From 0eeefb5f0967a78c74983ae4a71129c714faa805 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Mon, 11 Mar 2024 22:47:22 +0000
Subject: [PATCH] feat(profile): general update.

---
 apparmor.d/groups/apt/apt-helper              |  9 +++-
 .../groups/freedesktop/xdg-permission-store   |  1 +
 apparmor.d/groups/gnome/gdm-xsession          |  2 +
 apparmor.d/groups/gnome/gnome-shell           |  2 +-
 apparmor.d/groups/gnome/gnome-software        |  2 -
 .../groups/gnome/org.gnome.NautilusPreviewer  |  2 +
 apparmor.d/groups/systemd/systemd-logind      |  2 +-
 apparmor.d/groups/systemd/systemd-networkd    |  2 +-
 apparmor.d/profiles-a-f/bluetoothd            |  1 +
 apparmor.d/profiles-s-z/utox                  | 47 ++++---------------
 apparmor.d/profiles-s-z/volumeicon            | 27 ++++-------
 11 files changed, 36 insertions(+), 61 deletions(-)

diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper
index 3d52177e..5b1c6911 100644
--- a/apparmor.d/groups/apt/apt-helper
+++ b/apparmor.d/groups/apt/apt-helper
@@ -14,10 +14,17 @@ profile apt-helper @{exec_path} {
   @{exec_path} mr,
 
   @{bin}/nm-online rPx,
-  @{bin}/systemctl rPx -> child-systemctl,
+  @{bin}/systemctl rCx -> systemctl,
   @{lib}/systemd/systemd-networkd-wait-online rPx,
 
   owner @{PROC}/@{pid}/fd/ r,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+  
+    include if exists <local/apt-helper_systemctl>
+  }
+
   include if exists <local/apt-helper>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store
index cdddb22b..6c32af27 100644
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@@ -15,6 +15,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 
   signal (receive) set=(term hup kill) peer=dbus-daemon,
   signal (receive) set=(term hup kill) peer=gdm*,
+  signal (receive) set=(kill) peer=gdm-wayland-session//dbus,
 
   # dbus: own bus=session name=org.freedesktop.impl.portal.PermissionStore
 
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index 7f6b07bb..33c1908d 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -87,6 +87,8 @@ profile gdm-xsession @{exec_path} {
     include <abstractions/base>
     include <abstractions/systemctl>
 
+    owner /dev/tty@{int} rw,
+
     include if exists <local/gdm-xsession_systemctl>
   }
 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index a0d7a733..4b213d6c 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/gnome-shell
-profile gnome-shell @{exec_path} flags=(attach_disconnected) {
+profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
   include <abstractions/audio>
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 77ba0fea..cff45ca7 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -27,8 +27,6 @@ profile gnome-software @{exec_path} {
   mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
   umount /var/tmp/flatpak-cache-*/*/,
 
-  signal (receive) set=(cont, term) peer=systemd-user,
-
   @{exec_path} mr,
 
   @{bin}/baobab              rPUx,
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
index c364789b..5bc26f4d 100644
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@@ -17,6 +17,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/private-files-strict>
   include <abstractions/video>
+  include <abstractions/openssl>
 
   network netlink raw,
 
@@ -28,6 +29,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
 
   /usr/share/poppler/{,**} r,
   /usr/share/sushi/org.gnome.NautilusPreviewer.*.gresource r,
+  /usr/share/ladspa/rdf/{,**} r,
 
   /etc/machine-id r,
 
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index b4cd8b06..588afe3c 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-logind
-profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
+profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.PolicyKit1>
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 61d41284..600ef78d 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-networkd
-profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
+profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.hostname1>
diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd
index 17f79222..460d586e 100644
--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@@ -66,6 +66,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/@{pci}/**/{uevent,name} r,
   @{sys}/devices/platform/**/rfkill/**/name r,
   @{sys}/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/devices/virtual/misc/uhid/**/uevent r,
 
   @{PROC}/sys/kernel/hostname r,
 
diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox
index 0a3c3494..4a738326 100644
--- a/apparmor.d/profiles-s-z/utox
+++ b/apparmor.d/profiles-s-z/utox
@@ -10,14 +10,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/utox
 profile utox @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dconf-write>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/user-download-strict>
-  include <abstractions/nameservice-strict>
   include <abstractions/audio>
+  include <abstractions/dconf-write>
+  include <abstractions/desktop>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/nameservice-strict>
+  include <abstractions/user-download-strict>
   include <abstractions/video>
 
   network inet dgram,
@@ -28,43 +26,16 @@ profile utox @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/xdg-open    rCx -> open,
+  @{open_path} rCx -> child-open,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
 
   owner @{HOME}/ r,
   owner @{user_config_dirs}/tox/ rw,
   owner @{user_config_dirs}/tox/** rw,
 
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
   deny owner @{PROC}/@{pid}/cmdline r,
 
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPUx,
-    @{bin}/viewnior        rPUx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-    owner @{user_config_dirs}/tox/[0-9A-F].ftinfo w,
-    owner @{user_config_dirs}/tox/[0-9A-F].ftoutfo w,
-    deny /dev/video@{int} rw,
-
-  }
-
   include if exists <local/utox>
 }
diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon
index de174c14..988185e6 100644
--- a/apparmor.d/profiles-s-z/volumeicon
+++ b/apparmor.d/profiles-s-z/volumeicon
@@ -10,35 +10,28 @@ include <tunables/global>
 @{exec_path} = @{bin}/volumeicon
 profile volumeicon @{exec_path} {
   include <abstractions/base>
-  include <abstractions/X>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
   include <abstractions/audio>
   include <abstractions/dri-enumerate>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/desktop>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
-  include <abstractions/wayland>
 
   @{exec_path} mr,
 
-  # Volumeicon files
-  /usr/share/volumeicon/** r,
-
-  # Volumeicon config files
-  owner @{user_config_dirs}/volumeicon/ rw,
-  owner @{user_config_dirs}/volumeicon/volumeicon* rw,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
   # Start the PulseAudio sound mixer
   @{sh_path}           rix,
   @{bin}/pavucontrol  rPUx,
   @{bin}/pulseeffects rPUx,
 
-  # file_inherit
+  /usr/share/volumeicon/** r,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
+  owner @{user_config_dirs}/volumeicon/ rw,
+  owner @{user_config_dirs}/volumeicon/volumeicon* rw,
+
   owner /dev/tty@{int} rw,
 
   include if exists <local/volumeicon>