From bfe41958d2b97ab7d91c3070eb25ad4cdbbd46c4 Mon Sep 17 00:00:00 2001
From: nobodysu
Date: Wed, 22 Jun 2022 19:14:43 +0000
Subject: [PATCH] Update spectre-meltdown-checker

---
 .../profiles-s-z/spectre-meltdown-checker | 24 ++++++++++++-------
 1 file changed, 16 insertions(+), 8 deletions(-)

diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker
index 572d2936a..fe56f8c90 100644
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker
@@ -64,6 +64,7 @@ profile spectre-meltdown-checker @{exec_path} {
 /{usr/,}bin/xargs rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/nproc rix,
+ /{usr/,}bin/date rix,
 /{usr/,}bin/pgrep rCx -> pgrep,
 /{usr/,}bin/ccache rCx -> ccache,
@@ -74,13 +75,12 @@ profile spectre-meltdown-checker @{exec_path} {
 /{usr/,}bin/sqlite3 rCx -> mcedb,
 owner /tmp/mcedb-* rw,
 owner /tmp/smc-* rw,
- owner /tmp/intelfw-*/ rw,
- owner /tmp/intelfw-*/fw.zip rw,
- owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/ rw,
- owner /tmp/intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-master/** rw,
+ owner /tmp/{,smc-}intelfw-*/ rw,
+ owner /tmp/{,smc-}intelfw-*/fw.zip rw,
+ owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
+ owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,
 owner @{HOME}/.mcedb rw,
- owner @{exec_path} w,
 /tmp/ r,
 owner /tmp/{config,kernel}-* rw,
@@ -113,7 +113,6 @@ profile spectre-meltdown-checker @{exec_path} {
 /root/ r,
 /etc/ r,
-
 profile ccache {
 include
@@ -152,15 +151,24 @@ profile spectre-meltdown-checker @{exec_path} {
 include
 include
+ deny capability net_admin,
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
 /{usr/,}bin/wget mr,
 /{usr/,}bin/sqlite3 mr,
 /etc/wgetrc r,
 owner @{HOME}/.wget-hsts rwk,
+ owner @{HOME}/.mcedb rw,
 /tmp/ r,
- owner /tmp/mcedb-* rwk,
- owner /tmp/intelfw-*/fw.zip rw,
+ owner /tmp/{,smc-}mcedb-* rwk,
+ owner /tmp/{,smc-}intelfw-*/fw.zip rw,
 /usr/share/publicsuffix/public_suffix_list.* r,
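Review bot: The new `deny capability net_admin,` at the top of the mcedb subprofile carries no comment recording which operation triggers it, and because an explicit deny also suppresses the audit entry, a future version of the script that genuinely needs the capability would fail with nothing in the log to explain why. Please add a comment above it such as `# Deliberately denied: silences audit noise from [operation observed in logs]; the mcedb fetch does not need CAP_NET_ADMIN`, filling in what was actually seen. The `network netlink raw,` grant deserves the same one-line justification: if it exists only to let name resolution enumerate interfaces, say so, since netlink raw is a broad permission for a subprofile whose job is a single wget download plus sqlite3 access. The mcedb subprofile continues past the end of this hunk, so its closing brace and any trailing rules are not visible here.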