feat(profiles): better integration with openSUSE.

See #134

apparmor.d/abstractions/gstreamer

@@ -43,8 +43,8 @@
   #owner @{HOME}/orcexec.* mrw,
 
   /{usr/,}lib/frei0r-[0-9]/*.so mr,
-  /{usr/,}lib/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
-  /{usr/,}lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
+  /{usr/,}lib{,exec}/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
+  /{usr/,}lib{,exec}/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
   /{usr/,}lib/@{multiarch}/libproxy/*/modules/*.so mr,
   /{usr/,}lib/@{multiarch}/libproxy/*/pxgsettings ixr,
   /{usr/,}lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,

apparmor.d/groups/bus/dbus-daemon

@@ -41,11 +41,12 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   @{libexec}/{,at-spi2{,-core}/}at-spi2-registryd                         rPx,
   @{libexec}/*                                                           rPUx,
   @{libexec}/gnome-shell/gnome-shell-calendar-server                      rPx,
+  @{libexec}/kf5/kiod5                                                   rPUx,
   /{usr/,}bin/                                                              r,
   /{usr/,}bin/[a-z0-9]*                                                  rPUx,
+  /{usr/,}lib{,exec}/dbus-1.0/dbus-daemon-launch-helper                   rPx,
   /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd                            rPUx,
   /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd                          rPUx,
-  /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper                          rPx,
   /{usr/,}lib/ibus/ibus-*                                                 rPx,
   /{usr/,}lib/telepathy/mission-control-5                                 rPx,
   /usr/share/gnome-documents/org.gnome.Documents                          rPx,

apparmor.d/groups/cron/cron

@@ -17,6 +17,7 @@ profile cron @{exec_path} {
 
   capability audit_write,
   capability dac_read_search,
+  capability net_admin,
   capability setgid,
   capability setuid,
   capability sys_resource,
@@ -35,7 +36,6 @@ profile cron @{exec_path} {
   /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
   /{usr/,}lib/sysstat/debian-sa1       rPUx,
   /usr/share/rsync/scripts/rrsync      rPUx,
-  /usr/local/lib/pki/pki-realm         rPUx,  # TODO: FIXME: NO COMMIT ZENFRA ONLY
 
   /etc/cron.d/{,*} r,
   /etc/crontab r,
@@ -54,5 +54,7 @@ profile cron @{exec_path} {
   owner @{PROC}/@{pid}/loginuid rw,
         @{PROC}/1/limits r,
 
+  /dev/tty rw,
+
   include if exists <local/cron>
 }

apparmor.d/groups/freedesktop/at-spi-bus-launcher

@@ -39,6 +39,8 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/.Xauthority r,
   owner @{HOME}/.xsession-errors w,
 
+  owner /tmp/runtime-cb/xauth_?????? r,
+
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
   /var/lib/lightdm/.Xauthority r,

apparmor.d/groups/freedesktop/at-spi2-registryd

@@ -89,6 +89,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/.Xauthority r,
   owner @{HOME}/.xsession-errors w,
 
+  owner /tmp/runtime-cb/xauth_?????? r,
+
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
   owner /dev/tty[0-9]* rw,

apparmor.d/groups/freedesktop/pulseaudio

@@ -18,11 +18,11 @@ profile pulseaudio @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
+  include <abstractions/freedesktop.org>
   include <abstractions/gstreamer>
   include <abstractions/hosts_access>
   include <abstractions/nameservice-strict>
   include <abstractions/X-strict>
-  include <abstractions/freedesktop.org>
 
   ptrace (trace) peer=@{profile_name},
 
@@ -140,12 +140,13 @@ profile pulseaudio @{exec_path} {
   owner /var/lib/lightdm/.config/pulse/{,**}  rw,
   owner /var/lib/lightdm/.config/pulse/cookie   k,
 
+  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
+  /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
+
   owner @{user_config_dirs}/ w,
   owner @{user_config_dirs}/pulse/{,**} rw,
 
   owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r,
-       /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
-       /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
 
   owner @{run}/user/@{uid}/ rw,
   owner @{run}/user/@{uid}/pulse/{,*} rw,
@@ -167,6 +168,9 @@ profile pulseaudio @{exec_path} {
   owner @{PROC}/@{pids}/stat r,
   owner @{PROC}/@{pids}/cmdline r,
 
+  /dev/media[0-9]* r,
+  /dev/video[0-9]* rw,
+
   # file_inherit
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -111,6 +111,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/nautilus    rPx,
   /{usr/,}bin/snap        rPx,
 
+  /{usr/,}bin/kreadconfig5 rPUx,
   /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
   /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
   /{usr/,}lib/xdg-desktop-portal-validate-icon             rPUx,
@@ -142,5 +143,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/task/@{tid}/status r,
   owner @{PROC}/@{pids}/cgroup r,
 
