feat(profiles): general update.

apparmor.d/groups/gnome/gdm-session-worker

@@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   capability sys_tty_config,
 
   signal (receive) set=term peer=gdm,
+  signal (receive) set=hup peer=@{systemd},
   signal (send) set=hup peer=at-spi*,
   signal (send) set=hup peer=dbus-daemon,
   signal (send) set=hup peer=dbus-run-session,

apparmor.d/groups/gnome/gnome-software

@@ -34,6 +34,7 @@ profile gnome-software @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/baobab              rPUx,
   @{bin}/bwrap               rPUx,
   @{bin}/fusermount{,3}      rCx -> fusermount,
   @{bin}/gpg{,2}             rCx -> gpg,

apparmor.d/groups/gnome/mutter-x11-frames

@@ -27,7 +27,8 @@ profile mutter-x11-frames @{exec_path} {
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
 
-  /var/lib/gdm/.config/dconf/user r,
+  /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
 
   owner @{PROC}/@{pid}/cmdline r,
 

apparmor.d/groups/gnome/tracker-miner

@@ -104,6 +104,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   @{run}/blkid/blkid.tab r,
   @{run}/mount/utab r,
 
+        @{PROC}/@{pid}/cmdline r,
         @{PROC}/sys/fs/fanotify/max_user_marks r,
         @{PROC}/sys/fs/inotify/max_user_watches r,
   owner @{PROC}/@{pid}/mountinfo r,

apparmor.d/groups/systemd/systemd-coredump

@@ -25,6 +25,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
 
   mount -> /,
 
+  ptrace (read),
+
   @{exec_path} mr,
 
   @{lib}/** r,

apparmor.d/groups/systemd/systemd-journald

@@ -27,6 +27,8 @@ profile systemd-journald @{exec_path} {
 
   network netlink raw,
 
+  ptrace (read),
+
   @{exec_path} mr,
 
   /etc/systemd/journald.conf r,

apparmor.d/groups/systemd/systemd-portabled

@@ -13,16 +13,9 @@ profile systemd-portabled @{exec_path} {
 
   capability sys_ptrace,
 
-  ptrace (read) peer=unconfined,
-
   @{exec_path} mr,
 
   /var/lib/portables/{,**} rw,
 
-  @{PROC}/1/environ r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/sys/kernel/random/boot_id r,
-
   include if exists <local/systemd-portabled>
 }

apparmor.d/groups/systemd/systemd-tty-ask-password-agent

@@ -14,6 +14,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
 
   audit capability net_admin,
 
+  signal (receive) set=(term cont) peer=default,
   signal (receive) set=(term cont) peer=logrotate,
 
   @{exec_path} mr,

apparmor.d/profiles-a-f/blueman-mechanism

@@ -1,17 +1,17 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021-20223 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{lib}/blueman-mechanism
-@{exec_path} += @{lib}/blueman/blueman-mechanism
+@{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism
 profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/python>
   include <abstractions/nameservice-strict>
+  include <abstractions/python>
 
   capability mknod,
   capability net_admin,

apparmor.d/profiles-a-f/borg

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/borg
 profile borg @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
   include <abstractions/python>
 
   capability dac_read_search,
@@ -20,6 +21,11 @@ profile borg @{exec_path} {
   network inet6 dgram,
   network netlink raw,
 
+  mount fstype=fuse -> @{MOUNTS}/,
+  mount fstype=fuse -> @{MOUNTS}/*/,
+  umount @{MOUNTS}/,
+  umount @{MOUNTS}/*/,
+
   @{exec_path} r,
 
   @{bin}/ r,
@@ -30,42 +36,10 @@ profile borg @{exec_path} {
   @{bin}/ldconfig               rix,
   @{bin}/uname                  rix,
 
-  @{bin}/pass                   rPUx,
-  @{bin}/ssh                    rPx,
   @{bin}/ccache                 rCx -> ccache,
   @{bin}/fusermount{,3}         rCx -> fusermount,
-
-  mount fstype=fuse -> @{MOUNTS}/,
-  mount fstype=fuse -> @{MOUNTS}/*/,
-  umount @{MOUNTS}/,
-  umount @{MOUNTS}/*/,
-
-  /dev/fuse rw,
-
-  owner @{PROC}/@{pid}/fd/ r,
-        @{PROC}/sys/kernel/random/boot_id r,
-
-  @{run}/systemd/userdb/ r,
-  @{run}/resolvconf/resolv.conf r,
-
-  owner @{user_cache_dirs}/ rw,
-  owner @{user_cache_dirs}/borg/ rw,
-  owner @{user_cache_dirs}/borg/** rw,
-
-  owner @{user_config_dirs}/borg/ rw,
-  owner @{user_config_dirs}/borg/** rw,
-
-  # If /tmp/ isn't accessible, then /var/tmp/ is used.
-  owner /tmp/* rw,
-  owner /tmp/tmp*/ rw,
-  owner /tmp/tmp*/idx rw,
-  owner /tmp/tmp*/file rw,
-  owner /tmp/borg-cache-*/ rw,
-  owner /tmp/borg-cache-*/* rw,
-  owner /var/tmp/* rw,
-  owner /var/tmp/tmp*/ rw,
-  owner /var/tmp/tmp*/idx rw,
-  owner /var/tmp/tmp*/file rw,
+  @{bin}/pass                   rPx,
+  @{bin}/ssh                    rPx,
 
