From 969c989aedf657f34b2b6621313562aa10876a91 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Mon, 11 Aug 2025 19:38:24 +0200
Subject: [PATCH] feat(profile): fwupd: allow access to dbx

---
 apparmor.d/profiles-a-f/fwupd | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index ff9af895d..7a00455a6 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -83,7 +83,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   owner /var/lib/fwupd/ rw,
   owner /var/lib/fwupd/** rwk,
 
-  # In order to get to this file, the attach_disconnected flag has to be set
+        @{att}/@{user_cache_dirs}/gnome-software/fwupd/{,**} r,
   owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
   owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r,
 
@@ -97,6 +97,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   @{sys}/firmware/efi/** r,
   @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
   @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
+  @{sys}/firmware/efi/efivars/dbx-@{uuid} rw,
   @{sys}/firmware/efi/efivars/fwupd-* rw,
   @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
   @{sys}/kernel/security/lockdown r,