feat(profile): general update.

2025-01-18 17:08:09 +01:00 · 2024-03-29 19:45:10 +00:00 · 2024-03-29 19:45:10 +00:00 · 0619f4dcec
commit 0619f4dcec
parent 1f8507548f
43 changed files with 160 additions and 208 deletions
--- a/apparmor.d/groups/apps/imv-wayland
+++ b/apparmor.d/groups/apps/imv-wayland
@ -1,4 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -8,8 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/imv-wayland
 profile imv @{exec_path} {
  include <abstractions/base>
-  include <abstractions/freedesktop.org>
-  include <abstractions/fonts>
+  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
@ -18,7 +18,7 @@ profile imv @{exec_path} {
  @{exec_path} mr,

  /etc/imv_config r,
-  /usr/share/X11/xkb/** r,
+
  /tmp/ r,

  owner @{user_config_dirs}/imv/config r,
--- a/apparmor.d/groups/apps/zathura
+++ b/apparmor.d/groups/apps/zathura
@ -1,4 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -8,18 +9,16 @@ include <tunables/global>
@{exec_path} = @{bin}/zathura 
 profile zathura @{exec_path} {
  include <abstractions/base>
-  include <abstractions/freedesktop.org>
-  include <abstractions/fonts>
+  include <abstractions/dconf-write>
+  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/nameservice-strict>
-  include <abstractions/dconf-write>
-  include <abstractions/gtk>
-  include <abstractions/user-read>
+  include <abstractions/user-read-strict>

  @{exec_path} mr,

  /usr/share/file/{,**} r,
-  /usr/share/X11/xkb/{,**} r,
+
  /etc/xdg/{,**} r,
  /etc/zathurarc r,

--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -21,6 +21,7 @@ profile dpkg-preconfigure @{exec_path} {

  @{sh_path}        rix,
  @{bin}/{,e}grep   rix,
+  @{bin}/dialog     rix,
  @{bin}/locale     rix,
  @{bin}/sed        rix,
  @{bin}/sort       rix,
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@ -26,6 +26,7 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
+  network netlink raw,

  @{exec_path} mr,

--- a/apparmor.d/groups/bus/at-spi2-registryd
+++ b/apparmor.d/groups/bus/at-spi2-registryd
@ -15,6 +15,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/X-strict>

+  signal (receive) set=(term) peer=gdm,
+
  #aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry
  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -9,12 +9,18 @@ include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-engine-simple
 profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/bus-session>
  include <abstractions/ibus>

  signal (receive) set=term peer=ibus-daemon,

  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),

+  dbus receive bus=session path=/
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=:*, label=gnome-shell),
+
  @{exec_path} mr,

  /etc/machine-id r,
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-memconf
 profile ibus-memconf @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>

@ -16,9 +18,6 @@ profile ibus-memconf @{exec_path} {

  @{exec_path} mr,

-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
-
  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -12,6 +12,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/desktop>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -46,12 +46,12 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {

  / r,
  /.flatpak-info r,
-  
-  owner @{user_config_dirs}/pipewire/pipewire-pulse.conf r,
-  owner @{user_config_dirs}/pipewire/pipewire.conf r,
+
+  owner @{user_config_dirs}/pipewire/{,**} r,

  owner /tmp/librnnoise-@{int}.so rm,

+  owner @{run}/user/@{uid}/pipewire-@{int} rw,
  owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
  owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
  owner @{run}/user/@{uid}/pulse/pid rw,
--- a/apparmor.d/groups/freedesktop/xprop
+++ b/apparmor.d/groups/freedesktop/xprop
@ -10,23 +10,10 @@ include <tunables/global>
@{exec_path} = @{bin}/xprop
 profile xprop @{exec_path} {
  include <abstractions/base>
+  include <abstractions/freedesktop.org>
+  include <abstractions/X-strict>

