Merge branch 'roddhjav:main' into main

2025-02-11 12:45:10 +01:00 · 2024-11-23 20:53:49 +01:00 · 2024-11-23 20:53:49 +01:00 · 2bee0206fc
commit 2bee0206fc
parent 9452b4fefd 7acd9079a2
230 changed files with 1440 additions and 708 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -3,8 +3,19 @@ name: Ubuntu
 on: [push, pull_request, workflow_dispatch]
 jobs:
  check:
    runs-on: ubuntu-24.04
    steps:
      - name: Check out repository code
        uses: actions/checkout@v4
      - name: Run basic profile linter check
        run: |
          make check
  build:
    runs-on: ${{ matrix.os }}
    needs: check
    strategy:
      matrix:
        os:
@ -89,6 +100,30 @@ jobs:
          sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
          sudo systemctl restart apparmor.service
      - name: Restart some services to ensure they are confined
        run: |
          services=(
            containerd cron
            dbus docker
            ModemManager multipathd
            networkd-dispatcher
            packagekit polkit
            snapd
            systemd-journald systemd-hostnamed systemd-logind systemd-networkd
            systemd-resolved systemd-udevd
            udisks2
          )
          sudo systemctl daemon-reload
          for service in "${services[@]}"; do
            sudo systemctl restart "$service" || systemctl status "$service.service" || true
          done
          sudo ps auxZ | grep -v '\[.*\]'
          sudo aa-log -s --raw
      - name: Install integration dependencies
        run: |
          bash tests/requirements.sh
      - name: Run the bats integration tests
        run: |
          make bats
@ -97,3 +132,8 @@ jobs:
        if: always()
        run: |
          sudo aa-log -s --raw
      - name: Show final processes security context
        if: always()
        run: |
          sudo ps auxZ | grep -v '\[.*\]'
--- a/2
+++ b/2
@ -113,7 +113,7 @@ check:
 .PHONY: bats
 bats:
-	@bats --print-output-on-failure tests/bats/
+	@bats --timing --print-output-on-failure tests/bats/
 .PHONY: manual
 manual:
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -186,6 +186,7 @@
        @{PROC}/ r,
        @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pid}/statm r,
        @{PROC}/@{pid}/task/@{tid}/status r,
        @{PROC}/pressure/{memory,cpu,io} r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
@ -201,7 +202,6 @@
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
  owner @{PROC}/@{pid}/setgroups w,
  owner @{PROC}/@{pid}/statm r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@ -101,7 +101,7 @@
  owner @{tmp}/Temp-@{uuid}/ rw,
  owner @{tmp}/Temp-@{uuid}/* rwk,
  owner @{tmp}/tmp-*.xpi rw,
-  owner @{tmp}/tmpaddon r,
+  owner @{tmp}/tmpaddon rw,
  owner @{tmp}/tmpaddon-@{int} r,
  owner /dev/shm/org.chromium.@{rand6} rw,
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@ -24,10 +24,10 @@
  network netlink raw,   # PAM
-  dbus send bus=system path=/org/freedesktop/login1
+  unix bind type=stream addr=@@{udbus}/bus/sudo/system,
-       interface=org.freedesktop.logi1.Manager
+
-       member=CreateSession
+  #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
  dbus (send receive) bus=session path=/org/freedesktop/systemd1
         interface=org.freedesktop.systemd.Manager
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@ -10,7 +10,7 @@
  ptrace read peer=@{p_systemd},
-  unix bind type=stream addr=@@{hex16}/bus/systemctl/,
+  unix bind type=stream addr=@@{udbus}/bus/systemctl/,
  @{bin}/systemctl mr,
--- a/apparmor.d/abstractions/attached/base
+++ b/apparmor.d/abstractions/attached/base
@ -7,6 +7,10 @@
  abi <abi/4.0>,
  @{att}/@{run}/systemd/journal/dev-log w,
  @{att}/@{run}/systemd/journal/socket w,
  deny /apparmor/.null rw,
  deny @{att}/apparmor/.null rw,
  include if exists <abstractions/attached/base.d>
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -33,6 +33,4 @@
  @{PROC}/sys/kernel/core_pattern r,
  deny /apparmor/.null rw,
 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus-accessibility
+++ b/apparmor.d/abstractions/bus-accessibility
@ -7,12 +7,12 @@
  dbus send bus=accessibility path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
  dbus send bus=accessibility path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
  owner @{run}/user/@{uid}/at-spi/ rw,
  owner @{run}/user/@{uid}/at-spi/bus rw,
--- a/apparmor.d/abstractions/bus-session
+++ b/apparmor.d/abstractions/bus-session
@ -11,12 +11,12 @@
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
--- a/apparmor.d/abstractions/bus-system
+++ b/apparmor.d/abstractions/bus-system
@ -7,12 +7,12 @@
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{run}/dbus/system_bus_socket rw,
--- a/apparmor.d/abstractions/bus/org.a11y
+++ b/apparmor.d/abstractions/bus/org.a11y
@ -36,7 +36,7 @@
  dbus send bus=session path=/org/a11y/bus
       interface=org.a11y.Bus
       member=GetAddress
