Update profiles.

apparmor.d/groups/apps/signal-desktop

@@ -99,7 +99,7 @@ profile signal-desktop @{exec_path} {
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
   # No new privs
-  /{usr/,}bin/xdg-settings rPUx,
+  /{usr/,}bin/xdg-settings rPx,
 
   /{usr/,}bin/getconf rix,
 

apparmor.d/groups/gnome/gnome-control-center

@@ -60,7 +60,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{user_config_dirs}/gnome-control-center/{,**} rw,
   owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
   owner @{user_share_dirs}/backgrounds/{,**} rw,
-  owner @{user_share_dirs}/gvfs-metadata/home{,-*.log} r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   owner @{user_share_dirs}/icc/{,edid-*} r,
   owner @{user_share_dirs}/webkitgtk/{,**} r,
   owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,

apparmor.d/groups/gnome/gnome-shell

@@ -56,6 +56,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /usr/share/wayland-sessions/{,*.desktop} r,
   /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
   /usr/share/xsessions/{,*.desktop} r,
+  /opt/*/**/*.png r,
 
   /etc/fstab r,
   /etc/machine-id r,

apparmor.d/groups/gnome/tracker-extract

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/tracker-extract-3
 profile tracker-extract @{exec_path} {
   include <abstractions/base>
+  include <abstractions/fonts>
   include <abstractions/gstreamer>
   include <abstractions/openssl>
 
@@ -24,6 +25,8 @@ profile tracker-extract @{exec_path} {
   /usr/share/tracker3-miners/{,**} r,
   /usr/share/tracker3/{,**} r,
 
+  /etc/libva.conf r,
+
   owner /tmp/tracker-extract-3-files.*/{,*} rw,
   owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
   owner @{user_share_dirs}/gvfs-metadata/** r,
@@ -44,6 +47,7 @@ profile tracker-extract @{exec_path} {
   @{run}/udev/data/c51[0-9]:* r,
 
   /dev/video[0-9]* rw,
+  /dev/dri/renderD128 rw,
 
   include if exists <local/tracker-extract>
 }

apparmor.d/groups/pacman/mkinitcpio

@@ -56,6 +56,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   /{usr/,}lib/initcpio/busybox    rix,
   /{usr/,}lib/ld-*.so             rix,
+  /{usr/,}@{multiarch}/ld-*.so    rix,
+  /{usr/,}lib/@{multiarch}/ld-*.so  rix,
 
   /etc/fstab r,
   /etc/lvm/lvm.conf r,
@@ -68,6 +70,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   # Can copy any program to the initframs
   /{usr/,}bin/ r,
   /{usr/,}bin/[a-z0-9]* rm,
+  /{usr/,}lib/udev/[a-z0-9]* rm,
   /{usr/,}lib/systemd/systemd-* rm,
 
   # Manage /boot

apparmor.d/groups/pacman/pacman

@@ -93,7 +93,7 @@ profile pacman @{exec_path} {
 
   @{PROC}/ r,
   @{run}/ r,
-  @{sys}/ r,
+  @{sys}/{,**} r,
   /mnt r,
 
   # Read packages files

apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install
-profile pacman-hook-mkinitcpio-install @{exec_path} {
+profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   capability dac_read_search,
@@ -37,6 +37,7 @@ profile pacman-hook-mkinitcpio-install @{exec_path} {
   # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,
+  deny /apparmor/.null rw,
 
   include if exists <local/pacman-hook-mkinitcpio-install>
 }

apparmor.d/groups/pacman/pacman-hook-systemd

@@ -19,12 +19,12 @@ profile pacman-hook-systemd @{exec_path} {
 
   /{usr/,}bin/journalctl             rPx,
   /{usr/,}bin/systemctl              rPx -> child-systemctl,
-  /{usr/,}bin/systemd-binfmt         rPx,
   /{usr/,}bin/systemd-detect-virt    rPx,
   /{usr/,}bin/systemd-hwdb           rPx,
   /{usr/,}bin/systemd-sysusers       rPx,
   /{usr/,}bin/systemd-tmpfiles       rPx,
   /{usr/,}bin/udevadm                rPx,
+  /{usr/,}lib/systemd-binfmt         rPx,
   /{usr/,}lib/systemd/systemd-sysctl rPx,
 
   /usr/ rw,

apparmor.d/groups/systemd/systemd-analyze

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -12,9 +12,8 @@ profile systemd-analyze @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
 
-  # Needed for the prctl's PR_SET_MM option:
-  #  prctl(PR_SET_MM, PR_SET_MM_ARG_START, 0x721691edc000, 0, 0) = -1 EPERM (Operation not permitted)
   capability sys_resource,
+  capability net_admin,
 
   signal (send) peer=child-pager,
 

apparmor.d/groups/systemd/systemd-logind

@@ -42,8 +42,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
   @{run}/udev/data/c13:[0-9]* r,  # for /dev/input/*
   @{run}/udev/data/c116:[0-9]* r, # for ALSA
   @{run}/udev/data/c226:[0-9]* r, # for /dev/dri/card*
-  @{run}/udev/data/c237:[0-9]* r,
-  @{run}/udev/data/c238:[0-9]* r,
+  @{run}/udev/data/c23[0-9]:[0-9]* r,
 
