From 4286b5330ca33335f957501cadfb776d516e3464 Mon Sep 17 00:00:00 2001
From: nobody43 <nobody43@users.noreply.github.com>
Date: Wed, 22 Jan 2025 22:50:59 +0000
Subject: [PATCH] xfce, updates

---
 apparmor.d/groups/apt/dpkg-preconfigure        |  7 +++++++
 apparmor.d/groups/children/child-dpkg-divert   |  1 +
 apparmor.d/groups/display-manager/lightdm      | 11 +++++++++++
 .../polkit-gnome-authentication-agent          |  8 ++++++++
 apparmor.d/groups/freedesktop/polkitd          |  1 +
 apparmor.d/groups/gnome/gnome-system-monitor   |  2 +-
 apparmor.d/groups/grub/grub-mkconfig           |  1 +
 apparmor.d/groups/grub/grub-probe              |  1 +
 apparmor.d/groups/gvfs/gvfsd-computer          |  3 +++
 apparmor.d/groups/gvfs/gvfsd-wsdd              |  3 +++
 apparmor.d/groups/network/NetworkManager       |  1 +
 apparmor.d/groups/network/wg                   |  1 +
 apparmor.d/groups/network/wg-quick             |  1 +
 apparmor.d/groups/systemd/systemd-hwdb         |  4 ++--
 apparmor.d/groups/systemd/systemd-udevd        |  2 +-
 apparmor.d/groups/xfce/startxfce               |  4 ++++
 apparmor.d/groups/xfce/thunar                  |  9 +++++++++
 apparmor.d/groups/xfce/thunar-volman           |  2 ++
 apparmor.d/groups/xfce/tumblerd                | 15 +++++++++++++++
 apparmor.d/groups/xfce/xfce-clipman-settings   |  4 ++++
 apparmor.d/groups/xfce/xfce-notifyd            |  5 +++++
 apparmor.d/groups/xfce/xfce-panel              | 18 +++++++++++++++++-
 apparmor.d/groups/xfce/xfce-power-manager      |  7 +++++++
 apparmor.d/groups/xfce/xfce-screensaver        |  4 ++++
 apparmor.d/groups/xfce/xfce-session            | 11 +++++++++++
 apparmor.d/groups/xfce/xfce-terminal           | 11 +++++++++++
 apparmor.d/groups/xfce/xfconfd                 |  5 ++++-
 apparmor.d/groups/xfce/xfdesktop               | 10 ++++++++++
 apparmor.d/groups/xfce/xfsettingsd             |  6 ++++++
 apparmor.d/groups/xfce/xfwm                    |  2 ++
 apparmor.d/profiles-a-f/blueman                |  2 ++
 apparmor.d/profiles-a-f/blueman-mechanism      |  1 +
 apparmor.d/profiles-a-f/filezilla              |  2 ++
 apparmor.d/profiles-g-l/iceauth                |  2 +-
 apparmor.d/profiles-g-l/im-launch              |  1 +
 apparmor.d/profiles-g-l/libreoffice            |  9 +++++++--
 apparmor.d/profiles-m-r/mkinitramfs            |  1 +
 apparmor.d/profiles-m-r/mount-cifs             |  2 ++
 apparmor.d/profiles-m-r/nemo                   |  5 +++++
 apparmor.d/profiles-m-r/remmina                |  6 ++++++
 apparmor.d/profiles-m-r/run-parts              |  2 ++
 apparmor.d/profiles-s-z/su                     |  2 ++
 .../profiles-s-z/system-config-printer-applet  |  3 +++
 apparmor.d/profiles-s-z/xarchiver              |  1 +
 44 files changed, 190 insertions(+), 9 deletions(-)

diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 34163333..eb022b3c 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -30,6 +30,9 @@ profile dpkg-preconfigure @{exec_path} {
   @{bin}/sort       rix,
   @{bin}/stty       rix,
   @{bin}/tr         rix,
+  @{bin}/head       rix,
+  @{bin}/readlink   rix,
+  @{bin}/realpath   rix,
 
   @{bin}/dpkg                 rPx -> child-dpkg,
   @{bin}/apt-extracttemplates rPx,
@@ -37,11 +40,14 @@ profile dpkg-preconfigure @{exec_path} {
   @{lib}/apt/apt-extracttemplates rPx,
 
