From e927145edb6d5bb8c26948c3108f04ab241cb26a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 31 Mar 2023 16:52:35 +0100
Subject: [PATCH] feat(profiles): general update.

---
 apparmor.d/abstractions/deny-sensitive-home | 1 +
 apparmor.d/groups/freedesktop/xdg-user-dirs-update | 3 +++
 apparmor.d/groups/gnome/gsd-housekeeping | 1 +
 apparmor.d/groups/systemd/systemd-logind | 3 ++-
 apparmor.d/groups/systemd/systemd-machine-id-setup | 6 ++++++
 apparmor.d/profiles-a-f/fwupd | 4 +++-
 apparmor.d/profiles-g-l/groups | 6 +++++-
 apparmor.d/profiles-g-l/login | 8 ++++++--
 apparmor.d/profiles-m-r/mission-control | 2 ++
 apparmor.d/profiles-m-r/qemu-ga | 2 ++
 10 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home
index ad49264c..ebe3ca39 100644
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@@ -13,6 +13,7 @@ deny @{HOME}/.*_history rwlk,
 deny @{HOME}/.*age*{,/{,**}} rwlk,
+ deny @{HOME}/.*aws*{,/{,**}} rwkl,
 deny @{HOME}/.*cert*{,/{,**}} rwlk,
 deny @{HOME}/.*key*{,/{,**}} rwlk,
 deny @{HOME}/.*pass*{,/{,**}} rwlk,
diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
index 78194b45..1c63d934 100644
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update
@@ -15,6 +15,7 @@ profile xdg-user-dirs-update @{exec_path} {
 /etc/xdg/user-dirs.conf r,
 /etc/xdg/user-dirs.defaults r,
+ /var/lib/gdm{3,}/.config/ rw,
 /var/lib/gdm{3,}/.config/user-dirs.dirs{,*} rw,
 /var/lib/gdm{3,}/.config/user-dirs.locale rw,
 /var/lib/gdm{3,}/@{XDG_DESKTOP_DIR}/ rw,
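Review bot: The added `deny @{HOME}/.*aws*{,/{,**}} rwkl,` spells its permission set `rwkl` while every neighbouring deny rule in this hunk uses `rwlk`; the two sets are identical, but the line breaks the file's convention and will keep standing out in future diffs. Change it to `deny @{HOME}/.*aws*{,/{,**}} rwlk,`. The glob matches any dotfile or dot-directory whose name contains `aws`, which is consistent with the sibling `.*cert*` and `.*key*` patterns.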
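Review bot: `/var/lib/gdm{3,}/.config/ rw,` grants write access to the display manager's configuration directory itself, not just to the `user-dirs.*` entries already listed, and the hunk does not record why; the same applies to `/var/lib/sddm/.config/ rw,` in the next hunk. On a directory path `w` primarily covers creating or removing that directory, so this presumably serves a first run where the gdm or sddm user has no `.config` yet — a comment such as `# directory is created on the DM user's first run — TODO confirm from the denial` above each rule would let the next reader verify that instead of guessing. The profile body continues outside the hunk.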
@@ -26,6 +27,7 @@ profile xdg-user-dirs-update @{exec_path} {
 /var/lib/gdm{3,}/@{XDG_TEMPLATES_DIR}/ rw,
 /var/lib/gdm{3,}/@{XDG_VIDEOS_DIR}/ rw,
+ /var/lib/sddm/.config/ rw,
 /var/lib/sddm/.config/user-dirs.dirs{,*} rw,
 /var/lib/sddm/.config/user-dirs.locale rw,
 /var/lib/sddm/@{XDG_DESKTOP_DIR}/ rw,
@@ -48,6 +50,7 @@ profile xdg-user-dirs-update @{exec_path} {
 owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
 owner @{user_config_dirs}/user-dirs.dirs r,
+ owner @{user_config_dirs}/user-dirs.dirs?????? rw,
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index 057690b6..b032eb17 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -74,6 +74,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/.config/dconf/user r,
 /var/lib/gdm{3,}/greeter-dconf-defaults r,
+ owner @{PROC}/@{pids}/cgroup r,
 owner @{PROC}/@{pids}/mountinfo r,
 @{run}/mount/utab r,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index a8be8aca..f06e5893 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -67,8 +67,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 /etc/systemd/sleep.conf r,
 /etc/systemd/logind.conf.d/{,**} r,
- /swapfile r,
 /boot/{,**} r,
+ /swap/swapfile r,
+ /swapfile r,
 /var/lib/systemd/linger/ r,
diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup
index b5124c60..0e581cbb 100644
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
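Review bot: `owner @{user_config_dirs}/user-dirs.dirs?????? rw,` admits any six characters after the file name and the hunk does not say what creates such a file; if it is a mkstemp-style temporary that the tool later renames over `user-dirs.dirs`, the rule is right but should say so, e.g. `# temporary file (mkstemp template) renamed over user-dirs.dirs — TODO confirm`. In that case the existing `owner @{user_config_dirs}/user-dirs.dirs r,` line looks insufficient, because AppArmor also requires `w` on the rename target, so it would need to become `rw` as the gdm/sddm `user-dirs.dirs{,*} rw,` lines already are — check the denial log before widening it. The enclosing profile continues outside the hunk.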
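Review bot: `owner @{PROC}/@{pids}/cgroup r,` opens the cgroup file of every process with the same uid, mirroring the `mountinfo` line beneath it; if the daemon only inspects its own cgroup, `owner @{PROC}/@{pid}/cgroup r,` is the tighter rule, and the denial that motivated the line should show which pid was read. Whichever form stays, a short comment naming the consumer (`# housekeeping checks read the process cgroup — TODO confirm`) would stop the two `/proc` rules from being trimmed later as unexplained. The profile body continues beyond the hunk.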
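Review bot: `/swap/swapfile r,` and `/swapfile r,` enumerate two fixed locations of the same object and the commit does not say why logind reads swap files at all; a single `/{swap/,}swapfile r,` (the brace alternation the project already uses in `/{usr/,}bin`) keeps them together, and a comment such as `# swap file lookup for hibernation — TODO confirm` would record the purpose. Any other swap file path will still produce denials, which the `complain` flag in the hunk header currently only logs. The profile body continues outside the hunk.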
@@ -13,10 +13,16 @@ profile systemd-machine-id-setup @{exec_path} {
 capability dac_override,
+ ptrace (read),
+ @{exec_path} mr,
 /etc/machine-id rw,
+ /etc/ r,
+ /var/ r,
+ @{PROC}/1/environ r,
+ @{PROC}/sys/kernel/osrelease r,
 owner @{PROC}/@{pid}/stat r,
 include if exists
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index f7e1c9ec..08336060 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -150,11 +150,13 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 /{usr/,}bin/gpg{,2} mr,
 /{usr/,}bin/gpgconf mr,
 /{usr/,}bin/gpgsm mr,
- /{usr/,}bin/gpg-agent mr,
+ /{usr/,}bin/gpg-agent mrix,
 owner /var/lib/fwupd/gnupg/ rw,
 owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
+ owner @{PROC}/@{pids}/fd/ r,
+ }
 include if exists
diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups
index b7c74d74..ce910068 100644
--- a/apparmor.d/profiles-g-l/groups
+++ b/apparmor.d/profiles-g-l/groups
@@ -10,9 +10,13 @@ include
 profile groups @{exec_path} {
 include
 include
- include
 @{exec_path} mr,
+ /etc/group r,
+ /etc/nsswitch.conf r,
+
+ /dev/tty[0-9]* rw,
+ include if exists
 }
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index d99a78d2..cdc7f469 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -20,6 +20,7 @@ profile login @{exec_path} flags=(attach_disconnected) {
 capability dac_read_search,
 capability fowner,
 capability fsetid,
+ capability kill,
 capability net_admin,
 capability setgid,
 capability setuid,
@@ -28,6 +29,8 @@ profile login @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ signal (send) set=(hup,term),
+ ptrace read,
 dbus send bus=system path=/org/freedesktop/login1
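Review bot: `ptrace (read),` carries no `peer=` qualifier, so the profile may read the state of any process on the system, while the only target the hunk shows is PID 1 via `@{PROC}/1/environ r,` (reading another process's `environ` is what triggers the ptrace-read check). If init is the only peer, `ptrace (read) peer=unconfined,` — the form the qemu-ga hunk further down already uses, assuming PID 1 runs unconfined on the target systems — narrows the rule considerably; confirm from the denial. The `environ` read presumably serves container detection through the `container=` variable in PID 1's environment, which deserves a one-line comment so it is not dropped later as excessive. The profile continues beyond the hunk.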
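Review bot: Changing `/{usr/,}bin/gpg-agent mr,` to `mrix,` runs gpg-agent inside the fwupd profile, so the agent inherits every rule fwupd has — and, since the header shows `flags=(complain,attach_disconnected)`, everything complain mode tolerates — rather than a profile sized for a process that handles key material. If gpg-agent is only started to verify signatures against `/var/lib/fwupd/gnupg/`, a `Cx` child profile or a `Px` transition to a dedicated gpg-agent profile confines it more tightly; if `ix` must stay, record the reason in a comment above the line. Separately, `owner @{PROC}/@{pids}/fd/ r,` covers the fd tables of every same-uid process, whereas `@{pid}` suffices if only the process's own table is listed — check the denial. The added `}` closes a block that begins outside the hunk.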
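Review bot: The removed `include` line (its target is not visible on this page) is replaced by literal `/etc/group r,` and `/etc/nsswitch.conf r,`, which only serves the `files` backend of NSS; if the dropped include was the nameservice abstraction, hosts resolving groups through `sss`, `ldap` or the systemd userdb sockets will now see denials. Either keep that include or add a comment stating that the profile deliberately covers the `files` backend only. `/dev/tty[0-9]* rw,` is presumably the stdio inherited from a console login; if so, `# stdio inherited from a VT login` above it explains why a read-only tool has write access to consoles. The profile's opening `profile groups @{exec_path} {` and closing `}` are both inside the hunk.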
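Review bot: `capability kill,` lets login signal processes of any uid, and the `signal (send) set=(hup,term),` rule in the following hunk has no `peer=` restriction, so together they allow HUP/TERM to every process on the system; if the intended target is the session's own children or a previous session leader, a `peer=` on the signal rule narrows this — confirm from the denial. A comment on the capability line such as `# signal the previous session on re-login — TODO confirm` would record why login needs it. The capability list continues on both sides of the hunk.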
@@ -38,13 +41,14 @@ profile login @{exec_path} flags=(attach_disconnected) {
 /{usr/,}bin/{,z,ba,da}sh rUx,
- /etc/default/locale r,
 @{etc_ro}/environment r,
+ @{etc_ro}/security/limits.d/{,*} r,
+ /etc/default/locale r,
 /etc/legal r,
+ /etc/machine-id r,
 /etc/motd r,
 /etc/security/group.conf r,
 /etc/security/limits.conf r,
- @{etc_ro}/security/limits.d/{,*} r,
 /etc/security/pam_env.conf r,
 /etc/shells r,
diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control
index 15371e90..c0ebacb9 100644
--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
@@ -20,6 +20,8 @@ profile mission-control @{exec_path} flags=(attach_disconnected) {
 owner @{user_share_dirs}/telepathy/mission-control/*.cfg r,
+ owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk,
+ @{run}/systemd/inhibit/[0-9]*.ref rw,
 include if exists
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga
index 0ca3736f..966e2a05 100644
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@@ -14,6 +14,8 @@ profile qemu-ga @{exec_path} {
 capability net_admin,
 capability sys_ptrace,
+ network netlink raw,
+ ptrace peer=unconfined,
 @{exec_path} mr,
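Review bot: The hunk re-sorts `/etc/default/locale r,` and `@{etc_ro}/security/limits.d/{,*} r,` but leaves the list mixing literal `/etc/` with `@{etc_ro}` for the same kind of read-only configuration — `/etc/security/limits.conf r,` a few lines below uses the plain path while its `limits.d` sibling uses the variable. Assuming `@{etc_ro}` is the tunable for read-only `/etc` lookups, rewriting the neighbours (`@{etc_ro}/security/limits.conf r,`, `@{etc_ro}/default/locale r,`) keeps the block consistent; if the distinction is deliberate, a comment should say which paths may be relocated. The added `/etc/machine-id r,` is harmless but also deserves a word on what consumes it. The file list continues outside the hunk.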
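Review bot: `accounts.db{,-shm,-wal}` covers only SQLite's WAL mode; if libaccounts-glib opens the database in the default rollback-journal mode the write goes to `accounts.db-journal` and is denied, so `owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-journal,-shm,-wal} rwk,` is the safer glob. `@{run}/systemd/inhibit/[0-9]*.ref rw,` has no `owner` qualifier, presumably because these are the inhibitor lock files logind creates and hands out as descriptors, so `owner` cannot apply — that is worth a comment such as `# inhibitor lock fd received from logind — TODO confirm`, otherwise the next reviewer will try to add `owner` and break it. The profile ends outside the hunk.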