From af8c66e9bf456a5770584bf03019548ee67d5020 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 6 Jul 2025 22:14:25 +0200
Subject: [PATCH] feat(profile): upgrade cockpit profiles.

---
 apparmor.d/groups/virt/cockpit-certificate-helper | 1 +
 apparmor.d/groups/virt/cockpit-desktop            | 2 ++
 apparmor.d/groups/virt/cockpit-tls                | 3 +++
 apparmor.d/groups/virt/cockpit-ws                 | 4 +++-
 4 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper
index ac9dd5f6f..303fd074c 100644
--- a/apparmor.d/groups/virt/cockpit-certificate-helper
+++ b/apparmor.d/groups/virt/cockpit-certificate-helper
@@ -21,6 +21,7 @@ profile cockpit-certificate-helper @{exec_path} {
   @{bin}/openssl  rix,
   @{bin}/rm       rix,
   @{bin}/sscg     rix,
+  @{bin}/sync     rix,
   @{bin}/tr       rix,
 
   /etc/machine-id r,
diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop
index c2a7455ce..bb1ba03bf 100644
--- a/apparmor.d/groups/virt/cockpit-desktop
+++ b/apparmor.d/groups/virt/cockpit-desktop
@@ -10,6 +10,8 @@ include <tunables/global>
 profile cockpit-desktop @{exec_path} {
   include <abstractions/base>
 
+  userns,
+
   @{exec_path} mr,
 
   include if exists <local/cockpit-desktop>
diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls
index 0037b132c..7bf43ed4a 100644
--- a/apparmor.d/groups/virt/cockpit-tls
+++ b/apparmor.d/groups/virt/cockpit-tls
@@ -17,6 +17,9 @@ profile cockpit-tls @{exec_path} flags=(attach_disconnected) {
 
   /etc/cockpit/ws-certs.d/{,**} r,
 
+  @{att}/@{run}/cockpit/wsinstance/https@@{hex64}.sock r,
+  @{att}/@{run}/cockpit/wsinstance/https-factory.sock rw,
+
   owner @{run}/cockpit/tls/{,**} rw,
 
   include if exists <local/cockpit-tls>
diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws
index 7b0779119..8e3478072 100644
--- a/apparmor.d/groups/virt/cockpit-ws
+++ b/apparmor.d/groups/virt/cockpit-ws
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/cockpit/cockpit-ws
-profile cockpit-ws @{exec_path} {
+profile cockpit-ws @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
@@ -21,6 +21,8 @@ profile cockpit-ws @{exec_path} {
   /usr/share/pixmaps/{,**} r,
   /etc/cockpit/ws-certs.d/ r,
 
+  @{run}/cockpit/wsinstance/https@@{hex64}.sock r,
+
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/fd/ r,