feat(profiles): general update.

apparmor.d/groups/bus/dbus-daemon-launch-helper

@@ -19,9 +19,10 @@ profile dbus-daemon-launch-helper @{exec_path} {
   @{exec_path} mr,
 
   /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism         rPx,
+  /{usr/,}lib/cups-pk-helper-mechanism                      rPx,
   /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism       rPx,
   /{usr/,}lib/software-properties/software-properties-dbus  rPx,
-  
+
   /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,
 
   /usr/share/dbus-1/{,**} r,

apparmor.d/groups/freedesktop/plymouth

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/plymouth
 profile plymouth @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"),
 

apparmor.d/groups/freedesktop/pulseaudio

@@ -34,105 +34,78 @@ profile pulseaudio @{exec_path} {
   network bluetooth stream,
   network bluetooth seqpacket,
 
-  dbus (send)
-     bus=session
-     path=/Client0/EntryGroup[0-9]*
-     interface=org.freedesktop.Avahi.EntryGroup
-     member={GetState,AddService,AddServiceSubtype,Commit}
-     peer=(name=org.freedesktop.Avahi),
+  dbus send bus=session path=/Client0/EntryGroup[0-9]*
+       interface=org.freedesktop.Avahi.EntryGroup
+       member={GetState,AddService,AddServiceSubtype,Commit}
+       peer=(name=org.freedesktop.Avahi),
 
-  dbus (receive)
-     bus=session
-     path=/Client0/EntryGroup[0-9]*
-     interface=org.freedesktop.Avahi.EntryGroup
-     member=StateChanged
-     peer=(name=org.freedesktop.Avahi),
+  dbus receive bus=session path=/Client0/EntryGroup[0-9]*
+       interface=org.freedesktop.Avahi.EntryGroup
+       member=StateChanged
+       peer=(name=org.freedesktop.Avahi),
 
-  dbus (send)
-     bus=session
-     path=/org/freedesktop/DBus
-     interface=org.freedesktop.DBus
-     member={RequestName,ReleaseName}
-     peer=(name=org.freedesktop.DBus),
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName}
+       peer=(name=org.freedesktop.DBus),
 
-  dbus (receive)
-     bus=session
-     path=/org/freedesktop/DBus
-     interface=org.freedesktop.DBus
-     member={Hello,RequestName,ReleaseName}
-     peer=(name=:*),
+  dbus receive bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={Hello,RequestName,ReleaseName}
+       peer=(name=:*),
 
-  dbus (receive)
-     bus=session
-     interface=org.freedesktop.DBus.Introspectable
-     member=Introspect,
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect,
 
-  dbus (bind)
-     bus=session
-     name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
+  dbus bind bus=session
+       name=org.freedesktop.ReserveDevice[0-9].Audio[0-9],
 
-  dbus (bind)
-     bus=session
-     name=org.PulseAudio[0-9],
+  dbus bind bus=session
+       name=org.PulseAudio[0-9],
 
-  dbus (bind)
-     bus=session
-     name=org.pulseaudio*,
+  dbus bind bus=session
+       name=org.pulseaudio*,
 
-  dbus (send)
-     bus=system
-     path=/org/freedesktop/DBus
-     interface=org.freedesktop.DBus
-     member={Hello,AddMatch,RemoveMatch}
-     peer=(name=org.freedesktop.DBus),
+  dbus send bus=system
+       path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={Hello,AddMatch,RemoveMatch}
+       peer=(name=org.freedesktop.DBus),
 
-  dbus (send)
-     bus=system
-     path=/org/freedesktop/RealtimeKit[0-9]
-     member={Get,MakeThreadHighPriority,MakeThreadRealtime}
-     peer=(name=org.freedesktop.RealtimeKit[0-9]),
+  dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+       member={Get,MakeThreadHighPriority,MakeThreadRealtime}
+       peer=(name=org.freedesktop.RealtimeKit[0-9]),
 
-  dbus (send)
-     bus=system
-     path=/
-     interface=org.freedesktop.DBus.ObjectManager
-     member=GetManagedObjects
-     peer=(name=org.bluez),
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=org.bluez),
   
-  dbus (send)
-     bus=system
-     path=/
-     interface=org.freedesktop.DBus.Peer
-     member=Ping
-     peer=(name=org.freedesktop.Avahi),
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=org.freedesktop.Avahi),
 
