Update profiles.

apparmor.d/groups/gnome/gnome-disk-image-mounter

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/gnome-disk-image-mounter
 profile gnome-disk-image-mounter @{exec_path} {
   include <abstractions/base>
+  include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
 

apparmor.d/groups/gnome/gnome-shell

@@ -31,10 +31,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   ptrace (read),
 
   signal (receive) set=(term, hup) peer=gdm*,
-  signal (send) set=(kill) peer=unconfined,
+  signal (send),
-  signal (send) set=(term) peer=polkit*,
-  signal (send) set=(term) peer=xwayland,
-  signal (send) set=(usr1) peer=ibus-daemon,
 
   @{exec_path} mr,
 
@@ -87,6 +84,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
   owner @{user_cache_dirs}/libgweather/{,**} r,
   owner @{user_cache_dirs}/media-art/{,**} r,
+  owner @{user_cache_dirs}/vlc/**/*.jpg r,
 
   include <abstractions/dconf>
   owner @{run}/user/@{uid}/dconf/ rw,

apparmor.d/groups/gnome/gsd-power

@@ -60,6 +60,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
   @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
 
   owner /dev/tty[0-9]* rw,
 

apparmor.d/groups/systemd/systemd-binfmt

@@ -10,6 +10,10 @@ include <tunables/global>
 profile systemd-binfmt @{exec_path} {
   include <abstractions/base>
 
+  capability net_admin,
+
+  ptrace (read) peer=unconfined,
+
   @{exec_path} mr,
 
   # Config file locations
@@ -18,6 +22,10 @@ profile systemd-binfmt @{exec_path} {
   /usr/lib/binfmt.d/*.conf r,
 
   owner @{PROC}/@{pid}/stat r,
+        @{PROC}/1/environ r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/fs/binfmt_misc/status w,
+        @{PROC}/sys/kernel/osrelease r,
 
   include if exists <local/systemd-binfmt>
 }

apparmor.d/groups/systemd/systemd-modules-load

@@ -11,12 +11,8 @@ profile systemd-modules-load @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
 
-  # To load kernel modules
   capability sys_module,
 
-  # Needed?
-  audit deny capability net_admin,
-
   @{exec_path} mr,
 
   @{sys}/module/*/initstate r,

apparmor.d/profiles-a-f/fusermount

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -11,18 +12,16 @@ profile fusermount @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
-  # To mount anything:
+  capability dac_read_search,
-  #  fusermount: mount failed: Operation not permitted
   capability sys_admin,
 
-  #capability dac_read_search,
-
   @{exec_path} mr,
 
   # Where to mount ISO files
   owner @{HOME}/*/ rw,
   owner @{HOME}/*/*/ rw,
   owner @{user_cache_dirs}/**/ rw,
+  owner @{run}/user/@{uid}/doc/ r,
 
   # Be able to mount ISO images
   mount fstype={fuse,fuse.*} -> @{HOME}/*/,
@@ -30,6 +29,7 @@ profile fusermount @{exec_path} {
   mount fstype={fuse,fuse.*} -> @{HOME}/.cache/**/,
   mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/,
   mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
+  mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/doc/,
 
   umount @{HOME}/*/,
   umount @{HOME}/*/*/,
@@ -37,6 +37,7 @@ profile fusermount @{exec_path} {
   umount @{MOUNTS}/*/,
   umount @{MOUNTS}/*/*/,
   umount /tmp/.mount_*/,
+  umount @{run}/user/@{uid}/doc/,
 
   /etc/fuse.conf r,
 

apparmor.d/profiles-m-r/mono-sgen

@@ -9,13 +9,48 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/mono-sgen
 profile mono-sgen @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
+  include <abstractions/freedesktop.org>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
+  include <abstractions/vulkan>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
 
   @{exec_path} mr,
 
+  /{usr/,}bin/ r,
+  /{usr/,}local/bin/ r,
+  /{usr/,}bin/* rPUx,
+
   /usr/share/.mono/{,**} rw,
 
   /etc/mono/{,**} r,
+  /etc/machine-id r,
+
+  owner @{user_config_dirs}/openra/{,**} rw,
+  owner @{user_config_dirs}/.mono/{,**} r,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* rw,
+
+  owner /tmp/*.* rw,
+  owner /tmp/CASESENSITIVETEST* rw,
+  owner /dev/shm/mono.* rw,
+        /dev/shm/ r,
+
+  @{sys}/devices/pci[0-9]*/**/uevent r,
+  @{sys}/devices/pci[0-9]*/**/vendor r,
+  @{sys}/devices/pci[0-9]*/**/device r,
+  @{sys}/devices/pci[0-9]*/**/subsystem_vendor r,
+  @{sys}/devices/pci[0-9]*/**/subsystem_device r,
+
+  owner @{PROC}/@{pid}/fd/ r,
 
   include if exists <local/mono-sgen>
 }

apparmor.d/profiles-s-z/udisksd

@@ -111,6 +111,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w,
   @{sys}/devices/virtual/block/dm-[0-9]*/ w,
   @{sys}/devices/virtual/block/dm-[0-9]*/** w,
+  @{sys}/devices/virtual/block/loop[0-9]*/uevent rw,
 
   # For powering off USB devices
   @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,