  @{exec_path} mr,

-  /usr/etc/X11/xdm/Xresources r,
-  /usr/share/icons/*/cursors/crosshair r,
-
-  owner @{HOME}/.Xauthority r,
-  owner @{HOME}/.icons/default/index.theme r,
-  
-  owner /tmp/runtime-*/xauth_@{rand6} r,
-  owner /tmp/xauth_@{rand6} r,
-
-  owner @{run}/user/@{uid}/xauth_@{rand6} rl,
-
-  # file_inherit
-  owner /dev/tty@{int} rw,
-  owner @{HOME}/.xsession-errors w,
-
  include if exists <local/xprop>
 }
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -18,8 +18,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=(term hup) peer=kwin_wayland,
  signal (receive) set=(term hup) peer=login,

-  unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
-
  @{exec_path} mrix,

  @{sh_path}        rix,
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@ -12,11 +12,12 @@ profile evolution-alarm-notify @{exec_path} {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/gnome-strict>
-  include <abstractions/nameservice-strict>
  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>

  network netlink raw,

--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -27,16 +27,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {

  ptrace (read) peer=unconfined,

-  signal (send) set=(term) peer=dbus-accessibility,
-  signal (send) set=(term) peer=dbus-session,
-  signal (send) set=(term) peer=dconf-service,
-  signal (send) set=(term) peer=gdm-session-worker,
-  signal (send) set=(term) peer=gdm-session,
-  signal (send) set=(term) peer=gnome-session-binary,
-  signal (send) set=(term) peer=jackdbus,
-  signal (send) set=(term) peer=tracker-miner,
-  signal (send) set=(term) peer=xdg-*,
-  signal (send) set=(term) peer=xorg,
+  signal (send) set=(term),

  unix (bind, listen) type=stream addr="@/tmp/dbus-@{rand8}",
  unix (send receive accept) type=stream addr="@/tmp/dbus-@{rand8}" peer=(label=gdm-session-worker, addr=none),
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -18,6 +18,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
--- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice
+++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice
@ -11,19 +11,13 @@ profile gnome-characters-backgroudservice @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
-  include <abstractions/wayland>
+  include <abstractions/gnome-strict>

  @{exec_path} mr,

  @{bin}/gjs-console rix,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/icons/{,**} r,
  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService.*.gresource r,
-  /usr/share/themes/{,**} r,
-  /usr/share/X11/xkb/{,**} r,
-
-  /etc/gtk-3.0/settings.ini r,

  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -45,12 +45,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  @{bin}/locale        rix,
  @{bin}/sed           rix,

-  @{bin}/bwrap                                  rPUx,
-  @{bin}/gkbd-keyboard-display                  rPUx,
-  @{bin}/gnome-software                         rPUx,
+  @{bin}/bwrap                                   rCx -> bwrap,
+  @{bin}/gkbd-keyboard-display                   rPx,
+  @{bin}/gnome-software                          rPx,
  @{bin}/openvpn                                 rPx,
  @{bin}/passwd                                  rPx,
-  @{bin}/pkexec                                  rPx,
+  @{bin}/pkexec                                  rCx -> pkexec,
  @{bin}/software-properties-gtk                 rPx,
  @{bin}/usermod                                 rPx,
  @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx,
@ -165,5 +165,22 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

+  profile bwrap {
+    include <abstractions/base>
+    include <abstractions/common/bwrap>
+
+    @{bin}/bwrap mr,
+  
+    include if exists <local/gnome-control-center_bwrap>
+  }
+
+  profile pkexec {
+    include <abstractions/base>
+  
+    @{bin}/pkexec mr,
+  
+    include if exists <local/gnome-control-center_pkexec>
+  }
+
  include if exists <local/gnome-control-center>
 }
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -71,6 +71,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter/autostart/{,*.desktop} r,
  /usr/share/gnome-session/hardware-compatibility r,
  /usr/share/gnome-session/sessions/*.session r,
+  /usr/share/gnome-shell/extensions/*/metadata.json r,
  /usr/share/gnome/autostart/{,*.desktop} r,

