From 4c689dbad9af8a910725805926b26784282ebade Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Mon, 27 Nov 2023 19:25:34 +0000
Subject: [PATCH] feat(profile): add gdm init profiles.

---
 apparmor.d/groups/gnome/gdm-generate-config | 43 +++++++++++++++++++++
 apparmor.d/groups/gnome/gnome-initial-setup | 32 +++++++++++++++
 dists/flags/main.flags                      |  1 +
 3 files changed, 76 insertions(+)
 create mode 100644 apparmor.d/groups/gnome/gdm-generate-config
 create mode 100644 apparmor.d/groups/gnome/gnome-initial-setup

diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config
new file mode 100644
index 00000000..7c677974
--- /dev/null
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/share/gdm/generate-config
+profile gdm-generate-config @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  capability dac_read_search,
+  capability setgid,
+  capability setuid,
+
+  @{exec_path} mr,
+
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/dconf       rix,
+  @{bin}/install     rix,
+  @{bin}/pgrep       rix,
+  @{bin}/pkill       rix,
+  @{bin}/setpriv     rix,
+  @{bin}/setsid      rix,
+
+  /etc/gdm{3,}/* r,
+  /usr/share/gdm/{,**} r,
+
+  /var/lib/ r,
+  /var/lib/gdm{3,}/{,**} r,
+
+  @{PROC}/ r,
+  @{PROC}/@{pid}/cgroup  r,
+  @{PROC}/@{pid}/cmdline r,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/uptime r,
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+
+  include if exists <local/gdm-generate-config>
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup
new file mode 100644
index 00000000..938b35e8
--- /dev/null
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/gnome-initial-setup
+profile gnome-initial-setup @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf-write>
+  include <abstractions/gnome>
+  include <abstractions/mesa>
+
+  network netlink raw,
+
+  dbus bind bus=session name=org.gnome.InitialSetup,
+
+  @{exec_path} mr,
+
+  @{bin}/df      rPx,
+  @{bin}/dpkg    rPx -> child-dpkg,
+  @{bin}/lscpu   rPx,
+  @{bin}/lspci   rPx,
+  @{bin}/xrandr  rPx,
+
+  @{lib}/gnome-initial-setup-goa-helper rix,
+
+  include if exists <local/gnome-initial-setup>
+}
\ No newline at end of file
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 66a0bfcd..5af41d10 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -113,6 +113,7 @@ fsck-ext4 complain
 fuse-overlayfs complain
 fusermount complain
 gdisk complain
+gdm-generate-config complain
 gdm-runtime-config complain
 gdm-x-session attach_disconnected,complain
 gdm-xsession complain