feat(profiles): general update.

2024-11-15 16:03:51 +01:00 · 2023-08-17 18:43:56 +01:00 · 2023-08-17 18:43:56 +01:00 · 5d47dfba95
commit 5d47dfba95
parent f7b9ff959a
50 changed files with 174 additions and 50 deletions
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -12,18 +12,11 @@ profile dpkg @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  # To set proper ownership/permissions of installed files.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  # These are needed because dpkg wants to read/write files from/to directories owned by different
  # users than root, for instance files in the /usr/share/polkit-1/ dir , which is owned by the
  # "polkitd" user with the "drwx------" permissions.
  capability dac_read_search,
  capability dac_override,
  # Needed? (##FIXME##)
  capability setgid,
  @{exec_path} mr,
@ -35,6 +28,7 @@ profile dpkg @{exec_path} {
  @{bin}/dpkg-deb    rpx,
  @{bin}/dpkg-query  rpx,
  @{bin}/dpkg-split  rPx,
  @{bin}/deb-systemd-helper rix,
  @{lib}/needrestart/dpkg-status rPx,
  /usr/share/debian-security-support/check-support-status.hook rPx,
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@ -26,6 +26,8 @@ profile firefox-glxtest @{exec_path} {
  owner /tmp/firefox/.parentlock rw,
  owner /tmp/xauth_?????? r,
  owner @{run}/user/@{uid}/xauth_?????? r,
  @{sys}/bus/pci/devices/ r,
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -90,6 +90,7 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.xsession-errors w,
  owner /tmp/runtime-*/xauth_?????? r,
  owner /tmp/xauth_?????? r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/xauth_?????? r,
--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@ -14,6 +14,8 @@ profile fc-cache @{exec_path} {
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  capability dac_read_search,
  @{exec_path} mr,
  /var/cache/fontconfig/{,**} rw,
--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
@ -13,6 +13,8 @@ profile fc-list @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  capability dac_read_search,
  @{exec_path} mr,
  include if exists <local/fc-list>
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -72,6 +72,8 @@ profile pipewire-media-session @{exec_path} {
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node[0-9]*/meminfo r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  /dev/video[0-9]* rw,
  /dev/snd/ r,
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@ -47,6 +47,7 @@ profile polkit-agent-helper @{exec_path} {
        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/loginuid r,
  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -165,6 +165,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  owner @{HOME}/@{XDG_DATA_HOME}/ r,
  owner /tmp/runtime-*/xauth_?????? r,
  owner /tmp/xauth_?????? r,
        @{run}/mount/utab r,
        @{run}/user/@{uid}/xauth_* rl,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@ -45,6 +45,8 @@ profile xdg-desktop-portal-kde @{exec_path} {
  owner @{user_config_dirs}/kwinrc r,
  owner @{user_config_dirs}/xdg-desktop-portal-kderc r,
  owner /tmp/xauth_?????? r,
  @{run}/user/@{uid}/xauth_* rl,
  @{PROC}/sys/kernel/core_pattern r,
--- a/apparmor.d/groups/freedesktop/xprop
+++ b/apparmor.d/groups/freedesktop/xprop
@ -20,6 +20,8 @@ profile xprop @{exec_path} {
  owner @{HOME}/.icons/default/index.theme r,
  owner /tmp/runtime-*/xauth_?????? r,
  owner /tmp/xauth_?????? r,
  owner @{run}/user/@{uid}/xauth_* rl,
  # file_inherit
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@ -11,6 +11,7 @@ include <tunables/global>
 profile scdaemon @{exec_path} {
