From f76051f1141d317a97f55911f3b3704abc763fdc Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 29 Feb 2024 21:15:59 +0000
Subject: [PATCH] feat(profile): add some unix rules with local address.

---
 apparmor.d/groups/bus/ibus-dconf | 1 +
 apparmor.d/groups/bus/ibus-x11 | 2 ++
 apparmor.d/groups/freedesktop/plymouthd | 1 +
 apparmor.d/groups/gnome/gdm-session-worker | 2 ++
 apparmor.d/groups/ssh/gcr-ssh-agent | 2 ++
 apparmor.d/groups/ssh/ssh-agent | 1 +
 apparmor.d/groups/systemd/busctl | 2 ++
 apparmor.d/groups/systemd/systemd-localed | 2 ++
 apparmor.d/groups/systemd/systemd-timesyncd | 1 +
 9 files changed, 14 insertions(+)

diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf
index 23528d790..d85231dd1 100644
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@@ -14,6 +14,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
 include
 include
+ signal (receive) set=(cont, term) peer=@{systemd_user},
 signal (receive) set=term peer=ibus-daemon,
 unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index 2383fc3c1..74ee525fb 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -20,6 +20,8 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 include
 include
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
 network inet stream,
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index b89fd996c..1eaa24943 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -19,6 +19,7 @@ profile plymouthd @{exec_path} {
 network netlink raw,
 signal (send) peer=unconfined,
+ signal (send) set=(rtmin+23) peer=@{systemd},
 signal (send) set=(rtmin+23) peer=systemd-shutdown,
 ptrace (read) peer=plymouth,
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index d3eee909f..0ce36eeab 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -47,6 +47,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 signal (send) set=hup peer=xwayland,
 signal (send) set=term peer=gdm-*-session,
+ unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,
+
 dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=*Session
diff --git a/apparmor.d/groups/ssh/gcr-ssh-agent b/apparmor.d/groups/ssh/gcr-ssh-agent
index 9d556ada6..5c5722eed 100644
--- a/apparmor.d/groups/ssh/gcr-ssh-agent
+++ b/apparmor.d/groups/ssh/gcr-ssh-agent
@@ -10,6 +10,8 @@ include
 profile gcr-ssh-agent @{exec_path} {
 include
+ signal (receive) set=(cont, term) peer=@{systemd_user},
+
 @{exec_path} mr,
 include if exists
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index 0070d955a..6cb27bba0 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -13,6 +13,7 @@ profile ssh-agent @{exec_path} {
 include
 include
+ signal (receive) set=(cont term) peer=@{systemd_user},
 signal (receive) set=term peer=cockpit-bridge,
 signal (receive) set=term peer=gnome-keyring-daemon,
diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl
index 869e3089a..69777e4e0 100644
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@@ -17,6 +17,8 @@ profile busctl @{exec_path} {
 ptrace (read),
+ unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,
+
 @{exec_path} mr,
 @{bin}/less rPx -> child-pager,
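Review bot: The new `signal (send) set=(rtmin+23) peer=@{systemd},` line in the plymouthd hunk carries no comment saying what plymouthd uses that realtime signal on the service manager for, and the neighbouring `peer=systemd-shutdown` rule does not explain it either. SIGRTMIN+23 is one of the runtime control signals listed under "Signals" in systemd(1) (I believe it restores the log level), but that should be confirmed against the plymouth source rather than taken from memory. A one-line comment above the pair, e.g. `# Runtime control signal to the service manager, see systemd(1) "Signals"`, would let a later reader check both rules against the documented list. The profile body continues outside the hunk.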
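Review bot: The abstract socket name `@@{hex}/bus/gdm-session-wor/system` added in the gdm-session-worker hunk reads like a typo to anyone who does not know where it comes from, and nothing in the hunk explains it. The truncated component is presumably the 15-byte process name that sd-bus embeds in its bind address (the same pattern is visible as `systemd-timesyn` in the existing line of the systemd-timesyncd hunk, and `systemd-localed` in its hunk fits the limit unabbreviated), so a short comment such as `# sd-bus abstract socket; the process name is capped at 15 chars` above the rule would stop a later cleanup from "correcting" it — confirm the truncation source before settling on that wording. The enclosing profile continues outside the hunk.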
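Review bot: The added `signal (receive) set=(cont term) peer=@{systemd_user},` in the ssh-agent hunk separates the signal names with a space only, while the identical rule added to ibus-dconf, ibus-x11 and gcr-ssh-agent in this same patch writes `set=(cont, term)`. Both spellings appear in the patch so both presumably parse, but the profiles are easier to grep and diff when the same rule is spelled the same way; change it to `signal (receive) set=(cont, term) peer=@{systemd_user},`. The profile body continues outside the hunk.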
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 7b635eb80..2156e8d6c 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -17,6 +17,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 # Needed? audit capability net_admin,
+ unix (bind) type=stream addr=@@{hex}/bus/systemd-localed/system,
+
 # dbus: own bus=system name=org.freedesktop.locale1
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index 3bafe890e..64acd8699 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -22,6 +22,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 network inet6 stream,
 unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
+ unix (send, receive) type=dgram addr=none peer=(label=@{systemd}, addr=none),
 # dbus: own bus=system name=org.freedesktop.timesync1
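Review bot: The added `unix (send, receive) type=dgram addr=none peer=(label=@{systemd}, addr=none),` in the systemd-timesyncd hunk identifies the peer only by label, since both ends are unnamed, and nothing in the hunk records which systemd facility the datagram exchange belongs to. That makes it hard to judge later whether the rule is still needed or could be narrowed, so I would add a comment above it naming the mechanism once it is confirmed from the denial that prompted the rule, e.g. `# Unnamed dgram socket shared with the service manager — TODO: record which systemd interface this is`. The profile body continues outside the hunk.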