+  /dev/tty rw,
+
   include if exists <local/xdg-desktop-portal>
 }

apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk

@@ -9,15 +9,18 @@ include <tunables/global>
 @{exec_path} = @{libexec}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
+  include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
-  include <abstractions/dbus-accessibility-strict>
   include <abstractions/dconf-write>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download>
   include <abstractions/user-write>
@@ -153,10 +156,14 @@ profile xdg-desktop-portal-gtk @{exec_path} {
 
   / r,
 
+  owner /var/lib/xkb/server-[0-9]*.xkm rw,
+
   owner @{HOME}/ r,
   owner @{HOME}/.* r,
   owner @{HOME}/@{XDG_DATA_HOME}/ r,
 
+  owner /tmp/runtime-cb/xauth_?????? r,
+
         @{run}/mount/utab r,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,

apparmor.d/groups/freedesktop/xorg

@@ -22,14 +22,15 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   include <abstractions/opencl>
   include <abstractions/vulkan>
 
+  capability ipc_owner,
   capability setgid,
   capability setuid,
   capability sys_admin,
 
-  # These can be denied.
-  #deny capability dac_override,
-  #deny capability sys_rawio,
-  # deny capability sys_nice,
+  # These can be denied?
+  #audit capability dac_override,
+  #audit capability sys_rawio,
+  #audit capability sys_nice,
   #capability sys_tty_config,
 
   signal (send) set=(usr1),
@@ -64,6 +65,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/xorg/modules/** mr,
 
   /var/lib/xkb/server-[0-9]*.xkm rw,
+  /var/lib/xkb/compiled/server-[0-9]*.xkm rw,
 
   /usr/share/egl/{,**} rw,
   /usr/share/libinput*/ r,

apparmor.d/groups/freedesktop/xprop

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -12,11 +13,13 @@ profile xprop @{exec_path} {
 
   @{exec_path} mr,
 
-  owner @{HOME}/.Xauthority r,
-
-  owner @{HOME}/.icons/default/index.theme r,
   /usr/share/icons/*/cursors/crosshair r,
 
+  owner @{HOME}/.Xauthority r,
+  owner @{HOME}/.icons/default/index.theme r,
+  
+  owner /tmp/runtime-cb/xauth_?????? r,
+
   # file_inherit
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,

apparmor.d/groups/freedesktop/xrdb

@@ -17,7 +17,7 @@ profile xrdb @{exec_path} {
   /{usr/,}bin/{,ba,da}sh                  rix,
   /{usr/,}bin/{,@{multiarch}-}cpp-[0-9]*  rix,
   /{usr/,}bin/cpp                         rix,
-  /{usr/,}lib/gcc/@{multiarch}/[0-9]*/cc1 rix,
+  /{usr/,}lib{,32,64}/gcc/@{multiarch}/[0-9]*/cc1 rix,
   /{usr/,}lib/llvm-[0-9]*/bin/clang       rix,
 
   /usr/include/stdc-predef.h r,
@@ -30,8 +30,9 @@ profile xrdb @{exec_path} {
   owner @{user_config_dirs}/Xresources/.Xresources r,
   owner @{user_config_dirs}/Xresources/* r,
 
-  owner /tmp/xauth-[0-9]*-_[0-9] r,
   owner /tmp/kcminit.* r,
+  owner /tmp/runtime-cb/xauth_?????? r,
+  owner /tmp/xauth-[0-9]*-_[0-9] r,
 
   # file_inherit
   owner /dev/tty[0-9]* rw,

apparmor.d/groups/gpg/gpgsm

@@ -16,6 +16,8 @@ profile gpgsm @{exec_path} {
 
   @{exec_path} mr,
 
+  /usr/share/gnupg/* r,
+
   /etc/gcrypt/hwf.deny r,
 
   deny /usr/bin/.gnupg/ w,

apparmor.d/groups/gpg/scdaemon

@@ -24,6 +24,8 @@ profile scdaemon @{exec_path} {
   owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
   owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw,
 
+  owner /var/tmp/zypp.??????/zypp-trusted-*/S.scdaemon w,
+
   @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   @{sys}/devices/pci[0-9]*/**/bConfigurationValue r,

apparmor.d/groups/network/nm-dispatcher

@@ -26,6 +26,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /{usr/,}{s,}bin/netconfig     rPUx,
   /{usr/,}bin/{,ba,da}sh         rix,
   /{usr/,}bin/basename           rix,
   /{usr/,}bin/chronyc           rPUx,

apparmor.d/groups/ssh/ssh

@@ -27,21 +27,22 @@ profile ssh @{exec_path} {
   /{usr/,}bin/{,b,d,rb}ash  rix,
   /{usr/,}bin/{c,k,tc,z}sh  rix,
 
-  owner @{PROC}/@{pid}/fd/ r,
+  @{etc_ro}/ssh/sshd_config r,
+  @{etc_ro}/ssh/sshd_config.d/{,*} r,
 
   owner @{HOME}/@{XDG_SSH_DIR}/ r,
+  owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
   owner @{HOME}/@{XDG_SSH_DIR}/config r,
   owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rwl,
-  owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} r,
+  owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_*_*_* wl,
+
   owner @{user_projects_dirs}/**/ssh/{,*} r,
   owner @{user_projects_dirs}/**/config r,
 