  include <abstractions/base>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
  network netlink raw,
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@ -38,6 +38,8 @@ profile kaccess @{exec_path} {
  owner @{user_share_dirs}/mime/generic-icons r,
  owner /tmp/xauth_?????? r,
  owner @{run}/user/@{uid}/xauth_?????? r,
  @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
--- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
+++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/kauth/{,libexec/}kinfocenter-dmidecode-helper
 profile kauth-kinfocenter-dmidecode-helper @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@ -16,6 +16,7 @@ profile kconf_update @{exec_path} {
  @{bin}/{,ba,da}sh                      rix,
  @{bin}/grep                            rix,
  @{bin}/python3.[0-9]*                  rix,
  @{bin}/qtpaths                         rix,
  @{bin}/sed                             rix,
@ -30,16 +31,38 @@ profile kconf_update @{exec_path} {
  /usr/share/kconf_update/{,**} r,
  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
  /etc/machine-id r,
  /etc/xdg/kdeglobals r,
  owner @{user_config_dirs}/#[0-9]* rw,
  owner @{user_config_dirs}/akregatorrc r,
  owner @{user_config_dirs}/kateschemarc r,
  owner @{user_config_dirs}/kcminputrc r,
  owner @{user_config_dirs}/kconf_updaterc r,
  owner @{user_config_dirs}/kconf_updaterc.lock rk,
  owner @{user_config_dirs}/kconf_updaterc* rwl,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdedefaults/kwinrc r,
  owner @{user_config_dirs}/kdeglobals.lock rk,
  owner @{user_config_dirs}/kdeglobals* rwl,
  owner @{user_config_dirs}/khotkeysrc r,
  owner @{user_config_dirs}/kmixrc r,
  owner @{user_config_dirs}/kscreenlockerrc r,
  owner @{user_config_dirs}/ksmserverrc r,
  owner @{user_config_dirs}/kwinrc.?????? rwl -> @{user_config_dirs}/#[0-9]*,
  owner @{user_config_dirs}/kwinrc.lock rwk,
  owner @{user_config_dirs}/kwinrulesrc rw,
  owner @{user_config_dirs}/kwinrulesrc.?????? rwl -> @{user_config_dirs}/#[0-9]*,
  owner @{user_config_dirs}/kwinrulesrc.lock rwk,
  owner @{user_config_dirs}/kxkbrc rw,
  owner @{user_config_dirs}/kxkbrc.?????? rwl -> @{user_config_dirs}/#[0-9]*,
  owner @{user_config_dirs}/kxkbrc.lock rwk,
  owner @{user_config_dirs}/plasmashellrc r,
  owner /tmp/#[0-9]* rw,
-  owner /tmp/kconf_update.?????? rw,
+  owner /tmp/kconf_update.* rwl,
  @{PROC}/@{sys}/kernel/random/boot_id r,
  include if exists <local/kconf_update>
 }
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{lib}/org_kde_powerdevil
-profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
+profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) {
  include <abstractions/base>
  include <abstractions/qt5>
  include <abstractions/X-strict>
@ -32,15 +32,19 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/#[0-9]* rw,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/powerdevilrc rwl -> @{user_config_dirs}/#[0-9]*,
  owner @{user_config_dirs}/powerdevilrc rwl,
  owner @{user_config_dirs}/powerdevilrc.lock rwk,
  owner @{user_config_dirs}/powermanagementprofilesrc r,
  owner @{user_config_dirs}/powermanagementprofilesrc rwl -> @{user_config_dirs}/#[0-9]*,
  owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
        @{run}/systemd/inhibit/*.ref rw,
  owner @{run}/user/@{uid}kcrash_[0-9]* rw,
  @{PROC}/sys/kernel/core_pattern r,
  @{PROC}/@{pid}/mounts r,
  @{PROC}/sys/kernel/core_pattern r,
  @{PROC}/sys/kernel/random/boot_id r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
--- a/apparmor.d/groups/kde/kded5
+++ b/apparmor.d/groups/kde/kded5
@ -20,6 +20,7 @@ profile kded5 @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/wutmp>
