feat(profiles): general update.

apparmor.d/groups/apps/vlc

@@ -26,14 +26,14 @@ profile vlc @{exec_path} {
   include <abstractions/user-download-strict>
   include <abstractions/vulkan>
 
-  signal (receive) set=(term, kill) peer=anyremote//*,
-
   network inet dgram,
   network inet6 dgram,
   network inet stream,
   network inet6 stream,
   network netlink raw,
 
+  signal (receive) set=(term, kill) peer=anyremote//*,
+
   dbus send    bus=session path=/org/freedesktop/DBus 
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName,GetConnectionUnixProcessID}

apparmor.d/groups/gnome/gsd-media-keys

@@ -14,6 +14,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
   include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>

apparmor.d/groups/gnome/gsd-power

@@ -10,10 +10,11 @@ include <tunables/global>
 profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
+  include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
-  include <abstractions/dbus-accessibility-strict>
   include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/gtk>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gnome/tracker-extract

@@ -112,6 +112,7 @@ profile tracker-extract @{exec_path} {
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   /dev/dri/card[0-9]* rw,
   /dev/dri/renderD128 rw,

apparmor.d/groups/systemd/coredumpctl

@@ -67,8 +67,6 @@ profile coredumpctl @{exec_path} flags=(complain) {
 
     @{PROC}/@{pids}/fd/  r,
 
-    # Silencer
-    deny /usr/share/** w,
 
   }
 

apparmor.d/groups/systemd/systemd-udevd

@@ -89,6 +89,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
   @{run}/udev/** rwk,
 
   @{run}/systemd/network/ r,
+  @{run}/systemd/network/*.link rw,
   @{run}/systemd/notify rw,
   @{run}/systemd/seats/seat[0-9]* r,
 

apparmor.d/groups/systemd/systemd-userdbd

@@ -23,7 +23,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}lib/systemd/systemd-userwork rPx,
+  /{usr/,}lib/systemd/systemd-userwork rix,
 
   /etc/shadow r,
   /etc/machine-id r,

apparmor.d/groups/virt/cockpit-pcp

@@ -26,6 +26,8 @@ profile cockpit-pcp @{exec_path} {
 
   /var/lib/pcp/{,**} rw,
 
+  /var/log/pcp/pmlogger/ r,
+
         @{PROC}/diskstats r,
         @{PROC}/swaps r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/groups/virt/docker-proxy

@@ -12,6 +12,9 @@ profile docker-proxy @{exec_path} {
 
   capability net_admin,
 
+  network inet stream,
+  network inet6 stream,
+
   @{exec_path} mr,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

apparmor.d/profiles-a-f/aa-log

@@ -19,6 +19,7 @@ profile aa-log @{exec_path} {
   /var/lib/dbus/machine-id r,
 
   /var/log/audit/* r,
+  /var/log/syslog* r,
 
   /{run,var}/log/journal/ r,
   /{run,var}/log/journal/@{hex}/{,*} r,

apparmor.d/profiles-a-f/blueman

@@ -16,13 +16,14 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
+  include <abstractions/nameservice-strict>
   include <abstractions/python>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download-strict>
 
   network inet stream,
   network inet6 stream,
-
+  network netlink raw,
   network bluetooth raw,
 
   ptrace (read) peer=gjs-console,

apparmor.d/profiles-m-r/pass

@@ -13,8 +13,8 @@ profile pass @{exec_path} {
 
   @{exec_path} mr,
 
+  /{usr/,}bin/{,ba,da}sh rix,
   /{usr/,}bin/base64    rix,
-  /{usr/,}bin/bash      rix,
   /{usr/,}bin/cat       rix,
   /{usr/,}bin/cp        rix,
   /{usr/,}bin/diff      rix,

apparmor.d/profiles-s-z/spice-vdagent

@@ -10,8 +10,9 @@ include <tunables/global>
 profile spice-vdagent @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
-  include <abstractions/dbus-session-strict>
   include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/gtk>
   include <abstractions/X-strict>
@@ -56,9 +57,9 @@ profile spice-vdagent @{exec_path} {
 
   @{sys}/devices/pci[0-9]*/**/{device,vendor} r,
 
-  /dev/dri/card[0-9]* rw,
-
   owner @{PROC}/@{pids}/task/@{tid}/comm rw,
 
+  /dev/dri/card[0-9]* rw,
+
   include if exists <local/spice-vdagent>
 }

apparmor.d/profiles-s-z/steam-game

@@ -205,6 +205,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/input/ r,
   @{sys}/class/sound/ r,
   @{sys}/devices/**/input[0-9]*/ r,
+  @{sys}/devices/**/input[0-9]*/**/{vendor,product} r,
   @{sys}/devices/**/input[0-9]*/capabilities/* r,
   @{sys}/devices/**/input/input[0-9]*/ r,
   @{sys}/devices/**/uevent r,

apparmor.d/profiles-s-z/swapon

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -17,10 +18,10 @@ profile swapon @{exec_path} {
 
   /etc/fstab r,
 
-  @{PROC}/swaps r,
-
-  # SWAP file common locations
   owner /swapfile rw,
+  owner /swap/swapfile rw,
+
+  @{PROC}/swaps r,
 
   include if exists <local/swapon>
 }