  @{etc_ro}/xdg/autostart/{,*.desktop} r,
@ -141,7 +142,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
    @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher  rPUx,
    @{lib}/caribou/caribou                                rPUx,
    @{lib}/deja-dup/deja-dup-monitor                       rPx,
-    @{lib}/gsd-disk-utility-notify                         rPx,
+    @{lib}/gsd-*                                           rPx,
    @{lib}/update-notifier/ubuntu-advantage-notification   rPx,
    @{lib}/xapps/sn-watcher/*                             rPUx,
    @{thunderbird_path}                                    rPx,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -80,7 +80,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  #aa:dbus own bus=session name=org.gnome.Shell

  #aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity
-  #aa:dbus own bus=session name=com.rastersoft.dingextension interface=org.gtk.Actions
+  #aa:dbus own bus=session name=com.rastersoft.dingextension
+  #aa:dbus own bus=session name=org.gtk.Actions path=/**
  #aa:dbus own bus=session name=org.gtk.MountOperationHandler
  #aa:dbus own bus=session name=org.gtk.Notifications
  #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -29,10 +29,11 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  @{bin}/lsblk  rPx,
-  @{bin}/pkexec rPx,
-  @{bin}/sed    rix,
  @{sh_path}    rix,
+  @{bin}/lsblk  rPx,
+  @{bin}/pkexec rCx -> pkexec,
+  @{bin}/sed    rix,
+  @{bin}/tr     rix,

  /usr/share/gnome-system-monitor/{,**} r,
  /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
@ -75,5 +76,15 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

+  /dev/tty rw,
+
+  profile pkexec {
+    include <abstractions/base>
+
+    @{bin}/pkexec mr,
+
+    include if exists <local/gnome-system-monitor_pkexec>
+  }
+
  include if exists <local/gnome-system-monitor>
 }
--- a/apparmor.d/groups/gnome/goa-identity-service
+++ b/apparmor.d/groups/gnome/goa-identity-service
@ -11,6 +11,7 @@ profile goa-identity-service @{exec_path} {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus-session>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>

  #aa:dbus own bus=session name=org.gnome.Identity

--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -46,6 +46,7 @@ profile gsd-xsettings @{exec_path} {
  @{exec_path} mr,

  @{bin}/cat                   rix,
+  @{bin}/sed                   rix,
  @{bin}/which{,.debianutils}  rix,

  @{bin}/busctl         rPx,
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -12,11 +12,14 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>

+  signal (receive) set=(term) peer=gdm,
+
  @{exec_path} mr,

  /usr/share/dconf/profile/gdm r,
--- a/apparmor.d/groups/grub/grub-sort-version
+++ b/apparmor.d/groups/grub/grub-sort-version
@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = @{lib}/grub/grub-sort-version
 profile grub-sort-version @{exec_path} {
  include <abstractions/base>
+  include <abstractions/common/apt>
  include <abstractions/python>
-  include if exists <abstractions/common/apt>

  capability dac_read_search,

--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@ -13,14 +13,7 @@ profile gvfsd @{exec_path} {
  include <abstractions/bus-session>

  #aa:dbus own bus=session name=org.gtk.vfs.Daemon
-
-  dbus send bus=session path=/org/gtk/vfs/mounttracker
-       interface=org.gtk.vfs.MountTracker
-       peer=(name=org.freedesktop.DBus),
-
-  dbus receive bus=session path=/org/gtk/vfs/mounttracker
-       interface=org.gtk.vfs.MountTracker
-       peer=(name=:*), # all members
+  #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker

  dbus send bus=session path=/org/gtk/vfs/mountable
       interface=org.gtk.vfs.Mountable
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@ -15,7 +15,7 @@ profile gvfsd-dnssd @{exec_path} {
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.gtk.vfs.MountTracker>

-  dbus bind bus=session name=org.gtk.vfs.mountpoint_dnssd,
+  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd

  dbus receive bus=session path=/org/gtk/vfs/Daemon
       interface=org.gtk.vfs.Daemon
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@ -13,7 +13,7 @@ profile gvfsd-network @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/dconf-write>

-  dbus bind bus=session name=org.gtk.vfs.mountpoint_@{int},
+  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}

