Merge branch 'main' into patch-profiles-m-r

2025-01-18 17:08:09 +01:00 · 2024-06-15 18:32:30 +03:00 · 2024-06-15 18:32:30 +03:00 · 280289247d
commit 280289247d
parent 40a30dc310 6c1cdf4d58
72 changed files with 1103 additions and 611 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -110,8 +110,7 @@
  /etc/@{name}/{,**} r,
  /etc/fstab r,
-  /etc/opensc.conf r,
+  /etc/{,opensc/}opensc.conf r,
  /etc/opensc/opensc.conf r, # Debian ubication
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
@ -151,10 +150,10 @@
  owner @{tmp}/.@{domain}.* rw,
  owner @{tmp}/.@{domain}*/{,**} rw,
  owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
-  owner @{tmp}/scoped_dir*/{,**} rw,
+  audit owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
-  owner @{tmp}/tmp.* rw,
+  owner @{tmp}/tmp.@{rand6} rw,
-  owner @{tmp}/tmp.*/ rw,
+  owner @{tmp}/tmp.@{rand6}/ rw,
-  owner @{tmp}/tmp.*/** rwk,
+  owner @{tmp}/tmp.@{rand6}/** rwk,
  owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@ -17,6 +17,7 @@
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/cups-client>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/enchant>
@ -69,12 +70,10 @@
  /usr/share/xul-ext/kwallet5/* r,
  /etc/@{name}/{,**} r,
  /etc/cups/client.conf r,
  /etc/fstab r,
  /etc/mailcap r,
  /etc/mime.types r,
-  /etc/opensc.conf r,
+  /etc/{,opensc/}opensc.conf r,
  /etc/opensc/opensc.conf r,
  /etc/sysconfig/proxy r,
  /etc/xdg/* r,
  /etc/xul-ext/kwallet5.js r,
@ -82,7 +81,6 @@
  /var/lib/nscd/services r,
  owner @{HOME}/ r,
  owner @{HOME}/.cups/lpoptions r,
  owner @{config_dirs}/ rw,
  owner @{config_dirs}/** rwk,
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@ -41,6 +41,9 @@
  owner @{user_config_dirs}/pulse/client.conf.d/{,*.conf} r,
  owner @{user_config_dirs}/pulse/cookie rwk,
  owner @{user_config_dirs}/pipewire/ rw,
  owner @{user_config_dirs}/pipewire/client.conf r,
  owner @{user_share_dirs}/openal/hrtf/{,**} r,
  owner @{user_share_dirs}/sounds/__custom/index.theme r,
--- a/apparmor.d/abstractions/authentication.d/complete
+++ b/apparmor.d/abstractions/authentication.d/complete
@ -11,3 +11,4 @@
  @{lib}/security-misc/pam_faillock_not_if_x rPx,
  @{lib}/security-misc/pam-abort-on-locked-password rPx,
  @{lib}/security-misc/pam-info rPx,
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -4,6 +4,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
  # Allow to receive some signals from new well-known profiles
  signal (receive)                           peer=btop,
  signal (receive)                           peer=htop,
  signal (receive)                           peer=sudo,
  signal (receive)                           peer=top,
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -15,10 +15,11 @@
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/consoles>
-  # include <abstractions/deny-sensitive-home>
+  include <abstractions/cups-client>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/disks-read>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
@ -63,7 +64,6 @@
  owner @{tmp}/** rmwk,
  owner /dev/shm/** rwlk -> /dev/shm/**,
  @{run}/cups/cups.sock rw, # Allow access to cups printing socket.
  @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
  @{run}/host/{,**} r,
  @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -2,10 +2,9 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
-# Minimal set of rules for bwrap
+# A minimal set of rules for sandboxed programs using bwrap. 
 # A profile using this abstraction still needs to set:
-# - the attach_disconnected flag
+# - the flag: attach_disconnected
 # - bwrap execution: '@{bin}/bwrap rix,'
  # userns,
@ -31,6 +30,9 @@
  umount /,
  umount /oldroot/,
  #aa:only debian whonix
  mount -> /newroot/{,**}, # Debian does not support the remount rule.
  pivot_root oldroot=/newroot/ /newroot/,
  pivot_root oldroot=/tmp/oldroot/ /tmp/,
--- a/apparmor.d/abstractions/common/chromium
+++ b/apparmor.d/abstractions/common/chromium
@ -20,19 +20,19 @@
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-  owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
+  owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
        /tmp/ r,
        /var/tmp/ r,
-  owner @{tmp}/.org.chromium.Chromium.* rw,
+  owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
-  owner @{tmp}/.org.chromium.Chromium.*/{,**} rw,
+  owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw,
  owner @{tmp}/scoped_dir*/ rw,
  owner @{tmp}/scoped_dir*/SingletonCookie w,
  owner @{tmp}/scoped_dir*/SingletonSocket w,
  owner @{tmp}/scoped_dir*/SS w,
        /dev/shm/ r,
-  owner /dev/shm/.org.chromium.Chromium.* rw,
+  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
  # If kernel.unprivileged_userns_clone = 1
  owner @{PROC}/@{pid}/setgroups w,
--- a/apparmor.d/abstractions/common/steam-game
+++ b/apparmor.d/abstractions/common/steam-game
@ -0,0 +1,116 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  include <abstractions/audio-client>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  @{bin}/uname          rix,
  @{bin}/xdg-settings   rPx,
  @{browsers_path}      rPx,
  @{bin}/env r,
  @{app_dirs}/ r,
  @{lib_dirs}/ r,
  @{lib}/ r,
  / r,
  /home/ r,
  /usr/ r,
  /usr/local/ r,
  /usr/local/lib/ r,
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
  owner @{HOME}/ r,
  owner @{HOME}/.steam/steam.pid r,
  owner @{HOME}/.steam/steam.pipe r,
  owner @{user_games_dirs}/ r,
  owner @{user_games_dirs}/*/ r,
  owner @{user_games_dirs}/*/{,**} rwkl,
  owner @{user_config_dirs}/unity3d/{,**} rwk,
  owner @{share_dirs}/ r,
  owner @{share_dirs}/* r,
  owner @{share_dirs}/config/*.vdf* rw,
  owner @{share_dirs}/logs/* rw,
  owner @{share_dirs}/steamapps/ r,
  owner @{share_dirs}/steamapps/common/ r,
  owner @{share_dirs}/steamapps/common/*/** rwlk,
  owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
  owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
        @{tmp}/ r,
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
  owner @{tmp}/crashes/ rw,
  owner @{tmp}/crashes/** rwk,
  owner @{tmp}/miles_image_@{rand6} mrw,
  owner @{tmp}/runtime-info.txt.@{rand6} rw, 
  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
  owner /dev/shm/mono.@{int} rw,
  owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
  owner /dev/shm/ValveIPCSHM_@{uid} rw,
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  @{sys}/ r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/hidraw/ r,
  @{sys}/class/input/ r,
  @{sys}/devices/ r,
  @{sys}/devices/@{pci}/boot_vga r,
  @{sys}/devices/@{pci}/net/*/carrier r,
  @{sys}/devices/**/input@{int}/ r,
  @{sys}/devices/**/input@{int}/**/{vendor,product} r,
  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/input/input@{int}/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/system/ r,
  @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
  @{sys}/devices/system/cpu/cpu@{int}/ r,
  @{sys}/devices/virtual/dmi/id/* r,
  @{sys}/devices/virtual/net/*/carrier r,
  @{sys}/kernel/ r,
        @{sys}/fs/cgroup/user.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max  r,
        @{PROC}/uptime r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/pagemap r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  /dev/ r,
  /dev/hidraw@{int} rw,
  /dev/input/ r,
  /dev/input/event@{int} rw,
  /dev/tty rw,
  /dev/uinput rw,
  include if exists <abstractions/common/steam-game.d>
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
@ -14,9 +14,12 @@
  /etc/vulkan/icd.d/{,*.json} r,
  /etc/vulkan/implicit_layer.d/{,*.json} r,
  owner @{user_share_dirs}/vulkan/implicit_layer.d/{,*.json} r,
  owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
  owner @{user_share_dirs}/vulkan/ rw,
  owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw,
  owner @{user_share_dirs}/vulkan/implicit_layer.d/*.json r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/devices/@{pci}/drm/ r,
--- a/apparmor.d/abstractions/wayland.d/complete
+++ b/apparmor.d/abstractions/wayland.d/complete
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-wayland-@{int} r,
  owner @{user_share_dirs}/sddm/wayland-session.log w,
  owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@ -43,6 +43,7 @@ profile signal-desktop @{exec_path} {
