From c006371e5beb653adf9678411e0dbf8cbb583fb7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 6 Feb 2024 22:41:12 +0100
Subject: [PATCH] feat(fsp): rewrite systemd-user profile.
Works fine when fsp is not enabled, still has issue in fsp mode.
---
 apparmor.d/groups/_full/systemd-user | 61 ++++++++++++++++++++++------
 systemd/full/system/user@.service | 5 +--
 2 files changed, 51 insertions(+), 15 deletions(-)
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 19696bdb..f1116122 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -4,7 +4,7 @@
 # Profile for 'systemd --user', not PID 1 but the user manager for any UID.
 # It does not specify an attachment path because it is intended to be used only
-# via "Px -> systemd-user" exec transitions from the systemd profile.
+# via "AppArmorProfile=systemd-user" from a systemd unit file.
 # Only use this profile with a fully configured system. Otherwise it **WILL**
 # break your computer. See https://apparmor.pujol.io/full-system-policy/.
@@ -18,26 +18,25 @@ include
 @{exec_path} = @{lib}/systemd/systemd
 profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 include
- include
- include
- include
+ include
 include
+ include
 network netlink raw,
- ptrace (read),
- signal (send) set=(term, cont, kill),
 signal (receive) set=(hup) peer=@{systemd},
+ ptrace (read),
 @{exec_path} mr,
+ @{bin}/dbus-broker-launch rix,
 # To avoid issue as in #74, #80 & #235
 @{bin}/systemctl rCx -> systemctl,
 @{lib}/systemd/systemd-executor rix,
- audit @{lib}/** Pix,
- audit @{bin}/** Pix,
+ @{bin}/** Pix,
+ @{lib}/** Pix,
 @{bin}/pipewire rPx -> systemd-user//&pipewire,
 @{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session,
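Review bot: Dropping `audit` from `@{bin}/** Pix,` and `@{lib}/** Pix,` removes the log trail that showed which binaries fell back to inheriting this profile (the `i` in `Pix`) because they have no profile of their own, and in a profile this broad that fallback is the main residual risk. If log noise was the motivation, it is worth saying so above the two rules, e.g. `# Fallback for binaries without a dedicated profile; they inherit this profile and its exec rights.` The new `@{bin}/dbus-broker-launch rix,` keeps the launcher under this profile as well, so it gets the same wide exec rules; if the project ships a dbus-broker-launch profile, `rPx` would confine it more tightly. The `profile systemd-user` block continues past the end of this hunk.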
@@ -46,22 +45,51 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 @{bin}/wireplumber rPx -> systemd-user//&wireplumber,
 /usr/ r,
+ /usr/share/alsa-card-profile/{,**} r,
+ /usr/share/dbus-1/{,**} r,
+ /usr/share/defaults/**.conf r,
+ /usr/share/pipewire/{,**} r,
+ /usr/share/pulseaudio/{,**} r,
+ /usr/share/spa-*/bluez@{int}/{,*} r,
+ /usr/share/wireplumber/{,**} r,
+
+ /etc/pipewire/{,**} r,
+ /etc/machine-id r,
 /etc/systemd/user.conf r,
 /etc/systemd/user.conf.d/{,**} r,
 /etc/systemd/user/{,**} r,
+ / r,
+
+ /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
+
+ owner @{HOME}/.local/ w,
+ owner @{user_config_dirs}/systemd/user/{,**} r,
- owner @{run}/user/@{uid}/{,*/,*} rw,
- owner @{run}/user/@{uid}/*/* rw,
- owner @{run}/user/@{uid}/systemd/{,**} rwl,
+ owner @{user_state_dirs}/ w,
+ owner @{user_state_dirs}/wireplumber/{,**} rw,
+
+ @{run}/systemd/users/@{uid} r,
+ owner @{run}/user/@{uid}/ rw,
+ owner @{run}/user/@{uid}/** rwkl,
 @{run}/mount/utab r,
 @{run}/systemd/notify w,
- @{run}/udev/data/* r,
+ @{run}/udev/data/+module:configfs r,
+ @{run}/udev/data/+module:fuse r,
+ @{run}/udev/data/b254:@{int} r, # for /dev/zram*
+ @{run}/udev/data/c4:@{int} r, # For TTY devices
+ @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
+ @{run}/udev/data/c116:@{int} r, # For ALSA
+ @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ @{run}/udev/data/n@{int} r,
 @{run}/udev/tags/systemd/ r,
+ @{sys}/bus/ r,
+ @{sys}/devices/**/sound/**/pcm_class r,
+ @{sys}/devices/**/uevent r,
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
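Review bot: `owner @{run}/user/@{uid}/** rwkl,` grants more than the three rules it replaces: the old `l` applied only to `systemd/{,**}`, `k` was not granted anywhere, and the new glob now covers every socket and file under the runtime directory. Because binaries without a profile of their own fall back to inheriting this profile through `@{bin}/** Pix,` in the previous hunk, the wider grant reaches them as well. If link and lock are genuinely needed outside `systemd/`, a comment naming the consumer would help a later reader; otherwise `owner @{run}/user/@{uid}/** rw,` together with `owner @{run}/user/@{uid}/systemd/{,**} rwl,` keeps the scope close to the original. This hunk sits in the middle of the `profile systemd-user` block, which starts and ends outside it.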
@@ -78,14 +106,23 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 @{PROC}/swaps r,
 @{PROC}/sys/fs/nr_open r,
 @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/overflowgid r,
+ @{PROC}/sys/kernel/overflowuid r,
 @{PROC}/sys/kernel/pid_max r,
 @{PROC}/sys/kernel/threads-max r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
+ owner @{PROC}/@{pid}/gid_map r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+ owner @{PROC}/@{pid}/uid_map r,
 owner @{PROC}/@{pids}/attr/apparmor/exec w,
 owner @{PROC}/@{pids}/fd/ r,
 owner @{PROC}/@{pids}/mountinfo r,
 owner @{PROC}/@{pids}/oom_score_adj rw,
+ /dev/media@{int} rw,
+ /dev/snd/ r,
+ /dev/tty rw,
+
 profile systemctl {
 include
diff --git a/systemd/full/system/user@.service b/systemd/full/system/user@.service
index 05023d01..2b9dc485 100644
--- a/systemd/full/system/user@.service
+++ b/systemd/full/system/user@.service
@@ -1,3 +1,2 @@
-# TODO: works as intended on server, does not work on desktop
-# [Service]
-# AppArmorProfile=systemd-user
\ No newline at end of file
+[Service]
+AppArmorProfile=systemd-user
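Review bot: `/dev/media@{int} rw,` and `/dev/tty rw,` give the user manager itself device access that `systemd --user` does not obviously need; they appear to be here because pipewire and wireplumber run in the stacks `systemd-user//&pipewire` and `systemd-user//&wireplumber` (visible in the earlier hunks), where an access is allowed only if every profile in the stack allows it. A comment stating that would stop a later maintainer from reading these as systemd's own requirements, e.g. `# Needed by the stacked pipewire/wireplumber profiles (systemd-user//&...), not by systemd itself — confirm`. The same presumably holds for the `/usr/share/{alsa-card-profile,pipewire,spa-*,wireplumber}`, `/dev/snd/` and ALSA udev rules added in the previous hunk. The `profile systemd-user` block starts before this hunk, and the `systemctl` child profile that begins at its end continues past it.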
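Review bot: `AppArmorProfile=systemd-user` now fails the unit closed: if the profile is not loaded in the kernel when `user@.service` starts, systemd refuses to start the user manager and no user session comes up on that host. Given the profile header's warning that it breaks a system that is not fully configured, fail-closed is probably the intended behaviour for the full-system-policy variant, but the removed TODO was the only place recording the caveat and the commit message says fsp mode still has issues. Record the decision in the unit, e.g. `# Fail closed: the user manager must not start unconfined under full-system policy (profile must be loaded first)`. If fail-open were ever wanted instead, systemd's `-` prefix (`AppArmorProfile=-systemd-user`) ignores the error, at the cost of silently running the user manager unconfined.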