From 9c08b361825a3f675bcd250f8a316494f99be8d1 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 18 Jul 2023 22:28:30 +0100
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 1 +
 apparmor.d/groups/freedesktop/xdg-email | 1 +
 apparmor.d/groups/gnome/gnome-shell | 2 +-
 apparmor.d/groups/gnome/gnome-software | 2 +-
 apparmor.d/groups/gnome/mutter-x11-frames | 3 +++
 apparmor.d/groups/network/mullvad-gui | 1 +
 apparmor.d/groups/pacman/pacman | 1 +
 apparmor.d/groups/systemd/systemd-backlight | 2 ++
 apparmor.d/groups/ubuntu/software-properties-gtk | 2 ++
 apparmor.d/groups/virt/libvirtd | 4 ++++
 apparmor.d/profiles-a-f/agetty | 1 +
 apparmor.d/profiles-a-f/cupsd | 1 +
 apparmor.d/profiles-m-r/molly-guard | 2 +-
 13 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index ccec152f..faace6eb 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -20,6 +20,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email
index 19bcb29e..1ad83002 100644
--- a/apparmor.d/groups/freedesktop/xdg-email
+++ b/apparmor.d/groups/freedesktop/xdg-email
@@ -16,6 +16,7 @@ profile xdg-email @{exec_path} flags=(complain) {
 @{bin}/{,ba,da}sh rix,
 @{bin}/{,e}grep rix,
 @{bin}/basename rix,
+ @{bin}/cut rix,
 @{bin}/gio rPx,
 @{bin}/readlink rix,
 @{bin}/sed rix,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 8d8a572e..fa9e7405 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -590,7 +590,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
 owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
 owner @{run}/user/@{uid}/systemd/notify rw,
- owner @{run}/user//@{uid}/wayland-[0-9]* rwk,
+ owner @{run}/user/@{uid}/wayland-[0-9]* rwk,
 owner /dev/shm/.org.chromium.Chromium.* rw,
 owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 3f60b6f1..254d8c7d 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -75,7 +75,7 @@ profile gnome-software @{exec_path} {
 owner @{HOME}/.var/app/{,**} rw,
- owner @{user_cache_dirs}/flatpak/{,**} rw,
+ owner @{user_cache_dirs}/flatpak/{,**} rwl,
 owner @{user_cache_dirs}/gnome-software/{,**} rw,
 owner @{user_config_dirs}/pulse/*.conf r,
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 450526b6..0e3e4dc9 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -16,10 +16,13 @@ profile mutter-x11-frames @{exec_path} {
 include
 include
 include
+ include
 include
 include
 @{exec_path} mr,
+ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+ include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index 0eab9fa2..1105e296 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -18,6 +18,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 capability sys_chroot,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index 82f894bb..0bf4f792 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
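Review bot: The `l` added to `owner @{user_cache_dirs}/flatpak/{,**} rwl,` permits hard-link creation anywhere under the cache tree, and as I read AppArmor's link semantics the only constraint on the target is that the profile already holds at least the link's permissions on it, so files under `owner @{HOME}/.var/app/{,**} rw,` (a context line of this hunk) can be linked into the cache as well. If flatpak only links objects within its own cache, a `link subset` rule naming both the new link and its target would pin that down; otherwise a short comment above the line, `# l: hard links flatpak creates inside its cache (confirm source tree)`, keeps the widened permission reviewable. The profile block begins and ends outside the hunk.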
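Review bot: The character class in `owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,` excludes lowercase letters, while the gvfsd socket rule in the gnome-shell hunk of this same patch matches temp-file suffixes with `[0-9A-Za-z]*`; if the suffix comes from a mkstemp-style template it can begin with a lowercase letter and this rule would silently fail to match, so `[0-9A-Za-z]*` is the safer class. The file name suggests this is the Xauthority file mutter generates for Xwayland; if mutter-x11-frames only reads the cookie to authenticate, `r` is sufficient and `w` should be dropped, since write access would let a fault in the frames process alter the cookie the compositor handed out — worth confirming against the logged denials that motivated the rule. The profile block begins and ends outside the hunk.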
@@ -139,6 +139,7 @@ profile pacman @{exec_path} {
 owner /tmp/checkup-db-[0-9]*/db.lck rw,
 @{PROC}/@{pids}/ r,
+ @{PROC}/@{pids}/cgroup r,
 @{PROC}/@{pids}/cmdline r,
 @{PROC}/@{pids}/stat r,
 @{PROC}/1/environ r,
diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight
index 48717f24..2d4e48be 100644
--- a/apparmor.d/groups/systemd/systemd-backlight
+++ b/apparmor.d/groups/systemd/systemd-backlight
@@ -31,9 +31,11 @@ profile systemd-backlight @{exec_path} {
 @{sys}/devices/pci[0-9]*/**/backlight/**/{uevent,type} r,
 @{sys}/devices/pci[0-9]*/**/backlight/**/brightness rw,
 @{sys}/devices/pci[0-9]*/**/class r,
+ @{sys}/devices/pci[0-9]*/**/drm/**/ r,
 @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{max_brightness,actual_brightness} r,
 @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/{uevent,type} r,
 @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/brightness rw,
+ @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/ r,
 @{sys}/devices/pci[0-9]*/**/uevent r,
 @{sys}/devices/platform/**/leds/*backlight*/brightness rw,
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index e8c4fae6..4fa437c9 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -14,6 +14,7 @@ profile software-properties-gtk @{exec_path} {
 include
 include
 include
+ include
 include
 include
 include
@@ -39,6 +40,7 @@ profile software-properties-gtk @{exec_path} {
 @{bin}/ r,
+ @{bin}/{,da,ba}sh rix,
 @{bin}/aplay rPx,
 @{bin}/apt-key rPx,
 @{bin}/dpkg rPx -> child-dpkg,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 6a307639..b7cc408f 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -105,6 +105,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{bin}/dmidecode rPx,
 @{bin}/dnsmasq rPx,
+ @{bin}/kmod rPx,
 @{bin}/lvm rPUx,
 @{bin}/mdevctl rPx,
 @{bin}/swtpm rPx,
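Review bot: The shell rule added in the second software-properties-gtk hunk is written `@{bin}/{,da,ba}sh rix,`, whereas the xdg-email and molly-guard hunks of this same patch spell the same alternation `{,ba,da}sh`; the glob is equivalent, but the differing order makes grep-based audits of "which profiles run a shell inherit" miss this one, so `@{bin}/{,ba,da}sh rix,` would be the consistent form. Since `ix` keeps the shell under this profile's full permissions, a one-line comment naming what the shell is invoked for would also help the next reviewer decide whether a narrower transition is possible. The profile block begins and ends outside the hunk.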
@@ -192,10 +193,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/n[0-9]* r,
 @{sys}/bus/[a-z]*/devices/ r,
+ @{sys}/bus/pci/drivers_probe w,
+ @{sys}/bus/pci/drivers/*/unbind w,
 @{sys}/class/[a-z]*/ r,
 @{sys}/devices/**/uevent r,
 @{sys}/devices/pci[0-9]*/**/{class,revision,subsystem_vendor,subsystem_device} r,
 @{sys}/devices/pci[0-9]*/**/{config,numa_node,device,vendor} r,
+ @{sys}/devices/pci[0-9]*/**/driver_override w,
 @{sys}/devices/pci[0-9]*/**/mdev_supported_types/{,**} r,
 @{sys}/devices/pci[0-9]*/**/mdev_supported_types/*/create w,
 @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty
index 4396afc3..76a3789c 100644
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@@ -30,6 +30,7 @@ profile agetty @{exec_path} {
 /{etc,run,lib,usr/lib}/issue r,
 /{etc,run,lib,usr/lib}/issue.d/{,*} r,
 /etc/inittab r,
+ /etc/login.defs r,
 /etc/os-release r,
 @{run}/resolvconf/resolv.conf r,
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd
index 7ca3d5fd..dbfa1580 100644
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@@ -51,6 +51,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
 @{bin}/chmod rix,
 @{bin}/cp rix,
 @{bin}/grep rix,
+ @{bin}/gs rix,
 @{bin}/gsc rix,
 @{bin}/hostname rix,
 @{bin}/ippfind rix,
diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard
index 35a11274..edfe6271 100644
--- a/apparmor.d/profiles-m-r/molly-guard
+++ b/apparmor.d/profiles-m-r/molly-guard
@@ -18,8 +18,8 @@ profile molly-guard @{exec_path} {
 @{exec_path} mr,
 @{bin}/{,ba,da}sh rix,
- @{bin}/hostname rix,
 @{bin}/{,e,p}grep rix,
+ @{bin}/hostname rix,
 @{bin}/run-parts rix,
 @{bin}/systemctl rPx -> child-systemctl,
 @{bin}/tr rix,
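Review bot: The three write rules added to libvirtd here (`@{sys}/bus/pci/drivers_probe w,`, `@{sys}/bus/pci/drivers/*/unbind w,`, `@{sys}/devices/pci[0-9]*/**/driver_override w,`) together allow detaching any PCI device from its host driver and rebinding it to another, which is far broader than the surrounding read-only sysfs rules, and nothing in the hunk records why. Presumably this is host-device (re)assignment for guests; a comment above the first of them, `# PCI host-device (re)assignment: unbind host driver, set driver_override, reprobe`, would let a later reader judge whether all three are still needed. If devices are only ever unbound from a known set of drivers the `*` in `drivers/*/unbind` could be narrowed, but that depends on deployment and cannot be decided from the hunk. The profile block begins and ends outside the hunk.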
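Review bot: `@{bin}/gs rix,` in the cupsd hunk runs Ghostscript inherited under the cupsd profile, so the interpreter that parses untrusted print-job content (PostScript/PDF) gets every permission cupsd itself holds; the existing `@{bin}/gsc rix,` context line has the same shape, so this applies to both. Ghostscript is the part of the print path most worth isolating: if the repository carries a dedicated profile for it, `@{bin}/gs rPx,` (and likewise for gsc) confines a flaw in the interpreter to that profile instead, and if it does not yet, a comment `# TODO: confine gs/gsc in their own profile` records the gap for the next pass. The profile block begins and ends outside the hunk.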