  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
       interface=org.gtk.vfs.Spawner
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@ -10,10 +10,27 @@ include <tunables/global>
@{exec_path} = @{lib}/{,gvfs/}gvfsd-recent
 profile gvfsd-recent @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-session>
  include <abstractions/nameservice-strict>
  include <abstractions/thumbnails-cache-read>

+  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
+
+  dbus receive bus=session path=/org/gtk/vfs/mountable
+       interface=org.gtk.vfs.Mountable
+       member=Mount
+       peer=(name=:*, label=gvfsd),
+  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
+       interface=org.gtk.vfs.Spawner
+       member=Spawned
+       peer=(name=:*, label=gvfsd),
+  dbus send bus=session path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=RegisterMount
+       peer=(name=:*, label=gvfsd),
+
  @{exec_path} mr,
+
  /usr/share/mime/mime.cache r,

  # Full access to user's data
@ -27,10 +44,10 @@ profile gvfsd-recent @{exec_path} {

  owner @{run}/user/@{uid}/gvfsd/ rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
+
+  @{run}/mount/utab r,
  
  owner @{PROC}/@{pid}/mountinfo r,

-  @{run}/mount/utab r,
-
  include if exists <local/gvfsd-recent>
 }
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@ -21,7 +21,7 @@ profile gvfsd-smb-browse @{exec_path} {
  network inet dgram,
  network inet6 dgram,

-  dbus bind bus=session name=org.gtk.vfs.mountpoint_smb_browse,
+  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_smb_browse

  dbus receive bus=session path=/org/gtk/vfs/mountable
       interface=org.gtk.vfs.Mountable
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -19,7 +19,7 @@ profile gvfsd-trash @{exec_path} {
  network inet stream,
  network inet6 stream,

-  dbus bind bus=session name=org.gtk.vfs.mountpoint_@{int},
+  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}

  dbus receive bus=session path=/org/gtk/vfs/Daemon
       interface=org.gtk.vfs.Daemon
--- a/apparmor.d/groups/kde/sddm-xsession
+++ b/apparmor.d/groups/kde/sddm-xsession
@ -89,7 +89,7 @@ profile sddm-xsession @{exec_path} {
    include if exists <local/sddm-xsession_dbus>
  }

-    profile gpg {
+  profile gpg {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
    include <abstractions/ssl_certs>
--- a/apparmor.d/groups/systemd/systemd-cryptsetup
+++ b/apparmor.d/groups/systemd/systemd-cryptsetup
@ -20,6 +20,8 @@ profile systemd-cryptsetup @{exec_path} {

  /etc/fstab r,

+  /var/swapfile rw,  #aa:only whonix
+
  @{run}/ r,
  @{run}/cryptsetup/ r,
  @{run}/cryptsetup/* rwk,
@ -31,5 +33,7 @@ profile systemd-cryptsetup @{exec_path} {
        @{PROC}/devices r,
  owner @{PROC}/@{pid}/mountinfo r,

+  /dev/loop-control r,  #aa:only whonix
+
  include if exists <local/systemd-cryptsetup>
 }
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@ -29,6 +29,7 @@ profile apport @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  @{bin}/gdbus        rix,
+  @{bin}/{,e,f}grep   rix,
  @{bin}/dpkg         rPx -> child-dpkg,
  @{bin}/dpkg-divert  rPx -> child-dpkg-divert,

--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -9,11 +9,12 @@ include <tunables/global>
@{exec_path} = /usr/share/apport/apport-gtk
 profile apport-gtk @{exec_path} {
  include <abstractions/base>
-  include <abstractions/common/apt>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/common/apt>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
@ -49,6 +50,7 @@ profile apport-gtk @{exec_path} {
  @{bin}/md5sum                 rix,
  @{bin}/pkexec                 rPx, # TODO: rCx or something
  @{bin}/systemctl              rCx -> systemctl,
+  @{bin}/systemd-detect-virt    rPx,
  @{bin}/which{,.debianutils}   rix,
  @{lib}/{,colord/}colord-sane  rPx,
  @{lib}/@{multiarch}/ld*.so*   rix,
@ -58,6 +60,7 @@ profile apport-gtk @{exec_path} {
  /usr/share/apport/general-hooks/*.py r,

