From facade62b6a065a1395a924d9355168a46f0ab67 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Fri, 2 Apr 2021 10:22:03 +0100
Subject: [PATCH] Add more apparmor profiles.

---
 apparmor.d/profiles-a-l/freefall | 27 ++++++++++++++++++++++++++
 apparmor.d/profiles-m-z/pcscd    | 24 +++++++++++++++++++++++
 apparmor.d/profiles-m-z/rngd     | 33 ++++++++++++++++++++++++++++++++
 apparmor.d/profiles-m-z/xclip    | 24 +++++++++++++++++++++++
 4 files changed, 108 insertions(+)
 create mode 100644 apparmor.d/profiles-a-l/freefall
 create mode 100644 apparmor.d/profiles-m-z/pcscd
 create mode 100644 apparmor.d/profiles-m-z/rngd
 create mode 100644 apparmor.d/profiles-m-z/xclip

diff --git a/apparmor.d/profiles-a-l/freefall b/apparmor.d/profiles-a-l/freefall
new file mode 100644
index 00000000..afa3ee9f
--- /dev/null
+++ b/apparmor.d/profiles-a-l/freefall
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/freefall
+profile freefall @{exec_path} {
+  include <abstractions/base>
+
+  capability sys_nice,
+  capability ipc_lock,
+  capability mknod,
+
+  @{exec_path} mr,
+
+  /dev/freefall r,
+  /dev/sd[a-z] rk,
+  /dev/sd[a-z][0-9]* rk,
+
+  @{sys}/devices/**/unload_heads r,
+  @{sys}/class/leds/**/brightness r,
+
+  include if exists <local/freefall>
+}
diff --git a/apparmor.d/profiles-m-z/pcscd b/apparmor.d/profiles-m-z/pcscd
new file mode 100644
index 00000000..ab995822
--- /dev/null
+++ b/apparmor.d/profiles-m-z/pcscd
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/pcscd
+profile pcscd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/devices-usb>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /etc/libccid_Info.plist r,
+  /etc/reader.conf.d/{,libccidtwin} r,
+
+  owner @{run}/pcscd/{,pcscd.pid} rw,
+
+  include if exists <local/pcscd>
+}
diff --git a/apparmor.d/profiles-m-z/rngd b/apparmor.d/profiles-m-z/rngd
new file mode 100644
index 00000000..1464ba43
--- /dev/null
+++ b/apparmor.d/profiles-m-z/rngd
@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/rngd
+profile rngd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  capability sys_admin,
+  capability sys_nice,
+  capability dac_read_search,
+
+  /etc/opensc.conf r,
+  /etc/conf.d/rngd r,
+
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
+
+  @{PROC}/sys/kernel/random/poolsize r,
+  @{PROC}/sys/kernel/random/write_wakeup_threshold rw,
+
+  /dev/hwrng r,
+  /dev/random w,
+
+  include if exists <local/rngd>
+}
diff --git a/apparmor.d/profiles-m-z/xclip b/apparmor.d/profiles-m-z/xclip
new file mode 100644
index 00000000..620c0423
--- /dev/null
+++ b/apparmor.d/profiles-m-z/xclip
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
+#               2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Version of program profiled: 0.13
+
+abi <abi/3.0>,
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/xclip
+profile xclip @{exec_path} {
+  include <abstractions/base>
+  network unix stream,
+
+  @{exec_path} mr,
+
+  # Mutt
+  owner /tmp/mutt-* rw,
+
+  owner @{HOME}/.Xauthority r,
+
+  deny /dev/tty rw,
+}