Update profile from #25.

apparmor.d/abstractions/disks-write

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
   abi <abi/3.0>,
@@ -43,6 +44,11 @@
   @{sys}/devices/virtual/block/zram[0-9]*/ r,
   @{sys}/devices/virtual/block/zram[0-9]*/** r,
 
+  # Floppy disks
+  /dev/fd[0-9]* rwk,
+  @{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/ r,
+  @{sys}/devices/platform/floppy.[0-9]*/block/fd[0-9]/** r,
+
   # CD-ROM
   /dev/sr[0-9]* rwk,
 
@@ -78,6 +84,7 @@
   @{run}/udev/data/b11:[0-9]*  r, # for /dev/sr*
   @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*
   @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b2:[0-9]*   r, # for /dev/fd*
 
   @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
 

apparmor.d/groups/bus/dbus-daemon

@@ -17,9 +17,11 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   capability setuid,
   capability sys_resource,
 
-  signal (receive) set=(term hup kill) peer=gdm*,
   signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,
+  signal (receive) set=(term hup kill) peer=dbus-run-session,
+  signal (receive) set=(term hup kill) peer=gdm*,
   signal (send)    set=(term hup kill) peer=at-spi-bus-launcher,
+  signal (send)    set=(term hup kill) peer=dconf-service,
   signal (send)    set=(term hup kill) peer=xdg-permission-store,
 
   network netlink raw,
@@ -38,6 +40,8 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
 
   /etc/dbus-1/{,**} r,
+  /etc/machine-id r,
+
   /usr/share/dbus-1/{,**} r,
   /usr/share/defaults/**.conf r,
 

apparmor.d/groups/desktop/accounts-daemon

@@ -30,8 +30,9 @@ profile accounts-daemon @{exec_path} {
   /usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
 
   /etc/gdm/custom.conf r,
-  /etc/shells r,
+  /etc/machine-id r,
   /etc/shadow r,
+  /etc/shells r,
 
   @{PROC}/sys/kernel/osrelease r,
   @{PROC}/1/environ r,

apparmor.d/groups/desktop/dconf-service

@@ -13,6 +13,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
   # Needed?
   deny capability sys_nice,
 
+  signal (receive) set=(term kill hup) peer=dbus-daemon,
   signal (receive) set=(term hup) peer=gdm*,
 
   @{exec_path} mr,

apparmor.d/groups/gnome/gdm

@@ -47,6 +47,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/devices/virtual/tty/tty[0-9]*/active r,
 
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pid}/cgroup r,
         @{PROC}/1/environ r,

apparmor.d/groups/gnome/gdm-session-worker

@@ -32,7 +32,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   signal (send) set=hup peer=gsd-*,
   signal (send) set=hup peer=ibus-*,
   signal (send) set=hup peer=xwayland,
-  signal (send) set=term peer=gdm-wayland-session,
+  signal (send) set=term peer=gdm-*-session,
 
   network netlink raw,
 
@@ -43,13 +43,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/gdm-x-session          rPx,
   /etc/gdm/{Pre,Post}Session/Default rix,
 
-  /etc/motd r,
-  /etc/motd.d/ r,
-  /etc/shells r,
-  /etc/locale.conf r,
   /etc/environment r,
   /etc/gdm/custom.conf r,
+  /etc/locale.conf r,
+  /etc/machine-id r,
+  /etc/motd r,
+  /etc/motd.d/ r,
   /etc/security/limits.d/{,*.conf} r,
+  /etc/shells r,
 
   /usr/share/gdm/gdm.schemas r,
   /usr/share/wayland-sessions/*.desktop r,

apparmor.d/groups/gnome/gdm-x-session

@@ -10,6 +10,9 @@ include <tunables/global>
 profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
+  signal (receive) set=term peer=gdm*,
+  signal (send) set=term peer=unconfined,
+
   @{exec_path} mr,
 
   /{usr/,}bin/Xorg              rUx,
@@ -18,7 +21,9 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) {
 
   /etc/gdm/custom.conf r,
   /usr/share/gdm/gdm.schemas r,
+
   /var/lib/gdm/.cache/gdm/Xauthority rw,
+  /var/lib/gdm/.cache/gdm/ rw,
   
   owner @{run}/user/@{uid}/gdm/ w,
   owner @{run}/user/@{uid}/gdm/Xauthority rw,

apparmor.d/groups/gnome/gnome-session-binary

@@ -21,6 +21,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 
   /{usr/,}bin/{,z,ba,da}sh                                 rix,
   /{usr/,}bin/env                                          rix,
+  /{usr/,}bin/grep                                         rix,
+  /{usr/,}bin/mkdir                                        rix,
+  /{usr/,}bin/touch                                        rix,
+  /{usr/,}bin/gsettings                                    rix,
   /{usr/,}bin/xdg-user-dirs-gtk-update                     rix,
   /{usr/,}lib/gnome-session-check-accelerated              rix,
   /{usr/,}lib/gnome-session-check-accelerated-gl-helper    rix,
@@ -42,14 +46,17 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   /usr/share/applications/org.gnome.Shell.desktop r,
   /usr/share/gdm/greeter-dconf-defaults r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/glvnd/egl_vendor.d/ r,
   /usr/share/gnome-session/hardware-compatibility r,
   /usr/share/gnome-session/sessions/*.session r,
   /usr/share/icons/{,**} r,
   /usr/share/X11/xkb/{,**} r,
 
