From 675a754d194e67b7bdd2ffe10cc1ba373e3e79c1 Mon Sep 17 00:00:00 2001
From: remph
Date: Fri, 3 Jan 2025 06:41:22 +0000
Subject: [PATCH] Various fixes

* nvidia-strict: nvidia libraries get argv from /proc/self
* iwd:
  * sends lots of UDP on packet sockets
  * writes to accept_ra and optimistic_dad
  * DNS daemons other than systemd-resolvd may require iwd to use resolvconf
* lynx: now handles brotli'd HTML as well as gzipped
---
 apparmor.d/abstractions/nvidia-strict | 3 ++-
 apparmor.d/groups/network/iwd         | 6 ++++++
 apparmor.d/profiles-g-l/lynx          | 3 +--
 3 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict
index 6069ddd9..470db0a0 100644
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
@@ -26,7 +26,8 @@
   @{PROC}/sys/vm/max_map_count r,
   @{PROC}/sys/vm/mmap_min_addr r,
   @{PROC}/modules r,
-  owner @{PROC}/@{pid}/comm r,
+  owner @{PROC}/@{pid}/{,task/*/}comm r,
+  owner @{PROC}/@{pid}/cmdline r,
 
   /dev/char/195:@{int} w, # Nvidia graphics devices
   /dev/nvidia-modeset rw,
diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd
index 50827e77..bd88ad68 100644
--- a/apparmor.d/groups/network/iwd
+++ b/apparmor.d/groups/network/iwd
@@ -21,8 +21,10 @@ profile iwd @{exec_path} {
   network netlink raw,
   network netlink dgram,
   network alg seqpacket,
+  network packet dgram,
 
   @{exec_path} mr,
+  @{bin}/resolvconf rPx,
 
   /etc/iwd/{,**} r,
   /var/lib/iwd/{,**} rw,
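Review bot: The added `owner @{PROC}/@{pid}/cmdline r,` line has no comment, and because `@{pid}` is not restricted to the calling process, the rule lets every confined process that includes this abstraction read the command line of any same-user process, not only its own argv as the commit message describes; AppArmor offers no self-only form, so that breadth should be stated where the rule lives. Suggest `# nvidia libraries read their own argv via /proc/self/cmdline; @{pid} cannot be narrowed to self` above it, and a short note on the widened `{,task/*/}comm` line that it now also covers per-thread comm entries.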
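Review bot: `@{bin}/resolvconf rPx,` transitions into a dedicated resolvconf profile, so on a system where no such profile is loaded the exec is denied rather than falling back to the parent profile; the commit message says resolvconf is only needed with some DNS daemons, so either confirm the profile ships in this tree or record the dependency with a comment next to the rule. `network packet dgram,` also deserves a one-line comment, since packet sockets grant layer-2 access and a reader should not need the commit message to learn why iwd has them; `# iwd sends UDP over packet sockets` would do. The profile body continues outside this hunk.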
@@ -33,9 +35,13 @@ profile iwd @{exec_path} {
   @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/arp_* rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/drop_* rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/ndisc_* rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/accept_ra rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/optimistic_dad rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlp*/arp_* rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlp*/ndisc_* rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlp*/accept_ra rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlp*/optimistic_dad rw,
 
   /dev/rfkill rw,
 
diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx
index 0fce66a9..a9613e7c 100644
--- a/apparmor.d/profiles-g-l/lynx
+++ b/apparmor.d/profiles-g-l/lynx
@@ -33,8 +33,7 @@ profile lynx @{exec_path} {
   /etc/mailcap r,
   /etc/mime.types r,
 
-  owner @{tmp}/lynxXXXX*/ rw,
-  owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw,
+  owner @{tmp}/lynxXXXX*/{,**} rw,
 
   include if exists
 }
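Review bot: The four added sysctl lines repeat the same two entries once per interface pattern, which is the shape the existing `arp_*`/`drop_*`/`ndisc_*` lines already have but need not be extended; an alternation keeps each interface pattern to one new line, `@{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/{accept_ra,optimistic_dad} rw,` and `@{PROC}/sys/net/ipv{4,6}/conf/wlp*/{accept_ra,optimistic_dad} rw,`. Since writing `accept_ra` changes whether the host honours IPv6 router advertisements on that interface, a short comment stating that iwd toggles it as part of its own address configuration would help the next reader; the commit message only says that iwd writes these files. The profile body continues outside this hunk.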
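Review bot: `owner @{tmp}/lynxXXXX*/{,**} rw,` replaces two file-specific rules with read-write access to everything under the temp directory, including any subdirectory created there, while the commit message only calls for a brotli variant of the existing HTML temp file. If that is all lynx needs, the old shape stays narrower: `owner @{tmp}/lynxXXXX*/ rw,` and `owner @{tmp}/lynxXXXX*/*TMP.html{,.gz,.br} rw,`. Separately, the `include if exists` context line appears to have lost its bracketed target in this rendering, so check that the hunk applies cleanly against the file.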