From 6add80d83ff1e24a4469626727e3cafddb12cac4 Mon Sep 17 00:00:00 2001
From: Georgia Garcia <georgia.garcia@canonical.com>
Date: Fri, 2 Feb 2024 10:51:06 -0300
Subject: [PATCH] add profiles for applications that create user namespaces

These are profiles for applications that create user namespaces, both
the actual policy and unconfined profiles, like it was done in MR
1123.

https://gitlab.com/apparmor/apparmor/-/merge_requests/1123

In addition this serves as a handle to uniquely identify these
applications instead of unconfined to peers in policy.

Note that unconfined mode should be changed for default_allow when
https://gitlab.com/apparmor/apparmor/-/merge_requests/1109 is merged.

Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com>
---
 profiles/apparmor.d/plasmashell      | 42 ++++++++++++++++++++++++++++
 profiles/apparmor.d/steam            |  2 +-
 profiles/apparmor.d/surfshark        | 12 ++++++++
 profiles/apparmor.d/systemd-coredump | 12 ++++++++
 4 files changed, 67 insertions(+), 1 deletion(-)
 create mode 100644 profiles/apparmor.d/plasmashell
 create mode 100644 profiles/apparmor.d/surfshark
 create mode 100644 profiles/apparmor.d/systemd-coredump

diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell
new file mode 100644
index 000000000..d743ff7a3
--- /dev/null
+++ b/profiles/apparmor.d/plasmashell
@@ -0,0 +1,42 @@
+abi <abi/4.0>,
+
+include <tunables/global>
+
+profile plasmashell /usr/bin/plasmashell {
+  include <abstractions/dbus-session>
+
+  capability,
+  userns,
+  network,
+  dbus,
+  mount,
+  umount,
+  remount,
+  signal,
+  mqueue,
+  unix,
+  ptrace,
+
+  /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
+  /** pux,
+  /{,**} mrwlk,
+
+  profile QtWebEngineProcess {
+    capability,
+    userns,
+    network,
+    dbus,
+    mount,
+    umount,
+    remount,
+    signal,
+    mqueue,
+    unix,
+    ptrace,
+    /** pux,
+    /{,**} mrwlk,
+  }
+
+  # Site-specific additions and overrides.  See local/README for details.
+  include if exists <local/plasmashell>
+}
diff --git a/profiles/apparmor.d/steam b/profiles/apparmor.d/steam
index 1b3abb453..ebd06f71d 100644
--- a/profiles/apparmor.d/steam
+++ b/profiles/apparmor.d/steam
@@ -4,7 +4,7 @@
 abi <abi/4.0>,
 include <tunables/global>
 
-profile steam /usr/lib/steam/bin_steam.sh flags=(unconfined) {
+profile steam /usr/{lib/steam/bin_steam.sh,games/steam} flags=(unconfined) {
   userns,
 
   # Site-specific additions and overrides. See local/README for details.
diff --git a/profiles/apparmor.d/surfshark b/profiles/apparmor.d/surfshark
new file mode 100644
index 000000000..adbd896d5
--- /dev/null
+++ b/profiles/apparmor.d/surfshark
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile surfshark /opt/Surfshark/surfshark flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/surfshark>
+}
diff --git a/profiles/apparmor.d/systemd-coredump b/profiles/apparmor.d/systemd-coredump
new file mode 100644
index 000000000..5b89dcd08
--- /dev/null
+++ b/profiles/apparmor.d/systemd-coredump
@@ -0,0 +1,12 @@
+# This profile allows everything and only exists to give the
+# application a name instead of having the label "unconfined"
+
+abi <abi/4.0>,
+include <tunables/global>
+
+profile systemd-coredump /usr/lib/systemd/systemd-coredump flags=(unconfined) {
+  userns,
+
+  # Site-specific additions and overrides. See local/README for details.
+  include if exists <local/systemd-coredump>
+}