From 14680e736dacbff38f233747fa4a92c71b91b882 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 16 Mar 2024 21:46:02 +0000
Subject: [PATCH] feat(profile): mirnor cleanup on the new dbus profiles.

---
 apparmor.d/groups/bus/dbus-accessibility | 12 +++++++-----
 apparmor.d/groups/bus/dbus-session | 5 +++--
 apparmor.d/groups/bus/dbus-system | 4 +++-
 3 files changed, 13 insertions(+), 8 deletions(-)

diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index 06791f53..755414b7 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -43,20 +43,22 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
   /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
 
-  /var/lib/gdm{3,}/.config/dconf/user r,
-  /var/lib/gdm{3,}/greeter-dconf-defaults r,
+  owner /var/lib/gdm{3,}/.config/dconf/user r,
+  owner /var/lib/gdm{3,}/greeter-dconf-defaults r,
 
-  @{run}/systemd/userdb/ r,
-  @{run}/systemd/users/@{uid} r,
+  @{run}/systemd/users/@{uid} r,
+  owner @{run}/user/@{uid}/gdm/Xauthority r,
 
   @{sys}/kernel/security/apparmor/.access rw,
 
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/@{pid}/cmdline r,
   @{PROC}/@{pid}/oom_score_adj r,
-  @{PROC}/sys/kernel/random/boot_id r,
   owner @{PROC}/@{pid}/fd/ r,
 
+  owner /dev/tty@{int} rw,
+
   include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 1c291cd2..bae0a24d 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -44,7 +44,9 @@ profile dbus-session flags=(attach_disconnected) {
   /var/lib/snapd/dbus-1/{,**} r,
   @{system_share_dirs}/dbus-1/{,**} r,
 
-  @{run}/systemd/userd/b/ r,
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
+  @{run}/systemd/users/@{uid} r,
 
   owner @{run}/user/@{uid}/dbus-1/ rw,
   owner @{run}/user/@{uid}/dbus-1/services/ rw,
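Review bot: `owner /dev/tty@{int} rw,` is the only write-capable rule this hunk adds to dbus-accessibility, and nothing in the hunk or the commit message says why a bus daemon needs to write to a terminal; if it only exists to keep stdout/stderr inherited from a console launch usable, say so above the line, e.g. `# stdio inherited when the bus is launched from a tty`, and confirm that `w` is actually exercised rather than only `r`. The new `owner @{run}/user/@{uid}/gdm/Xauthority r,` hands the daemon the greeter's X cookie; it is presumably harmless under `owner`, but a one-line comment naming the code path that opens it would make clear this is deliberate rather than a denial copied from a log. Removing `@{PROC}/sys/kernel/random/boot_id r,` here and in dbus-session looks intentional (possibly now covered by a shared include), but the message does not say which include provides it. The profile body starts before this hunk and the `include if exists` target has been lost in this rendering.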
@@ -54,7 +56,6 @@ profile dbus-session flags=(attach_disconnected) {
   @{sys}/kernel/security/apparmor/features/dbus/mask r,
   @{sys}/module/apparmor/parameters/enabled r,
 
-  @{PROC}/sys/kernel/random/boot_id r,
   owner @{PROC}/@{pid}/attr/apparmor/current r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index e17d7ff0..55387709 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -35,12 +35,14 @@ profile dbus-system flags=(attach_disconnected) {
   @{lib}/** PUx,
   /usr/share/*/** PUx,
 
-  /etc/machine-id r,
   /etc/dbus-1/{,**} r,
   /usr/share/dbus-1/{,**} r,
   /var/lib/snapd/dbus-1/{,**} r,
   @{system_share_dirs}/dbus-1/{,**} r,
 
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
+
   @{user_share_dirs}/icc/ r,
   @{user_share_dirs}/icc/edid-@{md5}.icc r,
   /var/lib/gdm{,3}/.local/share/icc/ r,
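Review bot: `/etc/machine-id r,` and `/var/lib/dbus/machine-id r,` are now spelled out identically in all three bus profiles this commit touches (dbus-accessibility, dbus-session, dbus-system), and `@{run}/systemd/users/@{uid} r,` in two of them; that is a style point, but a shared include for the reads every dbus-daemon instance performs would stop the three from drifting apart the way the `userd/b/` typo in dbus-session did. If such an abstraction already exists in the repository (not visible here), put the two machine-id lines there instead of in each profile; otherwise a short comment such as `# dbus reads both machine-id locations, one as fallback for the other` above the pair documents why both paths are needed. The hunk also keeps `@{lib}/** PUx,` and `/usr/share/*/** PUx,` as context; those are unchanged by this commit and are not re-raised here. The dbus-system profile body continues past the end of this hunk.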