From a789d518b2d689242fb6a599bdf8f050b9701f79 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 8 Apr 2021 22:41:05 +0100
Subject: [PATCH] Fix openvpn integration with network manager.
---
 apparmor.d/groups/network/NetworkManager | 15 +++++++++++----
 apparmor.d/groups/network/nm-openvpn-service | 5 ++++-
 2 files changed, 15 insertions(+), 5 deletions(-)
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index e6adfc7ae..43bdde4d6 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -22,11 +22,16 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
 network packet dgram,
- capability net_admin,
- capability net_raw,
- capability net_bind_service,
- capability dac_override,
 capability audit_write,
+ capability dac_override,
+ capability kill,
+ capability net_admin,
+ capability net_bind_service,
+ capability net_raw,
+ capability setgid,
+ capability setuid,
+ capability sys_chroot,
+ capability sys_module,
 @{exec_path} mr,
@@ -41,6 +46,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/systemctl rPx -> child-systemctl,
 /{usr/,}bin/{,ba,da}sh rix,
+ /dev/rfkill rw,
+
 / r,
 /etc/ r,
 /etc/resolv.conf rw,
diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service
index 055b221ff..4f948c5f9 100644
--- a/apparmor.d/groups/network/nm-openvpn-service
+++ b/apparmor.d/groups/network/nm-openvpn-service
@@ -11,7 +11,10 @@ profile nm-openvpn-service @{exec_path} {
 include
 include
- signal peer=openvpn,
+ capability kill,
+ capability net_admin,
+
+ signal (send) set=(term) peer=openvpn,
 @{exec_path} mr,
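Review bot: In the NetworkManager hunk at `@@ -22,11 +22,16 @@`, the added `capability sys_module,`, `capability setuid,`, `capability setgid,` and `capability sys_chroot,` widen the main NetworkManager profile a good deal for what the subject calls an openvpn fix, and nothing in the hunk records which operation needs each one. If they come from denials logged while openvpn dropped privileges or entered a chroot, they would sit better in the profile that confines openvpn than in the parent; that cannot be confirmed from the lines shown. For `sys_module` in particular, check whether the denial was only noise from a module auto-load probe, in which case `deny capability sys_module,` quiets the log without granting module loading. Each new capability should at least carry a short comment naming the audited operation that motivated it.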
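Review bot: In the nm-openvpn-service hunk at `@@ -11,7 +11,10 @@`, the replacement rule `signal (send) set=(term) peer=openvpn,` permits only SIGTERM, so any other signal the service sends to openvpn (for instance a follow-up kill when the process does not exit) would now be denied. Confirm this against the audit log and, if such a signal is sent, widen the rule to `signal (send) set=(term, kill) peer=openvpn,`. The new `capability kill,` and `capability net_admin,` are unexplained in the hunk; a comment such as `# openvpn may run under another uid after dropping privileges` above `capability kill,` would tell the next reader why it is there, if that is indeed the reason. The profile body continues outside the hunk.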