From be3d625b7f25562172cdcdf7823f4744fc73c15d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 16 Mar 2024 19:41:27 +0000
Subject: [PATCH] feat(profile): general update.

---
 apparmor.d/groups/bus/ibus-daemon            | 20 +++++++++++-------
 apparmor.d/groups/bus/ibus-dconf             |  5 +++--
 apparmor.d/groups/bus/ibus-x11               | 11 ++--------
 apparmor.d/groups/gnome/deja-dup-monitor     |  2 +-
 apparmor.d/groups/gnome/gnome-extension-ding |  6 +-----
 apparmor.d/groups/gnome/gnome-initial-setup  | 22 +++++++++++++++++---
 apparmor.d/groups/kde/kwalletmanager         |  1 -
 apparmor.d/profiles-g-l/logrotate            | 14 ++-----------
 8 files changed, 41 insertions(+), 40 deletions(-)

diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon
index a14e13b8..4381538e 100644
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@@ -24,6 +24,15 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
   # dbus: own bus=session name=org.freedesktop.portal.IBus
   # dbus: own bus=session name=org.freedesktop.IBus
 
+  dbus send bus=session path=/org/freedesktop/IBus
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=org.freedesktop.portal.IBus),
+  dbus send bus=session path=/org/freedesktop/IBus
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=org.freedesktop.portal.IBus, label=ibus-portal),
+
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
@@ -35,16 +44,13 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
   @{lib}/{,ibus/}ibus-*  rPUx,
 
   /usr/share/ibus/{,**} r,
-  /usr/share/ibus-table/tables/ r,
+  /usr/share/ibus-table/{,**} r,
 
-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
+  owner /var/lib/gdm{3,}/.cache/ibus/{,**} rw,
+  owner /var/lib/gdm{3,}/.config/ibus/{,**} rw,
 
   owner @{user_cache_dirs}/ibus/{,**} rw,
-
-  /var/lib/gdm{3,}/.config/ibus/{,**} rw,
-  /var/lib/gdm{3,}/.cache/ibus/{,**} rw,
-  /var/lib/gdm{3,}/.config/ibus/bus/ r,
+  owner @{user_config_dirs}/ibus/ibus/{,**} rw,
 
   owner @{PROC}/@{pids}/fd/ r,
 
diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf
index 3ad8898b..36078854 100644
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@@ -32,12 +32,13 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
   /etc/dconf/db/ibus r,
   /etc/dconf/profile/ibus r,
 
-  /var/lib/gdm{3,}/.config/ibus/bus/ r,
-  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
   /var/lib/gdm{3,}/.cache/dconf/ w,
   /var/lib/gdm{3,}/.cache/dconf/user rw,
+  /var/lib/gdm{3,}/.cache/ibus/dbus-@{rand8} rw,
   /var/lib/gdm{3,}/.config/dconf/ w,
   /var/lib/gdm{3,}/.config/dconf/user rw,
+  /var/lib/gdm{3,}/.config/ibus/bus/ r,
+  /var/lib/gdm{3,}/.config/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
   /var/lib/gdm{3,}/greeter-dconf-defaults r,
 
   owner @{user_cache_dirs}/ibus/dbus-@{rand8} rw,
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index 2383fc3c..ddde2eb0 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -12,13 +12,9 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus/org.a11y>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
-  include <abstractions/fonts>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
+  include <abstractions/desktop>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
 
   unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
 
@@ -44,9 +40,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
   owner @{user_config_dirs}/ibus/bus/ r,
   owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
-
   owner /dev/tty@{int} rw,
 
   include if exists <local/ibus-x11>
diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor
index 3b0cdef1..179e2d2d 100644
--- a/apparmor.d/groups/gnome/deja-dup-monitor
+++ b/apparmor.d/groups/gnome/deja-dup-monitor
@@ -19,7 +19,7 @@ profile deja-dup-monitor @{exec_path} {
   network netlink raw,
 
   # dbus: own bus=session name=org.gnome.DejaDup.Monitor
-  # dbus: talk bus=session name=org.gnome.DejaDup label=xdg-desktop-portal
+  # dbus: talk bus=session name=org.gnome.DejaDup label=deja-dup
 
   dbus send bus=system path=/org/freedesktop/NetworkManager
        interface=org.freedesktop.DBus.Properties
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 9899face..92210f47 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -24,9 +24,7 @@ profile gnome-extension-ding @{exec_path} {
   include <abstractions/bus/org.gtk.vfs.Metadata>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
   include <abstractions/nameservice-strict>
 
   unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
@@ -62,8 +60,6 @@ profile gnome-extension-ding @{exec_path} {
   /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,app/}* r,
   /usr/share/thumbnailers/{,*.thumbnailer} r,
 
-  /var/lib/snapd/desktop/icons/{,**} r,
-
   owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
 
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup
index 878c5309..08225960 100644
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@@ -9,14 +9,18 @@ include <tunables/global>
 @{exec_path} = @{lib}/gnome-initial-setup
 profile gnome-initial-setup @{exec_path} {
   include <abstractions/base>
-  include <abstractions/bus-system>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
+  include <abstractions/bus-system>
   include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.Accounts>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
+  include <abstractions/disks-read>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
 
   network inet dgram,
   network inet6 dgram,
@@ -38,15 +42,27 @@ profile gnome-initial-setup @{exec_path} {
   @{lib}/gnome-initial-setup-goa-helper rix,
 
   /usr/share/dconf/profile/gdm r,
+  /usr/share/gnome-initial-setup/{,**} r,
   /usr/share/xml/iso-codes/{,**} r,
 
+  /etc/timezone r,
+
   /var/lib/gdm{,3}/greeter-dconf-defaults r,
 
-  @{run}/systemd/sessions/@{int} r,
-  @{run}/systemd/users/@{uid} r,
+  owner @{user_config_dirs}/gnome-initial-setup-done w,
+  owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6}BQK2 rw,
 
   owner @{user_config_dirs}/ibus/bus/ r,
   owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
 
+  @{run}/systemd/sessions/@{int} r,
+  @{run}/systemd/users/@{uid} r,
+
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/bios_version r,
+  @{sys}/devices/virtual/dmi/id/product_family r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
   include if exists <local/gnome-initial-setup>
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager
index 2cb334f5..c49c4b3e 100644
--- a/apparmor.d/groups/kde/kwalletmanager
+++ b/apparmor.d/groups/kde/kwalletmanager
@@ -14,7 +14,6 @@ profile kwalletmanager @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
-  include <abstractions/gtk>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/qt5-compose-cache-write>
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index 6cc9d916..4c2876a5 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -86,20 +86,10 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
 
   profile systemctl flags=(attach_disconnected) {
     include <abstractions/base>
-    include <abstractions/wutmp>
+    include <abstractions/systemctl>
 
+    capability net_admin,
     capability sys_ptrace,
-    ptrace (read),
-
-    @{bin}/systemctl mr,
-
-    owner @{PROC}/@{pid}/stat r,
-          @{PROC}/1/environ r,
-          @{PROC}/1/sched r,
-          @{PROC}/cmdline r,
-          @{PROC}/sys/kernel/osrelease r,
-
-    /dev/kmsg rw,
 
     include if exists <local/logrotate_systemctl>
   }