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/vmstat r,
  include if exists <local/signal-desktop>
--- a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox
+++ b/apparmor.d/groups/apps/signal-desktop-chrome-sandbox
@ -22,6 +22,8 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
  @{lib_dirs}/signal-desktop{,-beta} rPx,
  @{PROC}/@{pid}/ r,
  @{PROC}/@{pid}/oom_adj w,
  @{PROC}/@{pid}/oom_score_adj w,
  include if exists <local/signal-desktop-chrome-sandbox>
 }
--- a/apparmor.d/groups/apt/debsign
+++ b/apparmor.d/groups/apt/debsign
@ -55,6 +55,7 @@ profile debsign @{exec_path} {
    owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo} r,
    owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}.asc rw,
    include if exists <local/debsign_gpg>
  }
  include if exists <local/debsign>
--- a/apparmor.d/groups/apt/debsums
+++ b/apparmor.d/groups/apt/debsums
@ -20,13 +20,6 @@ profile debsums @{exec_path} {
  @{sh_path}        rix,
  @{bin}/{m,g,}awk  rix,
  /etc/dpkg/dpkg.cfg.d/{,*} r,
  /etc/dpkg/dpkg.cfg r,
  /var/lib/dpkg/info/* r,
  /etc/locale.nopurge r,
  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
  #  shared object file): ignored.
@ -35,6 +28,13 @@ profile debsums @{exec_path} {
  @{bin}/dpkg        rPx -> child-dpkg,
  @{bin}/dpkg-divert rPx -> child-dpkg-divert,
  /etc/dpkg/dpkg.cfg.d/{,*} r,
  /etc/dpkg/dpkg.cfg r,
  /etc/locale.nopurge r,
  /var/lib/dpkg/info/* r,
  # For shell pwd
  / r,
  /root/ r,
--- a/apparmor.d/groups/apt/dpkg-divert
+++ b/apparmor.d/groups/apt/dpkg-divert
@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {
  /var/lib/dpkg/** r,
-  /usr/share/*/** w,
+  /usr/share/*/** rw,
  /var/lib/dpkg/diversions rw,
  /var/lib/dpkg/diversions-new rw,
--- a/apparmor.d/groups/browsers/firefox-minidump-analyzer
+++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer
@ -15,7 +15,7 @@ include <tunables/global>
@{cache_dirs} = @{user_cache_dirs}/mozilla/
@{exec_path} = @{lib_dirs}/minidump-analyzer
-profile firefox-minidump-analyzer @{exec_path} {
+profile firefox-minidump-analyzer @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  signal (receive) set=(term, kill) peer=firefox,
@ -27,10 +27,10 @@ profile firefox-minidump-analyzer @{exec_path} {
  owner "@{config_dirs}/firefox/Crash Reports/" rw,
  owner "@{config_dirs}/firefox/Crash Reports/pending/" rw,
  owner "@{config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
-  owner @{config_dirs}/*.*/extensions/*.xpi r,
+  owner @{config_dirs}/{,firefox/}*.*/extensions/*.xpi r,
-  owner @{config_dirs}/*.*/minidumps/ rw,
+  owner @{config_dirs}/{,firefox/}*.*/minidumps/ rw,
-  owner @{config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw,
+  owner @{config_dirs}/{,firefox/}*.*/minidumps/@{uuid}.{dmp,extra} rw,
-  owner @{config_dirs}/*.*/storage/default/* r,
+  owner @{config_dirs}/{,firefox/}*.*/storage/default/* r,
  owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r,
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-memconf
-profile ibus-memconf @{exec_path} {
+profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -27,5 +27,7 @@ profile ibus-memconf @{exec_path} {
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner /dev/tty@{int} rw,
  include if exists <local/ibus-memconf>
 }
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@ -49,6 +49,7 @@ profile cron-popularity-contest @{exec_path} {
  /var/log/popularity-contest{,.new} rw,
  /var/log/popularity-contest{,.new}.gpg rw,
  /var/log/popularity-contest.@{int} rw,
  /var/log/popularity-contest.@{int}.gpg rw,
  # Store last successful http submission timestamp
  /var/lib/popularity-contest/ rw,
@ -66,15 +67,14 @@ profile cron-popularity-contest @{exec_path} {
    @{bin}/savelog mr,
    @{bin}/date       rix,
    @{bin}/basename   rix,
-    @{bin}/which{,.debianutils}      rix,
+    @{bin}/date       rix,
    @{bin}/dirname    rix,
    @{bin}/rm         rix,
    @{bin}/mv         rix,
    @{bin}/touch      rix,
    @{bin}/gzip       rix,
-
+    @{bin}/mv         rix,
    @{bin}/rm         rix,
    @{bin}/touch      rix,
    @{bin}/which{,.debianutils}      rix,
    @{sh_path}        rix,
    /var/log/ r,
@ -82,9 +82,9 @@ profile cron-popularity-contest @{exec_path} {
    /var/log/popularity-contest.@{int} rw,
    /var/log/popularity-contest rw,
-    # file_inherit
+    owner @{tmp}/#@{int} rw,  # file_inherit
    owner @{tmp}/#@{int} rw,
    include if exists <local/cron-popularity-contest_savelog>
  }
  profile runuser {
@ -96,19 +96,18 @@ profile cron-popularity-contest @{exec_path} {
    @{bin}/runuser mr,
    @{sh_path}                 rix,
    @{bin}/popularity-contest  rPx,
    owner @{PROC}/@{pids}/loginuid r,
          @{PROC}/1/limits r,
    @{etc_ro}/security/limits.d/ r,
    /var/log/popularity-contest.new w,
-    # file_inherit
+          @{PROC}/1/limits r,
-    owner @{tmp}/#@{int} rw,
+    owner @{PROC}/@{pids}/loginuid r,
    owner @{tmp}/#@{int} rw,  # file_inherit
    include if exists <local/cron-popularity-contest_runuser>
  }
  profile gpg {
@ -126,9 +125,9 @@ profile cron-popularity-contest @{exec_path} {
    owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**,
-    # file_inherit
+    owner @{tmp}/#@{int} rw,  # file_inherit
    owner @{tmp}/#@{int} rw,
    include if exists <local/cron-popularity-contest_gpg>
  }
  profile popcon-upload {
@ -142,18 +141,18 @@ profile cron-popularity-contest @{exec_path} {
    network inet6 stream,
    network netlink raw,
    /usr/share/popularity-contest/popcon-upload r,
    @{bin}/perl r,
    @{bin}/gzip rix,
    /usr/share/popularity-contest/popcon-upload r,
    /var/log/ r,
    /var/log/popularity-contest.new.gpg r,
    /var/log/popularity-contest.@{int}.gpg r,
-    # file_inherit
+    owner @{tmp}/#@{int} rw,  # file_inherit
    owner @{tmp}/#@{int} rw,
    include if exists <local/cron-popularity-contest_/popcon-upload>
  }
  include if exists <local/cron-popularity-contest>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -10,6 +10,7 @@ include <tunables/global>
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-open>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/net.hadess.PowerProfiles>
@ -19,6 +20,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dconf-write>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  capability sys_ptrace,
@ -70,10 +72,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  /.flatpak-info r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/pipewire/client.conf r,
  /usr/share/xdg-desktop-portal/** r,
  /etc/pipewire/client.conf.d/ r,
  /etc/sysconfig/proxy r,
  /var/lib/gdm{,3}/greeter-dconf-defaults r,
@ -83,7 +83,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/icon* rw,
  owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
  owner @{run}/user/@{uid}/pipewire-@{int} rw,
        @{PROC}/ r,
        @{PROC}/*/ r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -22,7 +22,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
-  include <abstractions/user-download>
+  include <abstractions/user-download-strict>
  network unix stream,
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -42,7 +42,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  / r,
  owner /.flatpak-info r,
-  owner @{HOME}/*/{,**} r,
+  owner @{HOME}/** r,
  owner @{user_share_dirs}/flatpak/db/documents r,
  owner @{user_share_dirs}/Trash/files/** r,
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -42,6 +42,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/flatpak/db/background rw,
  owner @{user_share_dirs}/flatpak/db/devices r,
  owner @{user_share_dirs}/flatpak/db/documents rw,
  owner @{user_share_dirs}/flatpak/db/notifications rw,
  /dev/tty@{int} rw,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -16,6 +16,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/cups-client>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
@ -93,7 +94,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /usr/share/wallpapers/{,**} r,
  /usr/share/xml/iso-codes/{,**} r,
  /etc/cups/client.conf r,
  /etc/machine-info r,
  /etc/rygel.conf r,
  /etc/security/pwquality.conf r,
@ -130,7 +130,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
        @{run}/cups/cups.sock rw,
        @{run}/samba/ rw,
        @{run}/systemd/sessions/  r,
        @{run}/systemd/sessions/* r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -407,6 +407,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    /usr/games/*  PUx,
    /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
    owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, 
    deny @{user_share_dirs}/gvfs-metadata/* r,
    include if exists <local/gnome-shell_open>
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -99,6 +99,9 @@ profile gnome-software @{exec_path} {
  owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
