update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>

apparmor.d/abstractions/libvirt-qemu

@@ -79,13 +79,13 @@
   # access to firmware's etc
   /usr/share/AAVMF/** r,
   /usr/share/bochs/** r,
-  /usr/share/edk2-ovmf/** r,
+  /usr/share/edk2-ovmf/** rk,
   /usr/share/kvm/** r,
   /usr/share/misc/sgabios.bin r,
   /usr/share/openbios/** r,
   /usr/share/openhackware/** r,
-  /usr/share/OVMF/** r,
+  /usr/share/OVMF/** rk,
-  /usr/share/ovmf/** r,
+  /usr/share/ovmf/** rk,
   /usr/share/proll/** r,
   /usr/share/qemu-efi/** r,
   /usr/share/qemu-kvm/** r,
@@ -247,4 +247,9 @@
   / r, # harmless on any lsb compliant system
   /sys/bus/nd/devices/{,**/} r,
 
+  # required for QEMU accessing UEFI nvram variables
+  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
+  owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,
+
+  # Site-specific additions and overrides. See local/README for details.
   include if exists <local/abstractions/libvirt-qemu>

apparmor.d/groups/apps/android-studio

@@ -33,10 +33,14 @@ profile android-studio @{exec_path} {
 
   signal (send) set=(term, kill) peer=android-studio//lsb-release,
 
+  ptrace (read) peer=android-studio//*,
+
   network inet dgram,
   network inet6 dgram,
   network inet stream,
   network inet6 stream,
+  network inet raw,
+  network inet6 raw,
   network netlink raw,
 
   @{exec_path} r,
@@ -129,6 +133,9 @@ profile android-studio @{exec_path} {
   owner "@{user_cache_dirs}/Android Open Source Project/" rw,
   owner "@{user_cache_dirs}/Android Open Source Project/**" rw,
 
+  owner @{user_cache_dirs}/main.kts.compiled.cache/ rw,
+  owner @{user_cache_dirs}/main.kts.compiled.cache/** rw,
+
   owner @{user_cache_dirs}/Google/ rw,
   owner @{user_cache_dirs}/Google/** rwk,
   # To remove the following error:
@@ -178,11 +185,12 @@ profile android-studio @{exec_path} {
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/coredump_filter rw,
   owner @{PROC}/@{pid}/mem r,
   owner @{PROC}/@{pid}/oom_{,score_}adj rw,
   owner @{PROC}/@{pids}/task/ r,
   owner @{PROC}/@{pids}/task/@{tid}/status r,
-  owner @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/stat r,
         @{PROC}/sys/net/core/somaxconn r,
         @{PROC}/sys/fs/inotify/max_user_watches r,
         @{PROC}/sys/kernel/yama/ptrace_scope r,
@@ -201,6 +209,8 @@ profile android-studio @{exec_path} {
 
   /usr/share/hwdata/pnp.ids r,
 
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 

apparmor.d/groups/apt/apt-forktracer

@@ -1,13 +1,6 @@
-# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
-# ------------------------------------------------------------------
-#
 # Copyright (C) 2021 Mikhail Morfikov
-#
+# SPDX-License-Identifier: GPL-2.0-only
-#    This program is free software; you can redistribute it and/or
-#    modify it under the terms of version 2 of the GNU General Public
-#    License published by the Free Software Foundation.
-#
-# ------------------------------------------------------------------
 
 abi <abi/3.0>,
 
@@ -23,6 +16,7 @@ profile apt-forktracer @{exec_path} {
 
   /{usr/,}bin/ r,
   /{usr/,}bin/dpkg      rPx -> child-dpkg,
+  /{usr/,}bin/apt-cache rPx,
 
   /usr/share/apt-forktracer/{,**} r,
 
@@ -38,5 +32,8 @@ profile apt-forktracer @{exec_path} {
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
+  /etc/dpkg/origins/debian r,
+  /etc/debian_version r,
+
   include if exists <local/apt-forktracer>
 }

apparmor.d/groups/apt/apt-methods-gpgv

@@ -35,6 +35,7 @@ profile apt-methods-gpgv @{exec_path} {
   /{usr/,}bin/find              rix,
   /{usr/,}bin/gpgv              rix,
 
+  /{usr/,}bin/head      rix,
   /{usr/,}bin/cat       rix,
   /{usr/,}bin/chmod     rix,
   /{usr/,}bin/cmp       rix,
@@ -79,8 +80,8 @@ profile apt-methods-gpgv @{exec_path} {
   @{PROC}/@{pid}/fd/ r,
 