-       peer=(name=org.a11y.Bus, label=dbus-accessibility),
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
  dbus send bus=session path=/org/a11y/bus
       interface=org.a11y.Bus
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
@ -14,6 +14,11 @@
       member={Get,GetAll}
       peer=(name=org.freedesktop.hostname1),
  dbus receive bus=system path=/org/freedesktop/hostname1
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged
       peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
  include if exists <abstractions/bus/org.freedesktop.hostname1.d>
 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
@ -4,7 +4,7 @@
  abi <abi/4.0>,
-  dbus send bus=system path=/org/freedesktop/systemd1
+  dbus send bus=system path=/org/freedesktop/systemd1{,/**}
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -61,7 +61,7 @@
  owner @{HOME}/** rwlk -> @{HOME}/**,
  owner @{run}/user/@{uid}/ r,
  owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**,
-  owner @{user_games_dirs}/** rm,
+  owner @{user_games_dirs}/** rmix,
  owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
  owner @{tmp}/** rmwk,
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -46,6 +46,9 @@
        @{PROC}/sys/kernel/overflowgid r,
        @{PROC}/sys/kernel/overflowuid r,
        @{PROC}/sys/user/max_user_namespaces r,
  owner @{PROC}/@{pid}/fd/ r,
        @{att}/@{PROC}/sys/user/max_user_namespaces rw,
  owner @{att}/@{PROC}/@{pid}/cgroup r,
  owner @{att}/@{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@ -34,7 +34,7 @@
  deny @{HOME}/@{XDG_SSH_DIR}/{,**}       mrwkl,
  deny @{run}/user/@{uid}/keyring**       mrwkl,
  deny @{user_config_dirs}/*-store/{,**}  mrwkl,
-  deny @{user_password_store_dirs}/{,**}  mrwkl,
+  deny @{user_passwordstore_dirs}/{,**}   mrwkl,
  deny @{user_share_dirs}/kwalletd/{,**}  mrwkl,
  # Privacy violations
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
@ -5,24 +5,11 @@
  abi <abi/4.0>,
-  /dev/ r,
+  include <abstractions/devices-usb-read>
  /dev/bus/usb/ r,
  /dev/bus/usb/@{int}/ r,
  /dev/bus/usb/@{int}/@{int} rwk,
-  @{sys}/class/ r,
+  /dev/bus/usb/@{int}/@{int} wk,
  @{sys}/class/usbmisc/ r,
-  @{sys}/bus/ r,
+  @{sys}/devices/**/usb@{int}/{,**} w,
  @{sys}/bus/usb/ r,
  @{sys}/bus/usb/devices/{,**} r,
  @{sys}/devices/**/usb@{int}/{,**} rw,
  # Udev data about usb devices (~equal to content of lsusb -v)
  @{run}/udev/data/+usb:* r,
  @{run}/udev/data/c16[6,7]:@{int} r,   # USB modems
  @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
  include if exists <abstractions/devices-usb.d>
--- a/apparmor.d/abstractions/devices-usb-read
+++ b/apparmor.d/abstractions/devices-usb-read
@ -0,0 +1,29 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  abi <abi/4.0>,
  /dev/ r,
  /dev/bus/usb/ r,
  /dev/bus/usb/@{int}/ r,
  /dev/bus/usb/@{int}/@{int} r,
  @{sys}/class/ r,
  @{sys}/class/usbmisc/ r,
  @{sys}/bus/ r,
  @{sys}/bus/usb/ r,
  @{sys}/bus/usb/devices/{,**} r,
  @{sys}/devices/**/usb@{int}/{,**} r,
  # Udev data about usb devices (~equal to content of lsusb -v)
  @{run}/udev/data/+usb:* r,
  @{run}/udev/data/c16[6,7]:@{int} r,   # USB modems
  @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
  include if exists <abstractions/devices-usb-read.d>
 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@ -26,4 +26,6 @@
  owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk,
  owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk,
  @{PROC}/sys/dev/xe/observation_paranoid r,
 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/vulkan-strict
+++ b/apparmor.d/abstractions/vulkan-strict
@ -19,6 +19,7 @@
  owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw,
  owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw,
  owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache
  owner @{user_cache_dirs}/radv_builtin_shaders{32,64}@{rand6} w,
  owner @{user_share_dirs}/vulkan/ rw,
  owner @{user_share_dirs}/vulkan/implicit_layer.d/ rw,
--- a/apparmor.d/abstractions/webkit
+++ b/apparmor.d/abstractions/webkit
@ -0,0 +1,31 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Minimal set of rules for webkit UI.
  abi <abi/4.0>,
  mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,
  @{bin}/xdg-dbus-proxy  rix,
  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
  owner /bindfile@{rand6} rw,
  owner @{att}/.flatpak-info r,
  owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/.flatpak/ w,
  owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw,
  owner @{run}/user/@{uid}/webkitgtk/ w,
  owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
  include if exists <abstractions/webkit.d>
 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/wine
+++ b/apparmor.d/abstractions/wine
@ -0,0 +1,20 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Basic set of resources for wine regardless of the installation method (system or through a game launcher).