  /etc/apport/{,**} r,
+  /etc/cloud/cloud.cfg.d/{,**} r,
  /etc/bash_completion.d/apport_completion r,
  /etc/cron.daily/apport r,
  /etc/default/apport r,
--- a/apparmor.d/groups/whonix/sensible-browser
+++ b/apparmor.d/groups/whonix/sensible-browser
@ -17,7 +17,12 @@ profile sensible-browser @{exec_path} {
  @{bin}/whichbrowser   rix,
  @{bin}/x-www-browser  rix,

+  @{lib}/msgcollector/generic_gui_message rPx,
+  @{lib}/msgcollector/striphtml rPx,
+
  @{bin}/torbrowser     rPx,

+  /etc/open_link_confirm.d/{,**} r,
+
  include if exists <local/sensible-browser>
 }
--- a/apparmor.d/groups/whonix/whonix-firewall-restarter
+++ b/apparmor.d/groups/whonix/whonix-firewall-restarter
@ -33,9 +33,7 @@ profile whonix-firewall-restarter @{exec_path} {

  /{run,var}/log/journal/ r,
  /{run,var}/log/journal/@{hex32}/ r,
-  /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
-  /{run,var}/log/journal/@{hex32}/system.journal* r,
-  /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/*.journal* r,

 owner /tmp/tmp.@{rand10} rw,

--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@ -26,10 +26,9 @@ profile mutt @{exec_path} {
  # Used to exec programs defined in the mailcap.
  # There are countless programs that can be executed from the mailcap.
  # This profile includes only the most basic.
-  @{bin}/{,ba,da}sh               rix,
+  @{sh_path}                      rix,
 
-  @{bin}/sendmail                rPUx,
-  @{lib}/sendmail/sendmail rPUx,
+  @{lib}/{,sendmail/}sendmail    rPUx,
  @{bin}/ispell                  rPUx, 
  @{bin}/abook                   rPUx,
  @{bin}/mutt_dotlock             rix,
@ -41,34 +40,33 @@ profile mutt @{exec_path} {
  @{bin}/vim             rCx -> editor,
  @{bin}/vim.*           rCx -> editor,
  @{bin}/sensible-editor rCx -> editor,
-  @{bin}/more            rCx -> pager,
-  @{bin}/less            rCx -> pager,
-  @{bin}/pager           rCx -> pager,
+
+  @{bin}/less            rPx -> child-pager,
+  @{bin}/more            rPx -> child-pager,
+  @{bin}/pager           rPx -> child-pager,
+
  @{bin}/gpg{2,}         rCx -> gpg,
  @{bin}/gpgconf         rCx -> gpg,
  @{bin}/gpgsm           rCx -> gpg,
  @{bin}/pgpewrap        rCx -> gpg,

  /usr/share/terminfo/** r,
+  /usr/share/mutt/** r,

-  # Mutt MIME types search path
-  /etc/mime.types           r,
-  owner @{HOME}/.mime.types r,
+  @{etc_ro}/mailcap r,
+  /etc/mime.types r,
+  /etc/mutt{,**} r,
+  /etc/Muttrc r,
+  /etc/Muttrc.d/{*,} r,

-  # Mutt mailcap search path
-  /etc/{mutt/,}mailcap   r,
-  /usr/etc/mailcap       r,
+  owner @{HOME}/.mail_aliases r, # Common location for mail aliases
  owner @{HOME}/.mailcap r,
-
-  # Mutt config files
-  /usr/share/mutt/**         r,
-  /etc/{mutt/,}Muttrc        r,
-  /etc/{mutt/,}Muttrc.d/{*,} r,
-  owner @{HOME}/.mutt/**     r,
-  owner @{HOME}/.muttrc*     r,
-
-  # Needed for the edit operation.
-  owner @{HOME}/ r,
+  owner @{HOME}/.mime.types r,
+  owner @{HOME}/.mutt_certificates rwk,
+  owner @{HOME}/.mutt/{,**} r,
+  owner @{HOME}/.mutthistory rwk,
+  owner @{HOME}/.muttrc* r,
+  owner @{HOME}/.signature r,  # Mutt signature file

