From 079100e67afb0abc46f5f7f5535e3fafa8c23e06 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 20 Nov 2021 14:13:45 +0000
Subject: [PATCH] Update profiles.
---
 apparmor.d/groups/browsers/firefox | 170 +++++++++------------
 apparmor.d/groups/gnome/gdm-session-worker | 1 +
 apparmor.d/groups/gnome/gsd-xsettings | 4 +-
 apparmor.d/groups/pacman/mkinitcpio | 4 +-
 apparmor.d/groups/pacman/pacman | 13 +-
 apparmor.d/groups/pacman/pacman-conf | 1 +
 apparmor.d/groups/pacman/pacman-key | 26 +++-
 7 files changed, 107 insertions(+), 112 deletions(-)
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 8e15f157..1965fd09 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -12,11 +12,11 @@ include
 @{MOZ_LIBDIR} = /{usr/,}lib/firefox{,-esr}
 @{MOZ_HOMEDIR} = @{HOME}/.mozilla
 @{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla
-
 @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
 profile firefox @{exec_path} flags=(attach_disconnected) {
 include
 include
+ include
 include
 include
 include
@@ -25,6 +25,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
@@ -32,7 +33,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- ##include
+
+ # Needed only when the kernel.unprivileged_userns_clone option is set to "1".
+ capability sys_admin,
+ capability sys_chroot,
 ptrace peer=@{profile_name},
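Review bot: `capability sys_admin,` and `capability sys_chroot,` are granted unconditionally even though the comment right above them says they are needed only when `kernel.unprivileged_userns_clone` is set to 1; as far as I know AppArmor cannot make a rule depend on a sysctl, so on hosts where the sandbox works without them the browser still holds CAP_SYS_ADMIN, which is a very broad capability for a network-facing process. I would record that trade-off at the rule itself, e.g. `# Unconditional grant: CAP_SYS_ADMIN is broad; drop both rules if the sandbox starts without them on your kernel`, so a reader does not assume the grant is conditional. The same "needed only when" comment is repeated verbatim at the uid_map/gid_map block in the -172 hunk; a cross-reference on one of the two would keep them from drifting apart.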
@@ -47,39 +51,58 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mrix,
- # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
- # to "1".
- capability sys_admin,
- capability sys_chroot,
- owner @{PROC}/@{pid}/setgroups w,
- owner @{PROC}/@{pid}/gid_map w,
- owner @{PROC}/@{pid}/uid_map w,
- /{usr/,}bin/{,ba,da}sh rix,
- # Firefox files
- @{MOZ_LIBDIR}/{,**} r,
- @{MOZ_LIBDIR}/*.so mr,
+ @{MOZ_LIBDIR}/{,**} r,
+ @{MOZ_LIBDIR}/*.so mr,
 @{MOZ_LIBDIR}/crashreporter rPx,
 @{MOZ_LIBDIR}/minidump-analyzer rPx,
 @{MOZ_LIBDIR}/pingsender rPx,
 @{MOZ_LIBDIR}/plugin-container rPx,
- /usr/share/firefox/{,**} r,
- /etc/firefox/{,**} r,
- # Firefox plugins & extensions
+ @{libexec}/gvfsd-metadata rPx -> gvfsd-metadata,
+ /{usr/,}bin/browserpass rPx,
+ /{usr/,}bin/gpa rPUx,
+ /{usr/,}bin/keepassxc-proxy rPUx,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
+
+ # Allowed apps to open
+ /{usr/,}bin/xdg-open rCx -> open,
+ /{usr/,}bin/exo-open rCx -> open,
+ /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
+ /{usr/,}bin/engrampa rPx,
+ /{usr/,}bin/geany rPx,
+ /{usr/,}bin/okular rPx,
+ /{usr/,}bin/qbittorrent rPx,
+ /{usr/,}bin/qpdfview rPx,
+ /{usr/,}bin/smplayer rPx,
+ /{usr/,}bin/spacefm rPx,
+ /{usr/,}bin/telegram-desktop rPx,
+ /{usr/,}bin/thunderbird rPx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/vlc rPx,
+ /{usr/,}bin/xarchiver rPx,
+
 /{usr/,}lib/mozilla/plugins/ r,
 /{usr/,}lib/mozilla/plugins/libvlcplugin.so mr,
+ /usr/share/doc/{,**} r,
+ /usr/share/firefox/{,**} r,
 /usr/share/mozilla/extensions/{,**} r,
 /usr/share/webext/{,**} r,
+ /usr/share/glib-2.0/schemas/gschemas.compiled r,
- # To be able to read docs
- /usr/share/doc/{,**} r,
+ /etc/firefox/{,**} r,
+ /etc/fstab r,
+ /etc/libva.conf r,
+ /etc/mailcap r,
+ /etc/mime.types r,
+ /etc/opensc.conf r,
- #
- @{libexec}/gvfsd-metadata rPx -> gvfsd-metadata,
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+
+ owner @{HOME}/ r,
- # Firefox home files
 owner @{MOZ_HOMEDIR}/ rw,
 owner @{MOZ_HOMEDIR}/{extensions,systemextensionsdev}/ rw,
 owner @{MOZ_HOMEDIR}/firefox/ rw,
@@ -87,17 +110,22 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 owner @{MOZ_HOMEDIR}/firefox/profiles.ini rw,
 owner @{MOZ_HOMEDIR}/firefox/*/ rw,
 owner @{MOZ_HOMEDIR}/firefox/*/** rwk,
- # For keepassxc integration
 owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
- # Cache
- owner @{user_cache_dirs}/ rw,
 owner @{MOZ_CACHEDIR}/ rw,
 owner @{MOZ_CACHEDIR}/** rwk,
-
+ owner @{user_cache_dirs}/ rw,
 owner @{user_cache_dirs}/gstreamer-[0-9]*/ rw,
 owner @{user_cache_dirs}/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
+ owner @{user_share_dirs}/ r,
+ owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
+ @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
+ @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
 deny @{sys}/devices/system/cpu/present r,
 deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
 deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
@@ -115,26 +143,13 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 deny owner @{PROC}/@{pids}/environ r,
 owner @{PROC}/@{pid}/task/ r,
 deny owner @{PROC}/@{pid}/task/@{tid}/stat r,
- # To remove the following error:
- # GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
- # (g-file-error-quark, 2)
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
- # About:memory
 deny owner @{PROC}/@{pid}/statm r,
 deny owner @{PROC}/@{pid}/smaps r,
- # Link Monitor (since 49.0.1)
 @{PROC}/@{pid}/net/arp r,
- @{PROC}/@{pid}/net/route r,
- # @{PROC}/@{pid}/net/if_inet6 r,
-
- /etc/mime.types r,
- /etc/mailcap r,
-
- include
- owner @{run}/user/@{uid}/dconf/ rw,
- owner @{run}/user/@{uid}/dconf/user rw,
+ @{PROC}/@{pid}/net/route r,
 # Set default browser
 /{usr/,}bin/update-mime-database rPx,
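Review bot: `/{usr/,}bin/gpa rPUx,`, `/{usr/,}bin/keepassxc-proxy rPUx,` and `/{usr/,}bin/viewnior rPUx,` in the relocated helper list fall back to running the child unconfined when no matching profile is loaded, so on a host that lacks those profiles a browser compromise that reaches one of these exec paths leaves confinement entirely; every other transition in the same list uses `rPx`, which fails closed. If the fallback is intentional for hosts without these three profiles, I would say so next to them, e.g. `# PUx: runs unconfined until a profile for these exists`, and move them to `rPx` once profiles ship. `viewnior rPUx` is repeated in the -240 hunk inside the child profile, where the same note applies.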
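Review bot: `@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,` in the -87 hunk looks like a stray path: cgroup controllers live under `/sys/fs/cgroup/`, which is exactly what the following line uses, and `/sys/cgroup/` does not normally exist, so the rule presumably never matches. It is carried over from the block removed in the -172 hunk rather than newly written, but the move is the moment to either drop it or, if the user.slice quota file was the intent, change it to `@{sys}/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,`. Either way it is harmless, since a rule that matches nothing grants nothing.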
@@ -151,11 +166,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 # For wayland
 owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
- /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
 /var/tmp/ r,
 /tmp/ r,
 owner /tmp/* rw,
@@ -172,53 +182,17 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 owner /dev/shm/org.chromium.* rw,
 owner /dev/shm/org.mozilla.ipc.@{pid}.[0-9]* rw,
- /etc/fstab r,
+ # Needed only when the kernel.unprivileged_userns_clone option is set to "1".
+ owner @{PROC}/@{pid}/setgroups w,
+ owner @{PROC}/@{pid}/gid_map w,
+ owner @{PROC}/@{pid}/uid_map w,
+
+ # File Inherit
+ owner /dev/tty[0-9]* rw,
+ owner /dev/dri/card[0-9]* rw,
 # Silencer
 deny /{usr/,}lib/firefox/** w,
-
- /{usr/,}bin/gpa rPUx,
- /{usr/,}bin/keepassxc-proxy rPUx, # For storing passwords externally
- /{usr/,}bin/browserpass rPx,
-
- /{usr/,}bin/lsb_release rPx -> lsb_release,
-
- /{usr/,}bin/xdg-open rCx -> open,
- /{usr/,}bin/exo-open rCx -> open,
- /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
-
- # Allowed apps to open
- /{usr/,}bin/vlc rPx,
- /{usr/,}bin/qbittorrent rPx,
- /{usr/,}bin/smplayer rPx,
- /{usr/,}bin/geany rPx,
- /{usr/,}bin/okular rPx,
- /{usr/,}bin/viewnior rPUx,
- /{usr/,}bin/xarchiver rPx,
- /{usr/,}bin/engrampa rPx,
- /{usr/,}bin/thunderbird rPx,
- /{usr/,}bin/telegram-desktop rPx,
- /{usr/,}bin/spacefm rPx,
- /{usr/,}bin/qpdfview rPx,
-
- # file_inherit
- owner /dev/tty[0-9]* rw,
- /dev/dri/card[0-9]* rw,
-
- /etc/opensc.conf r,
-
- owner @{HOME}/ r,
- @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
- @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
-
- owner @{user_share_dirs}/ r,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
- include
- owner @{run}/user/@{uid}/dconf/ rw,
- owner @{run}/user/@{uid}/dconf/user rw,
-
- # Silencer
 deny capability sys_ptrace,
 deny owner @{HOME}/.* r,
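Review bot: `deny /{usr/,}lib/firefox/** w,` under `# Silencer` in the -172 hunk only covers the `/usr/lib/firefox` tree, while `@{MOZ_LIBDIR}` at the top of the file expands to `/{usr/,}lib/firefox{,-esr}`, so the ESR layout is not silenced and write attempts there will still be logged; `deny @{MOZ_LIBDIR}/** w,` would cover both and matches how the read rules earlier in the profile are written. That line is context rather than part of the change, but the hunk rewrites the lines on both sides of it. On the new side I would also note that `owner /dev/dri/card[0-9]* rw,` is a tightening over the removed unowned rule, e.g. `# owner-only: the card node is opened by the session user`, so it is not read as an accidental change.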
@@ -240,19 +214,19 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/ r,
 # Allowed apps to open
- /{usr/,}bin/vlc rPx,
- /{usr/,}bin/qbittorrent rPx,
- /{usr/,}bin/smplayer rPx,
+ /{usr/,}bin/engrampa rPx,
+ /{usr/,}bin/evince rPx,
 /{usr/,}bin/geany rPx,
 /{usr/,}bin/okular rPx,
- /{usr/,}bin/viewnior rPUx,
- /{usr/,}bin/xarchiver rPx,
- /{usr/,}bin/engrampa rPx,
- /{usr/,}bin/thunderbird rPx,
- /{usr/,}bin/telegram-desktop rPx,
- /{usr/,}bin/spacefm rPx,
+ /{usr/,}bin/qbittorrent rPx,
 /{usr/,}bin/qpdfview rPx,
- /{usr/,}bin/evince rPx,
+ /{usr/,}bin/smplayer rPx,
+ /{usr/,}bin/spacefm rPx,
+ /{usr/,}bin/telegram-desktop rPx,
+ /{usr/,}bin/thunderbird rPx,
+ /{usr/,}bin/viewnior rPUx,
+ /{usr/,}bin/vlc rPx,
+ /{usr/,}bin/xarchiver rPx,
 /usr/share/xfce4/exo/exo-compose-mail rPx,
 # file_inherit
diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker
index 0c021622..0de67d75 100644
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@@ -44,6 +44,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 /etc/gdm/{Pre,Post}Session/Default rix,
 /etc/motd r,
+ /etc/motd.d/ r,
 /etc/shells r,
 /etc/locale.conf r,
 /etc/environment r,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 1eefa24f..efdd7066 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -23,8 +23,10 @@ profile gsd-xsettings @{exec_path} {
 network netlink raw,
 @{exec_path} mr,
- /{usr/,}bin/xrdb rPx,
+
+ /{usr/,}bin/busctl rPx,
 /{usr/,}bin/pactl rPx,
+ /{usr/,}bin/xrdb rPx,
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index abf707ca..6ba09354 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
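Review bot: `/etc/motd.d/ r,` in the gdm-session-worker hunk permits listing the directory but not reading the fragment files inside it; if the worker (or a PAM module running in its process) needs the contents, the next denial will be on `/etc/motd.d/*` and the rule would have to become `/etc/motd.d/{,*} r,`. I cannot tell from the hunk which of the two is needed, so if the directory listing alone is what was observed, a short comment saying so, e.g. `# directory only; fragments not read by the worker`, would stop the next reader from widening it reflexively.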
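Review bot: `/{usr/,}bin/busctl rPx,` in the gsd-xsettings hunk transitions into a profile named `busctl`; with a plain `Px` the exec is refused when that profile is not loaded, which is the safe failure mode but means this change only works if a `busctl` profile exists in the set, and none is part of this patch, so I cannot confirm it from here. A comment on the rule such as `# needs the busctl profile` would make the dependency visible. The new `/{usr/,}bin/archlinux-java rPx,` line in the pacman -48 hunk has the same dependency on an `archlinux-java` profile.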
@@ -55,9 +55,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/modprobe rPx,
 /{usr/,}lib/initcpio/busybox rix,
- /{usr/,}lib/ld-*.so rix,
- /{usr/,}@{multiarch}/ld-*.so rix,
- /{usr/,}lib/@{multiarch}/ld-*.so rix,
+ /{usr/,}lib{,32,64}/ld-*.so rix,
 /etc/fstab r,
 /etc/lvm/lvm.conf r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index bacf964e..fc2f8d08 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -48,13 +48,16 @@ profile pacman @{exec_path} {
 /{usr/,}bin/cat rix,
 /{usr/,}bin/dot rix,
 /{usr/,}bin/env rix,
+ /{usr/,}bin/gettext rix,
 /{usr/,}bin/ghc-pkg-* rix,
+ /{usr/,}bin/grep rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/setcap rix,
 /{usr/,}bin/vercmp rix,
 /{usr/,}bin/xmlcatalog rix,
 /{usr/,}lib/ghc-*/bin/ghc-pkg rix,
 /{usr/,}bin/arch-audit rPx,
+ /{usr/,}bin/archlinux-java rPx,
 /{usr/,}bin/bootctl rPx,
 /{usr/,}bin/fc-cache rPx,
 /{usr/,}bin/gdk-pixbuf-query-loaders rPx,
@@ -78,6 +81,7 @@ profile pacman @{exec_path} {
 # Install/update packages
 / r,
+ /*/ rwl,
 /boot/{,**} rwl,
 /etc/{,**} rwl,
 /opt/{,**} rwl,
@@ -85,12 +89,6 @@ profile pacman @{exec_path} {
 /usr/{,**} rwlk,
 /var/{,**} rwlk,
- /bin/ rwl,
- /home/ rw,
- /lib/ rwl,
- /lib64/ rwl,
- /sbin/ rwl,
-
 @{PROC}/ r,
 @{run}/ r,
 @{sys}/{,**} r,
@@ -113,8 +111,7 @@ profile pacman @{exec_path} {
 # Silencer,
 deny /tmp/ r,
- deny @{HOME}/ r,
- deny @{HOME}/@{XDG_PROJECTS_DIR}/** r,
+ deny @{HOME}/{,**} r,
 profile gpg {
 include
diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf
index 10f5fea5..20b3043a 100644
--- a/apparmor.d/groups/pacman/pacman-conf
+++ b/apparmor.d/groups/pacman/pacman-conf
@@ -17,6 +17,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
 /etc/pacman.conf r,
 /etc/pacman.d/mirrorlist r,
+ /etc/pacman.d/*-mirrorlist r,
 include if exists
 }
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key
index 9d28e00e..285f3280 100644
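Review bot: `/*/ rwl,` in the pacman -78 hunk grants read, write (create, remove, rename) and link on every directory directly under `/`, which is wider than the explicit `/bin/`, `/home/`, `/lib/`, `/lib64/`, `/sbin/` list it replaces in the -85 hunk: it now also reaches `/root/`, `/tmp/`, `/srv/`, `/mnt/` and any top-level directory added later. A package manager does create top-level directories, so the widening may be deliberate, but nothing under `# Install/update packages` says so; a comment such as `# package-owned top-level dirs; wider than the old explicit list` would record the intent, or the explicit list could be kept with `/home/` dropped. For a reader checking the blast radius, `w` on `/*/` applies to the directory entries themselves, not to files inside them, which stay governed by the per-tree rules that follow.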
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@@ -10,27 +10,49 @@ include
 profile pacman-key @{exec_path} {
 include
+ capability dac_read_search,
+ capability mknod,
+
 @{exec_path} mr,
 /{usr/,}bin/basename rix,
+ /{usr/,}bin/bash rix,
+ /{usr/,}bin/gawk rix,
 /{usr/,}bin/gettext rix,
 /{usr/,}bin/gpg rCx -> gpg,
 /{usr/,}bin/grep rix,
 /{usr/,}bin/pacman-conf rPx,
 /{usr/,}bin/tput rix,
+ /{usr/,}bin/wc rix,
 /usr/share/makepkg/{,**} r,
 /usr/share/terminfo/x/xterm-256color r,
 /dev/tty rw,
+ # Inherit Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
 profile gpg {
 include
- /{usr/,}bin/gpg mr,
-
+ capability dac_read_search,
+ capability mknod,
+
+ /{usr/,}bin/gpg mr,
+ /{usr/,}bin/gpg-agent mr,
+
+ /usr/share/pacman/keyrings/* r,
+ /etc/pacman.d/gnupg/ rw,
 /etc/pacman.d/gnupg/** rwkl,
+
+ owner @{PROC}/@{pid}/fd/ r,
+
+ # Inherit Silencer
+ deny network inet6 stream,
+ deny network inet stream,
 }
 include if exists