update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>
2025-01-18 08:58:15 +01:00 · 2021-12-08 12:59:46 +01:00 · 2021-12-08 12:59:46 +01:00 · 3430e3df90
commit 3430e3df90
parent 44aca3ba51
56 changed files with 146 additions and 45 deletions
--- a/apparmor.d/abstractions/libvirt-qemu
+++ b/apparmor.d/abstractions/libvirt-qemu
@ -198,7 +198,7 @@
  /sys/class/ r,
  # for rbd
-  /etc/ceph/ceph.conf r,
+  /etc/ceph/*.conf r,
  # Various functions will need to enumerate /tmp (e.g. ceph), allow the base
  # dir and a few known functions like samba support.
--- a/apparmor.d/groups/apps/okular
+++ b/apparmor.d/groups/apps/okular
@ -19,6 +19,7 @@ profile okular @{exec_path} {
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/dri-enumerate>
  include <abstractions/kde-icon-cache-write>
--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@ -67,6 +67,7 @@ profile vlc @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/vulkan>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/ssl_certs>
  include <abstractions/devices-usb>
  include <abstractions/deny-root-dir-access>
--- a/apparmor.d/groups/apt/apt-show-versions
+++ b/apparmor.d/groups/apt/apt-show-versions
@ -15,8 +15,13 @@ profile apt-show-versions @{exec_path} {
  @{exec_path} r,
  /{usr/,}bin/perl r,
  /{usr/,}bin/{,ba,da}sh rix,
-  /usr/bin/dpkg rPx -> child-dpkg,
+  /{usr/,}bin/dpkg       rPx -> child-dpkg,
  /{usr/,}bin/apt-get    rPx,
  # apt-helper gets "no new privs" so "rix" it
  /{usr/,}lib/apt/apt-helper rix,
  owner /var/cache/apt-show-versions/{a,i}packages-multiarch rw,
  owner /var/cache/apt-show-versions/files rw,
--- a/apparmor.d/groups/apt/cron-popularity-contest
+++ b/apparmor.d/groups/apt/cron-popularity-contest
@ -46,6 +46,7 @@ profile cron-popularity-contest @{exec_path} {
  /var/log/ r,
  /var/log/popularity-contest{,.new} rw,
  /var/log/popularity-contest{,.new}.gpg rw,
  /var/log/popularity-contest.[0-9]* rw,
  # Store last successful http submission timestamp
  /var/lib/popularity-contest/ rw,
@ -118,6 +119,8 @@ profile cron-popularity-contest @{exec_path} {
    /var/log/popularity-contest.new r,
    /var/log/popularity-contest.new.gpg rw,
    /var/log/popularity-contest.[0-9]* r,
    /var/log/popularity-contest.[0-9]*.gpg rw,
    owner /tmp/tmp.*/** rwkl -> /tmp/tmp.*/**,
@ -144,6 +147,7 @@ profile cron-popularity-contest @{exec_path} {
    /var/log/ r,
    /var/log/popularity-contest.new.gpg r,
    /var/log/popularity-contest.[0-9]*.gpg r,
    # file_inherit
    owner /tmp/#[0-9]*[0-9] rw,
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -71,11 +71,14 @@ profile dpkg @{exec_path} {
  /etc/dpkg/dpkg.cfg r,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/sys/kernel/random/boot_id r,
  owner /tmp/apt-dpkg-install-*/ r,
  /var/log/dpkg.log w,
  @{run}/systemd/userdb/ r,
  # For shell pwd
  /root/ r,
@ -103,9 +106,15 @@ profile dpkg @{exec_path} {
  /var/local/**  rwl -> /var/local/**,
  /var/spool/    r,
  /var/spool/**  rwl -> /var/spool/**,
  # Fixme when more transitions will be available (#FIXME#)
  /var/www/      r,
  /var/www/**    rwl,
  # To create log and cache dirs
  /var/log/**/   rw,
  /var/cache/**/ rw,
  # To create dirs under var
  /var/*.dpkg-new/ rw,
  /var/*/ rw,
  # file_inherit
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/apt/dpkg-deb
+++ b/apparmor.d/groups/apt/dpkg-deb
@ -14,6 +14,9 @@ profile dpkg-deb @{exec_path} {
  #capability sys_tty_config,
  # For "mk-build-deps -i"
  capability dac_override,
  @{exec_path} mr,
  /{usr/,}bin/tar rix,