   /usr/share/debconf/confmodule r,
+  /usr/share/dictionaries-common/{,*} r,
 
+  /etc/cloud/cloud.cfg.d/90_dpkg.cfg r,
   /etc/debconf.conf r,
   /etc/default/grub r,
   /etc/inputrc r,
   /etc/shadow r,
+  /etc/X11/Xwrapper.config r,
 
   owner @{tmp}/*.template.* rw,
   owner @{tmp}/*.config.* rwPUx,
@@ -54,6 +60,7 @@ profile dpkg-preconfigure @{exec_path} {
   owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w,
   owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w,
   owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w,
+  owner /var/cache/dictionaries-common/flag-wordlist-new w,
   owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 
   @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert
index 6ea41a9e..ddfff5fc 100644
--- a/apparmor.d/groups/children/child-dpkg-divert
+++ b/apparmor.d/groups/children/child-dpkg-divert
@@ -22,6 +22,7 @@ profile child-dpkg-divert {
   /var/lib/dpkg/arch r,
   /var/lib/dpkg/status r,
   /var/lib/dpkg/updates/ r,
+  /var/lib/dpkg/updates/@{int} r,
   /var/lib/dpkg/triggers/File r,
   /var/lib/dpkg/triggers/Unincorp r,
   /var/lib/dpkg/diversions r,
diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm
index 04accbbf..a70779fc 100644
--- a/apparmor.d/groups/display-manager/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/lightdm
 profile lightdm @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus-system>
   include <abstractions/authentication>
   include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
@@ -36,6 +37,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   signal (send) set=(term) peer=xfce-session,
   signal (send) set=(term) peer=xorg,
 
+  unix (bind) type=stream addr="@@{hex}/bus/lightdm/system",
+
+  dbus (bind) bus=system name=org.freedesktop.DisplayManager,
+
   @{exec_path} mrix,
 
   @{bin}/rm     rix,
@@ -45,6 +50,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   @{bin}/Xorg                  rPx,
   @{bin}/plymouth              rPx,
   @{bin}/gnome-keyring-daemon  rPx,
+  @{bin}/lightdm-session       rPx,
 
   @{lib}/security-misc/*       rPx, #aa:only whonix
   @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
@@ -52,6 +58,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   /etc/lightdm/Xsession        rPx,
   /etc/X11/Xsession            rPx,
 
+  @{sh_path}        rix,
+  @{bin}/{,e,f}grep rix,
+  @{bin}/df         rix,
+
   /usr/share/lightdm/{,**} r,
   /usr/share/wayland-sessions/{,*.desktop} r,
   /usr/share/xgreeters/{,**} r,
@@ -81,6 +91,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid rw,
   owner @{PROC}/@{pid}/uid_map r,
+  owner @{PROC}/@{pid}/mountinfo r,
 
   /dev/tty@{int} r,
 
diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
index 94bc7ece..e488272c 100644
--- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
@@ -12,11 +12,19 @@ include <tunables/global>
 @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
 profile polkit-gnome-authentication-agent @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/nameservice-strict>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
 
+  signal (send) set=(term) peer=polkit-agent-helper,
+
   @{exec_path} mr,
 
+  @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+
   @{PROC}/@{pid}/cgroup r,
 
   include if exists <local/polkit-gnome-authentication-agent>
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 5e3d3ee7..5b630a15 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -31,6 +31,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{bin}/pkla-check-authorization rPUx,
+  @{bin}/pkla-admin-identities     rPx,
 
   /etc/machine-id r,
 
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index 92cbd369..8df82b29 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -36,7 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{bin}/tr     rix,
 
   /usr/share/gnome-system-monitor/{,**} r,
-  /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
+  /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
 
   / r,
 
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index 2a60d69c..1ff23f1f 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -65,6 +65,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   @{lib}/grub/grub-sort-version rPx,
   @{lib}/libostree/grub[0-9]-@{int}_ostree rix,
 
+  /usr/share/desktop-base/*/grub/* r,
   /usr/share/grub/{,**} r,
   /usr/share/terminfo/** r,
 
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index 80d517de..2e2d9232 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -27,6 +27,7 @@ profile grub-probe @{exec_path} {
 
