Update profiles.

apparmor.d/groups/browsers/chromium-chromium

@@ -1,7 +1,10 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Warning: Such a profile is limitted as it gives access to a lot of resources.
+
 abi <abi/3.0>,
 
 include <tunables/global>
@@ -164,14 +167,12 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 
   deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
 
-  @{sys}/devices/virtual/dmi/id/sys_vendor r,
-  @{sys}/devices/virtual/dmi/id/product_name r,
-  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
-
-  # To remove the following error:
-  #  pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
-  # The irq file is needed to render pages.
   @{sys}/devices/pci[0-9]*/**/irq r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]*/**/report_descriptor r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
+  @{sys}/devices/virtual/**/report_descriptor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
 
         /var/tmp/ r,
         /tmp/ r,

apparmor.d/groups/browsers/firefox

@@ -65,6 +65,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/gpa                 rPUx,
   /{usr/,}bin/keepassxc-proxy     rPUx,
   /{usr/,}bin/lsb_release         rPx -> lsb_release,
+  /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp*  rPx,
 
   # Allowed apps to open
   /{usr/,}bin/xdg-open                                    rCx -> open,
@@ -132,10 +133,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
 
   # For Cryptographic Attestation of Personhood
-  #@{sys}/bus/ r,
+  @{sys}/bus/ r,
-  #@{sys}/class/ r,
+  @{sys}/class/ r,
-  #@{sys}/class/hidraw/ r,
+  @{sys}/class/hidraw/ r,
-  #@{run}/udev/data/c241:[0-9]* r,  # dynamic
+  @{run}/udev/data/c241:[0-9]* r,  # dynamic
 
        owner @{PROC}/@{pid}/fd/ r,
        owner @{PROC}/@{pid}/cgroup r,

apparmor.d/groups/gnome/gnome-shell

@@ -59,6 +59,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /usr/share/xsessions/{,*.desktop} r,
   /opt/*/**/*.png r,
 
+  /.flatpak-info r,
   /etc/fstab r,
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,

apparmor.d/groups/gnome/tracker-extract

@@ -11,6 +11,7 @@ profile tracker-extract @{exec_path} {
   include <abstractions/base>
   include <abstractions/fonts>
   include <abstractions/gstreamer>
+  include <abstractions/nameservice-strict>
   include <abstractions/opencl-nvidia>
   include <abstractions/openssl>
 
@@ -20,11 +21,13 @@ profile tracker-extract @{exec_path} {
 
   /usr/share/applications/*.desktop r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/ladspa/rdf/{,**} r,
   /usr/share/mime/mime.cache r,
   /usr/share/osinfo/{,**} r,
   /usr/share/poppler/{,**} r,
   /usr/share/tracker3-miners/{,**} r,
   /usr/share/tracker3/{,**} r,
+  /usr/share/hwdata/*.ids r,
 
   /etc/libva.conf r,
 

apparmor.d/groups/gnome/tracker-miner

@@ -20,6 +20,7 @@ profile tracker-miner @{exec_path} {
   /usr/share/applications/{,mimeinfo.cache} r,
   /usr/share/mime/mime.cache r,
 
+  /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
   owner /var/tmp/etilqs_[0-9a-f]* rw,
 
   # Allow to search user files

apparmor.d/groups/pacman/pacdiff

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/pacdiff
-profile pacdiff @{exec_path} {
+profile pacdiff @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   capability dac_read_search,
@@ -38,5 +38,8 @@ profile pacdiff @{exec_path} {
 
   /dev/tty rw,
 
+  # Inherit Silencer
+  deny /apparmor/.null rw,
+
   include if exists <local/pacdiff>
 }

apparmor.d/groups/pacman/pacman

@@ -57,6 +57,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/gettext                     rix,
   /{usr/,}bin/ghc-pkg-*                   rix,
   /{usr/,}bin/grep                        rix,
+  /{usr/,}bin/killall                     rix,
   /{usr/,}bin/rm                          rix,
   /{usr/,}bin/setcap                      rix,
   /{usr/,}bin/vercmp                      rix,
@@ -73,7 +74,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
   /{usr/,}bin/install-info                rPx,
   /{usr/,}bin/journalctl                  rPx,
-  /{usr/,}bin/killall                     rPx,
+  /{usr/,}bin/locale-gen                  rPx,
   /{usr/,}bin/pacdiff                     rPx,
   /{usr/,}bin/pacman-key                  rPx,
   /{usr/,}bin/sysctl                      rPx,

apparmor.d/groups/pacman/pacman-conf

@@ -19,5 +19,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
   /etc/pacman.d/mirrorlist r,
   /etc/pacman.d/*-mirrorlist r,
 
+  deny /apparmor/.null rw,
+
   include if exists <local/pacman-conf>
 }

apparmor.d/profiles-a-f/askpass

@@ -10,6 +10,9 @@ include <tunables/global>
 profile askpass @{exec_path} {
   include <abstractions/base>
 
+  network inet dgram,
+  network inet6 dgram,
+
   @{exec_path} mr,
 
   /{usr/,}bin/{,ba,da}sh               rix,
@@ -18,5 +21,11 @@ profile askpass @{exec_path} {
   /{usr/,}bin/rm                       rix,
   /{usr/,}lib/electron[0-9]*/electron  rUx,
 
