Update various profiles

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>

apparmor.d/profiles-a-f/bluetoothd

@@ -11,6 +11,7 @@ include <tunables/global>
 profile bluetoothd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.hostname1>
 
   # Needed for configuring HCI interfaces
   capability net_admin,
@@ -24,6 +25,31 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
 
   # dbus: own bus=system name=org.bluez
 
+  dbus receive bus=system path=/
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=:*, label={brave,NetworkManager,pulseaudio,upowerd}),
+
+  dbus send bus=system path=/MediaEndpoint
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=:*, label=pulseaudio),
+
+  dbus send bus=system path=/MediaEndpoint/{A2DPSink,A2DPSource}/*
+       interface=org.bluez.MediaEndpoint1
+       member=Release
+       peer=(name=:*, label=pulseaudio),
+
+  dbus send bus=system path=/Profile/{HFPAGProfile,HSPHSProfile}
+       interface=org.bluez.MediaEndpoint1
+       member=Release
+       peer=(name=:*, label=pulseaudio),
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.ObjectManager
+       member=InterfacesRemoved
+       peer=(name=org.freedesktop.DBus, label={fwupd,NetworkManager,pulseaudio,upowerd),
+
   @{exec_path} mr,
 
   @{lib}/@{multiarch}/bluetooth/plugins/*.so mr,
@@ -32,11 +58,12 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
 
   /var/lib/bluetooth/{,**} rw,
 
-  @{run}/sdp rw,
-  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
+        @{run}/sdp rw,
+  owner @{run}/systemd/notify w,
+        @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
 
   @{sys}/devices/@{pci}/rfkill@{int}/name r,
-  @{sys}/devices/@{pci}/bluetooth/**/{uevent,name} r,
+  @{sys}/devices/@{pci}/**/{uevent,name} r,
   @{sys}/devices/platform/**/rfkill/**/name r,
   @{sys}/devices/virtual/dmi/id/chassis_type r,
 

apparmor.d/profiles-a-f/boltd

@@ -19,6 +19,15 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 
   # dbus: own bus=system name=org.freedesktop.bolt
 
+  dbus receive bus=system path=/org/freedesktop/bolt
+       interface=org.freedesktop.bolt1.Manager
+       member=ListDevices
+       peer(name=:*, label=kded5),
+
+  dbus (send,receive) bus=system path=/org/freedesktop/bolt{,/**}
+       interface=org.freedesktop.DBus.Properties
+       member=Get,
+
   @{exec_path} mr,
 
   /var/lib/boltd/{,**} rw,
@@ -34,10 +43,12 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
   @{sys}/bus/wmi/devices/ r,
   @{sys}/class/ r,
   @{sys}/devices/@{pci}/device  r,
+  @{sys}/devices/@{pci}/domain[0-9]*/boot_acl rw,
   @{sys}/devices/@{pci}/domain@{int}/{security,uevent} r,
   @{sys}/devices/@{pci}/domain@{int}/**/ r,
   @{sys}/devices/@{pci}/domain@{int}/**/{authorized,generation} r,
   @{sys}/devices/@{pci}/domain@{int}/**/{uevent,unique_id} r,
+  @{sys}/devices/@{pci}/domain@{int}/**/{boot,rx_lanes,rx_speed,tx_lanes,tx_speed} r,
   @{sys}/devices/@{pci}/domain@{int}/**/{vendor,device}_name r,
   @{sys}/devices/@{pci}/domain@{int}/iommu_dma_protection r,
   @{sys}/devices/platform/**/uevent r,

apparmor.d/profiles-a-f/firewalld

@@ -9,6 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/firewalld
 profile firewalld @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.PolicyKit1>
+  include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
 
@@ -21,6 +25,21 @@ profile firewalld @{exec_path} {
   network inet6 raw,
   network netlink raw,
 
+  dbus receive bus=system path=/org/fedoraproject/FirewallD1
+       interface=org.fedoraproject.FirewallD1.direct
+       member=passthrough
+       peer=(name=:*, label=libvirtd),
+
+  dbus receive bus=system path=/org/fedoraproject/FirewallD1
+       interface=org.fedoraproject.FirewallD1.zone
+       member={changeZoneOfInterface,getZones}
+       peer=(name=:*, label=libvirtd),
+
+  dbus receive bus=system path=/org/fedoraproject/FirewallD1
+       interface=org.fedoraproject.FirewallD1.zone
+       member={changeZoneOfInterface,removeInterface}
+       peer=(name=:*, label=libvirtd),
+
   @{exec_path} mr,
 
   @{bin}/ r,
@@ -33,6 +52,8 @@ profile firewalld @{exec_path} {
   @{bin}/xtables-legacy-multi     rix,
   @{bin}/xtables-nft-multi        rix,
 
+  /usr/local/lib/python3.10/dist-packages/ r,
+
   /usr/share/libalternatives/ r,
   /usr/share/libalternatives/ebtables*/{,*} r,
   /usr/share/libalternatives/ip{,4,6}tables*/{,*} r,

apparmor.d/profiles-a-f/flatpak

@@ -10,6 +10,7 @@ include <tunables/global>
 profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
   include <abstractions/base>
   include <abstractions/bus-session>
+  include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.Accounts>
   include <abstractions/consoles>
   include <abstractions/dconf-write>

apparmor.d/profiles-a-f/frontend

@@ -28,6 +28,7 @@ profile frontend @{exec_path} flags=(complain) {
   @{bin}/locale      rix,
   @{bin}/lsb_release rPx -> lsb_release,
   @{bin}/stty        rix,
+  @{bin}/update-secureboot-policy rPx,
 
   # debconf apps
   @{bin}/adequate                     rPx,

apparmor.d/profiles-a-f/fusermount

@@ -23,6 +23,7 @@ profile fusermount @{exec_path} {
   mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
   mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/,
   mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/,
+  mount fstype={fuse,fuse.*} -> /tmp/.mount_nextcl@{rand6}/,
 
   umount @{HOME}/*/,
   umount @{HOME}/*/*/,