From 42fc4622ed799f01e529f63b6554ad6b41ed8083 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 21 Jan 2024 11:56:02 +0000 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/browsers/firefox-glxtest | 2 +- apparmor.d/groups/browsers/firefox-vaapitest | 2 +- apparmor.d/groups/freedesktop/polkitd | 2 + .../freedesktop/update-desktop-database | 2 + .../groups/freedesktop/xdg-icon-resource | 3 +- apparmor.d/groups/freedesktop/xdg-user-dir | 2 +- .../groups/gnome/epiphany-search-provider | 1 + apparmor.d/groups/gnome/gdm-session-worker | 3 +- apparmor.d/groups/gnome/gjs-console | 1 + .../gnome/gnome-contacts-search-provider | 3 ++ apparmor.d/groups/gnome/gnome-control-center | 1 + .../gnome/gnome-control-center-goa-helper | 1 + apparmor.d/groups/gnome/gnome-shell | 1 + .../groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/gvfs/gvfsd-smb-browse | 5 +- apparmor.d/groups/pacman/pacman | 5 +- apparmor.d/groups/pacman/pacman-hook-dkms | 3 +- .../pacman/pacman-hook-gtk4-querymodules | 28 +++++++++++ .../groups/pacman/pacman-hook-mkinitcpio | 2 - apparmor.d/groups/pacman/pacman-key | 4 +- apparmor.d/groups/ssh/sshd | 1 + apparmor.d/groups/systemd/busctl | 4 ++ .../systemd-generator-environment-flatpak | 2 + apparmor.d/groups/systemd/systemd-hostnamed | 1 + apparmor.d/groups/systemd/systemd-journald | 1 + .../groups/systemd/systemd-vconsole-setup | 1 + apparmor.d/profiles-a-f/dmidecode | 14 ++---- apparmor.d/profiles-a-f/flatpak-system-helper | 2 + apparmor.d/profiles-g-l/gio-querymodules | 2 + apparmor.d/profiles-g-l/lspci | 5 +- apparmor.d/profiles-m-r/mount-nfs | 50 +++++++++---------- apparmor.d/profiles-m-r/nvtop | 1 + apparmor.d/profiles-m-r/pinentry-gnome3 | 2 + apparmor.d/profiles-m-r/protonmail-bridge | 7 +++ apparmor.d/profiles-s-z/sensors-detect | 44 +++++++--------- apparmor.d/profiles-s-z/setpci | 3 +- apparmor.d/profiles-s-z/slirp4netns | 2 +- apparmor.d/profiles-s-z/spotify | 6 +++ apparmor.d/profiles-s-z/udisksd | 1 + apparmor.d/profiles-s-z/uname | 3 +- apparmor.d/profiles-s-z/unix-chkpwd 
| 6 +-- apparmor.d/profiles-s-z/which | 18 +++---- 42 files changed, 154 insertions(+), 94 deletions(-) create mode 100644 apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 8a5f7ad4..ebbec180 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -11,7 +11,7 @@ include @{config_dirs} = @{HOME}/.mozilla/ @{exec_path} = @{lib_dirs}/glxtest -profile firefox-glxtest @{exec_path} { +profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 62916502..68cc76fe 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -11,7 +11,7 @@ include @{config_dirs} = @{HOME}/.mozilla/ @{exec_path} = @{lib_dirs}/vaapitest -profile firefox-vaapitest @{exec_path} { +profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 9a6c0e19..4499c7b1 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -64,6 +64,8 @@ profile polkitd @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + # Silencer deny /.cache/ rw, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index e48c1e70..2de7c940 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database 
@@ -37,6 +37,8 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/.mimeinfo.cache.* rw, owner @{user_share_dirs}/{,**/} r, owner @{user_share_dirs}/**.desktop r, + owner @{user_share_dirs}/applications/.mimeinfo.cache.* rw, + owner @{user_share_dirs}/applications/mimeinfo.cache w, owner @{user_share_dirs}/mimeinfo.cache w, # Inherit silencer diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 9f7740fe..471dd0eb 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -7,7 +8,7 @@ abi , include @{exec_path} = @{bin}/xdg-icon-resource -profile xdg-icon-resource @{exec_path} flags=(complain) { +profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir index 17545911..9748a6c9 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dir +++ b/apparmor.d/groups/freedesktop/xdg-user-dir @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/xdg-user-dir -profile xdg-user-dir @{exec_path} { +profile xdg-user-dir @{exec_path} flags=(attach_disconnected) { include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index 819fb17b..33a47f19 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider 
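Review bot: The xdg-icon-resource profile line swaps `flags=(complain)` for `flags=(attach_disconnected)`, which silently moves this profile from complain to enforce mode while the commit title only says "general update". If enforcement is intended, the commit message should say so; if attach_disconnected was the only goal, keep both, `profile xdg-icon-resource @{exec_path} flags=(attach_disconnected,complain) {`. The rest of the profile body is outside the hunk, so I cannot tell whether its rules are complete enough to enforce.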
@@ -36,6 +36,7 @@ profile epiphany-search-provider @{exec_path} { owner /tmp/Serialized* rw, @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/driver/nvidia/params r, diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 43725a20..f9948690 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -60,12 +60,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, @{bin}/gnome-keyring-daemon rPx, + @{bin}/unix_chkpwd rPx, + @{etc_ro}/X11/xdm/Xstartup rPUx, @{lib}/{,gdm/}gdm-wayland-session rPx, @{lib}/{,gdm/}gdm-x-session rPx, /etc/gdm{3,}/{Pre,Post}Session/Default rix, /etc/gdm{3,}/PostLogin/Default rix, /etc/gdm{3,}/PrimeOff/Default rix, - @{etc_ro}/X11/xdm/Xstartup rPUx, /usr/share/gdm/gdm.schemas r, /usr/share/wayland-sessions/*.desktop r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index bb4db3dc..ace95af8 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -72,6 +72,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index 6950255e..767de95c 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider 
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gnome-contacts-search-provider profile gnome-contacts-search-provider @{exec_path} { include + include include include include @@ -16,6 +17,8 @@ profile gnome-contacts-search-provider @{exec_path} { signal (send) set=(term) peer=unconfined, + # dbus own bus=session name=org.gnome.Contacts.SearchProvider + @{exec_path} mr, owner @{user_share_dirs}/folks/{,**/} rw, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 8bc876bb..5f2c8396 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -145,6 +145,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index a09152c6..b152f456 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -44,6 +44,7 @@ profile gnome-control-center-goa-helper @{exec_path} { @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix, + /usr/share/cracklib/* r, /usr/share/publicsuffix/public_suffix_list.dafsa r, /var/lib/flatpak/exports/share/icons/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 895ae3ca..0fbef9c8 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
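Review bot: The added `# dbus own bus=session name=org.gnome.Contacts.SearchProvider` is a rule left commented out with no reason given, so a later reader cannot tell whether it is a TODO or deliberately disabled. Say which, e.g. `# TODO: dbus own bus=session name=org.gnome.Contacts.SearchProvider (disabled until <reason>)`, or drop the line if the new include in the first hunk already covers the bus name.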
@@ -373,6 +373,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/task/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index d112d994..c285f614 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -38,6 +38,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/a*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 3f26bf8d..c979ed11 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -39,8 +39,9 @@ profile gvfsd-smb-browse @{exec_path} { /etc/samba/* r, - /var/cache/samba/ rw, - /var/lib/samba/** rwk, + /var/cache/samba/ rw, + /var/lib/samba/** rwk, + owner /var/cache/samba/gencache.tdb w, owner @{run}/samba/ rw, owner @{run}/samba/gencache.tdb rwk, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 4b4484d2..4fc26fcc 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -77,6 +77,7 @@ profile pacman @{exec_path} { @{bin}/grep rix, @{bin}/groupadd rPx, @{bin}/gtk-query-immodules-{2,3}.0 rPx, + @{bin}/gtk{,4}-update-icon-cache rPx, @{bin}/head rix, @{bin}/install-catalog rPx, @{bin}/install-info rPx, 
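Review bot: In gvfsd-smb-browse the new `owner /var/cache/samba/gencache.tdb w,` grants write only, while the existing rule two lines below gives the same file under @{run}/samba `rwk`. Samba opens its tdb caches read-write and locks them, so if this path is really used the access will presumably fail on open or lock; `owner /var/cache/samba/gencache.tdb rwk,` would match the @{run} rule. If the `w` came from a single denial in the log, confirm with the full access sequence before keeping it narrower.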
@@ -86,6 +87,7 @@ profile pacman @{exec_path} {
 @{bin}/ldconfig rix,
 @{bin}/ln rix,
 @{bin}/locale-gen rPx,
+ @{bin}/mkdir rix,
 @{bin}/mkinitcpio rPx,
 @{bin}/needrestart rPx,
 @{bin}/pacdiff rPx,
@@ -93,14 +95,13 @@ profile pacman @{exec_path} {
 @{bin}/perl rix,
 @{bin}/pkgfile rPUx,
 @{bin}/pkill rix,
- @{bin}/mkdir rix,
- @{bin}/setfacl rix,
 @{bin}/pwd rix,
 @{bin}/rm rix,
 @{bin}/rsync rix,
 @{bin}/sbctl rPx,
 @{bin}/sed rix,
 @{bin}/setcap rix,
+ @{bin}/setfacl rix,
 @{bin}/sync rix,
 @{bin}/sysctl rPx,
 @{bin}/systemctl rPx -> child-systemctl,
diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms
index 4526d430..1a732ce0 100644
--- a/apparmor.d/groups/pacman/pacman-hook-dkms
+++ b/apparmor.d/groups/pacman/pacman-hook-dkms
@@ -7,8 +7,9 @@ abi ,
 include
 @{exec_path} = /usr/share/libalpm/scripts/dkms
-profile pacman-hook-dkms @{exec_path} {
+profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) {
 include
+ include
 capability dac_read_search,
 capability mknod,
diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules
new file mode 100644
index 00000000..63401975
--- /dev/null
+++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules
+profile pacman-hook-gtk4-querymodules @{exec_path} {
+ include
+
+ capability dac_read_search,
+
+ @{exec_path} mr,
+
+ @{bin}/{,ba,da}sh r,
+ @{bin}/rmdir rix,
+ @{bin}/gio-querymodules rPx,
+
+ @{lib}/gtk-4.0/*/*/ w,
+
+ # Inherit Silencer
+ deny network inet6 stream,
+ deny network inet stream,
+
+ include if exists
+}
\ No newline at end of file
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
index 9b7b898c..14a9470c 100644
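Review bot: In the new pacman-hook-gtk4-querymodules profile, `@{bin}/{,ba,da}sh r,` gives the script interpreter read-only access, while the sibling hooks in this group use `rix` (pacman-hook-mkinitcpio has `@{bin}/bash rix,` in this same patch). If the hook is a shell script that also spawns a subshell, `r` alone will be denied on that exec; for consistency with the group use `@{bin}/{,ba,da}sh rix,`. The file also lacks a trailing newline, which the parser accepts but which makes every later diff to this file noisy.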
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -14,8 +14,6 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability mknod, - audit deny unix (receive) type=stream, - @{exec_path} mr, @{bin}/bash rix, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index c8a9ba9c..3850ee9e 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -33,8 +33,8 @@ profile pacman-key @{exec_path} { /usr/share/pacman/keyrings/{,*} r, /usr/share/terminfo/** r, - /etc/pacman.d/gnupg/gpg.conf r, - + /etc/pacman.d/gnupg/* rw, + /dev/tty rw, profile gpg { diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index f2f9fe3a..3af273fd 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -66,6 +66,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/false rix, @{bin}/nologin rPx, @{bin}/passwd rPx, + @{bin}/unix_chkpwd rPx, @{lib}/openssh/sftp-server rPx, @{etc_ro}/environment r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 97ab3af3..57138e0d 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -10,6 +10,10 @@ include profile busctl @{exec_path} { include include + include + + capability net_admin, + capability sys_ptrace, ptrace (read), diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak index dd63c8c3..8f392b83 100644 --- a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak +++ b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak @@ -15,6 +15,8 @@ profile systemd-generator-environment-flatpak @{exec_path} { @{bin}/flatpak rix, + /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, + /dev/tty rw, include if exists 
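Review bot: Replacing `/etc/pacman.d/gnupg/gpg.conf r,` with `/etc/pacman.d/gnupg/* rw,` widens the parent pacman-key profile from reading one config file to read-write on every top-level file of the keyring directory, including the public keyring and trust database. If the keyring writes happen inside the `gpg` child profile that follows, the parent script presumably only needs `/etc/pacman.d/gnupg/gpg.conf rw,` plus whatever lock files it creates; if it really edits other files, list them instead of `*`. Note also that `*` does not match subdirectories gnupg creates there, so the broad rule is not even a complete one.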
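Review bot: The busctl profile now grants `capability net_admin,` and `capability sys_ptrace,` with no comment on which busctl operation needs them, and net_admin in particular is a broad capability for a bus introspection tool. If these came from a single audit entry, confirm the triggering command and record it, e.g. `# net_admin: needed by <busctl sub-command> — TODO confirm`, or drop net_admin if the denial was harmless. The target of the added include was lost in this rendering, so I cannot tell whether it already carries a matching ptrace rule.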
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index b295858a..19afdb64 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -23,6 +23,7 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { @{etc_rw}/.#hostname* rw, @{etc_rw}/hostname rw, /etc/.#machine-info@{rand6} rw, + /etc/machine-id r, /etc/machine-info rw, @{run}/systemd/default-hostname rw, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index afeee661..d32602fd 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -55,6 +55,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, @{run}/udev/data/b254:@{int} r, # for /dev/zram* + @{run}/udev/data/b259:@{int} r, @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index daf9a1a4..f3db180c 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -34,6 +34,7 @@ profile systemd-vconsole-setup @{exec_path} { @{sys}/module/vt/parameters/default_utf8 w, + /dev/console k, /dev/tty@{int} rwk, include if exists diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index adc5c443..ef111f9c 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
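Review bot: The new `@{run}/udev/data/b259:@{int} r,` in systemd-journald has no trailing comment, while the neighbouring lines document their device major (`# for /dev/zram*`, `# For RAM disk`). Block major 259 is the blkext range, used by NVMe namespaces and their partitions; add `# For NVMe / blkext devices` so the next reader does not have to look it up.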
@@ -13,16 +14,11 @@ profile dmidecode @{exec_path} { @{exec_path} mr, - @{sys}/firmware/dmi/tables/smbios_entry_point r, - @{sys}/firmware/dmi/tables/DMI r, - - # The following are needed when the --no-sysfs flag is used - #capability sys_rawio, - #/dev/mem r, - #@{sys}/firmware/efi/systab r, - - # For dumping the output to a file owner /tmp/dump.bin rw, + @{sys}/firmware/dmi/tables/DMI r, + @{sys}/firmware/dmi/tables/smbios_entry_point r, + @{sys}/firmware/efi/systab r, + include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index 87cd64a0..9a996274 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -56,12 +56,14 @@ profile flatpak-system-helper @{exec_path} { @{bin}/gpgconf mr, @{bin}/gpgsm mr, + @{lib}/gnupg/scdaemon rix, @{bin}/gpg-agent rix, owner /tmp/ostree-gpg-*/ r, owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, } diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index 03de3446..6e60e97c 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules +++ b/apparmor.d/profiles-g-l/gio-querymodules @@ -20,6 +20,8 @@ profile gio-querymodules @{exec_path} flags=(attach_disconnected) { @{lib}/gio/modules/giomodule.cache{,.[0-9A-Z]*} w, deny /apparmor/.null rw, + deny network inet stream, + deny network inet6 stream, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index 0d726ca1..a12b6046 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci 
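Review bot: The reorder in dmidecode drops the `# For dumping the output to a file` comment above `owner /tmp/dump.bin rw,` and the `--no-sysfs` note, so the remaining rules lose their explanation. Keep the comment on the tmp rule, and since `@{sys}/firmware/efi/systab r,` is now granted unconditionally while `sys_rawio` and `/dev/mem` were removed outright, a one-line note such as `# --no-sysfs (sys_rawio, /dev/mem) is intentionally not supported` would tell maintainers not to re-add them from a log.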
@@ -32,8 +32,9 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}-@{int}/address r, - @{sys}/devices/pci[0-9]*/** r, + @{sys}/bus/pci/slots/@{int}/address r, + @{sys}/devices/@{pci}/** r, + @{sys}/module/compression r, @{PROC}/cmdline r, @{PROC}/ioports r, diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index c8f31769..af811898 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -25,31 +25,6 @@ profile mount-nfs @{exec_path} flags=(complain) { network inet stream, network inet6 stream, - @{exec_path} mr, - - @{bin}/{,ba,da}sh rix, - @{bin}/flock rix, - @{bin}/start-statd rix, - - /usr/bin/systemctl rPx -> child-systemctl, - - /etc/fstab r, - /etc/netconfig r, - /etc/rpc r, - - @{PROC}/filesystems r, - owner @{PROC}/@{pid}/mountinfo r, - - owner @{run}/mount/utab{,.*} rw, - owner @{run}/mount/utab.lock wk, - - owner @{run}/rpc.statd.lock wk, - - # Mount points - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/*/ r, - # Allow to mount smb/cifs disks only under the /media/ dirs mount fstype=nfs -> @{MOUNTDIRS}/, mount fstype=nfs -> @{MOUNTS}/, @@ -63,5 +38,30 @@ profile mount-nfs @{exec_path} flags=(complain) { umount /, umount /*/, + @{exec_path} mr, + + @{bin}/{,ba,da}sh rix, + @{bin}/flock rix, + @{bin}/start-statd rix, + + /usr/bin/systemctl rPx -> child-systemctl, + + /etc/fstab r, + /etc/netconfig r, + /etc/nfsmount.conf rk, + /etc/rpc r, + + # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + + owner @{run}/mount/utab.lock wk, + owner @{run}/mount/utab{,.*} rw, + owner @{run}/rpc.statd.lock wk, + + @{PROC}/filesystems r, + owner @{PROC}/@{pid}/mountinfo r, + include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index e413aaee..eb67af61 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop 
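Review bot: `@{sys}/bus/pci/slots/@{int}/address r,` no longer matches the `@{int}-@{int}` slot names the old lspci rule allowed, so on systems that expose hyphenated slot directories this hunk silently introduces a denial. If both shapes occur, `@{sys}/bus/pci/slots/@{int}{,-@{int}}/address r,` keeps the old coverage; otherwise the commit message should say why the hyphenated form was dropped.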
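Review bot: The moved block in mount-nfs now sits directly under the context comment `# Allow to mount smb/cifs disks only under the /media/ dirs`, which describes a different profile; the mount rules here are `fstype=nfs`, so it should read `# Allow to mount nfs shares only under the /media/ dirs`. Beyond that the second hunk is a reorder plus `/etc/nfsmount.conf rk,`, which looks fine; the profile still carries `flags=(complain)`, so none of this is enforced yet.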
@@ -40,6 +40,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/fdinfo/ r, @{PROC}/@{pids}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, + @{PROC}/devices r, @{PROC}/driver/nvidia/capabilities/mig/{config,monitor} r, /dev/dri/ r, diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index 59e2b473..de150814 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -10,6 +10,8 @@ include profile pinentry-gnome3 @{exec_path} { include + signal (receive) set=(int) peer=gpg-agent, + @{exec_path} mr, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge index 38fc169c..aa3bcb5c 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge +++ b/apparmor.d/profiles-m-r/protonmail-bridge @@ -37,6 +37,13 @@ profile protonmail-bridge @{exec_path} { @{PROC}/sys/net/core/somaxconn r, @{PROC}/@{pid}/cgroup r, + # Force the use of the Gnome Keyring or Kwallet secret-service. + # Comment these lines and add the commented lines in your local/protonmail-bridge + # to allow the use of pass as secret-service. + # of pass as secret store + # deny @{bin}/pass rmx, + # deny owner @{user_password_store_dirs}/** r, + profile pass { include include diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 17be5313..46240cd3 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2022 Mikhail Morfikov -# Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
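Review bot: The new comment block in protonmail-bridge is hard to follow: it tells the reader to "Comment these lines" about lines that are already commented, and the fragment `# of pass as secret store` repeats the previous sentence. As far as the `profile pass` child below shows, pass is allowed by default and the two `# deny` rules, placed uncommented in local/protonmail-bridge, would force GNOME Keyring or KWallet instead; if that is the intent, state it in one sentence, e.g. `# pass is allowed by default. To force GNOME Keyring/KWallet, add the two deny rules below (uncommented) to local/protonmail-bridge.`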
@@ -14,49 +14,42 @@ profile sensors-detect @{exec_path} { capability syslog, - @{exec_path} r, - @{bin}/perl r, - - /usr/bin/uname rix, - - /usr/bin/udevadm rCx -> udevadm, - /usr/bin/kmod rCx -> kmod, + @{exec_path} rm, + + @{bin}/kmod rCx -> kmod, + @{bin}/perl r, + @{bin}/systemctl rPx -> child-systemctl, + @{bin}/udevadm rCx -> udevadm, + @{bin}/uname rix, /etc/udev/udev.conf r, @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-[0-9]*/name r, + @{sys}/devices/@{pci}/i2c-@{int}/name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, - @{sys}/devices/virtual/dmi/id/product_{version,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/devices/virtual/dmi/id/product_{version,name} r, @{sys}/devices/virtual/dmi/id/sys_vendor r, - /dev/i2c-[0-9]* r, - + @{PROC}/modules r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/modules r, + /dev/i2c-@{int} r, profile udevadm { include + include capability sys_ptrace, - ptrace (read), - @{bin}/udevadm mr, /etc/udev/udev.conf r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/1/cgroup r, - @{PROC}/sys/kernel/random/boot_id r, - + include if exists } profile kmod { @@ -64,13 +57,12 @@ profile sensors-detect @{exec_path} { @{bin}/kmod mr, + @{lib}/modprobe.d/{,*.conf} r, + /etc/modprobe.d/{,*.conf} r, + @{PROC}/cmdline r, - @{lib}/modprobe.d/ r, - @{lib}/modprobe.d/*.conf r, - /etc/modprobe.d/ r, - /etc/modprobe.d/*.conf r, - + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci index f644b0cc..3e4838a6 100644 --- a/apparmor.d/profiles-s-z/setpci +++ b/apparmor.d/profiles-s-z/setpci 
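Review bot: Inside the `udevadm` child profile of sensors-detect, `ptrace (read),` is removed while `capability sys_ptrace,` is kept, so the child now holds the capability with no ptrace rule unless the newly added include (whose target was lost in this rendering) supplies one; if it does not, udevadm's reads of other processes' /proc entries will still be denied and the capability is dead weight. Either keep `ptrace (read),` next to the capability or name the covering include in a comment. The same check applies to the removed `@{sys}/devices/@{pci}/{class,vendor,device} r,` and the `@{PROC}/@{pid}/stat` and `cgroup` rules, which must now come from that include.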
@@ -9,11 +9,12 @@ include @{exec_path} = @{bin}/setpci profile setpci @{exec_path} flags=(complain) { include + include @{exec_path} mr, @{sys}/bus/pci/devices/ r, - @{sys}/devices/pci[0-9]*/** r, + @{sys}/devices/@{pci}/** r, include if exists } diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index 46b559da..28162a6f 100644 --- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -27,7 +27,7 @@ profile slirp4netns @{exec_path} flags=(attach_disconnected) { pivot_root /tmp/**, pivot_root /tmp/old/, - # pivot_root oldroot=/tmp/old/ -> /tmp/, TODO: not supported on Debian + pivot_root oldroot=/tmp/old/ /tmp/, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 0a5b6796..d5a6d42d 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -31,6 +31,8 @@ profile spotify @{exec_path} { @{exec_path} mrix, + @{bin}/grep rix, + @{lib_dirs}/{,**} r, @{lib_dirs}/*.so* mr, @@ -57,11 +59,15 @@ profile spotify @{exec_path} { owner @{run}/user/@{uid}/pulse/ r, @{sys}/devices/system/cpu/kernel_max r, + @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r, + @{sys}/devices/virtual/dmi/id/product_{name,version} r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/tty/tty@{int}/active r, @{PROC}/ r, @{PROC}/@{pid}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/oom_score_adj w, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 1c9f9962..06b805a9 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -50,6 +50,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { # Allow mounting on temporary mount point mount -> @{run}/udisks2/temp-mount-*/, + mount / -> @{MOUNTS}/*/, # Allow unmounting umount @{MOUNTS}/, 
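Review bot: `pivot_root oldroot=/tmp/old/ /tmp/,` in slirp4netns replaces a comment saying the syntax was not supported by Debian's parser, but the commit gives no indication of what changed. If older parsers still reject the rule, the whole profile fails to load on those systems, which is worse than the previous less precise `pivot_root /tmp/old/` pair; add a comment stating the minimum parser version, e.g. `# Requires apparmor >= <version> — TODO confirm on Debian`, or keep the rule out until that is known.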
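Review bot: `mount / -> @{MOUNTS}/*/,` in udisksd allows mounting source `/` onto any directory under the media mount points with no fstype or options restriction, which in the worst case is a bind of the whole root tree. If this came from a specific denial (a bind or remount step), constrain it — e.g. `mount options=(bind) / -> @{MOUNTS}/*/,` or the fstype that was observed — and add a comment naming the operation; as written it is far broader than the `mount -> @{run}/udisks2/temp-mount-*/` rule above it.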
diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 7199bdb0..71dc0a8b 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -7,7 +8,7 @@ abi , include @{exec_path} = @{bin}/uname -profile uname @{exec_path} { +profile uname @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index 4333ea13..b0fe9533 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,9 +10,9 @@ include @{exec_path} = @{bin}/unix_chkpwd profile unix-chkpwd @{exec_path} { include + include include - # To write records to the kernel auditing log. capability audit_write, network netlink raw, @@ -20,8 +21,5 @@ profile unix-chkpwd @{exec_path} { /etc/shadow r, - # file_inherit - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 1f946afc..0678dd66 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/which{.debianutils,} -profile which @{exec_path} { +profile which @{exec_path} flags=(attach_disconnected) { include include 
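Review bot: The `# To write records to the kernel auditing log.` comment above `capability audit_write,` in unix-chkpwd is deleted without replacement, leaving a sensitive capability in a setuid helper's profile with no rationale; please keep the comment. Removing `owner /dev/tty@{int} rw,` (the `# file_inherit` case) presumably relies on the new include or on the callers' `rPx` transitions handling the inherited tty fd; sshd and gdm-session-worker now exec unix_chkpwd with `rPx` in this same patch, so that is where a /dev/tty denial would first show up.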
@@ -16,18 +16,14 @@ profile which @{exec_path} { @{bin}/{,ba,da}sh rix, - @{bin}/{,*/} r, + @{bin}/ r, + @{bin}/**/ r, @{lib}/ r, - @{lib}/go-*/bin/ r, - /usr/{local/,}games/ r, - /usr/include/ r, - /usr/local/{,etc/,lib/} r, - /usr/local/{s,}bin/{,*/} r, - - /opt/cni/bin/ r, - /opt/containerd/bin/ r, - + @{lib}/**/ r, + /opt/**/bin/ r, /snap/bin/ r, + /usr/include/ r, + /usr/local/**/ r, /var/lib/flatpak/exports/bin/ r, owner @{HOME}/{.,}go/bin/ r,