From 6911ca7c13251111536e299ae76ec17452c55569 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Thu, 23 Feb 2023 16:32:39 +0100
Subject: [PATCH] General update
Signed-off-by: Jeroen Rijken
---
 apparmor.d/groups/apt/apt | 1 +
 apparmor.d/groups/apt/apt-methods-gpgv | 9 +++++++++
 apparmor.d/groups/apt/apt-methods-http | 3 ++-
 apparmor.d/groups/freedesktop/pulseaudio | 7 ++++++-
 apparmor.d/groups/virt/containerd | 3 ++-
 apparmor.d/groups/virt/k3s | 2 +-
 apparmor.d/profiles-m-r/run-parts | 1 +
 7 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 7a86245b..80de7a69 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -70,6 +70,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/gdbus rix,
 /{usr/,}bin/id rix,
 /{usr/,}bin/ischroot rix,
+ /{usr/,}bin/systemctl rix,
 /{usr/,}bin/test rix,
 /{usr/,}bin/touch rix,
diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv
index cefb8e4d..a33c3c2a 100644
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@@ -84,6 +84,15 @@ profile apt-methods-gpgv @{exec_path} {
 owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
 owner /tmp/apt.{conf,sig,data}.* rw,
+ /var/lib/apt/lists/{,**} r,
+ owner {/var/lib/ubuntu-advantage/apt-esm,}/var/lib/apt/lists/* rw,
+ owner /var/lib/apt/lists/partial/* rw,
+
+ /usr/share/dpkg/cputable r,
+ /usr/share/dpkg/tupletable r,
+
+ /var/lib/dpkg/arch r,
+
 @{PROC}/@{pid}/fd/ r,
 # file_inherit
diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http
index c4c19a59..f202581a 100644
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
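Review bot: `/{usr/,}bin/systemctl rix,` runs systemctl inside the apt profile, so every D-Bus call and socket access systemctl makes towards systemd is mediated against apt's rules instead of a profile written for systemctl, and any resulting denial will be logged against apt. If this repository ships a dedicated systemctl profile, as it does for most system tools, a `rPx` transition (or `rCx` into a child profile) keeps that surface out of apt and makes future denials attributable. The hunk also gives no hint of why apt needs systemctl; a comment such as `# systemctl is invoked from apt's DPkg::Post-Invoke hooks — confirm` (or the actual trigger) would help the next reviewer. The apt profile body continues outside this hunk.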
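Review bot: `owner {/var/lib/ubuntu-advantage/apt-esm,}/var/lib/apt/lists/* rw,` gives the signature-verification method write access to the final, already-verified index files rather than only to `partial/`; the gpgv method parses mirror-supplied InRelease data, and a bug exploited there could then rewrite the lists apt trusts, which is precisely the separation the per-method profiles are meant to provide. Unless the audit log showed writes outside `partial/`, the non-partial paths should stay read-only: keep `/var/lib/apt/lists/{,**} r,` and `owner /var/lib/apt/lists/partial/* rw,` and drop the `rw` on the flat `lists/*` glob (the `apt-esm` prefix also gets no `partial/` counterpart, which looks inconsistent). A short comment stating what the gpgv method actually writes — presumably the extracted clear-signed message into `partial/` — would anchor whichever rule remains.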
@@ -54,8 +54,9 @@ profile apt-methods-http @{exec_path} { /var/log/cron-apt/temp w, /var/lib/apt/lists/{,**} r, - owner /var/lib/apt/lists/* rw, + owner {/var/lib/ubuntu-advantage/apt-esm,}/var/lib/apt/lists/* rw, owner /var/lib/apt/lists/partial/* rw, + owner /var/lib/apt/lists/{,**} rw, # For package building @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index d32be3ca..787bd6fa 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -42,7 +42,7 @@ profile pulseaudio @{exec_path} { dbus receive bus=system path=/Client0/EntryGroup[0-9]* interface=org.freedesktop.Avahi.EntryGroup - member=StateChanged + member={AddService,AddServiceSubtype,Commit,GetState,StateChanged} peer=(name=org.freedesktop.Avahi), dbus send bus=session path=/org/freedesktop/DBus @@ -108,6 +108,11 @@ profile pulseaudio @{exec_path} { member=Get peer=(name=/org/freedesktop/hostname[0-9]), + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.freedesktop.hostname[0-9]) + @{exec_path} mrix, @{libexec}/pulse/gsettings-helper mrix, diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 112383cf..e2e193fa 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -88,7 +88,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { owner /var/tmp/** rwkl, owner /tmp/** rwkl, /tmp/cri-containerd.apparmor.d[0-9]* rwl, - /tmp/ctd-volume[0-9]*/{data/,} rw, + /tmp/ctd-volume[0-9]*/{,**} rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, 
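Review bot: the new `owner /var/lib/apt/lists/{,**} rw,` on the last added line already covers both `owner {/var/lib/ubuntu-advantage/apt-esm,}/var/lib/apt/lists/* rw,` and `owner /var/lib/apt/lists/partial/* rw,` above it, so the hunk leaves three overlapping write rules and a reader cannot tell which one was needed; keep either the two specific rules or the recursive one. If the recursive glob is the one that is required, note that it also matches the `lists/` directory itself and arbitrarily nested paths, which is wider than the flat list files plus `partial/` need, and the `{/var/lib/ubuntu-advantage/apt-esm,}` alternation then only matters for the ESM prefix. The profile body continues outside the hunk.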
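Review bot: `member={AddService,AddServiceSubtype,Commit,GetState,StateChanged}` is placed on a `dbus receive` rule, but AddService, AddServiceSubtype, Commit and GetState are, as far as I know, method calls PulseAudio's zeroconf module makes on the Avahi EntryGroup object, which AppArmor mediates as `dbus send` (the replies need no receive rule, they are allowed implicitly); only StateChanged is a signal PulseAudio receives. Unless the audit log really reported `receive` for these members, the widening belongs on a `dbus send bus=system path=/Client0/EntryGroup[0-9]* interface=org.freedesktop.Avahi.EntryGroup member={AddService,AddServiceSubtype,Commit,GetState} peer=(name=org.freedesktop.Avahi),` rule, and the receive rule should stay at `member=StateChanged`. As written the rule authorises Avahi-originated calls PulseAudio never expects and may not clear the original denial.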
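Review bot: the added `dbus send bus=system path=/org/freedesktop/hostname[0-9] ... peer=(name=org.freedesktop.hostname[0-9])` has no terminating comma — every AppArmor rule must end with `,`, so apparmor_parser rejects the whole pulseaudio profile and PulseAudio runs unconfined until this is fixed; the last line should read `peer=(name=org.freedesktop.hostname[0-9]),`. The existing rule just above it in the context uses `peer=(name=/org/freedesktop/hostname[0-9])`, an object path where a bus name is expected, which can never match; the new rule looks like its corrected replacement, so that line should be removed rather than left beside it. A `sudo apparmor_parser -Q` run on the file before committing would have caught the syntax error.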
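Review bot: `/tmp/ctd-volume[0-9]*/{,**} rw,` has no `owner` qualifier while the neighbouring `owner /tmp/** rwkl,` already grants everything containerd itself owns under /tmp, so the only thing this line adds is read/write on files under the volume scratch directories owned by other uids — presumably content a container wrote as a non-root user. That intent should be written down, e.g. `# ctd-volume scratch dirs hold files created by container uids — confirm` above the rule, and if containerd also unlinks or renames such files the missing `l`/`k` here will resurface as the next denial. The move from `{data/,}` to `{,**}` also drops the old restriction to the `data/` subtree; if that was deliberate a word in the commit message would help.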
@@ -96,6 +96,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pid}/task/@{tid}/ns/net rw,
 owner @{PROC}/@{pids}/attr/current r,
+ owner @{PROC}/@{pids}/cgroup r,
 owner @{PROC}/@{pids}/uid_map r,
 owner @{PROC}/@{pids}/mountinfo r,
 @{PROC}/sys/net/core/somaxconn r,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index 09ee2295..7e4e2803 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}{local/,}bin/k3s
-profile k3s @{exec_path} {
+profile k3s @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 0a5e940a..1f66cdc6 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -145,6 +145,7 @@ profile run-parts @{exec_path} {
 /var/cache/motd-news r,
 /var/lib/update-notifier/updates-available r,
+ /var/lib/ubuntu-advantage/messages/motd-esm-announce r,
 @{run}/motd.d/{,*} r,
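Review bot: `flags=(attach_disconnected)` changes how every path rule in the k3s profile matches, not just one access: files whose path is disconnected from the profile's namespace root (bind mounts, unmounted trees, files opened inside container mount namespaces) are now matched as if they lived at the same path on the host, so any broad rule in the body such as `/** r` silently applies to container filesystems as well. That is commonly needed for a container runtime, but the reason belongs in the profile, e.g. `# attach_disconnected: k3s opens files from container mount namespaces that are disconnected from /` — confirm it against the denial that motivated the flag. The profile body, where those path rules live, is outside this hunk.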