update apparmor profiles

apparmor.d/accounts-daemon

@@ -13,7 +13,8 @@
 
 #include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/accountsservice/accounts-daemon /usr/libexec/accounts-daemon
+@{exec_path} =  /{usr/,}lib/accountsservice/accounts-daemon
+@{exec_path} += /usr/libexec/accounts-daemon
 profile accounts-daemon @{exec_path} {
   #include <abstractions/base>
   #include <abstractions/wutmp>

apparmor.d/at-spi-bus-launcher

@@ -13,7 +13,8 @@
 
 #include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher /usr/libexec/at-spi-bus-launcher
+@{exec_path}  = /{usr/,}lib/at-spi2-core/at-spi-bus-launcher
+@{exec_path} += /usr/libexec/at-spi-bus-launcher
 profile at-spi-bus-launcher @{exec_path} {
   #include <abstractions/base>
   #include <abstractions/nameservice-strict>

apparmor.d/at-spi2-registryd

@@ -13,7 +13,8 @@
 
 #include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/at-spi2-core/at-spi2-registryd /usr/libexec/at-spi2-registryd
+@{exec_path}  = /{usr/,}lib/at-spi2-core/at-spi2-registryd
+@{exec_path} += /usr/libexec/at-spi2-registryd
 profile at-spi2-registryd @{exec_path} {
   #include <abstractions/base>
   #include <abstractions/nameservice-strict>

apparmor.d/bluetoothd

@@ -14,6 +14,7 @@
 #include <tunables/global>
 
 @{exec_path}  = /{usr/,}lib/bluetooth/bluetoothd
+@{exec_path} += /usr/libexec/bluetooth/bluetoothd
 profile bluetoothd @{exec_path} {
   #include <abstractions/base>
 

apparmor.d/colord-sane

@@ -13,7 +13,8 @@
 
 #include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/colord/colord-sane /usr/libexec/colord-sane
+@{exec_path}  = /{usr/,}lib/colord/colord-sane
+@{exec_path} += /usr/libexec/colord-sane
 profile colord-sane @{exec_path} flags=(complain) {
   #include <abstractions/base>
 

apparmor.d/dh

@@ -32,6 +32,10 @@ profile dh @{exec_path} flags=(complain) {
   /{usr/,}bin/rm    rix,
   /{usr/,}bin/mkdir rix,
 
+  /usr/share/python/pyversions.py   rCx -> python,
+  /usr/share/python3/py3versions.py rCx -> python,
+  /usr/share/dh-python/*            rCx -> python,
+
   # What to do with it? The "rules" file is just a make file and can use any tool. (#FIXME#)
   owner @{BUILD_DIR}/**/debian/rules rcx -> debian-rules,
   owner @{BUILD_DIR}/**              rcx -> debian-rules,
@@ -72,5 +76,37 @@ profile dh @{exec_path} flags=(complain) {
 
   }
 
+  profile python flags=(complain) {
+    #include <abstractions/base>
+    #include <abstractions/python>
+
+    /usr/share/python/pyversions.py   mr,
+    /usr/share/python3/py3versions.py mr,
+    /usr/share/dh-python/*            mr,
+
+    /{usr/,}bin/python2.[0-9]*       rix,
+    /{usr/,}bin/python3.[0-9]*       rix,
+
+    /usr/share/python/ r,
+    /usr/share/python/debian_defaults r,
+    /usr/share/python3/ r,
+    /usr/share/python3/debian_defaults r,
+
+    /usr/share/dh-python/ r,
+    /usr/share/dh-python/** r,
+
+    /{usr/,}bin/which                rix,
+    /{usr/,}bin/dash                 rix,
+    /{usr/,}bin/dpkg-architecture    rPx,
+    /{usr/,}bin/git                  rPx,
+
+    owner /media/debuilder/** r,
+    owner /media/debuilder/**/.pybuild/ rw,
+    owner /media/debuilder/**/.pybuild/** rw,
+
+    owner @{PROC}/@{pid}/fd/ r,
+
+  }
+
   #include if exists <local/dh>
 }

apparmor.d/dkms

@@ -50,7 +50,7 @@ profile dkms @{exec_path} {
 
   /{usr/,}bin/make                             rix,
   /{usr/,}bin/{,@{multiarch}-}*                rix,
-  /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
+  /{usr/,}lib/gcc/@{multiarch}/[0-9]*/*        rix,
 
