From 9ad8ec165d4755bafe2704396ec9dc3130a824a3 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 6 Jun 2021 14:55:17 +0100
Subject: [PATCH] Profiles update.

---
 apparmor.d/groups/browsers/chromium           |  2 +-
 apparmor.d/groups/browsers/chromium-chromium  |  5 +++++
 apparmor.d/groups/browsers/firefox            |  2 +-
 .../groups/browsers/firefox-crashreporter     |  1 +
 apparmor.d/groups/pacman/arch-audit           |  1 +
 apparmor.d/groups/pacman/paccache             | 19 ++++++++++++-------
 apparmor.d/groups/systemd/child-systemctl     |  3 +++
 apparmor.d/groups/systemd/systemd-coredump    | 17 +++++++++--------
 apparmor.d/groups/systemd/systemd-detect-virt |  5 +++++
 apparmor.d/groups/systemd/systemd-sysusers    |  4 ++++
 apparmor.d/groups/systemd/systemd-tmpfiles    |  4 ++++
 apparmor.d/groups/systemd/systemd-udevd       |  4 ++++
 .../profiles-a-l/gdk-pixbuf-query-loaders     |  4 ++++
 apparmor.d/profiles-a-l/gio-querymodules      |  4 ++++
 apparmor.d/profiles-a-l/install-info          |  4 ++++
 apparmor.d/profiles-a-l/logrotate             |  1 +
 .../profiles-m-z/update-desktop-database      |  4 ++++
 apparmor.d/profiles-m-z/xdg-mime              |  1 +
 18 files changed, 68 insertions(+), 17 deletions(-)

diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium
index 8e7481ca..84fd618b 100644
--- a/apparmor.d/groups/browsers/chromium
+++ b/apparmor.d/groups/browsers/chromium
@@ -11,7 +11,7 @@ include <tunables/global>
 @{CHROMIUM_CACHEDIR} = @{user_cache_dirs}/chromium
 
 @{exec_path} = /{usr/,}bin/chromium
-profile chromium @{exec_path} {
+profile chromium @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/freedesktop.org>
   include <abstractions/deny-root-dir-access>
diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium
index 72c6e561..5325b726 100644
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@@ -191,6 +191,11 @@ profile chromium-chromium @{exec_path} {
   # file_inherit
   owner /dev/tty[0-9]* rw,
 
+  # Video support
+  /dev/ r,
+  /dev/video[0-9]* rw,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r,
+
   /etc/opensc.conf r,
 
   include <abstractions/dconf>
diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox
index 50e1fa9a..33957a48 100644
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@@ -12,7 +12,7 @@ include <tunables/global>
 @{MOZ_CACHEDIR} = @{user_cache_dirs}/mozilla
 
 @{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
-profile firefox @{exec_path} {
+profile firefox @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/wayland>
   include <abstractions/opencl-intel>
diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter
index 6ac2b8ec..8f44a74d 100644
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@@ -62,6 +62,7 @@ profile firefox-crashreporter @{exec_path} {
   # file_inherit
   owner @{MOZ_CACHEDIR}/firefox/*.*/** r,
   owner @{MOZ_HOMEDIR}/firefox/*.*/extensions/*.xpi r,
+  owner @{MOZ_HOMEDIR}/firefox/*.*/.parentlock rw,
   owner @{HOME}/.xsession-errors w,
   /dev/dri/renderD128 rw,
 
diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit
index 62f23ae3..3e23bb05 100644
--- a/apparmor.d/groups/pacman/arch-audit
+++ b/apparmor.d/groups/pacman/arch-audit
@@ -10,6 +10,7 @@ include <tunables/global>
 profile arch-audit @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
   include <abstractions/ssl_certs>
 
   capability dac_read_search,
diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache
index 6e1f7595..82c9713f 100644
--- a/apparmor.d/groups/pacman/paccache
+++ b/apparmor.d/groups/pacman/paccache
@@ -15,20 +15,25 @@ profile paccache @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/cat          rix,
-  /{usr/,}bin/gettext      rix,
-  /{usr/,}bin/pacman-conf  rPx,
-  /{usr/,}bin/pacman       rPUx,
-  /{usr/,}bin/tput         rix,
-  /{usr/,}bin/pacsort      rix,
-  /{usr/,}bin/gawk         rix,
   /{usr/,}bin/bash         rix,
+  /{usr/,}bin/cat          rix,
+  /{usr/,}bin/gawk         rix,
+  /{usr/,}bin/gettext      rix,
+  /{usr/,}bin/pacman       rPUx,
+  /{usr/,}bin/pacman-conf  rPx,
+  /{usr/,}bin/pacsort      rix,
+  /{usr/,}bin/rm           rix,
+  /{usr/,}bin/stat         rix,
+  /{usr/,}bin/tput         rix,
+  /{usr/,}bin/xargs        rix,
 
   /usr/share/makepkg/util/*.sh r,
   /usr/share/terminfo/x/xterm-256color r,
 
   /var/cache/pacman/pkg/{,*} rw,
 
+  owner @{PROC}/@{pid}/fd/ r,
+
   /dev/tty rw,
 
   include if exists <local/paccache>
diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl
index 7d3c078b..080136f3 100644
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@@ -23,6 +23,9 @@ profile child-systemctl {
 
   ptrace (read),
 
+  network inet stream,
+  network inet6 stream,
+
   /{usr/,}bin/systemctl mr,
 
   owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 1a359805..2e2246e8 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -10,29 +10,30 @@ include <tunables/global>
 @{exec_path}  = /{usr/,}lib/systemd/systemd-coredump
 profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/systemd-common>
-  include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
+  capability setgid,
   capability setpcap,
   capability setuid,
-  capability setgid,
-  capability dac_read_search,
   capability sys_ptrace,
   # Needed?
-  deny capability net_admin,
+  # deny capability net_admin,
 