   / r,
   /boot/ r,
+  /boot/grub/ r,
   /boot/grub/themes/{,**} r,
 
   @{PROC}/@{pids}/mountinfo r,
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer
index e756c844..f72fc17c 100644
--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
@@ -10,6 +10,9 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer
 profile gvfsd-computer @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
+
+  dbus (bind) bus=session name=org.gtk.vfs.mountpoint_@{int},
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd
index f971b5f6..1b0dc2cc 100644
--- a/apparmor.d/groups/gvfs/gvfsd-wsdd
+++ b/apparmor.d/groups/gvfs/gvfsd-wsdd
@@ -9,9 +9,12 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd
 profile gvfsd-wsdd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
 
   network netlink raw,
 
+  dbus (bind) bus=session name=org.gtk.vfs.mountpoint_wsdd,
+
   @{exec_path} mr,
 
   @{bin}/env r,
diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager
index 1bb2de23..39c68fda 100644
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@@ -105,6 +105,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   /etc/ r,
   /etc/iproute2/* r,
   /etc/machine-id r,
+  /etc/netplan/90-NM-@{uuid}.yaml w,
   /etc/network/interfaces r,
   /etc/network/interfaces.d/{,*} r,
   /etc/NetworkManager/{,**} r,
diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg
index 781a52f7..57e6ec76 100644
--- a/apparmor.d/groups/network/wg
+++ b/apparmor.d/groups/network/wg
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/wg
 profile wg @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   capability net_admin,
   capability net_bind_service,
diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick
index c7ea6b1b..5c4a5579 100644
--- a/apparmor.d/groups/network/wg-quick
+++ b/apparmor.d/groups/network/wg-quick
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/wg-quick
 profile wg-quick @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   capability dac_read_search,
   capability net_admin,
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index 9b6203e9..ae64274c 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -16,10 +16,10 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{exec_path} mr,
 
   @{lib}/udev/#@{int} rwl,
-  @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
+  @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int},
   @{lib}/udev/hwdb.bin w,
 
-  /etc/udev/.#hwdb.bin@{hex16} wl ->  /etc/udev/#@{int},
+  /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl ->  /etc/udev/#@{int},
   /etc/udev/hwdb.bin w,
   /etc/udev/hwdb.d/{,*} r,
 
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index f52a2fc6..0ba3be20 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -79,7 +79,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   /etc/nfs.conf rk,
 
   /etc/udev/{,**} r,
-  /etc/udev/.#hwdb.bin* rw,
+  /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw,
   /etc/udev/hwdb.bin rw,
 
   /etc/modprobe.d/ r,
diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce
index 8d91581c..110da187 100644
--- a/apparmor.d/groups/xfce/startxfce
+++ b/apparmor.d/groups/xfce/startxfce
@@ -19,6 +19,7 @@ profile startxfce @{exec_path} {
   @{bin}/mkdir  rix,
   @{bin}/id     rix,
 
+  @{bin}/xdg-user-dirs-update                rPx,
   @{bin}/xfce4-session                       rPx,
   @{bin}/xrdb                                rPx,
   @{bin}/systemctl                           rCx -> systemctl,
@@ -27,6 +28,8 @@ profile startxfce @{exec_path} {
   /etc/X11/xinit/xinitrc.d/{,**} r,
   /etc/xdg/xfce4/{,**} r,
 
+  owner @{HOME}/.Xdefaults r,
+
   profile systemctl flags=(attach_disconnected) {
     include <abstractions/base>
     include <abstractions/app/systemctl>
@@ -36,6 +39,7 @@ profile startxfce @{exec_path} {
 
   profile dbus {
     include <abstractions/base>
+    include <abstractions/bus-session>
 
     @{bin}/dbus-update-activation-environment mr,
 
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index d8f04d49..629fc2b4 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -9,6 +9,8 @@ include <tunables/global>
 @{exec_path} = @{bin}/thunar
 profile thunar @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/deny-sensitive-home>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/nameservice-strict>
@@ -17,6 +19,10 @@ profile thunar @{exec_path} {
 
   network netlink raw,
 
+  dbus (bind) bus=session name=org.xfce.Thunar,
+  dbus (bind) bus=session name=org.xfce.FileManager,
+  dbus (bind) bus=session name=org.freedesktop.FileManager1,
+
   @{exec_path} mr,
 