   # Local keyring storage
-  /etc/keyrings/ r,
+  /etc/apt/keyrings/ r,
-  /etc/keyrings/*.{gpg,asc} r,
+  /etc/apt/keyrings/*.{gpg,asc} r,
 
   # Extrepo keyring storage
   /var/lib/extrepo/keys/*.{gpg,asc} r,

apparmor.d/groups/apt/debsums

@@ -46,6 +46,7 @@ profile debsums @{exec_path} {
   /var/lib/{,**} r,
   /opt/{,**} r,
   /boot/{,**} r,
+  /lib*/{,**} r,
 
   include if exists <local/debsums>
 }

apparmor.d/groups/apt/dpkg

@@ -89,6 +89,9 @@ profile dpkg @{exec_path} {
   /usr/**  rwl -> /usr/**,
   /lib/    r,
   /lib/**  rwl -> /lib/** ,
+  # Fixme when more transitions will be available (#FIXME#)
+  /lib{,32,64,x64}/ r,
+  /lib{,32,64,x64}/** rwl,
   /bin/    r,
   /bin/*   rwl -> /bin/*,
   /sbin/   r,

apparmor.d/groups/apt/querybts

@@ -52,6 +52,9 @@ profile querybts @{exec_path} {
 
   /etc/fstab r,
 
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
   # Allowed apps to open
   /{usr/,}lib/firefox/firefox rPUx,
 

apparmor.d/groups/apt/reportbug

@@ -93,6 +93,8 @@ profile reportbug @{exec_path} {
 
   @{sys}/module/apparmor/parameters/enabled r,
 
+  /dev/ptmx rw,
+
   owner     /tmp/reportbug-*-[0-9]*-@{pid}-* rw,
   owner     /tmp/* rw,
   owner /var/tmp/*.bug{,~} rw,

apparmor.d/groups/bus/dbus-daemon

@@ -61,7 +61,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/inhibit/[0-9]*.ref rw,
         @{run}/systemd/sessions/[0-9]*.ref rw,
         @{run}/systemd/users/@{uid} r,
-  owner @{run}/user/@{uid}/at-spi/bus rw,
+  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
   owner @{run}/user/@{uid}/dbus-1/ rw,
   owner @{run}/user/@{uid}/dbus-1/services/ rw,
 

apparmor.d/groups/gpg/gpg

@@ -70,7 +70,7 @@ profile gpg @{exec_path} {
 
   # APT upstream/user keyrings
   /usr/share/keyrings/*.{gpg,asc} r,
-  /etc/keyrings/*.{gpg,asc} r,
+  /etc/apt/keyrings/*.{gpg,asc} r,
 
   # APT repositories
   /var/lib/apt/lists/*_InRelease r,

apparmor.d/profiles-a-f/appstreamcli

@@ -35,12 +35,17 @@ profile appstreamcli @{exec_path} flags=(complain) {
   
   /var/lib/app-info/yaml/ r,
   /var/lib/app-info/yaml/*_Components-*.yml.gz w,
+  /var/lib/app-info/ w,
   /var/lib/apt/lists/ r,
   /var/lib/apt/lists/*_Components-*.gz r,
+  /var/lib/swcatalog/ rw,
+  /var/lib/swcatalog/yaml/ rw,
+  /var/lib/swcatalog/yaml/*_Components-*.yml.gz w,
   /var/lib/flatpak/appstream/{,**} r,
 
         /var/cache/swcatalog/cache/{,**} rw,
   owner /var/cache/app-info/{,**} rw,
+  owner /var/cache/swcatalog/{,**} rw,
   owner /tmp/appstream-cache-*.mdb rw,
   owner /tmp/appstream/ rw,
   owner /tmp/appstream/appcache-*.mdb rw,

apparmor.d/profiles-a-f/atftpd

@@ -10,6 +10,8 @@ include <tunables/global>
 profile atftpd @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice>
+  # For libwrap (TCP Wrapper) support
+  include <abstractions/hosts_access>
 
   # to run atftpd daemon as nobody/nogroup
   capability setgid,
@@ -21,8 +23,5 @@ profile atftpd @{exec_path} {
   /tftpboot/{,**} r,
   /srv/tftp/{,**} r,
 