   # Dirs that can be backed up
   /            r,
@@ -80,13 +54,28 @@ profile borg @{exec_path} {
   owner @{MOUNTS}/ r,
   owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
 
-  # borg serve on server's side
-  owner /home/borg/*/ rw,
-  owner /home/borg/*/{,**} rw,
+  owner @{user_cache_dirs}/ rw,
+  owner @{user_cache_dirs}/borg/ rw,
+  owner @{user_cache_dirs}/borg/** rw,
 
-  # For exporting the key
-  owner /**/key w,
+  owner @{user_config_dirs}/borg/ rw,
+  owner @{user_config_dirs}/borg/** rw,
 
+  # If /tmp/ isn't accessible, then /var/tmp/ is used.
+  owner /tmp/* rw,
+  owner /tmp/borg-cache-*/ rw,
+  owner /tmp/borg-cache-*/* rw,
+  owner /tmp/tmp*/ rw,
+  owner /tmp/tmp*/file rw,
+  owner /tmp/tmp*/idx rw,
+  owner /var/tmp/* rw,
+  owner /var/tmp/tmp*/ rw,
+  owner /var/tmp/tmp*/file rw,
+  owner /var/tmp/tmp*/idx rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+
+  /dev/fuse rw,
 
   profile ccache {
     include <abstractions/base>
@@ -97,29 +86,31 @@ profile borg @{exec_path} {
     @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
     @{bin}/{,@{multiarch}-}g++-[0-9]* rix,
 
-    /media/ccache/*/** rw,
-
     /etc/debian_version r,
 
+    @{MOUNTS}/** rw,
+
+    include if exists <local/borg_ccache>
   }
 
   profile fusermount {
     include <abstractions/base>
     include <abstractions/nameservice-strict>
 
-    # To mount anything:
     capability sys_admin,
 
+    umount @{MOUNTS}/,
+    umount @{MOUNTS}/*/,
+
     @{bin}/fusermount{,3} mr,
 
     /etc/fuse.conf r,
 
-    umount @{MOUNTS}/,
-    umount @{MOUNTS}/*/,
-  
     @{PROC}/@{pids}/mounts r,
 
     /dev/fuse rw,
+
+    include if exists <local/borg_fusermount>
   }
 
   include if exists <usr/borg.d>

apparmor.d/profiles-a-f/cups-pk-helper-mechanism

@@ -16,6 +16,9 @@ profile cups-pk-helper-mechanism @{exec_path} {
   capability dac_read_search,
   capability sys_nice,
 
+  network inet stream,
+  network inet6 stream,
+
   dbus receive bus=system path=/
        interface=org.opensuse.CupsPkHelper.Mechanism,
 

apparmor.d/profiles-g-l/language-validate

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /usr/share/language-tools/language-{options,validate}
-profile language-validate @{exec_path} {
+profile language-validate @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   capability setgid,

apparmor.d/profiles-m-r/netcap

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,9 +14,6 @@ profile netcap @{exec_path} {
   include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
-
-  # To get access to all of the @{PROC}/@{pids}/fd/ dirs, which sometimes can be owned by other
-  # users than root, for instance systemd-timesync.
   capability dac_read_search,
 
   ptrace (read),

apparmor.d/profiles-m-r/pactl

@@ -20,7 +20,7 @@ profile pactl @{exec_path} {
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
-  /var/lib/gdm/.config/pulse/cookie rk,
+  /var/lib/gdm{3,}/.config/pulse/cookie rk,
 
   owner @{HOME}/.Xauthority r,
 

apparmor.d/profiles-m-r/redshift

@@ -1,42 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2015 Cameron Norman <camerontnorman@gmail.com>
-#    Copyright (C) 2017-2021 Mikhail Morfikov
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/redshift
-profile redshift @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/wayland>
-  include <abstractions/nameservice-strict>
-
-  @{exec_path} mr,
-
-  dbus send
-       bus=system
-       path=/org/freedesktop/GeoClue2/Client/@{int},
-
-  dbus receive
-       bus=system
-       path=/org/freedesktop/GeoClue2/Manager,
-
-  # Allow but log any other dbus activity
-  audit dbus bus=system,
-
-  # Redshift config files
-  owner @{user_config_dirs}/redshift/{,**} rw,
-  owner @{user_config_dirs}/redshift.conf rw,
-
-  owner @{run}/user/@{uid}/redshift-shared-* rw,
-
-  owner @{HOME}/.Xauthority r,
-  owner /tmp/xauth-[0-9]*-_[0-9] r,
-
-  # file_inherit
-  owner /dev/tty@{int} rw,
-
-  include if exists <local/redshift>
-}

apparmor.d/profiles-s-z/udisksd

@@ -20,6 +20,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability fowner,
   capability fsetid,
+  capability net_admin,
   capability setgid,
   capability setuid,
   capability sys_admin,