  abi <abi/4.0>,
  owner @{user_share_dirs}/applications/wine/ rw,
  owner @{user_share_dirs}/applications/wine/**/ rw,
  owner @{tmp}/.wine-@{uid}/ rw,
  owner @{tmp}/.wine-@{uid}/** rwk,
  owner /dev/shm/wine-@{hex6}-fsync rw,
  owner /dev/shm/wine-@{hex6}@{h}-fsync rw,
  include if exists <abstractions/wine.d>
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -138,7 +138,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixUser
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{bin}/**                         Px,
  @{lib}/**                         Px,
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -32,8 +32,8 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  ptrace read peer=@{p_systemd},
-  unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system,
+  unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system,
-  unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user,
+  unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
  #aa:dbus own bus=session name=org.freedesktop.systemd1
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -34,7 +34,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  signal (send) peer=apt-methods-*,
-  unix (bind) type=stream addr=@@{hex16}/bus/apt/system,
+  unix bind type=stream addr=@@{udbus}/bus/apt-get/system,
  unix bind type=stream addr=@@{udbus}/bus/apt/system,
  unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
  unix (send, receive) type=stream peer=(label=snapd),
@ -43,7 +45,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus/Bus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  dbus send bus=system
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/apt/apt-methods-file
+++ b/apparmor.d/groups/apt/apt-methods-file
@ -30,8 +30,9 @@ profile apt-methods-file @{exec_path} {
  @{lib}/apt/apt-helper rix,
-  /etc/apt/apt.conf.d/{,*} r,
+  /etc/apt/apt-mirrors.txt r,
  /etc/apt/apt.conf r,
  /etc/apt/apt.conf.d/{,*} r,
  /etc/apt/mirrors/* r,
  /usr/share/dpkg/cputable r,
--- a/apparmor.d/groups/apt/apt-methods-mirror
+++ b/apparmor.d/groups/apt/apt-methods-mirror
@ -28,6 +28,7 @@ profile apt-methods-mirror @{exec_path} {
  @{exec_path} mr,
  /etc/apt/apt-mirrors.txt r,
  /etc/apt/mirrors/* r,
  # For shell pwd
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -33,7 +33,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  signal (send) peer=apt-methods-http,
-  unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
+  unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
  @{exec_path} mr,
--- a/apparmor.d/groups/browsers/chromium-sandbox
+++ b/apparmor.d/groups/browsers/chromium-sandbox
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{lib}/chromium/chrome-sandbox
-profile chromium-sandbox @{exec_path} {
+profile chromium-sandbox @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  capability dac_override,
--- a/apparmor.d/groups/browsers/epiphany
+++ b/apparmor.d/groups/browsers/epiphany
@ -19,6 +19,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/webkit>
  capability dac_override,
@ -28,21 +29,14 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,
  network netlink raw,
  mount options=(rw rbind) /bindfile@{rand6} -> /newroot/.flatpak-info,
  @{exec_path} mr,
  @{open_path}  rPx -> child-open,
  @{bin}/bwrap           rix,
  @{bin}/xdg-dbus-proxy  rix,
  @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,
  /usr/share/enchant*/{,**} r,
  owner /bindfile@{rand6} rw,
  owner @{att}/.flatpak-info r,
  owner @{user_config_dirs}/glib-2.0/ w,
  owner @{user_config_dirs}/glib-2.0/settings/ w,
@ -51,14 +45,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/Serialized@{rand9} rw,
  owner @{tmp}/WebKit-Media-@{rand6} rw,
  owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/.flatpak/ w,
  owner @{run}/user/@{uid}/.flatpak/webkit-*/{,bwrapinfo.json} rw,
  owner @{run}/user/@{uid}/webkitgtk/ w,
  owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,
  @{sys}/devices/virtual/dmi/id/chassis_type r,
  @{sys}/firmware/acpi/pm_profile r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Epiphany-@{int}.scope/memory.* r,
--- a/apparmor.d/groups/bus/at-spi2-registryd
+++ b/apparmor.d/groups/bus/at-spi2-registryd
@ -16,10 +16,11 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/X-strict>
-  signal (receive) set=(term) peer=gdm,
+  signal receive set=term peer=gdm,
  signal receive set=hup  peer=gdm-session-worker,
  #aa:dbus own bus=accessibility name=org.a11y.atspi
-  #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility
+  #aa:dbus talk bus=session name=org.a11y.{B,b}us label="@{p_dbus_accessibility}"
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@ -28,6 +28,10 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=accessibility name=org.freedesktop.DBus
  #aa:dbus own bus=session name=org.a11y.{B,b}us
  dbus receive bus=accessibility path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=@{busname}),
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@ -31,6 +31,10 @@ profile dbus-session flags=(attach_disconnected) {
  signal (send)    set=(term hup kill) peer=xdg-*,
  #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus}
  dbus receive bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=@{busname}),
  @{exec_path} mrix,
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -33,7 +33,11 @@ profile dbus-system flags=(attach_disconnected) {
  ptrace (read) peer=@{p_systemd},
-  #aa:dbus own bus=system name=org.freedesktop.DBus
+  #aa:dbus own bus=system name=org.freedesktop.DBus path=/{,org/freedesktop/DBus}
  dbus receive bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=Hello
       peer=(name=@{busname}),
  @{exec_path} mrix,