  owner @{run}/user/@{uid}/app/{,*/} rw,
  owner /dev/shm/flatpak-com.*/ rw,
  owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw,
  @{run}/systemd/inhibit/*.ref rw,
  @{sys}/module/nvidia/version r,
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@ -11,13 +11,12 @@ profile gnome-text-editor @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/common/gnome>
  include <abstractions/enchant>
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>
  @{exec_path} mr,
  /usr/share/enchant-*/{,**} r,
  owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -13,6 +13,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/cups-client>
  include <abstractions/nameservice-strict>
  network inet stream,
@ -34,10 +35,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{lib}/gsd-printer rPx,
  /etc/cups/client.conf r,
  @{run}/cups/cups.sock rw,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@ -30,8 +30,7 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /etc/opensc.conf r,
+  /etc/{,opensc/}opensc.conf r,
  /etc/opensc/opensc.conf r,
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_config_dirs}/dconf/user r,
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -36,8 +36,7 @@ profile seahorse @{exec_path} {
  /etc/pki/trust/blocklist/ r,
  /etc/gcrypt/hwf.deny r,
-  /etc/opensc.conf r,
+  /etc/{,opensc/}opensc.conf r,
  /etc/opensc/opensc.conf r,
  owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -16,6 +16,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/consoles>
  include <abstractions/cups-client>
  include <abstractions/devices-usb>
  include <abstractions/disks-read>
  include <abstractions/enchant>
@ -76,7 +77,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  /usr/share/wallpapers/{,**} r,
  /etc/appstream.conf r,
  /etc/cups/client.conf r,
  /etc/fstab r,
  /etc/ksysguarddrc r,
  /etc/machine-id r,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -206,6 +206,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r,
  @{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r,
  @{sys}/devices/system/cpu/isolated r,
  @{sys}/devices/system/cpu/present r,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/ r,
--- a/apparmor.d/groups/xfce/mousepad
+++ b/apparmor.d/groups/xfce/mousepad
@ -10,6 +10,7 @@ include <tunables/global>
 profile mousepad @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/enchant>
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>
  include <abstractions/xfce>
@ -18,14 +19,9 @@ profile mousepad @{exec_path} {
  @{open_path}  rPx -> child-open-help,
  /usr/share/hunspell/{,**} r,
  owner @{user_config_dirs}/Mousepad/ rw,
  owner @{user_config_dirs}/Mousepad/** rwk,
  owner @{user_config_dirs}/enchant/ rw,
  owner @{user_config_dirs}/enchant/ rwk,
  owner @{user_share_dirs}/Mousepad/ rw,
  owner @{user_share_dirs}/Mousepad/** rwk,
--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@ -11,14 +11,13 @@ profile cups-notifier-dbus @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/cups-client>
  include <abstractions/nameservice-strict>
  signal (receive) set=(term) peer=cupsd,
  @{exec_path} mr,
  /etc/cups/client.conf r,
  owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
  owner @{tmp}/cups-dbus-notifier-lockfile rwk,
--- a/apparmor.d/profiles-a-f/elinks
+++ b/apparmor.d/profiles-a-f/elinks
@ -0,0 +1,27 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/elinks
 profile elinks @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/user-read-strict>
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  @{exec_path} mr,
  owner @{user_config_dirs}/elinks/{,**} rw,
  include if exists <local/elinks>
 }
--- a/apparmor.d/profiles-a-f/ffmpegthumbnailer
+++ b/apparmor.d/profiles-a-f/ffmpegthumbnailer
@ -0,0 +1,17 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/ffmpegthumbnailer
 profile ffmpegthumbnailer @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-write-strict>
  @{exec_path} mr,
  include if exists <local/ffmpegthumbnailer>
 }
--- a/apparmor.d/profiles-a-f/flatpak-portal
+++ b/apparmor.d/profiles-a-f/flatpak-portal
@ -34,6 +34,9 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
  / r,
  /.flatpak-info r,
  owner @{HOME}/.var/app/*/**/.ref rw,
  owner @{HOME}/.var/app/*/**/logs/* rw,
  owner @{user_config_dirs}/user-dirs.dirs r,
  owner @{user_share_dirs}/mime/mime.cache r,
--- a/apparmor.d/profiles-g-l/img2txt
+++ b/apparmor.d/profiles-g-l/img2txt
@ -0,0 +1,17 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/img2txt
 profile img2txt @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-read-strict>
  @{exec_path} mr,
  include if exists <local/img2txt>
 }
--- a/apparmor.d/profiles-g-l/kodi-xrandr
+++ b/apparmor.d/profiles-g-l/kodi-xrandr
@ -16,7 +16,7 @@ profile kodi-xrandr @{exec_path} {
  owner @{HOME}/.Xauthority r,
  # file_inherit
-  @{sys}/devices/virtual/thermal/thermal_zone0/temp r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
  @{sys}/devices/system/cpu/cpufreq/policy0/scaling_cur_freq r,
  owner @{HOME}/.kodi/temp/kodi.log w,
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@ -13,6 +13,7 @@ profile libreoffice @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/enchant>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/user-read-strict>
@ -52,13 +53,17 @@ profile libreoffice @{exec_path} {
  @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,
  @{lib}/libreoffice/{,**} rm,
  /usr/share/hyphen/{,**} r,
  /usr/share/libexttextcat/{,**} r,
  /usr/share/liblangtag/{,**} r,
  /usr/share/libreoffice/{,**} r,
  /usr/share/mythes/{,**} r,
  /etc/java-openjdk/{,**} r,
  /etc/libreoffice/{,**} r,
  /etc/paperspecs r,
  owner @{user_cache_dirs}/libreoffice/{,**} rw,
  owner @{user_config_dirs}/libreoffice/ rw,
  owner @{user_config_dirs}/libreoffice/** rwk,
@ -75,6 +80,7 @@ profile libreoffice @{exec_path} {
        @{sys}/kernel/mm/transparent_hugepage/enabled r,
        @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
  owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,
        @{PROC}/cgroups r,
  owner @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/profiles-g-l/lynx
+++ b/apparmor.d/profiles-g-l/lynx
@ -13,6 +13,8 @@ profile lynx @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/user-read-strict>
  network inet dgram,
  network inet6 dgram,
@ -20,20 +22,19 @@ profile lynx @{exec_path} {
  network inet6 stream,
  @{exec_path} mr,
  @{sh_path}        rix,
-  /etc/lynx/{,*} r,
+  /usr/share/terminfo/{,**} r,
  /usr/share/doc/lynx-common/** r,
-  /etc/mime.types r,
+  /etc/lynx.cfg r,
-
+  /etc/lynx.lss r,
-  @{sh_path}        rix,
+  /etc/lynx/{,**} r,
  /etc/mailcap r,
  /etc/mime.types r,
  owner @{tmp}/lynxXXXX*/ rw,
  owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw,
  owner @{HOME}/ r,
  include if exists <local/lynx>
 }
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@ -59,7 +59,7 @@ profile mkinitramfs @{exec_path} {
  @{bin}/kmod                 rCx -> kmod,
  @{bin}/ldconfig             rCx -> ldconfig,
  @{bin}/ldd                  rCx -> ldd,
-  @{lib}/ld-linux.so.2        rCx -> ldd,
+  @{lib}/ld-linux.so*         rCx -> ldd,
  @{bin}/dpkg          rPx -> child-dpkg,
  @{bin}/linux-version rPx,
--- a/apparmor.d/profiles-m-r/odt2txt
+++ b/apparmor.d/profiles-m-r/odt2txt
@ -0,0 +1,17 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/odt2txt
 profile odt2txt @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-write-strict>
  @{exec_path} mr,
  include if exists <local/odt2txt>
 }
--- a/apparmor.d/profiles-m-r/pdftotext
+++ b/apparmor.d/profiles-m-r/pdftotext
@ -0,0 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/pdftotext
 profile pdftotext @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-write-strict>
  @{exec_path} mr,
  /usr/share/poppler/{,**} r,
  include if exists <local/pdftotext>
 }
--- a/apparmor.d/profiles-m-r/pkcs11-register
+++ b/apparmor.d/profiles-m-r/pkcs11-register
@ -12,8 +12,7 @@ profile pkcs11-register @{exec_path} {
  @{exec_path} mr,
-  /etc/opensc.conf r,
+  /etc/{,opensc/}opensc.conf r,
  /etc/opensc/opensc.conf r,
  owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
  owner @{HOME}/.mozilla/firefox/profiles.ini r,
--- a/apparmor.d/profiles-m-r/protonmail-bridge
+++ b/apparmor.d/profiles-m-r/protonmail-bridge
@ -2,80 +2,46 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Warning: only the protonmail-bridge CLI and service are supported, NOT the GUI.
 abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/protonmail-bridge
+@{config_dirs} = @{user_config_dirs}/protonmail/bridge-v3
@{cache_dirs} = @{user_cache_dirs}/protonmail/bridge-v3 "@{user_cache_dirs}/Proton AG/Proton Mail Bridge"
@{share_dirs} = @{user_share_dirs}/protonmail/bridge-v3
@{exec_path} = @{lib}/protonmail/bridge/bridge-gui
 profile protonmail-bridge @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5-shader-cache>
