feat(profiles): general update.

2025-01-18 17:08:09 +01:00 · 2023-03-25 15:48:59 +00:00 · 2023-03-25 15:48:59 +00:00 · 02499d90f0
commit 02499d90f0
parent 5ea574c333
42 changed files with 119 additions and 33 deletions
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -228,7 +228,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  profile systemctl {
    include <abstractions/base>
    include <abstractions/consoles>
    capability net_admin,
    capability sys_resource,
    ptrace (read),
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@ -66,6 +66,7 @@ profile apt-methods-http @{exec_path} {
  owner /tmp/aptitude-root.*/aptitude-download-* rw,
  owner /tmp/apt-changelog-*/*.changelog rw,
  @{run}/ubuntu-advantage/aptnews.json rw,
  @{run}/resolvconf/resolv.conf r,
  @{PROC}/1/cgroup r,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -143,6 +143,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  # Desktop integration
  @{libexec}/gvfsd-metadata                               rPx,
  /{usr/,}bin/exo-open                                    rPx -> child-open,
  /{usr/,}bin/gnome-software                              rPx,
  /{usr/,}bin/lsb_release                                 rPx -> lsb_release,
  /{usr/,}bin/update-mime-database                        rPx,
  /{usr/,}bin/xdg-open                                    rPx -> child-open,
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@ -74,6 +74,8 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
  /etc/geoclue/{,**} r,
  /var/lib/nscd/services r,
  @{run}/systemd/journal/socket rw,
  @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -46,7 +46,7 @@ profile plymouthd @{exec_path} {
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/class/graphics/ r,
-  @{sys}/devices/pci[0-9]*/**/{,uevent,vendor.device} r,
+  @{sys}/devices/pci[0-9]*/**/{,uevent,vendor,device} r,
  @{sys}/devices/pci[0-9]*/**/{,uevent} r,
  @{sys}/devices/virtual/graphics/fbcon/uevent r,
  @{sys}/devices/virtual/tty/console/active r,
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -105,7 +105,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
    /{usr/,}bin/fusermount{,3} mr,
-    /etc/fuse.conf r,
+    /etc/fuse{,3}.conf r,
    mount options=(rw, rprivate) -> /,
    mount options=(rw, rbind) @{run}/user/@{uid}/ -> /,
--- a/apparmor.d/groups/freedesktop/xdg-user-dir
+++ b/apparmor.d/groups/freedesktop/xdg-user-dir
@ -17,5 +17,9 @@ profile xdg-user-dir @{exec_path} {
  owner @{user_config_dirs}/user-dirs.dirs r,
  # Silencer
  deny network inet stream,
  deny network inet6 stream,
  include if exists <local/xdg-user-dir>
 }
--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@ -12,6 +12,7 @@ profile gnome-disks @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/disks-write>
  include <abstractions/gnome>
  include <abstractions/user-download-strict>
  @{exec_path} mr,
@ -23,8 +24,8 @@ profile gnome-disks @{exec_path} {
  owner @{user_cache_dirs}/gnome-disks/{,**} rw,
  owner @{PROC}/@{pid}/cgroup r,
        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/cgroup r,
  include if exists <local/gnome-disks>
 }
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -80,6 +80,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  @{libexec}/gsd-printer rPx,
  /etc/machine-id r,
  /etc/cups/client.conf r,
  @{run}/cups/cups.sock rw,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -43,6 +43,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh          rix,
  /{usr/,}bin/net                rPUx,
  /{usr/,}bin/firejail           rPUx,
  /{usr/,}bin/bwrap              rPUx,
  /{usr/,}lib/gio-launch-desktop  rPx -> child-open,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -76,6 +76,7 @@ profile tracker-extract @{exec_path} {
  /usr/share/tracker3/{,**} r,
  /usr/share/gvfs/remote-volume-monitors/{,*} r,
  /etc/blkid.conf r,
  /etc/fstab r,
  /etc/libva.conf r,
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -85,6 +85,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  /usr/share/tracker3/{,**} r,
  /etc/fstab r,
  /etc/blkid.conf r,
  /var/lib/flatpak/exports/share/applications/{,mimeinfo.cache} r,
  /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -45,6 +45,8 @@ profile gpg @{exec_path} {
  owner /var/lib/*/.gnupg/ rw,
  owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
  owner /tmp/tmp.[a-zA-Z0-9]* rw,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat rw,
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@ -17,8 +17,9 @@ profile gpg-agent @{exec_path} {
  @{exec_path} mr,
  /{usr/,}lib/gnupg/scdaemon rPx,
  /{usr/,}bin/pinentry{,-*}  rPx,
  /{usr/,}bin/scdaemon       rPx,
  /{usr/,}lib/gnupg/scdaemon rPx,
  /usr/share/gnupg/* r,
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /{usr/,}lib/gnupg/scdaemon
+@{exec_path} = /{usr/,}bin/scdaemon /{usr/,}lib/gnupg/scdaemon
 profile scdaemon @{exec_path} {
  include <abstractions/base>
  include <abstractions/devices-usb>
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@ -53,7 +53,7 @@ profile gvfsd-fuse @{exec_path} {
    /{usr/,}bin/fusermount{,3} mr,
-    /etc/fuse.conf r,
+    /etc/fuse{,3}.conf r,
    /etc/machine-id r,
    @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -47,6 +47,7 @@ profile mullvad-gui @{exec_path} {
  /var/lib/dbus/machine-id r,
  owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
  owner @{user_cache_dirs}/dconf/user rw,
  owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -17,6 +17,7 @@ profile aurpublish @{exec_path} {
  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/cat         rix,
  /{usr/,}bin/chmod       rix,
  /{usr/,}bin/curl        rix,
  /{usr/,}bin/date        rix,
  /{usr/,}bin/gettext     rix,
  /{usr/,}bin/git         rPx,
@ -25,6 +26,7 @@ profile aurpublish @{exec_path} {
  /{usr/,}bin/makepkg     rix,
  /{usr/,}bin/mkdir       rix,
  /{usr/,}bin/mktemp      rix,
  /{usr/,}bin/mv          rix,
  /{usr/,}bin/nproc       rix,
  /{usr/,}bin/rm          rix,
  /{usr/,}bin/sha512sum   rix,
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -35,7 +35,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/gzip                rix,
  /{usr/,}bin/hexdump             rix,
  /{usr/,}bin/install             rix,
-  /{usr/,}bin/ldconfig            rix,
+  /{usr/,}{s,}bin/ldconfig        rix,
  /{usr/,}bin/ldd                 rix,
  /{usr/,}bin/ln                  rix,
  /{usr/,}bin/loadkeys            rix,
@ -94,14 +94,14 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /boot/initramfs-*.img* rw,
  /boot/vmlinuz-* r,
  @{sys}/class/block/ r,
  @{sys}/devices/{,**} r,
  # Temp files
  owner @{run}/initramfs/{,**} rw,
  owner @{run}/mkinitcpio.*/{,**} rw,
  owner /tmp/mkinitcpio.*/{,**} rw,
  @{sys}/class/block/ r,
  @{sys}/devices/{,**} r,
  owner @{PROC}/@{pid}/mountinfo r,
  # Inherit silencer
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@ -24,6 +24,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/install    rix,
  /{usr/,}bin/mkinitcpio rPx,
  /{usr/,}bin/mv         rix,
  /{usr/,}bin/od         rix,
  /{usr/,}bin/rm         rix,
  /{usr/,}bin/sed        rix,
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@ -16,6 +16,8 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
  /{usr/,}lib/udev/hwdb.bin w,
  /etc/udev/.#hwdb.bind* rw,
  /etc/udev/hwdb.bin rw,
  /etc/udev/hwdb.d/{,*} r,
  owner @{PROC}/@{pid}/stat r,
--- a/apparmor.d/groups/systemd/systemd-inhibit
+++ b/apparmor.d/groups/systemd/systemd-inhibit
@ -9,12 +9,16 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-inhibit
 profile systemd-inhibit @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  capability net_admin,
  capability sys_resource,
  @{exec_path} mr,
  /{usr/,}bin/cat rix,
  @{run}/systemd/inhibit/*.ref rw,
  include if exists <local/systemd-inhibit>
 }
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -32,15 +32,18 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /usr/share/kbd/keymaps/{,**} r,
-  /usr/share/systemd/language-fallback-map r,
+  /usr/share/systemd/*-map r,
  /usr/share/X11/xkb/rules/evdev r,
  /etc/.#vconsole.conf* rw,
  /etc/default/.#locale* rw,
  /etc/default/keyboard r,
  /etc/default/locale rw,
  /etc/locale.conf r,
-  /etc/vconsole.conf r,
+  /etc/vconsole.conf rw,
-  /etc/X11/xorg.conf.d/*.conf r,
+  /etc/X11/xorg.conf.d/ r,
  /etc/X11/xorg.conf.d/.#*.confd* rw,
  /etc/X11/xorg.conf.d/*.conf rw,
  @{run}/systemd/notify rw,
--- a/apparmor.d/groups/systemd/systemd-resolve
+++ b/apparmor.d/groups/systemd/systemd-resolve
@ -18,5 +18,8 @@ profile systemd-resolve @{exec_path} {
  @{exec_path} mr,
