Update profiles.

apparmor.d/profiles-a-f/aa-enabled

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/aa-enabled
 profile aa-enabled @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 

apparmor.d/profiles-a-f/adb

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -10,15 +11,15 @@ include <tunables/global>
 @{exec_path} += /{usr/,}lib/android-sdk/platform-tools/adb
 profile adb @{exec_path} {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
   include <abstractions/devices-usb>
+  include <abstractions/nameservice-strict>
   include <abstractions/user-download-strict>
 
-  # For adb kill-server:
-  #  cannot connect to daemon at tcp:5037: Permission denied
   network inet stream,
   network inet6 stream,
 
+  signal (receive) set=(kill) peer=scrcpy,
+
   @{exec_path} mrix,
 
   /usr/share/scrcpy/scrcpy-server r,

apparmor.d/profiles-a-f/apparmor.systemd

@@ -13,14 +13,15 @@ profile apparmor.systemd @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh           rix,
-  /{usr/,}bin/getconf              rix,
-  /{usr/,}bin/{,e}grep             rix,
-  /{usr/,}bin/ls                   rix,
-  /{usr/,}bin/xargs                rix,
   /{usr/,}{s,}bin/aa-status        rPx,
   /{usr/,}{s,}bin/apparmor_parser  rPx,
-  
+  /{usr/,}bin/{,ba,da}sh           rix,
+  /{usr/,}bin/{,e}grep             rix,
+  /{usr/,}bin/getconf              rix,
+  /{usr/,}bin/ls                   rix,
+  /{usr/,}bin/systemd-detect-virt  rPx,
+  /{usr/,}bin/xargs                rix,
+
   /{usr/,}lib/apparmor/rc.apparmor.functions r,
 
   /etc/apparmor.d/ r,

apparmor.d/profiles-a-f/apparmor_parser

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{usr/,}bin/apparmor_parser
+@{exec_path} = /{usr/,}{s,}bin/apparmor_parser
 profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
@@ -18,6 +18,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
   /etc/apparmor.d/{,**} r,
   /etc/apparmor.d/cache.d/{,**} rw,
 
+  /usr/share/apparmor-features/{,**} r,
   /usr/share/apparmor/{,**} r,
 
   owner /var/cache/apparmor/{,**} rw,

apparmor.d/profiles-a-f/dhclient-script

@@ -57,7 +57,8 @@ profile dhclient-script @{exec_path} {
   /{usr/,}bin/ip        rix,
 
   # For loadbalance
-  /etc/iproute2/** r,
+  /etc/iproute2/rt_tables r,
+  /etc/iproute2/rt_tables.d/{,*} r,
   owner @{PROC}/@{pid}/loginuid r,
 
   # For updating the /etc/resolv.conf file
@@ -90,8 +91,7 @@ profile dhclient-script @{exec_path} {
   @{run}/chrony-dhcp/ rw,
 
   # file_inherit
-  /var/lib/dhcp/*.leases r,
-
+  /var/lib/dhcp/dhclient.leases r,
 
   profile run-parts {
     include <abstractions/base>
@@ -101,7 +101,7 @@ profile dhclient-script @{exec_path} {
     /etc/dhcp/dhclient-{enter,exit}-hooks.d/ r,
 
     # file_inherit
-    /var/lib/dhcp/*.leases r,
+    owner /var/lib/dhcp/dhclient.leases r,
 
   }
 

apparmor.d/profiles-a-f/dmesg

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -23,5 +23,8 @@ profile dmesg @{exec_path} {
   /dev/kmsg r,
   /usr/share/terminfo/{,**} r,
 
+  deny /{usr/,}local/bin/ r,
+  deny /{usr/,}bin/{,*/} r,
+
   include if exists <local/dmesg>
 }

apparmor.d/profiles-a-f/exim4

@@ -67,6 +67,7 @@ profile exim4 @{exec_path} {
         @{run}/exim4/ r,
   owner @{run}/exim4/exim.pid rw,
 
+        @{run}/resolvconf/resolv.conf r,
   owner @{run}/dbus/system_bus_socket rw,
 
   # file_inherit