feat(profile): improve general integration

See #407

apparmor.d/groups/freedesktop/xdg-user-dir

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/xdg-user-dir
 profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/xhost

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/xhost
-profile xhost @{exec_path} {
+profile xhost @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
   include <abstractions/X-strict>

apparmor.d/groups/systemd/systemd-generator-fstab

@@ -13,6 +13,7 @@ profile systemd-generator-fstab @{exec_path} {
 
   capability dac_override,
   capability dac_read_search,
+  capability mknod,
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-generator-user-autostart

@@ -16,6 +16,8 @@ profile systemd-generator-user-autostart @{exec_path} {
 
   @{exec_path} mr,
 
+  @{system_share_dirs}/applications/*.desktop r,
+
   @{etc_ro}/xdg/autostart/{,*.desktop} r,
 
   owner @{user_config_dirs}/autostart/{,*.desktop} r,

apparmor.d/groups/systemd/systemd-machined

@@ -49,6 +49,9 @@ profile systemd-machined @{exec_path} {
   @{PROC}/pressure/io r,
   @{PROC}/pressure/memory r,
 
+  /dev/ptmx rw,
+  /dev/pts/@{int} rw,
+
   include if exists <local/systemd-machined>
 }
 

apparmor.d/profiles-a-f/dunst

@@ -17,10 +17,13 @@ profile dunst @{exec_path} {
   @{exec_path} mr,
 
   /etc/xdg/dunst/dunstrc r,
+
   owner @{user_config_dirs}/dunst/dunstrc r,
 
   owner @{HOME}/.Xauthority r,
 
+  owner /dev/shm/dunst-@{rand6} rw,
+
   include if exists <local/dunst>
 }
 

apparmor.d/profiles-g-l/id

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/id
-profile id @{exec_path} {
+profile id @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-g-l/lspci

@@ -37,6 +37,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/@{pci}/** r,
   @{sys}/module/compression r,
 
+  @{PROC}/bus/pci/devices r,
   @{PROC}/cmdline r,
   @{PROC}/ioports r,
 

apparmor.d/profiles-m-r/nemo

@@ -11,15 +11,31 @@ include <tunables/global>
 profile nemo @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
+  include <abstractions/deny-sensitive-home>
   include <abstractions/desktop>
   include <abstractions/nameservice-strict>
+  include <abstractions/trash-strict>
 
   network inet stream,
   network inet6 stream,
 
   @{exec_path} mr,
 
-#   @{lib}/@{multiarch}/nemo/** mrix,
+  /usr/share/nemo/** r,
+
+  # Full access to user's data
+  / r,
+  /*/ r,
+  @{bin}/ r,
+  @{lib}/ r,
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/** rw,
+  owner @{HOME}/{,**} rw,
+  owner @{run}/user/@{uid}/{,**} rw,
+  owner @{tmp}/{,**} rw,
+
+  @{run}/mount/utab r,
 
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/profiles-m-r/pkexec

@@ -35,13 +35,10 @@ profile pkexec @{exec_path} {
 
   @{exec_path} mr,
 
-  # Apps to be run via pkexec
+  @{bin}/*       PUx,
-  @{bin}/*            rPUx,
+  @{lib}/**      PUx,
-  @{lib}/{,gvfs/}gvfsd-admin    rPx,
+  /opt/*/**      PUx,
-  @{lib}/cc-remote-login-helper rPx,
+  /usr/share/**  PUx,
-  @{lib}/update-notifier/package-system-locked  rPx,
-  /usr/share/apport/apport-gtk rPx,
-  #aa:exec polkit-agent-helper
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*} r,

apparmor.d/profiles-m-r/run-parts

@@ -14,7 +14,9 @@ profile run-parts @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
-  @{exec_path} mr,
+  capability mknod,
+
+  @{exec_path} mrix,
   
   @{sh_path}         rix,
   @{bin}/anacron     rix,
@@ -29,6 +31,7 @@ profile run-parts @{exec_path} {
   /etc/ r,
   /etc/anacrontab                                      r,
   /etc/conf.d/snapper{,**}                             r,
+  /etc/default/*                                       r,
   /etc/snapper/configs/root                            r,
 
   # Crontab
@@ -134,8 +137,12 @@ profile run-parts @{exec_path} {
 
   /usr/share/landscape/landscape-sysinfo.wrapper rPUx,
 
+  /root/ r,
+
+  /var/spool/anacron/cron.daily k,
+
   owner @{tmp}/#@{int} rw,
-  owner @{tmp}/$anacron* rw,
+  owner @{tmp}/$anacron@{rand6} rw,
   owner @{tmp}/file@{rand6} rw,
 
   owner @{sys}/class/power_supply/            r,

apparmor.d/profiles-s-z/strawberry

@@ -8,10 +8,11 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/strawberry
-profile strawberry @{exec_path} flags=(attach_disconnected) {
+profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/audio-client>
   include <abstractions/consoles>
+  include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-read>

apparmor.d/profiles-s-z/virt-manager

@@ -84,8 +84,12 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
   @{sys}/devices/virtual/drm/ttm/uevent r,
+  @{sys}/fs/cgroup/user.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
 
         @{PROC}/@{pids}/net/route r,
+  owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,

dists/flags/main.flags

@@ -306,6 +306,7 @@ steam-launch attach_disconnected,complain
 steam-launcher attach_disconnected,complain
 steam-runtime attach_disconnected,complain
 steamerrorreporter attach_disconnected,complain
+strawberry attach_disconnected,mediate_deleted,complain
 sulogin complain
 switcherooctl complain
 swtpm complain