From f20ccedf4f753ee238f66764256316b3ea413380 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 7 Feb 2023 23:18:10 +0000 Subject: [PATCH] feat(profiles): general update. --- apparmor.d/groups/freedesktop/polkit-agent-helper | 11 +++++++---- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/profiles-a-f/auditctl | 2 ++ apparmor.d/profiles-a-f/augenrules | 11 ++++++++++- apparmor.d/profiles-a-f/fwupd | 9 ++++++--- apparmor.d/profiles-g-l/git | 6 ++++++ apparmor.d/profiles-m-r/pass | 15 ++++++++++++--- 7 files changed, 44 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 32d5b102..231fafee 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -11,10 +11,10 @@ include @{exec_path} += @{libexec}/polkit-agent-helper-[0-9] profile polkit-agent-helper @{exec_path} { include - include include - include include + include + include capability audit_write, capability dac_override, @@ -41,11 +41,14 @@ profile polkit-agent-helper @{exec_path} { @{exec_path} mr, - # file_inherit - owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, @{run}/faillock/[a-zA-z0-9]* rwk, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, + + owner /dev/tty[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index c8c0075a..5dc0139b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -133,10 +133,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/pipewire-[0-9]* rw, @{PROC}/ r, + @{PROC}/*/ r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/ r, 
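Review bot: Dropping the `# file_inherit` comment while keeping `owner /dev/tty[0-9]* rw,` makes the tty rule read as a deliberate grant rather than an inherited descriptor; keep a one-line `# file_inherit` comment directly above the moved rule so the reason survives. The two new cgroup rules (`@{PROC}/1/cgroup r,` and `owner @{PROC}/@{pid}/cgroup r,`) would likewise benefit from a short note on what is derived from PID 1's cgroup. Separately, the neighbouring context line `@{run}/faillock/[a-zA-z0-9]* rwk,` uses the range `A-z`, which in a character class also covers `[ \ ] ^ _` and the backtick; it is presumably meant to read `[a-zA-Z0-9]*`. The profile body continues outside the hunk.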
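Review bot: Replacing `@{PROC}/@{pid}/ r,` with `@{PROC}/*/ r,` widens the rule from the portal's own `/proc` directory to listing `/proc/<pid>/` for every process on the system, and nothing in the hunk says which foreign PIDs the portal needs to inspect. A one-line comment naming the intended targets (presumably portal callers, given the adjacent `@{PROC}/1/cgroup r,` — confirm) would make the widening reviewable; if only the portal's own entry is ever listed, the original rule should stay. The profile body continues outside the hunk.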
diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl index b1f1fec8..aea50ce5 100644 --- a/apparmor.d/profiles-a-f/auditctl +++ b/apparmor.d/profiles-a-f/auditctl @@ -16,5 +16,7 @@ profile auditctl @{exec_path} { @{exec_path} mr, + /etc/audit/audit.rules r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index f7356dd0..78ba55bd 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -13,9 +13,18 @@ profile augenrules @{exec_path} { @{exec_path} mr, + /{usr/,}bin/auditctl rPx, + /{usr/,}bin/chmod rix, + /{usr/,}bin/cmp rix, + /{usr/,}bin/cp rix, + /{usr/,}bin/gawk rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/ls rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/rm rix, - /{usr/,}bin/auditctl rPx, + + /etc/audit/audit.rules r, + /etc/audit/rules.d/ r, owner /tmp/aurules.* rw, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 0e12b51f..2bfc5924 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -74,9 +74,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /usr/share/fwupd/{,**} r, /usr/share/mime/mime.cache r, - /etc/pki/fwupd/{,**} r, - /etc/pki/fwupd-metadata/{,**} r, /etc/fwupd/{,**} rw, + /etc/lsb-release r, + /etc/pki/fwupd-metadata/{,**} r, + /etc/pki/fwupd/{,**} r, /var/cache/fwupd/{,**} rw, /var/lib/fwupd/{,**} rw, @@ -94,6 +95,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { # In order to get to this file, the attach_disconnected flag has to be set owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r, + owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r, @{sys}/**/ r, @{sys}/devices/** r, 
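Review bot: The file still ends without a trailing newline (`\ No newline at end of file` survives the hunk) even though the closing `}` is part of the hunk context; adding the final newline in this commit would avoid a noisy follow-up diff. The new `/etc/audit/audit.rules r,` rule itself is self-explanatory and needs no comment.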
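Review bot: `/etc/audit/rules.d/ r,` only permits listing the directory; the rule fragments inside it, which the newly allowed `cmp`/`gawk`/`grep` helpers presumably operate on, are not readable by anything in this hunk, so `/etc/audit/rules.d/*.rules r,` (or `/etc/audit/rules.d/{,*} r,`) is likely needed unless it is granted outside the hunk. Allowing `cp` and `chmod` with `rix` also suggests the merged `/etc/audit/audit.rules` is rewritten from inside this profile, yet the file is only granted `r`; confirm whether a `w` is required or already present elsewhere. The profile body continues outside the hunk.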
@@ -102,7 +104,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{sys}/firmware/dmi/tables/DMI r, @{sys}/firmware/dmi/tables/smbios_entry_point r, @{sys}/firmware/efi/** r, - @{sys}/firmware/efi/efivars/BootNext-* rw, + @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw, + @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw, @{sys}/firmware/efi/efivars/fwupd-* rw, @{sys}/kernel/security/lockdown r, @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 3159c5ae..55603460 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -117,6 +117,8 @@ profile git @{exec_path} { owner /tmp/.git_vtag_tmp* r, deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists } profile ssh { @@ -144,6 +146,8 @@ profile git @{exec_path} { owner @{PROC}/@{pid}/fd/ r, deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists } profile exec { @@ -151,6 +155,7 @@ profile git @{exec_path} { owner @{user_build_dirs}/**/bin/* mr, + include if exists } profile editor { @@ -185,6 +190,7 @@ profile git @{exec_path} { owner @{user_build_dirs}/ r, owner @{user_build_dirs}/** rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index dc2ee985..2ff735f2 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -83,15 +83,17 @@ profile pass @{exec_path} { owner @{HOME}/.fzf/plugin/fzf.vim r, owner @{HOME}/.viminfo{,.tmp} rw, - owner @{user_password_store_dirs}/ r, - owner @{user_projects_dirs}/**/*-store/ r, - owner @{user_config_dirs}/*-store/ r, + owner @{user_password_store_dirs}/{,**/} r, + owner @{user_projects_dirs}/**/*-store/{,**/} r, + owner @{user_config_dirs}/*-store/{,**/} r, owner @{user_cache_dirs}/vim/{,**} rw, owner @{user_config_dirs}/vim/{,**} rw, /dev/shm/pass.*/{,*} rw, deny owner @{HOME}/ r, + + include if exists } profile git { 
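Review bot: `@{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,` grants write access to every `Boot####` UEFI entry, not only the `BootNext` variable the previous line covered; a short comment on why fwupd rewrites boot entries (presumably to install its own updater entry — confirm) would let a reviewer judge the scope. Depending on how `@{hex}` is defined in the tunables, the pattern may also match names longer than four hex digits; if the variable is unbounded, `Boot[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]-@{uuid}` pins it to the `Boot####` form. The profile body continues outside the hunk.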
@@ -109,6 +111,10 @@ profile pass @{exec_path} { /{usr/,}bin/git* mrix, @{libexec}/git-core/git* mrix, + /{usr/,}bin/pager rPx -> child-pager, + /{usr/,}bin/less rPx -> child-pager, + /{usr/,}bin/more rPx -> child-pager, + /{usr/,}bin/gpg{2,} rUx, /usr/share/git-core/{,**} r, @@ -123,6 +129,9 @@ profile pass @{exec_path} { owner @{user_config_dirs}/*-store/ rw, owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**, + owner /tmp/.git_vtag_tmp* rw, # For git log --show-signature + + include if exists } include if exists
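Review bot: `owner /tmp/.git_vtag_tmp* rw,` in pass's `git` subprofile grants `rw`, whereas the standalone git profile earlier in this patch keeps `owner /tmp/.git_vtag_tmp* r,` for the same temp file; if git creates this file itself during `--show-signature`, the standalone profile needs the same `rw`, so the two rules should agree. The trailing comment `# For git log --show-signature` also departs from the file's own-line comment style (compare `# In order to get to this file...` in fwupd); placing it on the line above the rule would match. The `git` subprofile starts outside the hunk.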