   @{bin}/thunar-volman  rPx,
@@ -30,6 +36,7 @@ profile thunar @{exec_path} {
 
   /etc/fstab r,
   /etc/timezone r,
+  /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r,
 
   # Full access to user's data
   / r,
@@ -50,6 +57,8 @@ profile thunar @{exec_path} {
   deny /tmp/.* rw,
   deny /tmp/.*/{,**} rw,
 
+  @{run}/mount/utab r,
+
   owner @{PROC}/@{pid}/mountinfo r,
 
   profile dbus {
diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman
index 35025583..fc73a14c 100644
--- a/apparmor.d/groups/xfce/thunar-volman
+++ b/apparmor.d/groups/xfce/thunar-volman
@@ -9,6 +9,8 @@ include <tunables/global>
 @{exec_path} = @{bin}/thunar-volman
 profile thunar-volman @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/nameservice-strict>
   include <abstractions/xfce>
 
diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd
index 99971abb..db90af4c 100644
--- a/apparmor.d/groups/xfce/tumblerd
+++ b/apparmor.d/groups/xfce/tumblerd
@@ -9,18 +9,33 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd
 profile tumblerd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/desktop>
+  include <abstractions/bus-session>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/desktop>
+  include <abstractions/bus-session>
   include <abstractions/gstreamer>
   include <abstractions/nameservice-strict>
   include <abstractions/thumbnails-cache-write>
 
+  dbus (bind) bus=session name=org.freedesktop.thumbnails.Cache1,
+  dbus (bind) bus=session name=org.freedesktop.thumbnails.Manager1,
+  dbus (bind) bus=session name=org.freedesktop.thumbnails.Thumbnailer1,
+
   @{exec_path} mr,
 
+  @{bin}/gdk-pixbuf-thumbnailer rPx,
+
   /usr/share/backgrounds/xfce/{,**} r,
   /usr/share/thumbnailers/{,**} r,
 
   /etc/fstab r,
   /etc/xdg/tumbler/* r,
 
+  owner /tmp/tumbler-@{rand6}.png r,
+  owner /tmp/tumbler-@{rand6}.??? w,
+
   owner @{PROC}/@{pid}/mountinfo r,
 
   /dev/ r,
diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings
index 248d60b7..2c777a0a 100644
--- a/apparmor.d/groups/xfce/xfce-clipman-settings
+++ b/apparmor.d/groups/xfce/xfce-clipman-settings
@@ -9,8 +9,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/xfce4-clipman-settings
 profile xfce-clipman-settings @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/xfce>
 
+  dbus (bind) bus=session name=org.xfce.clipman.settings,
+
   @{exec_path} mr,
 
   @{open_path} rPx -> child-open-help,
diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd
index f5c80e07..d8ef2a9e 100644
--- a/apparmor.d/groups/xfce/xfce-notifyd
+++ b/apparmor.d/groups/xfce/xfce-notifyd
@@ -10,6 +10,8 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd
 profile xfce-notifyd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
@@ -22,6 +24,9 @@ profile xfce-notifyd @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  dbus (bind) bus=session name=org.xfce.Notifyd,
+  dbus (bind) bus=session name=org.freedesktop.Notifications,
+
   @{exec_path} mr,
 
   owner @{user_cache_dirs}/xfce4/notifyd/ rw,
diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel
index 7b192ffc..d2a9cdbf 100644
--- a/apparmor.d/groups/xfce/xfce-panel
+++ b/apparmor.d/groups/xfce/xfce-panel
@@ -9,12 +9,22 @@ include <tunables/global>
 @{exec_path} = @{bin}/xfce4-panel @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0
 profile xfce-panel @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-system>
+  include <abstractions/bus-session>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/thumbnails-cache-read>
   include <abstractions/app-launcher-user>
   include <abstractions/audio-client>
   include <abstractions/dconf-write>
   include <abstractions/nameservice-strict>
   include <abstractions/xfce>
 
+  ptrace (read) peer=xfce-terminal,
+
+  dbus (bind) bus=session name=org.xfce.Panel,
+  dbus (bind) bus=session name=org.kde.StatusNotifierWatcher,
+
   @{exec_path} mr,
 
