From dd1d9107e8c5c52bfe5a56ed154357603ccf8469 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 3 Dec 2023 16:57:50 +0000 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/apt/apt | 4 ++-- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 10 ++++++++++ apparmor.d/groups/gnome/gnome-shell | 3 ++- apparmor.d/groups/gnome/gnome-terminal-server | 5 ++++- apparmor.d/groups/systemd/systemd-logind | 1 + apparmor.d/groups/systemd/systemd-networkd | 3 ++- apparmor.d/groups/ubuntu/apport | 13 +++++++++---- apparmor.d/groups/ubuntu/apport-checkreports | 4 +++- apparmor.d/profiles-a-f/e2scrub_all | 1 + apparmor.d/profiles-s-z/snap | 4 ++-- apparmor.d/profiles-s-z/spice-vdagent | 3 ++- apparmor.d/profiles-s-z/wpa-supplicant | 3 ++- 13 files changed, 41 insertions(+), 15 deletions(-) diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 20815485..c8bd6a76 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -12,12 +12,12 @@ profile apt @{exec_path} flags=(attach_disconnected) { include include include - include include + include include - include include include + include capability chown, capability dac_override, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 7dfcbbf5..b7188753 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -24,7 +24,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { dbus bind bus=session name=org.freedesktop.portal.Desktop, dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.portal.Settings + interface=org.freedesktop.portal.Settings, dbus (send, receive) bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties peer=(name=:*), 
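Review bot: The `,` added after `interface=org.freedesktop.portal.Settings` terminates a rule that previously ran straight into the following `dbus (send, receive)` line, so this is a parse fix rather than a policy change; the rule it completes, though, carries no `peer=` qualifier, so any session-bus client may send to and receive from the Settings interface at the portal's path. The sibling `org.freedesktop.DBus.Properties` rule in the same hunk at least pins `peer=(name=:*)`; either add the same qualifier here for consistency or record why it is left open, e.g. `# Settings is meant to be readable by every sandboxed app, hence no peer restriction` — that intent is inferred, so confirm it. The profile body continues outside the hunk.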
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index ee671f95..3c1fb4fa 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -91,6 +91,9 @@ profile gnome-extension-ding @{exec_path} { /usr/share/thumbnailers/{,*.thumbnailer} r, /usr/share/X11/{,**} r, + /etc/pulse/client.conf r, + /etc/pulse/client.conf.d/{,*} r, + /var/lib/snapd/desktop/icons/{,**} r, owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r, @@ -98,6 +101,13 @@ profile gnome-extension-ding @{exec_path} { owner @{user_share_dirs}/nautilus/scripts/ r, + owner @{user_config_dirs}/pulse/cookie rk, + + /dev/shm/ r, + + owner @{run}/user/@{uid}/pulse/ r, + owner @{run}/user/@{uid}/pulse/native rw, + owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 188e97a4..d7d01365 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -58,7 +58,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding), unix (send,receive) type=stream addr=none peer=(label=xkbcomp), unix (send,receive) type=stream addr=none peer=(label=xwayland), - unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), + unix (send,receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon), dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -584,6 +584,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + /tmp/dbus-@{rand8} rw, owner /tmp/.X[0-9]-lock rw, owner /tmp/[0-9A-Z]*.shell-extension.zip rw, owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw, 
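Review bot: `/etc/pulse/client.conf.d/{,*} r,` matches only the top level of the drop-in directory, whereas the same rule in gnome-terminal-server in this very patch reads `/etc/pulse/client.conf.d/{,**} r,`; the two profiles should agree, and `{,*}` is the tighter form if nested drop-ins are never needed. Together with the owner cookie and `@{run}/user/@{uid}/pulse/` rules added in the next hunk, the PulseAudio client set is now restated verbatim in two profiles, which usually means it belongs in a shared abstraction — if the project already has an audio-client abstraction, an `include` of it would replace these lines. The profile continues outside the hunk.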
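Review bot: `/tmp/dbus-@{rand8} rw,` is the only rule in this hunk without `owner`: its neighbours `owner /tmp/.X[0-9]-lock rw,` and `owner /tmp/[0-9A-Z]*.shell-extension.zip rw,` are owner-qualified, and /tmp is world-writable, so as written gnome-shell may open a `dbus-XXXXXXXX` socket or file that another uid planted under that name. Unless the denial came from a socket owned by a different uid (the gdm greeter session would be the case to check), tighten it to `owner /tmp/dbus-@{rand8} rw,`. The profile continues outside the hunk.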
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index f7d7f59c..8461112c 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -57,8 +57,10 @@ profile gnome-terminal-server @{exec_path} {
 /etc/pulse/client.conf.d/{,**} r,
 /etc/shells r,
+ owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
+ owner @{user_config_dirs}/*xdg-terminals.list* rw,
- owner @{user_config_dirs}/pulse/cookie r,
+ owner @{user_config_dirs}/pulse/cookie rk,
 owner @{run}/user/@{uid}/pulse/ r,
 owner @{run}/user/@{uid}/pulse/native rw,
@@ -67,6 +69,7 @@ profile gnome-terminal-server @{exec_path} {
 @{PROC}/@{pids}/cgroup r,
 /dev/ptmx rw,
+ /dev/shm/ r,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index 62319b44..7b44494a 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -126,6 +126,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/devices/virtual/tty/tty[0-9]*/active r,
 @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
 @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
+ @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
 @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
 @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
 @{sys}/fs/cgroup/memory.max r,
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 6c8099fc..390a8e86 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -14,8 +14,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
 include
 capability net_admin,
- capability net_raw,
 capability net_bind_service,
+ capability net_broadcast,
+ capability net_raw,
 network inet dgram,
 network inet6 dgram,
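Review bot: `owner @{user_config_dirs}/*xdg-terminals.list* rw,` is wider than it needs to be: the leading and trailing `*` let the rule match any file directly under the config directory whose name merely contains `xdg-terminals.list`, not just the list and its temporary. If the wildcards exist only for the `xdg-terminals.list.XXXXXX` temporary that an atomic rewrite creates (inferred from the name; check the denial that prompted it), `owner @{user_config_dirs}/xdg-terminals.list{,.??????} rw,` covers that without the prefix wildcard. The `rk` upgrade on the pulse cookie matches what gnome-extension-ding gets in this patch, which is consistent; the profile continues outside the hunk.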
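Review bot: `capability net_broadcast,` is worth double-checking before it lands: capabilities(7) lists CAP_NET_BROADCAST as unused by the kernel, so it is unlikely to have come from an audit denial and looks more like a copy of the unit's CapabilityBoundingSet. The profile header in the hunk context still carries `complain`, so neither this nor the re-sorted `net_raw` is enforced yet, which makes it easy for an unneeded grant to go unnoticed. If the capability is kept, a comment such as `# net_broadcast: mirrors the unit's bounding set, not observed in a denial` would save the next reader the same question.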
diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index d68fa71d..91dafb2a 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -16,6 +16,8 @@ profile apport @{exec_path} { capability fsetid, + ptrace (read) peer=snap.cups.cupsd, + @{exec_path} mr, /usr/share/apport/ r, @@ -23,10 +25,13 @@ profile apport @{exec_path} { /var/crash/ rw, owner /var/log/apport.log rw, - @{PROC}/sys/fs/suid_dumpable w, - @{PROC}/sys/kernel/core_pattern r, - @{PROC}/sys/kernel/core_pattern w, - @{PROC}/sys/kernel/core_pipe_limit w, + @{run}/apport.lock rwk, + + @{PROC}/sys/fs/suid_dumpable w, + @{PROC}/sys/kernel/core_pattern r, + @{PROC}/sys/kernel/core_pattern w, + @{PROC}/sys/kernel/core_pipe_limit w, + owner @{PROC}/@{pid}/stat r, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index d1c9a8c2..f13fca37 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -7,7 +7,7 @@ abi , include @{exec_path} = /usr/share/apport/apport-checkreports -profile apport-checkreports @{exec_path} { +profile apport-checkreports @{exec_path} flags=(attach_disconnected) { include include include @@ -27,5 +27,7 @@ profile apport-checkreports @{exec_path} { /var/crash/ r, + @{run}/apport.lock rwk, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index 49cbf0d3..5cf979b0 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -10,6 +10,7 @@ include profile e2scrub_all @{exec_path} flags=(attach_disconnected) { include include + include capability sys_admin, capability sys_rawio, diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 2972c8e8..099e9bb0 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap 
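Review bot: `ptrace (read) peer=snap.cups.cupsd,` hard-codes a single snap label, which reads like a rule lifted from one audit entry: apport is the core handler for whatever process crashes, so the next crash under any other confined label will hit the same denial. Whether to generalise it is a security decision rather than a tidy-up — `ptrace (read)` is what gates reads of the peer's `/proc/PID/{maps,environ,auxv,...}`, so a broader `ptrace (read) peer=snap.*,` widens what apport may read about every snap process — so either broaden it deliberately or add a comment saying why cupsd alone is covered, e.g. `# cupsd is the only snap-confined service whose crashes apport is expected to handle here`. The profile continues outside the hunk.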
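Review bot: `flags=(attach_disconnected)` is added to the apport-checkreports profile header without anything in the hunk showing which disconnected path triggered it. The flag is a loosening — roughly, a file whose path is detached from the namespace root is re-attached at `/` and then matched against the ordinary file rules, so an object from an unrelated mount namespace can satisfy rules written for the real paths. Record the trigger above the header, e.g. `# attach_disconnected: <path> reported disconnected when apport-checkreports runs from the timer`, or drop the flag if the denial was in fact the lock file now granted by `@{run}/apport.lock rwk,` in the next hunk. The profile body continues outside the hunk.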
@@ -50,8 +50,8 @@ profile snap @{exec_path} {
 @{bin}/systemctl rPx -> child-systemctl,
 /snap/{,**} rw,
- /snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx,
- @{lib}/snapd/snap-confine rPx,
+ /snap/snapd/@{int}/usr/lib/snapd/snap-confine rPx -> /snap/snapd/@{int}/usr/lib/snapd/snap-confine,
+ @{lib}/snapd/snap-confine rPx -> /usr/lib/snapd/snap-confine,
 @{lib_dirs}/snapd/snap-seccomp rPx,
 @{lib_dirs}/snapd/snapd rPx,
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index d988ffc4..512b444d 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -51,7 +51,8 @@ profile spice-vdagent @{exec_path} {
 owner @{user_config_dirs}/user-dirs.dirs r,
- @{run}/spice-vdagentd/spice-vdagent-sock rw,
+ @{run}/spice-vdagentd/spice-vdagent-sock rw,
+ owner @{run}/user/@{uid}/pipewire-@{int} rw,
 @{sys}/devices/@{pci}/{device,vendor} r,
diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant
index 941d64f6..ddcdab8b 100644
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@@ -23,8 +23,9 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
 capability net_raw,
 capability sys_module,
- network packet raw,
+ network netlink raw,
 network packet dgram,
+ network packet raw,
 dbus bind bus=system name=fi.w1.wpa_supplicant1,
 dbus receive bus=system path=/fi/w1/wpa_supplicant1
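Review bot: The two `rPx -> …` targets name profiles this project does not define — `/usr/lib/snapd/snap-confine` and `/snap/snapd/@{int}/usr/lib/snapd/snap-confine` are, as far as I can tell, the names of the profiles snapd itself installs and regenerates per snapd revision — and a named `Px` transition to a profile that is not loaded makes the exec fail rather than fall back to anything. That is the right hardening for a setuid helper like snap-confine, but it creates a dependency on snapd's own policy and on the exact spelling of those names, which a comment above the rules should state, e.g. `# Named transitions to snapd's own snap-confine profiles (shipped by snapd, not this project); exec fails if they are not loaded`. The profile continues outside the hunk.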