        @{PROC}/ r,
  owner @{PROC}/@{pids}/fd/ r,
  include if exists <local/systemd-resolve>
 }
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -61,6 +61,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
  /{usr/,}lib/gdm-runtime-config           rPx,
  /{usr/,}lib/systemd/systemd-*            rPx,
  /{usr/,}lib/udev/*                      rPUx,
  /{usr/,}lib/open-iscsi/net-interface-handler rPUx,
  /usr/share/hplip/config_usb_printer.py  rPUx,
  /etc/console-setup/*.sh       rPUx,
--- a/apparmor.d/groups/systemd/systemd-vconsole-setup
+++ b/apparmor.d/groups/systemd/systemd-vconsole-setup
@ -14,6 +14,7 @@ profile systemd-vconsole-setup @{exec_path} {
  include <abstractions/systemd-common>
  capability dac_override,
  capability net_admin,
  capability sys_ptrace,
  capability sys_resource,
  capability sys_tty_config,
@ -23,9 +24,11 @@ profile systemd-vconsole-setup @{exec_path} {
  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/gzip        rix,
  /{usr/,}bin/loadkeys    rix,
  /{usr/,}bin/setfont     rix,
  /{usr/,}bin/gzip        rix,
  / r,
-  /usr/share/kbd/keymaps/{,**} r,
+  /usr/share/kbd/{,**} r,
  /etc/vconsole.conf r,
--- a/apparmor.d/groups/ubuntu/apt-esm-json-hook
+++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook
@ -19,6 +19,7 @@ profile apt-esm-json-hook @{exec_path} {
  /{usr/,}bin/dpkg         rPx,
  /var/lib/ubuntu-advantage/{,**} r,
  /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -45,14 +45,15 @@ profile cockpit-bridge @{exec_path} {
  @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
  @{run}/utmp r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
        @{PROC}/@{pids}/net/dev r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/diskstats r,
        @{PROC}/loadavg r,
        @{PROC}/uptime r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  /dev/ptmx rw,
--- a/apparmor.d/groups/virt/cockpit-pcp
+++ b/apparmor.d/groups/virt/cockpit-pcp
@ -28,6 +28,11 @@ profile cockpit-pcp @{exec_path} {
  /var/log/pcp/pmlogger/ r,
  @{sys}/fs/cgroup/{,**/} r,
  @{sys}/fs/cgroup/**/{memory,cpu}* r,
  @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/temp* r,
  @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r,
        @{PROC}/diskstats r,
        @{PROC}/swaps r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/virt/virtlogd
+++ b/apparmor.d/groups/virt/virtlogd
@ -9,12 +9,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/virtlogd
 profile virtlogd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/openssl>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  ptrace (read) peer=libvirtd,
  ptrace (read) peer=virtqemud,
  ptrace (read) peer=unconfined,
  ptrace (read) peer=virtqemud,
  @{exec_path} mr,
@ -29,17 +29,17 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/libvirt/virtlogd* w,
  @{run}/libvirt/common/system.token rwk,
  @{run}/systemd/inhibit/[0-9]*.ref rw,
  @{run}/libvirt/virtlogd-sock rw,
  @{run}/systemd/inhibit/[0-9]*.ref rw,
  @{run}/virtlogd.pid rwk,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node[0-9]*/meminfo r,
  owner @{PROC}/@{pid}/stat r,
        @{PROC}/1/environ r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
  owner @{PROC}/@{pid}/stat r,
  /dev/dri/ r,
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@ -11,6 +11,8 @@ profile aa-log @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
  @{exec_path} mr,
  /{usr/,}bin/journalctl rix,
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@ -17,7 +17,9 @@ profile gsettings @{exec_path} {
  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  owner /dev/tty[0-9]* rw,
+  /var/lib/gdm/.config/dconf/user r,
  /dev/tty[0-9]* rw,
  include if exists <local/gsettings>
 }
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -65,9 +65,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sys/kernel/osrelease r,
  /etc/ r,
-  /etc/logrotate.conf rk,
+  @{etc_ro}/logrotate.conf rk,
-  /etc/logrotate.d/ r,
+  @{etc_ro}/logrotate.d/ r,
-  /etc/logrotate.d/* rk,
+  @{etc_ro}/logrotate.d/* rk,
  / r,
  /var/log{,.hdd}/   r,
--- a/apparmor.d/profiles-m-r/needrestart-dpkg-status
+++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status
@ -11,6 +11,8 @@ profile needrestart-dpkg-status @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  capability  dac_read_search,