--- a/apparmor.d/groups/apt/dpkg-genbuildinfo
+++ b/apparmor.d/groups/apt/dpkg-genbuildinfo
@ -11,6 +11,9 @@ profile dpkg-genbuildinfo @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/perl>
  # For "mk-build-deps -i"
  capability dac_override,
  @{exec_path} r,
  /{usr/,}bin/perl r,
--- a/apparmor.d/groups/apt/dpkg-trigger
+++ b/apparmor.d/groups/apt/dpkg-trigger
@ -16,7 +16,7 @@ profile dpkg-trigger @{exec_path} {
  /var/lib/dpkg/triggers/Lock rwk,
  /var/lib/dpkg/triggers/ r,
-  /var/lib/dpkg/triggers/Unincorp{,.new} rw,
+  /var/lib/dpkg/triggers/* rw,
  include if exists <local/dpkg-trigger>
 }
--- a/apparmor.d/groups/desktop/obex-folder-listing
+++ b/apparmor.d/groups/desktop/obex-folder-listing
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/obex-folder-listing
 profile obex-folder-listing @{exec_path} {
  include <abstractions/base>
  include <abstractions/private-files-strict>
  include <abstractions/user-download-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@ -32,6 +32,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
  owner @{run}/user/@{uid}/dconf/ w,
  owner @{run}/user/@{uid}/dconf/user rw,
  @{run}/systemd/sessions/[0-9]* r,
  /etc/fstab r,
  # Mount points
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@ -11,8 +11,10 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-mtp
 profile gvfsd-mtp @{exec_path} {
  include <abstractions/base>
  include <abstractions/freedesktop.org>
  include <abstractions/devices-usb>
  include <abstractions/freedesktop.org>
  include <abstractions/private-files-strict>
  include <abstractions/user-download-strict>
  network netlink raw,
--- a/apparmor.d/groups/ssh/ssh
+++ b/apparmor.d/groups/ssh/ssh
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -28,7 +28,7 @@ profile ssh @{exec_path} {
  owner @{HOME}/@{XDG_SSH_DIR}/ r,
  owner @{HOME}/@{XDG_SSH_DIR}/config r,
-  owner @{HOME}/@{XDG_SSH_DIR}/known_hosts rw,
+  owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl,
  owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/ssh/{,*} r,
  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/config r,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -30,4 +30,6 @@ profile systemd-hostnamed @{exec_path} {
  /etc/hostname rw,
  /etc/.#hostname* rw,
  @{run}/udev/data/+dmi:id r,
 }
--- a/apparmor.d/profiles-a-f/adduser
+++ b/apparmor.d/profiles-a-f/adduser
@ -49,16 +49,11 @@ profile adduser @{exec_path} {
  /etc/adduser.conf r,
-  # To create user dirs
+  # To create user dirs and copy files from /etc/skel/ to them
  @{HOME}/ rw,
  # To copy files from /etc/skel/ to user dirs
  @{HOME}/.* w,
  /var/lib/*/{,*} rw,
  /etc/skel/{,.*} r,
  # What's this for? (#FIXME#)
  /var/lib/lightdm/{,*} w,
  /var/lib/sddm/{,*} w,
  include if exists <local/adduser>
 }
--- a/apparmor.d/profiles-a-f/amixer
+++ b/apparmor.d/profiles-a-f/amixer
@ -10,15 +10,20 @@ include <tunables/global>
 profile amixer @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/nameservice-strict>
  @{exec_path} mr,
  /usr/share/pipewire/client.conf r,
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
  owner @{HOME}/.Xauthority r,
-  owner @{user_config_dirs}/pulse/ r,
+  owner @{HOME}/.config/pulse/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  # file_inherit
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/profiles-a-f/badblocks
+++ b/apparmor.d/profiles-a-f/badblocks
@ -18,7 +18,7 @@ profile badblocks @{exec_path} {
        @{PROC}/swaps r,
  # A place for a list of already existing known bad blocks
-  @{HOME}/** rwk,