   @{bin}/exo-open                                     rix,
@@ -26,6 +36,7 @@ profile xfce-panel @{exec_path} {
   @{bin}/sudo rCx -> root,
 
   /usr/share/desktop-directories/{,**} r,
+  /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
   /usr/share/livecheck/** r,
   /usr/share/xfce4/{,**} r,
 
@@ -33,15 +44,20 @@ profile xfce-panel @{exec_path} {
   /etc/machine-id r,
   /etc/timezone r,
   /etc/xdg/menus/{,**} r,
-  /etc/xdg/xfce4/{,**} r,
+  /etc/xdg/{,xdg-xubuntu/}xfce4/{,**} r,
 
   owner @{user_cache_dirs}/xfce4/notifyd/icons/ rw,
+  owner @{user_cache_dirs}/xfce4-indicator-plugin.log w,
   owner @{user_config_dirs}/xfce4/panel/{,**} rw,
 
+  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} w,
+
         @{PROC}/cmdline r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/mountinfo r,
 
+  deny @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   profile root {
     include <abstractions/base>
     include <abstractions/app/sudo>
diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager
index 1c2a0263..4f3199a9 100644
--- a/apparmor.d/groups/xfce/xfce-power-manager
+++ b/apparmor.d/groups/xfce/xfce-power-manager
@@ -9,9 +9,16 @@ include <tunables/global>
 @{exec_path} = @{bin}/xfce4-power-manager
 profile xfce-power-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
   include <abstractions/xfce>
   include <abstractions/nameservice-strict>
 
+  dbus (bind) bus=session name=org.xfce.PowerManager,
+  dbus (bind) bus=session name=org.freedesktop.PowerManagement,
+
   @{exec_path} mr,
 
   @{bin}/xfpm-power-backlight-helper rPx,
diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver
index e486ac6d..911cc1b9 100644
--- a/apparmor.d/groups/xfce/xfce-screensaver
+++ b/apparmor.d/groups/xfce/xfce-screensaver
@@ -9,11 +9,15 @@ include <tunables/global>
 @{exec_path} = @{bin}/xfce4-screensaver
 profile xfce-screensaver @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/authentication>
   include <abstractions/graphics>
   include <abstractions/xfce>
   include <abstractions/nameservice-strict>
 
+  dbus (bind) bus=session name=org.xfce.ScreenSaver,
+
   @{exec_path} mr,
 
   @{sh_path}    rix,
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
index 17007122..6db8277d 100644
--- a/apparmor.d/groups/xfce/xfce-session
+++ b/apparmor.d/groups/xfce/xfce-session
@@ -9,6 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/xfce4-session
 profile xfce-session @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/desktop>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/fontconfig-cache-read>
   include <abstractions/app-launcher-user>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
@@ -16,6 +20,8 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
 
   signal (receive) set=(term) peer=lightdm,
 
+  dbus (bind) bus=session name=org.xfce.SessionManager,
+
   @{exec_path} mr,
 
   @{sh_path} rix,
@@ -33,6 +39,7 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
   @{lib}/msgcollector/msgdispatcher_xdg_autostart      rPx,
   @{lib}/sdwdate-gui/start-maybe                       rPx,
   @{lib}/setup-wizard-dist/setup-dist_check_for_start  rPx,
+  @{lib}/xapps/sn-watcher/xapp-sn-watcher             rPUx,
 
   /usr/share/kde-power-savings-disable-in-vms/{,**} r,
   /usr/share/kde-screen-locker-disable-in-vms/{,**} r,
@@ -48,11 +55,15 @@ profile xfce-session @{exec_path} flags=(attach_disconnected) {
   /etc/xdg/autostart/*.desktop r,
 
   owner @{user_cache_dirs}/sessions/{,**} rw,
+  owner @{user_config_dirs}/autostart/ r,
+  owner @{user_config_dirs}/autostart/*.desktop r,
 
   owner @{tmp}/.xfsm-ICE-@{rand6} rw,
 
   owner @{PROC}/@{pid}/stat r,
 
+  @{sys}/class/i2c-adapter/ r,
+
   /dev/tty rw,
 
   profile systemctl flags=(attach_disconnected) {
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal
index d0d895c5..46a17ca7 100644
--- a/apparmor.d/groups/xfce/xfce-terminal
+++ b/apparmor.d/groups/xfce/xfce-terminal
@@ -9,6 +9,9 @@ include <tunables/global>
 @{exec_path} = @{bin}/xfce4-terminal
 profile xfce-terminal @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
   include <abstractions/audio-client>
   include <abstractions/consoles>
   include <abstractions/dconf-write>
@@ -16,6 +19,10 @@ profile xfce-terminal @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/xfce>
 