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh  rix,
--- a/apparmor.d/profiles-m-r/os-prober
+++ b/apparmor.d/profiles-m-r/os-prober
@ -41,6 +41,7 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/udevadm           rPx,
  /{usr/,}bin/umount            rix,
  /{usr/,}bin/uname             rix,
  /{usr/,}lib/newns             rix,
  /{usr/,}lib/os-prober/*       rix,
  /{usr/,}lib/os-probes/{,**}   rix,
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -157,8 +157,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
    owner /etc/pacman.d/gnupg/ r, # only: arch
    owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**,
-    owner /var/tmp/zypp.*/zypp-trusted-*/ r, # only: opensuse
+    owner /var/tmp/zypp.*/zypp-*/ r, # only: opensuse
-    owner /var/tmp/zypp.*/zypp-trusted-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
+    owner /var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -42,7 +42,7 @@ profile pass @{exec_path} {
  /{usr/,}bin/which     rix,
  /{usr/,}bin/git             rCx -> git,
-  /{usr/,}bin/gpg{2,}         rUx,
+  /{usr/,}bin/gpg{2,}         rCx -> gpg,
  /{usr/,}bin/qdbus           rCx -> qdbus,
  /{usr/,}bin/vim{,.*}        rCx -> editor,
  /{usr/,}bin/wl-{copy,paste} rPx,
@ -116,7 +116,7 @@ profile pass @{exec_path} {
    /{usr/,}bin/less          rPx -> child-pager,
    /{usr/,}bin/more          rPx -> child-pager,
-    /{usr/,}bin/gpg{2,}  rUx,
+    /{usr/,}bin/gpg{2,}  rPx -> pass//gpg,
    /usr/share/git-core/{,**} r,
@ -135,6 +135,27 @@ profile pass @{exec_path} {
    include if exists <local/pass_git>
  }
  profile gpg flags=(complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
    capability dac_read_search,
    /{usr/,}bin/gpg{,2}    mr,
    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
    owner @{user_password_store_dirs}/   rw,
    owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
    owner @{user_projects_dirs}/**/*-store/   rw,
    owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
    owner @{user_config_dirs}/*-store/   rw,
    owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**,
    include if exists <local/pass_gpg>
  }
  profile qdbus {
    include <abstractions/base>
--- a/apparmor.d/profiles-m-r/pcscd
+++ b/apparmor.d/profiles-m-r/pcscd
@ -11,6 +11,8 @@ profile pcscd @{exec_path} {
  include <abstractions/base>
  include <abstractions/devices-usb>
  capability sys_ptrace,
  network netlink raw,
  ptrace (read) peer=rngd,
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -49,8 +49,12 @@ profile spice-vdagent @{exec_path} {
  @{exec_path} mr,
  /usr/share/pipewire/client-rt.conf r,
  /etc/pipewire/client.conf r,
  /var/lib/nscd/passwd r,
  owner @{user_config_dirs}/user-dirs.dirs r,
  @{run}/spice-vdagentd/spice-vdagent-sock rw,
--- a/apparmor.d/profiles-s-z/update-ca-certificates
+++ b/apparmor.d/profiles-s-z/update-ca-certificates
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -19,16 +20,17 @@ profile update-ca-certificates @{exec_path} {
  /{usr/,}bin/basename   rix,
  /{usr/,}bin/cat        rix,
  /{usr/,}bin/chmod      rix,
  /{usr/,}bin/find       rix,
  /{usr/,}bin/flock      rix,
  /{usr/,}bin/ln         rix,
  /{usr/,}bin/mktemp     rix,
  /{usr/,}bin/mv         rix,
  /{usr/,}bin/readlink   rix,
  /{usr/,}bin/rm         rix,
  /{usr/,}bin/sed        rix,
  /{usr/,}bin/sort       rix,
  /{usr/,}bin/wc         rix,
  /{usr/,}bin/find       rix,
  /{usr/,}bin/ln         rix,
  /{usr/,}bin/test       rix,
  /{usr/,}bin/wc         rix,
  /{usr/,}bin/openssl    rix,
--- a/apparmor.d/profiles-s-z/update-command-not-found
+++ b/apparmor.d/profiles-s-z/update-command-not-found
@ -16,6 +16,8 @@ profile update-command-not-found @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  capability dac_read_search,
  @{exec_path} r,
  /{usr/,}bin/python3.[0-9]* r,
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@ -48,6 +48,9 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/ssh                               rPx,
  /{usr/,}lib/spice-client-glib-usb-acl-helper  rPx,
  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
  /{usr/,}lib/gio-launch-desktop                          rPx -> child-open,
  /usr/share/egl/{,**} r,
  /usr/share/gtksourceview-4/{,**} r,
  /usr/share/hwdata/*.ids r,