+  /usr/share/terminfo/x/xterm-256color r,
+
+  owner /tmp/tmp.* rw,
+
+  /dev/tty rw,
+
   include if exists <local/askpass>
 }

apparmor.d/profiles-g-l/git

@@ -39,24 +39,24 @@ profile git @{exec_path} {
   deny /usr/local/games/ r,
 
   # These are needed for "git submodule update"
-  /{usr/,}bin/basename    rix,
-  /{usr/,}bin/sed         rix,
-  /{usr/,}bin/gettext.sh  rix,
-  /{usr/,}bin/uname       rix,
-  /{usr/,}bin/envsubst    rix,
-  /{usr/,}bin/gettext     rix,
-
   /{usr/,}bin/{,ba,da}sh  rix,
   /{usr/,}bin/{,e}grep    rix,
+  /{usr/,}bin/basename    rix,
   /{usr/,}bin/cat         rix,
-  /{usr/,}bin/dirname     rix,
-
-  /{usr/,}bin/mv          rix,
-  /{usr/,}bin/whoami      rix,
-  /{usr/,}bin/hostname    rix,
-  /{usr/,}bin/rm          rix,
   /{usr/,}bin/cat         rix,
   /{usr/,}bin/date        rix,
+  /{usr/,}bin/dirname     rix,
+  /{usr/,}bin/envsubst    rix,
+  /{usr/,}bin/gettext     rix,
+  /{usr/,}bin/gettext.sh  rix,
+  /{usr/,}bin/hostname    rix,
+  /{usr/,}bin/mkdir       rix,
+  /{usr/,}bin/mv          rix,
+  /{usr/,}bin/rm          rix,
+  /{usr/,}bin/sed         rix,
+  /{usr/,}bin/uname       rix,
+  /{usr/,}bin/wc          rix,
+  /{usr/,}bin/whoami      rix,
 
   /{usr/,}bin/pager       rPx -> child-pager,
   /{usr/,}bin/less        rPx -> child-pager,

apparmor.d/profiles-m-r/pactl

@@ -13,7 +13,7 @@ profile pactl @{exec_path} {
   include <abstractions/audio>
   include <abstractions/deny-root-dir-access>
 
-  /{usr/,}bin/pactl mr,
+  @{exec_path} mr,
 
   owner @{HOME}/.Xauthority r,
 

apparmor.d/profiles-m-r/pipewire

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2015-2020 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -10,9 +10,9 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/pipewire
 profile pipewire @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio>
   include <abstractions/nameservice-strict>
 
-  # Needed for all sound/music apps.
   ptrace (read),
 
   @{exec_path} mr,
@@ -21,24 +21,12 @@ profile pipewire @{exec_path} {
 
   /etc/machine-id r,
   /etc/pipewire/client.conf r,
+  /etc/pipewire/pipewire-pulse.conf.d/{,*} r,
   /etc/pipewire/pipewire.conf r,
+  /etc/pipewire/pipewire.conf.d/{,*} r,
 
   owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
 
-  /dev/snd/controlC[0-9]* rw,
-  /dev/snd/pcmC[0-9]*D[0-9]*p rw,
-  /dev/snd/pcmC[0-9]*D[0-9]*c rw,
-
-  /usr/share/alsa/{,**} r,
-  /etc/alsa/{,**} r,
-
-  /dev/shm/ r,
-  @{run}/shm/ r,
-  /etc/pulse/{,**} r,
-  owner @{user_config_dirs}/pulse/ rw,
-  owner @{user_config_dirs}/pulse/cookie rwk,
-  owner @{run}/user/@{uid}/pulse/ r,
-
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/dmi/id/board_vendor r,
@@ -46,7 +34,6 @@ profile pipewire @{exec_path} {
 
   / r,
 
-  /dev/snd/seq rw,
   /dev/video[0-9]* rw,
 
   include if exists <local/pipewire>

apparmor.d/profiles-m-r/pipewire-pulse

@@ -8,8 +8,9 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/pipewire-pulse
-profile pipewire-pulse @{exec_path} {
+profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/audio>
   include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
@@ -18,10 +19,14 @@ profile pipewire-pulse @{exec_path} {
 
   @{exec_path} mr,
 
+  /{usr/,}bin/pactl rix,
+
+  /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
   /etc/pipewire/client.conf r,
   /etc/pipewire/pipewire-pulse.conf r,
+  /etc/pipewire/pipewire-pulse.conf.d/{,*} r,
   /usr/share/pipewire/client.conf r,
   /usr/share/pipewire/pipewire-pulse.conf r,
 
@@ -33,6 +38,7 @@ profile pipewire-pulse @{exec_path} {
   @{sys}/devices/virtual/dmi/id/bios_vendor r,
 
   / r,
+  /.flatpak-info r,
 
   include if exists <local/pipewire-pulse>
 }

apparmor.d/profiles-s-z/wireplumber

@@ -46,6 +46,7 @@ profile wireplumber @{exec_path} {
   @{sys}/devices/pci[0-9]*/**/modalias r,
   @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
 
+  /dev/snd/ r,
   /dev/video[0-9]* rw,
 
   include if exists <local/wireplumber>