From aaf435ece166d4fc0765fd96b2554293184f5bcc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Fri, 19 Jul 2024 19:22:32 +0100
Subject: [PATCH] feat(profile): general update.

---
 .../abstractions/freedesktop.org.d/complete   |  2 --
 apparmor.d/groups/grub/grub-mkconfig          |  4 ++-
 apparmor.d/groups/grub/grub-probe             |  2 ++
 apparmor.d/groups/systemd/systemd-logind      |  2 ++
 apparmor.d/profiles-a-f/firewalld             | 27 ++++---------------
 apparmor.d/profiles-g-l/ifup                  |  6 ++---
 apparmor.d/profiles-m-r/os-prober             |  6 +++--
 apparmor.d/profiles-s-z/wsdd                  |  3 +++
 8 files changed, 21 insertions(+), 31 deletions(-)

diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete
index 3e669f4dc..ed4f067a5 100644
--- a/apparmor.d/abstractions/freedesktop.org.d/complete
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete
@@ -13,8 +13,6 @@
   @{system_share_dirs}/ r,
   @{system_share_dirs}/mime/ r,
 
-  /usr/share/mime/ r,
-
   /etc/gnome/defaults.list r,
   /etc/xfce4/defaults.list r,  
 
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index d44ffcf3d..cd9c825f6 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -32,6 +32,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   @{bin}/find                 rix,
   @{bin}/findmnt              rPx,
   @{bin}/gettext              rix,
+  @{bin}/grub-editenv         rPx,
   @{bin}/grub-mkrelpath       rPx,
   @{bin}/grub-probe           rPx,
   @{bin}/grub-script-check    rPx,
@@ -60,6 +61,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   @{bin}/zpool                rPx,
   /etc/grub.d/{,**}           rix,
 
+  @{lib}/grub-customizer/*      rix,
   @{lib}/grub/grub-sort-version rPx,
   @{lib}/libostree/grub[0-9]-@{int}_ostree rix,
 
@@ -81,7 +83,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   /boot/{,**} r,
   /boot/grub/{,**} rw,
 
-  # owner /tmp/** rw,
+  /tmp/grub-*.@{rand10}/{,**} rw,
 
   @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
 
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index f0bbf8e41..d0ef6b78b 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -13,6 +13,7 @@ profile grub-probe @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/disks-read>
 
+  capability dac_read_search,
   capability sys_admin,
 
   @{exec_path} mr,
@@ -36,6 +37,7 @@ profile grub-probe @{exec_path} {
   /dev/bus/ r,
   /dev/bus/usb/ r,
   /dev/bus/usb/@{int}/ r,
+  /dev/char/ r,
   /dev/cpu/ r,
   /dev/cpu/@{int}/ r,
   /dev/dma_heap/ r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index d5c7b963e..9a0a2c7d7 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -79,7 +79,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/+hid:* r,
   @{run}/udev/data/+i2c:* r,
   @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/+leds:* r,
   @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+  @{run}/udev/data/+wakeup:* r,
   @{run}/udev/data/c1:@{int}    r,        # For RAM disk
   @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
   @{run}/udev/data/c13:@{int} r,          # For /dev/input/*
diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld
index 1d683c327..ea083ed96 100644
--- a/apparmor.d/profiles-a-f/firewalld
+++ b/apparmor.d/profiles-a-f/firewalld
@@ -9,12 +9,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/firewalld
 profile firewalld @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/app/kmod>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.PolicyKit1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/org.freedesktop.PolicyKit1>
   include <abstractions/nameservice-strict>
-  include <abstractions/app/kmod>
 
   capability dac_read_search,
   capability mknod,
@@ -27,21 +27,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
   network inet6 raw,
   network netlink raw,
 
-  dbus receive bus=system path=/org/fedoraproject/FirewallD1
-       interface=org.fedoraproject.FirewallD1.direct
-       member=passthrough
-       peer=(name=:*, label=libvirtd),
-
-  dbus receive bus=system path=/org/fedoraproject/FirewallD1
-       interface=org.fedoraproject.FirewallD1.zone
-       member={changeZoneOfInterface,getZones}
-       peer=(name=:*, label=libvirtd),
-
-  dbus receive bus=system path=/org/fedoraproject/FirewallD1
-       interface=org.fedoraproject.FirewallD1.zone
-       member={changeZoneOfInterface,removeInterface}
-       peer=(name=:*, label=libvirtd),
-
   #aa:dbus own bus=system name=org.fedoraproject.FirewallD1
 
   @{exec_path} mr,
@@ -53,7 +38,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
   @{bin}/false                    rix,
   @{bin}/ipset                    rix,
   @{bin}/kmod                     rix,
-  @{bin}/modprobe                 rPx,
+  @{bin}/modprobe                 rix,
   @{bin}/xtables-legacy-multi     rix,
   @{bin}/xtables-nft-multi        rix,
 
@@ -76,11 +61,9 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
   @{run}/xtables.lock rwk,
 
   @{sys}/module/compression r,
-  @{sys}/module/crc32c_{generic,intel}/initstate r,
+  @{sys}/module/crc32c_*/initstate r,
   @{sys}/module/libcrc32c/initstate r,
-  @{sys}/module/nf_conntrack{,_tftp}/initstate r,
-  @{sys}/module/nf_defrag_ipv{4,6}/initstate r,
-  @{sys}/module/nf_nat/initstate r,
+  @{sys}/module/nf_*/initstate r,
 
         @{PROC}/sys/kernel/modprobe r,
         @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup
index e621bd7f0..4788daeb6 100644
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
@@ -106,10 +106,8 @@ profile ifup @{exec_path} {
   profile sysctl {
     include <abstractions/base>
 
-#    capability mac_admin,
-   capability net_admin,
-   capability sys_admin,
-#    capability sys_resource,
+    capability net_admin,
+    capability sys_admin,
 
     @{bin}/sysctl mr,
 
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober
index 819c4c9bd..c9c9ea2df 100644
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@@ -10,6 +10,7 @@ include <tunables/global>
 profile os-prober @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/disks-read>
 
   capability dac_read_search,
   capability sys_admin,
@@ -59,11 +60,12 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
   / r,
   /boot/{efi/,} r,
   /boot/{efi/,}EFI/ r,
-  /boot/{efi/,}EFI/*/ r,
+  /boot/{efi/,}EFI/**/ r,
 
   owner @{tmp}/os-prober.*/{,**} rw,
 
-  @{sys}/block/ r,
+  @{run}/mount/utab r,
+
   @{sys}/devices/@{pci}/block/*/ r,
   @{sys}/devices/virtual/block/*/ r,
 
diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd
index 92b0f360f..56a852d11 100644
--- a/apparmor.d/profiles-s-z/wsdd
+++ b/apparmor.d/profiles-s-z/wsdd
@@ -10,9 +10,12 @@ include <tunables/global>
 profile wsdd @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
+  include <abstractions/ssl_certs>
 
   network inet dgram,
+  network inet stream,
   network inet6 dgram,
+  network inet6 stream,
   network netlink raw,
 
   @{exec_path} mr,