From eddf6bfc4fbd6352a37465fc4e811654e22b3f2c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 8 Oct 2022 13:13:44 +0100
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/abstractions/totem | 5 +++--
 apparmor.d/groups/bus/ibus-engine-table | 2 --
 apparmor.d/groups/freedesktop/pipewire | 9 +++++----
 apparmor.d/groups/freedesktop/pipewire-pulse | 1 +
 apparmor.d/groups/freedesktop/update-desktop-database | 8 ++++----
 apparmor.d/groups/gnome/gnome-shell | 5 ++---
 apparmor.d/groups/systemd/journalctl | 4 +++-
 apparmor.d/groups/systemd/systemd-machine-id-setup | 2 ++
 apparmor.d/groups/systemd/systemd-mount | 2 ++
 apparmor.d/groups/systemd/userdbctl | 4 +++-
 apparmor.d/profiles-a-f/code-git-editor | 2 ++
 apparmor.d/profiles-s-z/sbctl | 2 +-
 apparmor.d/profiles-s-z/vlc-cache-gen | 2 ++
 13 files changed, 30 insertions(+), 18 deletions(-)
diff --git a/apparmor.d/abstractions/totem b/apparmor.d/abstractions/totem
index c14ff3d0..41da792a 100644
--- a/apparmor.d/abstractions/totem
+++ b/apparmor.d/abstractions/totem
@@ -40,7 +40,6 @@
 owner @{user_config_dirs}/totem/** rwk,
 owner @{user_share_dirs}/grilo-plugins/ rwk,
 owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
- owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 owner @{user_share_dirs}/totem/ rwk,
 owner @{user_share_dirs}/tracker/data/tracker-store.journal rwk,
@@ -50,6 +49,8 @@
 @{run}/udev/data/+drm:card* r,
 @{run}/udev/data/+usb* r,
- /sys/devices/system/node/*/meminfo r,
+ @{sys}/devices/system/node/*/meminfo r,
+
+ deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 include if exists
\ No newline at end of file
diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table
index 9e110491..395f89f9 100644
--- a/apparmor.d/groups/bus/ibus-engine-table
+++ b/apparmor.d/groups/bus/ibus-engine-table
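Review bot: The new `deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,` rule carries no comment saying why the access is now explicitly denied instead of simply dropped, and an explicit `deny` also suppresses the audit log entry, so a future legitimate need for that directory would fail silently. Suggest `# Silencer: gvfs metadata is probed but not needed` above the rule (adjust the reason if it differs), or `audit deny` if the denial should stay visible in the log. The same rule is removed from `gnome-shell` later in this patch; unless gnome-shell includes this abstraction, which is not visible here, that profile's access will now surface as a plain logged denial. The file still ends without a trailing newline (`\ No newline at end of file`); worth fixing while touching it.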
@@ -13,7 +13,5 @@ profile ibus-engine-table @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/python3.[0-9]* rix,
-
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index 46c7cd73..1c3864ff 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -29,15 +29,18 @@ profile pipewire @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/pipewire-media-session rPx,
+ /{usr/,}bin/pactl rPx,
+ /{usr/,}bin/pipewire-media-session rPx,
- /usr/share/pipewire/pipewire.conf r,
+ /usr/share/pipewire/pipewire*.conf r,
 /etc/pipewire/client.conf r,
 /etc/pipewire/pipewire-pulse.conf.d/{,*} r,
 /etc/pipewire/pipewire.conf r,
 /etc/pipewire/pipewire.conf.d/{,*} r,
+ / r,
+
 owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
 @{sys}/devices/virtual/dmi/id/product_name r,
@@ -45,8 +48,6 @@ profile pipewire @{exec_path} {
 @{sys}/devices/virtual/dmi/id/board_vendor r,
 @{sys}/devices/virtual/dmi/id/bios_vendor r,
- / r,
-
 /dev/video[0-9]* rw,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse
index af39a1a9..c495a8d9 100644
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@@ -33,6 +33,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{3,}/.config/pulse/cookie rwk,
 owner @{run}/user/@{uid}/pulse/pid w,
+ owner /tmp/librnnoise-[0-9]*.so rm,
 @{sys}/devices/virtual/dmi/id/product_name r,
 @{sys}/devices/virtual/dmi/id/sys_vendor r,
diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database
index 608595e6..5b2ce5ce 100644
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
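Review bot: `/{usr/,}bin/pactl rPx,` at the top of the first pipewire hunk depends on a `pactl` profile being loaded; with `Px` there is no fallback, so if that profile is absent the exec is refused outright, and nothing in this patch adds one. Confirm the profile exists in the tree, and consider a short comment on what pipewire invokes pactl for, since the reason is not obvious from the rule. The widened `/usr/share/pipewire/pipewire*.conf r,` is fine, but the rule above it and the moved `/ r,` would both read better with the usual one-line comment the other rules in this profile presumably carry.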
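Review bot: `owner /tmp/librnnoise-[0-9]*.so rm,` grants pipewire-pulse the right to map executable code out of a world-writable directory; `owner` limits it to files with the daemon's own uid, but any other process running as that user can create a file of that name first, so this is one of the weaker rules in the profile. Presumably a noise-suppression plugin unpacks the library there at start-up (please confirm against the log entry that motivated it); if so, record that with `# librnnoise is extracted to /tmp by the noise-suppression plugin` so the rule is not mistaken for leftover debugging. Keep the pattern as narrow as the real filename allows; `librnnoise-[0-9]*.so` already avoids a bare `*.so`, which is good.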
@@ -24,10 +24,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
 /usr/share/*/*.desktop r,
- /var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
- /var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
- /var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
- /var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,
+ /var/lib/flatpak/{app/**/,}export/share/applications/{,**/} r,
+ /var/lib/flatpak/{app/**/,}export/share/applications/**.desktop r,
+ /var/lib/flatpak/{app/**/,}export/share/applications/.mimeinfo.cache.* rw,
+ /var/lib/flatpak/{app/**/,}export/share/applications/mimeinfo.cache w,
 /var/lib/snapd/desktop/applications/{,**/} r,
 /var/lib/snapd/desktop/applications/**.desktop r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index fe929c56..25c61c5a 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -108,8 +108,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /var/lib/snapd/desktop/icons/{,**} r,
 owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
- owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+ owner @{HOME}/.var/app/**/icons/**.png r,
 owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
+ owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 owner @{user_music_dirs}/**/*.jpg r,
@@ -206,7 +207,5 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 /dev/input/event[0-9]* rw,
 /dev/tty[0-9]* rw,
- deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl
index 772c7c4b..e9efcd57 100644
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = /{usr/,}bin/journalctl
-profile journalctl @{exec_path} {
+profile journalctl @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
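Review bot: Renaming `exports` to `export` in all four flatpak rules drops the installation-wide export directory: as far as I recall, Flatpak keeps the system-wide exports under `/var/lib/flatpak/exports/share/applications/` (plural) and uses `export/` (singular) only inside the per-app deploy directories under `app/`, so the `{app/**/,}` alternation was covering both spellings before and now matches only the per-app one. If update-desktop-database is triggered on the top-level directory (which is where the merged desktop files live), it will hit a denial again after this change. Suggest `/var/lib/flatpak/{app/**/export,exports}/share/applications/{,**/} r,` and the same rewrite for the other three lines, or confirm from the log that only the per-app paths are touched.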
@@ -47,5 +47,7 @@ profile journalctl @{exec_path} {
 owner @{PROC}/@{pid}/cgroup r,
+ deny /apparmor/.null rw,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup
index 86a0d4f7..b5124c60 100644
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@@ -17,5 +17,7 @@ profile systemd-machine-id-setup @{exec_path} {
 /etc/machine-id rw,
+ owner @{PROC}/@{pid}/stat r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount
index 3db96312..f658baea 100644
--- a/apparmor.d/groups/systemd/systemd-mount
+++ b/apparmor.d/groups/systemd/systemd-mount
@@ -21,5 +21,7 @@ profile systemd-mount @{exec_path} {
 @{sys}/bus/ r,
 @{sys}/class/ r,
+ owner @{PROC}/@{pid}/mountinfo r,
+
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl
index caaee986..48f7b345 100644
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@@ -16,7 +16,9 @@ profile userdbctl @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/less rPx -> child-pager,
+ /{usr/,}bin/more rPx -> child-pager,
+ /{usr/,}bin/pager rPx -> child-pager,
 /etc/shadow r,
 /etc/gshadow r,
diff --git a/apparmor.d/profiles-a-f/code-git-editor b/apparmor.d/profiles-a-f/code-git-editor
index c278becb..9d1a7637 100644
--- a/apparmor.d/profiles-a-f/code-git-editor
+++ b/apparmor.d/profiles-a-f/code-git-editor
@@ -15,5 +15,7 @@ profile code-git-editor @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}lib/electron[0-9]*/electron rUx,
+ /dev/tty rw,
+
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl
index dcfd7c1e..530e1d90 100644
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
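Review bot: `deny /apparmor/.null rw,` is added without a comment, and a reader cannot tell from the rule alone why journalctl would ever touch that path; it looks like a silencer for inherited file descriptors that AppArmor replaced with the null device at the profile transition (presumably — confirm against the log entry that motivated it). Suggest `# Silencer: inherited fds replaced by the null device at exec` above the rule. The `flags=(attach_disconnected)` added in the previous hunk is a broad flag that attaches every disconnected path to the root of the namespace for the whole profile; if it was added for the same log entry, check whether the deny rule alone is enough before keeping both.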
@@ -21,8 +21,8 @@ profile sbctl @{exec_path} {
 /{boot,efi}/{,**} r,
 /{boot,efi}/EFI/{,**} rw,
+ /{boot,efi}/vmlinuz-linux* rw,
 /{usr/,}lib/fwupd/efi/{,**} rw,
- /boot/vmlinuz-linux* rw,
 @{sys}/firmware/efi/efivars/db-@{uuid} rw,
 @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen
index 52fa5c27..0fa668cb 100644
--- a/apparmor.d/profiles-s-z/vlc-cache-gen
+++ b/apparmor.d/profiles-s-z/vlc-cache-gen
@@ -15,6 +15,8 @@ profile vlc-cache-gen @{exec_path} {
 /{usr/,}lib/vlc/plugins/{,*} rw,
+ @{sys}/devices/system/cpu/possible r,
+
 # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,