+  @{HOME}/* rwk,
  @{MOUNTS}/*/** rwk,
  include if exists <local/badblocks>
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -30,8 +30,10 @@ profile blkid @{exec_path} {
  @{PROC}/partitions r,
  # Image files
-  @{HOME}/** r,
+  @{HOME}/**.{iso,img,bin,mdf,nrg} r,
-  @{MOUNTS}/*/** r,
+  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
  include if exists <local/blkid>
 }
--- a/apparmor.d/profiles-a-f/conky
+++ b/apparmor.d/profiles-a-f/conky
@ -18,8 +18,12 @@ profile conky @{exec_path} {
  include <abstractions/ssl_certs>
  include <abstractions/deny-root-dir-access>
  # To get the external IP address
  # For samba share mounts
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  # For dig
  #network inet stream,
--- a/apparmor.d/profiles-a-f/df
+++ b/apparmor.d/profiles-a-f/df
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/df
 profile df @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
--- a/apparmor.d/profiles-a-f/dfc
+++ b/apparmor.d/profiles-a-f/dfc
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dfc
 profile dfc @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
--- a/apparmor.d/profiles-a-f/dumpe2fs
+++ b/apparmor.d/profiles-a-f/dumpe2fs
@ -18,8 +18,10 @@ profile dumpe2fs @{exec_path} {
  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
  # Image files
-  @{HOME}/** r,
+  @{HOME}/**.{iso,img,bin,mdf,nrg} r,
-  @{MOUNTS}/** r,
+  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
  include if exists <local/dumpe2fs>
 }
--- a/apparmor.d/profiles-a-f/ffmpeg
+++ b/apparmor.d/profiles-a-f/ffmpeg
@ -50,6 +50,7 @@ profile ffmpeg @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>
  network inet dgram,
--- a/apparmor.d/profiles-a-f/ffplay
+++ b/apparmor.d/profiles-a-f/ffplay
@ -43,6 +43,8 @@ profile ffplay @{exec_path} {
  include <abstractions/X>
  include <abstractions/freedesktop.org>
  include <abstractions/audio>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>
  @{exec_path} mr,
--- a/apparmor.d/profiles-a-f/ffprobe
+++ b/apparmor.d/profiles-a-f/ffprobe
@ -41,6 +41,8 @@ include <tunables/global>
 profile ffprobe @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>
  @{exec_path} mr,
--- a/apparmor.d/profiles-g-l/hdparm
+++ b/apparmor.d/profiles-g-l/hdparm
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/hdparm
 profile hdparm @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/disks-read>
  # To remove the following errors:
@ -27,8 +29,10 @@ profile hdparm @{exec_path} flags=(complain) {
  @{PROC}/devices r,
  # Image files
-  @{HOME}/** r,
+  @{HOME}/**.{iso,img,bin,mdf,nrg} r,
-  @{MOUNTS}/*/** r,
+  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} r,
  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} r,
  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} r,
  include if exists <local/hdparm>
 }
--- a/apparmor.d/profiles-g-l/hypnotix
+++ b/apparmor.d/profiles-g-l/hypnotix
@ -25,6 +25,7 @@ profile hypnotix @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/python>
@ -85,7 +86,7 @@ profile hypnotix @{exec_path} {
  /etc/machine-id r,
  # Silencer
-  /{usr/,}lib/hypnotix/** w,
+  deny /{usr/,}lib/hypnotix/** w,
  profile xdg-screensaver {
--- a/apparmor.d/profiles-g-l/jmtpfs
+++ b/apparmor.d/profiles-g-l/jmtpfs
@ -17,12 +17,18 @@ profile jmtpfs @{exec_path} {
  /{usr/,}bin/fusermount{,3} rCx -> fusermount,
  owner /tmp/tmp* rw,
  owner /tmp/#[0-9]* rw,
  # Mount points
  owner @{HOME}/*/ r,
  owner @{HOME}/*/*/ r,
  owner @{HOME}/.cache/*/mtp{,-[0-9]*}/ rw,
  mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
  mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
  mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/.cache/*/*/,
  /etc/magic r,
@ -36,10 +42,14 @@ profile jmtpfs @{exec_path} {
    # To mount anything:
    capability sys_admin,
    #
    capability dac_read_search,
    /{usr/,}bin/fusermount{,3} mr,
    mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/,
    mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/*/*/,
    mount fstype={fuse,fuse.jmtpfs} -> @{HOME}/.cache/*/*/,
    /etc/fuse.conf r,
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -48,7 +48,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
  # Initframs
  owner /tmp/mkinitcpio.*/{,**} rw,
-  #owner @{PROC}/@{pid}/fd/1 w,
+  owner @{run}/tmpfiles.d/ w,
  owner @{run}/tmpfiles.d/static-nodes.conf w,
  # For local kernel build
  owner /tmp/depmod.*/lib/modules/*/ r,
--- a/apparmor.d/profiles-m-r/mediainfo
+++ b/apparmor.d/profiles-m-r/mediainfo
@ -34,6 +34,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/mediainfo
 profile mediainfo @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>
  @{exec_path} mr,
--- a/apparmor.d/profiles-m-r/mediainfo-gui
+++ b/apparmor.d/profiles-m-r/mediainfo-gui
@ -39,6 +39,7 @@ profile mediainfo-gui @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>
  @{exec_path} mr,
--- a/apparmor.d/profiles-m-r/mkvmerge
+++ b/apparmor.d/profiles-m-r/mkvmerge
@ -41,6 +41,7 @@ include <tunables/global>
 profile mkvmerge @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>
  signal (receive) set=(term, kill) peer=mkvtoolnix-gui,
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@ -53,6 +53,7 @@ profile mkvtoolnix-gui @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>
  signal (send) set=(term, kill) peer=mkvmerge,
--- a/apparmor.d/profiles-m-r/mpv
+++ b/apparmor.d/profiles-m-r/mpv
@ -9,7 +9,7 @@ include <tunables/global>
 # Video/audio extensions:
 # a52, aac, ac3, mka, flac, mp1, mp2, mp3, mpc, oga, oma, wav, wv, wm, wma, 3g2, 3gp, 3gp2, 3gpp,
 # asf, avi, divx, m1v, m2v, m4v, mkv, mov, mp4, mpa, mpe, mpg, mpeg, mpeg1, mpeg2, mpeg4, ogg, ogm,
-# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t
+# ogx, ogv, rm, rmvb, webm, wmv, wtv, mp2t, flv
@{mpv_ext}  = [aA]{52,[aA][cC],[cC]3}
@{mpv_ext} += [mM][kK][aA]
@{mpv_ext} += [fF][lL][aA][cC]
@ -30,6 +30,7 @@ include <tunables/global>
@{mpv_ext} += [wW][eE][bB][mM]
@{mpv_ext} += [wW][mMtT][vV]
@{mpv_ext} += [mM][pP]2[tT]
@{mpv_ext} += [fF][lL][vV]
 # Image extensions
 # bmp, jpg, jpeg, png, gif
@ -66,6 +67,7 @@ profile mpv @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/vulkan>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/deny-root-dir-access>
--- a/apparmor.d/profiles-m-r/ntfsclone
+++ b/apparmor.d/profiles-m-r/ntfsclone
@ -10,6 +10,8 @@ include <tunables/global>
 profile ntfsclone @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
  include <abstractions/private-files-strict>
  include <abstractions/user-download-strict>
  capability sys_admin,
@ -18,7 +20,7 @@ profile ntfsclone @{exec_path} {
  owner @{PROC}/@{pid}/mounts r,
  # A place for backups
-  @{HOME}/** rwk,
+  @{HOME}/* rwk,
  @{MOUNTS}/*/** rwk,
  include if exists <local/ntfsclone>
--- a/apparmor.d/profiles-m-r/openbox
+++ b/apparmor.d/profiles-m-r/openbox
@ -77,7 +77,8 @@ profile openbox @{exec_path} {
    /etc/xdg/autostart/{,*} r,
    # Silencer
-    /{usr/,}lib/python3/** w,
+    deny /{usr/,}lib/python3/** w,
    deny owner @{HOME}/.local/lib/python*/site-packages/ r,
