From 79ab7e3eecabe4b47a4034f079cfe4c2d6862346 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 15 Sep 2021 20:40:47 +0100
Subject: [PATCH] Update profiles.
---
 apparmor.d/groups/gnome/gnome-shell | 6 ++++--
 apparmor.d/groups/gpg/dirmngr | 2 +-
 apparmor.d/groups/pacman/pacman | 2 +-
 apparmor.d/groups/pacman/pacman-hook-dkms | 2 ++
 apparmor.d/groups/systemd/systemd-logind | 2 +-
 apparmor.d/profiles-a-f/dkms | 2 +-
 apparmor.d/profiles-s-z/xdg-dbus-proxy | 2 ++
 apparmor.d/tunables/extend | 2 +-
 profiles.flags | 6 +-----
 9 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 123a5033..b873a9fe 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -80,10 +80,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/gnome-shell/{,**} rw,
 owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
+ owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
+ owner @{user_cache_dirs}/gnome-photos/{,**} r,
+ owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
 owner @{user_cache_dirs}/libgweather/{,**} r,
 owner @{user_cache_dirs}/media-art/{,**} r,
- owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
- owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
 include
 owner @{run}/user/@{uid}/dconf/ rw,
@@ -113,6 +114,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+sound:card* r, # for sound
 @{run}/udev/data/+usb* r, # for USB mouse and keyboard
 @{run}/udev/data/+i2c:* r,
+ @{run}/udev/data/+hid* r, # for HID-Compliant Keyboard
 @{run}/udev/data/c10:[0-9]* r,
 @{run}/udev/data/c13:[0-9]* r, # for /dev/input/*
 @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr
index 1f8e7b29..0a521bb3 100644
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@@ -31,7 +31,7 @@ profile dirmngr @{exec_path} {
 owner @{run}/user/@{uid}/gnupg/ rw,
 owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
- @{run}/user/@{uid}/d.*/S.dirmngr rw,
+ owner @{run}/user/@{uid}/gnupg/d.*/S.dirmngr rw,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 87302762..0afc9e2f 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -42,7 +42,6 @@ profile pacman @{exec_path} {
 /{usr/,}bin/gpgconf rCx -> gpg,
 /{usr/,}bin/gpgsm rCx -> gpg,
- # Pacman hooks & install scripts
 /{usr/,}{s,}bin/ldconfig rix,
 /{usr/,}bin/{,ba}sh rix,
@@ -50,6 +49,7 @@ profile pacman @{exec_path} {
 /{usr/,}bin/env rix,
 /{usr/,}bin/rm rix,
 /{usr/,}bin/vercmp rix,
+ /{usr/,}bin/xmlcatalog rix,
 /{usr/,}lib/ghc-*/bin/ghc-pkg rix,
 /{usr/,}bin/arch-audit rPx,
 /{usr/,}bin/bootctl rPx,
diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms
index 8c7f0beb..0fbbb5ab 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@@ -12,6 +12,8 @@ profile pacman-hook-dkms @{exec_path} {
 capability dac_read_search,
+ unix (receive) type=stream,
+ @{exec_path} mr,
 /{usr/,}bin/bash rix,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 3552776a..31ec8b5a 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -52,7 +52,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
 @{run}/systemd/seats/ rw,
 @{run}/systemd/seats/.#seat* rw,
 @{run}/systemd/seats/seat[0-9]* rw,
- @{run}/systemd/inhibit/ r,
+ @{run}/systemd/inhibit/ rw,
 @{run}/systemd/inhibit/[0-9]*{,.ref} rw,
 @{run}/systemd/inhibit/.#* rw,
 @{run}/systemd/sessions/ rw,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 8f4526b1..62907013 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
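Review bot: The new `unix (receive) type=stream,` rule in pacman-hook-dkms carries no `peer=` qualifier, so it accepts stream-socket traffic from any labelled peer rather than only from the process that launches the hook. If the socket is inherited from pacman, which the profile name suggests but the hunk does not show, `unix (receive) type=stream peer=(label=pacman),` would keep the grant to that parent; the audit entry that motivated the rule should confirm the peer before it is narrowed. The profile body continues outside the hunk.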
@@ -65,7 +65,7 @@ profile dkms @{exec_path} {
 /{usr/,}lib/modules/*/updates/ rw,
 /{usr/,}lib/modules/*/updates/dkms/ rw,
 /{usr/,}lib/modules/*/updates/dkms/*.ko rw,
- /{usr/,}lib/modules/*/kernel/drivers/{,*,*/,**.ko.xz} rw,
+ /{usr/,}lib/modules/*/kernel/drivers/{,*,*/,**.ko.xz,**.ko.zst} rw,
 /var/lib/dkms/ r,
 /var/lib/dkms/** rw,
diff --git a/apparmor.d/profiles-s-z/xdg-dbus-proxy b/apparmor.d/profiles-s-z/xdg-dbus-proxy
index 9632d12a..c5e80ef9 100644
--- a/apparmor.d/profiles-s-z/xdg-dbus-proxy
+++ b/apparmor.d/profiles-s-z/xdg-dbus-proxy
@@ -15,6 +15,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) {
 owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
 owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
+ @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
+ /dev/dri/card[0-9]* rw,
 include if exists
diff --git a/apparmor.d/tunables/extend b/apparmor.d/tunables/extend
index 26fcbe44..5383b711 100644
--- a/apparmor.d/tunables/extend
+++ b/apparmor.d/tunables/extend
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Extended systemd directories definition
+# Extended system directories definition
 # Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
diff --git a/profiles.flags b/profiles.flags
index 976a0e61..1495a1b8 100644
--- a/profiles.flags
+++ b/profiles.flags
@@ -12,7 +12,7 @@ bootctl complain
 borg complain
 cfdisk complain
 cgdisk complain
-chrome-gnome-shell complain
+
 dbus-daemon-launch-helper complain
 dbus-run-session complain
 dkms complain
@@ -40,7 +40,6 @@ glib-genmarshal complain
 glib-gettextize complain
 glib-mkenums complain
 gnome-calculator-search-provider complain
-gnome-calendar complain
 gnome-contacts complain
 gnome-contacts-search-provider complain
 gnome-control-center attach_disconnected,complain
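Review bot: The rewritten dkms rule covers `**.ko.xz` and `**.ko.zst` but not an uncompressed `**.ko` below the first directory level, since the `*` alternative only matches entries directly under drivers/; a kernel built without module compression would still be denied there. If that configuration is meant to be supported, add `**.ko` to the brace, otherwise a trailing comment stating that the rule assumes compressed modules would spare the next reader the same question. The dkms profile body continues outside the hunk.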
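Review bot: Read/write on `/dev/dri/card[0-9]*` is an unexpected grant for a D-Bus proxy; the profile is in complain mode, so the rule was presumably lifted from a logged denial, and it is worth confirming the access comes from xdg-dbus-proxy itself rather than a program it was started alongside before keeping it, ideally with a trailing comment naming the use case as the gnome-shell udev rules in this patch do. Separately, `thermal_zone[0-9]` and `hwmon[0-9]` match only a single digit, unlike `card[0-9]*` on the next line; `@{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/temp* r,` follows the same convention. The xdg-dbus-proxy profile body continues outside the hunk.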
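Review bot: The `+` line that replaces `-chrome-gnome-shell complain` in the first profiles.flags hunk carries no entry, so the hunk appears to leave an empty or whitespace-only line in the list, whereas the other removals in this file (gnome-calendar here, and htop, ibus-daemon and obexd in the later hunks) delete the line outright; dropping that `+` line keeps the file consistent. Removing an entry presumably takes the named profile out of complain mode, which is a behaviour change for five profiles that the commit title "Update profiles." does not mention; a sentence in the commit message naming them would help anyone bisecting a new denial.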
@@ -73,8 +72,6 @@ gsd-screensaver-proxy attach_disconnected,complain
 gtk-query-immodules complain
 gvfsd-dav complain
 hostnamectl complain
-htop complain
-ibus-daemon attach_disconnected,complain
 install-info complain
 kernel-install complain
 kmod complain
@@ -92,7 +89,6 @@ ntfs-3g-probe complain
 obex-folder-listing complain
 obexautofs complain
 obexctl complain
-obexd complain
 obexfs complain
 obexpush-atd complain
 obexpushd complain