From 08bb1b44a68cea634c38ca32b64be5008b58944c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 14 Jun 2022 19:25:45 +0100
Subject: [PATCH] style(profiles): small rules improvment.
---
 .../groups/freedesktop/xdg-desktop-portal | 4 +++
 apparmor.d/groups/gnome/gnome-shell | 4 +--
 apparmor.d/groups/network/ModemManager | 2 +-
 apparmor.d/groups/network/nm-dispatcher | 4 +++
 apparmor.d/groups/ssh/sshd | 3 +-
 apparmor.d/groups/systemd/journalctl | 31 +++++++++----------
 apparmor.d/groups/systemd/systemd-makefs | 7 ++---
 apparmor.d/groups/systemd/systemd-udevd | 2 +-
 apparmor.d/profiles-a-f/fsck | 2 +-
 apparmor.d/profiles-m-r/needrestart | 3 +-
 apparmor.d/profiles-s-z/switcheroo-control | 3 +-
 11 files changed, 35 insertions(+), 30 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 3741b43b..1570e6b3 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -38,6 +38,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 interface=org.freedesktop.NetworkManager member={StateChanged,CheckPermissions},
+ dbus receive bus=system path=/org/freedesktop/NetworkManager
+ interface=org.freedesktop.DBus.Properties
+ member=PropertiesChanged,
+
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 23adf357..fd6fbd6a 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -45,6 +45,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
 unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
+ unix (send,receive) type=stream addr=none peer=(label=xwayland),
 dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**} interface=org.freedesktop.{DBus.Properties,login[0-9].*},
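Review bot: The new `dbus receive` rule for PropertiesChanged on path /org/freedesktop/NetworkManager carries no `peer=` qualifier, so any connection on the system bus can deliver a signal under that path and interface to the portal; the neighbouring StateChanged/CheckPermissions rule has the same shape, so this may be a deliberate project convention. If the sender is meant to be NetworkManager only, a `peer=(label=<NetworkManager profile label>)` qualifier on the new rule would bind the receive to that confinement. The enclosing profile block starts and ends outside the hunk.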
@@ -83,8 +84,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.{freedesktop.DBus.Properties,gnome.DisplayManager.Manager}
- member={RegisterSession,Get,GetAll,OpenReauthenticationChannel}
- peer=(name=org.gnome.DisplayManager),
+ member={RegisterSession,Get,GetAll,OpenReauthenticationChannel},
 dbus send bus=system path=/net/hadess/{PackageKit,PowerProfiles,SwitcherooControl} interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager
index 6c5778a2..9132ee3c 100644
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@@ -37,7 +37,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager
- member={UserNew,SessionNew,PrepareForShutdown},
+ member={UserNew,SessionNew,PrepareForShutdown,SeatNew},
 dbus bind bus=system name=org.freedesktop.ModemManager[0-9],
diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher
index 0ca67990..11dfdf16 100644
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@@ -14,6 +14,10 @@ profile nm-dispatcher @{exec_path} {
 capability sys_nice,
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member={RequestName,ReleaseName},
+
 dbus receive bus=system path=/org/freedesktop/nm_dispatcher interface=org.freedesktop.nm_dispatcher,
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index 85c83573..ab522ceb 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
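Review bot: Dropping `peer=(name=org.gnome.DisplayManager)` from the `dbus send` rule for /org/gnome/DisplayManager/Manager removes the only constraint on who may receive RegisterSession and OpenReauthenticationChannel, so gnome-shell may now address those calls to any connection that exposes that path, not just the display manager. Presumably the well-known-name match did not fire as expected; if so, the tightening that still works is a label match on the receiving profile, e.g. `peer=(label=<display manager profile label>),` on the `member=` line, rather than no peer at all. The rule's first line is shown only as context and the profile block extends outside the hunk.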
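Review bot: The added `dbus send` rule to org.freedesktop.DBus for RequestName/ReleaseName cannot bound which name nm-dispatcher claims, because send rules match path, interface and member but not method arguments; the name actually owned has to be constrained by a `dbus bind` rule, e.g. `dbus bind bus=system name=org.freedesktop.nm_dispatcher,` (the name is inferred from the context line's path and interface). No such rule is visible in this hunk, so it is worth confirming one exists elsewhere in the profile, which continues outside the hunk.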
@@ -68,8 +68,9 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 /etc/default/locale r,
 /etc/environment r,
 /etc/gss/mech.d/{,*} r,
- /etc/security/limits.d/ r,
+ /etc/issue.net r,
 /etc/motd r,
+ /etc/security/limits.d/{,*.conf} r,
 /etc/ssh/ssh_host_* r,
 /etc/ssh/sshd_config r,
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index 43d1890e..1768c1af 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -27,24 +27,23 @@ profile journalctl @{exec_path} {
 /{usr/,}bin/less rPx -> child-pager,
 /{usr/,}bin/more rPx -> child-pager,
- /{run,var}/log/journal/ r,
- /{run,var}/log/journal/[0-9a-f]*/ r,
- /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
- /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
- /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
-
- @{run}/host/container-manager r,
-
- # For --setup-keys and --verify
- owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
- owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,
- owner /var/tmp/#[0-9]* rw,
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
 /var/lib/systemd/catalog/database rw,
 /var/lib/systemd/catalog/.#database* rw,
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
+ /{run,var}/log/journal/ r,
+ /{run,var}/log/journal/[0-9a-f]*/ r,
+ /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
+ /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
+ /{run,var}/log/journal/[0-9a-f]*/user-[0-9a-f]*.journal* rw,
+ owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,
+ owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
+ owner /var/tmp/#[0-9]* rw,
+
+ @{run}/host/container-manager r,
+
 @{run}/systemd/journal/io.systemd.journal rw,
 owner @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs
index 01962a1d..dd6751c7 100644
--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@@ -9,6 +9,8 @@ include
 @{exec_path} = /{usr/,}lib/systemd/systemd-makefs
 profile systemd-makefs @{exec_path} {
 include
+ include
+ include
 capability net_admin,
 capability sys_resource,
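Review bot: The reorder in the journalctl hunk drops the `# For --setup-keys and --verify` comment without replacing it, so the three `owner` rules granting write and link on `fss`, `fss.tmp.*` and `/var/tmp/#[0-9]*` now sit among the ordinary log-read rules with nothing saying they exist for journal sealing keys. Keep the comment directly above `owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> ...` so the next reader does not mistake the write grant on the sealing key for something plain `journalctl` needs. The profile block starts and ends outside the hunk.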
@@ -18,10 +20,5 @@ profile systemd-makefs @{exec_path} {
 /{usr/,}{s,}bin/mkswap rPx,
 /{usr/,}bin/mkfs.* rPx,
- @{sys}/devices/virtual/block/zram[0-9]*/ r,
- @{sys}/devices/virtual/block/zram[0-9]*/** r,
-
- /dev/zram[0-9]* rwk,
-
 include if exists
}
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 0a6a24fc..52a4981c 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -50,7 +50,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 /{usr/,}{s,}bin/* rPUx,
 /{usr,/}lib/pm-utils/power.d/* rPUx,
- /{usr,/}lib/snapd/snap-device-helper rPx, # TODO: but later
+ /{usr,/}lib/snapd/snap-device-helper rPx,
 /{usr/,}lib/crda/* rPUx,
 /{usr/,}lib/gdm-runtime-config rPx,
 /{usr/,}lib/systemd/systemd-* rPx,
diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck
index 7d5adbfa..45a4c76a 100644
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@@ -33,7 +33,7 @@ profile fsck @{exec_path} {
 owner @{run}/blkid/blkid.tab{,-*} rw,
 owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 @{run}/mount/utab r,
- @{run}/systemd/fsck.progress w,
+ @{run}/systemd/fsck.progress rw,
 @{PROC}/@{pids}/mountinfo r,
 @{PROC}/partitions r,
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 33176766..0eaa5148 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -41,8 +41,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 /etc/debconf.conf r,
 /etc/needrestart/{,**} r,
- /etc/needrestart/hook.d/* rix,
- /etc/needrestart/restart.d/* rix,
+ /etc/needrestart/*.d/* rix,
 /etc/shadow r,
 owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control
index 8bd1539a..7aef7a99 100644
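Review bot: In the needrestart hunk, `/etc/needrestart/*.d/* rix,` grants execute-with-inheritance to every file in any `*.d` directory under /etc/needrestart, whereas the two replaced rules limited it to `hook.d` and `restart.d`; any other `.d` directory there (configuration snippets, for instance) is already covered by the `r` in `/etc/needrestart/{,**} r,` and does not need `ix`. If the motive is brevity, `/etc/needrestart/{hook,restart}.d/* rix,` keeps one line while preserving the narrower execute grant. The profile block starts and ends outside the hunk.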
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@@ -35,7 +35,8 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
 @{sys}/bus/ r,
 @{sys}/class/ r,
 @{sys}/class/drm/ r,
- @{sys}/devices/pci[0-9]*/**/drm/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/boot_vga r,
+ @{sys}/devices/pci[0-9]*/**/uevent r,
 include if exists
}
\ No newline at end of file
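Review bot: `@{sys}/devices/pci[0-9]*/**/uevent r,` widens the read from the uevent files of DRM sub-devices to the uevent of every device under the PCI tree; presumably switcheroo-control now enumerates PCI devices itself to find the `boot_vga` attribute, but the hunk does not say so. If the program only needs GPUs, keeping the previous `@{sys}/devices/pci[0-9]*/**/drm/**/uevent r,` next to the new `boot_vga` rule is the narrower grant; otherwise a one-line comment above the rule stating that full PCI enumeration is required would explain the broader read to the next reader. The profile block starts outside the hunk.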