feat(profiles): general update.

2025-01-18 08:58:15 +01:00 · 2022-11-11 22:18:55 +00:00 · 2022-11-11 22:18:55 +00:00 · 26f838b73f
commit 26f838b73f
parent fd88162c55
23 changed files with 121 additions and 78 deletions
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@ -113,25 +113,25 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  owner /tmp/tmp.*/** rwk,
  owner /tmp/scoped_dir*/{,**} rw,
-             @{PROC}/ r,
+        @{PROC}/ r,
-             @{PROC}/vmstat r,
+        @{PROC}/@{pid}/fd/ r,
-             @{PROC}/sys/kernel/yama/ptrace_scope r,
+        @{PROC}/@{pids}/stat r,
-             @{PROC}/@{pid}/fd/ r,
+        @{PROC}/@{pids}/statm r,
-             @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/task/@{tid}/stat r,
-             @{PROC}/@{pids}/statm r,
+        @{PROC}/@{pids}/task/@{tid}/status r,
-       owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+        @{PROC}/sys/fs/inotify/max_user_watches r,
-  deny       @{PROC}/@{pids}/cmdline r,
+        @{PROC}/sys/kernel/yama/ptrace_scope r,
-       owner @{PROC}/@{pids}/environ r,
+        @{PROC}/vmstat r,
-       owner @{PROC}/@{pids}/task/ r,
+  owner @{PROC}/@{pid}/limits r,
-             @{PROC}/@{pids}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/mem r,
-             @{PROC}/@{pids}/task/@{tid}/status r,
+  owner @{PROC}/@{pid}/mountinfo r,
-       owner @{PROC}/@{pid}/limits r,
+  owner @{PROC}/@{pid}/mounts r,
-       owner @{PROC}/@{pid}/mem r,
+  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-       owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-       owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pids}/clear_refs w,
-             @{PROC}/sys/fs/inotify/max_user_watches r,
+  owner @{PROC}/@{pids}/cmdline r,
-       owner @{PROC}/@{pids}/clear_refs w,
+  owner @{PROC}/@{pids}/environ r,
-       owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+  owner @{PROC}/@{pids}/task/ r,
  @{run}/udev/data/* r,
@ -140,6 +140,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  @{sys}/class/ r,
  @{sys}/class/**/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/pci[0-9]*/**/boot_vga r,
  @{sys}/devices/pci[0-9]*/**/irq r,
  @{sys}/devices/pci[0-9]*/**/report_descriptor r,
  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
@ -149,9 +150,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/virtual/**/report_descriptor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
-  @{sys}/devices/pci[0-9]*/**/boot_vga r,
+  @{sys}/devices/virtual/tty/tty[0-9]/active r,
  deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
  /dev/ r,
  /dev/video[0-9]* rw,
--- a/apparmor.d/groups/browsers/google-chrome-chrome
+++ b/apparmor.d/groups/browsers/google-chrome-chrome
@ -22,7 +22,7 @@ profile google-chrome-chrome @{exec_path} {
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
-  include <abstractions/opencl-intel>
+  include <abstractions/opencl>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
@ -99,23 +99,25 @@ profile google-chrome-chrome @{exec_path} {
  # owner @{user_config_dirs}/chromium/*/ r,
  # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
-             @{PROC}/ r,
+        @{PROC}/ r,
-  deny       @{PROC}/vmstat r,
+        @{PROC}/@{pid}/fd/ r,
-             @{PROC}/sys/kernel/yama/ptrace_scope r,
+        @{PROC}/@{pids}/stat r,
-             @{PROC}/@{pid}/fd/ r,
+        @{PROC}/@{pids}/statm r,
-  deny       @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/task/@{tid}/stat r,
