feat(profile): general update.

2025-01-30 23:05:11 +01:00 · 2024-02-29 21:45:42 +00:00 · 2024-02-29 21:45:42 +00:00 · 06abeac2ee
commit 06abeac2ee
parent cd09dc7688
33 changed files with 154 additions and 47 deletions
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -34,6 +34,7 @@ profile child-open {
  @{sh_path}               rix,
  @{bin}/{,m,g}awk         rix,
  @{bin}/basename          rix,
  @{bin}/env               rix,
  @{bin}/readlink          rix,
  include if exists <usr/child-open.d>
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -25,6 +25,11 @@ profile pipewire-media-session @{exec_path} {
  signal (receive) set=(cont term) peer=@{systemd_user},
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixProcessID
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@ -30,15 +30,15 @@ profile polkit-agent-helper @{exec_path} {
  signal (receive) set=(term, kill) peer=pkttyagent,
  signal (receive) set=(term, kill) peer=polkit-*-authentication-agent,
-  dbus (send) bus=system path=/org/freedesktop/PolicyKit1/Authority
+  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.DBus.Properties
       member=GetAll
-       peer=(name=:*),
+       peer=(name=:*, label=polkitd),
-  dbus (send) bus=system path=/org/freedesktop/PolicyKit1/Authority
+  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=AuthenticationAgentResponse2
-       peer=(name=:*),
+       peer=(name=:*, label=polkitd),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -51,7 +51,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
-       member=*Session
+       member={*Session,CreateSessionWithPIDFD}
       peer=(name=org.freedesktop.login1, label=systemd-logind),
  dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -45,6 +45,15 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
       member=GetActive
       peer=(name=org.gnome.Shell.ScreenShield, label=gnome-shell),
  dbus send bus=session path=/org/gnome/Shell
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=gnome-shell),
  dbus send bus=session path=/org/gnome/Shell
       interface=org.gnome.Shell.Extensions
       member=ListExtensions
       peer=(name=:*, label=gnome-shell),
  @{exec_path} mr,
  @{bin}/       r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -11,9 +11,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/dbus-session>
  include <abstractions/dbus>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
@ -32,6 +32,10 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
  dbus bus=accessibility,
  dbus bus=session,
  dbus bus=system,
  @{exec_path} mr,
  @{bin}/@{shells}     rUx,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -16,6 +16,7 @@ profile gnome-extension-ding @{exec_path} {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.Notifications>
  include <abstractions/bus/org.gnome.ArchiveManager1>
  include <abstractions/bus/org.gnome.Nautilus.FileOperations2>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/bus/org.gtk.vfs.Daemon>
@ -29,17 +30,13 @@ profile gnome-extension-ding @{exec_path} {
  unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
-  # dbus: own bus=session name=com.rastersoft.ding
+  # dbus: own bus=session name=com.rastersoft.ding interface={org.freedesktop.DBus.Properties,org.gtk.Actions}
  # dbus: talk bus=session name=com.rastersoft.dingextension label=gnome-shell
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect 
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
  dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=nautilus),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus*
@ -48,6 +45,11 @@ profile gnome-extension-ding @{exec_path} {
       interface=org.freedesktop.DBus*
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
  dbus send bus=session path=/org/gtk/vfs/metadata
       interface=org.gtk.vfs.Metadata
       member=Set
       peer=(name=:*, label=gvfsd-metadata),
  @{exec_path} mr,
  @{sh_path}                   rix,
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -9,15 +9,20 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-initial-setup
 profile gnome-initial-setup @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  network inet stream,