-  network inet dgram,
+  # network inet dgram,
-  network inet6 dgram,
+  # network inet6 dgram,
  network inet stream,
  network inet6 stream,
-  network netlink raw,
+  # network netlink raw,
  @{exec_path} mr,
-  @{bin}/pass rCx -> pass,
+  @{lib}/protonmail/bridge/bridge  rPx,
  @{open_path}                     rPx -> child-open-strict,
  /etc/lsb-release r,
  /etc/machine-id r,
-  owner /var/tmp/etilqs_@{hex} rw,
+  owner @{config_dirs}/ rw,
  owner @{config_dirs}/** rwlk -> @{config_dirs}/**,
-  owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r,
+  owner @{cache_dirs}/ rw,
-  owner @{user_password_store_dirs}/protonmail-credentials/{,**} r,
+  owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**,
-  owner @{user_cache_dirs}/protonmail/{,**} rwk,
+  owner @{share_dirs}/ rw,
-  owner @{user_config_dirs}/protonmail/{,**} rwk,
+  owner @{share_dirs}/** rwlk -> @{share_dirs}/**,
  owner @{user_share_dirs}/protonmail/{,**} rwk,
-  @{PROC}/sys/net/core/somaxconn r,
+  owner @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/cgroup r,
  # Force the use of the Gnome Keyring or Kwallet secret-service.
  # Comment these lines and add the commented lines in your local/protonmail-bridge
  # to allow the use of pass as secret-service.
  # of pass as secret store
  # deny @{bin}/pass rmx,
  # deny owner @{user_password_store_dirs}/** r,
  profile pass {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
    @{bin}/pass         mr,
    @{sh_path}         rix,
    @{bin}/base64      rix,
    @{bin}/dirname     rix,
    @{bin}/env         rix,
    @{bin}/getopt      rix,
    @{bin}/git         rPx -> pass//git,
    @{bin}/gpg{,2}     rPx -> pass//gpg,
    @{bin}/mkdir       rix,
    @{bin}/rm          rix,
    @{bin}/rmdir       rix,
    @{bin}/sed         rix,
    @{bin}/tail        rix,
    @{bin}/tree        rix,
    @{bin}/tty         rix,
    @{bin}/which       rix,
         owner @{user_password_store_dirs}/ r,
         owner @{user_password_store_dirs}/.gpg-id r,
         owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw,
    deny owner @{user_password_store_dirs}/**/ r,
    /dev/tty rw,
    include if exists <local/protonmail-bridge_pass>
  }
  include if exists <local/protonmail-bridge>
 }
--- a/apparmor.d/profiles-m-r/protonmail-bridge-core
+++ b/apparmor.d/profiles-m-r/protonmail-bridge-core
@ -0,0 +1,85 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # To force the use of the Gnome Keyring or Kwallet secret-service, add the 
 # following lines in your local/protonmail-bridge-core file:
 #   deny @{bin}/pass x,
 #   deny owner @{user_password_store_dirs}/** r,
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{lib}/protonmail/bridge/bridge
 profile protonmail-bridge-core @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  @{exec_path} mr,
  @{bin}/pass rCx -> pass,
  /etc/lsb-release r,
  /etc/machine-id r,
  owner @{user_password_store_dirs}/docker-credential-helpers/{,**} r,
  owner @{user_password_store_dirs}/protonmail-credentials/{,**} r,
  owner @{user_cache_dirs}/protonmail/{,**} rwk,
  owner @{user_config_dirs}/protonmail/{,**} rwk,
  owner @{user_share_dirs}/protonmail/{,**} rwk,
  owner "@{user_config_dirs}/autostart/Proton Mail Bridge.desktop" rw,
  owner @{tmp}/bridge@{int} rw,
  owner @{tmp}/user/@{uid}/etilqs_@{hex} rw,
  owner /var/tmp/etilqs_@{hex} rw,
  @{PROC}/ r,
  @{PROC}/sys/net/core/somaxconn r,
  @{PROC}/@{pid}/cgroup r,
  deny @{bin}/pass x,
  deny owner @{user_password_store_dirs}/** r,
  profile pass {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
    @{bin}/pass         mr,
    @{sh_path}         rix,
    @{bin}/base64      rix,
    @{bin}/dirname     rix,
    @{bin}/env         rix,
    @{bin}/getopt      rix,
    @{bin}/git         rpx -> pass//git,
    @{bin}/gpg{,2}     rpx -> pass//gpg,
    @{bin}/mkdir       rix,
    @{bin}/rm          rix,
    @{bin}/rmdir       rix,
    @{bin}/sed         rix,
    @{bin}/tail        rix,
    @{bin}/tree        rix,
    @{bin}/tty         rix,
    @{bin}/which       rix,
         owner @{user_password_store_dirs}/ r,
         owner @{user_password_store_dirs}/.gpg-id r,
         owner @{user_password_store_dirs}/protonmail-credentials/{,**} rw,
    deny owner @{user_password_store_dirs}/**/ r,
    /dev/tty rw,
    include if exists <local/protonmail-bridge-core_pass>
  }
  include if exists <local/protonmail-bridge-core>
 }
--- a/apparmor.d/profiles-m-r/qpdfview
+++ b/apparmor.d/profiles-m-r/qpdfview
@ -63,6 +63,4 @@ profile qpdfview @{exec_path} {
  include if exists <local/qpdfview>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@ -24,8 +24,7 @@ profile rngd @{exec_path} flags=(attach_disconnected) {
  /etc/conf.d/rngd r,
  /etc/machine-id r,
-  /etc/opensc.conf r,
+  /etc/{,opensc/}opensc.conf r,
  /etc/opensc/opensc.conf r,
  /var/lib/dbus/machine-id r,
  @{sys}/devices/virtual/misc/hw_random/rng_available r,
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -6,28 +6,32 @@
 # - Ensure no user data is accessed by either steam or steam games
 # - Limit what steam/games can access to the host
 #
-# Current architecture:
+# Overall architecture of the steam profiles:
 # steam
-# ├── steam-fossilize
+# ├── steam//check           # Requirements check (sandboxed)
-# ├── steam-reaper
+# ├── steam//web             # steamwebhelper (sandboxed)
-# │   └── steam-game
+# ├── steam-fossilize        # Update shader cache
-# ├── steam-gameoverlayui
+# ├── steam-runtime          # Launcher tasks up to the creation of the sandbox
-# └── steamerrorreporter
+# │   ├── steam-game-native  # Native games
 # │   └── steam-game-proton  # Proton games (sandboxed)
 # ├── steam-gameoverlayui    # Steam game overlay
 # └── steamerrorreporter     # Error reporter
 abi <abi/3.0>,
 include <tunables/global>
-@{share_dirs} = @{user_share_dirs}/Steam
+@{arch} = amd64 i386
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
-@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper
+@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{share_dirs}/steam.sh
 profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/common/bwrap>
  include <abstractions/common/chromium>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
@ -38,69 +42,71 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/ssl_certs>
  include <abstractions/video>
  capability sys_ptrace,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  network unix stream,
-  ptrace (read),
+  ptrace read,
-  ptrace (trace) peer=steam,
+  ptrace trace peer=steam,
-  signal (send) peer=steam-game,
+  signal send peer=steam-game,
-  signal (read),
+  signal send peer=steam-launcher,
-
+  signal send peer=steam//journalctl,
-  unix (receive) type=stream,
+  signal send peer=steam//web,
  @{exec_path} mrix,
  @{sh_path}                    rix,
  @{coreutils_path}             rix,
  @{bin}/cmp                    rix,
  @{bin}/file                   rix,
  @{bin}/getopt                 rix,
-  @{bin}/gzip                   rix,
+  @{bin}/journalctl             rPx -> systemctl,
  @{bin}/ldconfig               rix,
  @{bin}/ldd                    rix,
  @{bin}/localedef              rix,
  @{bin}/lsb_release            rPx -> lsb_release,
  @{bin}/lsof                   rix,
  @{bin}/lspci                  rCx -> lspci,
-  @{bin}/steam-runtime-urlopen  rix,
+  @{bin}/which{,.debianutils}   rix,
  @{bin}/tar                    rix,
  @{bin}/which                  rix,
  @{bin}/xdg-icon-resource      rPx,
  @{bin}/xdg-user-dir           rix,
-  @{bin}/xz                     rix,
+  @{lib}/@{multiarch}/ld-*.so*  rix,
  @{bin}/zenity                 rix,
  @{lib}/ld-linux.so*           rix,
  @{open_path}                  rPx -> child-open,
  @{lib_dirs}/**                  mr,
  @{lib_dirs}/*/**               ix,
  @{lib_dirs}/*driverquery       rix,
  @{lib_dirs}/fossilize_replay   rpx,
  @{lib_dirs}/gameoverlayui      rpx,
-  @{lib_dirs}/reaper            rpx,
+  @{lib_dirs}/reaper             rpx, # steam-runtime
  @{lib_dirs}/steam*             rix,
-  # Entry point for steam-game
+  @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime,
  @{runtime_dirs}/*entry-point  rpx,
  @{lib}/pressure-vessel/from-host/**  rix,
  @{run}/host/@{bin}/*                 rix,
  @{run}/host/@{lib}/**                rix,
  @{share_dirs}/linux{32,64}/steamerrorreporter rpx,
  @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so rm,
-  /usr/lib/os-release rk,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements rcx -> check,
-  /usr/share/fonts/**.{ttf,otf} rk,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-identify-library-abi rix,
-  /usr/share/terminfo/** r,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service rpx,
-  /usr/share/zenity/* r,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix,
  @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
  @{runtime_dirs}/*entry-point rix,
  @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix,
  @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
  @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web,
  @{runtime_dirs}/run{,.sh} rix,
  @{runtime_dirs}/setup.sh rix,
  @{lib}/os-release rk,
  /usr/share/fonts/** rk,
  /etc/lsb-release r,
  /etc/udev/udev.conf r,
  /etc/machine-id r,
  /etc/timezone r,
  /var/lib/dbus/machine-id r,
  @{bin}/ r,
@ -108,16 +114,11 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  / r,
  /etc/ r,
  /home/ r,
  /run/ r,
  /usr/ r,
  /usr/local/ r,
  /usr/local/lib/ r,
  /var/ r,
-
+  /var/tmp/ r,
  owner /bindfile@{rand6} rw,
  owner /var/pressure-vessel/** rw,
  owner /var/cache/ldconfig/aux-cache* rw,
  owner @{HOME}/ r,
  owner @{HOME}/.steam/{,**} rw,
@ -142,106 +143,231 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw,
  owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk,