-  deny       @{PROC}/@{pids}/statm r,
+        @{PROC}/@{pids}/task/@{tid}/status r,
-       owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+        @{PROC}/sys/fs/inotify/max_user_watches r,
-  deny       @{PROC}/@{pids}/cmdline r,
+        @{PROC}/sys/kernel/yama/ptrace_scope r,
-  deny owner @{PROC}/@{pids}/environ r,
+        @{PROC}/vmstat r,
-       owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/limits r,
-  deny       @{PROC}/@{pids}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/mem r,
-             @{PROC}/@{pids}/task/@{tid}/status r,
+  owner @{PROC}/@{pid}/mountinfo r,
-  deny owner @{PROC}/@{pid}/limits r,
+  owner @{PROC}/@{pid}/mounts r,
-  deny owner @{PROC}/@{pid}/mem r,
+  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-       owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-       owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pids}/clear_refs w,
-  deny       @{PROC}/diskstats r,
+  owner @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pids}/environ r,
  owner @{PROC}/@{pids}/task/ r,
  @{run}/udev/data/* r,
@ -124,14 +126,21 @@ profile google-chrome-chrome @{exec_path} {
  @{sys}/class/ r,
  @{sys}/class/**/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/pci[0-9]*/**/boot_vga r,
  @{sys}/devices/pci[0-9]*/**/irq r,
  @{sys}/devices/pci[0-9]*/**/report_descriptor r,
  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
-  @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idProduct,idVendor,interface} r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
  @{sys}/devices/virtual/**/report_descriptor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/tty/tty[0-9]/active r,
  # Silencer
  deny @{CHROME_INSTALLDIR}/** w,
  deny @{user_share_dirs}/gvfs-metadata/* r,
  include if exists <local/google-chrome-chrome>
 }
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -23,8 +23,8 @@ profile child-open {
  /{usr/,}bin/exo-open                                     mr,
  /{usr/,}bin/xdg-open                                     mr,
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  mr,
+  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  mrix,
-  /{usr/,}lib/gio-launch-desktop                           mr,
+  /{usr/,}lib/gio-launch-desktop                           mrix,
  /{usr/,}bin/{,ba,da}sh        rix,
  /{usr/,}bin/{,m,g}awk         rix,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -66,6 +66,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  @{sys}/bus/ r,
  @{sys}/bus/media/devices/ r,
  @{sys}/class/ r,
  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -12,10 +12,13 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/user-download>
  include <abstractions/user-read>
  include <abstractions/vulkan>
@ -125,5 +128,9 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
  @{run}/mount/utab r,
  owner @{PROC}/@{pid}/mountinfo r,
  include if exists <local/xdg-desktop-portal-gnome>
 }
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -30,6 +30,8 @@ profile gnome-terminal-server @{exec_path} {
  # Some CLI program can be launched directly from Gnome Shell
  /{usr/,}bin/htop                 rPx,
  /{usr/,}bin/micro               rPUx,
  /{usr/,}bin/nvtop                rPx,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/X11/xkb/{,**} r,
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -9,13 +9,14 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-color