-  dbus (send)
-     bus=system
-     path=/
-     interface=org.freedesktop.Avahi.Server
-     member={GetAPIVersion,GetState,EntryGroupNew}
-     peer=(name=org.freedesktop.Avahi),
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member={GetAPIVersion,GetState,EntryGroupNew}
+       peer=(name=org.freedesktop.Avahi),
 
-  dbus (receive)
-     bus=system
-     path=/
-     interface=org.freedesktop.Avahi.Server
-     member=StateChanged
-     peer=(name=org.freedesktop.Avahi),
+  dbus receive bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=StateChanged
+       peer=(name=org.freedesktop.Avahi),
 
-  dbus (send)
-     bus=system
-     path=/
-     interface=org.freedesktop.hostname[0-9]
-     member=Get
-     peer=(name=/org/freedesktop/hostname[0-9]),
+  dbus send bus=system path=/
+       interface=org.freedesktop.hostname[0-9]
+       member=Get
+       peer=(name=/org/freedesktop/hostname[0-9]),
 
-  dbus (send)
-     bus=system
-     path=/org.freedesktop.hostname[0-9]
-     interface=org.freedesktop.DBus.Prope
-     member=Get
-     peer=(name=/org/freedesktop/hostname[0-9]),
+  dbus send bus=system path=/org.freedesktop.hostname[0-9]
+       interface=org.freedesktop.DBus.Prope
+       member=Get
+       peer=(name=/org/freedesktop/hostname[0-9]),
 
   @{exec_path} mrix,
 

apparmor.d/groups/freedesktop/update-mime-database

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/update-mime-database
 profile update-mime-database @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   capability dac_override,
   capability dac_read_search,

apparmor.d/groups/gnome/evolution-calendar-factory

@@ -31,6 +31,12 @@ profile evolution-calendar-factory @{exec_path} {
        interface=org.freedesktop.NetworkManager
        member={CheckPermissions,StateChanged},
 
+  dbus (send,receive) bus=session path=/org/gnome/evolution/dataserver{,/**}
+       interface={org.freedesktop.DBus.{Introspectable,ObjectManager,Properties},org.gnome.evolution.dataserver.*},
+
+  dbus bind bus=session
+       name=org.gnome.evolution.dataserver.Calendar[0-9],
+
   @{exec_path} mr,
   @{exec_path}-subprocess rix,
 

apparmor.d/groups/gnome/gnome-session-binary

@@ -49,6 +49,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.login[0-9].Manager
        member={SessionNew,PrepareForShutdown,SessionRemoved},
 
+  dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/**}
+       interface={org.freedesktop.DBus.{Properties,Introspectable},org.gnome.SessionManager},
+
+  dbus send bus=session path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       peer=(name=:org.freedesktop.systemd1),
+
+  dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
+       interface=org.gnome.Mutter.IdleMonitor
+       member=AddIdleWatch
+       peer=(name=:*),
+
+  dbus send bus=session path=/org/gnome/ScreenSaver
+       interface=org.gnome.ScreenSaver
+       member=GetActive 
+       peer=(name=:*),
+
   @{exec_path} mr,
 
   /{usr/,}bin/{,z,ba,da}sh                                 rix,
@@ -57,6 +74,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/mkdir                                        rix,
   /{usr/,}bin/touch                                        rix,
   /{usr/,}bin/gsettings                                    rix,
+  /{usr/,}bin/gsettings-data-convert                       rix,
   /{usr/,}bin/session-migration                            rix,
   /{usr/,}bin/xdg-user-dirs-gtk-update                     rix,
   @{libexec}/gnome-session-check-accelerated               rix,
@@ -124,22 +142,23 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/applications/mimeinfo.cache r,
   owner @{user_share_dirs}/session_migration-ubuntu r,
 
-  owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
-  owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
-  owner @{run}/user/@{uid}/systemd/notify w,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
         @{run}/systemd/inhibit/[0-9]*.ref rw,
         @{run}/systemd/sessions/* r,
         @{run}/systemd/sessions/*.ref rw,
         @{run}/systemd/users/@{uid} r,
+  owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
+  owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
+  owner @{run}/user/@{uid}/systemd/notify w,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   @{sys}/devices/**/{vendor,device} r,
 
-  owner @{PROC}/@{pid}/loginuid r,
-  owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pid}/cgroup r,
         @{PROC}/cmdline r,
+        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/loginuid r,
 
