From 2ea53a9dc3238ee9301b508abfd63e09142ea011 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 23 Feb 2024 20:21:22 +0000
Subject: [PATCH] feat(profile): general update.

---
 apparmor.d/groups/_full/systemd | 5 ++---
 apparmor.d/groups/_full/systemd-service | 2 +-
 apparmor.d/groups/_full/systemd-user | 2 +-
 apparmor.d/groups/cron/cron-ntp | 2 +-
 apparmor.d/groups/systemd/systemd-generator-cloud-init | 1 +
 apparmor.d/groups/systemd/systemd-generator-ds-identify | 7 +++++--
 apparmor.d/groups/systemd/systemd-logind | 1 +
 apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 2 +-
 apparmor.d/groups/virt/cockpit-certificate-helper | 3 +++
 apparmor.d/groups/virt/cockpit-session | 2 ++
 apparmor.d/groups/virt/libvirtd | 2 +-
 apparmor.d/groups/whonix/torbrowser | 3 ++-
 apparmor.d/profiles-g-l/ip | 7 ++++---
 apparmor.d/profiles-m-r/pkttyagent | 1 +
 14 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 45372b49..2920a65c 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -107,7 +107,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 @{bin}/mandb rPx -> systemd-service,
 @{bin}/savelog rPx -> systemd-service,
 @{coreutils_path} rPx -> systemd-service,
- @{shells_path} rPx -> systemd-service,
+ @{sh_path} rPx -> systemd-service,
 @{bin}/** PUx,
 @{lib}/** PUx,
@@ -128,8 +128,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 /var/tmp/ r,
 @{lib}/ r,
- /usr/share/** r,
- /etc/binfmt.d/{,**} r,
 /etc/conf.d/{,**} r,
 /etc/credstore.encrypted/{,**} r,
@@ -139,6 +137,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 /etc/machine-id r,
 /etc/modules-load.d/{,**} r,
 /etc/systemd/{,**} r,
+ /etc/udev/hwdb.d/{,**} r,
 /var/lib/systemd/{,**} rw,
 owner /var/tmp/systemd-private-*/{,**} rw,
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
index 459bd196..bc8f1ede 100644
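Review bot: In the first systemd hunk, narrowing `@{shells_path} rPx -> systemd-service,` to `@{sh_path}` changes where a unit's non-sh shell ends up: a shell not covered by `@{sh_path}` (zsh or fish in an ExecStart, for instance) no longer transitions into systemd-service but is caught by the `@{bin}/** PUx,` rule two lines below and runs unconfined unless a profile for that shell happens to exist. That differs from the same substitution in systemd-service, cron-ntp, libvirtd and ip, where an unmatched shell is simply denied. If the fallback is acceptable, record it next to the rule, e.g. `# other shells fall through to @{bin}/** PUx`; if not, this is the one profile where `@{shells_path}` should stay. Which binaries `@{sh_path}` expands to is defined in the tunables, which are outside this patch.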
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@@ -23,7 +23,7 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) {
 @{bin}/systemctl rix,
 @{bin}/gzip rix,
 @{coreutils_path} rix,
- @{shells_path} rmix,
+ @{sh_path} rmix,
 # shadow.service
 @{bin}/pwck rPx,
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index beb89315..1926f45d 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -4,7 +4,7 @@
 # Profile for 'systemd --user', not PID 1 but the user manager for any UID.
 # It does not specify an attachment path because it is intended to be used only
-# via "AppArmorProfile=systemd-user" from a systemd unit file.
+# via "px -> systemd-user" exec transitions from the `systemd` profile.
 # Only use this profile with a fully configured system. Otherwise it **WILL**
 # break your computer. See https://apparmor.pujol.io/full-system-policy/.
diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp
index d222c51a..b8aa50ab 100644
--- a/apparmor.d/groups/cron/cron-ntp
+++ b/apparmor.d/groups/cron/cron-ntp
@@ -12,7 +12,7 @@ profile cron-ntp @{exec_path} {
 @{exec_path} r,
- @{shells_path} rix,
+ @{sh_path} rix,
 @{bin}/cat rix,
 @{bin}/grep rix,
 @{bin}/sed rix,
diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd/systemd-generator-cloud-init
index dd89ddf2..e83f4c9d 100644
--- a/apparmor.d/groups/systemd/systemd-generator-cloud-init
+++ b/apparmor.d/groups/systemd/systemd-generator-cloud-init
@@ -15,6 +15,7 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{sh_path} rix,
+ @{bin}/mkdir rix,
 @{bin}/systemd-detect-virt rPx,
 @{lib}/cloud-init/ds-identify rPUx,
diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify
index f0a2b930..e78ab606 100644
--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@@ -14,8 +14,11 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
- @{sh_path} r,
- @{bin}/uname rix,
+ @{sh_path} rix,
+ @{bin}/blkid rPx,
+ @{bin}/systemd-detect-virt rPx,
+ @{bin}/tr rix,
+ @{bin}/uname rix,
 @{run}/cloud-init/.ds-identify.result r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 4b4bf896..33447191 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -113,6 +113,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
 @{sys}/fs/cgroup/memory.max r,
 @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
+ @{sys}/kernel/kexec_loaded r,
 @{sys}/module/vt/parameters/default_utf8 r,
 @{sys}/power/{state,resume_offset,resume,disk} r,
diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
index 283e4e5f..6850fb01 100644
--- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
+++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot
@@ -39,7 +39,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
 @{sys}/devices/virtual/block/**/ r,
 @{sys}/devices/virtual/block/**/autoclear r,
 @{sys}/devices/virtual/block/**/backing_file r,
- @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
+ @{sys}/devices/virtual/block/dm-@{int}/dm/name r,
 @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper
index e4b79abc..5d37ce71 100644
--- a/apparmor.d/groups/virt/cockpit-certificate-helper
+++ b/apparmor.d/groups/virt/cockpit-certificate-helper
@@ -10,6 +10,7 @@ include
 profile cockpit-certificate-helper @{exec_path} {
 include
 include
+ include
 @{exec_path} mr,
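Review bot: In the systemd-generator-ds-identify hunk, `@{bin}/blkid rPx,` and `@{bin}/systemd-detect-virt rPx,` only succeed when profiles named `blkid` and `systemd-detect-virt` are loaded; otherwise the exec is denied and ds-identify fails at that step. The cloud-init generator hunk on this page already uses `rPx` for systemd-detect-virt, so that target presumably exists, but nothing here shows a blkid profile — confirm one ships, or use `rPUx` (the mode the cloud-init hunk uses for ds-identify itself) if the exec has to keep working without it. The change from `@{sh_path} r,` to `rix` is what lets the script's interpreter run under this profile, and `rix` for `tr` and `uname` keeps them confined as well; the rest of the profile lies outside the hunk.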
@@ -18,11 +19,13 @@ profile cockpit-certificate-helper @{exec_path} {
 @{bin}/id rix,
 @{bin}/mkdir rix,
 @{bin}/mv rix,
+ @{bin}/openssl rix,
 @{bin}/rm rix,
 @{bin}/sscg rix,
 @{bin}/tr rix,
 /etc/machine-id r,
+ /etc/cockpit/ws-certs.d/* w,
 owner @{run}/cockpit/certificate-helper/{,**} rw,
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
index a4c1adb0..73d9243d 100644
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@@ -24,6 +24,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
+ @{bin}/unix_chkpwd rPx,
+ @{bin}/{,z,ba,da}sh rix,
 @{bin}/cockpit-bridge rPx,
 @{lib}/cockpit/cockpit-pcp rPx,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 22f3ca68..1ba9582a 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -115,7 +115,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{bin}/virtiofsd rux, # TODO: WIP
 @{bin}/virtlogd rPx,
- @{shells_path} rix,
+ @{sh_path} rix,
 @{bin}/ip rix,
 @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper
 @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper
diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/whonix/torbrowser
index ed104af7..dcc48911 100644
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@@ -27,12 +27,13 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
+ include
 include
 include
 include
 include
 include
+ include
 # userns,
diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip
index 75825661..33f0c57d 100644
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
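Review bot: In the cockpit-certificate-helper hunk, `/etc/cockpit/ws-certs.d/* w,` lets the helper create or overwrite any file in the directory cockpit-ws loads its TLS certificates and keys from, including administrator-supplied ones, not only the pair it generates. If the helper only ever writes its own self-signed certificate and key, narrow the glob to those names (I believe they are `0-self-signed.cert` and `0-self-signed.key`, but check the helper's source); if the wildcard is really needed, a one-line comment saying why would stop the next reader from tightening it blindly. `@{bin}/openssl rix,` is fine since openssl then runs under this same profile. The earlier hunk of this file only adds an include whose argument is not visible on this page, so there is nothing to review there.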
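Review bot: In the cockpit-session hunk, `@{bin}/{,z,ba,da}sh rix,` spells out a shell list by hand while every other hunk in this patch moves to the `@{sh_path}` tunable (systemd, systemd-service, cron-ntp, libvirtd, ip); using the tunable here, `@{sh_path} rix,`, keeps the set of permitted shells defined in one place. If cockpit-session genuinely has to exec the user's login shell, which may be zsh or fish, then `@{shells_path}` — the variable this patch replaces elsewhere — is the one that expresses that, and either way a short comment on the line would explain the choice. Because the mode is `rix`, the shell inherits this profile, so whatever it launches next must also be covered by cockpit-session's rules; `@{bin}/unix_chkpwd rPx,` is the right mode for that setuid helper.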
@@ -30,16 +30,17 @@ profile ip @{exec_path} flags=(attach_disconnected) {
 umount /sys/,
 @{exec_path} mrix,
- @{shells_path} rix,
+ @{sh_path} rix,
 / r,
 /etc/iproute2/{,**} r,
 /etc/netns/*/ r,
- owner @{run}/netns/ rwk,
+ /usr/share/iproute2/{,**} r,
+ @{run}/netns/* rw,
- owner @{run}/netns/ rw,
+ owner @{run}/netns/ rwk,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/net/dev_mcast r,
diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent
index 57a1b3da..ce290da5 100644
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@@ -26,6 +26,7 @@ profile pkttyagent @{exec_path} {
 @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
 @{lib}/polkit-agent-helper-[0-9] rPx,
+ owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pids}/stat r,
 /dev/tty rw,
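Review bot: In the ip hunk, `@{run}/netns/* rw,` is the only rule touching `@{run}/netns` without an `owner` qualifier: both removed lines and the re-added `owner @{run}/netns/ rwk,` right after it carry one, so as written ip may now write every namespace handle in the directory whatever uid created it. If that is deliberate (the handles are created by a privileged ip and need not be owned by the caller), say so in a comment; otherwise `owner @{run}/netns/* rw,` keeps the earlier scope. `/usr/share/iproute2/{,**} r,` is a plain read and needs nothing further. The mount rules that the `umount /sys/,` context line belongs to are outside the hunk.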