From 5fdbc2d00e7daa540174b68f692c2401edc24b72 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 18 Oct 2022 19:20:12 +0100
Subject: [PATCH] fix(profiles): minor bug fixes.
---
 apparmor.d/groups/gnome/nautilus | 6 ++++--
 apparmor.d/groups/pacman/pacman | 1 +
 apparmor.d/groups/systemd/systemd-logind | 2 +-
 apparmor.d/profiles-g-l/lsblk | 5 +++--
 apparmor.d/profiles-m-r/man | 4 ++++
 apparmor.d/profiles-s-z/steam | 6 ++++--
 apparmor.d/profiles-s-z/steam-game | 7 ++++++-
 apparmor.d/profiles-s-z/which | 1 +
 8 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index 5fdefc64..e664d219 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -36,8 +36,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 name=org.freedesktop.FileManager1,
 @{exec_path} mr,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}lib/gio-launch-desktop rPx -> child-open,
+
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/firejail rPUx,
+ /{usr/,}lib/gio-launch-desktop rPx -> child-open,
 /usr/share/nautilus/{,**} r,
 /usr/share/poppler/{,**} r,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 8f32f262..6d795cbc 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -68,6 +68,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/iscsi-iname rix,
 /{usr/,}bin/killall rix,
 /{usr/,}bin/ln rix,
+ /{usr/,}bin/pkill rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/sed rix,
 /{usr/,}bin/setcap rix,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 3afc0562..b462f246 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
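Review bot: `/{usr/,}bin/firejail rPUx,` falls back to running firejail unconfined whenever no firejail profile is loaded, so on such a host anything Nautilus launches through it leaves confinement entirely; firejail is also setuid root, which makes an unconfined fallback a worse default than it is for ordinary helpers. If this profile set ships a firejail profile, `/{usr/,}bin/firejail rPx,` is the safer transition; if the fallback is deliberate, a comment such as `# firejail is setuid root; runs unconfined when no profile is loaded` beside the rule would record that decision. The nautilus profile body continues outside the hunk.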
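Review bot: `/{usr/,}bin/pkill rix,` runs pkill inside the pacman profile, so the signals it sends are still subject to the profile's `signal` rules, none of which are visible in this hunk. If package hooks use pkill against processes confined by other profiles, the send is denied unless a matching `signal (send) peer=...` rule exists elsewhere in the profile; worth confirming from the audit log rather than assuming the existing `killall` entry already proves one is present. The pacman profile body continues outside the hunk.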
@@ -113,7 +113,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{run}/systemd/users/@{uid} rw,
 @{sys}/class/drm/ r,
- @{sys}/devices/**/{uevent,enabled,status} r,
+ @{sys}/devices/** r,
 @{sys}/devices/**/brightness rw,
 @{sys}/devices/virtual/tty/tty[0-9]*/active r,
 @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk
index 3144bb97..3593617d 100644
--- a/apparmor.d/profiles-g-l/lsblk
+++ b/apparmor.d/profiles-g-l/lsblk
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -13,8 +14,8 @@ profile lsblk @{exec_path} {
 include
 include
- capability dac_read_search,
- deny capability dac_override,
+ capability dac_read_search,
+ audit capability dac_override,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man
index 6318a569..7cfce7c5 100644
--- a/apparmor.d/profiles-m-r/man
+++ b/apparmor.d/profiles-m-r/man
@@ -42,6 +42,10 @@ profile man @{exec_path} {
 /{usr/,}bin/less rPx -> child-pager,
 /{usr/,}bin/more rPx -> child-pager,
+ /{usr/,}bin/locale rix,
+
+ /usr/share/groff/{,**} r,
+
 /usr/**/man/{,**} r,
 /var/**/man/{,**} r,
 /var/cache/man/index.db rk,
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index b365ced0..0708a206 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -47,6 +47,7 @@ profile steam @{exec_path} {
 /{usr/,}bin/cat rix,
 /{usr/,}bin/cmp rix,
 /{usr/,}bin/cp rix,
+ /{usr/,}bin/timeout rix,
 /{usr/,}bin/cut rix,
 /{usr/,}bin/dirname rix,
 /{usr/,}bin/{m,g,}awk rix,
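Review bot: Replacing `@{sys}/devices/**/{uevent,enabled,status} r,` with `@{sys}/devices/** r,` opens read access to the whole sysfs device tree, far beyond the three attributes the old rule named, and it now overlaps the `@{sys}/devices/**/brightness rw,` rule that follows. The header shows the profile in `complain` mode, so the attributes logind actually reads can be taken from the audit log and listed explicitly, e.g. `@{sys}/devices/**/{uevent,enabled,status,<missing attr>} r,`, rather than granting the tree; if the wildcard is intentional, a comment naming the reason should sit beside it. The systemd-logind profile body continues outside the hunk.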
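Review bot: `audit capability dac_override,` is an allow rule with logging, not an audited denial, so this hunk turns the former explicit `deny capability dac_override,` into a grant that lets lsblk bypass file permission checks when run as root. If the aim was only to observe whether lsblk ever requests it, the form is `audit deny capability dac_override,`; if the capability is genuinely needed, the reason belongs in a comment next to the rule, since `capability dac_read_search,` above already covers reading and traversing directories. The lsblk profile body continues outside the hunk.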
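Review bot: `/{usr/,}bin/timeout rix,` is inserted between `cp` and `cut`, breaking the alphabetical order the surrounding `rix` list keeps (cat, cmp, cp, cut, dirname, …). Placing it after the `s`/`t` entries keeps the list scannable and mirrors the steam-game profile, where `timeout` already sits between the `steam-runtime-*` entries and `true`. The steam profile body continues outside the hunk.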
@@ -74,6 +75,7 @@ profile steam @{exec_path} {
 /{usr/,}bin/xz rix,
 /{usr/,}bin/zenity rix,
 /{usr/,}lib{32,64}/ld-linux.so* rix,
+ /{usr/,}bin/lsb_release rPx -> lsb_release,
 @{user_share_dirs}/Steam/config/widevine/linux-x64/libwidevinecdm.so mr,
 @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier/*entry-point rpx,
@@ -144,7 +146,7 @@ profile steam @{exec_path} {
 owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw,
 owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
 owner /tmp/miles_image_* mrw,
- owner /tmp/runtime-info.txt.* rw,
+ owner /tmp/runtime-info.txt.* rwk,
 owner /tmp/sh-thd.* rw,
 owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
@@ -174,7 +176,7 @@ profile steam @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
 @{sys}/devices/system/cpu/** r,
 @{sys}/devices/system/node/ r,
- @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r,
+ @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} rk,
 @{sys}/devices/virtual/dmi/id/product_{name,version} r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
 @{sys}/devices/virtual/net/*/ r,
diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game
index a891ab7e..19d86069 100644
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@@ -72,6 +72,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/python3.[0-9]* rix,
 /{usr/,}bin/readlink rix,
 /{usr/,}bin/steam-runtime-launcher-interface-* rix,
+ /{usr/,}bin/steam-runtime-system-info rix,
 /{usr/,}bin/timeout rix,
 /{usr/,}bin/true rix,
 /{usr/,}bin/uname rix,
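Review bot: `/{usr/,}bin/lsb_release rPx -> lsb_release,` is appended after the `/{usr/,}lib{32,64}/ld-linux.so*` rule rather than with the `/{usr/,}bin/` entries it belongs to, and unlike the `rix` rules around it this is a hard transition: with no `U` fallback, the exec is denied outright on any host where the `lsb_release` profile is not loaded. Moving the line into the `bin` list and adding `# transitions to the lsb_release profile; exec fails if it is not loaded` would make both the placement and the dependency visible to the next reader. The steam profile body continues outside the hunk.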
@@ -79,8 +80,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-adverb rix,
 /{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix,
- /{usr/,}lib/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
 /{usr/,}lib/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix,
+ /{usr/,}lib/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
+ /{usr/,}libexec/steam-runtime-tools*/* mrix,
 @{steamruntime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
 @{steamruntime}/pressure-vessel/bin/pressure-vessel-wrap rix,
@@ -160,6 +162,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk,
 owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
+ @{run}/host/ r,
+ @{run}/host/container-manager r,
 @{run}/host/fonts/{,**} r,
 @{run}/host/share/{,**} r,
 @{run}/host/usr/{,**} r,
@@ -226,6 +230,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 /dev/hidraw[0-9]* rw,
 /dev/input/ r,
+ /dev/uinput rw,
 /dev/tty rw,
 deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which
index 32635f41..312a45e4 100644
--- a/apparmor.d/profiles-s-z/which
+++ b/apparmor.d/profiles-s-z/which
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/which{.debianutils,}
 profile which @{exec_path} flags=(complain) {
 include
+ include
 @{exec_path} mr,
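Review bot: The new `/{usr/,}libexec/steam-runtime-tools*/* mrix,` uses the glob `steam-runtime-tools*` while the line just above keeps `steam-runtime-tools-*`, so the two rules match different directory names, and the new one grants `m` plus inherited exec over every file in any matching directory instead of the single `*-detect-platform` helper the earlier rule names. If the versioned directory is the intent, `/{usr/,}libexec/steam-runtime-tools-*/* mrix,` keeps the pair consistent; if only a particular helper needs `m`, naming it rather than `*` narrows what a game can map executable inside its confinement. The steam-game profile body continues outside the hunk.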
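Review bot: `/dev/uinput rw,` lets any process confined by steam-game create virtual input devices and inject arbitrary keyboard and mouse events into the session, a notable widening for a profile that confines third-party game binaries, and the hunk gives no reason for it. If this is for Steam Input's virtual controllers, the rule deserves a trailing comment such as `/dev/uinput rw, # Steam Input virtual gamepads; allows synthesizing input events`, and it is worth checking whether the client rather than the game process is the one that actually opens the device, so the access can live in the narrower place. The steam-game profile body continues outside the hunk.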