From 352c444ae6b933b2c9c253a6e65e720499f7bf7c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 1 Oct 2023 16:06:28 +0100
Subject: [PATCH] feat(profiles): general update.

---
 apparmor.d/groups/bus/dbus-daemon                 | 4 +---
 apparmor.d/groups/freedesktop/xrandr              | 7 ++-----
 apparmor.d/groups/gnome/gnome-shell               | 1 +
 apparmor.d/groups/gnome/kgx                       | 2 ++
 apparmor.d/groups/gnome/tracker-extract           | 1 +
 apparmor.d/groups/pacman/pacman                   | 1 +
 apparmor.d/profiles-a-f/code-extension-git-editor | 2 ++
 apparmor.d/profiles-g-l/gsettings                 | 3 +--
 apparmor.d/profiles-m-r/protonmail-bridge         | 2 ++
 apparmor.d/profiles-s-z/thunderbird               | 4 ++--
 apparmor.d/profiles-s-z/udisksd                   | 8 ++++++++
 11 files changed, 23 insertions(+), 12 deletions(-)

diff --git a/apparmor.d/groups/bus/dbus-daemon b/apparmor.d/groups/bus/dbus-daemon
index f9afae61..b0e0b76b 100644
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@@ -22,7 +22,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   capability sys_resource,
 
   network netlink raw,
-
+  network unix stream,
   network bluetooth stream,
   network bluetooth seqpacket,
 
@@ -36,8 +36,6 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read),
 
-  unix (send receive accept) type=stream,
-
   @{exec_path} mr,
 
   @{bin}/ r,
diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr
index b57f58d3..388f29b9 100644
--- a/apparmor.d/groups/freedesktop/xrandr
+++ b/apparmor.d/groups/freedesktop/xrandr
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,14 +10,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/xrandr
 profile xrandr @{exec_path} {
   include <abstractions/base>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
-  owner @{HOME}/.Xauthority r,
-
-  /usr/share/X11/XErrorDB r,
-
-  # file_inherit
   owner /dev/tty@{int} rw,
 
   include if exists <local/xrandr>
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index dccd508e..c756b5fa 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -12,6 +12,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   include <abstractions/app-launcher-user>
   include <abstractions/audio>
   include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-gtk>
   include <abstractions/dbus-network-manager-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
index dbaeda05..7d351c5f 100644
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@@ -50,5 +50,7 @@ profile kgx @{exec_path} {
         @{PROC}/1/cgroup r,
   owner @{PROC}/@{pid}/cgroup r,
 
+  /dev/ptmx rw,
+
   include if exists <local/kgx>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 90df3ce8..ed03d899 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -84,6 +84,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/drirc.d/{,*.conf} r,
+  /usr/share/gdm/greeter/applications/*.desktop r,
   /usr/share/gvfs/remote-volume-monitors/{,*} r,
   /usr/share/hwdata/*.ids r,
   /usr/share/ladspa/rdf/{,**} r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 12b72f99..3f86cd7e 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -35,6 +35,7 @@ profile pacman @{exec_path} {
   network inet dgram,
   network inet6 dgram,
   network netlink raw,
+  network unix stream,
 
   ptrace (read),
 
diff --git a/apparmor.d/profiles-a-f/code-extension-git-editor b/apparmor.d/profiles-a-f/code-extension-git-editor
index 63fd2c8c..2ac32b58 100644
--- a/apparmor.d/profiles-a-f/code-extension-git-editor
+++ b/apparmor.d/profiles-a-f/code-extension-git-editor
@@ -15,6 +15,8 @@ profile code-extension-git-editor @{exec_path} {
   @{bin}/{,ba,da}sh               rix,
   @{lib}/electron@{int}/electron  rix,
 
+  @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
+
   /dev/tty rw,
 
   include if exists <local/code-extension-git-editor>
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings
index 8ad1f814..a56839da 100644
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@@ -9,10 +9,9 @@ include <tunables/global>
 @{exec_path} = @{bin}/gsettings
 profile gsettings @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
 
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/dbus-????????"),
-
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge
index 4a572a8f..38fc169c 100644
--- a/apparmor.d/profiles-m-r/protonmail-bridge
+++ b/apparmor.d/profiles-m-r/protonmail-bridge
@@ -26,6 +26,8 @@ profile protonmail-bridge @{exec_path}  {
   /etc/lsb-release r,
   /etc/machine-id r,
 
+  owner /var/tmp/etilqs_@{hex} rw,
+
   owner @{user_password_store_dirs}/protonmail-credentials/{,**} r,
 
   owner @{user_cache_dirs}/protonmail/{,**} rwk,
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index ed7a768f..0a5cd08f 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -80,8 +80,7 @@ profile thunderbird @{exec_path} {
        member=Introspect
        peer=(name=:*, label=gnome-shell),
 
-  dbus bind bus=session
-       name=org.mozilla.thunderbird.*,
+  dbus bind bus=session name=org.mozilla.thunderbird.*,
 
   @{exec_path} mrix,
 
@@ -146,6 +145,7 @@ profile thunderbird @{exec_path} {
   owner @{user_mail_dirs}/ rw,
   owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
 
+  owner @{config_dirs}/ rw,
   owner @{config_dirs}/*/ rw,
   owner @{config_dirs}/*/** rwk,
   owner @{config_dirs}/installs.ini rw,
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd
index 3a20d615..334a45c7 100644
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@@ -135,11 +135,19 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   @{run}/cryptsetup/ r,
   @{run}/cryptsetup/L* rwk,
 
+  @{run}/udev/data/+pci:* r,
+  @{run}/udev/data/+platform:* r,
+
+  @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
+  @{run}/udev/data/c24[0-9]:@{int} r,
+  @{run}/udev/data/c25[0-4]:@{int} r,
+
   @{sys}/bus/ r,
   @{sys}/bus/pci/slots/ r,
   @{sys}/class/ r,
   @{sys}/class/nvme-subsystem/ r,
   @{sys}/class/nvme/ r,
+  @{sys}/devices/@{pci}/uevent r,
   @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
   @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
   @{sys}/devices/virtual/bdi/**/read_ahead_kb r,