feat(profiles): general update.

2025-01-18 08:58:15 +01:00 · 2022-05-15 22:56:42 +01:00 · 2022-05-15 22:56:42 +01:00 · 5c382d7eb3
commit 5c382d7eb3
parent 0b66933b45
33 changed files with 115 additions and 52 deletions
--- a/apparmor.d/abstractions/gtk.d/complete
+++ b/apparmor.d/abstractions/gtk.d/complete
@ -9,6 +9,7 @@
  /etc/gtk-{3,4}.0/ r,
  /etc/gtk-{3,4}.0/*.conf r,
  /etc/gtk-{3,4}.0/settings.ini r,
  owner @{user_config_dirs}/gtk-{3,4}.0/ rw,
  owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini r,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -152,6 +152,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
       @{sys}/class/ r,
       @{sys}/class/**/ r,
       @{sys}/devices/**/uevent r,
       @{sys}/devices/pci[0-9]*/**/ r,
       @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/ r,
       @{sys}/devices/pci[0-9]*/**/drm/renderD[0-9]*/ r,
       @{sys}/devices/pci[0-9]*/**/irq r,
       @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
  deny @{sys}/devices/system/cpu/cpu[0-9]/cache/index[0-9]/size r,
--- a/apparmor.d/groups/browsers/firefox-minidump-analyzer
+++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer
@ -17,7 +17,7 @@ profile firefox-minidump-analyzer @{exec_path} {
  @{exec_path} mr,
-  owner @{HOME}/.mozilla/firefox/m-oyw579q8.default/extensions/*.xpi r,
+  owner @{HOME}/.mozilla/firefox/*.*/extensions/*.xpi r,
  owner @{HOME}/.xsession-errors w,
  owner "@{MOZ_HOMEDIR}/firefox/Crash Reports/" rw,
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
@ -10,8 +10,19 @@ include <tunables/global>
 profile dbus-daemon-launch-helper @{exec_path} {
  include <abstractions/base>
  include <abstractions/app-launcher-root>
  include <abstractions/nameservice-strict>
  capability setgid,
  capability setuid,
  capability sys_resource,
  @{exec_path} mr,
  /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism rPx,
  /usr/share/dbus-1/{,**} r,
  owner @{PROC}/@{pid}/oom_score_adj rw,
  include if exists <local/dbus-daemon-launch-helper>
 }
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -29,27 +29,33 @@ profile pipewire-media-session @{exec_path} {
  /etc/pipewire/*.conf r,
  /etc/pipewire/media-session.d/*.conf r,
  /var/lib/gdm/.local/state/pipewire/media-session.d/* rw,
  owner @{HOME}/.local/state/ rw,
  owner @{HOME}/.local/state/pipewire/{,**} rw,
  owner @{user_config_dirs}/pipewire/ rw,
  owner @{user_config_dirs}/pipewire/** rw,
  owner @{user_config_dirs}/pulse/ rw,
  owner @{run}/user/@{uid}/bus rw,
  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
  @{run}/udev/data/+sound:card[0-9]* r, # For sound
  @{run}/udev/data/c116:[0-9]* r,       # for ALSA
  @{run}/systemd/users/@{uid} r,
  @{sys}/class/sound/ r,
  @{sys}/class/video4linux/ r,
  @{sys}/devices/**/sound/**/uevent r,
  @{sys}/devices/pci[0-9]*/**/modalias r,
  @{sys}/devices/pci[0-9]*/**/sound/**/pcm_class r,
  @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node[0-9]*/meminfo r,
  @{sys}/devices/pci[0-9]*/**/modalias r,
  @{run}/systemd/users/@{uid} r,
  /dev/video[0-9]* rw,
  /dev/snd/ r,
  include if exists <local/pipewire-media-session>
 }
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -10,10 +10,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pulseaudio
 profile pulseaudio @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/audio>
-  include <abstractions/dbus-strict>
+  include <abstractions/consoles>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
  ptrace (trace) peer=@{profile_name},
@ -29,8 +31,9 @@ profile pulseaudio @{exec_path} {
  @{exec_path} mrix,
  /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
  /{usr/,}lib{exec,}/pulse/gsettings-helper mrix,
  /{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix,
  /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
