From 516a1fd36d9192c7cb580a6be43f0e52988f87ae Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 17 Sep 2024 12:55:08 +0100
Subject: [PATCH] fix(profile): multiple minor fixes. fix #493 #480

---
 apparmor.d/groups/children/child-pager | 2 ++
 apparmor.d/groups/pacman/archlinux-keyring-wkd-sync | 2 +-
 .../groups/systemd/systemd-generator-user-environment | 2 ++
 apparmor.d/groups/systemd/systemd-journald | 1 +
 apparmor.d/profiles-a-f/auditd | 1 +
 apparmor.d/profiles-g-l/login | 4 +++-
 apparmor.d/profiles-m-r/nft | 2 ++
 apparmor.d/profiles-m-r/pidof | 1 +
 apparmor.d/profiles-m-r/resolvconf | 11 +++++++++++
 9 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager
index ebaf6724..45ac2516 100644
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@@ -37,6 +37,8 @@ profile child-pager {
   owner @{user_state_dirs}/ r,
   owner @{user_state_dirs}/lesshs* rw,
 
+  /dev/tty@{int} rw,
+
   include if exists
 }
 
diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
index 708d2b58..dab6a2ed 100644
--- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
@@ -30,7 +30,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
   /etc/pacman.conf r,
   /etc/pacman.d/*-mirrorlist r,
   /etc/pacman.d/gnupg/ rw,
-  /etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**,
+  /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**,
   /etc/pacman.d/mirrorlist r,
 
   owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment
index 1abceb36..420ef84a 100644
--- a/apparmor.d/groups/systemd/systemd-generator-user-environment
+++ b/apparmor.d/groups/systemd/systemd-generator-user-environment
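Review bot: The `l` added to `/etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**,` is what gives the pre-existing `->` link target any effect, since a link target only constrains the `l` permission; without it the target was dead text. The rule as written keeps hard links inside the keyring directory, which is the right shape, but nothing says why linking is needed at all (presumably the lock-file scheme GnuPG uses inside that directory). A one-line comment such as `# gpg lock files are created as hard links` above the rule would stop the next reviewer from dropping `l` again. The profile body continues outside the hunk.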
@@ -12,6 +12,8 @@ profile systemd-generator-user-environment @{exec_path} {
   include
   include
 
+  capability net_admin,
+
   @{exec_path} mr,
   @{sh_path} rix,
 
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 3d1fdfa6..6ac35cb6 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} {
   @{run}/udev/data/+acpi:* r,
   @{run}/udev/data/+bluetooth:* r,
   @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
+  @{run}/udev/data/+ieee80211:* r,
   @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad
   @{run}/udev/data/+mdio_bus:* r,
   @{run}/udev/data/+pci:* r,
diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd
index 4e93a5d2..935a84c6 100644
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@@ -31,6 +31,7 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
   owner @{run}/auditd.pid rwl,
   owner @{run}/auditd.state rw,
 
+  @{PROC}/@{pid}/ r,
   owner @{PROC}/@{pid}/attr/current r,
   owner @{PROC}/@{pid}/loginuid r,
   owner @{PROC}/@{pid}/oom_score_adj rw,
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index c9355303..41fa293b 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -54,13 +54,15 @@ profile login @{exec_path} flags=(attach_disconnected) {
   /etc/security/pam_env.conf r,
   /etc/shells r,
 
+  /var/lib/faillock/@{user} rwk,
   /var/log/btmp{,.@{int}} r,
 
   owner @{user_cache_dirs}/motd.legal-displayed rw,
 
-  @{run}/motd.d/{,*} r,
+  @{run}/credentials/getty@tty@{int}.service/ r,
   @{run}/dbus/system_bus_socket rw,
   @{run}/faillock/@{user} rwk,
+  @{run}/motd.d/{,*} r,
   @{run}/motd.dynamic{,.new} rw,
   @{run}/systemd/sessions/*.ref rw,
 
diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft
index 1255ca40..3595bb4c 100644
--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
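Review bot: `capability net_admin,` is a broad grant for a generator whose visible body is a shell script (`@{sh_path} rix,` two lines below), and the hunk records nothing about which operation needed it. Because every helper the script runs via `rix` inherits this profile, the capability is also handed to each of those helpers; if the denial came from a single tool, confining that tool in its own child profile and granting the capability there keeps the generator itself minimal. At minimum add the trigger next to the rule, e.g. `capability net_admin, # needed by: <operation from the audit log — fill in>`. The profile body continues outside the hunk.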
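Review bot: The added `@{PROC}/@{pid}/ r,` is the only `@{PROC}/@{pid}/` rule in this hunk without the `owner` qualifier, and `@{pid}` is a numeric pattern rather than the caller's own pid, so the rule lets auditd list the /proc directory of any process. If the logged denial was for auditd's own process, `owner @{PROC}/@{pid}/ r,` matches the neighbouring rules and is sufficient; if other processes' directories are genuinely needed, a comment saying so would keep the next reviewer from tightening it. The profile body continues outside the hunk.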
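Review bot: `@{run}/credentials/getty@tty@{int}.service/ r,` covers only the `getty@tty*` unit, yet login is, as far as I know, also started by the serial and container getty templates, which would presumably hit the same credential-directory denial; if so, a rule per unit or a pattern like `@{run}/credentials/*getty@*.service/ r,` would be consistent. The new `/var/lib/faillock/@{user} rwk,` mirrors the existing `@{run}/faillock/@{user} rwk,`, which is sensible, though a short comment noting that the path depends on the `dir=` option given to pam_faillock would explain why both are kept. Re-sorting `@{run}/motd.d/{,*} r,` into the @{run} block is fine. The profile body continues outside the hunk.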
@@ -20,6 +20,8 @@ profile nft @{exec_path} {
   @{exec_path} mr,
 
+  /usr/share/iproute2/{,**} r,
+
   /etc/iproute2/** r,
   /etc/nftables.conf r,
   /etc/nftables/{,**} r,
 
diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof
index e2ea46e5..a294705b 100644
--- a/apparmor.d/profiles-m-r/pidof
+++ b/apparmor.d/profiles-m-r/pidof
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/pidof
 profile pidof @{exec_path} {
   include
+  include
 
   capability sys_ptrace,
 
diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf
index 6dfe82b6..981af134 100644
--- a/apparmor.d/profiles-m-r/resolvconf
+++ b/apparmor.d/profiles-m-r/resolvconf
@@ -22,6 +22,7 @@ profile resolvconf @{exec_path} {
   @{bin}/rm rix,
   @{bin}/run-parts rix,
   @{bin}/sed rix,
+  @{bin}/systemctl rCx -> systemctl,
   @{lib}/resolvconf/list-records rix,
 
   /usr/lib/resolvconf/{,**} r,
@@ -35,6 +36,16 @@ profile resolvconf @{exec_path} {
 
   /dev/tty rw,
 
+  profile systemctl {
+    include
+    include
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    include if exists
+  }
+
   include if exists
 }
 
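Review bot: `/usr/share/iproute2/{,**} r,` is placed in its own paragraph, separated by a blank line from the existing `/etc/iproute2/** r,` although both serve the same purpose (the iproute2 lookup tables, which newer iproute2 releases presumably ship under /usr/share with /etc as the local override); grouping the two rules together under one comment such as `# iproute2 lookup tables (/usr/share is the default, /etc the override)` would make the intent clear. The two patterns also differ, the new one admitting the directory itself via `{,**}` while the old one does not, so aligning them to the same form avoids a later directory-listing denial on /etc/iproute2/. The profile body continues outside the hunk.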
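Review bot: The new `systemctl` child profile grants `capability net_admin,` and `capability sys_ptrace,` with nothing recording which systemctl operation needed them, which is broad for a helper invoked from resolvconf through `@{bin}/systemctl rCx -> systemctl,` in the preceding hunk. A comment above each capability naming the triggering command, e.g. `capability sys_ptrace, # <systemctl subcommand from the audit log — fill in>`, lets a later review drop whichever one stops being needed. The two `include` targets and the `include if exists` target are not rendered on this page, so I cannot tell whether one of them supplies the `mr` rule for the systemctl binary, which the child profile does not state explicitly; worth confirming, as `Cx` has no fallback if the child cannot execute it.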