From 387f2f91fc2e6908e685de95fe08214504a07aee Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Fri, 13 Oct 2023 00:03:29 +0100
Subject: [PATCH] fix(profiles): fix brave entry point.

---
 apparmor.d/groups/browsers/brave              | 14 ++++----
 .../groups/browsers/brave-crashpad-handler    | 36 +++++++++++++++++++
 apparmor.d/groups/browsers/brave-wrapper      |  3 +-
 3 files changed, 46 insertions(+), 7 deletions(-)
 create mode 100644 apparmor.d/groups/browsers/brave-crashpad-handler

diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave
index 753e622a..70618143 100644
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@@ -9,11 +9,11 @@ include <tunables/global>
 
 @{name} = brave{,-beta,-dev,-bin}
 @{domain} = com.brave.Brave
-@{lib_dirs} = /opt/brave{-bin,.com}/@{name}
+@{lib_dirs} = /opt/brave{-bin,.com}{,/@{name}}
 @{config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
 @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
 
-@{exec_path} = @{lib_dirs}{,/@{name}}
+@{exec_path} = @{lib_dirs}/@{name}
 profile brave @{exec_path} {
   include <abstractions/base>
   include <abstractions/chromium>
@@ -22,14 +22,11 @@ profile brave @{exec_path} {
 
   @{bin}/man  rPUx, #  For "brave --help"
 
-  @{lib_dirs}/swiftshader/libGLESv2.so mr,
-  @{lib_dirs}/swiftshader/libEGL.so mr,
-
   /usr/share/chromium/extensions/ r,
 
   /etc/opt/chrome/ r,
 
-  owner @{user_config_dirs}/BraveSoftware/ w,
+  owner @{user_config_dirs}/BraveSoftware/ rw,
   owner @{user_config_dirs}/menus/applications-merged/ r,
   owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
 
@@ -38,6 +35,11 @@ profile brave @{exec_path} {
 
   owner /tmp/net-export/ rw,  # For brave://net-export/
 
+  owner /tmp/.org.chromium.Chromium.* rwk,
+  owner /tmp/.org.chromium.Chromium*/{,**} rw,
+
+  owner /dev/shm/.org.chromium.Chromium.* rw,
+
   # Silencer
   deny /etc/opt/chrome/ w,
 
diff --git a/apparmor.d/groups/browsers/brave-crashpad-handler b/apparmor.d/groups/browsers/brave-crashpad-handler
new file mode 100644
index 00000000..7f225c2e
--- /dev/null
+++ b/apparmor.d/groups/browsers/brave-crashpad-handler
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{name} = brave{,-beta,-dev,-bin}
+@{lib_dirs} = /opt/brave{-bin,.com}{,/@{name}}
+@{config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
+
+@{exec_path} = @{lib_dirs}/chrome_crashpad_handler
+profile brave-crashpad-handler @{exec_path} {
+  include <abstractions/base>
+
+  capability sys_ptrace,
+
+  ptrace peer=brave,
+  signal (send) peer=brave,
+
+  @{exec_path} mrix,
+
+  owner "@{config_dirs}/Crash Reports/**" rwk,
+
+        @{PROC}/sys/kernel/yama/ptrace_scope r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pids}/mem r,
+  owner @{PROC}/@{pids}/stat r,
+  owner @{PROC}/@{pids}/task/ r,
+
+  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
+  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r,
+
+  include if exists <local/brave-crashpad-handler>
+}
diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper
index 90d447e6..53635a42 100644
--- a/apparmor.d/groups/browsers/brave-wrapper
+++ b/apparmor.d/groups/browsers/brave-wrapper
@@ -7,7 +7,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{lib_dirs} = /opt/brave.com/brave{,-beta,-dev} /opt/brave-bin/brave{,-beta,-dev}
+@{name} = brave{,-beta,-dev,-bin}
+@{lib_dirs} = /opt/brave{-bin,.com}{,/@{name}}
 
 @{exec_path} = @{lib_dirs}/brave-browser{,-beta,-dev}
 profile brave-wrapper @{exec_path} {