Various fixes.

apparmor.d/groups/browsers/chromium

@@ -53,6 +53,7 @@ profile chromium @{exec_path} {
   # file_inherit
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,
+  /dev/dri/card[0-9] rw,
 
   include if exists <local/chromium>
 }

apparmor.d/groups/desktop/dbus-daemon

@@ -37,7 +37,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   /usr/share/defaults/**.conf r,
 
   owner @{user_share_dirs}/dbus-1/{,**} r,
-  owner @{user_share_dirs}/icc/{,edid-*.icc} r,
+  owner @{user_share_dirs}/icc/{,edid-*} r,
 
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/oom_score_adj rw,

apparmor.d/groups/gnome/gdm

@@ -20,7 +20,7 @@ profile gdm @{exec_path} {
 
   ptrace (read) peer=unconfined,
 
-  signal (send) set=(term) peer=confined,
+  signal (send) set=(term),
 
   @{exec_path} mr,
 
@@ -38,6 +38,7 @@ profile gdm @{exec_path} {
   @{run}/gdm/gdm.pid rw,
   @{run}/gdm/greeter/ rw,
   @{run}/systemd/seats/seat[0-9]* r,
+  @{run}/systemd/sessions/[0-9] r,
   @{run}/systemd/sessions/[0-9].ref r,
   @{run}/systemd/userdb/ r,
   @{run}/systemd/users/[0-9]* r,

apparmor.d/groups/gnome/gdm-session-worker

@@ -12,9 +12,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   include <abstractions/authentication>
   include <abstractions/nameservice-strict>
 
-  signal (receive) set=term peer=gdm,
-  signal (send) set=term peer=gdm-wayland-session,
-
   capability audit_write,
   capability chown,
   capability dac_override,
@@ -27,6 +24,10 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   capability sys_nice,
   capability sys_tty_config,
 
+  signal (send) set=hup peer=gsd-*,
+  signal (send) set=hup peer=gnome-*,
+  signal (send) set=hup peer=xwayland,
+  signal (send) set=term peer=gdm-wayland-session,
   signal (receive) set=term peer=gdm,
 
   network netlink raw,
@@ -46,6 +47,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   /etc/security/limits.d/{,*.conf} r,
 
   /usr/share/gdm/gdm.schemas r,
+  /usr/share/wayland-sessions/*.desktop r,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,
   @{run}/systemd/sessions/[0-9].ref rw,

apparmor.d/groups/gnome/gnome-shell

@@ -29,6 +29,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read),
 
+  signal (receive) set=(term, hup) peer=gdm*,
   signal (send) set=(term) peer=polkit*,
 
   @{exec_path} mr,

apparmor.d/groups/gnome/goa-identity-service

@@ -9,12 +9,9 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/goa-identity-service
 profile goa-identity-service @{exec_path} {
   include <abstractions/base>
+  include <abstractions/authentication>
 
   @{exec_path} mr,
 
-  # Kerberos authentication
-  /etc/krb5.conf r,
-  deny /etc/krb5.conf w,
-
   include if exists <local/goa-identity-service>
 }

apparmor.d/groups/gnome/gsd-xsettings

@@ -14,6 +14,13 @@ profile gsd-xsettings @{exec_path} {
   include <abstractions/fontconfig-cache-read>
   include <abstractions/fonts>
   include <abstractions/gtk>
+  include <abstractions/nameservice-strict>
+
+  network inet stream,
+  network inet6 stream,
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
 
   @{exec_path} mr,
   /{usr/,}bin/xrdb rPx,

apparmor.d/groups/systemd/systemd-coredump

@@ -32,7 +32,7 @@ profile systemd-coredump @{exec_path} flags=(complain) {
 
         /var/lib/systemd/coredump/ r,
   owner /var/lib/systemd/coredump/#[0-9]* rw,
-  owner /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,
+  owner /var/lib/systemd/coredump/core.*.[0-9]*.[0-9a-f]*.[0-9]*.[0-9]*{,.zst} rwl -> /var/lib/systemd/coredump/#[0-9]*,
 
   owner @{PROC}/@{pid}/setgroups r,
         @{PROC}/@{pids}/comm r,

apparmor.d/groups/systemd/systemd-logind

@@ -81,11 +81,12 @@ profile systemd-logind @{exec_path} flags=(complain) {
   @{sys}/firmware/efi/efivars/LoaderEntries-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
   @{sys}/firmware/efi/efivars/LoaderFeatures-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]* r,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/sessionid r,
+  @{PROC}/@{pid}/stat r,
   @{PROC}/swaps r,
-  @{PROC}/[0-9]*/cgroup r,
-  @{PROC}/[0-9]*/stat r,
-  @{PROC}/[0-9]*/sessionid r,
-  @{PROC}/[0-9]*/fd/ r,
+  @{PROC}/sysvipc/{shm,sem,msg} r,
 
   include if exists <local/systemd-logind>
 }

apparmor.d/profiles-a-l/borg

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+#               2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -29,9 +30,11 @@ profile borg @{exec_path} {
   /{usr/,}bin/python3.[0-9]* r,
 
   /usr/bin/uname                     rix,
-  /usr/sbin/ldconfig                 rix,
+  /{usr/,}{s,}bin/ldconfig           rix,
   /{usr/,}bin/{,@{multiarch}-}ld.bfd rix,
 
+  /usr/bin/pass                      rPUx,
+  /usr/bin/ssh                       rPx,
   /{usr/,}bin/ccache                 rCx -> ccache,
   /usr/bin/fusermount{,3}            rCx -> fusermount,
 
@@ -43,6 +46,9 @@ profile borg @{exec_path} {
   /dev/fuse rw,
 
   owner @{PROC}/@{pid}/fd/ r,
+        @{PROC}/sys/kernel/random/boot_id r,
+
+  @{run}/systemd/userdb/ r,
 
   owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/borg/ rw,

apparmor.d/profiles-m-z/xdg-dbus-proxy

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/xdg-dbus-proxy
-profile xdg-dbus-proxy @{exec_path} flags=(complain) {
+profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) {
   include <abstractions/base>
 
   @{exec_path} mr,