polishing

apparmor.d/groups/apps/vlc

@@ -118,6 +118,7 @@ profile vlc @{exec_path} {
   owner @{user_config_dirs}/qt5ct/{,**} r,
   /usr/share/qt5ct/** r,
 
+  /dev/snd/ r,
   /dev/shm/#[0-9]*[0-9] rw,
 
   deny owner @{PROC}/@{pid}/cmdline r,

apparmor.d/groups/freedesktop/polkit-agent-helper

@@ -35,7 +35,18 @@ profile polkit-agent-helper @{exec_path} {
   owner @{HOME}/.xsession-errors w,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
+
+  # DBus
+  @{run}/dbus/system_bus_socket rw,
+
+  dbus send
+    bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"),
+
+  dbus send
+    bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"),
+
+  dbus send
+    bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="AuthenticationAgentResponse2" peer=(name=":*"),
 
   include if exists <local/polkit-agent-helper>
 }

apparmor.d/groups/freedesktop/polkitd

@@ -53,8 +53,6 @@ profile polkitd @{exec_path} {
 
   @{run}/systemd/sessions/* r,
   @{run}/systemd/users/@{uid} r,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
-  @{run}/systemd/userdb/io.systemd.Machine rw,
 
   # Silencer
   deny /.cache/ rw,
@@ -67,10 +65,13 @@ profile polkitd @{exec_path} {
     bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"),
 
   dbus send
-    bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}"),
+    bus="system" path="/org/freedesktop/PolicyKit1{,/**}" interface="org.freedesktop.PolicyKit1{,.**}" peer=(name="{org.freedesktop.DBus,:*}"),
+
+  dbus send
+    bus="system" path="/org/gnome/PolicyKit1/AuthenticationAgent" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" peer=(name=":*"),
 
   dbus receive
-    bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent}" peer=(name=":*"),
+    bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2}" peer=(name=":*"),
 
   dbus bind
     bus="system" name="org.freedesktop.PolicyKit1",

apparmor.d/profiles-m-r/pkexec

@@ -10,9 +10,9 @@ include <tunables/global>
 profile pkexec @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/authentication>
-  include <abstractions/wutmp>
-  include <abstractions/nameservice-strict>
   include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>
 
   signal (send) set=(term, kill) peer=polkit-agent-helper,
 
@@ -53,7 +53,7 @@ profile pkexec @{exec_path} flags=(complain) {
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,
 
-  # DBus
+  # DBus stricter
   @{run}/dbus/system_bus_socket rw,
 
   dbus send