  owner /dev/shm/#@{int} rw,
  owner /dev/shm/fossilize-*-@{int}-@{int} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex} rw,
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
  owner /dev/shm/ValveIPCSHM_@{uid} rw,
        @{tmp}/ r,
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/dumps/ rw,
  owner @{tmp}/dumps/** rwk,
  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,
-  owner @{tmp}/miles_image_* mrw,
+  owner @{tmp}/glx-icds-@{rand6}/{,**} rw,
-  owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
+  owner @{tmp}/runtime-info.txt.@{rand6} rwk,
  owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
  owner @{tmp}/runtime-info.txt.* rwk,
  owner @{tmp}/sh-thd.* rw,
  owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
  owner @{tmp}/steam@{rand6}/{,**} rw,
  owner @{tmp}/steam/ rw,
  owner @{tmp}/steam/** rwk,
  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
-  owner @{run}/pressure-vessel/** r,
+        /dev/shm/ r,
  owner /dev/shm/fossilize-*-@{int}-@{int} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
  owner /dev/shm/ValveIPCSHM_@{uid} rw,
  owner @{run}/user/@{uid}/ r,
  @{run}/host/{,**} r,
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  @{run}/udev/data/c116:@{int} r,         # for ALSA
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
  @{run}/udev/data/n@{int} r,
  @{sys}/ r,
  @{sys}/bus/ r,
  @{sys}/bus/pci/devices/ r,
  @{sys}/class/ r,
  @{sys}/class/hidraw/ r,
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
-  @{sys}/devices/@{pci}/class r,
+  @{sys}/devices/ r,
-  @{sys}/devices/@{pci}/i2c-@{int}/{,**/}report_descriptor r,
+  @{sys}/devices/@{pci}/boot_vga r,
-  @{sys}/devices/@{pci}/sound/card@{int}/** r,
+  @{sys}/devices/@{pci}/sound/card@{int}/input@{int}/properties r,
  @{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
  @{sys}/devices/**/input@{int}/ r,
  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/input/input@{int}/ r,
  @{sys}/devices/**/input/input@{int}/properties r,
  @{sys}/devices/**/report_descriptor r,
  @{sys}/devices/**/uevent r,
-  @{sys}/devices/system/cpu/** r,
+  @{sys}/devices/system/ r,
-  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/cpu/cpu@{int}/ r,
-  @{sys}/devices/virtual/**/report_descriptor r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/dmi/id/bios_version r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/net/*/ r,
  @{sys}/devices/virtual/tty/tty@{int}/active r,
  @{sys}/kernel/ r,
  @{sys}/power/suspend_stats/success rk,
        @{PROC}/ r,
-        @{PROC}/@{pids}/comm rk,
+        @{PROC}/@{pid}/comm rk,
-        @{PROC}/@{pids}/net/route r,
+        @{PROC}/@{pid}/fdinfo/@{int} r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/locks r,
        @{PROC}/@{pid}/net/* r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/1/cgroup r,
-        @{PROC}/sys/fs/inotify/max_user_watches r,
+        @{PROC}/locks r,
        @{PROC}/sys/kernel/sched_autogroup_enabled r,
-        @{PROC}/sys/kernel/unprivileged_userns_clone r,
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
        @{PROC}/sys/kernel/yama/ptrace_scope r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
        @{PROC}/sys/user/max_user_namespaces r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/mem r,
  owner @{PROC}/@{pid}/autogroup rw,
  owner @{PROC}/@{pid}/cmdline rk,
  owner @{PROC}/@{pid}/environ r,
  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/fdinfo/@{int} r,
+  owner @{PROC}/@{pid}/mem r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  /dev/input/ r,
  /dev/uinput w,
  deny /opt/** r,
  profile web flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    include <abstractions/audio-client>
    include <abstractions/common/bwrap>
    include <abstractions/dconf-write>
    include <abstractions/desktop>
    include <abstractions/fontconfig-cache-write>
    include <abstractions/graphics>
    include <abstractions/nameservice-strict>
    network inet dgram,
    network inet6 dgram,
    network inet stream,
    network inet6 stream,
    network netlink raw,
    ptrace trace peer=steam//web,
    signal receive set=kill peer=steam,
    unix receive type=stream,
    @{bin}/ldconfig   rix,
    @{bin}/getopt     rix,
    @{bin}/gzip       rix,
    @{bin}/true       rix,
    @{bin}/localedef  rix,
    @{bin}/readlink   rix,
    @{lib_dirs}/** mr,
    @{lib_dirs}/steamwebhelper rix,
    @{lib_dirs}/steamwebhelper_sniper_wrap.sh rix,
    @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap mr,
    @{runtime_dirs}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
    @{lib}/pressure-vessel/from-host/**  rix,
    @{run}/host/@{bin}/*                 rix,
    @{run}/host/@{lib}/**                rix,
    @{share_dirs}/config/cefdata/WidevineCdm/**/linux_*/libwidevinecdm.so mr,
    @{runtime_dirs}/var/tmp-@{rand6}/usr/.ref w,
    @{run}/host/{,**} r,
    /etc/machine-id r,
    @{lib}/ r,
    /usr/local/lib/ r,
    /var/tmp/ r,
    owner /bindfile@{rand6} rw,
    owner /var/cache/ldconfig/aux-cache* rw,
    owner /var/pressure-vessel/ldso/* rw,
    owner @{HOME}/.pki/ rw,
    owner @{HOME}/.pki/nssdb/ rw,
    owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
    owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
    owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
    owner @{lib_dirs}/.cef-* wk,
    owner @{share_dirs}/{,**} r,
    owner @{share_dirs}/config/** rwk,
    owner @{share_dirs}/logs/** rwk,
    owner @{share_dirs}/clientui/** k,
    owner @{share_dirs}/public/** k,
          @{tmp}/ r,
    owner @{tmp}/#@{int} rw,
    owner @{tmp}/dumps/ rw,
    owner @{tmp}/dumps/** rwk,
    owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
    owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
    owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
    owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
          /dev/shm/ r,
    owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
    owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
    owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
    owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
    owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
    owner /dev/shm/ValveIPCSHM_@{uid} rw,
    owner @{run}/pressure-vessel/** r,
    @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
    @{sys}/bus/ r,
    @{sys}/bus/*/devices/ r,
    @{sys}/class/*/ r,
    @{sys}/devices/**/report_descriptor r,
    @{sys}/devices/**/uevent r,
    @{sys}/devices/system/cpu/kernel_max r,
    @{sys}/devices/virtual/tty/tty@{int}/active r,
          @{PROC}/ r,
          @{PROC}/@{pid}/stat r,
          @{PROC}/sys/fs/inotify/max_user_watches r,
          @{PROC}/sys/kernel/yama/ptrace_scope r,
    owner @{PROC}/@{pid}/cmdline r,
    owner @{PROC}/@{pid}/oom_score_adj w,
    owner @{PROC}/@{pid}/statm r,
    owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
    owner @{PROC}/@{pid}/task/@{tid}/status r,
    /dev/hidraw@{int} rw,
  /dev/input/ r,
  /dev/input/event@{int} r,
    /dev/tty rw,
  /dev/uinput w,
-  audit deny /**.steam_exec_test.sh rw,
+    include if exists <local/steam_web>
-  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+  }
-  profile lspci {
+  profile check flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    include <abstractions/common/bwrap>
    include <abstractions/nameservice-strict>
    unix receive type=stream,
    @{bin}/true rix,
    @{lib_dirs}/**  mr,
    @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-check-requirements mr,
    @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rix,
    / r,
    owner @{HOME}/.steam/root r,
    owner @{HOME}/.steam/steam r,
    owner @{share_dirs}/ r,
    @{PROC}/@{pid}/cgroup r,
    include if exists <local/steam_check>
  }
  profile lspci flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>
    unix receive type=stream,
    @{bin}/lspci mr,
    owner @{HOME}/.steam/steam.pipe r,
@ -256,5 +382,18 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    include if exists <local/steam_lspci>
  }
  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>
    /{run,var}/log/journal/ r,
    /{run,var}/log/journal/@{hex32}/ r,
    /{run,var}/log/journal/@{hex32}/system.journal* r,
    /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
    include if exists <local/steam_systemctl>
  }
  include if exists <local/steam>
 }
--- a/apparmor.d/profiles-s-z/steam-fossilize
+++ b/apparmor.d/profiles-s-z/steam-fossilize
@ -6,9 +6,12 @@ abi <abi/3.0>,
 include <tunables/global>
-@{share_dirs} = @{user_share_dirs}/Steam
+@{arch} = amd64 i386
-@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
+@{runtime} = SteamLinuxRuntime_sniper
-@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{lib_dirs}/fossilize_replay
 profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
@ -17,17 +20,22 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
  include <abstractions/wayland>
  include <abstractions/X-strict>
  signal receive peer=steam,
  @{exec_path} mr,
-  @{lib_dirs}/*.so*  mr,
+  @{lib_dirs}/**  mr,
  owner @{HOME}/.steam/steam.pipe r,
  owner @{share_dirs}/logs/container-runtime-info.txt.@{rand6} rw,
  owner @{share_dirs}/steamapps/shadercache/@{int}/fozpipelinesv@{int}/{,**} rw,
  owner @{share_dirs}/steamapps/shadercache/@{int}/mesa_shader_cache_sf/{,**} rwk,
  owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/ rw,
  owner @{share_dirs}/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/** rwk,
  owner @{tmp}/runtime-info.txt.@{rand6} rw,
  owner /dev/shm/fossilize-*-@{int}-@{int} rw,
  @{sys}/devices/system/node/node@{int}/cpumap r,
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@ -1,225 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Default profile for steam games
