From 58c07e5ea5dbf4df2364d2eb8dfd9e97d88392f0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 20 Jun 2024 17:57:30 +0100
Subject: [PATCH] feat(profile): general update.
---
apparmor.d/groups/pacman/aurpublish | 1 +
apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 2 ++
apparmor.d/groups/systemd/systemd-machined | 1 +
apparmor.d/profiles-a-f/check-bios-nx | 3 +--
apparmor.d/profiles-a-f/ddcutil | 2 ++
apparmor.d/profiles-g-l/git | 1 +
apparmor.d/profiles-g-l/glib-compile-schemas | 8 ++++----
apparmor.d/profiles-s-z/update-ca-trust | 3 ++-
8 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 34a69460..8aba909e 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -45,6 +45,7 @@ profile aurpublish @{exec_path} { /usr/share/terminfo/** r, /etc/makepkg.conf r, + /etc/makepkg.conf.d/{,**} r, owner @{user_build_dirs}/**/ w, owner @{user_projects_dirs}/**/ r,
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index fe579ee9..a182b23c 100644
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@@ -65,6 +65,8 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/*.conf r, + include if exists }
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index 4ff32fae..512fdde8 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -40,6 +40,7 @@ profile systemd-machined @{exec_path} { /var/lib/machines/{,**} rw, /etc/machine-id r, + @{run}/systemd/machine/{,**} rw, @{run}/systemd/machines/{,**} rw, @{run}/systemd/notify w,
diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx
index 9efa992f..877677bc 100644
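Review bot: In apparmor.d/groups/pacman/pacman-hook-mkinitcpio, the new `@{HOME}/@{XDG_GPG_DIR}/*.conf r,` rule has no `owner` qualifier, so it allows reading matching files under every home directory that `@{HOME}` expands to, not only those belonging to the user the hook runs as. If the hook only needs its own (presumably root's) GnuPG configuration, `owner @{HOME}/@{XDG_GPG_DIR}/*.conf r,` would keep the grant tighter; this should be confirmed against how the hook is invoked. A one-line comment naming the program that reads these files would also help, since the hunk does not show why this hook reads them. The profile body starts outside the hunk.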
--- a/apparmor.d/profiles-a-f/check-bios-nx
+++ b/apparmor.d/profiles-a-f/check-bios-nx
@@ -27,8 +27,7 @@ profile check-bios-nx @{exec_path} { @{bin}/rdmsr rPx, - owner @{PROC}/@{pid}/fd/2 w, - + owner @{PROC}/@{pid}/fd/@{int} rw, profile kmod { include
diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil
index d8305f31..ee12dcd5 100644
--- a/apparmor.d/profiles-a-f/ddcutil
+++ b/apparmor.d/profiles-a-f/ddcutil
@@ -23,6 +23,8 @@ profile ddcutil @{exec_path} { @{bin}/xargs rix, @{bin}/grep rix, + / r, + owner @{user_cache_dirs}/ddcutil/ rw, owner @{user_cache_dirs}/ddcutil/** rwlk,
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index c92f1865..d147d77b 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -56,6 +56,7 @@ profile git @{exec_path} { @{bin}/rm rix, @{bin}/sed rix, @{bin}/tar rix, + @{bin}/true rix, @{bin}/uname rix, @{bin}/wc rix, @{bin}/whoami rix,
diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas
index a9004c22..5463405f 100644
--- a/apparmor.d/profiles-g-l/glib-compile-schemas
+++ b/apparmor.d/profiles-g-l/glib-compile-schemas
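Review bot: In apparmor.d/profiles-a-f/check-bios-nx, the replacement rule `owner @{PROC}/@{pid}/fd/@{int} rw,` widens the previous write-only access on descriptor 2 to read and write on every numbered descriptor of the process, and nothing in the hunk says why. If the script only redirects to its standard output and error streams, a narrower rule such as `owner @{PROC}/@{pid}/fd/{1,2} w,` would cover that; otherwise a short comment naming the descriptors in use would document the wider grant. The `kmod` subprofile that follows continues past the end of the hunk.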
@@ -22,10 +22,10 @@ profile glib-compile-schemas @{exec_path} { /usr/share/gnome-shell/extensions/*/schemas/org.gnome.shell.extensions.*.gschema.xml r, - owner @{user_share_dirs}/gnome-shell/extension-updates/*/schemas/ r, - owner @{user_share_dirs}/gnome-shell/extension-updates/*/schemas/gschemas.compiled rw, - owner @{user_share_dirs}/gnome-shell/extension-updates/*/schemas/gschemas.compiled.@{rand6} rw, - owner @{user_share_dirs}/gnome-shell/extension-updates/*/schemas/org.gnome.shell.extensions.*.gschema.xml r, + owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/ r, + owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/gschemas.compiled rw, + owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/gschemas.compiled.@{rand6} rw, + owner @{user_share_dirs}/gnome-shell/extension{,-updates}/*/schemas/org.gnome.shell.extensions.*.gschema.xml r, include if exists }
diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust
index a4434ad4..6ebcf7f8 100644
--- a/apparmor.d/profiles-s-z/update-ca-trust
+++ b/apparmor.d/profiles-s-z/update-ca-trust
@@ -15,9 +15,10 @@ profile update-ca-trust @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/find rix, @{bin}/ln rix, + @{bin}/mkdir rix, @{bin}/trust rix, / r,
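Review bot: In apparmor.d/profiles-g-l/glib-compile-schemas, the alternation `extension{,-updates}` expands to `extension` and `extension-updates`, so the four rewritten `owner` rules still do not match a per-user directory named `extensions`. The unchanged system rule directly above them uses `/usr/share/gnome-shell/extensions/`, which suggests the per-user directory is spelled the same way. If so, the pattern should be `extension{s,-updates}`, for example `owner @{user_share_dirs}/gnome-shell/extension{s,-updates}/*/schemas/ r,`, applied to all four lines.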