From cbc1d8faf3d86703b23672ed6589f2775d8f24bb Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 29 Mar 2023 23:55:43 +0100
Subject: [PATCH] feat(profiles): small profiles update.

---
 apparmor.d/groups/gnome/gjs-console            | 5 +++--
 apparmor.d/groups/gpg/gpg                      | 3 +++
 apparmor.d/groups/grub/grub-mkrelpath          | 5 +++++
 apparmor.d/groups/grub/grub-probe              | 2 ++
 apparmor.d/groups/network/mullvad-gui          | 7 +++++--
 apparmor.d/groups/virt/containerd-shim-runc-v2 | 1 +
 apparmor.d/profiles-a-f/augenrules             | 2 +-
 apparmor.d/profiles-m-r/os-prober              | 6 +++---
 8 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 7f812cda..c1422f4b 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -86,10 +86,11 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   /usr/share/icu/{,**} r,
   /usr/share/X11/xkb/** r,
 
-  /var/lib/gdm{3,}/greeter-dconf-defaults r,
-  /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
   /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
   /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+  /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm{3,}/greeter-dconf-defaults r,
 
   /tmp/ r,
   /var/tmp/ r,
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index ac9ff3bc..1ab8a99f 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -45,6 +45,9 @@ profile gpg @{exec_path} {
   owner /var/lib/*/.gnupg/ rw,
   owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
 
+  owner /tmp/ostree-gpg-*/ r,
+  owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+  owner /tmp/tmp.[a-zA-Z0-9]* rw,
 
   owner @{PROC}/@{pid}/fd/ r,
 
diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath
index b540a56b..ce134e62 100644
--- a/apparmor.d/groups/grub/grub-mkrelpath
+++ b/apparmor.d/groups/grub/grub-mkrelpath
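Review bot: The new rule `/var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,` uses `?`, which matches exactly one character, so it covers single-digit cache-format suffixes only and would silently stop matching if the suffix ever grows to two digits; `.cache-[0-9]*` expresses the same intent without that cliff. Granting only `r` on the `.NEW`, `.LCK` and `.TMP-*` names is harmless, but a comment such as `# fontconfig cache of the gdm greeter, read only` would tell the next maintainer why write-side temporary names appear in a read rule. The profile body continues outside the hunk.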
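Review bot: `owner /tmp/tmp.[a-zA-Z0-9]* rw,` admits every default-template `mktemp` file in /tmp owned by the calling user, not only the ostree keyring directories targeted by the two lines above it, so user-owned temporaries created by unrelated programs become readable and writable by gpg. If the rule exists for the same ostree flow (presumably — confirm from the denial that motivated it), a comment naming that caller, and a tighter prefix where the name is predictable, would keep the grant reviewable. The `owner` qualifier already limits the match to the caller's own files; the profile body continues outside the hunk.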
@@ -21,6 +21,11 @@ profile grub-mkrelpath @{exec_path} {
   / r,
   /usr/share/grub/* r,
 
+  /boot/grub/themes/{,**} r,
+
+  /tmp/grub-btrfs.*/@snapshots/[0-9]*/snapshot/boot/ r,
+  /tmp/grub-btrfs.*/ r,
+
   @{PROC}/@{pids}/mountinfo r,
 
   include if exists
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index 2e1c5d1a..20a58e47 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -25,6 +25,8 @@ profile grub-probe @{exec_path} {
   / r,
   /usr/share/grub/* r,
 
+  /boot/grub/themes/{,**} r,
+
   @{PROC}/@{pids}/mountinfo r,
   @{PROC}/devices r,
 
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui
index d0df2371..f5fb7869 100644
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@@ -7,7 +7,7 @@ abi ,
 include
 
 @{exec_path} = /opt/Mullvad*/mullvad-gui
-profile mullvad-gui @{exec_path} {
+profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
@@ -52,9 +52,12 @@ profile mullvad-gui @{exec_path} {
   owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
 
+  @{run}/systemd/inhibit/*.ref rw,
+
   @{sys}/bus/pci/devices/ r,
-  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
   @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config,resource,irq} r,
+  @{sys}/devices/system/cpu/** r,
+  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
 
   @{PROC}/ r,
   @{PROC}/sys/fs/inotify/max_user_watches r,
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
index 3fbe0542..2d54b708 100644
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
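Review bot: The two `/tmp/grub-btrfs.*/` rules added here carry no `owner` qualifier, unlike the `owner /tmp/...` rules the gpg profile in this same patch uses, so a directory of that name pre-created in the world-writable /tmp by any local user is listable by grub-mkrelpath as well. The access is read-only directory listing, so the exposure is small, but since the tool runs as root and the grub-btrfs temporary directory is presumably root-created (confirm), `owner /tmp/grub-btrfs.*/ r,` and `owner /tmp/grub-btrfs.*/@snapshots/[0-9]*/snapshot/boot/ r,` would match the same legitimate accesses. `/boot/grub/themes/{,**} r,` is also added to grub-probe in the next hunk; the profile body continues outside the hunk.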
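Review bot: Adding `flags=(attach_disconnected)` on the `profile mullvad-gui` line changes how every path rule in the profile applies: objects whose path is disconnected from the process's namespace (files reached through another mount namespace, or inside deleted directories) are attached to the namespace root before matching, so rules such as `/tmp/...` and `@{run}/...` elsewhere in the profile now also cover those objects. Nothing in the hunk records which denial required this; a one-line comment above the profile line naming the triggering case (presumably the Chromium sandbox helper — confirm from the log) would stop the flag from outliving its reason. The second hunk of this file adds `@{run}/systemd/inhibit/*.ref rw,` and `@{sys}/devices/system/cpu/** r,` with the same lack of context.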
@@ -48,6 +48,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
   @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/mountinfo r,
   @{PROC}/@{pids}/oom_score_adj rw,
   @{PROC}/sys/net/core/somaxconn r,
 
diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules
index 78ba55bd..7de0a43e 100644
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@@ -23,7 +23,7 @@ profile augenrules @{exec_path} {
   /{usr/,}bin/mktemp rix,
   /{usr/,}bin/rm rix,
 
-  /etc/audit/audit.rules r,
+  /etc/audit/audit.rules rw,
   /etc/audit/rules.d/ r,
 
   owner /tmp/aurules.* rw,
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober
index 2d54eb27..47cedbe0 100644
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@@ -52,9 +52,9 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
   @{MOUNTS}/ r,
 
   / r,
-  /boot/ r,
-  /boot/EFI/ r,
-  /boot/EFI/*/ r,
+  /boot/{efi/,} r,
+  /boot/{efi/,}EFI/ r,
+  /boot/{efi/,}EFI/*/ r,
 
   owner /tmp/os-prober.*/{,**} rw,
 
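Review bot: `@{PROC}/@{pids}/mountinfo r,` grants read access to the mount table of every process on the host, not only the shim's own, because it uses `@{pids}` rather than `@{pid}`; the neighbouring `cgroup` and `oom_score_adj` rules already take that shape, so it is consistent, but mountinfo of unrelated processes exposes the host's and other containers' mount layout. If the reads are only for the container processes the shim spawns (presumably — confirm from the denial), `@{pids}` is required and a comment such as `# mountinfo of the container's processes` would document the width; otherwise `@{PROC}/@{pid}/mountinfo r,` is the narrower form. The profile body continues outside the hunk.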