From acf423fd8678651512a5b59adca0927d3ba8db99 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 23 Mar 2025 14:19:02 +0100
Subject: [PATCH] feat(profile): add support for qemu-img in gnome-boxes fix #698
---
 apparmor.d/groups/gnome/gnome-boxes | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes
index 41ebab653..2462c2071 100644
--- a/apparmor.d/groups/gnome/gnome-boxes
+++ b/apparmor.d/groups/gnome/gnome-boxes
@@ -32,8 +32,9 @@ profile gnome-boxes @{exec_path} {
 @{open_path} rPx -> child-open,
- @{bin}/virtqemud rPUx,
+ @{bin}/qemu-img rix,
 @{bin}/virsh rCx -> virsh,
+ @{bin}/virtqemud rPUx,
 /usr/share/osinfo/{,**} r,
 /usr/share/gnome-boxes/{,**} r,
@@ -63,6 +64,8 @@ profile gnome-boxes @{exec_path} {
 @{run}/mount/utab r,
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r,
 @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
@@ -70,6 +73,10 @@ profile gnome-boxes @{exec_path} {
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
+ owner @{PROC}/@{pid}/stat r,
+
+ /dev/media@{int} rw,
+ /dev/video@{int} rw,
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
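Review bot: `@{bin}/qemu-img rix,` in the first hunk (@@ -32,8 +32,9) runs qemu-img under the full gnome-boxes profile, so a helper that parses disk images the user may have obtained from elsewhere keeps every permission the parent has. The neighbouring rule already confines virsh in a child profile (`@{bin}/virsh rCx -> virsh,`); the same form, `@{bin}/qemu-img rCx -> qemu-img,` with a small child profile limited to the image locations Boxes uses, would follow least privilege. If `ix` is deliberate, a trailing comment saying why would record that. The profile body continues outside the hunk, so whether such a child profile already exists cannot be seen from here.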
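Review bot: The trailing comment on `@{run}/udev/data/c@{dynamic}:@{int} r,` in the second hunk (@@ -63,6 +64,8) gives the major-number range but not the device class the rule is needed for, while the rule itself matches udev data for every dynamically numbered character device. Naming the consumer lets a later reviewer judge whether the rule can be narrowed or dropped, for example `# dynamic majors 234-254, 384-511; needed for <DEVICE CLASS> enumeration` with the placeholder filled in by the author. It is presumably tied to the `/dev/media@{int}` rule added in the third hunk, but nothing in the patch states that.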
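Review bot: `/dev/media@{int} rw,` and `/dev/video@{int} rw,` in the third hunk (@@ -70,6 +73,10) grant read-write access to every media-controller and video-capture node, and neither the commit subject (qemu-img support) nor a comment explains why. Capture devices are privacy-sensitive, and because the first hunk runs qemu-img with `ix`, that helper inherits the access as well. A one-line comment above the two rules stating the feature that needs them, e.g. `# <FEATURE> needs camera access`, would make the grant auditable; if no Boxes feature depends on it, the rules are better left out of this change.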