 # TODO:
 # Split this profile in three:
 # - steam-game-native for native linux games
 # - steam-runtime for all runtime related task up to the creation of the sandbox
 # - steam-game-proton for the sandboxed proton games
 #
 # Tasks:
 # - AppArmor supports for {*^} regex, or find an alternative
 # - AppArmor supports change profile from pivot_root
 # - Stack steam//&game to bypass no-new-privs issue
 #
 # The current version of this profile is not very useful as it is very similar
 # to the main steam profile.
 abi <abi/3.0>,
 include <tunables/global>
@{share_dirs} = @{user_share_dirs}/Steam
@{lib_dirs} = @{share_dirs}/ubuntu@{int}_{32,64}
@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper
@{exec_path}  = @{share_dirs}/steamapps/common/*/**
@{exec_path} += @{lib_dirs}/steam-runtime-sniper/*entry-point
 profile steam-game @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/common/bwrap>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  capability dac_override,
  capability dac_read_search,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  signal (receive) peer=steam,
  unix (receive) type=stream,
  @{exec_path} mrix,
  @{sh_path}                                 rix,
  @{bin}/bwrap                               rix,
  @{bin}/env                                 rix,
  @{bin}/getopt                              rix,
  @{bin}/gzip                                rix,
  @{bin}/localedef                           rix,
  @{bin}/python3.@{int}                      rix,
  @{bin}/readlink                            rix,
  @{bin}/steam-runtime-launcher-interface-*  rix,
  @{bin}/steam-runtime-system-info           rix,
  @{bin}/timeout                             rix,
  @{bin}/true                                rix,
  @{bin}/uname                               rix,
  @{bin}/xdg-open                            rPx,
  @{lib}/pressure-vessel/from-host/@{bin}/*   rix,
  @{lib}/pressure-vessel/from-host/@{lib}/**  rix,
  @{lib}/steam-runtime-tools*/*              mrix,
  @{lib_dirs}/{,**} r,
  @{lib_dirs}/**.so*  mr,
  @{lib_dirs}/reaper rix,
  @{lib_dirs}/steam-launch-wrapper rm,
  @{lib_dirs}/steam-runtime/@{lib}/** mrix,
  @{runtime_dirs}/pressure-vessel/@{bin}/ r,
  @{runtime_dirs}/pressure-vessel/@{bin}/* rix,
  @{runtime_dirs}/pressure-vessel/@{lib}/ r,
  @{runtime_dirs}/pressure-vessel/@{lib}/** mrix,
  @{runtime_dirs}/run rix,
  @{share_dirs}/@{bin}/ r,
  @{share_dirs}/@{bin}/* mr,
  @{share_dirs}/d3ddriverquery64.dxvk-cache rw,
  @{share_dirs}/legacycompat/ r,
  @{share_dirs}/legacycompat/** mr,
  @{share_dirs}/linux{32,64}/ r,
  @{share_dirs}/linux{32,64}/**.so* mr,
  @{share_dirs}/standalone_installscript_progress_@{int}.vdf rw,
  @{share_dirs}/steamapps/common/*/* mr,
  @{share_dirs}/steamapps/common/Proton*/ r,
  @{share_dirs}/steamapps/common/Proton*/files/@{bin}/*  mrix,
  @{share_dirs}/steamapps/common/Proton*/files/@{lib}/** mrix,
  @{share_dirs}/steamapps/common/Proton*/proton rix,
  @{share_dirs}/steamapps/compatdata/@{int}/pfx/**.dll rm,
  @{user_games_dirs}/*/* mr,
  @{user_games_dirs}/*/**.dll mr,
  @{run}/host/usr/bin/ldconfig rix,
  @{run}/host/usr/lib{,32,64}/**.so* rm,
  @{run}/host/usr/bin/localedef rix,
  /usr/share/terminfo/** r,
  /etc/machine-id r,
  /etc/udev/udev.conf r,
  /var/lib/dbus/machine-id r,
  / r,
  /{usr/,}{local/,} r,
  /{usr/,}{local/,}lib{,32,64}/ r,
  /bindfile@{rand6} rw,
  /home/ r,
  /tmp/ r,
  owner /var/pressure-vessel/** rw,
  owner /var/cache/ldconfig/aux-cache* rw,
  owner @{HOME}/ r,
  owner @{HOME}/.steam/steam.pid r,
  owner @{HOME}/.steam/steam.pipe r,
  owner @{user_games_dirs}/{,*/} r,
  owner @{user_games_dirs}/*/{,**} rwkl,
  owner @{user_config_dirs}/unity3d/{,**} rwk,
  owner @{share_dirs}/ r,
  owner @{share_dirs}/* r,
  owner @{share_dirs}/*log* rw,
  owner @{share_dirs}/config/config.vdf* rw,
  owner @{share_dirs}/logs/{,*} rw,
  owner @{share_dirs}/shader_cache_temp*/fozpipelinesv*/{,**} rw,
  owner @{share_dirs}/steamapps/ r,
  owner @{share_dirs}/steamapps/common/ r,
  owner @{share_dirs}/steamapps/common/*/ r,
  owner @{share_dirs}/steamapps/common/*/** rwkl,
  owner @{share_dirs}/steamapps/common/Proton*/files/share/{,**} r,
  owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
  owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
  owner @{share_dirs}/userdata/**/remotecache.vdf rw,
        @{run}/host/ r,
        @{run}/host/container-manager r,
        @{run}/host/fonts/{,**} r,
        @{run}/host/share/{,**} r,
        @{run}/host/usr/{,**} r,
  owner @{run}/pressure-vessel/{,**} rw,
  owner @{run}/user/@{uid}/ r,
  owner @{run}/user/@{uid}/orcexec.* mrw,  # gstreamer
  owner /dev/shm/#@{int} rw,
  owner /dev/shm/mono.* rw,
  owner /dev/shm/u@{uid}-Shm_@{hex} rw,
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
  owner /dev/shm/ValveIPCSHM_@{uid} rw,
  owner /dev/shm/wine-*-fsync rw,
  owner @{tmp}/ r,
  owner @{tmp}/.wine-@{int}/ rw,
  owner @{tmp}/.wine-@{int}/** rwk,
  owner @{tmp}/.wine-@{uid}/server-*/* rwk,
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
  owner @{tmp}/miles_image_* mr,
  owner @{tmp}/pressure-vessel-*/{,**} rwl,
  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  @{run}/udev/data/c116:@{int} r,         # for ALSA
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
  @{sys}/ r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/hidraw/ r,
  @{sys}/class/input/ r,
  @{sys}/devices/**/input@{int}/ r,
  @{sys}/devices/**/input@{int}/**/{vendor,product} r,
  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/input/input@{int}/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/@{pci}/sound/card@{int}/** r,
  @{sys}/devices/@{pci}/usb@{int}/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
  @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
  @{sys}/devices/system/cpu/** r,
  @{sys}/devices/system/node/node[0-9]/cpumap r,
  @{sys}/devices/system/node/online r,
  @{sys}/devices/virtual/dmi/id/* r,
  @{sys}/kernel/ r,
        @{PROC}/@{pids}/net/dev r,
        @{PROC}/@{pids}/net/route r,
        @{PROC}/sys/net/core/bpf_jit_enable r,
        @{PROC}/uptime r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/pagemap r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  /dev/hidraw@{int} rw,
  /dev/input/ r,
  /dev/input/* rw,
  /dev/tty rw,
  /dev/uinput rw,
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  include if exists <local/steam-game>
 }
--- a/apparmor.d/profiles-s-z/steam-game-native
+++ b/apparmor.d/profiles-s-z/steam-game-native
@ -0,0 +1,37 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{arch} = amd64 i386
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{app_dirs}/*/**
 profile steam-game-native @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/steam-game>
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network unix stream,
  signal receive peer=steam,
  @{exec_path} rmix,
  @{sh_path}                                            rix,
  @{app_dirs}/**                                         mr,
  @{lib_dirs}/**                                         mr,
  include if exists <local/steam-game-native>
 }
--- a/apparmor.d/profiles-s-z/steam-game-proton
+++ b/apparmor.d/profiles-s-z/steam-game-proton
@ -0,0 +1,107 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{arch} = amd64 i386
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap
 profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/bwrap>
  include <abstractions/common/steam-game>
  include <abstractions/python>
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network unix stream,
  signal receive peer=steam,
  @{exec_path} mr,
  @{bin}/bwrap mrix,
  @{bin}/getopt                                         rix,
  @{bin}/gzip                                           rix,
  @{bin}/ldconfig                                       rix,
  @{bin}/localedef                                      rix,
  @{bin}/python3.@{int}                                 rix,
  @{bin}/readlink                                       rix,
  @{bin}/steam-runtime-launcher-interface-@{int}        rix,
  @{bin}/steam-runtime-system-info                      rix,
  @{bin}/steam-runtime-urlopen                          rix,
  @{bin}/true                                           rix,
  @{bin}/chmod                                          rix,
  @{open_path}                                          rix,
  @{lib_dirs}/**                                         mr,
  @{lib}/pressure-vessel/from-host/@{bin}/*             rix,
  @{lib}/pressure-vessel/from-host/@{lib}/**            rix,
  @{lib}/steam-runtime-tools-@{int}/@{multiarch}-*      rix,
  @{app_dirs}/**                                         mr,
  @{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-*  rix,
  @{app_dirs}/Proton*/files/@{bin}/*                    rix,
  @{app_dirs}/Proton*/files/@{lib}/**                   rix,
  @{app_dirs}/Proton*/proton                            rix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix,
  @{run}/host/@{bin}/ldconfig                           rix,
  @{run}/host/@{bin}/localedef                          rix,
  @{run}/host/@{lib}/**                                  mr,
  @{share_dirs}/bin/d3ddriverquery64.exe                 mr,
  @{share_dirs}/steamapps/compatdata/@{int}/pfx/**       mr,
  @{user_games_dirs}/**                                  mr,
  owner /bindfile@{rand6} rw,
  owner /var/pressure-vessel/** rw,
  owner /var/cache/ldconfig/aux-cache* rw,
  owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk,
  owner @{app_dirs}/Proton*/** rwkl,
  owner @{share_dirs}/*.dll r,
  owner @{share_dirs}/steamapps/compatdata/{,**} rwk,
  owner @{share_dirs}/legacycompat/ r,
  owner @{share_dirs}/legacycompat/** mr,
  owner @{user_share_dirs}/applications/wine/ rw,
  owner @{user_share_dirs}/applications/wine/**/ rw,
  owner @{tmp}/ r,
  owner @{tmp}/.wine-@{uid}/ rw,
  owner @{tmp}/.wine-@{uid}/** rwk,
  owner @{tmp}/glx-icds-@{rand6}/{,**} w,
  owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
  owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} w,
  owner /dev/shm/wine-@{hex6}-fsync rw,
  owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
        @{run}/host/fonts/{,**} r,
        @{run}/host/share/{,**} r,
        @{run}/host/usr/{,**} r,
  owner @{run}/pressure-vessel/{,**} r,
  @{sys}/devices/system/node/node@{int}/cpumap r,
  @{sys}/devices/system/node/online r,
  @{PROC}/@{pids}/net/* r,
  @{PROC}/sys/net/core/bpf_jit_enable r,
  include if exists <local/steam-game-proton>
 }
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@ -6,9 +6,12 @@ abi <abi/3.0>,
 include <tunables/global>
-@{share_dirs} = @{user_share_dirs}/Steam
+@{arch} = amd64 i386
-@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
+@{runtime} = SteamLinuxRuntime_sniper
-@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{lib_dirs}/gameoverlayui
 profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
@ -19,15 +22,16 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,
-
+  network unix stream,
  unix (receive) type=stream,
  @{exec_path} mr,
-  @{lib_dirs}/*.so*  mr,
+  @{lib_dirs}/**.so*  mr,
-  @{lib_dirs}/steam-runtime/@{lib}/**.so*  mr,
+  @{runtime_dirs}/@{lib}/**.so*  mr,
-  /usr/share/fonts/{,**}  rk,  # ?
