From aaed7a25da242c8f2a85a5427c0df5d0acde9e83 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 10 Sep 2023 12:59:26 +0200 Subject: [PATCH] Various updates (#209) --- apparmor.d/groups/grub/grub-mkconfig | 11 +++++++++-- apparmor.d/groups/systemd/systemd-udevd | 4 ++++ apparmor.d/profiles-a-f/blkid | 4 +++- apparmor.d/profiles-a-f/btrfs | 9 ++++----- apparmor.d/profiles-g-l/kmod | 3 +++ apparmor.d/profiles-g-l/lvm | 4 +++- apparmor.d/profiles-m-r/os-prober | 8 +++++++- dists/flags/main.flags | 4 ++-- 8 files changed, 35 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index 99b79aa6..fb8148c8 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/grub-mkconfig -profile grub-mkconfig @{exec_path} { +profile grub-mkconfig @{exec_path} flags=(attach_disconnected) { include include @@ -44,6 +44,7 @@ profile grub-mkconfig @{exec_path} { @{bin}/mktemp rix, @{bin}/mount rPx, @{bin}/mountpoint rix, + @{bin}/mv rix, @{bin}/os-prober rPx, @{bin}/paste rix, @{bin}/readlink rix, @@ -59,6 +60,10 @@ profile grub-mkconfig @{exec_path} { @{bin}/which{.debianutils,} rix, /etc/grub.d/{**,} rix, + @{lib}/gconv/gconv-modules r, + @{lib}/gconv/gconv-modules.d/{,gconv-modules-extra.conf} r, + @{lib}/libostree/grub[0-9]-@{int}_ostree rix, + /boot/{**,} r, /boot/grub/{**,} rw, @@ -67,7 +72,7 @@ profile grub-mkconfig @{exec_path} { /etc/default/grub.d/{*,} r, /usr/share/grub/{**,} r, - /usr/share/terminfo/x/xterm-256color r, + /usr/share/terminfo/{,x/xterm-256color} r, /.zfs/snapshot/*/boot/ r, /.zfs/snapshot/*/etc/{machine-id,} r, @@ -83,5 +88,7 @@ profile grub-mkconfig @{exec_path} { @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, + /dev/tty@{int} rw, + include if exists } 
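Review bot: The new `@{lib}/libostree/grub[0-9]-@{int}_ostree rix,` rule executes the ostree GRUB hook inside the grub-mkconfig profile (inherit), so every file or binary that hook touches must be allowed in this profile rather than in a hook-specific one, and the hunk adds no such rules, presumably because the hook is reached through the existing `/etc/grub.d/{**,} rix,` rule and its needs are already covered. A one-line comment naming the origin of the rule, e.g. `# ostree's /etc/grub.d hook, executed inline`, would spare the next maintainer the lookup. The two gconv rules placed in the same group are unrelated to /etc/grub.d and would read more naturally beside the other library and /usr/share reads. The profile body continues outside this hunk.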
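Review bot: `/dev/tty@{int} rw,` is added here without a comment, and the identical line appears in the blkid, kmod and os-prober hunks of this commit, so the reason deserves stating once; the rule grants read and write on every virtual console, not only the terminal the tool was started from. If these profiles already include the consoles abstraction (the include arguments were stripped in this rendering) the rule duplicates it and can be dropped; if they do not, a comment such as `# console I/O when invoked from a virtual terminal`, adjusted to the denial actually observed, records why a non-interactive tool needs the console. The profile's closing brace is the last line of the hunk.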
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 43fcdf62..8dfa3dd3 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -48,6 +48,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/lvm rPx, @{bin}/mknod rPx, @{bin}/multipath rPx, + @{bin}/nfsrahead rix, @{bin}/nohup rix, @{bin}/perl rix, @{bin}/readlink rix, @@ -76,6 +77,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /etc/default/* r, + /etc/nfs.conf rk, + /etc/udev/ r, /etc/udev/udev.conf r, /etc/udev/rules.d/ r, @@ -108,6 +111,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{PROC}/driver/nvidia/gpus/*/information r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, /dev/ rw, diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid index fe57ea88..02f94108 100644 --- a/apparmor.d/profiles-a-f/blkid +++ b/apparmor.d/profiles-a-f/blkid @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/blkid -profile blkid @{exec_path} { +profile blkid @{exec_path} flags=(attach_disconnected) { include include include @@ -35,5 +35,7 @@ profile blkid @{exec_path} { # For the EVALUATE=scan method @{PROC}/partitions r, + /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index 8f43838b..8326bcab 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/{btrfs,btrfsck} -profile btrfs @{exec_path} { +profile btrfs @{exec_path} flags=(attach_disconnected) { include include include 
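Review bot: `@{bin}/nfsrahead rix,` runs the NFS readahead helper under the systemd-udevd profile itself, which is presumably why the later hunks in this file have to add `/etc/nfs.conf rk,` and `@{PROC}/@{pid}/mountinfo r,` to udevd. A dedicated profile reached through `rPx`, as the neighbouring `lvm`, `mknod` and `multipath` rules already do, would keep those rules out of udevd, whose flags line shows it already carrying attach_disconnected and complain. If a separate profile is deliberately deferred, a comment on the rule saying so would stop the question from being raised again. The udevd profile extends beyond this hunk on both sides.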
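Review bot: The added `@{PROC}/@{pid}/mountinfo r,` lacks the `owner` qualifier that the surrounding `fd/`, `loginuid` and `oom_score_adj` rules carry, and the os-prober hunk in this same commit adds the same path as `owner @{PROC}/@{pid}/mountinfo r,`, so the commit is inconsistent with itself. Unless udevd is known to read mountinfo of processes with a different owner, `owner @{PROC}/@{pid}/mountinfo r,` keeps the rule in line with its neighbours and limits it to /proc entries owned by the same uid. The profile continues outside this hunk.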
@@ -47,10 +47,9 @@ profile btrfs @{exec_path} { @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, - /dev/btrfs-control rw, - /dev/tty@{int} rw, - owner /dev/pts/@{int} rw, - + /dev/btrfs-control rw, + /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod index 4cc9c3af..f6dcec6e 100644 --- a/apparmor.d/profiles-g-l/kmod +++ b/apparmor.d/profiles-g-l/kmod @@ -15,6 +15,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) { include include + capability dac_read_search, capability dac_override, capability mknod, capability net_admin, @@ -70,6 +71,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/modules r, + /dev/tty@{int} rw, + deny /apparmor/.null rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index 58b4d5ba..b6fdeced 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/lvm -profile lvm @{exec_path} { +profile lvm @{exec_path} flags=(attach_disconnected) { include include include @@ -43,5 +43,7 @@ profile lvm @{exec_path} { /dev/**/ r, /dev/mapper/control rw, + deny /apparmor/.null rw, + include if exists } diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index 646b7595..bba20dec 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -21,6 +21,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/{,ba,da}sh rix, @{bin}/{e,f,}grep rix, @{bin}/blkid rPx, + @{bin}/btrfs rPx, @{bin}/cat rix, @{bin}/cut rix, @{bin}/dmraid rPUx, @@ -35,6 +36,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/lvm rPx, @{bin}/mkdir rix, @{bin}/mktemp rix, + @{bin}/mount rix, @{bin}/multipath rPx, @{bin}/readlink rix, @{bin}/rm rix, 
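Review bot: The hunk drops `owner /dev/pts/@{int} rw,` while keeping `/dev/tty@{int} rw,`, so btrfs output to a pseudo-terminal (any terminal emulator or ssh session) now depends on a pts rule arriving from one of the profile's includes, whose arguments are not visible in this rendering. If the consoles abstraction is among them it covers pts and tty alike and the surviving tty line is equally redundant; if it is not, the removal will come back as a denial the first time btrfs is run from a terminal. A comment stating which include is relied on for terminal access would make the intent explicit.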
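Review bot: `capability dac_read_search,` is added beside the existing `capability dac_override,`; for read and directory-search permission checks the kernel consults dac_read_search before falling back to dac_override, so the profile already had the effective access and the new line mainly stops the audit log from reporting a capability denial that the operation then survives. That is worth a comment, e.g. `# silences the dac_read_search denial logged before dac_override is consulted`, because dac_read_search is also the capability gating open_by_handle_at(2) and a reader may otherwise assume kmod's reach grew. The profile continues outside the hunk, and the second kmod hunk adds the `/dev/tty@{int} rw,` line discussed on the grub-mkconfig hunk.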
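Review bot: `@{bin}/mount rix,` runs mount inside the os-prober profile, whereas the grub-mkconfig hunk in this same commit keeps `@{bin}/mount rPx,`, so two callers of the same binary now get different confinement. An inline mount also requires this profile to carry the matching `mount` rules and `capability sys_admin`, none of which appear in the hunk; if they already exist further down the file the rule is fine, otherwise `@{bin}/mount rPx,` as in grub-mkconfig is the consistent choice. A comment explaining why os-prober cannot use the mount profile would settle it. The profile body continues beyond this hunk.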
@@ -43,6 +45,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{bin}/udevadm rPx, @{bin}/umount rix, @{bin}/uname rix, + @{bin}/which rix, @{lib}/newns rix, @{lib}/os-prober/* rix, @{lib}/os-probes/{,**} rix, @@ -65,7 +68,10 @@ profile os-prober @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/block/*/ r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + /dev/tty@{int} rw, + include if exists -} \ No newline at end of file +} diff --git a/dists/flags/main.flags b/dists/flags/main.flags index fe53d3cd..14a67e81 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -120,7 +120,7 @@ grub-glue-efi complain grub-kbdcomp complain grub-macbless complain grub-menulst2cfg complain -grub-mkconfig complain +grub-mkconfig attach_disconnected,complain grub-mkdevicemap complain grub-mkfont complain grub-mkimage complain @@ -188,7 +188,7 @@ locale-gen complain localectl complain login attach_disconnected,complain loginctl complain -lvm complain +lvm attach_disconnected,complain lvmconfig complain lvmdump complain lvmpolld complain