   /{usr/,}bin/kmod        rCx -> kmod,
   /{usr/,}bin/lsb_release rPx -> child-lsb_release,
@@ -85,7 +85,7 @@ profile dkms @{exec_path} {
 
   owner @{HOME}/ r,
 
-  owner /tmp/cc*.s rw,
+  owner /tmp/cc* rw,
   owner /tmp/dkms.*/ rw,
   owner /tmp/tmp.* rw,
   owner /tmp/sh-thd.* rw,

apparmor.d/dnscrypt-proxy

@@ -47,6 +47,11 @@ profile dnscrypt-proxy @{exec_path} {
   owner /etc/dnscrypt-proxy/relays.md.minisig rw,
   owner /etc/dnscrypt-proxy/public-resolvers.md rw,
   owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw,
+  owner /var/cache/dnscrypt-proxy/sf-*.tmp rw,
+  owner /var/cache/dnscrypt-proxy/relays.md rw,
+  owner /var/cache/dnscrypt-proxy/relays.md.minisig rw,
+  owner /var/cache/dnscrypt-proxy/public-resolvers.md rw,
+  owner /var/cache/dnscrypt-proxy/public-resolvers.md.minisig rw,
 
   @{PROC}/sys/net/core/somaxconn r,
   @{PROC}/sys/kernel/hostname r,

apparmor.d/engrampa

@@ -67,6 +67,8 @@ profile engrampa @{exec_path} {
 
   owner @{HOME}/.config/mimeapps.list{,.*} rw,
 
+  owner @{HOME}/.local/share/ r,
+
   /usr/share/engrampa/{,**} r,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,

apparmor.d/git

@@ -18,6 +18,7 @@
 @{exec_path} = /{usr/,}bin/git
 profile git @{exec_path} {
   #include <abstractions/base>
+  #include <abstractions/consoles>
   #include <abstractions/ssl_certs>
   #include <abstractions/nameservice-strict>
 
@@ -61,6 +62,9 @@ profile git @{exec_path} {
   # Difftools
   /{usr/,}bin/meld       rPUx,
 
+  /{usr/,}bin/sensible-editor rCx -> editor,
+  /{usr/,}bin/vim.*           rCx -> editor,
+
   owner @{HOME}/.config/git/ rw,
   owner @{HOME}/.config/git/config rw,
 
@@ -126,5 +130,29 @@ profile git @{exec_path} {
 
   }
 
+  profile editor flags=(complain) {
+    #include <abstractions/base>
+    #include <abstractions/nameservice-strict>
+
+    /{usr/,}bin/sensible-editor mr,
+    /{usr/,}bin/vim.*           mrix,
+    /{usr/,}bin/dash             rix,
+    /{usr/,}bin/which            rix,
+
+    owner @{HOME}/.selected_editor r,
+
+    /usr/share/vim/{,**} r,
+    /etc/vim/{,**} r,
+    owner @{HOME}/.viminfo{,.tmp} rw,
+
+    owner @{HOME}/.fzf/plugin/ r,
+    owner @{HOME}/.fzf/plugin/fzf.vim r,
+
+    # The git repository files
+    owner /media/debuilder/ r,
+    owner /media/debuilder/** rw,
+
+  }
+
   #include if exists <local/git>
 }

apparmor.d/smartd

@@ -25,6 +25,8 @@ profile smartd @{exec_path} {
   #  Device: /dev/disk/by-id/ata-*, not available
   capability sys_rawio,
 