   /dev/tty rw,
   /dev/tty[0-9]* rw,

apparmor.d/groups/gnome/gsd-printer

@@ -11,6 +11,7 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
 
   signal (receive) set=(term, hup) peer=gdm*,
   signal (receive) set=(hup) peer=gsd-print-notifications,
@@ -25,8 +26,26 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {
   dbus bind bus=system
        name=com.redhat.PrinterDriversInstaller,
 
+  dbus (send,receive) bus=session path=/org/gnome/SessionManager
+       interface=org.gnome.SessionManager
+       peer=(name=:*),
+
+  dbus send bus=session path=/org/gnome/SessionManager
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*),
+
+  dbus receive bus=session path=/
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect 
+       peer=(name=:*),
+
   @{exec_path} mr,
 
+  owner /tmp/[a-z0-9]* rw,
+
+  owner @{PROC}/@{pid}/cgroup r,
+
   owner /dev/tty[0-9]* rw,
 
   include if exists <local/gsd-printer>

apparmor.d/groups/network/mullvad-gui

@@ -46,6 +46,7 @@ profile mullvad-gui @{exec_path} {
   /var/lib/dbus/machine-id r,
 
   owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
+  owner @{user_share_dirs}/gvfs-metadata/* r,
 
   owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,

apparmor.d/groups/network/networkd-dispatcher

@@ -18,6 +18,8 @@ profile networkd-dispatcher @{exec_path} {
   /{usr/,}bin/ r,
   /{usr/,}bin/networkctl  rPx,
 
+  /etc/networkd-dispatcher/{,**} r,
+
   @{run}/systemd/notify rw,
 
   owner @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/systemd/systemd-coredump

@@ -26,11 +26,10 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/* r,
-  /{usr/,}sbin/* r,
   @{libexec}/** r,
-  /opt/** r,
   / r,
+  /{usr/,}{s,}bin/* r,
+  /opt/** r,
 
   /etc/systemd/coredump.conf r,
 
@@ -38,15 +37,15 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
   owner /var/lib/systemd/coredump/#[0-9]* rwl,
   owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,
 
-  owner @{PROC}/@{pid}/setgroups r,
-        @{PROC}/@{pids}/comm r,
         @{PROC}/@{pids}/cgroup r,
         @{PROC}/@{pids}/cmdline r,
-        @{PROC}/@{pids}/limits r,
-        @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/@{pids}/comm r,
         @{PROC}/@{pids}/environ r,
         @{PROC}/@{pids}/fd/ r,
         @{PROC}/@{pids}/fdinfo/[0-9]* r,
+        @{PROC}/@{pids}/limits r,
+        @{PROC}/@{pids}/mountinfo r,
+  owner @{PROC}/@{pid}/setgroups r,
 
   include if exists <local/systemd-coredump>
 }

apparmor.d/groups/systemd/systemd-hostnamed

@@ -26,8 +26,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
        peer=(name=org.freedesktop.PolicyKit1),
 
   dbus receive bus=system path=/org/freedesktop/hostname[0-9]
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll,SetHostname},
+       interface=org.freedesktop.{DBus.Properties,hostname1}
+       member={Get,GetAll,SetHostname}
+       peer=(name=:*),
 
   dbus bind bus=system 
        name=org.freedesktop.hostname[0-9],

apparmor.d/groups/systemd/systemd-networkd

@@ -39,6 +39,11 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
        interface=org.freedesktop.DBus.Properties
        member=Get,
 
+  dbus send bus=system path=/org/freedesktop/network[0-9]/link/*
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged 
+       peer=(name=org.freedesktop.DBus),
+
   dbus bind bus=system
        name=org.freedesktop.network1,
 
@@ -55,6 +60,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
 
         @{run}/systemd/network/ r,
         @{run}/systemd/network/*.network r,
+        @{run}/systemd/notify rw,
   owner @{run}/systemd/netif/.#state rw,
   owner @{run}/systemd/netif/.#state* rw,
   owner @{run}/systemd/netif/leases/.#* rw,

apparmor.d/groups/systemd/systemd-timesyncd

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
 profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/dbus-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/systemd-common>
 
@@ -20,6 +21,9 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
   network inet stream,
   network inet6 stream,
 
+  dbus bind bus=system
+       name=org.freedesktop.timesync1,
+
   @{exec_path} mr,
 
   /etc/adjtime r,
@@ -34,19 +38,5 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/netif/state r,
         @{run}/systemd/notify rw,
 