  # User mbox
  # Could be a file or dir depending on mbox_type variable
@ -76,24 +74,14 @@ profile mutt @{exec_path} {
  owner @{HOME}/{mbox,postponed,sent}*   rwlk,
  owner @{HOME}/{mbox,postponed,sent}/   rw,
  owner @{HOME}/{mbox,postponed,sent}/** rwlk,
+
+  owner @{user_config_dirs}/mutt/{,**} r,
+  owner @{user_cache_dirs}/mutt rwk,
+
  # User maildir
  owner @{user_mail_dirs}/ rw,
  owner @{user_mail_dirs}/** rwlk -> @{user_mail_dirs}/**,

-  # Trusted certificate store
-  owner @{HOME}/.mutt_certificates rwk,
-  
-  # Mutt history file
-  owner @{HOME}/.mutthistory rwk,
-  
-  # Mutt signature file
-  owner @{HOME}/.signature r,
-
-  # Common location for mail aliases
-  owner @{HOME}/.mail_aliases r,
-
-  owner @{HOME}/.cache/mutt rwk,
-
  # Needed to compose a message
  owner /{var/,}tmp/.mutt*/  rw,
  owner /{var/,}tmp/.mutt*/* lrwk,
@ -137,35 +125,14 @@ profile mutt @{exec_path} {
  
    # Vim swap file 
    owner @{HOME}/ r,
-    owner @{HOME}/.cache/ r,
-    owner @{HOME}/.cache/vim/** wr,
+    owner @{user_cache_dirs}/ r,
+    owner @{user_cache_dirs}/vim/** wr,
   
    # This is the file that holds the message
    owner /{var/,}tmp/{.,}mutt* rw,

    include if exists <local/mutt_editor>
  }
-  
-  profile pager {
-    include <abstractions/base>
-    include <abstractions/consoles>
-
-    /usr/share/terminfo/** r,
-    /usr/share/file/misc/magic.mgc r,
-
-    @{bin}/less  mr,
-    @{bin}/more  mr,
-    @{bin}/pager mr,
-    
-    owner @{HOME}/.lesshs* r,
-    owner @{HOME}/.local/state/ r,
-    owner @{HOME}/.local/state/less* rw,
-  
-    # This is the file that holds the message
-    owner /{var/,}tmp/mutt* rw,
-
-    include if exists <local/mutt_pager>
-  }

  profile gpg {
    include <abstractions/base>
--- a/apparmor.d/profiles-m-r/nemo
+++ b/apparmor.d/profiles-m-r/nemo
@ -10,77 +10,19 @@ include <tunables/global>
@{exec_path} = @{bin}/nemo
 profile nemo @{exec_path} {
  include <abstractions/base>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
+  include <abstractions/desktop>
  include <abstractions/nameservice-strict>

-  # This should be tightened when the "profile has merged rule with conflicting x modifiers" error
-  # will be fixed. (#FIXME#)
-  include <abstractions/app-launcher-user>
-  include <abstractions/app-launcher-root>
-
-  # For root window
-  deny capability dac_read_search,
-  deny capability dac_override,
-
-  # Needed?
-  deny capability sys_nice,
-
  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

-  @{lib}/@{multiarch}/nemo/** mrix,
-
-  @{lib}/gvfsd-*              rPx,
+#   @{lib}/@{multiarch}/nemo/** mrix,

