From 8bb5b064d13d016c73007ffa0301730a12a90e68 Mon Sep 17 00:00:00 2001
From: nobody43
Date: Fri, 13 Jan 2023 01:01:08 +0300
Subject: [PATCH] fixes

---
 apparmor.d/profiles-a-f/btop     | 20 +++++++++-----------
 apparmor.d/profiles-m-r/murmurd  | 14 +++++--------
 apparmor.d/profiles-m-r/rustdesk | 28 ++++++++++++----------------
 3 files changed, 26 insertions(+), 36 deletions(-)

diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop
index cd615a7d..a71ec4a6 100644
--- a/apparmor.d/profiles-a-f/btop
+++ b/apparmor.d/profiles-a-f/btop
@@ -8,6 +8,7 @@ include
 @{exec_path} = /{,usr/}{,local/}bin/btop
 profile btop @{exec_path} {
   include
+  include
   include
 
   capability sys_ptrace,
@@ -19,9 +20,6 @@ profile btop @{exec_path} {
 
   @{exec_path} mr,
 
-  /etc/fstab r,
-  /etc/passwd r,
-
   owner @{user_config_dirs}/btop/{,**} rw,
 
   @{sys}/class/power_supply/ r,
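Review bot: The abstraction pulled in by the new `include` line is not legible in this rendering (the angle-bracketed name was stripped), yet the second hunk of this file drops the explicit `/etc/fstab r,` and `/etc/passwd r,` rules, so the profile now relies on that include to keep those two reads working. Please name the abstraction in the commit message, and keep it to the narrowest one that covers exactly these reads rather than one that also grants network or credential-related access. Presumably btop uses fstab for its disk view and passwd to map process owners, so a missing grant would show up as empty columns rather than a crash, which is easy to miss when testing.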
@@ -30,19 +28,19 @@ profile btop @{exec_path} {
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/hwmon[0-9]*/{,*} r,
   @{sys}/devices/platform/coretemp.[0-9]*/hwmon/hwmon[0-9]*/{,*} r,
-  @{sys}/devices/pci*/*/*/host[0-9]*/*/*/block/*/*/stat r,
   @{sys}/devices/virtual/block/dm-[0-9]*/stat r,
-  @{sys}/devices/{pci*,virtual}/{,**/}net/*/statistics/{rx,tx}_bytes r,
-  @{sys}/devices/{pci*,virtual}/{,*/*/}net/*/address r,
-  @{sys}/devices/pci*/*/*/usb3/*/*/*/*/power_supply/hidpp_battery_[0-9]*/{,hwmon[0-9]*/} r,
+  @{sys}/devices/pci[0-9]*/**/host[0-9]*/*/*/block/*/*/stat r,
+  @{sys}/devices/{pci[0-9]*,virtual}/{,**/}net/*/statistics/{rx,tx}_bytes r,
+  @{sys}/devices/{pci[0-9]*,virtual}/{,**/}net/*/address r,
+  @{sys}/devices/pci[0-9]*/*/*/usb[0-9]*/**/power_supply/hidpp_battery_[0-9]*/{,hwmon[0-9]*/} r,
 
   @{PROC} r,
   @{PROC}/loadavg r,
   @{PROC}/uptime r,
-  @{PROC}/@{pid}/comm r,
-  @{PROC}/@{pid}/cmdline r,
-  @{PROC}/@{pid}/stat r,
-  @{PROC}/@{pid}/io r,
+  @{PROC}/@{pids}/comm r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pids}/io r,
   owner @{PROC}/@{pid}/mounts r,
 
   include if exists
diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd
index 5e8b94ac..c096573b 100644
--- a/apparmor.d/profiles-m-r/murmurd
+++ b/apparmor.d/profiles-m-r/murmurd
@@ -22,15 +22,17 @@ profile murmurd @{exec_path} {
   network inet dgram,
   network inet6 dgram,
 
-  @{exec_path} mr,
-
-  /{,usr/}bin/lsb_release Px -> lsb_release,
+  unix (send, receive) type=stream addr=none peer=(label=lsb_release),
 
   dbus send bus=system path=/
        interface=org.freedesktop.DBus.Peer
        member=Ping
        peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
 
+  @{exec_path} mr,
+
+  /{,usr/}bin/lsb_release Px -> lsb_release,
+
   /etc/mumble-server.ini r,
 
   owner /var/lib/mumble-server/{,**} rw,
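Review bot: The switch from `@{pid}` to `@{pids}` on the four `@{PROC}` rules makes the intent explicit (a process monitor reads every task's `comm`, `cmdline`, `stat` and `io`, not only its own), but `/proc/<pid>/io` is additionally gated by the kernel's ptrace access check, which AppArmor mediates through a `ptrace (read)` rule and not through the `capability sys_ptrace,` seen in the first hunk. If the profile does not already carry `ptrace (read),` somewhere outside this diff, reads of other users' `io` files will still be denied after this change, logged as a ptrace denial rather than a file one. The sysfs glob changes (`pci*` to `pci[0-9]*`, `{,*/*/}` to `{,**/}`) are read-only paths and look fine.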
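Review bot: The `unix (send, receive) type=stream addr=none peer=(label=lsb_release),` rule moved up into the murmurd network section loses the `# file_inherit` comment, which the second hunk of this file deletes together with the rule's old position, so the reason a unix-socket rule exists in a daemon that otherwise only uses inet and dbus is no longer recorded. I'd keep the explanation attached to the rule, e.g. `# file_inherit: stream socket inherited by the lsb_release child (Px below)`, since the `Px -> lsb_release` transition that makes it necessary now sits several lines further down. The move itself is behaviour-neutral, as AppArmor does not evaluate rules in order.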
@@ -42,12 +44,6 @@ profile murmurd @{exec_path} {
 
   # Silencer
   deny / r,
-  deny /usr/{,local/}lib/ r,
-  deny /usr/lib32/ r,
-  deny /usr/lib64/ r,
-
-  # file_inherit
-  unix (send, receive) type=stream addr=none peer=(label=lsb_release),
 
   include if exists
 }
diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk
index 8fd30049..3649ce9b 100644
--- a/apparmor.d/profiles-m-r/rustdesk
+++ b/apparmor.d/profiles-m-r/rustdesk
@@ -24,15 +24,6 @@ profile rustdesk @{exec_path} {
   network inet6 stream,
   network netlink raw, # discovery
 
-  @{exec_path} mrix,
-
-  /{,usr/}bin/ps rPx,
-  /{,usr/}bin/whoami rPx,
-  /{,usr/}bin/loginctl rPx,
-  /{,usr/}bin/curl rix,
-
-  /{,usr/}bin/python3.[0-9]* rCx -> python,
-
   dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root
        interface=org.a11y.atspi.Socket
        member=Embed
@@ -53,13 +44,20 @@ profile rustdesk @{exec_path} {
        member=Set
        peer=(name=:*),
 
+  @{exec_path} mrix,
+
+  /{,usr/}bin/ps rPx,
+  /{,usr/}bin/whoami rPx,
+  /{,usr/}bin/loginctl rPx,
+  /{,usr/}bin/curl rix,
+
+  /{,usr/}bin/python3.[0-9]* rCx -> python,
+
   owner /tmp/[rR]ust[dD]esk/{,**} rw,
   owner @{user_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw,
   owner @{user_config_dirs}/[rR]ust[dD]esk/{,**} rw,
 
-  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
-
   @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_{cur,min,max}_freq r,
 
   @{PROC}/uptime r,
@@ -113,7 +111,7 @@ profile rustdesk @{exec_path} {
 
   owner @{PROC}/@{pid}/fd/ r,
 
-  /usr/share/rustdesk/files/{,**} r,
+  /usr/share/[rR]ust[dD]esk/files/{,**} r,
 
   owner /tmp/[rR]ust[dD]esk/ w,
   owner /tmp/[rR]ust[dD]esk/pynput_service rw,
@@ -122,11 +120,9 @@ profile rustdesk @{exec_path} {
   owner @{HOME}/.xsession-errors w,
   owner @{HOME}/.Xauthority r,
 
-  # python.d?
-  /usr/share/dpkg/cputable r,
-
-  # Silencer
+  # Unknown yet
   deny /etc/apt/{,**} r,
+  /usr/share/dpkg/cputable r,
 
   include if exists
 }
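Review bot: Removing `owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,` in the second rustdesk hunk while the `dbus (send) bus=accessibility` rules visible in the first hunk stay in place leaves the profile allowed to speak the a11y protocol but, as far as this diff shows, not to open the socket it runs on. That is only consistent if an include outside this diff (an accessibility abstraction, for instance) already carries the socket rule; if it does not, the deletion surfaces as a denied open on the at-spi bus path rather than as an obvious failure, so please confirm which include now covers it. The relocation of `@{exec_path} mrix,` and the `/{,usr/}bin/*` execution rules between the first two hunks is a pure move.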
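Review bot: The last rustdesk hunk places an allow rule, `/usr/share/dpkg/cputable r,`, under the new `# Unknown yet` heading together with `deny /etc/apt/{,**} r,`, and in doing so drops the `# python.d?` note that recorded where the cputable read was thought to belong. A heading that mixes a deny and an allow reads as two unresolved questions merged into one; I'd keep `# Silencer` over the deny and put a one-line `# dpkg cputable: probably wanted by the python child, confirm` over the allow, so that whoever resolves it later knows whether the parent profile or the `rCx -> python` child actually needs the file.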