From e28f5a3bb4c54a7698495fa058b74b71c5464789 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 21 May 2022 17:25:31 +0100
Subject: [PATCH] feat(profiles): general update.

---
 apparmor.d/groups/apt/unattended-upgrade | 38 ++++++++++++++++------
 apparmor.d/groups/gvfs/gvfsd | 1 +
 apparmor.d/groups/network/nm-dhcp-helper | 1 +
 apparmor.d/groups/pacman/mkinitcpio | 8 ++++-
 apparmor.d/groups/pacman/pacman-conf | 1 +
 apparmor.d/groups/systemd/systemd-localed | 1 +
 apparmor.d/groups/systemd/systemd-tmpfiles | 2 ++
 apparmor.d/profiles-g-l/logrotate | 1 -
 8 files changed, 41 insertions(+), 12 deletions(-)

diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index f0bf9ab9..787333c6 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -7,30 +7,43 @@
 abi ,
 include
 
 @{exec_path} = /{usr/,}bin/unattended-upgrade
-profile unattended-upgrade @{exec_path} {
+profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   include
   include
+  include
   include
+  include
 
   capability chown,
   capability dac_override,
   capability dac_read_search,
+  capability fsetid,
   capability kill,
+  capability net_admin,
   capability setgid,
   capability setuid,
   capability sys_nice,
 
+  network netlink raw,
+
   @{exec_path} mr,
 
   /{usr/,}bin/ r,
-  /{usr/,}{s,}bin/on_ac_power rPx,
-  /{usr/,}bin/dpkg rPx,
-  /{usr/,}bin/lsb_release rPx -> lsb_release,
-  /{usr/,}bin/python3.[0-9]* rix,
-  /{usr/,}bin/uname rix,
-  /{usr/,}lib/apt/methods/http{,s} rPx,
+  /{usr/,}{s,}bin/dpkg-preconfigure rPx,
+  /{usr/,}{s,}bin/on_ac_power rPx,
+  /{usr/,}{s,}bin/sendmail rPUx,
+  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/apt-listchanges rPx,
+  /{usr/,}bin/dpkg rPx,
+  /{usr/,}bin/etckeeper rPx,
+  /{usr/,}bin/lsb_release rPx -> lsb_release,
+  /{usr/,}bin/python3.[0-9]* rix,
+  /{usr/,}bin/uname rix,
+  /{usr/,}lib/apt/methods/http{,s} rPx,
+  /{usr/,}lib/needrestart/apt-pinvoke rPx,
 
+  /usr/share/distro-info/* r,
   /usr/share/dpkg/*table r,
 
   /etc/apt/*.list r,
@@ -50,11 +63,16 @@ profile unattended-upgrade @{exec_path} {
   /var/lib/dpkg/status r,
   /var/lib/dpkg/updates/ r,
 
-  /var/cache/apt/archives/{,**} rw,
-  /var/cache/apt/pkgcache.bin r,
+  /var/cache/apt/{,**} rwk,
+  /var/lib/apt/extended_states{,.*} rw,
+  /var/log/apt/{term,history}.log w,
+  /var/log/apt/eipp.log.xz w,
 
-  owner @{run}/unattended-upgrades.pid rw,
   owner @{run}/unattended-upgrades.lock rwk,
+  owner @{run}/unattended-upgrades.pid rw,
+  owner @{run}/unattended-upgrades.progress rw,
+  @{run}/systemd/inhibit/[0-9]*.ref rw,
+  @{run}/resolvconf/resolv.conf r,
 
   owner /tmp/#[0-9]* rw,
 
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index 1372f8ff..701adf2b 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
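Review bot: `/{usr/,}{s,}bin/sendmail rPUx,` is the one rule in this hunk that can leave confinement entirely: the `U` fallback runs sendmail unconfined as root whenever no sendmail profile is loaded, in a profile that in the same hunk gains `capability net_admin`, `network netlink raw,` and a shell that inherits every one of these rights (`/{usr/,}bin/{,ba,da}sh rix,`). Either ship a sendmail profile and use `rPx`, or add a comment next to the rule stating that unconfined mail delivery is accepted and why. The new capabilities carry no justification; a comment such as `# net_admin + netlink raw: network-state probing before fetching` (confirm the actual trigger from the audit log rather than from this guess) would keep a later cleanup from widening or dropping them blindly. The profile block continues past the end of the hunk.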
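Review bot: `/var/cache/apt/{,**} rwk,` widens the old `archives/{,**} rw` plus read-only `pkgcache.bin` into write-and-lock on the whole cache tree, including the binary caches apt reads back on its next run. If the lock file and the cache rebuild are the real needs, `/var/cache/apt/{,archives/}lock rwk,`, `/var/cache/apt/*.bin rw,` and `/var/cache/apt/archives/{,**} rw,` express them without the catch-all. Whether this process itself regenerates `*.bin` is inferred here, not visible in the hunk, so verify against the audit log before narrowing. The profile block continues past the end of the hunk.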
@@ -20,6 +20,7 @@ profile gvfsd @{exec_path} {
   /usr/share/gvfs/{,**} r,
 
+  owner @{run}/user/@{uid}/bus rw,
   owner @{run}/user/@{uid}/gvfs/ rw,
   owner @{run}/user/@{uid}/gvfsd/ rw,
diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper
index 085b4af3..18fa79ff 100644
--- a/apparmor.d/groups/network/nm-dhcp-helper
+++ b/apparmor.d/groups/network/nm-dhcp-helper
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/nm-dhcp-helper
 profile nm-dhcp-helper @{exec_path} {
   include
+  include
 
   network inet dgram,
   network inet6 dgram,
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio
index fcb8da5f..644d7408 100644
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@@ -54,6 +54,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/{kmod,lsmod} rPx,
   /{usr/,}bin/{modinfo,rmmod} rPx,
   /{usr/,}bin/modprobe rPx,
+  /{usr/,}bin/plymouth rPx,
+  /{usr/,}bin/plymouth-set-default-theme rPx,
   /{usr/,}lib/initcpio/busybox rix,
   /{usr/,}lib{,32,64}/ld-*.so* rix,
@@ -64,16 +66,20 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   /etc/mkinitcpio.conf r,
   /etc/mkinitcpio.d/{,**} r,
   /etc/modprobe.d/{,*} r,
+  /etc/plymouth/plymouthd.conf r,
   /etc/vconsole.conf r,
 
   /usr/share/kbd/keymaps/{,**} r,
+  /usr/share/plymouth/plymouthd.defaults r,
+  /usr/share/plymouth/themes/{,**} r,
   /usr/share/terminfo/x/xterm-256color r,
 
   # Can copy any program to the initframs
   /{usr/,}bin/ r,
   /{usr/,}bin/[a-z0-9]* rm,
-  /{usr/,}lib/udev/[a-z0-9]* rm,
+  /{usr/,}lib/plymouth/plymouthd-* rm,
   /{usr/,}lib/systemd/systemd-* rm,
+  /{usr/,}lib/udev/[a-z0-9]* rm,
 
   # Manage /boot
   / r,
diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf
index 4948c064..517637e3 100644
--- a/apparmor.d/groups/pacman/pacman-conf
+++ b/apparmor.d/groups/pacman/pacman-conf
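Review bot: `owner @{run}/user/@{uid}/bus rw,` is the session-bus socket path that the `abstractions/dbus-session-strict` abstraction is expected to grant together with the matching `unix` connect rule (confirm against the installed abstraction); if gvfsd already includes that abstraction — its include block is outside the hunk — this rule is redundant, and if it does not, the abstraction is the conventional way to add session-bus access rather than a bare path rule. Prefer the `include` over the path rule, or add `# raw session-bus socket only; dbus abstraction intentionally not pulled in` if the bare rule is deliberate. The profile block continues past the end of the hunk.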
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/pacman-conf
 profile pacman-conf @{exec_path} flags=(attach_disconnected) {
   include
+  include
 
   network inet stream,
   network inet6 stream,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 65832bbd..c3a3e304 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -11,6 +11,7 @@ include
 profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   include
   include
+  include
   include
 
   # Needed?
diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles
index 3eee8648..07f1a181 100644
--- a/apparmor.d/groups/systemd/systemd-tmpfiles
+++ b/apparmor.d/groups/systemd/systemd-tmpfiles
@@ -39,6 +39,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   /dev/{,**} rw,
   /etc/{,**} r,
   /home/ rw,
+  /opt/{,**} rw,
   /run/{,**} rw,
   /srv/{,**} rw,
   /tmp/{,**} rwk,
@@ -50,6 +51,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   @{PROC}/@{pid}/net/unix r,
   @{PROC}/1/cmdline r,
+  @{PROC}/sched_debug w,
 
   deny /apparmor/.null rw,
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index 073dc510..8a5aef04 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -20,7 +20,6 @@ profile logrotate @{exec_path} flags=(attach_disconnected, complain) {
   capability setgid,
   capability setuid,
 
-  # Needed?
   audit deny capability net_admin,
 
   signal (send) set=(hup),