-  # dbus-stricter
-  @{run}/dbus/system_bus_socket rw,
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={Hello,RequestName}
-       peer=(name=org.freedesktop.DBus),
-
-  dbus bind
-       bus=system
-       name=org.freedesktop.timesync1,
-
   include if exists <local/systemd-timesyncd>
 }

apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot

@@ -14,7 +14,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
 
   /{usr/,}{s,}bin/dumpe2fs  rPx,
   /{usr/,}bin/{,ba,da}sh    rix,
-  /{usr/,}bin/{m,}awk       rix,
+  /{usr/,}bin/{m,g,}awk     rix,
   /{usr/,}bin/cat           rix,
   /{usr/,}bin/cut           rix,
   /{usr/,}bin/date          rix,
@@ -37,6 +37,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
     @{sys}/devices/virtual/block/**/ r,
     @{sys}/devices/virtual/block/**/autoclear r,
     @{sys}/devices/virtual/block/**/backing_file r,
+    @{sys}/devices/virtual/block/dm-[0-9]*/dm/name r,
 
     @{PROC}/@{pid}/mountinfo r,
 

apparmor.d/profiles-a-f/dhclient-script

@@ -14,88 +14,60 @@ profile dhclient-script @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
 
+  capability net_admin,
   capability sys_admin,
-
-  # Needed?
-  audit deny capability sys_module,
+  audit capability sys_module,
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,ba,da}sh mrix,
+  /{usr/,}{s,}bin/ddclient  rPx,
+  /{usr/,}{s,}bin/sysctl    rix,
+  /{usr/,}bin/{,ba,da}sh   mrix,
+  /{usr/,}bin/chmod         rix,
+  /{usr/,}bin/chown         rix,
+  /{usr/,}bin/chronyc       rPUx,
+  /{usr/,}bin/date          rix,
+  /{usr/,}bin/fold          rix,
+  /{usr/,}bin/head          rix,
+  /{usr/,}bin/hostname      rix,
+  /{usr/,}bin/ip            rix,
+  /{usr/,}bin/logger        rix,
+  /{usr/,}bin/mkdir         rix,
+  /{usr/,}bin/mv            rix,
+  /{usr/,}bin/paste         rix,
+  /{usr/,}bin/ping          rPx,
+  /{usr/,}bin/printenv      rix,
+  /{usr/,}bin/readlink      rix,
+  /{usr/,}bin/rm            rix,
+  /{usr/,}bin/run-parts     rCx -> run-parts,
+  /{usr/,}bin/sed           rix,
+  /{usr/,}bin/tr            rix,
+  /{usr/,}bin/xxd           rix,
+  /{usr/,}sbin/resolvconf   rPx,
 
-  /{usr/,}bin/mkdir       rix,
-  /{usr/,}bin/ping        rPx,
-  /{usr/,}bin/chronyc     rPUx,
-  /{usr/,}bin/run-parts   rCx -> run-parts,
-  /{usr/,}sbin/resolvconf rPx,
-
-  # To remove the following error:
-  #  /sbin/dhclient-script: 133: hostname: Permission denied
-  /{usr/,}bin/hostname    rix,
-
-  # To read scripts
-  /etc/dhcp/ r,
-  /etc/dhcp/dhclient-{enter,exit}-hooks.d/{,*} r,
-
-  # For debug script
-  /{usr/,}bin/date rix,
-  /etc/dhcp/debug r,
-  owner /tmp/dhclient-script.debug rw,
-
-  # For ddclient script
-  /{usr/,}{s,}bin/ddclient   rPx,
-  /etc/default/ddclient   r,
-  /{usr/,}bin/logger      rix,
-
-  # For samba script
-  /{usr/,}bin/mv rix,
-  /etc/samba/dhcp.conf{,.new} rw,
-  # For netbios name servers settings from a DHCP server
-  /var/lib/samba/dhcp.conf{,.new} rw,
-
-  # Many scripts may use the ip tool
-  capability net_admin,
-  /{usr/,}bin/ip        rix,
-
-  # For loadbalance
+  /etc/default/ddclient r,
+  /etc/dhcp/{,**} r,
+  /etc/fstab r,
   /etc/iproute2/rt_tables r,
   /etc/iproute2/rt_tables.d/{,*} r,
-  owner @{PROC}/@{pid}/loginuid r,
-
-  # For updating the /etc/resolv.conf file
-  /{usr/,}bin/readlink  rix,
-  /{usr/,}bin/rm rix,
-  /{usr/,}bin/chown     rix,
-  /{usr/,}bin/chmod     rix,
-  /{usr/,}bin/sed       rix,
-  /etc/fstab r,
-  /etc/resolv.conf.dhclient-new.@{pid} rw,
   /etc/resolv.conf rw,
+  /etc/resolv.conf.dhclient-new.@{pid} rw,
+  /etc/samba/dhcp.conf{,.new} rw,
 