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-engine-simple
 profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/ibus>
@ -28,8 +29,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner /dev/tty@{int} rw,
  include if exists <local/ibus-engine-simple>
 }
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,ibus/}ibus-x11
 profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
@ -42,8 +43,6 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
  owner /dev/tty@{int} rw,
  include if exists <local/ibus-x11>
 }
--- a/apparmor.d/groups/cron/cron-apport
+++ b/apparmor.d/groups/cron/cron-apport
@ -18,7 +18,7 @@ profile cron-apport @{exec_path} {
  / r,
  /var/crash/ r,
-  /var/crash/*.crash w,
+  /var/crash/* w,
  include if exists <local/cron-apport>
 }
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@ -28,7 +28,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -25,7 +25,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mrix,
--- a/apparmor.d/groups/freedesktop/cpupower
+++ b/apparmor.d/groups/freedesktop/cpupower
@ -28,15 +28,10 @@ profile cpupower @{exec_path} {
  @{sys}/devices/system/cpu/{cpufreq,cpuidle}/** r,
  @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/ r,
  @{sys}/devices/system/cpu/cpu@{int}/{cpufreq,cpuidle}/** r,
  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{min,max}_freq rw,
  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw,
  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_setspeed rw,
  @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw,
  @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r,
  @{sys}/devices/system/cpu/cpu@{int}/online r,
  @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r,
  @{sys}/devices/system/cpu/cpufreq/policy@{int}/* rw,
  /dev/cpu/@{int}/msr r,
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,dconf/}dconf-service
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
@ -38,8 +39,6 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
  @{PROC}/cmdline r,
  /dev/tty@{int} rw,
  include if exists <local/dconf-service>
 }
--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/fc-list
+@{exec_path} = @{bin}/fc-list @{bin}/fc-match @{bin}/fc-pattern
 profile fc-list @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/geoclue @{lib}/geoclue-2.0/demos/agent
 profile geoclue @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/attached/consoles>
  include <abstractions/bus-system>
  include <abstractions/bus/fi.w1.wpa_supplicant1>
  include <abstractions/bus/org.freedesktop.Avahi>
@ -29,7 +30,7 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -28,7 +28,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -26,7 +26,7 @@ profile pipewire-media-session @{exec_path} {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixProcessID
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9]
@{exec_path} += @{lib}/polkit-agent-helper-[0-9]
-profile polkit-agent-helper @{exec_path} {
+profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus-system>
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -26,7 +26,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
@ -53,6 +53,9 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
        /var/lib/polkit{,-1}/localauthority/{,**} r,
  owner /var/lib/polkit{,-1}/.cache/ rw,
  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@ -10,9 +10,10 @@ include <tunables/global>
@{exec_path} = @{bin}/upower
 profile upower @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/consoles>
-  # Needed?
+  #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd
  audit capability sys_nice,
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -32,6 +32,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  ptrace read,
  signal receive set=term peer=gdm,
  signal receive set=hup  peer=gdm-session-worker,
  #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}}
  dbus receive bus=session path=/org/freedesktop/portal/desktop
@ -46,7 +47,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
@ -64,6 +65,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
              / r,
        @{att}/.flatpak-info r,
  owner @{att}/ r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/xdg-desktop-portal/** r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -30,6 +30,7 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
  include <abstractions/user-download-strict>
  signal receive set=term peer=gdm,
  signal receive set=hup  peer=gdm-session-worker,
  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -22,7 +22,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  mount fstype=fuse.portal -> @{run}/user/@{uid}/doc/,
-  signal (receive) set=(term) peer=gdm,
+  signal receive set=term peer=gdm,
  signal receive set=hup  peer=gdm-session-worker,
  ptrace (read),
@ -40,6 +41,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  @{bin}/flatpak         rPUx,
  @{bin}/fusermount{,3}  rCx -> fusermount,
              / r,
  owner @{att}/ r,
  owner @{att}/.flatpak-info r,
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -15,8 +15,9 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  capability sys_nice,
-  signal (receive) set=(term hup kill) peer=dbus-session,
+  signal receive set=(term hup kill) peer=dbus-session,
-  signal (receive) set=(term hup kill) peer=gdm,
+  signal receive set=(term hup kill) peer=gdm,
  signal receive set=(term hup kill) peer=gdm-session-worker,
  #aa:dbus own bus=session name=org.freedesktop.impl.portal.PermissionStore
@ -42,6 +43,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/flatpak/db/ rw,
  owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/flatpak/db/background rw,