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@ -9,13 +9,14 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-keyboard
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -12,8 +12,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
  include <abstractions/dri-enumerate>
  include <abstractions/gnome>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/openssl>
  include <abstractions/trash>
  include <abstractions/vulkan>
@ -42,20 +45,22 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/firejail           rPUx,
  /{usr/,}lib/gio-launch-desktop  rPx -> child-open,
  /usr/share/*ubuntu/applications/{,**} r,
  /usr/share/nautilus/{,**} r,
  /usr/share/poppler/{,**} r,
  /usr/share/sounds/freedesktop/stereo/*.oga r,
  /usr/share/terminfo/ r,
  /usr/share/thumbnailers/{,**} r,
  /usr/share/tracker3/{,**} r,
  /usr/share/*ubuntu/applications/{,**} r,
  /usr/share/tracker/domain-ontologies/*.rule r,
  /usr/share/tracker3/{,**} r,
  /var/lib/snapd/desktop/icons/{,**} r,
  # Full access to user's data
  include <abstractions/deny-sensitive-home>
  / r,
-  /home/ r,
+  /*/ r,
  /{usr/,}bin/ r,
  @{libexec}/ r,
  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  owner @{HOME}/{,**} rw,
@ -74,10 +79,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  @{run}/mount/utab r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/system/cpu/possible r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -68,6 +68,7 @@ profile pacman @{exec_path} {
  /{usr/,}bin/iscsi-iname                 rix,
  /{usr/,}bin/killall                     rix,
  /{usr/,}bin/ln                          rix,
  /{usr/,}bin/perl                        rix,
  /{usr/,}bin/pkill                       rix,
  /{usr/,}bin/rm                          rix,
  /{usr/,}bin/sed                         rix,
@ -140,7 +141,7 @@ profile pacman @{exec_path} {
  # Silencer, 
  deny /tmp/ r,
-  deny @{HOME}/{,**} r,
+  deny @{HOME}/ r,
  profile gpg {
    include <abstractions/base>
--- a/apparmor.d/groups/ssh/sftp-server
+++ b/apparmor.d/groups/ssh/sftp-server
@ -7,6 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/openssh/sftp-server
@{exec_path} += /{usr/,}lib/ssh/sftp-server
 profile sftp-server @{exec_path} {
  include <abstractions/base>
  include <abstractions/openssl>
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -30,6 +30,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  capability audit_write,
  capability chown,
  capability dac_read_search,
  capability dac_override,
  capability fowner,
  capability kill,
  capability net_bind_service,
@ -65,6 +66,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/passwd               rPx,
  /{usr/,}lib/openssh/sftp-server  rPx,
  /etc/shells r,
  /etc/default/locale r,
  /etc/environment r,
  /etc/gss/mech.d/{,*} r,
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -68,7 +68,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
  /etc/udev/ r,
  /etc/udev/udev.conf r,
  /etc/udev/rules.d/ r,
-  /etc/udev/rules.d/[0-9][0-9]-*.rules r,
+  /etc/udev/rules.d/*.rules r,
  /etc/udev/hwdb.d/ r,
  /etc/udev/hwdb.d/[0-9][0-9]-*.hwdb r,
@ -84,8 +84,9 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
  @{run}/udev/ rw,
  @{run}/udev/** rw,
-  @{run}/systemd/seats/seat[0-9]* r,
+  @{run}/systemd/network/ r,
  @{run}/systemd/notify rw,
  @{run}/systemd/seats/seat[0-9]* r,
  @{sys}/** rw,
--- a/apparmor.d/profiles-a-f/frontend
+++ b/apparmor.d/profiles-a-f/frontend
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -10,17 +11,23 @@ include <tunables/global>