+  @{lib_dirs}/steamerrorreporter rpx,
  /usr/share/fonts/{,**}  rk,
  / r,
  /home/ r,
@ -45,15 +49,19 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
  owner @{share_dirs}/userdata/@{int}/{,**} rk,
  owner /dev/shm/u@{uid}-Shm_@{hex} rw,
-  owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk,
+  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
  owner /dev/shm/ValveIPCSHM_@{uid} rw,
  owner @{tmp}/gameoverlayui.log* rw,
  owner @{tmp}/miles_image_@{rand6} mrw,
  owner @{tmp}/runtime-info.txt.@{rand6} rw,
  owner @{tmp}/steam_chrome_overlay_uid@{uid}_spid@{pids} rw,
  owner @{tmp}/miles_image_* mrw,
  @{sys}/ r,
  @{sys}/kernel/ r,
  @{sys}/devices/ r,
  @{sys}/devices/system/ r,
  @{sys}/devices/system/cpu/cpu@{int}/ r,
  @{PROC}/version r,
--- a/apparmor.d/profiles-s-z/steam-launch
+++ b/apparmor.d/profiles-s-z/steam-launch
@ -0,0 +1,46 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{arch} = amd64 i386
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{bin}/steam @{bin}/steam-runtime
 profile steam-launch @{exec_path} {
  include <abstractions/base>
  include <abstractions/python>
  network unix stream,
  @{exec_path} mr,
  @{sh_path}         rix,
  @{bin}/cp          rix,
  @{bin}/dirname     rix,
  @{bin}/env         rix,
  @{bin}/id          rix,
  @{bin}/readlink    rix,
  @{lib}/steam/steam         rix,
  @{lib}/steam/bin_steam.sh  rix,
  @{share_dirs}/steam.sh     rPx,
  /usr/ r,
  /usr/local/ r,
  owner @{share_dirs}/bootstrap.tar.xz rw,
  /dev/tty rw,
  deny /opt/** r,
  include if exists <local/steam-launch>
 }
--- a/apparmor.d/profiles-s-z/steam-launcher
+++ b/apparmor.d/profiles-s-z/steam-launcher
@ -0,0 +1,29 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{arch} = amd64 i386
@{runtime} = SteamLinuxRuntime_sniper
@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service
 profile steam-launcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  network unix stream,
  signal receive peer=steam,
  @{exec_path} mr,
  @{lib_dirs}/** mr,
  include if exists <local/steam-launcher>
 }
--- a/apparmor.d/profiles-s-z/steam-reaper
+++ b/apparmor.d/profiles-s-z/steam-reaper
@ -1,40 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{share_dirs} = @{user_share_dirs}/Steam
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper
@{exec_path} = @{lib_dirs}/reaper
 profile steam-reaper @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/graphics>
  unix (receive) type=stream,
  @{exec_path} mr,
  @{lib_dirs}/*.so*  mr,
  @{lib_dirs}/steam-runtime/@{lib}/**.so*  mr,
  @{lib_dirs}/steam-launch-wrapper rpx -> steam-game,
  @{share_dirs}/steamapps/common/*/* rpx -> steam-game,
  owner @{HOME}/.steam/steam.pipe r,
  owner @{share_dirs}/userdata/**/remotecache.vdf rw,
  owner /dev/shm/u@{uid}-Shm_@{hex} rw,
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
  @{sys}/devices/system/cpu/cpu@{int}/** r,
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  include if exists <local/steam-reaper>
 }
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/profiles-s-z/steam-runtime
@ -6,38 +6,77 @@ abi <abi/3.0>,
 include <tunables/global>
-@{share_dirs} = @{user_share_dirs}/Steam
+@{arch} = amd64 i386
-@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
+@{runtime} = SteamLinuxRuntime_sniper
-@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
-@{exec_path} = @{bin}/steam @{bin}/steam-runtime
+@{exec_path} = @{lib_dirs}/reaper
-profile steam-runtime @{exec_path} {
+profile steam-runtime @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/python>
+  include <abstractions/audio-client>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/wayland>
  include <abstractions/X-strict>
-  unix (receive) type=stream,
+  network unix stream,
  @{exec_path} mr,
-  @{sh_path}         rix,
+  @{sh_path} r,
-  @{bin}/cp          rix,
+  @{bin}/getopt    rix,
  @{bin}/dirname     rix,
  @{bin}/env         rix,
  @{bin}/id          rix,
  @{bin}/readlink  rix,
-  @{lib}/steam/steam         rix,
+  @{lib_dirs}/** mr,
-  @{lib}/steam/bin_steam.sh  rix,
+  @{lib_dirs}/steam-launch-wrapper rix,
  @{share_dirs}/steam.sh     rPx,
-  /usr/ r,
+  # Native linux games (steam-game-native)
-  /usr/local/ r,
+  @{app_dirs}/[^S]*/** rpx -> steam-game-native,
-  owner @{share_dirs}/bootstrap.tar.xz rw,
+  # Proton games, sandboxed (steam-game-proton)
  @{app_dirs}/@{runtime}/*entry-point rmix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr,
  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-platform rix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton,
  @{app_dirs}/@{runtime}/run rix,
  @{bin}/bwrap rpx -> steam-game-proton,
  / r,
  @{lib}/ r,
  @{lib_dirs}/ r,
  owner @{HOME}/.steam/steam.pipe r,
  owner @{app_dirs}/*/ r,
  owner @{app_dirs}/@{runtime}/** r,
  owner @{app_dirs}/@{runtime}/pressure-vessel/** rwk,
  owner @{app_dirs}/@{runtime}/sniper_platform_*/** rwk,
  owner @{app_dirs}/@{runtime}/var/** rwk,
  owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/pressure-vessel/**,
  owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**,
  owner @{tmp}/ r,
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
  owner @{run}/user/@{uid}/ r,
  owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/@{pid}/fd/ r,
  /dev/tty rw,
  deny /opt/** r,
  include if exists <local/steam-runtime>
 }
--- a/apparmor.d/profiles-s-z/steamerrorreporter
+++ b/apparmor.d/profiles-s-z/steamerrorreporter
@ -6,12 +6,15 @@ abi <abi/3.0>,
 include <tunables/global>
-@{share_dirs} = @{user_share_dirs}/Steam
+@{arch} = amd64 i386
-@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64}
+@{runtime} = SteamLinuxRuntime_sniper
-@{runtime_dirs} = @{share_dirs}/steamapps/common/SteamLinuxRuntime_sniper
+@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation
@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64}
@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper}
@{app_dirs} = @{share_dirs}/steamapps/common/
-@{exec_path} = @{share_dirs}/linux{32,64}/steamerrorreporter
+@{exec_path} = @{lib_dirs}/steamerrorreporter
-profile steamerrorreporter @{exec_path} {
+profile steamerrorreporter @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -19,14 +22,14 @@ profile steamerrorreporter @{exec_path} {
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network unix stream,
  @{exec_path} mr,
  owner @{HOME}/.steam/steam.pipe r,
-  owner @{lib_dirs}/ r,
+  owner @{lib_dirs}/{,**} r, 
-  owner @{lib_dirs}/steam-runtime/pinned_libs_{32,64}/ r,
+  owner @{runtime_dirs}/pinned_libs_{32,64}/ r,
  owner @{share_dirs}/ r,
  owner @{tmp}/dumps/ r,
--- a/apparmor.d/profiles-s-z/w3m
+++ b/apparmor.d/profiles-s-z/w3m
@ -0,0 +1,33 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/w3m
 profile w3m @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/user-read-strict>
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  @{exec_path} mr,
  /usr/share/terminfo/{,**} r,
  /etc/w3m/{,**} r,
  owner @{HOME}/.w3m/{,**} r,
  owner @{user_config_dirs}/w3m/{,**} r,
  owner /tmp/@{rand6}/{,**} rw,
  include if exists <local/w3m>
 }
--- a/apparmor.d/profiles-s-z/wl-copy
+++ b/apparmor.d/profiles-s-z/wl-copy
@ -15,6 +15,7 @@ profile wl-copy @{exec_path} {
  @{bin}/cat rix,
  @{bin}/rm  rix,
  @{bin}/cliphist rPUx,
  @{bin}/xdg-mime rPx,
  owner @{tmp}/wl-copy-buffer-*/{,**} rw,
--- a/apparmor.d/profiles-s-z/wsdd
+++ b/apparmor.d/profiles-s-z/wsdd
@ -11,6 +11,10 @@ profile wsdd @{exec_path} {
  include <abstractions/base>
  include <abstractions/python>
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  @{exec_path} mr,
  @{bin}/env r,
@ -18,6 +22,8 @@ profile wsdd @{exec_path} {
  /etc/machine-id r,
  owner /var/lib/libuuid/clock.txt rw,
  owner @{run}/user/@{uid}/gvfsd/wsdd w,
  include if exists <local/wsdd>
--- a/apparmor.d/tunables/home.d/apparmor.d
+++ b/apparmor.d/tunables/home.d/apparmor.d
@ -12,22 +12,22 @@
 # First part, second part in /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
 # Extra user personal directories
@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots"
@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
@{XDG_BOOKS_DIR}="Books"
@{XDG_GAMES_DIR}=".games"
@{XDG_PROJECTS_DIR}="Projects"
@{XDG_WORK_DIR}="Work"
@{XDG_MAIL_DIR}="Mail" ".{m,M}ail"
@{XDG_SYNC_DIR}="Sync"
@{XDG_TORRENTS_DIR}="Torrents"
@{XDG_GAMES_DIR}=".games"
@{XDG_VM_DIR}=".vm"
@{XDG_VM_SHARES_DIR}="VM_Shares"
@{XDG_IMG_DIR}="images"
@{XDG_MAIL_DIR}="Mail" ".{m,M}ail"
@{XDG_SCREENSHOTS_DIR}="Pictures/Screenshots"
@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"
 # User personal keyrings
@{XDG_SSH_DIR}=".ssh"
@{XDG_GPG_DIR}=".gnupg"
@{XDG_SSH_DIR}=".ssh"
@{XDG_PASSWORD_STORE_DIR}=".password-store"
 # User personal private directories
@ -44,9 +44,9 @@
 # Full path of the user configuration directories
@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_DIR}
@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_DIR}
@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR}
@{user_bin_dirs}=@{HOME}/@{XDG_BIN_DIR}
@{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR}
@{user_state_dirs}=@{HOME}/@{XDG_STATE_DIR}
 # User build directories and output
@{user_build_dirs}="/tmp/build/"
@ -57,11 +57,11 @@
 # Other user directories
@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}
@{user_games_dirs}=@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}
@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}
@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}
@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}
@{user_mail_dirs}=@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}
@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}