  owner @{user_share_dirs}/flatpak/db/desktop-used-apps r,
  owner @{user_share_dirs}/flatpak/db/devices rw,
  owner @{user_share_dirs}/flatpak/db/documents rw,
  owner @{user_share_dirs}/flatpak/db/notifications rw,
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -40,7 +40,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -47,7 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  signal (send) set=hup peer=xorg,
  signal (send) set=hup peer=xwayland,
-  unix (bind) type=stream addr=@@{hex16}/bus/gdm-session-wor/system,
+  unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -55,7 +55,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  @{bin}/grep          rix,
  @{bin}/locale        rix,
  @{bin}/sed           rix,
-  @{bin}/tecla         rix,
+  @{bin}/tecla         rPx,
  @{bin}/bwrap                                   rCx -> bwrap,
  @{bin}/gkbd-keyboard-display                   rPx,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -38,14 +38,14 @@ profile gnome-extension-ding @{exec_path} {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus*
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus*
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  dbus send bus=session path=/org/gtk/vfs/metadata
       interface=org.gtk.vfs.Metadata
--- a/apparmor.d/groups/gnome/gnome-session
+++ b/apparmor.d/groups/gnome/gnome-session
@ -17,6 +17,7 @@ profile gnome-session @{exec_path} {
  @{shells_path}               rix,
  @{bin}/cat                   rix,
  @{bin}/find                  rix,
  @{bin}/gettext               rix,
  @{bin}/gettext.sh              r,
  @{bin}/grep                  rix,
@ -32,6 +33,7 @@ profile gnome-session @{exec_path} {
  @{bin}/tr                    rix,
  @{bin}/tty                   rix,
  @{bin}/uname                 rPx,
  @{bin}/xargs                 rix,
  @{bin}/dpkg-query            rpx,
  @{bin}/flatpak               rCx -> flatpak,
@ -57,6 +59,7 @@ profile gnome-session @{exec_path} {
  /etc/X11/Xsession.d/*im-config_launch r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid r,
  /dev/tty@{int} rw,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -37,7 +37,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment}
-       peer=(name=org.freedesktop.DBus label=dbus-session),
+       peer=(name=org.freedesktop.DBus label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.systemd1.Manager
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -17,7 +17,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/bus/net.hadess.SwitcherooControl>
  include <abstractions/bus/net.reactivated.Fprint>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.background.Monitor>
  include <abstractions/bus/org.freedesktop.FileManager1>
  include <abstractions/bus/org.freedesktop.GeoClue2>
@ -83,6 +82,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  # Talk with gnome-shell
  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
@ -112,22 +112,22 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  # Session bus
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Properties
       member=GetAll
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetNameOwner,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.a11y.atspi.Socket
@ -161,7 +161,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  dbus send bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/gnome/*/SearchProvider
      interface=org.gnome.Shell.SearchProvider2
@ -175,6 +175,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{bin}/glib-compile-schemas   rPx,
  @{bin}/ibus-daemon            rPx,
  @{bin}/Xwayland               rPx,
  @{bin}/tecla                  rPx,
  @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
  @{lib}/mutter-x11-frames      rPx,
  #aa:exec polkit-agent-helper
@ -198,10 +199,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gdm/greeter/applications/{,**} r,
  /usr/share/libgweather/Locations.xml r,
-  /usr/share/libinput*/ r,
+  /usr/share/libinput*/{,**} r,
  /usr/share/libinput*/{,**/}@{int2}-*.quirks r,
  /usr/share/libinput*/libinput/ r,
  /usr/share/libwacom/{,*.stylus,*.tablet} r,
  /usr/share/poppler/{,**} r,
  /usr/share/wallpapers/** r,
  /usr/share/wayland-sessions/{,*.desktop} r,
  /usr/share/xml/iso-codes/{,**} r,
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -43,7 +43,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/
       interface=org.freedesktop.DBus
       member=ListNames
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/gnome/SettingsDaemon/Power
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -41,7 +41,7 @@ profile gsd-xsettings @{exec_path} {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetId
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@ -17,7 +17,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>
-  signal (send) set=(kill) peer=loupe//bwrap,
+  signal send set=kill peer=loupe//bwrap,
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
@ -30,6 +30,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
  / r,
  owner @{user_cache_dirs}/glycin/{,**} rw,
  @{run}/mount/utab r,
  @{sys}/fs/cgroup/user.slice/cpu.max r,
@ -51,7 +53,9 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
    signal (receive) set=(kill) peer=loupe,
    @{bin}/bwrap mr,
-    @{lib}/glycin-loaders/*/glycin-image-rs rix,
+    @{lib}/glycin-loaders/*/glycin-* rix,
    owner @{PROC}/@{pid}/fd/ r,
    deny @{user_share_dirs}/gvfs-metadata/* r,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -43,12 +43,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=ListActivatableNames
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  dbus send bus=session path=/org/freedesktop/dbus