-  /etc/ssh/ssh_config r,
-  /etc/ssh/ssh_config.d/{,*} r,
-  
   owner @{run}/user/@{uid}/keyring/ssh rw,
 
   owner @{PROC}/@{pid}/loginuid r,
+  owner @{PROC}/@{pid}/fd/ r,
 
   include if exists <local/ssh>
 }

apparmor.d/profiles-g-l/kwalletd5

@@ -20,6 +20,7 @@ profile kwalletd5 @{exec_path} {
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/qt5-compose-cache-write>
+  include <abstractions/qt5>
   include <abstractions/wayland>
   include <abstractions/X>
 
@@ -29,18 +30,23 @@ profile kwalletd5 @{exec_path} {
   /{usr/,}bin/gpg{,2} rCx -> gpg,
   /{usr/,}bin/gpgsm   rCx -> gpg,
 
-  /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
-
   /usr/share/hwdata/pnp.ids r,
+  /usr/share/icu/72.1/icudt72l.dat r,
+  /usr/share/qt5/qtlogging.ini r,
   /usr/share/qt5ct/** r,
 
-  /var/lib/dbus/machine-id r,
   /etc/machine-id r,
+  /etc/xdg/kdeglobals r,
+  /etc/xdg/kwinrc r,
+  /var/lib/dbus/machine-id r,
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
+  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+  owner @{user_config_dirs}/kdedefaults/kwinrc r,
   owner @{user_config_dirs}/kdeglobals r,
   owner @{user_config_dirs}/kwalletrc r,
+  owner @{user_config_dirs}/kwinrc r,
   owner @{user_config_dirs}/qt5ct/{,**} r,
 
   owner @{user_share_dirs}/kwalletd/ rw,
@@ -50,6 +56,7 @@ profile kwalletd5 @{exec_path} {
   owner @{user_share_dirs}/kwalletd/#[0-9]*[0-9] rw,
 
   owner /tmp/kwalletd5.* rw,
+  owner /tmp/runtime-cb/xauth_?????? r,
 
         @{PROC}/sys/kernel/core_pattern r,
   owner @{PROC}/@{pid}/cmdline r,

apparmor.d/profiles-g-l/lspci

@@ -22,6 +22,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
   /usr/share/hwdata/pci.ids r,
   /usr/share/misc/pci.ids r,
   /usr/share/misc/pci.ids.gz r,
+  /usr/share/pci.ids r,
 
   /etc/modprobe.d/{,*.conf} r,
   /etc/udev/hwdb.bin r,

apparmor.d/profiles-g-l/lvm

@@ -33,9 +33,9 @@ profile lvm @{exec_path} {
   @{sys}/class/ r,
   @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
 
-        @{PROC}/devices r,
-  owner @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/cmdline r,
         @{PROC}/@{pid}/fd/ r,
+        @{PROC}/devices r,
   owner @{PROC}/@{pid}/mounts r,
 
   /dev/**/ r,

apparmor.d/profiles-s-z/su

@@ -47,11 +47,14 @@ profile su @{exec_path} {
   /{usr/,}bin/{c,k,tc,z}sh  rUx,
   /{usr/,}{s,}bin/nologin   rPx,
 
-  /etc/default/locale r,
+  @{etc_ro}/default/su r,
   @{etc_ro}/environment r,
-  @{etc_ro}/security/limits.d/ r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
+  /etc/default/locale r,
   /etc/shells r,
 
+  owner@{HOME}/.xauth?????? rw,
+
   owner @{PROC}/@{pids}/loginuid r,
   owner @{PROC}/@{pids}/cgroup r,
   owner @{PROC}/@{pids}/mountinfo r,

apparmor.d/profiles-s-z/xauth

@@ -16,6 +16,11 @@ profile xauth @{exec_path} {
 
   /Xauthority-c w,
 
+  owner @{HOME}/.xauth?????? rw,
+  owner @{HOME}/.xauth??????-c w,
+  owner @{HOME}/.xauth??????-l wl,
+  owner @{HOME}/.xauth??????-n rw,
+
   owner @{HOME}/.Xauthority-c  w,
   owner @{HOME}/.Xauthority-l  wl -> @{HOME}/.Xauthority-c,
   owner @{HOME}/.Xauthority-n rw,
@@ -26,5 +31,8 @@ profile xauth @{exec_path} {
   owner /tmp/serverauth.*-n rw,
   owner /tmp/serverauth.*   rwl -> /tmp/serverauth.*-n,
 
+  owner @{run}/run/user/@{uid}/xauth_?????? r,
+  owner /tmp/runtime-cb/xauth_?????? r,
+
   include if exists <local/xauth>
 }