From 9312f36a2c6e6ca7a00f52d52a9fb773c94e66b51d04deda170acd1fb19ac20d Mon Sep 17 00:00:00 2001 From: Christian Boltz Date: Tue, 4 Jun 2024 19:56:31 +0000 Subject: [PATCH] Accepting request 1178599 from home:cboltz - add sddm-xauth.diff - sddm uses a new path for xauth (boo#1223900) - add plasmashell.diff - fix QtWebEngineProcess path to prevent a crash in plasmashell (boo#1225961) OBS-URL: https://build.opensuse.org/request/show/1178599 OBS-URL: https://build.opensuse.org/package/show/security:apparmor/apparmor?expand=0&rev=415 --- apparmor.changes | 7 +++++++ apparmor.spec | 8 ++++++++ plasmashell.diff | 31 +++++++++++++++++++++++++++++++ sddm-xauth.diff | 22 ++++++++++++++++++++++ 4 files changed, 68 insertions(+) create mode 100644 plasmashell.diff create mode 100644 sddm-xauth.diff diff --git a/apparmor.changes b/apparmor.changes index 160c0b7..ed7672d 100644 --- a/apparmor.changes +++ b/apparmor.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Tue Jun 4 19:48:47 UTC 2024 - Christian Boltz + +- add sddm-xauth.diff - sddm uses a new path for xauth (boo#1223900) +- add plasmashell.diff - fix QtWebEngineProcess path to prevent a + crash in plasmashell (boo#1225961) + ------------------------------------------------------------------- Thu May 30 10:19:32 UTC 2024 - Guillaume GARDET diff --git a/apparmor.spec b/apparmor.spec index 1bf9895..2a09e94 100644 --- a/apparmor.spec +++ b/apparmor.spec 
@@ -98,6 +98,12 @@ Patch13: teardown-unconfined.diff Patch14: utils-relax-mount-rules.diff Patch15: utils-relax-mount-rules-2.diff +# Fix QtWebEngineProcess path in plasmashell profile (merged upstream 2024-06-04 in 4.0 and master - https://gitlab.com/apparmor/apparmor/-/merge_requests/1248) +Patch16: plasmashell.diff + +# latest sddm uses yet another path for xauth (submitted upstream 2024-06-04 https://gitlab.com/apparmor/apparmor/-/merge_requests/1249) +Patch17: sddm-xauth.diff + PreReq: sed BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildRequires: autoconf @@ -371,6 +377,8 @@ mv -v profiles/apparmor.d/usr.lib.apache2.mpm-prefork.apache2 profiles/apparmor/ %patch -P 13 -p1 %patch -P 14 -p1 %patch -P 15 -p1 +%patch -P 16 -p1 +%patch -P 17 -p1 %build export SUSE_ASNEEDED=0 diff --git a/plasmashell.diff b/plasmashell.diff new file mode 100644 index 0000000..bf6d1de --- /dev/null +++ b/plasmashell.diff 
@@ -0,0 +1,31 @@
+commit 64469afa2c65eb8a90a19d2b658a9559fb3964b0
+Author: Christian Boltz
+Date: Tue Jun 4 21:14:50 2024 +0200
+
+ Add openSUSE path to plasmashell profile
+
+ While on it,
+ - add some comments explaining what the profile does
+ - adjust the rule with the Debian/Ubuntu path to work with Qt6
+
+ Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1225961
+
+diff --git a/profiles/apparmor.d/plasmashell b/profiles/apparmor.d/plasmashell
+index d743ff7a3..51c50a689 100644
+--- a/profiles/apparmor.d/plasmashell
++++ b/profiles/apparmor.d/plasmashell
+@@ -17,8 +17,13 @@ profile plasmashell /usr/bin/plasmashell {
+ unix,
+ ptrace,
+
+- /usr/lib/x86_64-linux-gnu/qt5/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
++ # allow executing QtWebEngineProcess with full permissions including userns (using profile stacking to avoid no_new_privs issues)
++ /usr/lib/x86_64-linux-gnu/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
++ /usr/libexec/qt[56]/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,
++
++ # allow to execute all other programs under their own profile, or to run unconfined
+ /** pux,
++
+ /{,**} mrwlk,
+
+ profile QtWebEngineProcess {
diff --git a/sddm-xauth.diff b/sddm-xauth.diff
new file mode 100644
index 0000000..701adc5
--- /dev/null
+++ b/sddm-xauth.diff
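Review bot: The Debian/Ubuntu rule in plasmashell.diff still hard-codes the `x86_64-linux-gnu` triplet, so on any other architecture QtWebEngineProcess matches neither `cx` rule and is handled by the `/** pux` fallback instead of the stacked `plasmashell//QtWebEngineProcess` child, presumably with the same result that boo#1225961 reports for the openSUSE path. If the profile includes `tunables/global` (its preamble is outside this hunk), `/usr/lib/@{multiarch}/qt[56]/libexec/QtWebEngineProcess cx -> &plasmashell//QtWebEngineProcess,` would cover the other triplets. The new comment above the `cx` rules could also state that a helper path missing from this list falls through to `/** pux`, so a later relocation of the binary is recognised as a profile gap rather than an application bug. The profile body continues past the end of the hunk.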
@@ -0,0 +1,22 @@
+commit 0c6e031c02fb18affd3bb7f15e269d9dd5c3317a
+Author: Christian Boltz
+Date: Tue Jun 4 21:45:06 2024 +0200
+
+ abstractions/X: add another xauth path
+
+ This time it's /tmp/xauth_?????? r, which gets used by latest sddm.
+
+ Fixes: https://bugzilla.opensuse.org/show_bug.cgi?id=1223900
+
+diff --git a/profiles/apparmor.d/abstractions/X b/profiles/apparmor.d/abstractions/X
+index 6f0272d64..6df891185 100644
+--- a/profiles/apparmor.d/abstractions/X
++++ b/profiles/apparmor.d/abstractions/X
+@@ -28,6 +28,7 @@
+ owner @{run}/user/*/gdm/Xauthority r,
+ owner @{run}/user/*/X11/Xauthority r,
+ owner @{run}/user/*/xauth_* r,
++ owner /tmp/xauth_?????? r,
+
+ # the unix socket to use to connect to the display
+ /tmp/.X11-unix/* rw,
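Review bot: The added `owner /tmp/xauth_?????? r,` line carries no comment, and because it lives in `abstractions/X` it grants the read to every profile that includes the abstraction, not only to sessions started by sddm. The `owner` qualifier and the fixed six-character suffix are what keep the match narrow in a world-writable directory, so a comment should record that before a later edit drops `owner` or widens the glob to `xauth_*`, for example `# sddm: per-session xauth file in /tmp (boo#1223900); keep "owner" and the six-character suffix`. The rule list starts before the hunk, so whether the neighbouring entries sit under a heading that already explains them is not visible here.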