   @{exec_path} mr,
 
   /{usr/,}bin/* r,
   /{usr/,}sbin/* r,
-  /usr/libexec/** r,
+  /usr/{lib,libexec}/** r,
 
   /etc/systemd/coredump.conf r,
 
-        /var/lib/systemd/coredump/ r,
-  owner /var/lib/systemd/coredump/#[0-9]* rw,
-  owner /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*{,.zst} rwl -> /var/lib/systemd/coredump/#[0-9]*,
+  /var/lib/systemd/coredump/ r,
+  /var/lib/systemd/coredump/#[0-9]* rwl,
+  /var/lib/systemd/coredump/core.*.@{uid}.[0-9a-f]*.[0-9]*.[0-9]*.zst rwl,
+  /var/lib/systemd/coredump/core.*.@{uid}.[0-9a-f]*.[0-9]*.[0-9]* rwl,
 
   owner @{PROC}/@{pid}/setgroups r,
         @{PROC}/@{pids}/comm r,
diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt
index 11357e94..df757bc6 100644
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+#               2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -19,5 +20,9 @@ profile systemd-detect-virt @{exec_path} {
   @{sys}/devices/virtual/dmi/id/board_vendor r,
   @{sys}/devices/virtual/dmi/id/bios_vendor r,
 
+  # Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists <local/systemd-detect-virt>
 }
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index e25108d4..43562915 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@@ -37,5 +37,9 @@ profile systemd-sysusers @{exec_path} {
   owner @{PROC}/@{pid}/stat r,
         @{PROC}/sys/kernel/random/boot_id r,
 
+  # Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists <local/systemd-sysusers>
 }
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index b9ce3dfb..542c507e 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -48,5 +48,9 @@ profile systemd-tmpfiles @{exec_path} {
 
   @{PROC}/@{pid}/net/unix r,
 
+  # Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists <local/systemd-tmpfiles>
 }
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index e52b2b09..e4066dec 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -91,5 +91,9 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
   # file_inherit
   owner @{HOME}/.xsession-errors w,
 
+  # Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists <local/systemd-udevd>
 }
diff --git a/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders
index c1fbc4ea..8793377a 100644
--- a/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders
+++ b/apparmor.d/profiles-a-l/gdk-pixbuf-query-loaders
@@ -10,9 +10,13 @@ include <tunables/global>
 profile gdk-pixbuf-query-loaders @{exec_path} {
   include <abstractions/base>
 
+  network inet stream,
+  network inet6 stream,
+
   @{exec_path} mr,
 
   /{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/{,*}/loaders.cache.* rw,
+  /{usr/,}lib/gdk-pixbuf-[0-9].[0-9]*/*/loaders.cache rw,
 
   include if exists <local/gdk-pixbuf-query-loaders>
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-l/gio-querymodules b/apparmor.d/profiles-a-l/gio-querymodules
index b01e0e3e..ee711c86 100644
--- a/apparmor.d/profiles-a-l/gio-querymodules
+++ b/apparmor.d/profiles-a-l/gio-querymodules
@@ -15,5 +15,9 @@ profile gio-querymodules @{exec_path} {
 
   /{usr/,}lib/gtk-{3,4}.0/**/giomodule.cache{,.[0-9A-Z]*} w,
 
+  # Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists <local/gio-querymodules>
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-l/install-info b/apparmor.d/profiles-a-l/install-info
index 0e45e73b..41c679cc 100644
--- a/apparmor.d/profiles-a-l/install-info
+++ b/apparmor.d/profiles-a-l/install-info
@@ -22,5 +22,9 @@ profile install-info @{exec_path} {
 
   /dev/tty rw,
 
+  # Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists <local/install-info>
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-l/logrotate b/apparmor.d/profiles-a-l/logrotate
index 6082990c..cc463544 100644
--- a/apparmor.d/profiles-a-l/logrotate
+++ b/apparmor.d/profiles-a-l/logrotate
@@ -32,6 +32,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
   /{usr/,}bin/{,ba,da}sh             rix,
   /{usr/,}bin/ls                     rix,
   /{usr/,}bin/gzip                   rix,
+  /{usr/,}bin/zstd                   rix,
   /{usr/,}{s,}bin/invoke-rc.d        rix,
   /{usr/,}lib/rsyslog/rsyslog-rotate rix,
 
diff --git a/apparmor.d/profiles-m-z/update-desktop-database b/apparmor.d/profiles-m-z/update-desktop-database
index 30b95980..9e50d44d 100644
--- a/apparmor.d/profiles-m-z/update-desktop-database
+++ b/apparmor.d/profiles-m-z/update-desktop-database
@@ -20,5 +20,9 @@ profile update-desktop-database @{exec_path} {
 
   /usr/share/*/*.desktop r,
 
+  # Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists <local/update-desktop-database>
 }
diff --git a/apparmor.d/profiles-m-z/xdg-mime b/apparmor.d/profiles-m-z/xdg-mime
index 152d3f87..180be189 100644
--- a/apparmor.d/profiles-m-z/xdg-mime
+++ b/apparmor.d/profiles-m-z/xdg-mime
@@ -53,6 +53,7 @@ profile xdg-mime @{exec_path} {
   # file_inherit
   @{MOUNTS}/** rw,
 
+  /dev/tty rw,
 
   profile dbus {
     include <abstractions/base>