-  # for libwrap (TCP Wrapper) support
-  /etc/hosts.{,allow,deny} r,
-
   include if exists <local/atftpd>
 }

apparmor.d/profiles-a-f/atril

@@ -30,8 +30,12 @@ profile atril @{exec_path} {
 
   @{exec_path} mr,
 
-  /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess rix,
+  /{usr/,}bin/{,ba,da}sh      rix,
-  /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess rix,
+
+  /{usr/,}bin/atril-previewer rPx,
+
+  /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
+  /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess     rix,
 
   # Which media files atril should be able to open
         / r,
@@ -52,6 +56,7 @@ profile atril @{exec_path} {
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
 
+       owner @{PROC}/@{pid}/fd/ r,
        owner @{PROC}/@{pid}/mountinfo r,
        owner @{PROC}/@{pid}/mounts r,
        owner @{PROC}/@{pid}/statm r,
@@ -59,24 +64,25 @@ profile atril @{exec_path} {
        owner @{PROC}/@{pid}/cgroup r,
              @{PROC}/zoneinfo r,
 
-  /sys/firmware/acpi/pm_profile r,
+  @{sys}/firmware/acpi/pm_profile r,
-  /sys/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/devices/virtual/dmi/id/chassis_type r,
-  /sys/fs/cgroup/** r,
+  @{sys}/fs/cgroup/** r,
 
   /etc/fstab r,
 
-  /usr/share/poppler/** r,
+  /usr/share/poppler/{,**} r,
 
-  owner @{user_config_dirs}/atril/ rw,
+  owner @{user_config_dirs}/atril/{,*} rw,
-  owner @{user_config_dirs}/atril/* rw,
 
-  owner @{user_cache_dirs}/atril/ rw,
+  owner @{user_cache_dirs}/atril/{,**} rw,
-  owner @{user_cache_dirs}/atril/** rw,
 
   owner @{user_share_dirs}/gvfs-metadata/home r,
   owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
 
   owner /tmp/gtkprint_* rw,
+  owner /tmp/settings*.ini rw,
+  owner /tmp/settings*.ini.* rw,
+
   owner /tmp/atril-@{pid}/ rw,
   owner /tmp/atril-@{pid}/*/ rw,
   owner /tmp/atril-@{pid}/*/mimetype rw,

apparmor.d/profiles-a-f/conky

@@ -46,6 +46,7 @@ profile conky @{exec_path} {
   /{usr/,}bin/cat        rix,
   /{usr/,}bin/wc         rix,
   /{usr/,}bin/sed        rix,
+  /{usr/,}bin/sleep      rix,
 
   # For external IP address
   #/{usr/,}bin/dig        rix,

apparmor.d/profiles-a-f/ffplay

@@ -43,9 +43,15 @@ profile ffplay @{exec_path} {
   include <abstractions/X>
   include <abstractions/freedesktop.org>
   include <abstractions/audio>
+  include <abstractions/nameservice-strict>
   include <abstractions/user-download-strict>
   include <abstractions/private-files-strict>
 
+  network inet stream,
+  network inet6 stream,
+  network inet dgram,
+  network inet6 dgram,
+
   @{exec_path} mr,
 
   # Which media files ffplay should be able to open

apparmor.d/profiles-g-l/gajim

@@ -98,7 +98,7 @@ profile gajim @{exec_path} {
 
   # Silencer
   deny /usr/share/gajim/** w,
-
+  deny /usr/lib/python3/dist-packages/** w,
 
   profile ccache {
     include <abstractions/base>
@@ -117,6 +117,8 @@ profile gajim @{exec_path} {
 
     /media/ccache/*/** rw,
 
+    owner @{run}/user/@{uid}/ccache-tmp/ rw,
+
     /etc/debian_version r,
 
   }

apparmor.d/profiles-g-l/gparted

@@ -15,6 +15,7 @@ profile gparted @{exec_path} {
 
   /{usr/,}{s,}bin/           r,
   /{usr/,}{s,}bin/gpartedbin rPx,
+  @{libexec}/gpartedbin      rPx,
 