+  /var/lib/gdm/.cache/mesa_shader_cache/index rw,
   /var/lib/gdm/.config/gnome-session/ rw,
   /var/lib/gdm/.config/gnome-session/saved-session/ rw,
 
+  owner @{user_config_dirs}/gnome-session/ rw,
   owner @{user_config_dirs}/gnome-session/saved-session/ r,
   owner @{user_config_dirs}/gtk-3.0/bookmarks rw,
   owner @{user_config_dirs}/gtk-3.0/bookmarks.[0-9A-Z]* rw,

apparmor.d/groups/gnome/gnome-shell

@@ -63,21 +63,24 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
+  /var/lib/gdm/.config/ibus/ rw,
+  /var/lib/gdm/.config/ibus/bus/ rw,
+  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
   /var/lib/gdm/.config/pulse/ r,
   /var/lib/gdm/.config/pulse/client.conf r,
   /var/lib/gdm/.config/pulse/cookie rw,
-  /var/lib/gdm/.local/share/gnome-shell/ rw,
   /var/lib/gdm/.local/share/applications/{,**} r,
+  /var/lib/gdm/.local/share/gnome-shell/ rw,
 
   owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
   owner @{HOME}/@{XDG_MUSIC_DIR}/**/*.jpg r,
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 
   owner @{user_config_dirs}/.goutputstream{,*} rw,
-  owner @{user_config_dirs}/ibus/* r,
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
+  owner @{user_config_dirs}/ibus/ rw,
+  owner @{user_config_dirs}/ibus/bus/ rw,
+  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
   owner @{user_config_dirs}/monitors.xml{,~} rwl,
-  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
 
   owner @{user_share_dirs}/backgrounds/{,**} rw,
   owner @{user_share_dirs}/gnome-shell/{,**} rw,

apparmor.d/groups/gnome/gsd-housekeeping

@@ -23,6 +23,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
   owner @{user_cache_dirs}/thumbnails/{,**} rw,
+  owner @{user_share_dirs}/applications/ rw,
 
   include <abstractions/dconf>
   owner @{run}/user/@{uid}/dconf/ rw,

apparmor.d/groups/gnome/gsd-keyboard

@@ -22,6 +22,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   /usr/share/icons/{,**} r,
   /usr/share/X11/xkb/** r,
 
+  owner @{user_share_dirs}/gnome-settings-daemon/ rw,
+
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
   include <abstractions/dconf>

apparmor.d/groups/gnome/gsd-media-keys

@@ -30,6 +30,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   /usr/share/sounds/freedesktop/stereo/*.oga r,
   /usr/share/X11/xkb/** r,
 
+  owner @{user_config_dirs}/pulse/ rw,
+
   owner @{user_share_dirs}/ r,
   owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
   owner @{user_share_dirs}/recently-used.xbel{,.*} rw,

apparmor.d/groups/gnome/gsd-sound

@@ -19,6 +19,8 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
 
   /var/lib/gdm/.local/share/sounds/ rw,
 
+  owner @{user_share_dirs}/sounds/ rw,
+
   include <abstractions/dconf>
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,

apparmor.d/groups/gnome/gsd-xsettings

@@ -29,6 +29,7 @@ profile gsd-xsettings @{exec_path} {
   /{usr/,}bin/xrdb   rPx,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/gdm/greeter-dconf-defaults r,
 
   /etc/xdg/Xwayland-session.d/ r,
   /etc/xdg/Xwayland-session.d/* rix,

apparmor.d/groups/pacman/mkinitcpio

@@ -36,6 +36,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/ldconfig            rix,
   /{usr/,}bin/ldd                 rix,
   /{usr/,}bin/ln                  rix,
+  /{usr/,}bin/loadkeys            rix,
   /{usr/,}bin/mktemp              rix,
   /{usr/,}bin/readlink            rix,
   /{usr/,}bin/rm                  rix,
@@ -59,10 +60,13 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   /etc/fstab r,
   /etc/lvm/lvm.conf r,
+  /etc/vconsole.conf r,
+  /etc/locale.conf r,
   /etc/mkinitcpio.conf r,
   /etc/mkinitcpio.d/{,**} r,
   /etc/modprobe.d/{,*} r,
 