    # file_inherit
    owner @{HOME}/.xsession-errors w,
--- a/apparmor.d/profiles-m-r/popularity-contest
+++ b/apparmor.d/profiles-m-r/popularity-contest
@ -55,6 +55,7 @@ profile popularity-contest @{exec_path} {
  # file_inherit
  /tmp/#[0-9]*[0-9] rw,
  /var/log/popularity-contest.[0-9]* w,
  include if exists <local/popularity-contest>
 }
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -18,6 +18,7 @@ profile qbittorrent @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-settings-write>
  include <abstractions/wayland>
--- a/apparmor.d/profiles-m-r/qnapi
+++ b/apparmor.d/profiles-m-r/qnapi
@ -51,6 +51,7 @@ profile qnapi @{exec_path} {
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/deny-root-dir-access>
  # Some apps can use qnapi to automate downloading of subtitles. When a user wants to abort the
--- a/apparmor.d/profiles-m-r/qpdfview
+++ b/apparmor.d/profiles-m-r/qpdfview
@ -22,6 +22,7 @@ profile qpdfview @{exec_path} {
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/dri-enumerate>
  include <abstractions/qt5-settings-write>
--- a/apparmor.d/profiles-m-r/redshift
+++ b/apparmor.d/profiles-m-r/redshift
@ -36,5 +36,8 @@ profile redshift @{exec_path} {
  owner @{HOME}/.Xauthority r,
  owner /tmp/xauth-[0-9]*-_[0-9] r,
  # file_inherit
  owner /dev/tty[0-9]* rw,
  include if exists <local/redshift>
 }
--- a/apparmor.d/profiles-m-r/reprepro
+++ b/apparmor.d/profiles-m-r/reprepro
@ -48,12 +48,14 @@ profile reprepro @{exec_path} {
  # Dirs containing .deb files
  owner @{REPO_DIR}/*.deb r,
  /var/cache/apt/archives/*.deb r,
  # For package building
  owner @{user_build_dirs}/pbuilder/result/*.{dsc,changes} r,
  owner @{user_build_dirs}/pbuilder/result/*.deb r,
  owner @{user_build_dirs}/pbuilder/result/*.tar.* r,
  profile gpg {
    include <abstractions/base>
--- a/apparmor.d/profiles-s-z/smplayer
+++ b/apparmor.d/profiles-s-z/smplayer
@ -69,6 +69,7 @@ profile smplayer @{exec_path} {
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/openssl>
  include <abstractions/deny-root-dir-access>
--- a/apparmor.d/profiles-s-z/tune2fs
+++ b/apparmor.d/profiles-s-z/tune2fs
@ -11,6 +11,8 @@ profile tune2fs @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  network inet stream,
  network inet6 stream,
@ -26,8 +28,10 @@ profile tune2fs @{exec_path} {
  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
  # Image files
-  @{HOME}/** rw,
+  @{HOME}/**.{iso,img,bin,mdf,nrg} rw,
-  @{MOUNTS}/*/** rw,
+  @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rw,
  @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rw,
  @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rw,
  include if exists <local/tune2fs>
 }
--- a/apparmor.d/profiles-s-z/ucf
+++ b/apparmor.d/profiles-s-z/ucf
@ -55,10 +55,9 @@ profile ucf @{exec_path} flags=(complain) {
  # For md5sum
  /etc/** r,
-  /usr/share/*/conffiles/* r,
+  /usr/share/** r,
  @{run}/** r,
  # For writing new config files
  /etc/** rw,
--- a/apparmor.d/profiles-s-z/umount
+++ b/apparmor.d/profiles-s-z/umount
@ -33,6 +33,7 @@ profile umount @{exec_path} flags=(complain) {
  @{HOME}/ r,
  @{HOME}/*/ r,
  @{HOME}/*/*/ r,
  @{HOME}/.cache/*/*/ r,
  @{MOUNTS}/*/ r,
  @{MOUNTS}/*/*/ r,
--- a/apparmor.d/profiles-s-z/uscan
+++ b/apparmor.d/profiles-s-z/uscan
@ -38,6 +38,9 @@ profile uscan @{exec_path} {
  # To run custom maintainer scripts
  owner @{user_build_dirs}/**/debian/* rPUx,
  /usr/share/*/debian/ r,
  /usr/share/*/debian/changelog r,
  /{usr/,}bin/gpg       rCx -> gpg,
  /{usr/,}bin/gpgv      rCx -> gpg,
