From 08beefe867a7a976ee52df82edb15bfd80440677 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 26 Jun 2022 23:05:09 +0100
Subject: [PATCH] feat(profiles): general update.

---
 apparmor.d/groups/apt/apt                              |  7 +++++--
 apparmor.d/groups/bus/dbus-daemon-launch-helper        |  2 ++
 .../groups/gnome/gnome-calculator-search-provider      |  4 +++-
 apparmor.d/groups/gnome/gnome-control-center           |  1 +
 .../groups/gnome/gnome-control-center-search-provider  |  7 ++++++-
 apparmor.d/groups/gnome/gnome-terminal-server          |  3 ++-
 apparmor.d/groups/gnome/seahorse                       | 10 ++++++++++
 apparmor.d/groups/network/NetworkManager               |  4 +++-
 apparmor.d/groups/systemd/systemd-resolved             |  1 +
 apparmor.d/groups/systemd/systemd-timedated            |  6 +++++-
 apparmor.d/groups/ubuntu/apport-gtk                    |  5 +++--
 apparmor.d/groups/ubuntu/apt-esm-json-hook             |  1 +
 apparmor.d/profiles-a-f/apparmor_parser                |  1 +
 apparmor.d/profiles-m-r/needrestart                    |  1 +
 apparmor.d/profiles-m-r/run-parts                      |  2 ++
 apparmor.d/profiles-s-z/spice-vdagent                  |  1 +
 16 files changed, 47 insertions(+), 9 deletions(-)

diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 848ae80d..017fd58e 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -63,6 +63,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/apt-listchanges                 rPx,
   /{usr/,}bin/apt-show-versions               rPx,
   /{usr/,}bin/debtags                         rPx,
+  /{usr/,}bin/df                              rPx,
+  /{usr/,}bin/dmesg                           rPx,
   /{usr/,}bin/dpkg                            rPx,
   /{usr/,}bin/dpkg-source                     rcx -> dpkg-source,
   /{usr/,}bin/etckeeper                       rPx,
@@ -97,6 +99,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   /var/cache/apt/ r,
   /var/cache/apt/** rwk,
 
+  /var/crash/{,*.@{uid}.crash} rw,
+
   /var/lib/apt/extended_states{,.*} rw,
   /var/lib/apt/lists/** rw,
   /var/lib/apt/lists/lock rwk,
@@ -105,8 +109,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   /var/lib/dpkg/lock{,-frontend} rwk,
   /var/lib/update-notifier/dpkg-run-stamp rw,
 
-  /var/log/apt/{term,history}.log w,
-  /var/log/apt/eipp.log.xz w,
+  /var/log/apt/{,**} rw,
 
   # For package building
   @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
diff --git a/apparmor.d/groups/bus/dbus-daemon-launch-helper b/apparmor.d/groups/bus/dbus-daemon-launch-helper
index e0f71980..2c02babd 100644
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
@@ -21,6 +21,8 @@ profile dbus-daemon-launch-helper @{exec_path} {
   /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism         rPx,
   /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism       rPx,
   /{usr/,}lib/software-properties/software-properties-dbus  rPx,
+  
+  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
 
   /usr/share/dbus-1/{,**} r,
 
diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider
index f34ebb82..d3a16fcf 100644
--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@@ -9,9 +9,10 @@ include <tunables/global>
 @{exec_path} = @{libexec}/gnome-calculator-search-provider
 profile gnome-calculator-search-provider @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
-  include <abstractions/gtk>
   include <abstractions/fonts>
+  include <abstractions/gtk>
 
   signal (send) set=kill peer=unconfined,
 
@@ -23,6 +24,7 @@ profile gnome-calculator-search-provider @{exec_path} {
   /usr/share/icons/{,**} r,
   
   owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pids}/cmdline r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 368061b1..ff76bcc6 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -148,6 +148,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/users/@{uid} r,
         @{run}/systemd/sessions/  r,
         @{run}/systemd/sessions/* r,
+        @{run}/cups/cups.sock rw,
 
   @{run}/udev/data/+dmi:* r,
   @{run}/udev/data/+input* r,       # for mouse, keyboard, touchpad
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider
index 247eeeac..c99e15d4 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@@ -9,17 +9,22 @@ include <tunables/global>
 @{exec_path} = @{libexec}/gnome-control-center-search-provider
 profile gnome-control-center-search-provider @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
+  include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
-  include <abstractions/fonts>
 
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/ubuntu/applications/{,**} r,
   /usr/share/X11/xkb/{,**} r,
 
