From e55ace4e0a5646fd1e9ad786a4356689bb668d90 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 17 Aug 2025 00:07:53 +0200
Subject: [PATCH] fix(profile): issue with re-attached paths

- Add missing att on some profiles
- Fix alias / -> //
- Fix aa-log att variable resolution
fix #813 #814
---
 apparmor.d/abstractions/attached/base | 2 ++
 apparmor.d/abstractions/common/bwrap | 4 +++-
 apparmor.d/groups/flatpak/flatpak | 2 +-
 apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++---
 apparmor.d/groups/freedesktop/xwayland | 4 +---
 apparmor.d/groups/hyprland/hyprland | 3 +++
 apparmor.d/tunables/multiarch.d/system | 2 +-
 pkg/logs/logs.go | 3 +--
 8 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base
index e394c5b99..29c685f55 100644
--- a/apparmor.d/abstractions/attached/base
+++ b/apparmor.d/abstractions/attached/base
@@ -14,6 +14,8 @@
 @{att}/@{run}/systemd/journal/socket w,
 @{att}/@{run}/systemd/journal/stdout rw,
+ @{att}/dev/null rw,
+ /apparmor/.null rw,
 @{att}/apparmor/.null rw,
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index f4630475d..da73b8217 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -38,12 +38,14 @@
 pivot_root oldroot=/newroot/ /newroot/,
 pivot_root oldroot=/tmp/oldroot/ /tmp/,
- owner / r,
 owner /newroot/{,**} w,
 owner /tmp/newroot/ w,
 owner /tmp/oldroot/ w,
+ @{att}/ r,
+ @{att}/@{run}/.userns r,
+ @{PROC}/sys/kernel/overflowgid r,
 @{PROC}/sys/kernel/overflowuid r,
 @{PROC}/sys/user/max_user_namespaces r,
diff --git a/apparmor.d/groups/flatpak/flatpak b/apparmor.d/groups/flatpak/flatpak
index c34ae962f..fca84002a 100644
--- a/apparmor.d/groups/flatpak/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@@ -66,7 +66,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 /etc/flatpak/{,**} r,
 /etc/pulse/client.conf r,
- / r,
+ @{att}/ r,
 /var/lib/flatpak/{,**} rwlk,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index bc975e4ea..5c62b0771 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -64,9 +64,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 @{lib}/xdg-desktop-portal-validate-icon rPx,
 @{open_path} rPx -> child-open,
- / r,
- @{att}/.flatpak-info r,
- owner @{att}/ r,
+ / r,
+ @{att}/ r,
+ @{att}/.flatpak-info r,
 /usr/share/dconf/profile/gdm r,
 /usr/share/xdg-desktop-portal/** r,
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland
index 9b329e06a..e8c94916d 100644
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -41,9 +42,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pids}/cmdline r,
- @{att}/dev/tty@{int} rw,
- /dev/tty rw,
- include if exists }
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland
index 8c8c32da0..c1e6da4d8 100644
--- a/apparmor.d/groups/hyprland/hyprland
+++ b/apparmor.d/groups/hyprland/hyprland
@@ -62,6 +62,9 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/environ r,
+ @{att}/dev/dri/card@{int} rw,
+ @{att}/dev/input/event@{int} rw,
+ /dev/input/event@{int} rw,
 /dev/tty r,
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system
index 06cb42000..e2f297045 100644
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@@ -74,6 +74,6 @@
 # See https://apparmor.pujol.io/development/internal/#re-attached-path
 @{att}=/
-alias // -> /,
+alias / -> //,
 # vim:syntax=apparmor
diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go
index 2443eaace..b0ae58702 100644
--- a/pkg/logs/logs.go
+++ b/pkg/logs/logs.go
@@ -64,7 +64,7 @@ var (
 `/home/[^/]+/`, `@{HOME}/`,
 // Resolve system variables
- `/att/[^/@]+`, `@{att}/`,
+ `/att/[^/]+/`, `@{att}/`,
 `/usr/lib(32|64|exec)`, `@{lib}`,
 `/usr/lib`, `@{lib}`,
 `/usr/sbin`, `@{sbin}`,
@@ -86,7 +86,6 @@ var (
 `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`,
 `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`,
 `1000`, `@{uid}`,
- `@{att}//`, `@{att}/`,
 // Some system glob
 `:not.active.yet`, `@{busname}`, // dbus unique bus name
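Review bot: The alias direction is reversed on the `+alias / -> //,` line with nothing but the URL comment above to say which way is intended, and a reversal this small is easy to flip back by accident; add a one-line comment beside it, e.g. `# rules written for / also apply to // (what @{att}/... expands to with @{att}=/)`. If alias keeps its documented reading of "rules for the left path also apply to the right path", the old rule made `@{att}/foo` rules cover `/foo` while the new one makes `/foo` rules cover `//foo`, which is the opposite effect rather than a spelling fix, so the commit or the comment should say why this direction is the correct one. Confirming it with aa-log against a real denial on a re-attached path would pin the behaviour down.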
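Review bot: The new pattern `/att/[^/]+/` is unanchored and, unlike the old `[^/@]+`, no longer refuses a component beginning with `@`, so a path that merely contains `/att/` further down, or a line fed through this table twice, is rewritten as well; if these pairs drive regexp.ReplaceAllString over the whole log line (not visible here), consider anchoring the match to the start of the path value. The trailing `/` is now mandatory, so a value that ends right after the first component, such as `/att/<name>` with nothing following, stays unresolved where the old pattern rewrote it; whether that shape occurs in real logs is worth pinning with a unit test that feeds `/att/<name>/usr/bin/foo` and `/att/<name>` (placeholder names) through the resolver and asserts the `@{att}/` form. The removal of the `@{att}//` pair in the second logs.go hunk only holds because the slash is consumed here, so the two hunks must land together. The enclosing `var (` block starts and ends outside the hunk.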