 profile frontend @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/perl>
+  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/perl>
-  #capability sys_tty_config,
+  capability dac_read_search,
  @{exec_path} r,
  /{usr/,}bin/perl r,
-  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/stty       rix,
+  /{usr/,}bin/hostname    rix,
-  /{usr/,}bin/locale     rix,
+  /{usr/,}bin/locale      rix,
  /{usr/,}bin/lsb_release rPx -> lsb_release,
  /{usr/,}bin/stty        rix,
  # debconf apps
  /{usr/,}{s,}bin/aspell-autobuildhash     rPx,
@ -69,24 +76,16 @@ profile frontend @{exec_path} flags=(complain) {
  owner /tmp/file* w,
  owner /var/cache/debconf/* rwk,
  @{HOME}/.Xauthority r,
  @{run}/user/@{uid}/pk-debconf-socket rw,
  # The following is needed when debconf uses GUI frontends.
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  capability dac_read_search,
  /{usr/,}bin/lsb_release rPx -> lsb_release,
  /{usr/,}bin/hostname    rix,
  owner @{PROC}/@{pid}/mounts r,
  @{HOME}/.Xauthority r,
  profile scripts flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>
    # What's this for? (#FIXME#)
    capability dac_read_search,
    /var/lib/dpkg/info/*.config             r,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -76,8 +76,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  /etc/pki/fwupd/{,**} r,
  /etc/pki/fwupd-metadata/{,**} r,
-  /etc/fwupd/{,**} r,
+  /etc/fwupd/{,**} rw,
  /etc/fwupd/remotes.d/* rw,
  /var/cache/fwupd/{,**} rw,
  /var/lib/fwupd/{,**} rw,
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@ -7,12 +7,13 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/login
-profile login @{exec_path} {
+profile login @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
  include <abstractions/dbus-strict>
  capability chown,
  capability fsetid,
@ -25,6 +26,10 @@ profile login @{exec_path} {
 #  network netlink raw,
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.*
       peer=(name=org.freedesktop.login1),
  @{exec_path} mr,
  /{usr/,}bin/{,z,ba,da}sh  rUx,
@ -51,11 +56,7 @@ profile login @{exec_path} {
  owner @{user_cache_dirs}/motd.legal-displayed rw,
-  dbus send
+  /dev/tty[0-9]* rw,
    bus="system" path="/org/freedesktop/DBus"   interface="org.freedesktop.DBus" member="Hello" peer=(name="org.freedesktop.DBus"),
  dbus send
    bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.*" peer=(name="org.freedesktop.login1"),
  include if exists <local/login>
 }
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@ -23,8 +23,11 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
  /usr/share/terminfo/x/xterm-256color r,
  owner @{user_config_dirs}/nvtop/{,**} rw,
  @{run}/systemd/inhibit/*.ref r,
  @{run}/udev/data/+drm:* r,
  @{run}/udev/data/+pci* r,
  @{run}/udev/data/c226:[0-9]* r,
  @{run}/udev/data/c236:[0-9]* r,
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -15,6 +15,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/ssl_certs>
  include if exists <abstractions/apt-common>
  capability net_admin,
  capability sys_nice,
  network inet stream,
--- a/apparmor.d/profiles-m-r/pacmd
+++ b/apparmor.d/profiles-m-r/pacmd
@ -24,7 +24,11 @@ profile pacmd @{exec_path} {
  /app/lib/libzypak*.so* mr,
  owner @{run}/user/@{uid}/pulse rw,
  owner @{PROC}/@{pids}/stat r,
  deny @{user_share_dirs}/gvfs-metadata/* r,
  include if exists <local/pacmd>
 }
--- a/apparmor.d/profiles-m-r/pactl
+++ b/apparmor.d/profiles-m-r/pactl
@ -31,5 +31,7 @@ profile pactl @{exec_path} {
  owner @{HOME}/.xsession-errors w,
  owner @{HOME}/.anyRemote/anyremote.stdout w,
  deny @{user_share_dirs}/gvfs-metadata/* r,
  include if exists <local/pactl>
 }
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@ -12,6 +12,7 @@ profile rngd @{exec_path} {
  include <abstractions/base>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  @{exec_path} mr,
--- a/apparmor.d/profiles-s-z/swtpm
+++ b/apparmor.d/profiles-s-z/swtpm
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/swtpm
 profile swtpm @{exec_path} {
  include <abstractions/base>
  include <abstractions/openssl>
  @{exec_path} mr,
--- a/apparmor.d/profiles-s-z/wireplumber
+++ b/apparmor.d/profiles-s-z/wireplumber
@ -40,14 +40,15 @@ profile wireplumber @{exec_path} {
  @{run}/udev/data/c81:[0-9]*  r,       # For video4linux
  @{sys}/bus/ r,
  @{sys}/bus/media/devices/ r,
  @{sys}/class/ r,
  @{sys}/class/sound/ r,
  @{sys}/devices/**/device:*/**/path r,
  @{sys}/devices/**/sound/**/pcm_class r,
  @{sys}/devices/**/sound/**/uevent r,
  @{sys}/devices/pci[0-9]*/**/modalias r,
  @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
  @{sys}/devices/system/cpu/possible r,
  @{sys}/devices/**/device:*/**/path r,
  /dev/media[0-9]* rw,
  /dev/snd/ r,