From 2560e9645ff11d4fd24c69ef8145adf9bc8f817c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Wed, 25 Dec 2024 00:05:36 +0100
Subject: [PATCH] feat(profile): various improvements and update.

---
 apparmor.d/groups/gnome/gnome-session                        | 2 ++
 apparmor.d/groups/gnome/gnome-software                       | 1 +
 apparmor.d/groups/network/mullvad-daemon                     | 1 +
 apparmor.d/groups/pacman/pacman-hook-systemd                 | 1 +
 apparmor.d/groups/systemd/bootctl                            | 2 +-
 apparmor.d/groups/systemd/busctl                             | 2 +-
 apparmor.d/groups/systemd/systemd-backlight                  | 2 +-
 apparmor.d/groups/systemd/systemd-cryptsetup                 | 2 +-
 apparmor.d/groups/systemd/systemd-generator-user-autostart   | 2 +-
 apparmor.d/groups/systemd/systemd-generator-user-environment | 2 +-
 apparmor.d/groups/systemd/systemd-journald                   | 2 +-
 apparmor.d/groups/systemd/systemd-machined                   | 2 +-
 apparmor.d/groups/systemd/systemd-random-seed                | 2 +-
 apparmor.d/groups/systemd/systemd-update-done                | 2 +-
 apparmor.d/groups/systemd/systemd-update-utmp                | 2 +-
 apparmor.d/groups/systemd/systemd-user-runtime-dir           | 2 +-
 apparmor.d/groups/systemd/systemd-user-sessions              | 2 +-
 apparmor.d/groups/virt/libvirtd                              | 1 +
 apparmor.d/profiles-a-f/flatpak-system-helper                | 3 ++-
 apparmor.d/profiles-a-f/fwupd                                | 3 +--
 20 files changed, 22 insertions(+), 16 deletions(-)

diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session
index 79886827..bec97e7d 100644
--- a/apparmor.d/groups/gnome/gnome-session
+++ b/apparmor.d/groups/gnome/gnome-session
@@ -58,6 +58,8 @@ profile gnome-session @{exec_path} {
   /etc/X11/xinit/xinputrc r,
   /etc/X11/Xsession.d/*im-config_launch r,
 
+  owner @{HOME}/ r,
+
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid r,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index a75cfee6..601e6b6d 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -39,6 +39,7 @@ profile gnome-software @{exec_path} {
 
   /usr/share/app-info/{,**} r,
   /usr/share/appdata/{,**} r,
+  /usr/share/flatpak/remotes.d/ r,
   /usr/share/metainfo/{,**} r,
   /usr/share/swcatalog/{,**} r,
   /usr/share/xml/iso-codes/{,**} r,
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index ee98720b..6c4c41e6 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -59,6 +59,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/@{uuid} rw,
   owner @{tmp}/talpid-openvpn-@{uuid} rw,
 
+        @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw,
         @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd
index 59acc34d..6f154269 100644
--- a/apparmor.d/groups/pacman/pacman-hook-systemd
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
@@ -44,6 +44,7 @@ profile pacman-hook-systemd @{exec_path} {
     include <abstractions/app/systemctl>
 
     capability net_admin,
+    capability sys_resource,
 
     signal send set=term peer=systemd-tty-ask-password-agent,
 
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index 05655d30..c7bb7b19 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/bootctl
-profile bootctl @{exec_path} {
+profile bootctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/disks-read>
diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl
index 6516a500..826405d2 100644
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/busctl
-profile busctl @{exec_path} {
+profile busctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight
index f67cb301..374e9c4a 100644
--- a/apparmor.d/groups/systemd/systemd-backlight
+++ b/apparmor.d/groups/systemd/systemd-backlight
@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-backlight
-profile systemd-backlight @{exec_path} {
+profile systemd-backlight @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
 
diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup
index f8950c1f..090412ff 100644
--- a/apparmor.d/groups/systemd/systemd-cryptsetup
+++ b/apparmor.d/groups/systemd/systemd-cryptsetup
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup
-profile systemd-cryptsetup @{exec_path} {
+profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
   include <abstractions/disks-write>
diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart
index c42548ef..8e3ebb6b 100644
--- a/apparmor.d/groups/systemd/systemd-generator-user-autostart
+++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator
-profile systemd-generator-user-autostart @{exec_path} {
+profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment
index db128405..27db2207 100644
--- a/apparmor.d/groups/systemd/systemd-generator-user-environment
+++ b/apparmor.d/groups/systemd/systemd-generator-user-environment
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/user-environment-generators/*
-profile systemd-generator-user-environment @{exec_path} {
+profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index cc1f541d..d63a4211 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-journald
-profile systemd-journald @{exec_path} {
+profile systemd-journald @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/common/systemd>
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index 3a111f7f..b37f2300 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-machined
-profile systemd-machined @{exec_path} {
+profile systemd-machined @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/nameservice-strict>
diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed
index be33d39c..86ea02a0 100644
--- a/apparmor.d/groups/systemd/systemd-random-seed
+++ b/apparmor.d/groups/systemd/systemd-random-seed
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-random-seed
-profile systemd-random-seed @{exec_path} {
+profile systemd-random-seed @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
 
diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done
index c17be7ab..e7a44d01 100644
--- a/apparmor.d/groups/systemd/systemd-update-done
+++ b/apparmor.d/groups/systemd/systemd-update-done
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-update-done
-profile systemd-update-done @{exec_path} {
+profile systemd-update-done @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   capability net_admin,
diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp
index 9d512b49..1a2ff9a3 100644
--- a/apparmor.d/groups/systemd/systemd-update-utmp
+++ b/apparmor.d/groups/systemd/systemd-update-utmp
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-update-utmp
-profile systemd-update-utmp @{exec_path} {
+profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
   include <abstractions/wutmp>
diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir
index 9c7fe975..363b9a32 100644
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir
-profile systemd-user-runtime-dir @{exec_path} {
+profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.login1>
diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions
index 6f16b2f1..8de32dfe 100644
--- a/apparmor.d/groups/systemd/systemd-user-sessions
+++ b/apparmor.d/groups/systemd/systemd-user-sessions
@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-user-sessions
-profile systemd-user-sessions @{exec_path} {
+profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
 
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index db6d5d37..06186671 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -171,6 +171,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/+leds:* r,
   @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
   @{run}/udev/data/+platform:* r,
+  @{run}/udev/data/+power_supply:* r,
   @{run}/udev/data/+rfkill:* r,
   @{run}/udev/data/+sound:card@{int} r,   # For sound card
   @{run}/udev/data/+thunderbolt:* r,
diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper
index 2268de06..60c41a6a 100644
--- a/apparmor.d/profiles-a-f/flatpak-system-helper
+++ b/apparmor.d/profiles-a-f/flatpak-system-helper
@@ -37,8 +37,9 @@ profile flatpak-system-helper @{exec_path} {
   /etc/flatpak/{,**} r,
   /etc/machine-id r,
 
-  /usr/share/mime/mime.cache r,
+  /usr/share/flatpak/remotes.d/ r,
   /usr/share/flatpak/triggers/ r,
+  /usr/share/mime/mime.cache r,
 
   /var/lib/flatpak/{,**} rwkl,
   /var/tmp/flatpak-cache-*/{,**} rw,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index aa95a00d..643bbe96 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -17,7 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   include <abstractions/bus/org.freedesktop.UDisks2>
   include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/consoles>
-  include <abstractions/disks-read>
+  include <abstractions/disks-write>
   include <abstractions/fonts>
   include <abstractions/nameservice-strict>
 
@@ -129,7 +129,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   /dev/mei@{int} rw,
   /dev/mem r,
   /dev/mtd@{int} rw,
-  /dev/sd[a-z]* r,
   /dev/tpm@{int} rw,
   /dev/tpmrm@{int} rw,
   /dev/wmi/* r,