  network inet6 stream,
  network netlink raw,
-  # dbus: own bus=session name=org.gnome.InitialSetup
+  # dbus: own bus=session name=org.gnome.InitialSetup interface={org.freedesktop.DBus.Properties,org.gtk.Actions}
  @{exec_path} mr,
@ -35,6 +40,9 @@ profile gnome-initial-setup @{exec_path} {
  /var/lib/gdm{,3}/greeter-dconf-defaults r,
        @{run}/systemd/sessions/@{int} r,
  owner @{run}/systemd/users/@{uid} r,
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -14,7 +14,6 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/openssl>
@ -25,13 +24,18 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  signal (send) set=(term) peer=ssh-agent,
  # dbus: own bus=session name=org.gnome.keyring
-  # dbus: own bus=session name=org.freedesktop.secrets
+  # dbus: own bus=session name=org.freedesktop.{S,s}ecret{,s}
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=GetSession
       peer=(name=org.freedesktop.login1, label=systemd-logind),
  @{exec_path} mr,
  @{bin}/ssh-add   rix,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -49,7 +49,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
-       peer=(name=org.freedesktop.systemd1, label=@{systemd}),
+       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -12,6 +12,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  capability sys_ptrace,
@ -24,9 +25,14 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  signal (send) set=(kill term cont stop),
  # dbus: own bus=session name=org.gnome.SystemMonitor
  @{exec_path} mr,
  @{bin}/lsblk  rPx,
  @{bin}/pkexec rPx,
  @{bin}/sed    rix,
  @{sh_path}    rix,
  /usr/share/gnome-system-monitor/{,**} r,
  /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
@ -64,6 +70,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{PROC}/@{pids}/stat r,
  @{PROC}/@{pids}/statm r,
  @{PROC}/@{pids}/wchan r,
  @{PROC}/diskstats r,
  @{PROC}/vmstat r,
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -34,7 +34,7 @@ profile gnome-terminal-server @{exec_path} {
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -13,7 +13,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.ColorManager>
  include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -27,6 +26,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  # dbus: own bus=session name=org.gnome.SettingsDaemon.Color
  # dbus: talk bus=system name=org.freedesktop.ColorManager label=colord
  @{exec_path} mr,
  /usr/share/dconf/profile/gdm r,
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -39,6 +39,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  @{run}/systemd/sessions/@{int} r,
  @{run}/systemd/users/@{uid} r,
  @{PROC}/@{pid}/cgroup r,
  owner /dev/tty@{int} rw,
  include if exists <local/gsd-sharing>
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -26,6 +26,9 @@ profile mutter-x11-frames @{exec_path} {
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  @{sys}/devices/@{pci}/boot_vga r,
  owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,gvfs/}gvfsd-http
 profile gvfsd-http @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
@ -22,6 +23,21 @@ profile gvfsd-http @{exec_path} {
  network inet6 dgram,
  network netlink raw,
  # dbus: own bus=session name=org.gtk.vfs.mountpoint_http
  dbus receive bus=session path=/org/gtk/vfs/mountable
       interface=org.gtk.vfs.Mountable
       member=Mount
       peer=(name=:*, label=gvfsd),
  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/0
       interface=org.gtk.vfs.Spawner
       member=Spawned
       peer=(name=:*, label=gvfsd),
  dbus send bus=session path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker
       member=RegisterMount
       peer=(name=:*, label=gvfsd),
  @{exec_path} mr,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
--- a/apparmor.d/groups/ssh/ssh-agent-launch
+++ b/apparmor.d/groups/ssh/ssh-agent-launch
@ -14,6 +14,7 @@ profile ssh-agent-launch @{exec_path} {
  @{bin}/{,z,ba,da}sh   rix,
  @{bin}/dbus-update-activation-environment  rCx -> dbus,
  @{bin}/getopt         rix,
  @{bin}/grep           rix,
  @{bin}/ssh-agent      rPx,
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/busctl
