From ec04495c4ac8402e0009cae575b853d4277535a9 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 20 Mar 2025 00:34:24 +0100
Subject: [PATCH] feat(profile): update for ubuntu/debian based systems.

---
 apparmor.d/groups/apt/dpkg-preconfigure | 2 ++
 apparmor.d/groups/apt/unattended-upgrade | 5 +++++
 apparmor.d/groups/bus/ibus-daemon | 1 +
 apparmor.d/groups/bus/ibus-dconf | 6 ++----
 apparmor.d/groups/bus/ibus-portal | 1 +
 apparmor.d/groups/cron/cron-popularity-contest | 1 -
 apparmor.d/groups/gnome/gnome-initial-setup | 4 ++++
 apparmor.d/groups/gnome/gnome-session-binary | 1 +
 apparmor.d/groups/gnome/mutter-x11-frames | 1 +
 apparmor.d/groups/gnome/nautilus | 2 +-
 apparmor.d/groups/gnome/session-migration | 2 ++
 11 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 38fe3f005..f19a20d71 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -51,6 +51,8 @@ profile dpkg-preconfigure @{exec_path} {
 /var/lib/locales/supported.d/{,*} r,
+ /var/cache/debconf/tmp.ci/ w,
+
 owner @{tmp}/*.template.* rw,
 owner @{tmp}/*.config.* rwPUx,
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index dbbfb413e..8a7c9755f 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -62,10 +62,12 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 /usr/share/distro-info/* r,
+ @{etc_ro}/login.defs r,
 @{etc_ro}/security/capability.conf r,
 /etc/apt/*.list r,
 /etc/apt/apt.conf.d/{,**} r,
 /etc/debian_version r,
+ /etc/default/apport r,
 /etc/default/grub.d/* r,
 /etc/dpkg/origins/{,debian,ubuntu} r,
 /etc/fwupd/{,**} r,
@@ -107,6 +109,9 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/apt-dpkg-install-*/{,*} rw,
+ @{PROC}/@{pid}/attr/current r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/environ r,
 @{PROC}/@{pids}/mountinfo r,
 @{PROC}/@{pids}/stat r,
 owner @{PROC}/@{pids}/fd/ r,
diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon
index dca91e5f2..3fdab031b 100644
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@@ -55,6 +55,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pids}/fd/ r,
+ owner @{att}/dev/tty@{int} rw,
 owner /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf
index 8746e3795..6f66ec9b2 100644
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@@ -11,13 +11,11 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
- signal (receive) set=term peer=ibus-daemon,
-
- unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
- unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),
+ signal receive set=term peer=ibus-daemon,
 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index 5d96f359e..53edb4b00 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@@ -27,6 +27,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 owner @{desktop_config_dirs}/ibus/bus/ r,
 owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
+ owner @{att}/dev/tty@{int} rw,
 owner /dev/tty@{int} rw,
 include if exists
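Review bot: The three added `@{PROC}/@{pid}/...` reads carry no `owner` qualifier, unlike the existing `owner @{PROC}/@{pids}/fd/ r,` two lines below, so the profile now permits reading the `environ` and `cmdline` of any process matching the pattern rather than only its own; `environ` in particular commonly holds tokens and passwords passed to child processes. If unattended-upgrade only needs its own entries (typically opened through /proc/self), `owner @{PROC}/@{pid}/environ r,` and the same qualifier on the `cmdline` and `attr/current` lines preserve the functionality with a narrower rule. The new lines also use `@{pid}` while the neighbouring rules use `@{pids}`; whichever is intended, keeping one variable makes the block easier to audit. The profile body continues outside the hunk.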
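Review bot: The two removed `unix` rules pinned the ibus socket peers to `label=ibus-daemon` and a specific abstract-socket address, and nothing visible in the hunk replaces them; the new `include` line presumably supplies that access, but its target is stripped in this rendering, so it should be checked that the included abstraction still constrains the peer label rather than granting unrestricted unix stream access. A comment such as `# unix socket access to ibus-daemon is provided by the include above` beside the `signal receive` rule would make that dependency explicit for the next reader. The `dbus receive` rule on the last context line continues outside the hunk.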
diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest
index dd50a7494..21455fb7d 100644
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@@ -141,7 +141,6 @@ profile cron-popularity-contest @{exec_path} {
 network inet6 stream,
 network netlink raw,
- @{bin}/perl r,
 @{bin}/gzip rix,
 /usr/share/popularity-contest/popcon-upload r,
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup
index be73974c8..3f5cf6109 100644
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@@ -74,6 +74,10 @@ profile gnome-initial-setup @{exec_path} {
 @{run}/systemd/sessions/@{int} r,
 @{run}/systemd/users/@{uid} r,
+ @{sys}/fs/cgroup/user.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+ owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/gnome-initial-setup-first-login.service/memory.* r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index babd12c3d..f7cb96dea 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -103,6 +103,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 profile open flags=(attach_disconnected) {
 include
 include
+ include
 include
 @{bin}/env rix,
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index d41ba2c7e..5cfbc5a09 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
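Review bot: Of the four added `cpu.max` reads in gnome-initial-setup, only the `app.slice/cpu.max` line carries `owner`, while the `user-@{uid}.slice/user@@{uid}.service/cpu.max` line directly above it does not, even though both sit in the same per-user subtree that the existing `memory.*` rule guards with `owner`. If that delegated `user@@{uid}.service` subtree is owned by the session user, as the existing rule suggests, `owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,` keeps the rules consistent; the two slice-level files above it are likely outside the delegated subtree and would not match with `owner`, so leaving them as written looks right. These are read-only scheduler limits, so the exposure is small either way, but consistent qualifiers make later audits easier. The profile body continues outside the hunk.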
@@ -14,6 +14,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 016a41bd5..373593440 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -38,7 +38,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine
 interface=org.gtk.private.CommandLine
 member=Print
- peer=(name=:*, label=nautilus),
+ peer=(name=@{busname}, label=nautilus),
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus
diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration
index ac3009fc7..9af0d4714 100644
--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/session-migration
 profile session-migration @{exec_path} {
 include
+ include
 include
 include
@@ -19,6 +20,7 @@ profile session-migration @{exec_path} {
 @{bin}/gsettings rPx,
 /usr/share/session-migration/scripts/* rix,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
 /usr/share/session-migration/{,**} r,
 owner @{gdm_share_dirs}/session_migration-* rw,