From c53c2366483f189d03797d2dfacc391bc96f5744 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 23 Mar 2025 17:47:22 +0100
Subject: [PATCH] feat(profile): improve gnome profiles.

---
 .../gnome-extension/batteryhealthchargingctl  | 39 +++++++++++++++++++
 apparmor.d/groups/gnome/gnome-extension-ding  |  5 ---
 .../groups/gnome/gnome-remote-desktop-daemon  |  2 +-
 apparmor.d/groups/gnome/gnome-shell           | 20 +++++++++-
 apparmor.d/groups/gnome/gnome-text-editor     |  1 +
 5 files changed, 59 insertions(+), 8 deletions(-)
 create mode 100644 apparmor.d/groups/gnome-extension/batteryhealthchargingctl

diff --git a/apparmor.d/groups/gnome-extension/batteryhealthchargingctl b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl
new file mode 100644
index 000000000..4b1f7a138
--- /dev/null
+++ b/apparmor.d/groups/gnome-extension/batteryhealthchargingctl
@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/batteryhealthchargingctl{,-@{user}}
+@{exec_path} += /usr/local/bin/batteryhealthchargingctl{,-@{user}}
+profile batteryhealthchargingctl @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  capability dac_read_search,
+
+  @{exec_path} mr,
+
+  @{sh_path}       rix,
+  @{bin}/env       rix,
+  @{bin}/cmp       rix,
+  @{bin}/cut       rix,
+  @{bin}/pkaction  rix,
+  @{bin}/sed       rix,
+  @{bin}/sort      rix,
+
+  /etc/polkit-1/rules.d/*.batteryhealthcharging.setthreshold-@{user}.rules r,
+
+  @{user_share_dirs}/gnome-shell/extensions/Battery-Health-Charging@maniacx.github.com/resources/** r,
+
+  @{sys}/class/power_supply/ r,
+  @{sys}/devices/**/power_supply/BAT@{int}/charge_control_end_threshold w,
+  @{sys}/devices/**/power_supply/BAT@{int}/charge_control_start_threshold w,
+  @{sys}/devices/**/power_supply/BAT@{int}/charge_types rw,
+
+  include if exists <local/batteryhealthchargingctl>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 72833a065..695be9f0d 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -47,11 +47,6 @@ profile gnome-extension-ding @{exec_path} {
        interface=org.freedesktop.DBus*
        peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
-  dbus send bus=session path=/org/gtk/vfs/metadata
-       interface=org.gtk.vfs.Metadata
-       member=Set
-       peer=(name=:*, label=gvfsd-metadata),
-
   @{exec_path} mr,
 
   @{sh_path}                   rix,
diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
index c092f9372..3debf61ed 100644
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@@ -20,7 +20,7 @@ profile gnome-remote-desktop-daemon @{exec_path} {
   network inet stream,
   network inet6 stream,
 
-  #aa:dbus own bus=session name=org.gnome.RemoteDesktop
+  #aa:dbus own bus=system name=org.gnome.RemoteDesktop
   #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 
   @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index e21a54a76..15d8f7268 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -13,6 +13,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/bus/com.canonical.dbusmenu>
   include <abstractions/bus/net.hadess.PowerProfiles>
   include <abstractions/bus/net.hadess.SwitcherooControl>
   include <abstractions/bus/net.reactivated.Fprint>
@@ -160,17 +161,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{bin}/unzip                  rix,
 
+  @{bin}/flatpak                rPx,
   @{bin}/gjs-console            rPx,
   @{bin}/glib-compile-schemas   rPx,
   @{bin}/ibus-daemon            rPx,
-  @{bin}/Xwayland               rPx,
   @{bin}/tecla                  rPx,
-  @{bin}/flatpak rPx,
+  @{bin}/Xwayland               rPx,
   @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
   @{lib}/mutter-x11-frames      rPx,
   #aa:exec polkit-agent-helper
 
   @{sh_path}                                              rCx -> shell,
+  @{bin}/pkexec                                           rCx -> pkexec,
   @{lib}/gio-launch-desktop                               rCx -> open,
   @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop  rCx -> open,
 
@@ -390,6 +392,20 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
     include if exists <local/gnome-shell_shell>
   }
 
+  profile pkexec {
+    include <abstractions/base>
+    include <abstractions/app/pkexec>
+
+    ptrace read peer=gnome-shell,
+
+    @{bin}/pkexec mr,
+
+    /usr/local/bin/batteryhealthchargingctl{,-@{user}} rPx,
+    @{bin}/batteryhealthchargingctl{,-@{user}} rPx,
+
+    include if exists <local/gnome-shell_pkexec>
+  }
+
   profile open flags=(attach_disconnected,mediate_deleted,complain) {
     include <abstractions/base>
     include <abstractions/mesa>
diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor
index 22823753b..693b1618f 100644
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@@ -24,6 +24,7 @@ profile gnome-text-editor @{exec_path} {
   owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
 
   owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,
 
   deny @{user_share_dirs}/gvfs-metadata/* r,