+  signal (send),
+
+  dbus (bind) bus=session name=org.xfce.Terminal5,
+
   @{exec_path} mr,
 
   @{open_path} rPx -> child-open-help,
@@ -28,7 +35,10 @@ profile xfce-terminal @{exec_path} {
   @{bin}/micro               rPUx,
   @{bin}/nvtop                rPx,
 
+  @{bin}/vim{,.basic} rPUx,
+
   /usr/share/ r,
+  /usr/share/desktop-base/profiles/xdg-config/ r,
   /usr/share/xfce4/ r,
   /usr/share/xfce4/terminal/{,**} r,
 
@@ -36,6 +46,7 @@ profile xfce-terminal @{exec_path} {
   /etc/xdg/ r,
   /etc/xdg/xfce4/ r,
 
+  owner @{user_config_dirs}/xfce4/ r,
   owner @{user_config_dirs}/xfce4/terminal/{,**} r,
 
   owner @{tmp}/#@{int} rw,
diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd
index 0ab17ac5..de82191a 100644
--- a/apparmor.d/groups/xfce/xfconfd
+++ b/apparmor.d/groups/xfce/xfconfd
@@ -10,11 +10,14 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/xfconf/xfconfd
 profile xfconfd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
   include <abstractions/xfce>
 
+  dbus (bind) bus=session name=org.xfce.Xfconf,
+
   @{exec_path} mr,
 
-  /etc/xdg/xfce4/xfconf/** r,
+  /etc/xdg/{,xdg-xubuntu/}xfce4/xfconf/** r,
 
   owner @{HOME}/ r,
 
diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop
index d19e3de6..ed7d18dd 100644
--- a/apparmor.d/groups/xfce/xfdesktop
+++ b/apparmor.d/groups/xfce/xfdesktop
@@ -9,15 +9,25 @@ include <tunables/global>
 @{exec_path} = @{bin}/xfdesktop
 profile xfdesktop @{exec_path} {
   include <abstractions/base>
+  include <abstractions/desktop>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/app-launcher-user>
   include <abstractions/nameservice-strict>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/xfce>
 
+  dbus (bind) bus=session name=org.xfce.xfdesktop,
+
   @{exec_path} mr,
 
   @{bin}/xfce4-mime-helper rix,
 
+  /etc/xdg/{,xdg-xubuntu/}xfce4/helpers.rc r,
+  /etc/xdg/menus/{,*.menu} r,
+  /usr/share/xfce4/helpers/{,*.desktop} r,
+  /usr/share/desktop-directories/{,*.directory} r,
   /usr/share/backgrounds/xfce/{,**} r,
 
   /etc/fstab r,
diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd
index 3eec3377..b2f78339 100644
--- a/apparmor.d/groups/xfce/xfsettingsd
+++ b/apparmor.d/groups/xfce/xfsettingsd
@@ -10,8 +10,14 @@ include <tunables/global>
 profile xfsettingsd @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/fontconfig-cache-read>
   include <abstractions/xfce>
 
+  dbus (bind) bus=session name=org.xfce.SettingsDaemon,
+
   @{exec_path} mr,
 
   /etc/xdg/autostart/xfsettingsd.desktop r,
diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm
index d7af2ccb..7ecd2c8f 100644
--- a/apparmor.d/groups/xfce/xfwm
+++ b/apparmor.d/groups/xfce/xfwm
@@ -9,6 +9,8 @@ include <tunables/global>
 @{exec_path} = @{bin}/xfwm4
 profile xfwm @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/audio-client>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/graphics>
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 08a553c1..7a2b4530 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -11,6 +11,7 @@ include <tunables/global>
 profile blueman @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
@@ -61,6 +62,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
   /dev/shm/ r,
   /dev/tty rw,
 