  # PulseAudio files
  /usr/share/pulseaudio/{,**} r,
@ -40,6 +43,8 @@ profile pulseaudio @{exec_path} {
  owner @{user_config_dirs}/pulse/{,**} rw,
  owner @{user_config_dirs}/dconf/user r,
  owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
  # Needed when PulseAudio is started via the start-pulseaudio-x11 script
  owner @{HOME}/.Xauthority r,
@ -80,6 +85,7 @@ profile pulseaudio @{exec_path} {
  owner @{PROC}/@{pids}/fd/ r,
  owner @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pids}/cmdline r,
  # DBus
  dbus (send)
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -105,7 +105,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/virtual/dmi/id/chassis_type r,
  @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
-  owner @{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/user@[0-9]*.service/{,**} rw,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -43,6 +43,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/pci[0-9]*/**/net/*/statistics/collisions r,
  @{sys}/devices/pci[0-9]*/**/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/pci[0-9]*/**/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/pci[0-9]*/**/virtio[0-9]*/**/stat r,
  @{sys}/devices/virtual/net/*/statistics/collisions r,
  @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
  @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@ -12,6 +12,7 @@ profile gnome-tweaks @{exec_path} {
  include <abstractions/audio>
  include <abstractions/dconf>
  include <abstractions/gnome>
  include <abstractions/gtk>
  include <abstractions/python>
  @{exec_path} mr,
@ -20,7 +21,7 @@ profile gnome-tweaks @{exec_path} {
  /{usr/,}bin/ps rPx,
  /{usr/,}bin/python3.[0-9]* rix,
-  /{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{*/,**/}__pycache__/*pyc* w,
+  /{usr/,}lib/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-tweaks/{,**} r,
@ -28,7 +29,8 @@ profile gnome-tweaks @{exec_path} {
  /etc/xdg/autostart/{,**} r,
  owner @{user_cache_dirs}/thumbnails/{,**} r,
-  owner @{user_config_dirs}/autostart/{,*.desktop} r,
+  owner @{user_config_dirs}/autostart/ rw,
  owner @{user_config_dirs}/autostart/*.desktop r,
  owner @{user_share_dirs}/backgrounds/{,**} r,
  owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
@ -38,5 +40,7 @@ profile gnome-tweaks @{exec_path} {
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{PROC}/@{pid}/fd/ r,
  include if exists <local/gnome-tweaks>
 }
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -22,6 +22,8 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  /etc/machine-id r,
  @{run}/cups/cups.sock rw,
  owner @{PROC}/@{pid}/fd/ r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -22,6 +22,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  /usr/share/nautilus/{,**} r,
  /usr/share/poppler/{,**} r,
  /usr/share/sounds/freedesktop/stereo/*.oga r,
  /usr/share/thumbnailers/{,**} r,
  /usr/share/tracker3/{,**} r,
  owner @{user_share_dirs}/nautilus/{,**} rwk,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -29,6 +29,9 @@ profile pacman @{exec_path} {
  capability sys_chroot,
  capability sys_resource,
  # network unix stream,
  # network unix dgram,
  network inet stream,
  network inet6 stream,
  network inet dgram,
@ -66,6 +69,7 @@ profile pacman @{exec_path} {
  /{usr/,}bin/rm                          rix,
  /{usr/,}bin/sed                         rix,
  /{usr/,}bin/setcap                      rix,
  /{usr/,}bin/touch                       rix,
  /{usr/,}bin/vercmp                      rix,
  /{usr/,}bin/xmlcatalog                  rix,
  /{usr/,}lib/ghc-*/bin/ghc-pkg           rix,
--- a/apparmor.d/groups/pacman/pacman-hook-depmod
+++ b/apparmor.d/groups/pacman/pacman-hook-depmod
@ -18,6 +18,10 @@ profile pacman-hook-depmod @{exec_path} {
  /{usr/,}bin/bash      rix,
