feat(abs): add pcscd

apparmor.d/abstractions/app/chromium

@@ -42,6 +42,7 @@
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/notifications>
+  include <abstractions/pcscd>
   include <abstractions/screensaver>
   include <abstractions/secrets-service>
   include <abstractions/ssl_certs>
@@ -107,7 +108,6 @@
 
   /etc/@{name}/{,**} r,
   /etc/fstab r,
-  /etc/{,opensc/}opensc.conf r,
 
   / r,
   owner @{HOME}/ r,

apparmor.d/abstractions/app/firefox

@@ -37,6 +37,7 @@
   include <abstractions/graphics>
   include <abstractions/gstreamer>
   include <abstractions/nameservice-strict>
+  include <abstractions/pcscd>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
@@ -80,7 +81,6 @@
   /usr/share/webext/{,**} r,
   /usr/share/xul-ext/kwallet5/* r,
 
-  /etc/{,opensc/}opensc.conf r,
   /etc/@{name}/{,**} r,
   /etc/fstab r,
   /etc/lsb-release r,

apparmor.d/abstractions/pcscd

@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows interacting with PC/SC Smart Card Daemon
+
+  abi <abi/4.0>,
+
+  # Configuration file for OPENSC
+  /etc/opensc.conf r,
+  /etc/opensc/opensc.conf r,
+
+  # Socket for communication between PCSCD and PS/SC API library
+  @{run}/pcscd/pcscd.comm rw,
+
+  include if exists <abstractions/pcscd.d>
+
+# vim:syntax=apparmor

apparmor.d/groups/gnome/gsd-smartcard

@@ -9,13 +9,14 @@ include <tunables/global>
 @{exec_path} = @{lib}/gsd-smartcard
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/bus-session>
   include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/consoles>
   include <abstractions/dconf-write>
+  include <abstractions/gschemas>
   include <abstractions/nameservice-strict>
   include <abstractions/p11-kit>
-  include <abstractions/gschemas>
+  include <abstractions/pcscd>
 
   signal (receive) set=(term, hup) peer=gdm*,
 
@@ -31,7 +32,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
 
-  /etc/{,opensc/}opensc.conf r,
   /etc/tpm2-tss/* rk,
 
   /var/tmp/ r,

apparmor.d/groups/gnome/seahorse

@@ -19,6 +19,7 @@ profile seahorse @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/p11-kit>
+  include <abstractions/pcscd>
   include <abstractions/secrets-service>
   include <abstractions/ssl_certs>
 
@@ -34,7 +35,6 @@ profile seahorse @{exec_path} {
 
   /etc/pki/trust/blocklist/ r,
   /etc/gcrypt/hwf.deny r,
-  /etc/{,opensc/}opensc.conf r,
 
   owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
 

apparmor.d/profiles-m-r/pkcs11-register

@@ -9,11 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/pkcs11-register
 profile pkcs11-register @{exec_path} {
   include <abstractions/base>
+  include <abstractions/pcscd>
 
   @{exec_path} mr,
 
-  /etc/{,opensc/}opensc.conf r,
-
   owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
   owner @{HOME}/.mozilla/firefox/profiles.ini r,
   owner @{HOME}/.pki/nssdb/pkcs11.txt r,

apparmor.d/profiles-m-r/rngd

@@ -12,6 +12,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/devices-usb>
   include <abstractions/nameservice-strict>
+  include <abstractions/pcscd>
 
   capability dac_read_search,
   capability net_admin,
@@ -24,7 +25,6 @@ profile rngd @{exec_path} flags=(attach_disconnected) {
 
   /etc/conf.d/rngd r,
   /etc/machine-id r,
-  /etc/{,opensc/}opensc.conf r,
   /var/lib/dbus/machine-id r,
 
   @{sys}/devices/virtual/misc/hw_random/rng_available r,