  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/fd/ r,

-  # To read/write files in the system. The read permission is granted for all files, the write
-  # permission only for the owner. Also, dirs like /dev/, /efi/, /proc/, /sys/ are not included in
-  # the list.
-        /         r,
-        /boot/    r,
-        /boot/**  r,
-  owner /boot/**  rw,
-        /etc/     r,
-        /etc/**   r,
-  owner /etc/**   rw,
-        /home/    r,
-        /home/**  r,
-  owner /home/**  rw,
-        /lost+found/ r,
-        /lost+found/** r,
-  owner /lost+found/** rw,
-        @{MOUNTS}/   r,
-        @{MOUNTS}/** r,
-  owner @{MOUNTS}/** rw,
-        /opt/     r,
-        /opt/**   r,
-  owner /opt/**   rw,
-        /root/    r,
-        /root/**  r,
-  owner /root/**  rw,
-        @{run}/   r,
-        @{run}/** r,
-  owner @{run}/** rw,
-        /srv/     r,
-        /srv/**   r,
-  owner /srv/**   rw,
-        /tmp/     r,
-        /tmp/**   r,
-  owner /tmp/**   rw,
-        /usr/     r,
-        /usr/**   r,
-  owner /usr/**   rw,
-        /var/     r,
-        /var/**   r,
-  owner /var/**   rw,
-
  include if exists <local/nemo>
 }
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -13,9 +13,9 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
+  include <abstractions/common/apt> #aa:only apt
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
-  include if exists <abstractions/common/apt>

  capability chown,
  capability dac_override,
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@ -21,6 +21,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
  network netlink raw,

  #aa:dbus own bus=system name=net.hadess.PowerProfiles
+  #aa:dbus own bus=system name=org.freedesktop.UPower.PowerProfiles

  @{exec_path} mr,

--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -28,6 +28,9 @@ profile snap @{exec_path} {

  mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,

+  #aa:dbus own bus=session name=io.snapcraft.Launcher
+  #aa:dbus own bus=session name=io.snapcraft.Settings
+
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -18,6 +18,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dri>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -35,10 +35,13 @@ profile wireplumber @{exec_path} {
  /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
  /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,

+  /usr/share/alsa/{,**} r,
  /usr/share/alsa-card-profile/{,**} r,
  /usr/share/spa-*/bluez@{int}/{,*} r,
  /usr/share/wireplumber/{,**} r,

+  /etc/alsa/conf.d/{,**} r,
+
  /etc/machine-id r,

  owner @{desktop_local_dirs}/ w,
@ -49,6 +52,8 @@ profile wireplumber @{exec_path} {
  owner @{user_state_dirs}/ w,
  owner @{user_state_dirs}/wireplumber/{,**} rw,

+  owner @{run}/user/@{uid}/pipewire-@{int} rw,
+
  @{run}/systemd/users/@{uid} r,

  @{run}/udev/data/c14:@{int} r,          # Open Sound System (OSS)
@ -69,7 +74,6 @@ profile wireplumber @{exec_path} {
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

  /dev/media@{int} rw,
-  /dev/snd/ r,

  include if exists <local/wireplumber>
 }
--- a/apparmor.d/profiles-s-z/yadifad
+++ b/apparmor.d/profiles-s-z/yadifad
@ -1,9 +1,10 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 include <tunables/global>

-@{exec_path} = /{,usr/}{,s}bin/yadifad
+@{exec_path} = @{bin}/yadifad
 profile yadifad @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -22,16 +23,12 @@ profile yadifad @{exec_path} {

  /etc/yadifa/yadifad.conf               r,

-        /var/lib/yadifa/**               r,
-  owner /var/lib/yadifa/ydf.@{rand6}       rw,
-  owner /var/lib/yadifa/keys/ydf.@{rand6}  rw,
-  owner /var/lib/yadifa/xfr/ydf.@{rand6}   rw,
+  /var/log/yadifa/{,**} rw,

-  /var/log/yadifa/*.log                  rw,
-  /var/log/yadifa/ydf.@{rand6}             rw,
+  owner /var/lib/yadifa/{,**}       rw,

+  owner @{run}/yadifa/{,*}    rw,
  owner @{run}/yadifa/yadifad.pid   rwk,
-  owner @{run}/yadifa/ydf.@{rand6}    rw,

  include if exists <local/yadifad>
 }