From ab5958c51144ad999d83ca5664b15e96944326b5 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 29 Jun 2021 19:55:56 +0100
Subject: [PATCH] Update profiles.
---
 apparmor.d/groups/bus/dbus-run-session | 1 +
 apparmor.d/groups/gnome/gio-launch-desktop | 2 ++
 apparmor.d/groups/gnome/gnome-session-binary | 4 ++--
 apparmor.d/groups/gnome/gnome-shell | 1 +
 apparmor.d/groups/gnome/tracker-miner | 2 ++
 apparmor.d/groups/gpg/dirmngr | 3 +++
 apparmor.d/groups/systemd/coredumpctl | 4 +++-
 apparmor.d/groups/systemd/systemd-coredump | 7 ++-----
 apparmor.d/profiles-a-l/browserpass | 2 +-
 apparmor.d/profiles-a-l/git | 5 +++--
 apparmor.d/profiles-m-z/rngd | 8 +++++++-
 apparmor.d/profiles-m-z/virt-manager | 1 +
 apparmor.d/profiles-m-z/xdg-mime | 1 +
 13 files changed, 29 insertions(+), 12 deletions(-)
diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session
index 9d577afa..74f17b24 100644
--- a/apparmor.d/groups/bus/dbus-run-session
+++ b/apparmor.d/groups/bus/dbus-run-session
@@ -12,6 +12,7 @@ profile dbus-run-session @{exec_path} {
 signal (receive) set=term peer=gdm,
 signal (receive) set=(term, kill) peer=gdm-wayland-session,
+ signal (send) set=term peer=dbus-daemon,
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop
index 85e9f585..5080693e 100644
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@@ -15,6 +15,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 @{exec_path} mr,
@@ -33,6 +34,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 # Required by many gio command
 owner @{HOME}/{,**} rw,
+ owner /tmp/wl-copy-buffer-*/{,**} rw,
 /dev/dri/card[0-9]* rw,
diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary
index 4cc8792a..da00008d 100644
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@@ -35,8 +35,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 /{usr/,}lib/evolution-data-server/evolution-alarm-notify rPx,
 /{usr/,}lib/gsd-* rPx,
- /{usr/,}bin/pkcs11-register rUx,
- /{usr/,}bin/start-pulseaudio-x11 rUx,
+ /{usr/,}bin/pkcs11-register rPx,
+ /{usr/,}bin/start-pulseaudio-x11 rPx,
 /usr/share/applications/org.gnome.Shell.desktop r,
 /usr/share/gdm/greeter-dconf-defaults r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index a65d97a7..68cb269e 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -92,6 +92,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
 @{run}/systemd/users/@{uid} r,
+ @{run}/systemd/seats/seat[0-9]* r,
 @{run}/systemd/sessions/ r,
 @{run}/systemd/sessions/[0-9]* r,
 @{run}/systemd/inhibit/[0-9]*.ref rw,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 18e8c335..aae0df76 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -32,6 +32,8 @@ profile tracker-miner @{exec_path} {
 owner @{user_config_dirs}/tracker3/{,**} rwk,
 owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
+ @{PROC}/@{pid}/mountinfo r,
+ @{PROC}/@{pid}/mounts r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
 include
diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr
index 411c5e8c..1f8e7b29 100644
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
+# 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -10,6 +11,7 @@ include
 profile dirmngr @{exec_path} {
 include
 include
+ include
 include
 network inet dgram,
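Review bot: The two `rUx` → `rPx` changes for `/{usr/,}bin/pkcs11-register` and `/{usr/,}bin/start-pulseaudio-x11` make those execs fail at runtime unless a profile attached to each binary is loaded, and neither file is touched by this commit's diffstat, so both profiles must already exist in the set; the same dependency applies to `/{usr/,}bin/gio rPx,` added in the xdg-mime hunk. If a distribution may ship either binary without its profile, `rPUx` keeps the transition while falling back to unconfined rather than blocking session start-up. The enclosing `profile gnome-session-binary` block starts and ends outside the hunk.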
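Review bot: The new `@{PROC}/@{pid}/mountinfo r,` and `@{PROC}/@{pid}/mounts r,` lines drop the `owner` qualifier that the set otherwise pairs with `@{pid}` (compare `owner @{PROC}/@{pid}/setgroups r,` next to the unqualified `@{PROC}/@{pids}/comm r,` in the systemd-coredump hunk); if `@{pid}` is a plain numeric glob in the tunables, the rule as written reads the mount tables of every process rather than the miner's own. Prefer `owner @{PROC}/@{pid}/mountinfo r,` and `owner @{PROC}/@{pid}/mounts r,`. The dirmngr hunk has the same slip: `@{run}/user/@{uid}/d.*/S.dirmngr rw,` sits between two `owner`-qualified socket rules and should likely carry `owner` as well.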
@@ -29,6 +31,7 @@ profile dirmngr @{exec_path} {
 owner @{run}/user/@{uid}/gnupg/ rw,
 owner @{run}/user/@{uid}/gnupg/S.dirmngr rw,
+ @{run}/user/@{uid}/d.*/S.dirmngr rw,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
index 5cffdc1f..7fadbcf7 100644
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@@ -44,6 +44,7 @@ profile coredumpctl @{exec_path} flags=(complain) {
 profile gdb {
 include
 include
+ include
 ptrace (trace),
@@ -62,7 +63,8 @@ profile coredumpctl @{exec_path} flags=(complain) {
 /usr/share/glib-2.0/gdb/{,**} r,
 /usr/share/gcc-[0-9]*/python/{,**} r,
 /usr/share/gcc/** r,
-
+ /usr/share/terminfo/x/xterm-256color r,
+ owner /var/tmp/coredump-* rw,
 # Silencer
diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 7869ad46..495c6ac1 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -15,12 +15,11 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) {
 include
 capability dac_read_search,
+ capability net_admin,
 capability setgid,
 capability setpcap,
 capability setuid,
 capability sys_ptrace,
- # Needed?
- # deny capability net_admin,
 @{exec_path} mr,
@@ -31,9 +30,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected complain) {
 /etc/systemd/coredump.conf r,
 /var/lib/systemd/coredump/ r,
- /var/lib/systemd/coredump/#[0-9]* rwl,
- /var/lib/systemd/coredump/core.*.@{uid}.[0-9a-f]*.[0-9]*.[0-9]*.zst rwl,
- /var/lib/systemd/coredump/core.*.@{uid}.[0-9a-f]*.[0-9]*.[0-9]* rwl,
+ /var/lib/systemd/coredump/** rwl,
 owner @{PROC}/@{pid}/setgroups r,
 @{PROC}/@{pids}/comm r,
diff --git a/apparmor.d/profiles-a-l/browserpass b/apparmor.d/profiles-a-l/browserpass
index 6af0ab91..b34a3f38 100644
--- a/apparmor.d/profiles-a-l/browserpass
+++ b/apparmor.d/profiles-a-l/browserpass
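Review bot: `/usr/share/terminfo/x/xterm-256color r,` in the `gdb` child only covers one terminal type, so users with any other TERM value (xterm, screen, tmux variants) will still get a denial for their terminfo entry; the git hunk adds the identical single-entry rule. Since terminfo is read-only shared data, `/usr/share/terminfo/** r,` is the usual fix and costs nothing in exposure. Note the whole profile is `flags=(complain)`, so these denials are currently logged rather than enforced, which is why the narrow rule may have looked sufficient in testing. The `profile gdb {` child starts before the hunk and closes after it.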
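Review bot: `capability net_admin,` turns a deliberate silencer (`# deny capability net_admin,`) into a grant, and the hunk does not record which operation needs it; if the trigger is only systemd's best-effort socket-buffer enlargement via SO_SNDBUFFORCE, which falls back cleanly when the capability is absent, then `deny capability net_admin,` is the right rule and keeps a core-dump helper from holding a capability that also permits interface and routing changes. Please add a comment naming the observed denial, e.g. `# net_admin: <OPERATION SEEN IN AUDIT LOG> (placeholder)`, or restore the deny. In the second hunk, `/var/lib/systemd/coredump/** rwl,` replaces three precise patterns with a recursive one; `/var/lib/systemd/coredump/{#[0-9]*,core.*} rwl,` keeps the same two file shapes the old rules described without granting write and link on arbitrary nested paths. Both hunks sit inside a `complain`-mode profile whose header is outside the hunk, so the effect of either choice is not enforced yet.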
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/browserpass
-profile browserpass @{exec_path} {
+profile browserpass @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/profiles-a-l/git b/apparmor.d/profiles-a-l/git
index 21ea6791..db0ff790 100644
--- a/apparmor.d/profiles-a-l/git
+++ b/apparmor.d/profiles-a-l/git
@@ -75,6 +75,7 @@ profile git @{exec_path} {
 owner @{user_config_dirs}/git/{,*} rw,
 /usr/share/git-core/{,**} r,
+ /usr/share/terminfo/x/xterm-256color r,
 # For diffs
 owner /tmp/git-difftool.*/ rw,
@@ -91,8 +92,8 @@ profile git @{exec_path} {
 # For package building
 owner @{HOME}/*/ rw,
 owner @{HOME}/*/** rwkl -> @{HOME}/*/**,
- owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
- owner @{user_build_dirs}/**/bin/* rCx -> exec,
+ owner /tmp/** rwkl -> /tmp/**,
+ owner /tmp/**/bin/* rCx -> exec,
 /etc/mailname r,
diff --git a/apparmor.d/profiles-m-z/rngd b/apparmor.d/profiles-m-z/rngd
index 1464ba43..3fad4942 100644
--- a/apparmor.d/profiles-m-z/rngd
+++ b/apparmor.d/profiles-m-z/rngd
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol
-# SPDX-License-Identifier: GPL-3.0-or-later
+# SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -17,6 +17,8 @@ profile rngd @{exec_path} {
 capability sys_nice,
 capability dac_read_search,
+ network netlink raw,
+
 /etc/opensc.conf r,
 /etc/conf.d/rngd r,
@@ -26,8 +28,12 @@ profile rngd @{exec_path} {
 @{PROC}/sys/kernel/random/poolsize r,
 @{PROC}/sys/kernel/random/write_wakeup_threshold rw,
+ /dev/ r,
 /dev/hwrng r,
 /dev/random w,
+ @{sys}/bus/ r,
+ @{sys}/class/ r,
+ include if exists
 }
diff --git a/apparmor.d/profiles-m-z/virt-manager b/apparmor.d/profiles-m-z/virt-manager
index e7c83963..c3f1546e 100644
--- a/apparmor.d/profiles-m-z/virt-manager
+++ b/apparmor.d/profiles-m-z/virt-manager
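Review bot: `flags=(attach_disconnected)` is added to the browserpass profile header with no comment on what triggered it; the flag makes files whose path is disconnected from the namespace root appear as if rooted at `/`, so existing path rules can start matching objects they were not written for, and a later maintainer cannot tell whether it is still needed. Presumably the host is launched from inside a browser sandbox or mount namespace, but that is inferred, not shown here; a one-line comment above the header such as `# attach_disconnected: <REASON OBSERVED IN AUDIT LOG> (placeholder)` would document the reason.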
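Review bot: `owner /tmp/**/bin/* rCx -> exec,` in the second git hunk lets git launch any user-owned file under any `bin/` directory anywhere below `/tmp` in the `exec` child, which is far broader than the `@{user_build_dirs}` rule it replaces: `/tmp` is world-writable and is where downloads and extracted archives routinely land, so the set of binaries git may transition to is no longer tied to a build tree. The companion `owner /tmp/** rwkl -> /tmp/**,` likewise grants write and link over the whole of `/tmp` rather than the build directory. If the package-build directory simply moved to `/tmp`, the least-privilege fix is to extend the `@{user_build_dirs}` tunable with that pattern and keep these two rules on the variable, or at minimum scope them as `owner /tmp/<BUILD_DIR_PATTERN>/**` (placeholder for the actual build directory name). The `exec` child profile these rules transition into is defined outside the hunk, so its own permissions should be re-checked against the wider set of entry points.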
@@ -44,6 +44,7 @@ profile virt-manager @{exec_path} {
 /{usr/,}{s,}bin/libvirtd rPx,
 /usr/share/virt-manager/{,**} r,
+ /usr/share/virtio/{,*} r,
 owner @{HOME}/ r,
 owner @{user_cache_dirs}/ rw,
diff --git a/apparmor.d/profiles-m-z/xdg-mime b/apparmor.d/profiles-m-z/xdg-mime
index 180be189..bb4871cf 100644
--- a/apparmor.d/profiles-m-z/xdg-mime
+++ b/apparmor.d/profiles-m-z/xdg-mime
@@ -27,6 +27,7 @@ profile xdg-mime @{exec_path} {
 /{usr/,}bin/file rix,
 /{usr/,}bin/tr rix,
+ /{usr/,}bin/gio rPx,
 /{usr/,}bin/mimetype rPx,
 /{usr/,}bin/xprop rPx,