-  # For stable-privacy addresses
-  /{usr/,}{s,}bin/sysctl   rix,
-  /{usr/,}bin/head      rix,
-  /{usr/,}bin/xxd       rix,
-  /{usr/,}bin/paste     rix,
-  /{usr/,}bin/fold      rix,
-  /{usr/,}bin/tr        rix,
-  @{PROC}/sys/net/ipv6/conf/*/stable_secret w,
+  /var/lib/dhcp/dhclient.leases r,
+  /var/lib/samba/dhcp.conf{,.new} rw,
 
-  # For printing env
-  /{usr/,}bin/printenv  rix,
+  owner /tmp/dhclient-script.debug rw,
   owner /tmp/variables.txt w,
 
-  # For ntpd/ntpsec
+  @{run}/chrony-dhcp/ rw,
   @{run}/systemd/netif/leases/ r,
 
-  # For chrony
-  @{run}/chrony-dhcp/ rw,
-
-  # file_inherit
-  /var/lib/dhcp/dhclient.leases r,
-
   @{sys}/devices/virtual/dmi/id/board_vendor r,
 
+  owner @{PROC}/@{pid}/loginuid r,
+        @{PROC}/sys/net/ipv6/conf/*/stable_secret w,
+
   profile run-parts {
     include <abstractions/base>
 

apparmor.d/profiles-g-l/git

@@ -11,9 +11,9 @@ include <tunables/global>
 @{exec_path} += /{usr/,}bin/git-*
 @{exec_path} += /{usr/,}lib/git-core/git
 @{exec_path} += /{usr/,}lib/git-core/git-*
-@{exec_path} += /usr/libexec/git-core/git
-@{exec_path} += /usr/libexec/git-core/git-*
-@{exec_path} += /usr/libexec/git-core/mergetools/*
+@{exec_path} += @{libexec}/git-core/git
+@{exec_path} += @{libexec}/git-core/git-*
+@{exec_path} += @{libexec}/git-core/mergetools/*
 profile git @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -167,8 +167,9 @@ profile git @{exec_path} {
     /etc/vimrc r,
     /etc/vim/{,**} r,
 
-    owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
+    owner @{user_projects_dirs}/**/ r,
     owner @{user_projects_dirs}/**/.git/[0-9]* rw,
+    owner @{user_projects_dirs}/**/.git/*MSG rw,
 
     owner @{HOME}/.fzf/plugin/ r,
     owner @{HOME}/.fzf/plugin/fzf.vim r,

apparmor.d/profiles-m-r/needrestart

@@ -38,6 +38,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/needrestart/iucode-scan-versions  rPx,
   /usr/share/debconf/frontend                   rix,
 
+  /{usr/,}bin/networkd-dispatcher r,
   /{usr/,}bin/gettext.sh r,
   /usr/share/needrestart/{,**} r,
   /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
@@ -47,15 +48,18 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   /etc/needrestart/*.d/* rix,
   /etc/shadow r,
 
+  /boot/ r,
+  /boot/vmlinuz* r,
+
   owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
 
-  owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/ r,
         @{PROC}/@{pids}/cgroup r,
         @{PROC}/@{pids}/cmdline r,
         @{PROC}/@{pids}/environ r,
         @{PROC}/@{pids}/maps r,
         @{PROC}/@{pids}/stat r,
+  owner @{PROC}/@{pid}/fd/ r,
 
   /dev/ r,
   /dev/**/ r,

apparmor.d/profiles-m-r/needrestart-apt-pinvoke

@@ -10,6 +10,7 @@ include <tunables/global>
 profile needrestart-apt-pinvoke @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/dbus-strict>
 
   @{exec_path} mr,
 

apparmor.d/profiles-s-z/steam

@@ -86,7 +86,7 @@ profile steam @{exec_path} {
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{setup,run}.sh  rix,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{amd64,i386}/usr/bin/* rix,
-  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib/**.so*  mr,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/**.so*  mr,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper rix,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper.sh rix,
 