   @{run}/udev/data/+input* r,          # for mouse, keyboard, touchpad
   @{run}/udev/data/+drm:card[0-9]-* r, # for screen outputs

apparmor.d/groups/systemd/systemd-sysctl

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}lib/systemd/systemd-sysctl
-profile systemd-sysctl @{exec_path} {
+profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/systemd-common>
@@ -26,5 +26,8 @@ profile systemd-sysctl @{exec_path} {
 
   /etc/sysctl.conf r,
 
+  # Inherit Silencer
+  deny /apparmor/.null rw,
+
   include if exists <local/systemd-sysctl>
 }

apparmor.d/profiles-a-f/dkms

@@ -70,6 +70,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   /var/lib/dkms/ r,
   /var/lib/dkms/** rw,
 
+  /etc/lsb-release r,
   /etc/dkms/{,**} r,
 
   # For building module in /usr/src/ subdirs

apparmor.d/profiles-g-l/git

@@ -14,7 +14,6 @@ include <tunables/global>
 @{exec_path} += /usr/libexec/git-core/git
 @{exec_path} += /usr/libexec/git-core/git-*
 @{exec_path} += /usr/libexec/git-core/mergetools/*
-
 profile git @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -52,7 +51,6 @@ profile git @{exec_path} {
   /{usr/,}bin/cat         rix,
   /{usr/,}bin/dirname     rix,
 
-  owner @{BUILD_DIR}/*/.repo/repo/hooks/* rwix,
   /{usr/,}bin/mv          rix,
   /{usr/,}bin/whoami      rix,
   /{usr/,}bin/hostname    rix,
@@ -139,7 +137,8 @@ profile git @{exec_path} {
     /etc/ssh/ssh_config r,
 
     owner @{HOME}/@{XDG_SSH_DIR}/* r,
-    owner @{HOME}/@{XDG_SSH_DIR}/known_hosts rw,
+    owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw,
+    owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl,
 
     owner @{PROC}/@{pid}/fd/ r,
 

apparmor.d/profiles-m-r/ntfs-3g

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -14,13 +15,12 @@ profile ntfs-3g @{exec_path} {
   # When UserMapping is placed under /.NTFS-3G/UserMapping on the NTFS volume
   include <abstractions/nameservice-strict>
 
-  # Needed in order to mount ntfs disks
+  capability dac_override,
+  capability dac_read_search,
+  capability mknod,
   capability setgid,
   capability setuid,
   capability sys_admin,
-  capability dac_read_search,
-  capability dac_override,
-  capability mknod,
 
   @{exec_path} mr,
 
@@ -35,12 +35,13 @@ profile ntfs-3g @{exec_path} {
   @{MOUNTS}/*/ r,
   @{MOUNTS}/*/*/ r,
 
-
-  # Allow to mount ntfs disks only under the /media/ and /mnt/ dirs
+  # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
   mount fstype=fuseblk /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/,
   mount fstype=fuseblk /dev/sd[a-z][0-9]* -> @{MOUNTS}/*/*/,
   mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/,
   mount fstype=fuseblk /dev/sd[a-z][0-9]* -> /mnt/*/,
+  mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
+  mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
 
   # Allow to mount encrypted partition
   mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,

apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper

@@ -13,6 +13,8 @@ profile spice-client-glib-usb-acl-helper @{exec_path} {
   capability sys_ptrace,
   capability fowner,
 
+  ptrace (read) peer=virt-manager,
+
   @{exec_path} mr,
 
   /{usr/,}lib/gconv/gconv-modules r,

apparmor.d/profiles-s-z/sudo

@@ -15,11 +15,11 @@ profile sudo @{exec_path} {
   include <abstractions/wutmp>
 # include <pam/mappings>
 
-  # capability mknod,
   capability audit_write,
   capability chown,
   capability dac_override,
   capability dac_read_search,
+  capability mknod,
   capability net_admin,
   capability setgid,
   capability setuid,

apparmor.d/profiles-s-z/virt-manager

@@ -66,6 +66,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/virt-manager/ rw,
   owner @{user_cache_dirs}/virt-manager/** rw,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   # For disk images
   @{MOUNTS}/ r,

apparmor.d/profiles-s-z/xdg-desktop-portal-gtk

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} {
   include <abstractions/base>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>

apparmor.d/profiles-s-z/xdg-permission-store

@@ -10,7 +10,8 @@ include <tunables/global>
 profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
-  signal (receive) set=(term) peer=gdm,
+  signal (receive) set=(term hup kill) peer=dbus-daemon,
+  signal (receive) set=(term hup kill) peer=gdm*,
 
   @{exec_path} mr,