   /{usr/,}bin/            r,
   /{usr/,}bin/{,e}grep    rix,

apparmor.d/profiles-g-l/gpartedbin

@@ -7,6 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}{s,}bin/gpartedbin
+@{exec_path} += @{libexec}/gpartedbin
 profile gpartedbin @{exec_path} {
   include <abstractions/base>
   include <abstractions/gtk>

apparmor.d/profiles-g-l/i3lock

@@ -19,10 +19,12 @@ profile i3lock @{exec_path} {
 
   @{exec_path} mr,
 
-  /usr/sbin/unix_chkpwd rPx,
+  /{usr/,}sbin/unix_chkpwd rPx,
 
   owner @{HOME}/.Xauthority r,
 
+  owner @{PROC}/@{pid}/fd/ r,
+
   # For background image.
   owner @{HOME}/*.png r,
   owner @{HOME}/*/*.png r,

apparmor.d/profiles-m-r/mkinitramfs

@@ -79,6 +79,7 @@ profile mkinitramfs @{exec_path} {
 
         /boot/ r,
   owner /boot/initrd.img-*.new rw,
+  owner /boot/config-* r,
 
         /var/tmp/ r,
   owner /var/tmp/mkinitramfs_*/ rw,

apparmor.d/profiles-m-r/mkvmerge

@@ -36,6 +36,7 @@ include <tunables/global>
 @{mkvmerge_ext} += [sS][rR][tT]
 @{mkvmerge_ext} += [tT][xX][tT]
 @{mkvmerge_ext} += [sS][uU][bB]
+@{mkvmerge_ext} += [mM][kK][sS]
 
 @{exec_path} = /{usr/,}bin/mkvmerge
 profile mkvmerge @{exec_path} {

apparmor.d/profiles-m-r/mkvtoolnix-gui

@@ -36,6 +36,7 @@ include <tunables/global>
 @{mkvtoolnix_ext} += [sS][rR][tT]
 @{mkvtoolnix_ext} += [tT][xX][tT]
 @{mkvtoolnix_ext} += [sS][uU][bB]
+@{mkvtoolnix_ext} += [mM][kK][sS]
 
 @{exec_path} = /{usr/,}bin/mkvtoolnix-gui
 profile mkvtoolnix-gui @{exec_path} {

apparmor.d/profiles-m-r/mtr

@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/mtr
+profile mtr @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/gtk>
+  include <abstractions/fonts>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/freedesktop.org>
+  include <abstractions/nameservice-strict>
+
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  signal (send) set=(term, kill) peer=mtr-packet,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/mtr-packet rPx,
+
+  include if exists <local/mtr>
+}

apparmor.d/profiles-m-r/mtr-packet

@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/mtr-packet
+profile mtr-packet @{exec_path} {
+  include <abstractions/base>
+
+  capability net_raw,
+
+  network inet stream,
+  network inet6 stream,
+  network inet dgram,
+  network inet6 dgram,
+  network inet raw,
+  network inet6 raw,
+
+  signal (receive) set=(kill, term) peer=mtr,
+
+  @{exec_path} mr,
+
+  include if exists <local/mtr-packet>
+}

apparmor.d/profiles-s-z/update-alternatives

@@ -28,5 +28,7 @@ profile update-alternatives @{exec_path} {
 
   /usr/** rw,
 
+  /lib/firmware/* rw,
+
   include if exists <local/update-alternatives>
 }

apparmor.d/profiles-s-z/uscan

@@ -28,10 +28,13 @@ profile uscan @{exec_path} {
   /{usr/,}bin/pwd        rix,
   /{usr/,}bin/find       rix,
   /{usr/,}bin/file       rix,
+  /{usr/,}bin/getconf    rix,
 
   /{usr/,}bin/tar        rix,
   /{usr/,}bin/gzip       rix,
   /{usr/,}bin/bzip2      rix,
+  /{usr/,}bin/gunzip     rix,
+  /{usr/,}bin/xz         rix,
 
   /{usr/,}bin/uupdate   rPUx,
 

apparmor.d/profiles-s-z/vsftpd

@@ -15,6 +15,9 @@ profile vsftpd @{exec_path} {
   # Only for local users authentication
   include <abstractions/authentication>
 
+  # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
+  include <abstractions/hosts_access>
+
   # To be able to listen on ports < 1024
   capability net_bind_service,
 
@@ -48,9 +51,6 @@ profile vsftpd @{exec_path} {
   # List of users disallowed FTP access
   /etc/ftpusers r,
 
-  # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
-  /etc/hosts.{allow,deny} r,
-
   # vsftpd config files
   /etc/vsftpd.conf r,
   /etc/vsftpd/**/ r,

apparmor.d/profiles-s-z/yt-dlp

@@ -65,7 +65,7 @@ profile yt-dlp @{exec_path} {
 
   # Which files yt-dlp should be able to open
   owner /media/**/ r,
-  owner /media/**.@{ytdlp_ext} rw,
+  owner /media/**.@{ytdlp_ext} rwk,
 
   owner @{HOME}/.cache/ rw,
   owner @{HOME}/.cache/yt-dlp/ rw,