dgram, - deny network inet dgram, - deny network inet6 stream, - deny network inet stream, - deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/storage/default/{,**} r, + deny network inet6, + deny network inet, + deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/storage/default/{,**} rw, deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny owner @{user_share_dirs}/gvfs-metadata/{,**} r, - deny /dev/dri/card[0-9]* rw, - deny /dev/dri/renderD128 rw, + deny /dev/dri/* rw, include if exists } diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper index 3cbe7bc2e..f245b0f34 100644 --- a/apparmor.d/profiles-a-f/downloadhelper +++ b/apparmor.d/profiles-a-f/downloadhelper @@ -38,6 +38,7 @@ profile downloadhelper @{exec_path} { @{sys}/devices/system/node/node[0-9]*/meminfo r, deny @{PROC}/version r, + deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index f3fcee461..e81880451 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
@@ -73,8 +73,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/fd/ r, - @{PROC}/swaps r, + @{PROC}/cmdline r, @{PROC}/devices r, + @{PROC}/swaps r, # To be able to initialize device-mapper disk devices /dev/mapper/ r, diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal b/apparmor.d/profiles-s-z/xdg-desktop-portal index f013309bc..fe8fb032e 100644 --- a/apparmor.d/profiles-s-z/xdg-desktop-portal +++ b/apparmor.d/profiles-s-z/xdg-desktop-portal @@ -10,7 +10,7 @@ include profile xdg-desktop-portal @{exec_path} { include include - include + include capability sys_ptrace, @@ -23,7 +23,6 @@ profile xdg-desktop-portal @{exec_path} { /{usr/,}lib/x r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/mime/mime.cache r, /usr/share/pipewire/client.conf r, /usr/share/xdg-desktop-portal/portals/{,*.portal} r, diff --git a/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome b/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome index 1c9e83389..9e8293e21 100644 --- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome +++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome @@ -11,11 +11,13 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include + include include @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, diff --git a/apparmor.d/profiles-s-z/xorg b/apparmor.d/profiles-s-z/xorg index 5777432f2..f2dbaaf8f 100644 --- a/apparmor.d/profiles-s-z/xorg +++ b/apparmor.d/profiles-s-z/xorg 
@@ -1,23 +1,19 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -# The attach_disconnected flag is needed when xserver is started via startx, or the mouse/keyboard -# won't work. -# operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="xorg" -# name="dev/dri/card*" -# operation="getattr" info="Failed name lookup - disconnected path" error=-13 profile="xorg" -# name="dev/input/event*" @{exec_path} = /{usr/,}bin/X @{exec_path} += /{usr/,}bin/Xorg @{exec_path} += /{usr/,}lib/xorg/Xorg profile xorg @{exec_path} flags=(attach_disconnected) { include include + include include include include diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 5a7577de4..5ae7bb347 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -61,7 +61,6 @@ gnome-shell attach_disconnected,complain gnome-shell-hotplug-sniffer complain gnome-system-monitor attach_disconnected,complain gnome-tweak-tool-lid-inhibitor complain -gnome-tweak-tool-lid-inhibitor complain gnome-tweaks complain gpg complain groups complain @@ -201,9 +200,11 @@ xbrlapi attach_disconnected,complain xdg-dbus-proxy attach_disconnected,complain xdg-desktop-icon complain xdg-desktop-portal complain +xdg-desktop-portal-gnome complain xdg-desktop-portal-gtk complain xdg-document-portal complain xdg-permission-store attach_disconnected,complain xdg-user-dirs-gtk-update complain xhost complain +xorg attach_disconnected,complain xset complain
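Review bot: In the xorg hunk the comment explaining why `flags=(attach_disconnected)` is required (startx, otherwise the `dev/dri/card*` and `dev/input/event*` lookups fail) is removed while the flag itself is kept, so the rationale for a flag that relaxes path confinement is lost from the profile. The pasted audit-log lines are reasonable to drop, but a single line above the profile header, `# attach_disconnected is needed when xserver is started via startx, or the mouse/keyboard won't work.`, would preserve the reasoning. The rest of the profile body lies outside the hunk.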