From 0a7860694fa07cf431469c7c48594e2f6b2ccc72 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 17 Apr 2022 23:13:53 +0100
Subject: [PATCH] feat: profile update.
---
 apparmor.d/groups/bus/ibus-dconf | 2 +-
 apparmor.d/groups/gnome/gdm-runtime-config | 19 ++++++++++++++++++
 apparmor.d/groups/gnome/gnome-control-center | 2 ++
 apparmor.d/groups/gnome/gnome-session-binary | 1 +
 apparmor.d/groups/gvfs/gvfsd-mtp | 13 ++++++------
 apparmor.d/profiles-g-l/gtk-query-immodules | 2 +-
 apparmor.d/profiles-g-l/gtk-update-icon-cache | 3 ++-
 apparmor.d/profiles-m-r/pass-import | 2 +-
 apparmor.d/profiles-m-r/passwd | 20 +++++++------------
 9 files changed, 40 insertions(+), 24 deletions(-)
 create mode 100644 apparmor.d/groups/gnome/gdm-runtime-config
diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf
index cc8aa793..895a174e 100644
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@@ -31,7 +31,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
   /var/lib/gdm/.cache/dconf/ w,
-  /var/lib/gdm/.config/dconf/user r,
+  /var/lib/gdm/.config/dconf/user rw,
   owner /dev/tty[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config
new file mode 100644
index 00000000..cf74acf2
--- /dev/null
+++ b/apparmor.d/groups/gnome/gdm-runtime-config
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}lib/gdm-runtime-config
+profile gdm-runtime-config @{exec_path} {
+  include
+
+  @{exec_path} mr,
+
+  @{run}/gdm/ r,
+  @{run}/gdm/custom.conf* rw,
+
+  include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 62ee3d0c..29e78d17 100644
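Review bot: The widened rule `/var/lib/gdm/.config/dconf/user rw,` carries no `owner` qualifier, unlike the two `@{run}/user/@{uid}/dconf/` rules just above it, so every ibus-dconf instance confined by this profile, under any uid, may now write the gdm account's dconf database. If the write is only needed when ibus-dconf runs inside the greeter session as the gdm uid, `owner /var/lib/gdm/.config/dconf/user rw,` would keep the same functionality while pinning the access to that uid; whether the file is actually owned by gdm on the target systems is not visible here and should be confirmed before narrowing. The enclosing profile block starts and ends outside the hunk.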
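Review bot: The rule `@{run}/gdm/custom.conf* rw,` ends in a bare glob, so it matches any name beginning with `custom.conf` under `@{run}/gdm/`, not only the config file and whatever temporary is used to replace it; a comment such as `# custom.conf is rewritten through a temporary file next to it (exact name to confirm)` would record why the wildcard is there and let a later reviewer narrow it once the temporary's name is known. The new file also lacks a trailing newline (`\ No newline at end of file`), which the other profiles in this patch have. The `abi` and `include` targets are not visible on this page, so they were not reviewed.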
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -28,12 +28,14 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
   signal (send) set=(kill) peer=unconfined,
+  signal (send) set=(kill) peer=passwd,
   @{exec_path} mr,
   /{usr/,}bin/bwrap rPUx,
   /{usr/,}bin/gcm-viewer rix,
   /{usr/,}bin/locale rix,
   /{usr/,}bin/openvpn rPx,
+  /{usr/,}bin/passwd rPx,
   /{usr/,}lib/gnome-control-center-print-renderer rPx,
   /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 41d16ac1..819497c3 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -99,6 +99,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/users/@{uid} r,
   @{sys}/devices/**/{vendor,device} r,
+  @{sys}/devices/pci[0-9]*/**/revision r,
   owner @{PROC}/@{pid}/loginuid r,
   owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp
index 11896952..d5483993 100644
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
-# 2021 Alexandre Pujol
+# Copyright (C) 2021-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -11,6 +11,7 @@ include
 @{exec_path} += @{libexec}/gvfsd-mtp
 profile gvfsd-mtp @{exec_path} {
   include
+  include
   include
   include
   include
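Review bot: The two added lines `signal (send) set=(kill) peer=passwd,` and `/{usr/,}bin/passwd rPx,` belong together but sit several lines apart with nothing saying which feature needs them, so one is easy to drop later without the other. A one-line comment above the signal rule, e.g. `# the accounts panel runs passwd to change a password and kills it on cancel (confirm against the control-center source)`, would tie them together; the reason given there is inferred from the two rules, not from anything else on this page. The `rPx` transition also requires the `passwd` profile to be loaded, which this same patch edits, so the two files should land together. The enclosing profile block starts and ends outside the hunk.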
@@ -20,16 +21,14 @@ profile gvfsd-mtp @{exec_path} {
   @{exec_path} mr,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
   owner @{HOME}/{,**} rw,
   owner @{MOUNTS}/*/{,**} rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
-
-  include
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
-
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  owner @{run}/user/@{uid}/gvfsd/socket-* rw,
   include if exists
 }
diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules
index a458d6af..3783e53a 100644
--- a/apparmor.d/profiles-g-l/gtk-query-immodules
+++ b/apparmor.d/profiles-g-l/gtk-query-immodules
@@ -11,7 +11,7 @@ profile gtk-query-immodules @{exec_path} {
   include
   capability dac_override,
-  capability dac_override,
+  capability dac_read_search,
   @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache
index 40c3efe7..f0dd86d9 100644
--- a/apparmor.d/profiles-g-l/gtk-update-icon-cache
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache
@@ -18,8 +18,9 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
   /usr/share/icons/**/.icon-theme.cache rw,
   /usr/share/icons/**/icon-theme.cache rw,
-  /var/lib/flatpak/exports/share/icons/hicolor/ r,
+  /var/lib/flatpak/exports/share/icons/{,**/} r,
   /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw,
+  /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache w,
   deny /apparmor/.null rw,
diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import
index 479ec147..d71e7f33 100644
--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@@ -22,7 +22,7 @@ profile pass-import @{exec_path} {
   /{usr/,}bin/python3.[0-9]* rix,
   /{usr/,}lib/gcc/**/collect2 rix,
-  /{usr/,}lib/python{2.[4-7],3,3.[0-9]}/** w,
+  /{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w,
   /usr/share/file/misc/magic.mgc r,
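Review bot: The removed `include` line in the middle of this hunk (its target is stripped on this page) sat directly above the two `owner @{run}/user/@{uid}/dconf/` rules, which suggests it was a dconf-related abstraction; those two rules survive while the abstraction moved into the include list in the earlier hunk of this file, so if that abstraction already grants the same `@{run}/user/@{uid}/dconf/` paths the explicit rules are now redundant and can go, and otherwise a comment saying why they are still needed next to it would help. This is inferred from placement only and should be checked against the included abstraction. The enclosing profile block starts outside the hunk.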
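Review bot: After this change the gtk-query-immodules profile grants both `capability dac_override,` and `capability dac_read_search,`; `dac_read_search` only bypasses read and search checks while `dac_override` bypasses every DAC check including write, so if the replaced line was an accidental duplicate the stronger capability is the one most worth questioning rather than keeping alongside the new one. Worth confirming from the audit log which of the two the tool actually triggers (a query-only tool that just lists modules is unlikely to need `dac_override`) and keeping only that one, with a short comment recording the reason. The enclosing profile block starts and ends outside the hunk.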
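Review bot: The new line `/var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache w,` grants only `w` while the parallel `/usr/share/icons/**/icon-theme.cache rw,` rule a few lines above and the sibling `.icon-theme.cache` rule both grant `rw`, which reads as an inconsistency rather than a decision. If write-only is intentional (presumably the cache is produced as `.icon-theme.cache` and renamed over the final name, which only needs write on the target), a comment such as `# rename target only; the temporary .icon-theme.cache is what gets read back` would record that, otherwise align it with the `/usr/share` rules. The broadened `{,**/}` read matches directories only because of the trailing slash, which fits a tree walk and looks fine. The enclosing profile block starts and ends outside the hunk.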
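Review bot: The changed rule `/{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/** w,` in pass-import grants write access to every file under the interpreter's library tree (standard library and site-packages), and this edit extends it to Python 3.10 and later rather than narrowing it; a process allowed to modify that tree can change modules loaded by every other Python program on the host, which is far more than a password importer needs. If the denial being fixed is bytecode caching, `/{usr/,}lib/python{2.[4-7],3,3.[0-9]*}/**/__pycache__/{,*.pyc} w,` would cover it; the actual path that triggered the rule is not visible here and should be taken from the audit log before narrowing, and a comment naming that reason should accompany whichever form is kept. The enclosing profile block starts and ends outside the hunk.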
diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd
index 4199ccfb..44e9dea5 100644
--- a/apparmor.d/profiles-m-r/passwd
+++ b/apparmor.d/profiles-m-r/passwd
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,38 +10,31 @@ include
 @{exec_path} = /{usr/,}bin/passwd
 profile passwd @{exec_path} {
   include
-  include
   include
   include
+  include
-  # To write records to the kernel auditing log.
   capability audit_write,
-
-  # To set the right permission to the files in the /etc/.
-  # Since passwd reads and writes from /etc/ directory, the write permissions are requried by it.
-  # Note that, /etc/shadow is never written by passwd. passwd actually writes to /etc/nshadow and
-  # renames /etc/nshadow to /etc/shadow.
   capability chown,
   capability fsetid,
-  capability setuid,
   network netlink raw,
   @{exec_path} mr,
-  owner @{PROC}/@{pid}/loginuid r,
-
+  /etc/nshadow rw,
   /etc/shadow rw,
+  /etc/shadow- rw,
   /etc/shadow.[0-9]* rw,
   /etc/shadow.lock rwl,
-  /etc/shadow- rw,
   /etc/shadow+ rw,
-  /etc/nshadow rw,
   # A process first uses lckpwdf() to lock the lock file, thereby gaining exclusive rights to
   # modify the /etc/passwd or /etc/shadow password database.
   /etc/.pwd.lock rwk,
+  owner @{PROC}/@{pid}/loginuid r,
+
   include if exists
 }
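Review bot: The removed comment block was the only place explaining why `capability chown` and `capability fsetid` are granted and that passwd writes `/etc/nshadow` and renames it over `/etc/shadow`; that rationale is what justifies `rw` on the shadow files and it is gone in the new version, so a condensed line above `/etc/nshadow rw,` such as `# passwd writes /etc/nshadow and renames it over /etc/shadow; the backup, lock and numbered files follow the same pattern` should be kept. The removal of `capability setuid,` is not explained in the commit message either; if it was found unused, a short note in the profile would stop the next person re-adding it on the first denial they cannot attribute, and an unexpected need for it will show up as a `setuid` capability denial in the audit log. The copyright hunk above in the same file is trivial and needs nothing.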