       interface=org.freedesktop.DBus
       member=NameHasOwner
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{lib}/org.gnome.NautilusPreviewer
-profile org.gnome.NautilusPreviewer @{exec_path} {
+profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gnome/tecla
+++ b/apparmor.d/groups/gnome/tecla
@ -0,0 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/tecla
 profile tecla @{exec_path} {
  include <abstractions/base>
  include <abstractions/common/gnome>
  @{exec_path} mr,
  include if exists <local/tecla>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/dirmngr
 profile dirmngr @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
--- a/apparmor.d/groups/gpg/keyboxd
+++ b/apparmor.d/groups/gpg/keyboxd
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gnupg/keyboxd
 profile keyboxd @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
--- a/apparmor.d/groups/kde/startplasma
+++ b/apparmor.d/groups/kde/startplasma
@ -37,7 +37,6 @@ profile startplasma @{exec_path} {
  /usr/share/kservicetypes5/{,**} r,
  /usr/share/plasma/{,**} r,
  /etc/locale.alias r,
  /etc/machine-id r,
  /etc/xdg/menus/{,**} r,
  /etc/xdg/plasma-workspace/env/{,*} r,
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -25,9 +25,13 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{run}/udev/data/+acpi:* r,             # for acpi
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/+platform:* r,
  @{run}/udev/data/+pnp:* r,
  @{run}/udev/data/+serial*:* r,
  @{run}/udev/data/+usb:* r,
  @{run}/udev/data/+vmbus:* r,
  @{run}/udev/data/c16[6,7]:@{int} r,     # USB modems
  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
  @{run}/udev/data/c4:@{int} r,           # for /dev/tty[0-9]*
@ -43,9 +47,9 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
  @{sys}/class/tty/ r,
  @{sys}/class/wwan/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/@{pci}/revision r,
-  @{sys}/devices/virtual/net/*/ r,
+  @{sys}/devices/**/net/*/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/tty/*/ r,
  include if exists <local/ModemManager>
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -47,6 +47,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
  #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
  dbus send bus=system path=/org/freedesktop/nm_dispatcher
       interface=org.freedesktop.nm_dispatcher
       peer=(name=org.freedesktop.nm_dispatcher),
  dbus receive bus=system path=/org/freedesktop
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
@ -70,7 +74,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
@ -128,10 +132,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/+rfkill:* r,
  @{run}/udev/data/n@{int} r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/net/{,**} r,
  @{sys}/devices/@{pci}/net/*/{,**} r,
  @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r,
  @{sys}/devices/**/@{uuid}/net/*/{,**} r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/net/{,**} r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/1/environ r,
--- a/apparmor.d/groups/network/dhcpcd
+++ b/apparmor.d/groups/network/dhcpcd
@ -35,6 +35,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
  @{bin}/chmod                    rix,
  @{bin}/cmp                      rix,
  @{bin}/mkdir                    rix,
  @{bin}/resolvconf               rPx,
  @{bin}/rm                       rix,
  @{bin}/sed                      rix,
  @{lib}/dhcpcd/dhcpcd-run-hooks  rix,
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -12,6 +12,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  network netlink raw,
  @{exec_path} mr,
  @{lib}/netplan/generate  rix,
@ -22,21 +24,34 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
  /etc/netplan/{,*} r,
-  @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
+  @{run}/netplan/ r,
  @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf{,.@{rand6}} rw,
  @{run}/NetworkManager/system-connections/ rw,
  @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
  @{run}/systemd/network/ r,
  @{run}/systemd/network/@{int}-netplan{,-*}.{network,link}{,.@{rand6}} rw,
  @{run}/systemd/system/ r,
  @{run}/systemd/system/netplan-* rw,
  @{run}/systemd/system/systemd-networkd-wait-online.service.d/ r,
  @{run}/systemd/system/systemd-networkd-wait-online.service.d/@{int}-netplan.conf{,.@{rand6}} rw,
  @{run}/systemd/system/systemd-networkd.service.wants/ rw,
  @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
  @{run}/udev/rules.d/ r,
-  @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw,
+  @{run}/udev/rules.d/@{int}-netplan{,-*}.rules{,.@{rand6}} rw,
  @{sys}/devices/**/net/*/address r,
  profile udevadm {
    include <abstractions/base>
    include <abstractions/app/udevadm>
-    @{run}/udev/control rw,
+    capability net_admin,
    @{att}/@{run}/udev/control rw,
    @{run}/udev/rules.d/90-netplan.rules rw,
    @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw,
@ -49,6 +64,8 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
    capability net_admin,
    @{att}/@{run}/systemd/private rw,
    include if exists <local/netplan.script_systemctl>
  }
--- a/apparmor.d/groups/network/networkd-dispatcher
+++ b/apparmor.d/groups/network/networkd-dispatcher
@ -26,6 +26,7 @@ profile networkd-dispatcher @{exec_path} {
  @{bin}/sed         rix,
  @{lib}/networkd-dispatcher/routable.d/postfix rix,
  @{lib}/NetworkManager/dispatcher.d/@{int}-chrony-onoffline rix,
  /etc/networkd-dispatcher/{,**} r,
--- a/apparmor.d/groups/network/nm-online
+++ b/apparmor.d/groups/network/nm-online
@ -11,6 +11,7 @@ profile nm-online @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/consoles>
  dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