 profile busctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-session>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/systemd-common>
@ -19,15 +22,25 @@ profile busctl @{exec_path} {
  unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,
  dbus eavesdrop bus=session,
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Monitoring
       member=BecomeMonitor
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
  @{exec_path} mr,
  @{bin}/less  rPx -> child-pager,
  @{bin}/more  rPx -> child-pager,
  @{bin}/pager rPx -> child-pager,
-  @{PROC}/@{pids}/cgroup r,
+  owner @{PROC}/@{pid}/cgroup r,
-  @{PROC}/@{pids}/comm r,
+  owner @{PROC}/@{pid}/cmdline r,
-  @{PROC}/@{pids}/stat r,
+  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/@{pid}/loginuid r,
  owner @{PROC}/@{pid}/sessionid r,
  owner @{PROC}/@{pid}/stat r,
  include if exists <local/busctl>
 }
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@ -19,6 +19,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{run}/cloud-init/ds-identify.log w,
  @{run}/host/container-manager r,
  @{run}/systemd/notify w,
--- a/apparmor.d/groups/systemd/systemd-generator-cloud-init
+++ b/apparmor.d/groups/systemd/systemd-generator-cloud-init
@ -19,7 +19,8 @@ profile systemd-generator-cloud-init @{exec_path} flags=(attach_disconnected) {
  @{bin}/systemd-detect-virt     rPx,
  @{lib}/cloud-init/ds-identify rPUx,
-  @{run}/cloud-init/cloud-init-generator.log rw,
+  @{run}/cloud-init/ w,
  @{run}/cloud-init/cloud-init-generator.* rw,
  @{run}/cloud-init/disabled w,
  @{PROC}/cmdline r,
--- a/apparmor.d/groups/systemd/systemd-generator-ds-identify
+++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify
@ -20,7 +20,10 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
  @{bin}/tr                      rix,
  @{bin}/uname                   rix,
-  @{run}/cloud-init/.ds-identify.result r,
+  @{run}/cloud-init/{,.}ds-identify.* rw,
  @{PROC}/cmdline r,
  @{PROC}/uptime r,
  include if exists <local/systemd-generator-ds-identify>
 }
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -19,6 +19,7 @@ profile systemd-journald @{exec_path} {
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability setgid,
  capability setuid,
  capability sys_admin,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -59,6 +59,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  / r,
  /boot/{,**} r,
  /efi/{,**} r,
  /swap.img r,
  /swap/swapfile r,
  /swapfile r,
--- a/apparmor.d/groups/ubuntu/apport
+++ b/apparmor.d/groups/ubuntu/apport
@ -10,10 +10,13 @@ include <tunables/global>
 profile apport @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/apt-common>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
  capability dac_read_search,
  capability fsetid,
  capability setgid,
  capability setuid,
@ -21,21 +24,32 @@ profile apport @{exec_path} flags=(attach_disconnected) {
  ptrace (read) peer=gnome-shell,
  ptrace (read) peer=snap.cups.cupsd,
  ptrace (read) peer=tracker-extract,
  @{exec_path} mr,
-  /usr/share/apport/ r,
+  @{bin}/dpkg rPx,
  @{bin}/gdbus rix,
  /usr/share/apport/{,**} r,
  /etc/apport/report-ignore/{,**} r,
        /var/crash/ rw,
        /var/crash/*.@{uid}.crash rw,
  owner /var/log/apport.log rw,
  @{run}/apport.lock rwk,
-  @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pid}/environ r,
-  @{PROC}/sys/fs/suid_dumpable w,
+        @{PROC}/@{pid}/stat r,
-  @{PROC}/sys/kernel/core_pattern r,
+        @{PROC}/sys/fs/suid_dumpable w,
-  @{PROC}/sys/kernel/core_pattern w,
+        @{PROC}/sys/kernel/core_pattern r,
-  @{PROC}/sys/kernel/core_pipe_limit w,
+        @{PROC}/sys/kernel/core_pattern w,
        @{PROC}/sys/kernel/core_pipe_limit w,
  owner @{PROC}/@{pid}/attr/current r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  include if exists <local/apport>
 }
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -14,13 +14,11 @@ profile apport-gtk @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/dconf-write>
-  include <abstractions/fonts>
+  include <abstractions/gnome-strict>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  include <abstractions/wayland>
  capability fowner,
  capability sys_ptrace,
