From 2207a042a49bf000753e3e84d29139f6ec19f03d Mon Sep 17 00:00:00 2001
From: Frank Brehm
Date: Sat, 25 Nov 2023 06:18:01 +0100
Subject: [PATCH] committing changes in /etc made by "/usr/bin/python3 /usr/bin/nala upgrade --purge"

Packages with configuration changes:
-apparmor 3.0.4-2ubuntu2.2 amd64
+apparmor 3.0.4-2ubuntu2.3 amd64
-evince 42.3-0ubuntu3 amd64
+evince 42.3-0ubuntu3.1 amd64

Package changes:
-apparmor 3.0.4-2ubuntu2.2 amd64
-apparmor-profiles 3.0.4-2ubuntu2.2 all
-apparmor-utils 3.0.4-2ubuntu2.2 all
+apparmor 3.0.4-2ubuntu2.3 amd64
+apparmor-profiles 3.0.4-2ubuntu2.3 all
+apparmor-utils 3.0.4-2ubuntu2.3 all
-evince 42.3-0ubuntu3 amd64
-evince-common 42.3-0ubuntu3 all
+evince 42.3-0ubuntu3.1 amd64
+evince-common 42.3-0ubuntu3.1 all
-gir1.2-evince-3.0 42.3-0ubuntu3 amd64
+gir1.2-evince-3.0 42.3-0ubuntu3.1 amd64
-libapparmor1 3.0.4-2ubuntu2.2 amd64
-libapparmor1 3.0.4-2ubuntu2.2 i386
+libapparmor1 3.0.4-2ubuntu2.3 amd64
+libapparmor1 3.0.4-2ubuntu2.3 i386
-libevdocument3-4 42.3-0ubuntu3 amd64
+libevdocument3-4 42.3-0ubuntu3.1 amd64
-libevview3-3 42.3-0ubuntu3 amd64
+libevview3-3 42.3-0ubuntu3.1 amd64
-lintian 2.114.0ubuntu1.2 all
+lintian 2.114.0ubuntu1.3 all
-python3-apparmor 3.0.4-2ubuntu2.2 all
+python3-apparmor 3.0.4-2ubuntu2.3 all
-python3-libapparmor 3.0.4-2ubuntu2.2 amd64
+python3-libapparmor 3.0.4-2ubuntu2.3 amd64
---
 .etckeeper | 1 +
 apparmor.d/abstractions/snap_browsers | 43 +++++++++++++++++++++++++++
 apparmor.d/usr.bin.evince | 6 ++++
 3 files changed, 50 insertions(+)
 create mode 100644 apparmor.d/abstractions/snap_browsers

diff --git a/.etckeeper b/.etckeeper
index 469eef8..0a641a1 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -365,6 +365,7 @@ maybe chmod 0644 'apparmor.d/abstractions/recent-documents-write'
 maybe chmod 0644 'apparmor.d/abstractions/ruby'
 maybe chmod 0644 'apparmor.d/abstractions/samba'
 maybe chmod 0644 'apparmor.d/abstractions/smbpass'
+maybe chmod 0644 'apparmor.d/abstractions/snap_browsers'
 maybe chmod 0644 'apparmor.d/abstractions/ssl_certs'
 maybe chmod 0644 'apparmor.d/abstractions/ssl_keys'
 maybe chmod 0644 'apparmor.d/abstractions/svn-repositories'
diff --git a/apparmor.d/abstractions/snap_browsers b/apparmor.d/abstractions/snap_browsers
new file mode 100644
index 0000000..98fdeed
--- /dev/null
+++ b/apparmor.d/abstractions/snap_browsers
@@ -0,0 +1,43 @@
+profile snap_browsers {
+ include if exists
+ include
+ include
+
+ /etc/passwd r,
+ /etc/nsswitch.conf r,
+ /etc/fstab r,
+
+ # noisy
+ deny owner /run/user/[0-9]*/gdm/Xauthority r, # not needed on Ubuntu
+
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrix, # re-exec
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/info r,
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snapd r,
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-seccomp rPix,
+ /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/lib/snapd/snap-confine Pix,
+ /var/lib/snapd/system-key r,
+ /run/snapd.socket rw,
+
+ @{PROC}/version r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/net/core/somaxconn r,
+ @{PROC}/sys/kernel/seccomp/actions_avail r,
+ @{PROC}/sys/kernel/random/uuid r,
+ owner @{PROC}/@{pid}/cgroup r,
+ owner @{PROC}/@{pid}/mountinfo r,
+ owner @{HOME}/.snap/auth.json r, # if exists, required
+
+ dbus send bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="StartTransientUnit" peer=(name="org.freedesktop.systemd1"),
+ dbus receive bus="session" path="/org/freedesktop/systemd1" interface="org.freedesktop.systemd1.Manager" member="JobRemoved",
+
+ /sys/kernel/security/apparmor/features/ r,
+
+ # allow launching official browser snaps.
+ /snap/chromium/[0-9]*/meta/{snap.yaml,hooks/} r,
+ /snap/firefox/[0-9]*/meta/{snap.yaml,hooks/} r,
+ /snap/opera/[0-9]*/meta/{snap.yaml,hooks/} r,
+
+ /var/lib/snapd/sequence/{chromium,firefox,opera}.json r,
+ /var/lib/snapd/inhibit/{chromium,firefox,opera}.lock rk,
+ # add other browsers here
+}
diff --git a/apparmor.d/usr.bin.evince b/apparmor.d/usr.bin.evince
index 904f0ea..55370f0 100644
--- a/apparmor.d/usr.bin.evince
+++ b/apparmor.d/usr.bin.evince
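Review bot: The closing comment `# add other browsers here` in the new snap_browsers abstraction invites editing a file that the apparmor package owns, so a later upgrade would either overwrite the addition or stop for a conffile prompt; the `include if exists` line at the top (its include target is stripped on this page, presumably a drop-in directory) is where local additions belong, and I would reword the comment to `# add other browsers via the optional include above rather than by editing this file`. Two rules would also benefit from a why-comment: `usr/bin/snap mrix` keeps the re-executed snap binary under this same child profile, which appears to be what makes the read rules on the chromium, firefox and opera `meta/snap.yaml` paths the effective allow-list of launchable snaps, and the `dbus receive ... member="JobRemoved"` rule carries no `peer=` restriction unlike the `send` rule directly above it, which looks deliberate but is worth stating.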
@@ -28,6 +28,9 @@ #include #include + # allow evince to spawn browsers distributed as snaps (LP: #1794064) + #include + # For now, let evince talk to any session services over dbus. We can # blacklist any problematic ones (but note, evince uses libsecret :\) #include @@ -146,6 +149,9 @@ # evince creates a temporary stream file like '.goutputstream-XXXXXX' in the # directory a file is saved. This allows that behavior. owner /**/.goutputstream-* w, + + # allow evince to spawn browsers distributed as snaps (LP: #1794064) + /{,snap/core/[0-9]*/,snap/snapd/[0-9]*/}usr/bin/snap mrCx -> snap_browsers, } /usr/bin/evince-previewer { -- 2.39.5
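Review bot: The `mrCx -> snap_browsers` rule added in the second hunk names a child profile that only exists because of the `#include` added in the first hunk (its include target is not visible on this page, presumably the new abstractions/snap_browsers file), so the two additions are coupled and the rule deserves a comment saying so, e.g. `# the target child profile is defined by the snap_browsers abstraction included above`. The uppercase `C` means the exec scrubs the environment on the transition, a sensible choice for a browser launcher that I would also record in that comment. Both hunks sit inside the /usr/bin/evince profile, whose opening line is outside the first hunk.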