From 19ada552fe4a8d18deca7fc1a70fa8b7ceb8e100 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 31 Jul 2021 18:41:54 +0100
Subject: [PATCH] Profiles update.
---
 apparmor.d/groups/gnome/gnome-shell | 5 ++++-
 apparmor.d/groups/gvfs/gvfsd-http | 8 ++++++++
 apparmor.d/profiles-a-l/groupdel | 1 +
 apparmor.d/profiles-m-z/pipewire | 5 +++++
 apparmor.d/profiles-m-z/pipewire-media-session | 6 ++++++
 apparmor.d/profiles-m-z/udisksd | 1 +
 6 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index e5bc9e93..9a57847b 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -67,11 +67,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
- owner @{user_config_dirs}/monitors.xml r,
+ owner @{user_config_dirs}/.goutputstream{,*} rw,
 owner @{user_config_dirs}/ibus/* r,
 owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-wayland-[0-9] r,
+ owner @{user_config_dirs}/monitors.xml rw,
 /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-wayland-[0-9] r,
+ owner @{user_share_dirs}/backgrounds/{,**} rw,
 owner @{user_share_dirs}/gnome-shell/{,**} rw,
 owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
@@ -112,6 +114,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
 @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
 @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
+ @{run}/udev/data/n[0-9]* r,
 @{sys}/bus/ r,
 @{sys}/class/ r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index f4717cef..99c0ff42 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
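Review bot: The new `owner @{user_config_dirs}/.goutputstream{,*} rw,` rule carries no comment, and its reason sits three lines away in the `monitors.xml` rule that moves from `r` to `rw` in the same hunk. GLib's atomic replace writes a `.goutputstream-XXXXXX` temporary next to the target and renames it over the file, so the two rules only make sense as a pair; a comment such as `# GLib atomic save of monitors.xml (temp file renamed over the target)` on the `.goutputstream` line would keep them from being separated later. Note that the `{,*}` glob also covers any other `.goutputstream*` temporary under @{user_config_dirs}, which is wider than monitors.xml alone but is what the GLib naming scheme requires. The profile body continues outside the hunk.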
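Review bot: The added `@{run}/udev/data/n[0-9]* r,` is the only rule in this udev data block without the trailing `# for …` comment its three siblings carry. udev keys its database entries for network interfaces as `n<ifindex>`, so `@{run}/udev/data/n[0-9]* r, # for network interfaces` would match the block's style and record why gnome-shell needs to read network device properties. The profile body continues outside the hunk.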
@@ -12,6 +13,7 @@ profile gvfsd-http @{exec_path} {
 include
 include
 include
+ include
 network inet stream,
 network inet6 stream,
@@ -23,5 +25,11 @@ profile gvfsd-http @{exec_path} {
 /usr/share/glib-2.0/schemas/gschemas.compiled r,
+ include
+ owner @{run}/user/@{uid}/dconf/ rw,
+ owner @{run}/user/@{uid}/dconf/user rw,
+
+ owner @{run}/user/@{uid}/gvfsd/socket-* rw,
+ include if exists
 }
diff --git a/apparmor.d/profiles-a-l/groupdel b/apparmor.d/profiles-a-l/groupdel
index e85807f1..df0f7018 100644
--- a/apparmor.d/profiles-a-l/groupdel
+++ b/apparmor.d/profiles-a-l/groupdel
@@ -22,6 +22,7 @@ profile groupdel @{exec_path} {
 network netlink raw,
 @{exec_path} mr,
+ /{usr/,}{s,}bin/nscd rix,
 /etc/login.defs r,
diff --git a/apparmor.d/profiles-m-z/pipewire b/apparmor.d/profiles-m-z/pipewire
index 34412b15..2f29e141 100644
--- a/apparmor.d/profiles-m-z/pipewire
+++ b/apparmor.d/profiles-m-z/pipewire
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2015-2020 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -19,6 +20,8 @@ profile pipewire @{exec_path} {
 @{exec_path} mr,
+ /usr/share/pipewire/pipewire.conf r,
+ /etc/pipewire/pipewire.conf r,
 /etc/pipewire/client.conf r,
@@ -45,5 +48,7 @@ profile pipewire @{exec_path} {
 / r,
+ /dev/video[0-9]* rw,
+ include if exists
 }
diff --git a/apparmor.d/profiles-m-z/pipewire-media-session b/apparmor.d/profiles-m-z/pipewire-media-session
index 6037dfd4..6a4966bc 100644
--- a/apparmor.d/profiles-m-z/pipewire-media-session
+++ b/apparmor.d/profiles-m-z/pipewire-media-session
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2015-2020 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -15,6 +16,7 @@ profile pipewire-media-session @{exec_path} {
 @{exec_path} mr,
+ /usr/share/pipewire/media-session.d/{,**} r,
 /etc/pipewire/media-session.d/*.conf r,
 owner @{user_config_dirs}/pipewire/ rw,
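Review bot: `/{usr/,}{s,}bin/nscd rix,` runs nscd under groupdel's own profile (inherit), so the cache-flush child is confined by groupdel's rules rather than by a policy written for nscd. That is presumably the shadow tools' `nscd -i group` call after a group is removed, and `ix` is the right choice only while this profile set has no nscd profile of its own; if one exists, `/{usr/,}{s,}bin/nscd rPx,` keeps the child under its own policy. Either way, a comment such as `# flushes the nscd group cache` would record why the exec rule is there. The profile body continues outside the hunk.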
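Review bot: The two `pipewire.conf` rules in this hunk, `/usr/share/pipewire/pipewire.conf r,` and `/etc/pipewire/pipewire.conf r,`, differ only in the prefix. AppArmor path alternation lets the pair collapse to one rule, `/{etc,usr/share}/pipewire/pipewire.conf r,`, which keeps the vendor default and the admin override visibly tied together. Whether the `/etc` rule is context or also new is not recoverable from this page. The profile body continues outside the hunk.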
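Review bot: `/dev/video[0-9]* rw,` gives the pipewire daemon read/write on every V4L2 device node and has no comment, unlike the `# For …` annotations used elsewhere in these profiles; the identical uncommented rule is added to pipewire-media-session in this commit as well. A short `# V4L2 camera capture` (or whatever the actual consumer is) on both lines would document that camera access is now part of both profiles' exposure, which is the kind of grant a later audit wants to find quickly. The enclosing profile continues outside the hunk.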
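Review bot: The new `/usr/share/pipewire/media-session.d/{,**} r,` permits reading the directory and everything under it, while the neighbouring `/etc/pipewire/media-session.d/*.conf r,` permits only `*.conf` files and not the directory itself. If the session manager enumerates the directory (which the `{,**}` on the vendor path suggests), the admin override location will be denied on `/etc/pipewire/media-session.d/`; either mirror the vendor rule as `/etc/pipewire/media-session.d/{,**} r,` or, if only `*.conf` files are read, narrow the vendor rule to `/usr/share/pipewire/media-session.d/{,*.conf} r,` so the two locations get the same grant. The profile body continues outside the hunk.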
@@ -41,8 +43,10 @@ profile pipewire-media-session @{exec_path} {
 @{sys}/class/video4linux/ r,
 @{sys}/devices/**/sound/**/uevent r,
+ @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
 @{run}/udev/data/+sound:card[0-9]* r, # For sound
+ @{run}/udev/data/c81:[0-9]* r, # For video4linux
 @{run}/udev/data/c116:[0-9]* r, # For ALSA
 @{run}/systemd/users/@{uid} r,
@@ -50,5 +54,7 @@ profile pipewire-media-session @{exec_path} {
 @{sys}/devices/system/node/ r,
 @{sys}/devices/system/node/node[0-9]*/meminfo r,
+ /dev/video[0-9]* rw,
+ include if exists
 }
diff --git a/apparmor.d/profiles-m-z/udisksd b/apparmor.d/profiles-m-z/udisksd
index 8301782b..5e49c159 100644
--- a/apparmor.d/profiles-m-z/udisksd
+++ b/apparmor.d/profiles-m-z/udisksd
@@ -89,6 +89,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/devices r,
 # To be able to initialize device-mapper disk devices
+ /dev/mapper/ r,
 /dev/mapper/control rw,
 # The special /dev/loop-control file can be used to create and destroy loop devices or to find
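Review bot: `@{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,` only matches video4linux devices that hang off a PCI root, whereas the sibling sound rule two lines above, `@{sys}/devices/**/sound/**/uevent r,`, is bus-agnostic. On systems where the USB or camera controller is a platform device (for example under `@{sys}/devices/platform/`), the uevent read will be denied and the camera will not be enumerated; `@{sys}/devices/**/video4linux/video[0-9]*/uevent r,` keeps the shape of the sound rule and covers both cases. The profile body continues outside the hunk.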