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -22,17 +22,24 @@ profile update-notifier @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/python>
-  # dbus: talk bus=system name=org.debian.apt label=apt
+  unix (bind) type=stream addr=@@{hex}/bus/systemd/bus-api-user,
-#   dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
+  # dbus: talk bus=system name=org.debian.apt label=apt
 #        interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
 #        peer=(name=:*, label=gnome-shell),
  dbus receive bus=session path=/org/ayatana/NotificationItem/software_update_available
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=:*, label=gnome-shell),
  dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch{,/Menu}
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=gnome-shell),
  dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch/Menu
       interface=com.canonical.dbusmenu
       member={AboutToShow,GetGroupProperties,GetLayout}
       peer=(name=:*, label=gnome-shell),
  @{exec_path} mr,
  @{sh_path}                                     rix,
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@ -11,6 +11,8 @@ profile anacron @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  signal (receive) set=(usr1) peer=@{systemd},
  @{exec_path} mr,
  @{sh_path}         rix,
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@ -12,6 +12,7 @@ profile file-roller @{exec_path} {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/profiles-m-r/obexd
+++ b/apparmor.d/profiles-m-r/obexd
@ -17,13 +17,12 @@ profile obexd @{exec_path} {
  network bluetooth stream,
  network bluetooth seqpacket,
-  # dbus: own bus=system name=org.bluez.obex
+  # dbus: own bus=session name=org.bluez.obex
  @{exec_path} mr,
  owner @{user_cache_dirs}/ rw,
-  owner @{user_cache_dirs}/obexd/ rw,
+  owner @{user_cache_dirs}/obexd/{,**} rw,
  owner @{user_cache_dirs}/obexd/* rw,
  owner @{HOME}/bluetooth/* rw,
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -19,6 +19,7 @@ profile snap @{exec_path} {
  include <abstractions/nameservice-strict>
  capability dac_read_search,
  capability setuid,
  capability sys_admin,
  unix (send, receive) type=stream peer=(label=apt),
@ -28,12 +29,12 @@ profile snap @{exec_path} {
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=StartTransientUnit
-       peer=(name=org.freedesktop.systemd1, label="@{systemd}"),
+       peer=(name=org.freedesktop.systemd1, label="@{systemd_user}"),
  dbus receive bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
       member=JobRemoved
-       peer=(name=:*, label="@{systemd}"),
+       peer=(name=:*, label="@{systemd_user}"),
  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
@ -47,9 +48,6 @@ profile snap @{exec_path} {
  @{bin}/gpg{,2}          rCx -> gpg,
  @{bin}/systemctl        rPx -> child-systemctl,
  /snap/{,**} rw,
  @{lib}/snapd/snap-confine rPx -> /usr/lib/snapd/snap-confine,
  @{lib_dirs}/snapd/snap-confine     rPx,
  @{lib_dirs}/snapd/snap-seccomp     rPx,
  @{lib_dirs}/snapd/snapd            rPx,
@ -60,6 +58,7 @@ profile snap @{exec_path} {
  /var/cache/snapd/commands.db rwk,
  /var/cache/snapd/names r,
  /snap/{,**} rw,
  @{HOME}/snap/{,**} rw,
  owner /tmp/snapd-auto-import-mount-@{int}/ rw,
--- a/apparmor.d/profiles-s-z/snapd-apparmor
+++ b/apparmor.d/profiles-s-z/snapd-apparmor
@ -17,6 +17,7 @@ profile snapd-apparmor @{exec_path} {
  @{bin}/systemd-detect-virt         rPx,
  @{bin}/apparmor_parser             rPx,
  @{lib_dirs}/snapd/apparmor_parser  rPx -> apparmor_parser,
  @{lib_dirs}/snapd/info r,
  /var/lib/snapd/apparmor/profiles/ r,
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{name} = thunderbird{,-bin}
+@{name} = thunderbird{,.sh,-bin} 
@{lib_dirs} = @{lib}/@{name}
@{config_dirs} = @{HOME}/.@{name}/
@{cache_dirs} = @{user_cache_dirs}/@{name}/
@ -59,7 +59,8 @@ profile thunderbird @{exec_path} {
  @{exec_path} mrix,
-  @{sh_path}         rix,
+  @{sh_path}                rix,
  @{bin}/which.debianutils  rix,
  @{lib_dirs}/{,**}                            r,
  @{lib_dirs}/*.so                            mr,
--- a/dists/ignore/main.ignore
+++ b/dists/ignore/main.ignore
@ -15,7 +15,6 @@ man
 # Work in progress profiles
 plasma-discover
 snap
 steam
 steam-fossilize
 steam-game