From 04f2d2c9a386c8c41a54ccbc941d61d2b004c64a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 7 Apr 2021 18:05:15 +0100
Subject: [PATCH] Rules fix.
---
 apparmor.d/groups/desktop/accounts-daemon | 2 ++
 apparmor.d/groups/gvfs/gvfsd-fuse | 2 ++
 apparmor.d/groups/systemd/systemd-rfkill | 1 +
 apparmor.d/groups/systemd/systemd-tmpfiles | 1 +
 apparmor.d/profiles-a-l/browserpass | 4 ++--
 apparmor.d/profiles-a-l/git | 1 +
 apparmor.d/profiles-a-l/gitstatusd | 2 +-
 apparmor.d/profiles-m-z/polkitd | 1 +
 apparmor.d/profiles-m-z/udisksd | 3 +++
 9 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/desktop/accounts-daemon b/apparmor.d/groups/desktop/accounts-daemon
index f8430b97..243f1e87 100644
--- a/apparmor.d/groups/desktop/accounts-daemon
+++ b/apparmor.d/groups/desktop/accounts-daemon
@@ -14,6 +14,8 @@ profile accounts-daemon @{exec_path} {
 include
 # Needed?
+ capability dac_read_search,
+ capability sys_ptrace,
 deny capability sys_nice,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index 5adfe8a3..51757cae 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -19,6 +20,7 @@ profile gvfsd-fuse @{exec_path} {
 /dev/fuse rw,
+ @{PROC}/sys/fs/pipe-max-size r,
 profile fusermount {
 include
diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill
index a3cbc4e1..acbb572e 100644
--- a/apparmor.d/groups/systemd/systemd-rfkill
+++ b/apparmor.d/groups/systemd/systemd-rfkill
@@ -13,6 +13,7 @@ profile systemd-rfkill @{exec_path} {
 include
 capability net_admin,
+ capability sys_ptrace,
 network netlink raw,
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index bf032621..8bbbc170 100644
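Review bot: The two rules added to accounts-daemon, `capability dac_read_search,` and `capability sys_ptrace,`, carry no comment saying which denial they resolve, and they are inserted directly below the existing `# Needed?` line, which in the old text sat above `deny capability sys_nice,` and now reads as if it questioned the new rules instead. The same two points apply to the `capability sys_ptrace,` added to systemd-rfkill in the third hunk of this patch and to polkitd, and to the `dac_read_search`/`dac_override` pair added to udisksd (where the author did re-add a `# Needed?` above the deny, which suggests the comment is meant to stay with `deny capability sys_nice,` here too). CAP_SYS_PTRACE and CAP_DAC_READ_SEARCH each bypass a whole class of kernel checks, so a one-line rationale next to each grant, in the style of udisksd's `# Error mounting ...` comment — for example `# Needed for: <operation taken from the audit log>` — would let a later reviewer judge whether a narrower rule would do. If the underlying denial is a ptrace-style read of another process, AppArmor mediates that separately from the capability, so a `ptrace (read)` rule may be needed alongside it; the surrounding profile bodies are outside the hunks.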
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -21,6 +21,7 @@ profile systemd-tmpfiles @{exec_path} {
 @{exec_path} mr,
 /etc/machine-id r,
+ /etc/brlapi.key w,
 /usr/share/factory/{,**} r,
 # Config file locations
diff --git a/apparmor.d/profiles-a-l/browserpass b/apparmor.d/profiles-a-l/browserpass
index f2663065..728adc2d 100644
--- a/apparmor.d/profiles-a-l/browserpass
+++ b/apparmor.d/profiles-a-l/browserpass
@@ -22,8 +22,8 @@ profile browserpass @{exec_path} {
 owner @{HOME}/.password-store/{,**} r,
 owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/.parentlock rw,
 owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/extensions/* r,
- owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
- owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
+ owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
+ owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/profiles-a-l/git b/apparmor.d/profiles-a-l/git
index 836bf678..d463cb34 100644
--- a/apparmor.d/profiles-a-l/git
+++ b/apparmor.d/profiles-a-l/git
@@ -18,6 +18,7 @@ include
 profile git @{exec_path} {
 include
 include
+ include
 include
 include
diff --git a/apparmor.d/profiles-a-l/gitstatusd b/apparmor.d/profiles-a-l/gitstatusd
index 5aee10b9..efdbc758 100644
--- a/apparmor.d/profiles-a-l/gitstatusd
+++ b/apparmor.d/profiles-a-l/gitstatusd
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /usr/share/zsh-theme-powerlevel10k/gitstatus/usrbin/gitstatusd{,-*}
+@{exec_path} = /usr/share/zsh-theme-powerlevel[0-9]*k/gitstatus/usrbin/gitstatusd{,-*}
 profile gitstatusd @{exec_path} {
 include
diff --git a/apparmor.d/profiles-m-z/polkitd b/apparmor.d/profiles-m-z/polkitd
index f2e064ad..a3f81fe4 100644
--- a/apparmor.d/profiles-m-z/polkitd
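Review bot: `/etc/brlapi.key w,` in systemd-tmpfiles is the only write rule visible in this hunk and the only one targeting a file under /etc, yet it has no comment; the neighbouring `# Config file locations` line shows the profile does annotate its groups of rules. A comment above it such as `# Created by a tmpfiles.d entry (presumably brltty's) — confirm against the tmpfiles.d fragment` would record why a system-wide key file belongs in this profile and why `w` alone, rather than `rw`, is the intended scope. The rest of the profile is outside the hunk.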
+++ b/apparmor.d/profiles-m-z/polkitd
@@ -16,6 +16,7 @@ profile polkitd @{exec_path} {
 capability setgid,
 # Needed?
+ capability sys_ptrace,
 audit deny capability net_admin,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-z/udisksd b/apparmor.d/profiles-m-z/udisksd
index 8afd1367..a8c8ce2f 100644
--- a/apparmor.d/profiles-m-z/udisksd
+++ b/apparmor.d/profiles-m-z/udisksd
@@ -23,6 +23,9 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 # Error mounting /dev/sd* at /media/*/*: Operation not permitted.
 capability sys_admin,
+ capability dac_read_search,
+ capability dac_override,
+ # Needed?
 deny capability sys_nice,