+  capability net_admin,
+
   @{exec_path} mr,
 
   /etc/smartd.conf r,

apparmor.d/suid3num

@@ -0,0 +1,41 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 Mikhail Morfikov
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+#abi <abi/3.0>,
+
+#include <tunables/global>
+
+@{exec_path}  = /{usr/,}bin/suid3num
+@{exec_path} += /{usr/,}bin/suid3num.py
+profile suid3num @{exec_path} {
+  #include <abstractions/base>
+  #include <abstractions/python>
+
+  capability sys_ptrace,
+
+  ptrace (read),
+
+  @{exec_path} r,
+  /{usr/,}bin/python3.[0-9]* r,
+
+  /usr/bin/dash rix,
+  /usr/bin/find rix,
+
+  owner @{PROC}/@{pid}/fd/ r,
+
+  / r,
+  /**/ r,
+
+  deny /media/ r,
+  deny /media/**/ r,
+
+  #include if exists <local/suid3num>
+}

apparmor.d/systemd-modules-load

@@ -21,6 +21,8 @@ profile systemd-modules-load @{exec_path} {
   # To load kernel modules
   capability sys_module,
 
+  capability net_admin,
+
   @{exec_path} mr,
 
   @{sys}/module/*/initstate r,

apparmor.d/systemd-rfkill

@@ -18,6 +18,8 @@ profile systemd-rfkill @{exec_path} {
   #include <abstractions/base>
   #include <abstractions/systemd-common>
 
+  capability net_admin,
+
   @{exec_path} mr,
 
   /dev/rfkill rw,

apparmor.d/thunderbird

@@ -120,11 +120,13 @@ profile thunderbird @{exec_path} {
 
        owner @{PROC}/@{pid}/fd/ r,
        owner @{PROC}/@{pid}/cgroup r,
-  deny owner @{PROC}/@{pid}/stat r,
+       owner @{PROC}/@{pid}/stat r,
+       owner @{PROC}/@{pid}/statm r,
+       owner @{PROC}/@{pid}/smaps r,
   deny owner @{PROC}/@{pids}/cmdline r,
   deny owner @{PROC}/@{pids}/environ r,
        owner @{PROC}/@{pid}/task/ r,
-  deny owner @{PROC}/@{pid}/task/@{tid}/stat r,
+       owner @{PROC}/@{pid}/task/@{tid}/stat r,
   # To remove the following error:
   #  GLib-GIO-WARNING **: Error creating IO channel for /proc/self/mountinfo: Permission denied
   #  (g-file-error-quark, 2)

apparmor.d/udisksd

@@ -13,7 +13,8 @@
 
 #include <tunables/global>
 
-@{exec_path} = /{usr/,}lib/udisks2/udisksd /usr/libexec/udisks2/udisksd
+@{exec_path}  = /{usr/,}lib/udisks2/udisksd
+@{exec_path} += /usr/libexec/udisks2/udisksd
 profile udisksd @{exec_path} {
   #include <abstractions/base>
   #include <abstractions/nameservice-strict>

apparmor.d/upowerd

@@ -20,9 +20,11 @@ profile upowerd @{exec_path} {
   @{exec_path} mr,
 
   # UPower config file
+  /etc/UPower/ r,
   /etc/UPower/UPower.conf r,
 
   # The history data for the power device
+  /var/lib/upower/ r,
   /var/lib/upower/history-*.dat{,.*} rw,
 
   # Are all of these needed? (#FIXME#)

apparmor.d/virt-manager

@@ -43,6 +43,8 @@ profile virt-manager @{exec_path} flags=(complain) {
 
   /{usr/,}sbin/libvirtd rPx,
 
+  /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner rPUx,
+
   /usr/share/virt-manager/{,**} r,
 
   owner @{HOME}/ r,
@@ -50,6 +52,9 @@ profile virt-manager @{exec_path} flags=(complain) {
   owner @{HOME}/.cache/virt-manager/ rw,
   owner @{HOME}/.cache/virt-manager/** rw,
 
+  owner @{HOME}/.cache/gstreamer-[0-9]*/ rw,
+  owner @{HOME}/.cache/gstreamer-[0-9]*/registry.x86_64.bin{,.tmp*} rw,
+
   # For disk images
   /media/ r,
   /media/*/ r,