@ -49,7 +52,6 @@ profile uscan @{exec_path} {
  # For package building
  owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
  # For GPG keys
  owner /tmp/*/ rw,
  owner /tmp/*/trustedkeys.gpg w,
--- a/apparmor.d/profiles-s-z/useradd
+++ b/apparmor.d/profiles-s-z/useradd
@ -63,11 +63,10 @@ profile useradd @{exec_path} {
  /var/log/faillog rw,
  /var/log/lastlog rw,
-  # To create user dirs
+  # To create user dirs and copy files from /etc/skel/ to them
  @{HOME}/ rw,
  # To copy files from /etc/skel/ to user dirs
  @{HOME}/.* w,
  /var/lib/*/{,*} rw,
  /etc/skel/{,.*} r,
--- a/apparmor.d/profiles-s-z/userdel
+++ b/apparmor.d/profiles-s-z/userdel
@ -55,11 +55,10 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
  /etc/.pwd.lock rwk,
  # To remove user home files
-  @{HOME}/ rw,
+  @{HOME}/{,**}    rw,
-  @{HOME}/** w,
+  /var/            r,
-
+  /var/lib/        r,
-  # To remove user mail
+  /var/lib/*/{,**} rw,
  /var/mail/* w,
  include if exists <local/userdel>
 }
--- a/apparmor.d/profiles-s-z/usermod
+++ b/apparmor.d/profiles-s-z/usermod
@ -59,7 +59,9 @@ profile usermod @{exec_path} flags=(attach_disconnected) {
  # To create and move user dirs
  @{HOME}/{,**}    rw,
-  /var/{,**}    rw,
+  /var/            r,
  /var/lib/        r,
  /var/lib/*/{,**} rw,
  include if exists <local/usermod>
 }
--- a/apparmor.d/profiles-s-z/vidcutter
+++ b/apparmor.d/profiles-s-z/vidcutter
@ -45,12 +45,12 @@ profile vidcutter @{exec_path} {
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-shader-cache>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/audio>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/deny-dconf>
  include <abstractions/deny-root-dir-access>
  @{exec_path} r,
@ -92,6 +92,10 @@ profile vidcutter @{exec_path} {
  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9] rw,
  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/[0-9a-f]* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#[0-9]*[0-9],
  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{user_config_dirs}/qt5ct/{,**} r,
  /usr/share/qt5ct/** r,
--- a/apparmor.d/profiles-s-z/vnstat
+++ b/apparmor.d/profiles-s-z/vnstat
@ -63,6 +63,8 @@ profile vnstat @{exec_path} {
  deny @{PROC}/loadavg r,
  deny @{sys}/devices/**/hwmon/**/temp*_input r,
  owner /dev/tty[0-9]* rw,
  deny network inet dgram,
  deny network inet6 dgram,
  include if exists <local/vnstat>
 }
--- a/apparmor.d/profiles-s-z/wireshark
+++ b/apparmor.d/profiles-s-z/wireshark
@ -21,6 +21,7 @@ profile wireshark @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/gtk>
  include <abstractions/user-download-strict>
  include <abstractions/private-files-strict>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/qt5-compose-cache-write>
@ -84,7 +85,6 @@ profile wireshark @{exec_path} {
  # file_inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,
  profile open {
--- a/apparmor.d/profiles-s-z/xrandr
+++ b/apparmor.d/profiles-s-z/xrandr
@ -14,6 +14,8 @@ profile xrandr @{exec_path} {
  owner @{HOME}/.Xauthority r,
  /usr/share/X11/XErrorDB r,
  # file_inherit
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/profiles-s-z/youtube-dl
+++ b/apparmor.d/profiles-s-z/youtube-dl
@ -51,6 +51,7 @@ profile youtube-dl @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/deny-root-dir-access>
  signal (receive) set=(term, kill),
--- a/apparmor.d/profiles-s-z/ytdl
+++ b/apparmor.d/profiles-s-z/ytdl
@ -45,6 +45,7 @@ profile ytdl @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/deny-root-dir-access>
  signal (receive) set=(term, kill),