@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}
@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}
@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}
@{user_work_dirs}=@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}
@{user_password_store_dirs}=@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}
@{user_private_dirs}=@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}
--- a/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
+++ b/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d
@ -18,9 +18,9 @@
@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}
@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}
@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}
@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}
@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}
@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}
@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}
@{user_vm_shares}=@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}
 include if exists <tunables/xdg-user-dirs.d/apparmor.d.d>
--- a/dists/docker.sh
+++ b/dists/docker.sh
@ -100,7 +100,7 @@ build_in_docker_rpm() {
 		docker pull "$BASEIMAGE/$dist"
 		docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \
 			"$BASEIMAGE/$dist"
-		docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync
+		docker exec "$img" sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles
 	fi
 	docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -298,11 +298,13 @@ startplasma complain
 startx attach_disconnected,complain
 steam attach_disconnected,mediate_deleted,complain
 steam-fossilize attach_disconnected,complain
-steam-game attach_disconnected,complain
+steam-game-native attach_disconnected,complain
 steam-game-proton attach_disconnected,complain
 steam-gameoverlayui attach_disconnected,complain
-steam-reaper attach_disconnected,complain
+steam-launch complain
-steam-runtime complain
+steam-launcher attach_disconnected,complain
-steamerrorreporter complain
+steam-runtime attach_disconnected,complain
 steamerrorreporter attach_disconnected,complain
 sulogin complain
 switcherooctl complain
 swtpm complain
--- a/dists/ignore/main.ignore
+++ b/dists/ignore/main.ignore
@ -17,8 +17,10 @@ man
 plasma-discover
 steam
 steam-fossilize
-steam-game
+steam-game-native
 steam-game-proton
 steam-gameoverlayui
-steam-reaper
+steam-launch
 steam-launcher
 steam-runtime
 steamerrorreporter
--- a/docs/variables.md
+++ b/docs/variables.md
@ -6,71 +6,83 @@ title: Variables References
 ### User directories
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` |
 | Download | `@{XDG_DOWNLOAD_DIR}` | `Downloads` |
 | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` |
 | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` |
 | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` |
 | Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` |
 | Music | `@{XDG_MUSIC_DIR}` | `Music` |
 | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` |
 | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` |
 | Books | `@{XDG_BOOKS_DIR}` | `Books` |
 | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` |
 | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` |
 | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` |
 | Books | `@{XDG_BOOKS_DIR}` | `Books` |
 | Games | `@{XDG_GAMES_DIR}` | `.games` |
 | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` |
 | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` |
 | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` |
 | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` |
 | Work | `@{XDG_WORK_DIR}` | `Work` |
 | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` |
 | Sync | `@{XDG_SYNC_DIR}` | `Sync` |
 | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` |
 | Vm | `@{XDG_VM_DIR}` | `.vm`
-| Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` |
+| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares`
 | Disk images | `@{XDG_IMG_DIR}` | `images` |
 ### Dotfiles
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | SSH | `@{XDG_SSH_DIR}` | `.ssh` |
 | GPG | `@{XDG_GPG_DIR}` | `.gnupg` |
 | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` |
 | Cache | ` @{XDG_CACHE_DIR}` | `.cache` |
 | Config | `@{XDG_CONFIG_DIR}` | `.config` |
 | Data | `@{XDG_DATA_DIR}` | `.local/share` |
 | State | `@{XDG_STATE_DIR}` | `.local/state` |
 | Bin | `@{XDG_BIN_DIR}` | `.local/bin` |
 | Lib | `@{XDG_LIB_DIR}` | `.local/lib` |
 | GPG | `@{XDG_GPG_DIR}` | `.gnupg` |
 | SSH | `@{XDG_SSH_DIR}` | `.ssh` |
 | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` |
 | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` |
 | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` |
 ### Full configuration path
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` |
 | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` |
 | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` |
 | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` |
 | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` |
 | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` |
 | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` |
 | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` |
 | Build | `@{user_build_dirs}` | `/tmp/` |
 | Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` |
 | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` |
 | Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` |
 ### Full user path
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` |
 | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` |
-| Download | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` |
+| Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` |
 | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` |
 | Pictures | `@{user_pictures_dirs}` | `@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}` |
 | Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` |
 | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` |
 | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` |
 | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` |
 | Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` |
 | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` |
 | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` |
 | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` |
 | Public | `@{user_publicshare_dirs}` | `@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}` |
 | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` |
 | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` |
 | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` |
-| Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` |
+| Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` |
 | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}`
-| Password | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` |
+| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}`
-| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` |
+| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` |
 ## System variables
@ -81,7 +93,7 @@ title: Variables References
 **Helper variables**
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` |
 | Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | |
@ -99,7 +111,7 @@ title: Variables References
 **System Paths**
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | Root Home | `@{HOMEDIRS}` | `/home/` |
 | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` |
@ -111,12 +123,12 @@ title: Variables References
 | Proc | `@{PROC}` | `/proc/` |
 | Run | `@{run}` | `/run/ /var/run/` |
 | Sys | `@{sys}` | `/sys/` |
 | Flatpack export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` |
 | System wide share | `@{system_share_dirs}` | `/{usr,usr/local,var/lib/@{flatpak_exports_root}}/share` |
 | Flatpak export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` |
 **Program paths**
-| Description | Name | Default Value |
+| Description | Name | Default Value(s) |
 |-------------|:----:|---------------|
 | All the shells | `@{shells}` | `sh zsh bash dash fish rbash ksh tcsh csh` |
 | Shells path | `@{shells_path}` | `@{bin}/@{shells}` |
--- a/pkg/aa/profile.go
+++ b/pkg/aa/profile.go
@ -191,9 +191,13 @@ var (
 			}
 		},
 		"exec":       newFileFromLog,
-		"file_inherit": newFileFromLog,
+		"getattr":    newFileFromLog,
-		"file_perm":    newFileFromLog,
+		"mkdir":      newFileFromLog,
 		"mknod":      newFileFromLog,
 		"open":       newFileFromLog,
 		"rename_src": newFileFromLog,
 		"truncate":   newFileFromLog,
 		"unlink":     newFileFromLog,
 	}
 	newLogMountMap = map[string]func(log map[string]string) Rule{
 		"mount":     newMountFromLog,
@ -229,10 +233,13 @@ func (p *Profile) AddRule(log map[string]string) {
 	}
 	if !done {
-		if strings.Contains(log["operation"], "dbus") {
+		switch {
 		case strings.HasPrefix(log["operation"], "file_"):
 			p.Rules = append(p.Rules, newFileFromLog(log))
 		case strings.Contains(log["operation"], "dbus"):
 			p.Rules = append(p.Rules, newDbusFromLog(log))
-		} else {
+		default:
-			fmt.Printf("unknown log type: %s", log)
+			fmt.Printf("unknown log type: %s", log["operation"])
 		}
 	}
 }
--- a/pkg/prebuild/directive/core.go
+++ b/pkg/prebuild/directive/core.go
@ -65,7 +65,7 @@ func NewOption(file *paths.Path, match []string) *Option {
 // Useful to remove directive text applied on some condition only
 func (o *Option) Clean(profile string) string {
 	reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`)
-	return reg.ReplaceAllString(profile, "")
+	return strings.Replace(profile, o.Raw, reg.ReplaceAllString(o.Raw, ""), 1)
 }
 func RegisterDirective(d Directive) {