From 749859920eeb59dc46882a36f387a22058d9a0f0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Wed, 21 Apr 2021 21:57:17 +0100
Subject: [PATCH] Some fixes.

---
 apparmor.d/profiles-a-l/aa-notify           |  4 +++-
 apparmor.d/profiles-a-l/dkms                | 13 +++++++++----
 apparmor.d/profiles-m-z/polkit-agent-helper |  1 +
 apparmor.d/profiles-m-z/virt-manager        |  7 +++++--
 4 files changed, 18 insertions(+), 7 deletions(-)

diff --git a/apparmor.d/profiles-a-l/aa-notify b/apparmor.d/profiles-a-l/aa-notify
index 0c4d127b..e11bdd83 100644
--- a/apparmor.d/profiles-a-l/aa-notify
+++ b/apparmor.d/profiles-a-l/aa-notify
@@ -9,8 +9,8 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/aa-notify
 profile aa-notify @{exec_path} {
   include <abstractions/base>
-  include <abstractions/python>
   include <abstractions/nameservice-strict>
+  include <abstractions/python>
 
   capability sys_ptrace,
 
@@ -18,6 +18,8 @@ profile aa-notify @{exec_path} {
 
   @{exec_path} mr,
 
+  /{usr/,}/bin/ r,
+
   /etc/apparmor/*.conf r,
   /etc/inputrc r,
 
diff --git a/apparmor.d/profiles-a-l/dkms b/apparmor.d/profiles-a-l/dkms
index a166ee29..f5707f9f 100644
--- a/apparmor.d/profiles-a-l/dkms
+++ b/apparmor.d/profiles-a-l/dkms
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+#               2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -11,6 +12,11 @@ profile dkms @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
+  capability dac_read_search,
+  capability mknod,
+  capability setgid,
+  capability setuid,
+
   @{exec_path} r,
   /{usr/,}bin/{,ba,da}sh rix,
 
@@ -48,15 +54,14 @@ profile dkms @{exec_path} {
   /{usr/,}bin/lsb_release rPx -> child-lsb_release,
 
   /{usr/,}lib/linux-kbuild-*/scripts/** rix,
-  capability setuid,
-  capability setgid,
-  /proc/sys/kernel/osrelease r,
+  /{usr/,}lib/modules/*/build/scripts/** rix,
   /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
 
   / r,
   /{usr/,}lib/modules/*/updates/ rw,
   /{usr/,}lib/modules/*/updates/dkms/ rw,
   /{usr/,}lib/modules/*/updates/dkms/*.ko rw,
+  /{usr/,}lib/modules/*/kernel/drivers/{,**.ko.xz} rw,
 
   /var/lib/dkms/ r,
   /var/lib/dkms/** rw,
@@ -84,7 +89,7 @@ profile dkms @{exec_path} {
   owner /tmp/* rw,
 
   owner @{PROC}/@{pid}/fd/ r,
-
+        @{PROC}/sys/kernel/osrelease r,
 
   profile kmod {
     include <abstractions/base>
diff --git a/apparmor.d/profiles-m-z/polkit-agent-helper b/apparmor.d/profiles-m-z/polkit-agent-helper
index b8259ed5..35812d4f 100644
--- a/apparmor.d/profiles-m-z/polkit-agent-helper
+++ b/apparmor.d/profiles-m-z/polkit-agent-helper
@@ -16,6 +16,7 @@ profile polkit-agent-helper @{exec_path} {
   include <abstractions/deny-root-dir-access>
 
   signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
+  signal (receive) set=(term, kill) peer=gnome-shell,
   signal (receive) set=(term, kill) peer=pkexec,
 
   capability setgid,
diff --git a/apparmor.d/profiles-m-z/virt-manager b/apparmor.d/profiles-m-z/virt-manager
index b2890035..bc74550b 100644
--- a/apparmor.d/profiles-m-z/virt-manager
+++ b/apparmor.d/profiles-m-z/virt-manager
@@ -27,7 +27,6 @@ profile virt-manager @{exec_path} {
   include <abstractions/python>
   include <abstractions/devices-usb>
   include <abstractions/gstreamer>
-  include <abstractions/deny-dconf>
 
   network inet stream,
   network inet6 stream,
@@ -91,7 +90,11 @@ profile virt-manager @{exec_path} {
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
-  # Silecne the noise
+  include <abstractions/dconf>
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+
+  # Silence the noise
   deny /usr/share/virt-manager/{,**} w,
 
   include if exists <local/virt-manager>