@@ -140,6 +140,7 @@ profile steam @{exec_path} {
   owner /tmp/sh-thd.* rw,
   owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
   owner /tmp/miles_image_* mrw,
+  owner /tmp/runtime-info.txt.* rw,
 
   @{run}/udev/data/+input* r,      # for mouse, keyboard, touchpad
   @{run}/udev/data/+sound* r,
@@ -147,7 +148,7 @@ profile steam @{exec_path} {
 
   @{run}/udev/data/c13:[0-9]*  r,  # for /dev/input/*
   @{run}/udev/data/c116:[0-9]* r,  # for ALSA
-  @{run}/udev/data/c241:[0-9]* r,
+  @{run}/udev/data/c24[0-9]:[0-9]* r,
   @{run}/udev/data/n[0-9]* r,
 
   @{sys}/ r,
@@ -167,6 +168,9 @@ profile steam @{exec_path} {
   @{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
   @{sys}/devices/system/cpu/** r,
   @{sys}/devices/system/node/ r,
+  @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r,
+  @{sys}/devices/virtual/dmi/id/product_{name,version} r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/net/*/ r,
   @{sys}/devices/virtual/tty/tty[0-9]/active r,
   @{sys}/kernel/ r,
@@ -176,6 +180,7 @@ profile steam @{exec_path} {
         @{PROC}/@{pids}/comm rk,
         @{PROC}/@{pids}/net/route r,
         @{PROC}/@{pids}/stat r,
+        @{PROC}/1/cgroup r,
         @{PROC}/sys/fs/inotify/max_user_watches r,
         @{PROC}/sys/kernel/sched_autogroup_enabled r,
         @{PROC}/sys/kernel/unprivileged_userns_clone r,
@@ -193,7 +198,9 @@ profile steam @{exec_path} {
   owner @{PROC}/@{pid}/task/@{tid}/status r,
 
   /dev/input/ r,
+  /dev/input/event[0-9]* r,
   /dev/tty rw,
+  /dev/uinput w,
 
   audit deny /**.steam_exec_test.sh rw,
 

apparmor.d/profiles-s-z/steam-fossilize

@@ -21,7 +21,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/.steam/steam.pipe r,
 
-  owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/fozpipelinesv[0-9]*/{,*} rw,
+  owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/fozpipelinesv[0-9]*/{,**} rw,
   owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/mesa_shader_cache_sf/{,**} rwk,
   owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/ rw,
   owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/** rwk,

apparmor.d/profiles-s-z/steam-reaper

@@ -17,6 +17,7 @@ profile steam-reaper @{exec_path} {
 
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*.so*  mr,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib/**.so*  mr,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rpx -> steam-game,
 
   @{user_share_dirs}/Steam/steamapps/common/*/* rpx -> steam-game,
 

apparmor.d/profiles-s-z/whereis

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,31 +14,29 @@ profile whereis @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}{local/,}{s,}bin/ r,
-  /{usr/,}lib/go-*/bin/ r,
+  /{usr/,}{local/,}{s,}bin/{,*/} r,
   /{usr/,}{local/,}games/ r,
+  /{usr/,}lib/go-*/bin/ r,
 
-  /etc/ r,
-
+  @{libexec}/ r,
   /{usr/,}lib{,32,64}/ r,
-  /usr/local/{,etc/,lib/} r,
+  /usr/{local/,}{,etc/,lib/} r,
   /usr/include/ r,
   /usr/share/ r,
   /usr/share/info/{**,} r,
   /usr/share/man/{**,} r,
   /usr/src/{**,} r,
 
-  @{libexec}/ r,
-
   /opt/ r,
   /opt/cni/bin/ r,
   /opt/containerd/bin/ r,
 
   /snap/bin/ r,
+  /var/lib/flatpak/exports/bin/ r,
 
-  owner @{HOME}/{.local/,}/{.,}bin/ r,
   owner @{HOME}/.krew/bin/ r,
-  owner @{HOME}/go/bin/ r,
+  owner @{HOME}/{.,}go/bin/ r,
+  owner @{HOME}/{.local/,}{.,}bin/ r,
 
   include if exists <local/whereis>
 }

apparmor.d/profiles-s-z/whiptail

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,6 +14,8 @@ profile whiptail @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
+  /etc/newt/palette.ubuntu r,
+
   owner /tmp/gpm* w,
 
   include if exists <local/whiptail>