+  deny @{lib}/python3/dist-packages/blueman/__pycache__/** w,
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   include if exists <local/blueman>
diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism
index aae5d53c..bb6c6cdf 100644
--- a/apparmor.d/profiles-a-f/blueman-mechanism
+++ b/apparmor.d/profiles-a-f/blueman-mechanism
@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/blueman-mechanism @{lib}/blueman/blueman-mechanism
 profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus-system>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 
diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla
index be734ed5..4463ac58 100644
--- a/apparmor.d/profiles-a-f/filezilla
+++ b/apparmor.d/profiles-a-f/filezilla
@@ -29,6 +29,7 @@ profile filezilla @{exec_path} {
   network netlink raw,
 
   signal send set=(term, kill) peer=fzsftp,
+  signal send set=(term, kill) peer=fzputtygen,
 
   @{exec_path} mr,
 
@@ -36,6 +37,7 @@ profile filezilla @{exec_path} {
   @{bin}/uname       rix,
 
   @{bin}/fzsftp      rPx,  # When using SFTP protocol
+  @{bin}/fzputtygen rPUx,
   @{bin}/lsb_release rPx -> lsb_release,
 
   /usr/share/filezilla/{,**} r,
diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth
index 03c8650d..d4637498 100644
--- a/apparmor.d/profiles-g-l/iceauth
+++ b/apparmor.d/profiles-g-l/iceauth
@@ -16,7 +16,7 @@ profile iceauth @{exec_path} {
   owner @{tmp}/.xfsm-ICE-@{rand6} r,
   owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r,
 
-  owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n,
+  owner @{run}/user/@{uid}/ICEauthority rwl -> @{run}/user/@{uid}/ICEauthority-n,
   owner @{run}/user/@{uid}/ICEauthority-c w,
   owner @{run}/user/@{uid}/ICEauthority-l wl -> @{run}/user/@{uid}/ICEauthority-c,
   owner @{run}/user/@{uid}/ICEauthority-n rw,
diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch
index c5c4aa27..04abb7e0 100644
--- a/apparmor.d/profiles-g-l/im-launch
+++ b/apparmor.d/profiles-g-l/im-launch
@@ -22,6 +22,7 @@ profile im-launch @{exec_path} {
   @{bin}/sed                   rix,
   @{bin}/sleep                 rix,
   @{bin}/startplasma-x11       rPx,
+  @{bin}/startxfce4            rPx,
   @{bin}/true                  rix,
   @{bin}/uim-toolbar-gtk3     rPUx,
   @{bin}/uim-xim              rPUx,
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index 03dfe974..11773c91 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@@ -11,6 +11,7 @@ include <tunables/global>
 profile libreoffice @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/cups-client>
   include <abstractions/dconf-write>
@@ -67,11 +68,14 @@ profile libreoffice @{exec_path} {
   /usr/share/mythes/{,**} r,
   /usr/share/thumbnailers/{,**} r,
 
-  /etc/java{,@{version}}-openjdk/{,**} r,
+  /etc/java{,-}{,@{version}}-openjdk/{,**} r,
   /etc/libreoffice/{,**} r,
   /etc/paperspecs r,
+  /etc/papersize r,
   /etc/xdg/* r,
 
+  owner /var/spool/libreoffice/uno_packages/cache/stamp.sys w,
+
   owner @{user_cache_dirs}/libreoffice/{,**} rw,
   owner @{user_config_dirs}/libreoffice/ rw,
   owner @{user_config_dirs}/libreoffice/** rwk,
@@ -90,7 +94,7 @@ profile libreoffice @{exec_path} {
   owner @{tmp}/*.tmp/{,**} rwk,
   owner @{tmp}/hsperfdata_@{user}/  rw,
   owner @{tmp}/hsperfdata_@{user}/@{int} rwk,
-  owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w,
+  owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex32} rw,
 