+  /usr/share/kbd/keymaps/{,**} r,
   /usr/share/terminfo/x/xterm-256color r,
 
   # Can copy any program to the initframs

apparmor.d/groups/pacman/pacman

@@ -52,6 +52,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/dot                         rix,
   /{usr/,}bin/env                         rix,
   /{usr/,}bin/filecap                     rix,
+  /{usr/,}bin/find                        rix,
   /{usr/,}bin/getent                      rix,
   /{usr/,}bin/gettext                     rix,
   /{usr/,}bin/ghc-pkg-*                   rix,
@@ -64,6 +65,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/arch-audit                  rPx,
   /{usr/,}bin/archlinux-java              rPx,
   /{usr/,}bin/bootctl                     rPx,
+  /{usr/,}bin/dconf                       rPx,
   /{usr/,}bin/fc-cache                    rPx,
   /{usr/,}bin/gdk-pixbuf-query-loaders    rPx,
   /{usr/,}bin/glib-compile-schemas        rPx,

apparmor.d/groups/pacman/pacman-hook-fontconfig

@@ -21,6 +21,8 @@ profile pacman-hook-fontconfig @{exec_path} {
   /etc/fonts/conf.d/* rwl,
   /usr/share/fontconfig/conf.default/* r,
 
+  /dev/tty rw,
+
   # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,

apparmor.d/groups/systemd/child-systemctl

@@ -28,6 +28,8 @@ profile child-systemctl flags=(attach_disconnected) {
 
   /{usr/,}bin/systemctl mr,
 
+  /etc/systemd/user/{,**} rwl,
+
   owner @{PROC}/@{pid}/stat r,
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/1/environ r,

apparmor.d/groups/systemd/journalctl

@@ -14,9 +14,10 @@ profile journalctl @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/systemd-common>
 
-  capability sys_resource,
-  capability dac_read_search,
   capability dac_override,
+  capability dac_read_search,
+  capability net_admin,
+  capability sys_resource,
 
   signal (send) peer=child-pager,
 

apparmor.d/groups/systemd/systemd-hostnamed

@@ -28,8 +28,9 @@ profile systemd-hostnamed @{exec_path} {
   @{run}/udev/data/+dmi:id r,
   @{sys}/firmware/dmi/entries/*/raw r,
 
-  /etc/hostname rw,
   /etc/.#hostname* rw,
+  /etc/hostname rw,
+  /etc/machine-info r,
 
   @{run}/udev/data/+dmi:id r,
 

apparmor.d/groups/systemd/systemd-logind

@@ -22,10 +22,11 @@ profile systemd-logind @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
-  /etc/systemd/sleep.conf r,
-  /etc/systemd/logind.conf r,
-  /etc/passwd r,
+  /etc/machine-id r,
   /etc/nsswitch.conf r,
+  /etc/passwd r,
+  /etc/systemd/logind.conf r,
+  /etc/systemd/sleep.conf r,
 
   /boot/{,**} r,
 

apparmor.d/groups/systemd/zram-generator

@@ -16,6 +16,8 @@ profile zram-generator @{exec_path} {
   /{usr/,}lib/systemd/systemd-makefs rPx,
   /{usr/,}bin/systemd-detect-virt rPx,
 
+  /etc/systemd/zram-generator.conf r,
+
   @{sys}/devices/virtual/block/zram[0-9]*/{disksize,reset} rw,
   @{sys}/block/zram[0-9]*/{disksize,reset} rw,
 

apparmor.d/profiles-a-f/auditd

@@ -25,6 +25,8 @@ profile auditd @{exec_path} {
 
   /var/log/audit/{,**} rw,
 
+  /etc/machine-id r,
+
   @{run}/auditd.pid rw,
   @{run}/systemd/userdb/ r,
 

apparmor.d/profiles-a-f/firecfg

@@ -31,6 +31,9 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
   /usr/share/applications/ r,
   /usr/share/applications/*.desktop r,
 
+  @{user_share_dirs}/applications/ r,
+  @{user_share_dirs}/applications/*.desktop r,
+
   /dev/tty rw,
 
   deny /apparmor/.null rw,

apparmor.d/profiles-m-r/mkfs-btrfs

@@ -17,6 +17,8 @@ profile mkfs-btrfs @{exec_path} {
 
   /dev/btrfs-control rw,
 
+  @{run}/blkid/blkid.* rw,
+
   owner @{PROC}/@{pid}/mounts r,
         @{PROC}/swaps r,
 

apparmor.d/profiles-s-z/sudo

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -42,12 +43,12 @@ profile sudo @{exec_path} {
   /{usr/,}{s,}bin/[a-z0-9]*           rPUx,
   /{usr/,}lib/cockpit/cockpit-askpass rPUx,
 
+  /etc/environment r,
+  /etc/machine-id r,
+  /etc/security/limits.d/{,*} r,
   /etc/sudo.conf r,
-
   /etc/sudoers r,
   /etc/sudoers.d/{,*} r,
-  /etc/environment r,
-  /etc/security/limits.d/{,*} r,
 
   /var/log/sudo.log wk,
 

apparmor.d/profiles-s-z/wireplumber

@@ -24,6 +24,7 @@ profile wireplumber @{exec_path} {
   /usr/share/spa-*/bluez[0-9]*/{,*} r,
   /usr/share/wireplumber/{,**} r,
 
+  owner @{HOME}/.local/state/ w,
   owner @{HOME}/.local/state/wireplumber/{,**} rw,
 
   @{run}/systemd/users/@{uid} r,

dists/ignore/main.ignore

@@ -8,3 +8,4 @@ apparmor.d/groups/_full
 apparmor.d/groups/apps
 
 anki
+man