From 887b2b0d62742af7744685447ed5a9c371a9c469 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Tue, 22 Oct 2024 13:27:18 +0100
Subject: [PATCH 1/3] build: various improvment to the makefile.

---
 Makefile | 47 +++++++++++++++++++++++++++--------------------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/Makefile b/Makefile
index 8817b4f68..685649112 100644
--- a/Makefile
+++ b/Makefile
@@ -7,35 +7,35 @@ DESTDIR ?= /
 BUILD ?= .build
 PKGDEST ?= ${PWD}/.pkg
 PKGNAME := apparmor.d
-P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
-
-.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint check manual docs serve clean
+PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
 
+.PHONY: all
 all: build
 	@./${BUILD}/prebuild --complain
 
+.PHONY: build
 build:
 	@go build -o ${BUILD}/ ./cmd/aa-log
 	@go build -o ${BUILD}/ ./cmd/prebuild
 
+.PHONY: enforce
 enforce: build
 	@./${BUILD}/prebuild
 
+.PHONY: full
 full: build
 	@./${BUILD}/prebuild --complain --full
 
-SHARE = $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n")
-PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n")
-DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n")
+.PHONY: install
 install:
 	@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
-	@for file in ${SHARE}; do \
+	@for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \
 		install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \
 	done;
-	@for file in ${PROFILES}; do \
+	@for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \
 		install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
 	done;
-	@for file in ${DISABLES}; do \
+	@for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \
 		mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
 		cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
 	done;
@@ -48,19 +48,14 @@ install:
 		install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
 	done
 
-local:
-	@make
-	@sudo make install
-	@sudo systemctl restart apparmor || sudo systemctl status apparmor
 
-ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n")
-TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n")
-$(P):
+.PHONY: $(PROFILES)
+$(PROFILES):
 	@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
-	@for file in ${ABSTRACTIONS}; do \
+	@for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \
 		install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
 	done;
-	@for file in ${TUNABLES}; do \
+	@for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \
 		install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
 	done;
 	@echo "Warning: profile dependencies fallback to unconfined."
@@ -69,34 +64,41 @@ $(P):
 		sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \
 		install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
 	done;
-	@systemctl restart apparmor || systemctl status apparmor
+	@systemctl restart apparmor || sudo journalctl -xeu apparmor.service
 
+.PHONY: dev
 name ?= 
 dev:
 	@go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name})
 	@sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}
-	@sudo systemctl restart apparmor || systemctl status apparmor
+	@sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
 
+.PHONY: package
 dist ?= archlinux
 package:
 	@bash dists/docker.sh ${dist}
 
+.PHONY: pkg
 pkg:
 	@makepkg --syncdeps --install --cleanbuild --force --noconfirm
 
+.PHONY: dpkg
 dpkg:
 	@bash dists/build.sh dpkg
 	@sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb
 
+.PHONY: rpm
 rpm:
 	@bash dists/build.sh rpm
 	@sudo rpm -ivh --force  ${PKGDEST}/${PKGNAME}-*.rpm
 
+.PHONY: tests
 tests:
 	@go test ./cmd/... -v -cover -coverprofile=coverage.out
 	@go test ./pkg/... -v -cover -coverprofile=coverage.out
 	@go tool cover -func=coverage.out
 
+.PHONY: lint
 lint:
 	@golangci-lint run
 	@make --directory=tests lint
@@ -105,6 +107,7 @@ lint:
 		tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
 		debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
 
+.PHONY: check
 check:
 	@bash tests/check.sh
 
@@ -112,15 +115,19 @@ check:
 bats:
 	@bats --print-output-on-failure tests/bats/
 
+.PHONY: manual
 manual:
 	@pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md
 
+.PHONY: docs
 docs:
 	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
 
+.PHONY: serve
 serve:
 	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
 
+.PHONY: clean
 clean:
 	@rm -rf \
 		debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \

From b72552bdf214319b14896ef1af5c8d9c6f7be271 Mon Sep 17 00:00:00 2001
From: odomingao <sabadao@riseup.net>
Date: Tue, 22 Oct 2024 10:45:28 -0300
Subject: [PATCH 2/3] Create pypr

---
 apparmor.d/groups/hyprland/pypr | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 apparmor.d/groups/hyprland/pypr

diff --git a/apparmor.d/groups/hyprland/pypr b/apparmor.d/groups/hyprland/pypr
new file mode 100644
index 000000000..2f489e055
--- /dev/null
+++ b/apparmor.d/groups/hyprland/pypr
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pypr
+profile pypr @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/app-launcher-user>
+  include <abstractions/consoles>
+
+  signal send set=(term kill),
+
+  ptrace read,
+
+  @{exec_path} mr,
+
+  owner @{user_config_dirs}/hypr/pyprland.toml r,
+
+  owner @{run}/user/@{uid}/hypr/*/.pyprland.sock rw,
+
+  owner /dev/tty@{int} rw, # file_inherit
+
+  include if exists <local/pypr>
+}
+
+# vim:syntax=apparmor

From 88b362f7fb39ca6ce9a3e3f329d7c1d4821039b2 Mon Sep 17 00:00:00 2001
From: Besanon <m231009ts@mailfence.com>
Date: Tue, 22 Oct 2024 19:51:02 +0200
Subject: [PATCH 3/3] Create abstraction for lxqt desktop group (#572)

first file for the LXQT 2.0 desktop group
---
 apparmor.d/abstractions/lxqt | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 apparmor.d/abstractions/lxqt

diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt
new file mode 100644
index 000000000..c1633033f
--- /dev/null
+++ b/apparmor.d/abstractions/lxqt
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Besanon <m231009ts@mailfence.com>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  include <abstractions/fonts>
+  include <abstractions/fontconfig-cache-write>
+  include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
+  include <abstractions/qt5>
+  include <abstractions/wayland>
+  include <abstractions/X-strict>
+  include <abstractions/xdg-desktop>
+
+  signal (receive) set=(kill, term) peer=lxqt-session,
+
+  /usr/share/hwdata/pnp.ids r,
+  /usr/share/icu/@{int}.@{int}/*.dat r,
+  /usr/share/lxqt/** r,
+ 
+  owner @{HOME}/.Xdefaults r,
+
+  owner @{user_cache_dirs}/lxqt-notificationd/* r,
+
+  owner @{user_config_dirs}/lxqt/*.conf rw,
+
+  include if exists <abstractions/lxqt.d>
+
+# vim:syntax=apparmor