From 10ce0ba4a112c50259c0682b69fcd8a0538c5c43 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 10 Mar 2024 20:27:05 +0000
Subject: [PATCH] feat(profile): merge colord-sane into colord.

Required due to nnp flag enabled on colord-sane. As the profiles are similar it is easier to merge them.
---
 apparmor.d/groups/freedesktop/colord      | 21 ++++++----
 apparmor.d/groups/freedesktop/colord-sane | 47 -----------------------
 2 files changed, 14 insertions(+), 54 deletions(-)
 delete mode 100644 apparmor.d/groups/freedesktop/colord-sane

diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index 4927d8ff..cc54bd17 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -7,7 +7,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{lib}/{,colord/}colord
+@{exec_path} = @{lib}/{,colord/}colord{,-sane}
 profile colord @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
@@ -28,21 +28,25 @@ profile colord @{exec_path} flags=(attach_disconnected) {
        member={GetConnectionUnixUser,GetConnectionUnixProcessID}
        peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
-  @{exec_path} mr,
-
-  @{lib}/{,colord/}colord-sane  rPx -> colord//&colord-sane,
+  @{exec_path} mrix,
 
   /etc/machine-id r,
-  /etc/udev/hwdb.bin r,
   /etc/sane.d/{,**} r,
+  /etc/snmp/snmp.conf r,
+  /etc/udev/hwdb.bin r,
 
-  /usr/share/mime/mime.cache r,
   /usr/share/color/icc/{,**} r,
+  /usr/share/mime/mime.cache r,
+  /usr/share/snmp/mibs/{,*} r,
 
-  owner /var/lib/colord/** r,
   owner /var/lib/colord/.cache/ rw,
   owner /var/lib/colord/.cache/** rw,
   owner /var/lib/colord/{mapping,storage}.db{,-journal} rwk,
+  owner /var/lib/colord/** r,
+
+  owner /var/lib/snmp/{mib,cert}_indexes/ rw,
+  owner /var/lib/snmp/mibs/{iana,ietf}/ r,
+  owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
 
   /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
   /var/lib/flatpak/exports/share/mime/mime.cache r,
@@ -50,6 +54,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
 
   @{user_share_dirs}/icc/edid-*.icc r,
 
+  @{run}/systemd/journal/socket rw,
   @{run}/systemd/sessions/* r,
 
   @{run}/udev/data/+pci:* r,
@@ -70,5 +75,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
         @{PROC}/@{pids}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
 
+  /dev/parport@{int} r,
+
   include if exists <local/colord>
 }
diff --git a/apparmor.d/groups/freedesktop/colord-sane b/apparmor.d/groups/freedesktop/colord-sane
deleted file mode 100644
index f8c8b62e..00000000
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ /dev/null
@@ -1,47 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{lib}/{,colord/}colord-sane
-profile colord-sane @{exec_path} flags=(attach_disconnected) {
-  include <abstractions/base>
-  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Avahi>
-  include <abstractions/devices-usb>
-  include <abstractions/openssl>
-
-  network inet dgram,
-  network inet6 dgram,
-  network netlink raw,
-
-  # dbus: talk bus=system name=org.freedesktop.ColorManager label=colord
-
-  @{exec_path} mr,
-
-  /usr/share/snmp/mibs/{,*} r,
-
-  /etc/sane.d/{,**} r,
-  /etc/snmp/snmp.conf r,
-
-  /var/lib/snmp/{mib,cert}_indexes/ rw,
-  /var/lib/snmp/mibs/{iana,ietf}/ r,
-  /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
-
-  @{run}/systemd/journal/socket rw,
-
-  @{sys}/bus/scsi/devices/ r,
-  @{sys}/devices/@{pci}/{vendor,model,type} r,
-
-  @{PROC}/sys/dev/parport/ r,
-  @{PROC}/sys/dev/parport/parport@{int}/base-addr r,
-  @{PROC}/sys/dev/parport/parport@{int}/irq r,
-
-  /dev/parport@{int} r,
-
-  include if exists <local/colord-sane>
-}