       interface=org.freedesktop.NetworkManager.Connection.Active
--- a/apparmor.d/groups/network/nmcli
+++ b/apparmor.d/groups/network/nmcli
@ -9,10 +9,14 @@ include <tunables/global>
@{exec_path} = @{bin}/nmcli
 profile nmcli @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/consoles>
  capability dac_read_search,
  capability sys_nice,
  #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
  @{exec_path} mr,
  @{pager_path}          rPx -> child-pager,
--- a/apparmor.d/groups/pacman/yay
+++ b/apparmor.d/groups/pacman/yay
@ -84,6 +84,7 @@ profile yay @{exec_path} {
    @{bin}/gpg{,2}     mr,
    @{bin}/gpg-agent  rPx,
    @{bin}/dirmngr    rPx,
    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
--- a/apparmor.d/groups/ssh/ssh-agent-launch
+++ b/apparmor.d/groups/ssh/ssh-agent-launch
@ -27,7 +27,7 @@ profile ssh-agent-launch @{exec_path} {
    dbus send bus=session path=/org/freedesktop/DBus
         interface=org.freedesktop.DBus
         member=UpdateActivationEnvironment
-         peer=(name=org.freedesktop.DBus, label=dbus-session),
+         peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
    dbus send bus=session path=/org/freedesktop/systemd1
         interface=org.freedesktop.systemd1.Manager
--- a/apparmor.d/groups/ssh/ssh-keygen
+++ b/apparmor.d/groups/ssh/ssh-keygen
@ -22,6 +22,7 @@ profile ssh-keygen @{exec_path} {
  owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,
  /tmp/snapd@{int}/*_*{,.pub} w,
  /tmp/snapd@{int}/*.key{,.pub} w,
  /dev/tty@{int} rw,
  /dev/ttyS@{int} rw,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -53,7 +53,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  ptrace (read,trace) peer=@{p_systemd},
-  unix (bind) type=stream addr=@@{hex16}/bus/sshd/system,
+  unix (bind) type=stream addr=@@{udbus}/bus/sshd/system,
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -22,7 +22,7 @@ profile busctl @{exec_path} {
  ptrace (read),
-  unix (bind) type=stream addr=@@{hex16}/bus/busctl/busctl,
+  unix (bind) type=stream addr=@@{udbus}/bus/busctl/busctl,
  signal (send) set=(cont) peer=child-pager,
@ -33,7 +33,7 @@ profile busctl @{exec_path} {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus.Monitoring
       member=BecomeMonitor
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/homectl
+++ b/apparmor.d/groups/systemd/homectl
@ -0,0 +1,39 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/homectl
 profile homectl @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/common/systemd>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  capability net_admin,
  capability sys_resource,
  signal send peer=child-pager,
  #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
  @{exec_path} mr,
  @{bin}/pkttyagent  rpx,
  @{pager_path} rPx -> child-pager,
  /etc/machine-id r,
  owner @{PROC}/@{pids}/cgroup r,
  /dev/tty rw,
  include if exists <local/homectl>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@ -10,10 +10,13 @@ include <tunables/global>
 profile hostnamectl @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.systemd1>
  include <abstractions/consoles>
  capability net_admin,
  unix bind type=stream addr=@@{udbus}/bus/hostnamectl/system,
  #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -24,7 +24,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
  ptrace (read) peer=@{p_systemd},
-  unix (bind) type=stream addr=@@{hex16}/bus/networkctl/system,
+  unix (bind) type=stream addr=@@{udbus}/bus/networkctl/system,
  #aa:dbus talk bus=system name=org.freedesktop.network1 label=systemd-networkd
  # No label available
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -22,6 +22,8 @@ profile systemd-analyze @{exec_path} {
  signal (send) peer=child-pager,
  unix bind type=stream addr=@@{udbus}/bus/systemd-analyze/system,
  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-cat
+++ b/apparmor.d/groups/systemd/systemd-cat
@ -9,14 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-cat
 profile systemd-cat @{exec_path} {
  include <abstractions/base>
  include <abstractions/app-launcher-root>
  include <abstractions/consoles>
  capability net_admin,
  @{exec_path} mr,
  @{bin}/cat rix,
  @{bin}/echo rix,
  include if exists <local/systemd-cat>
 }
--- a/apparmor.d/groups/systemd/systemd-cgls
+++ b/apparmor.d/groups/systemd/systemd-cgls
@ -9,8 +9,17 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-cgls
 profile systemd-cgls @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.systemd1>
  include <abstractions/consoles>
-  ptrace (read),
+  capability sys_ptrace,
  ptrace read,
  signal send set=cont peer=child-pager,
  unix bind type=stream addr=@@{udbus}/bus/systemd-cgls/system,
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-escape
+++ b/apparmor.d/groups/systemd/systemd-escape
@ -10,7 +10,6 @@ include <tunables/global>
 profile systemd-escape @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@ -35,6 +35,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
  mount options=(rw, rslave) -> @{run}/,
  mount /dev/dm-@{int} -> @{run}/systemd/user-home-mount/,
  unix bind type=stream addr=@@{udbus}/bus/systemd-homed/system,
  #aa:dbus own bus=system name=org.freedesktop.home1
  @{exec_path} mr,
@ -61,6 +63,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/home/{,**} rw,
  @{run}/systemd/userdb/io.systemd.home r,
  @{run}/systemd/user-home-mount/{,**} rw,
  @{run}/systemd/notify w,
  @{sys}/bus/ r,
  @{sys}/fs/ r,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -18,14 +18,14 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
  network unix stream,
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system,
+  unix (bind) type=stream addr=@@{udbus}/bus/systemd-hostnam/system,