  /{usr/,}bin/depmod    rPx,
  /{usr/,}bin/kmod      rPx,
  /{usr/,}bin/rm        rix,
  /{usr/,}bin/rmdir     rix,
  /usr/lib/modules/*/{,**} rw,
  /dev/tty rw,
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pacman-key
 profile pacman-key @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
  capability mknod,
@ -32,6 +33,8 @@ profile pacman-key @{exec_path} {
  /usr/share/pacman/keyrings/{,*} r,
  /usr/share/terminfo/x/xterm-256color r,
  /etc/pacman.d/gnupg/gpg.conf r,
  /dev/tty rw,
  # Inherit Silencer
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -76,7 +76,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/userdb/ r,
  @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
-  @{sys}/fs/cgroup/systemd/user.slice/user-[0-9]*.slice/session-c[0-9]*.scope/ rw,
+  @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-c[0-9]*.scope/ rw,
  owner @{PROC}/@{pid}/limits r,
  owner @{PROC}/@{pid}/loginuid rw,
--- a/apparmor.d/groups/systemd/hostnamectl
+++ b/apparmor.d/groups/systemd/hostnamectl
@ -14,5 +14,7 @@ profile hostnamectl @{exec_path} {
  /etc/machine-id r,
  @{PROC}/sys/kernel/random/boot_id r,
  include if exists <local/hostnamectl>
 }
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -29,17 +30,13 @@ profile networkctl @{exec_path} flags=(complain) {
  /{usr/,}bin/less             rPx -> child-pager,
  /{usr/,}bin/more             rPx -> child-pager,
-  @{sys}/devices/**/net/**/uevent r,
+  /etc/udev/hwdb.bin r,
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
  @{run}/systemd/netif/links/[0-9]* r,
  @{run}/systemd/netif/state r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/stat r,
        @{PROC}/sys/kernel/random/boot_id r,
  /etc/udev/hwdb.bin r,
  # To be able to read logs
  @{run}/log/ r,
  /{run,var}/log/journal/ r,
@ -48,8 +45,11 @@ profile networkctl @{exec_path} flags=(complain) {
  /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
  /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
-  /var/lib/dbus/machine-id r,
+  @{sys}/devices/**/net/**/uevent r,
  /etc/machine-id r,
-  include if exists <local/networkctld>
+  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/stat r,
        @{PROC}/sys/kernel/random/boot_id r,
  include if exists <local/networkctl>
 }
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@ -35,7 +35,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/coredump.conf r,
        /var/lib/systemd/coredump/ r,
-  owner /var/lib/systemd/coredump/#[0-9]* rw,
+  owner /var/lib/systemd/coredump/#[0-9]* rwl,
  owner /var/lib/systemd/coredump/core.*.zst rwl -> /var/lib/systemd/coredump/#[0-9]*,
  owner @{PROC}/@{pid}/setgroups r,
--- a/apparmor.d/groups/systemd/systemd-environment-d-generator
+++ b/apparmor.d/groups/systemd/systemd-environment-d-generator
@ -20,6 +20,7 @@ profile systemd-environment-d-generator @{exec_path} {
  /{usr/,}bin/mawk        rix,
  /etc/environment r,
  /etc/environment.d/{,**} r,
  owner @{user_config_dirs}/environment.d/{,*.conf} r,
--- a/apparmor.d/groups/systemd/systemd-fsck
+++ b/apparmor.d/groups/systemd/systemd-fsck
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
 # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -13,17 +14,16 @@ profile systemd-fsck @{exec_path} {
  include <abstractions/disks-read>
  include <abstractions/systemd-common>
  capability net_admin,
  capability sys_resource,
  # Needed?
  deny capability net_admin,
  @{exec_path} mr,
  /{usr/,}{s,}bin/fsck   rPx,
  /{usr/,}{s,}bin/e2fsck rPx,
  owner @{run}/systemd/quotacheck w,
  owner @{run}/systemd/fsck.progress rw,
  include if exists <local/systemd-fsck>
 }
--- a/apparmor.d/groups/systemd/systemd-fsckd
+++ b/apparmor.d/groups/systemd/systemd-fsckd
@ -12,14 +12,12 @@ profile systemd-fsckd @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/systemd-common>
