From 86ac65eb5c2a7da368c3cc5d9ebd6dbc9e1963b3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 1 May 2021 21:22:23 +0100
Subject: [PATCH] Update profiles.

---
 apparmor.d/groups/glib/glib-pacrunner      | 2 ++
 apparmor.d/groups/gnome/gio-launch-desktop | 4 +++-
 apparmor.d/groups/gnome/gsd-housekeeping   | 1 +
 apparmor.d/groups/gnome/nautilus           | 1 +
 apparmor.d/groups/gvfs/gvfsd               | 2 ++
 apparmor.d/groups/systemd/systemd-hwdb     | 5 +++++
 apparmor.d/profiles-a-l/dkms               | 1 +
 apparmor.d/profiles-a-l/kmod               | 3 +++
 8 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/groups/glib/glib-pacrunner b/apparmor.d/groups/glib/glib-pacrunner
index 866ff6a1..8dd1a0f3 100644
--- a/apparmor.d/groups/glib/glib-pacrunner
+++ b/apparmor.d/groups/glib/glib-pacrunner
@@ -13,6 +13,8 @@ profile glib-pacrunner @{exec_path} {
 
   network inet dgram,
   network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
   network netlink raw,
 
   @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index 3aae1786..85e9f585 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -10,7 +10,7 @@ include <tunables/global>
 @{exec_path}  = /{usr/,}bin/gio
 @{exec_path} += /{usr/,}bin/gio-launch-desktop
 @{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop
-profile gio-launch-desktop @{exec_path} {
+profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
   include <abstractions/consoles>
@@ -34,5 +34,7 @@ profile gio-launch-desktop @{exec_path} {
   # Required by many gio command
   owner @{HOME}/{,**} rw,
 
+  /dev/dri/card[0-9]* rw,
+
   include if exists <local/gio-launch-desktop>
 }
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index dce09a26..6c119e60 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -12,6 +12,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
   include <abstractions/thumbnails-cache-read>
 
   signal (receive) set=(term, hup) peer=gdm*,
+  signal (receive) set=(term, hup) peer=gnome*,
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index eb92eab0..193e6262 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -34,6 +34,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   deny /opt rw,
   deny /root rw,
   deny /tmp/.* rw,
+  deny /tmp/.*/ rw,
 
   include <abstractions/dconf>
   owner @{run}/user/@{uid}/dconf/ rw,
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index 312c26f0..b4c47177 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+#               2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -22,6 +23,7 @@ profile gvfsd @{exec_path} {
   /usr/share/gvfs/{,**} r,
 
   owner @{run}/user/@{uid}/gvfs/ rw,
+  owner @{run}/user/@{uid}/gvfsd/ rw,
 
   owner @{PROC}/@{pid}/fd/ r,
 
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index e5a2833b..06901e6d 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -12,6 +12,11 @@ profile systemd-hwdb @{exec_path} {
 
   @{exec_path} mr,
 
+  /usr/lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
+  /usr/lib/udev/hwdb.bin w,
+
+  /etc/udev/hwdb.d/{,*} r,
+
   owner @{PROC}/@{pid}/stat r,
 
   include if exists <local/systemd-hwdb>
diff --git a/apparmor.d/profiles-a-l/dkms b/apparmor.d/profiles-a-l/dkms
index f5707f9f..4d33a625 100644
--- a/apparmor.d/profiles-a-l/dkms
+++ b/apparmor.d/profiles-a-l/dkms
@@ -56,6 +56,7 @@ profile dkms @{exec_path} {
   /{usr/,}lib/linux-kbuild-*/scripts/** rix,
   /{usr/,}lib/modules/*/build/scripts/** rix,
   /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
+  /{usr/,}lib/modules/*/build/tools/objtool/objtool rix,
 
   / r,
   /{usr/,}lib/modules/*/updates/ rw,
diff --git a/apparmor.d/profiles-a-l/kmod b/apparmor.d/profiles-a-l/kmod
index 7592542c..a0dcb19b 100644
--- a/apparmor.d/profiles-a-l/kmod
+++ b/apparmor.d/profiles-a-l/kmod
@@ -26,6 +26,9 @@ profile kmod @{exec_path} {
   # than to standard error.
   capability syslog,
 
+  unix (receive) type=stream peer=(label=depmod),
+  unix (receive) type=stream peer=(label=modprobe),
+
   @{exec_path} mr,
 
   /{usr/,}lib/modprobe.d/{,*.conf} r,