  #aa:dbus own bus=system name=org.freedesktop.hostname1
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetConnectionUnixUser
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
@ -37,8 +37,9 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
  /etc/machine-info rw,
  /etc/os-release r,
  @{att}/@{run}/systemd/notify rw,
  @{run}/systemd/default-hostname rw,
  @{run}/systemd/notify rw,
  @{run}/udev/data/+dmi:* r,              # for motherboard info
  @{sys}/devices/virtual/dmi/id/ r,
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/common/systemd>
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system,
+  unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system,
  #aa:dbus own bus=system name=org.freedesktop.locale1
@ -35,7 +35,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  /etc/X11/xorg.conf.d/.#*.confd* rw,
  /etc/X11/xorg.conf.d/*.conf rw,
-  @{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/notify rw,
  include if exists <local/systemd-localed>
 }
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -29,7 +29,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
  mqueue r type=posix /,
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system,
+  unix (bind) type=stream addr=@@{udbus}/bus/systemd-logind/system,
  #aa:dbus own bus=system name=org.freedesktop.login1
@ -43,7 +43,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
@ -94,10 +94,12 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card*
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
  @{att}/@{run}/systemd/notify w,
  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
  @{run}/systemd/inhibit/ rw,
  @{run}/systemd/inhibit/.#* rw,
  @{run}/systemd/inhibit/@{int}{,.ref} rw,
  @{run}/systemd/notify rw,
  @{run}/systemd/seats/ rw,
  @{run}/systemd/seats/.#seat* rw,
  @{run}/systemd/seats/seat@{int} rw,
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@ -13,6 +13,7 @@ profile systemd-modules-load @{exec_path} {
  include <abstractions/common/systemd>
  capability net_admin,
  capability perfmon,
  capability sys_module,
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -27,7 +27,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
  network packet dgram,
  network packet raw,
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-network/bus-api-network,
+  unix (bind) type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network,
  #aa:dbus own bus=system name=org.freedesktop.network1
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -15,7 +15,7 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability kill,
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-oomd/bus-api-oom,
+  unix (bind) type=stream addr=@@{udbus}/bus/systemd-oomd/bus-api-oom,
  #aa:dbus own bus=system name=org.freedesktop.oom1
@ -24,9 +24,11 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/oomd.conf r,
  /etc/systemd/oomd.conf.d/{,**} r,
  @{att}/@{run}/systemd/notify w,
  @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
  @{run}/systemd/io.system.ManagedOOM rw,
  @{run}/systemd/io.systemd.ManagedOOM rw,
  @{run}/systemd/notify rw,
  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/memory.* r,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -34,15 +34,16 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
  @{exec_path} mr,
  /etc/systemd/resolved.conf r,
  /etc/systemd/resolved.conf.d/{,*} r,
  @{att}/@{run}/systemd/notify w,
  @{run}/systemd/netif/links/* r,
  @{run}/systemd/notify rw,
  @{run}/systemd/resolve/{,**} rw,
  @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/systemd/systemd-sleep-nvidia
+++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia
@ -11,6 +11,7 @@ profile systemd-sleep-nvidia @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  capability perfmon,
  capability sys_admin,
  capability sys_tty_config,
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@ -16,8 +16,12 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  capability fsetid,
  capability net_admin,
  signal send set=cont peer=child-pager,
  @{exec_path} mr,
  @{pager_path} rPx -> child-pager,
  # Config file locations
  /etc/sysusers.d/{,*.conf} r,
  @{run}/sysusers.d/{,*.conf} r,
@ -40,6 +44,8 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  /etc/.#{group,gshadow}@{hex} rw,
  /etc/.pwd.lock rwk,
  owner @{PROC}/@{pid}/cgroup r,
        /dev/tty@{int} rw,
  owner /dev/pts/@{int} rw,
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
  capability sys_time,
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-timedat/system,
+  unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system,
  #aa:dbus own bus=system name=org.freedesktop.timedate1
@ -35,7 +35,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
  /etc/.#timezone* rw,
  /etc/timezone rw,
-  @{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/notify rw,
  /dev/rtc@{int} r,
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -21,7 +21,7 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,
-  unix (bind) type=stream addr=@@{hex16}/bus/systemd-timesyn/bus-api-timesync,
+  unix (bind) type=stream addr=@@{udbus}/bus/systemd-timesyn/bus-api-timesync,
  unix (send, receive) type=dgram addr=none peer=(label=@{p_systemd}, addr=none),
  #aa:dbus own bus=system name=org.freedesktop.timesync1
@ -34,9 +34,10 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/systemd/timesync/clock rw,
  @{att}/@{run}/systemd/notify rw,
        @{run}/resolvconf/*.conf r,
        @{run}/systemd/netif/state r,
        @{run}/systemd/notify rw,
        @{run}/systemd/timesyncd.conf.d/{,**} r,
  owner @{run}/systemd/timesync/synchronized rw,
--- a/Show more
+++ b/Show more