   owner @{run}/user/@{uid}/#@{int} rw,
 
@@ -99,6 +103,7 @@ profile libreoffice @{exec_path} {
         @{sys}/kernel/mm/hugepages/ r,
         @{sys}/kernel/mm/transparent_hugepage/enabled r,
         @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
+        @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
         @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/{cpu,memory}.max r,
   owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r,
   owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 6585f638..00fdc5cf 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -43,6 +43,7 @@ profile mkinitramfs @{exec_path} {
   @{bin}/mkdir      rix,
   @{bin}/mktemp     rix,
   @{bin}/readlink   rix,
+  @{bin}/realpath   rix,
   @{bin}/rm         rix,
   @{bin}/rmdir      rix,
   @{bin}/sed        rix,
diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs
index 190db34d..6000f633 100644
--- a/apparmor.d/profiles-m-r/mount-cifs
+++ b/apparmor.d/profiles-m-r/mount-cifs
@@ -10,10 +10,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/mount.cifs
 profile mount-cifs @{exec_path} flags=(complain) {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
   capability sys_admin,
   capability setpcap,
+  capability dac_read_search,
 
   network inet dgram,
   network inet stream,
diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo
index e3edb99c..c7c9160d 100644
--- a/apparmor.d/profiles-m-r/nemo
+++ b/apparmor.d/profiles-m-r/nemo
@@ -21,7 +21,12 @@ profile nemo @{exec_path} {
 
   @{exec_path} mr,
 
+  @{open_path} rPx -> child-open,
+
+  @{bin}/gdk-pixbuf-thumbnailer rPx,
+
   /usr/share/nemo/** r,
+  /usr/share/thumbnailers/{,*.thumbnailer} r,
 
   # Full access to user's data
   / r,
diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina
index f5988004..44b18cf4 100644
--- a/apparmor.d/profiles-m-r/remmina
+++ b/apparmor.d/profiles-m-r/remmina
@@ -22,6 +22,7 @@ profile remmina @{exec_path} {
   include <abstractions/bus/org.kde.StatusNotifierWatcher>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
+  include <abstractions/fontconfig-cache-read>
   include <abstractions/ibus>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
@@ -29,6 +30,8 @@ profile remmina @{exec_path} {
 
   network inet stream,
   network inet6 stream,
+  network inet dgram,
+  network inet6 dgram,
   network netlink raw,
 
   #aa:dbus own bus=session name=org.remmina.Remmina
@@ -58,6 +61,9 @@ profile remmina @{exec_path} {
 
   owner @{run}/user/@{uid}/keyring/ssh rw,
 
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+
   include if exists <local/remmina>
 }
 
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index c20b305e..dca0fbe6 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -247,6 +247,8 @@ profile run-parts @{exec_path} {
     @{run}/reboot-required w,
     @{run}/reboot-required.pkgs rw,
 
+    @{sys}/module/compression r,
+
     @{PROC}/devices r,
     @{PROC}/cmdline r,
 
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index 02a21215..8d717274 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -27,6 +27,8 @@ profile su @{exec_path} {
   @{bin}/nologin       rPx,
 
   @{etc_ro}/default/su r,
+  /etc/default/locale r,
+  /etc/environment r,
 
   @{HOME}/.xauth@{rand6} rw,
 
diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet
index 0197e3c3..99cdbc99 100644
--- a/apparmor.d/profiles-s-z/system-config-printer-applet
+++ b/apparmor.d/profiles-s-z/system-config-printer-applet
@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/system-config-printer-applet /usr/share/system-config-printer/applet.py
 profile system-config-printer-applet @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
   include <abstractions/python>
   include <abstractions/nameservice-strict>
 
@@ -29,6 +30,8 @@ profile system-config-printer-applet @{exec_path} {
 
   /dev/tty rw,
 
+  deny @{lib}/python3/dist-packages/cupshelpers/__pycache__/** w,
+
   include if exists <local/system-config-printer-applet>
 }
 
diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver
index 00377000..1e0d75fd 100644
--- a/apparmor.d/profiles-s-z/xarchiver
+++ b/apparmor.d/profiles-s-z/xarchiver
@@ -55,6 +55,7 @@ profile xarchiver @{exec_path} {
         /home/ r,
   #owner @{HOME}/ r,
   #owner @{HOME}/** rw,
+  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rwl,
         @{MOUNTS}/ r,
         @{MOUNTS}/** rw,
         /tmp/ r,