  capability net_admin,
  capability sys_tty_config,
  # Needed?
  deny capability net_admin,
  @{exec_path} mr,
-  owner @{run}/systemd/fsck.progress w,
+  @{run}/systemd/fsck.progress rw,
  include if exists <local/systemd-fsckd>
 }
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -45,10 +45,11 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/+bluetooth:* r,
  @{run}/udev/data/+hid:*       r,
  @{run}/udev/data/+pci:*       r,
-  @{run}/udev/data/+platform* r,
+  @{run}/udev/data/+platform*   r,
  @{run}/udev/data/+scsi:*      r,
  @{run}/udev/data/+usb-serial:* r,
  @{run}/udev/data/+usb:*       r,
  @{run}/udev/data/+virtio:*    r,
  @{run}/udev/data/c10:224      r, # for /dev/tpm0
  @{run}/udev/data/c189:[0-9]*  r, # for /dev/bus/usb/**
  @{run}/udev/data/c23[0-9]:[0-9]* r,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -19,9 +19,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/oomd.conf r,
  owner @{run}/systemd/notify rw,
  owner @{run}/systemd/journal/socket w,
        @{run}/systemd/io.system.ManagedOOM rw,
        @{run}/systemd/notify rw,
  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/memory.pressure r,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -34,9 +34,11 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  /etc/systemd/resolved.conf.d/{,*} r,
  owner @{run}/systemd/journal/socket w,
  owner @{run}/systemd/notify rw,
        @{run}/systemd/netif/links/* r,
        @{run}/systemd/notify rw,
        @{run}/systemd/resolve/{,**} rw,
  @{PROC}/sys/kernel/hostname r,
  include if exists <local/systemd-timesyncd>
 }
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@ -18,11 +18,11 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/gpg rUx,
  owner @{HOME}/.password-store/{,**} r,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/.parentlock rw,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/extensions/* r,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/extensions/* r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/scriptCache-*.bin r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
  owner /tmp/mozilla-temp-[0-9]* r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@ -32,7 +32,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
  # Inherit Silencer
  deny network inet6,
  deny network inet,
-  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/storage/default/{,**} rw,
+  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r,
  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw,
  deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
  deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
  deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
--- a/apparmor.d/profiles-a-f/downloadhelper
+++ b/apparmor.d/profiles-a-f/downloadhelper
@ -26,11 +26,11 @@ profile downloadhelper @{exec_path} {
  /opt/net.downloadhelper.coapp/bin/ r,
  /opt/net.downloadhelper.coapp/converter/build/** rix,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/.parentlock rw,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/extensions/* r,
+  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/extensions/* r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/scriptCache-*.bin r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/scriptCache-*.bin r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/startupCache/startupCache.*.little r,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.default/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
+  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-[0-9]*.vlpset rw,
  owner /tmp/vdh-*.tmp rw,
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@ -15,9 +15,11 @@ profile flatpak-session-helper @{exec_path} {
  @{exec_path} mr,
  /{usr/,}bin/dbus-monitor           rPUx,
  /{usr/,}bin/p11-kit                 rix,
-  /{usr/,}lib/p11-kit/p11-kit-server  rix,
+  /{usr/,}bin/pkexec                  rPx,
  /{usr/,}lib/p11-kit/p11-kit-remote  rix,
  /{usr/,}lib/p11-kit/p11-kit-server  rix,
  owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
  owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-[0-9]* rw,
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@ -32,8 +32,8 @@ profile fsck @{exec_path} {
  owner @{run}/fsck/*.lock rwk,
  owner @{run}/blkid/blkid.tab{,-*} rw,
  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
  owner @{run}/systemd/fsck.progress w,
        @{run}/mount/utab r,
        @{run}/systemd/fsck.progress w,
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/partitions r,
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@ -75,7 +75,7 @@ profile jdownloader @{exec_path} {
  # What's this for?
  deny owner @{HOME}/.mozilla/firefox/ r,
-  deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r,
+  deny owner @{HOME}/.mozilla/firefox/*.*/prefs.js r,
       owner @{PROC}/@{pid}/fd/ r,
  deny       @{PROC}/@{pid}/net/ipv6_route r,
--- a/apparmor.d/profiles-g-l/jdownloader-install
+++ b/apparmor.d/profiles-g-l/jdownloader-install
@ -85,7 +85,7 @@ profile jdownloader-install @{exec_path} {
  # What's this for?
  deny owner @{HOME}/.mozilla/firefox/ r,
-  deny owner @{HOME}/.mozilla/firefox/*.default/prefs.js r,
+  deny owner @{HOME}/.mozilla/firefox/*.*/prefs.js r,
  # Needed when installing JD
             / r,
--- a/apparmor.d/profiles-g-l/locale-gen
+++ b/apparmor.d/profiles-g-l/locale-gen
@ -9,6 +9,9 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/locale-gen
 profile locale-gen @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
  @{exec_path} mr,
@ -21,7 +24,13 @@ profile locale-gen @{exec_path} {
  /{usr/,}lib/locale/locale-archive rwl,
  /{usr/,}lib/locale/locale-archive* rw,
  /usr/share/i18n/{,**} r,
  /etc/locale.gen r,
  # Inherit Silencer
  deny network inet6 stream,
  deny network inet stream,
  include if exists <local/locale-gen>
 }
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@ -46,8 +46,8 @@ profile pkexec @{exec_path} flags=(complain) {
  /{usr/,}{s,}bin/*            rPUx,
  /{usr/,}bin/*                rPUx,
  /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#)
  /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
  /{usr/,}lib/update-notifier/package-system-locked  rPx,
  # file_inherit
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{libexec}/power-profiles-daemon
-profile power-profiles-daemon @{exec_path} {
+profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -23,6 +23,7 @@ profile power-profiles-daemon @{exec_path} {
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/**/power_supply/*/scope r,
  @{sys}/devices/**/power_supply/*/uevent r,
  @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r,
  @{sys}/devices/system/cpu/*_pstate/status r,