+  /etc/gnome/defaults.list r,
+
   owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   include if exists <local/gnome-control-center-search-provider>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index 51cd8765..bbf8f817 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -20,7 +20,8 @@ profile gnome-terminal-server @{exec_path} {
   @{exec_path} mr,
 
   # The shell is not confined on purpose.
-  /{usr/,}bin/{,z,ba,da}sh rUx,
+  /{usr/,}bin/{,b,d,rb}ash         rUx,
+  /{usr/,}bin/{c,k,tc,z}sh         rUx,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/X11/xkb/{,**} r,
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index 811fbf81..f7429593 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -16,11 +16,21 @@ profile seahorse @{exec_path} {
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
 
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=org.freedesktop.Avahi),
+
   dbus send bus=system path=/
        interface=org.freedesktop.Avahi.Server
        member={GetAPIVersion,GetState,ServiceBrowserNew}
        peer=(name=org.freedesktop.Avahi),
 
+  dbus send bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       member=Free
+       peer=(name=org.freedesktop.Avahi),
+
   dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
        interface=org.freedesktop.Avahi.ServiceBrowser
        member={CacheExhausted,AllForNow},
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 3d4cc758..1637a5d7 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -97,7 +97,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/nm-openvpn-service                 rPx,
   /{usr/,}lib/nm-openvpn-service-openvpn-helper  rPx,
 
-  /dev/rfkill rw,
+  /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
 
   / r,
   /etc/ r,
@@ -136,5 +136,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/sys/net/** rw,
 
+  /dev/rfkill rw,
+
   include if exists <local/NetworkManager>
 }
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index f2e385d6..9b9e028b 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@@ -50,6 +50,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/resolve/{,**} rw,
 
   @{PROC}/sys/kernel/hostname r,
+  @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
 
   include if exists <local/systemd-timesyncd>
 }
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index 6e898528..ddd2c425 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -19,9 +19,13 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus
        member={AddMatch,ReleaseName,RequestName},
 
+  dbus send bus=system path=/org/freedesktop/systemd[0-9]/unit/*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
   dbus receive bus=system path=/org/freedesktop/timedate[0-1]
        interface=org.freedesktop.DBus.Properties
-       member=Get,
+       member={Get,GetAll},
 
   dbus bind bus=system 
        name=org.freedesktop.timedate[0-9],
diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk
index 2f64f26c..4cb03377 100644
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@@ -69,16 +69,17 @@ profile apport-gtk @{exec_path} {
 
   /tmp/[a-z0-9]* rw,
   /tmp/apport_core_* rw,
-  /tmp/launchpadlib.cache.[a-z0-9]*/ w,
+  /tmp/launchpadlib.cache.[a-z0-9]*/ rw,
   /tmp/tmp[a-z0-9]*/{,**} rw,
 
-  owner @{PROC}/@{pid}/cgroup r,
         @{PROC}/ r,
         @{PROC}/@{pids}/cmdline r,
         @{PROC}/@{pids}/fd/  r,
+        @{PROC}/@{pids}/mounts r,
         @{PROC}/@{pids}/stat r,
         @{PROC}/modules r,
         @{PROC}/version_signature r,
+  owner @{PROC}/@{pid}/cgroup r,
 
   profile gdb {
     include <abstractions/base>
diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook
index 31af9923..9ba79f93 100644
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook
 profile apt-esm-json-hook @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index e75165f5..eb535fe5 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}{s,}bin/apparmor_parser
 profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   capability mac_admin,
 
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 0eaa5148..6e0aeef5 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -25,6 +25,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 
   /{usr/,}bin/{,ba,da}sh                        rix,
   /{usr/,}bin/dpkg-query                        rpx,
+  /{usr/,}bin/fail2ban-server                   rPx,
   /{usr/,}bin/locale                            rix,
   /{usr/,}bin/python3.[0-9]*                    rix,
   /{usr/,}bin/stty                              rix,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index ca903cf7..08cdcdfa 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -14,6 +14,8 @@ profile run-parts @{exec_path} {
 
   @{exec_path} mr,
 
+  /usr/share/update-notifier/notify-reboot-required rPx,
+
   # Crontrab
   /etc/cron.{hourly,daily,weekly,monthly}/                     r,
   /etc/cron.{hourly,daily,weekly,monthly}/0anacron             rPx,
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 690023d7..17d71d8b 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -11,6 +11,7 @@ profile spice-vdagent @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
   include <abstractions/dbus-session-strict>
+  include <abstractions/fonts>
   include <abstractions/gtk>
   include <abstractions/X-strict>