From c9b87efebe10b52107ed7bb6c2676acc52e17d0b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 16 Mar 2024 19:27:45 +0000 Subject: [PATCH] chore: cosmetic. --- README.md | 25 ++++++------------------- apparmor.d/tunables/multiarch.d/paths | 1 - docs/development/guidelines.md | 9 +++++---- pkg/aa/profile_test.go | 2 +- tests/string.aa | 2 +- 5 files changed, 13 insertions(+), 26 deletions(-) diff --git a/README.md b/README.md index ba4d40c5f..3a62d5f0b 100644 --- a/README.md +++ b/README.md @@ -7,15 +7,12 @@ **Full set of AppArmor profiles** > [!WARNING] -> This project is still in its early development. Help is very -> welcome; see the [documentation website](https://apparmor.pujol.io/) including -> its [development](https://apparmor.pujol.io/development) section. +> This project is still in its early development. Help is very welcome; see the [documentation website](https://apparmor.pujol.io/) including its [development](https://apparmor.pujol.io/development) section. ## Description -**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine -most Linux based applications and processes. +**AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. **Purpose** 
@@ -40,29 +37,19 @@ most Linux based applications and processes. - Fully tested (Work in progress) -> This project is originally based on the work from [Morfikov][upstream] and aims -> to extend it to more Linux distributions and desktop environments. +> This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. ## Concepts *One profile a day keeps the hacker away* -There are over 50000 Linux packages and even more applications. It is simply not -possible to write an AppArmor profile for all of them. Therefore, a question arises: +There are over 50000 Linux packages and even more applications. It is simply not possible to write an AppArmor profile for all of them. Therefore, a question arises: **What to confine and why?** -We take inspiration from the [Android/ChromeOS Security Model][android_model] and -we apply it to the Linux world. Modern [Linux security distributions][clipos] usually -consider an immutable core base image with a carefully selected set of applications. -Everything else should be sandboxed. Therefore, this project tries to confine all -the *core* applications you will usually find in a Linux system: all systemd services, -xwayland, network, bluetooth, your desktop environment... Non-core user applications -are out of scope as they should be sandboxed using a dedicated tool (minijail, -bubblewrap, toolbox...). +We take inspiration from the [Android/ChromeOS Security Model][android_model], and we apply it to the Linux world. Modern [Linux security distributions][clipos] usually consider an immutable core base image with a carefully selected set of applications. Everything else should be sandboxed. Therefore, this project tries to confine all the *core* applications you will usually find in a Linux system: all systemd services, xwayland, network, Bluetooth, your desktop environment... 
Non-core user applications are out of scope as they should be sandboxed using a dedicated tool (minijail, bubblewrap, toolbox...). -This is fundamentally different from how AppArmor is usually used on Linux servers -as it is common to only confine the applications that face the internet and/or the users. +This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users. **Presentations** diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index aaa8bae7f..0bc17e447 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -47,7 +47,6 @@ @{open_path} = @{bin}/exo-open @{bin}/xdg-open @{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop -# Experimental - May be modified/removed without notice # Coreutils programs that should not have dedicated profile @{coreutils} = {,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown @{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname du echo env expand diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index 21bfebdcc..b25305f88 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -55,7 +55,7 @@ This rule order is taken from AppArmor with minor changes as we tend to: ### The file block -The file block should be sorted as follow: +The file block should be sorted as follows: | Order | Description | Example | Link | |:-----:|:-----------:|:-------:|:------:| @@ -75,7 +75,7 @@ The file block should be sorted as follow: ### The dbus block -The dbus block should be sorted as follow: +The dbus block should be sorted as follows: - The system bus should be sorted *before* the session bus - The bind rules should be sorted *after* the send & receive rules 
@@ -85,7 +85,7 @@ For DBus, try to determine peer's label when possible. E.g.: dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} - peer=(name=org.freedesktop.DBus, label=dbus-daemon), + peer=(name=org.freedesktop.DBus, label=dbus-session), ``` If there is no predictable label it can be omitted. @@ -106,7 +106,7 @@ If there is no predictable label it can be omitted. `Sub profile` -: Sub profile should comes at the end of a profile. +: Sub profile should come at the end of a profile. `Similar purpose` @@ -121,6 +121,7 @@ If there is no predictable label it can be omitted. * [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) * [The OpenSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) +* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html * [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) * [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) * [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) diff --git a/pkg/aa/profile_test.go b/pkg/aa/profile_test.go index 30f0ec901..78206b26f 100644 --- a/pkg/aa/profile_test.go +++ b/pkg/aa/profile_test.go @@ -105,7 +105,7 @@ func TestAppArmorProfile_String(t *testing.T) { }, &File{Path: "/opt/intel/oneapi/compiler/*/linux/lib/*.so./*", Access: "rm"}, &File{Path: "@{PROC}/@{pid}/task/@{tid}/comm", Access: "rw"}, - &File{Path: "@{sys}/devices/pci[0-9]*/**/class", Access: "r"}, + &File{Path: "@{sys}/devices/@{pci}/class", Access: "r"}, includeLocal1, }, }, diff --git a/tests/string.aa b/tests/string.aa index 333519d9b..896ac0b08 100644 --- a/tests/string.aa +++ b/tests/string.aa 
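Review bot: The test input in pkg/aa/profile_test.go and its expected output in tests/string.aa are changed in lockstep from `@{sys}/devices/pci[0-9]*/**/class` to `@{sys}/devices/@{pci}/class`, so this String() round-trip cannot tell whether `@{pci}` is actually a declared tunable or whether its expansion covers what the `pci[0-9]*/**` glob it replaces did; none of the five files in this patch defines it. Since the commit is labelled cosmetic, a short comment on the new line would keep the fixture traceable, e.g. `// @{pci} is a tunable declared under apparmor.d/tunables, not a literal path (confirm its definition when changing this)`. The paired change in the tests/string.aa hunk needs no separate note. TestAppArmorProfile_String begins and ends outside this hunk.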
@@ -36,7 +36,7 @@ profile foo @{exec_path} xattrs=(security.tagged=allowed) flags=(complain attach /opt/intel/oneapi/compiler/*/linux/lib/*.so./* rm, @{PROC}/@{pid}/task/@{tid}/comm rw, - @{sys}/devices/pci[0-9]*/**/class r, + @{sys}/devices/@{pci}/class r, include if exists }