  include <abstractions/X-strict>
--- a/apparmor.d/groups/kde/kioslave5
+++ b/apparmor.d/groups/kde/kioslave5
@ -47,6 +47,7 @@ profile kioslave5 @{exec_path} {
  /etc/xdg/menus/{,**} r,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory r,
  owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
  owner @{user_cache_dirs}/ksycoca5_* r,
--- a/apparmor.d/groups/kde/kwalletd5
+++ b/apparmor.d/groups/kde/kwalletd5
@ -61,6 +61,7 @@ profile kwalletd5 @{exec_path} {
  owner /tmp/kwalletd5.* rw,
  owner /tmp/runtime-*/xauth_?????? r,
  owner /tmp/xauth_?????? r,
        @{PROC}/sys/kernel/core_pattern r,
  owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/groups/kde/plasma-discover
+++ b/apparmor.d/groups/kde/plasma-discover
@ -27,6 +27,8 @@ profile plasma-discover @{exec_path} {
  network inet6 stream,
  network netlink raw,
  signal (send) set=(term) peer=kioslave5,
  @{exec_path} mr,
  @{bin}/{,ba,da}sh                 rix,
@ -37,10 +39,13 @@ profile plasma-discover @{exec_path} {
  /usr/share/kservices5/{,*} r,
  /usr/share/knsrcfiles/{,*} r,
  /usr/share/qt/translations/*.qm r,
  /etc/appstream.conf r,
  /etc/machine-id r,
  /etc/flatpak/remotes.d/{,**} r,
  /etc/machine-id r,
  /etc/xdg/ r,
  /etc/xdg/accept-languages.codes r,
  /var/tmp/flatpak-cache-*/ rw,
  /var/tmp/flatpak-cache-*/** rwkl,
@ -54,6 +59,8 @@ profile plasma-discover @{exec_path} {
  owner @{user_cache_dirs}/discover/{,**} rwl,
  owner @{user_cache_dirs}/appstream/*.xb r,
  owner @{user_cache_dirs}/appstream/ r,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_cache_dirs}/kio_http/ w,
  owner @{user_config_dirs}/ r,
  owner @{user_config_dirs}/#[0-9]* rwl,
@ -61,6 +68,7 @@ profile plasma-discover @{exec_path} {
  owner @{user_config_dirs}/discoverrc.lock rwk,
  owner @{user_config_dirs}/kde.org/{,**} rwlk,
  owner @{user_config_dirs}/kdedefaults/ r,
  owner @{user_config_dirs}/kdedefaults/plasmarc r,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdedefaults/kwinrc r,
  owner @{user_config_dirs}/kdeglobals r,
@ -68,10 +76,14 @@ profile plasma-discover @{exec_path} {
  owner @{user_config_dirs}/libaccounts-glib/ rw,
  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk,
  owner @{user_share_dirs}/knewstuff3/ r,
  owner @{user_share_dirs}/flatpak/repo/{,**} rw,
  owner @{user_share_dirs}/knewstuff3/ r,
  owner @{user_share_dirs}/knewstuff3/ w,
  owner @{run}/user/@{uid}/#[0-9]* rw,
  owner @{run}/user/@{uid}/discover??????.* rwl ->  @{run}/user/@{uid}/#[0-9]*,
        @{PROC}/sys/kernel/core_pattern r,
        @{PROC}/sys/kernel/random/boot_id r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/kde/plasmashell
+++ b/apparmor.d/groups/kde/plasmashell
@ -110,8 +110,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
  owner @{user_config_dirs}/dolphinrc r,
  owner @{user_config_dirs}/eventviewsrc r,
  owner @{user_config_dirs}/kactivitymanagerd-statsrc r,
-  owner @{user_config_dirs}/kde.org/{,**} rwlk,
+  owner @{user_config_dirs}/{KDE,kde.org}/ rw,
-  owner @{user_config_dirs}/KDE/{,**} r,
+  owner @{user_config_dirs}/{KDE,kde.org}/** rwkl -> @{user_config_dirs}/{KDE,kde.org}/#[0-9]*,
  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
  owner @{user_config_dirs}/kdedefaults/kwinrc r,
  owner @{user_config_dirs}/kdedefaults/plasmarc r,
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -65,7 +65,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{bin}/dbus-update-activation-environment rCx -> dbus,
  @{bin}/gnome-keyring-daemon rPx,
  @{bin}/kwalletd5            rPx,
-  @{bin}/startplasma-wayland  rPUx,
+  @{bin}/startplasma-wayland  rPx,
  @{bin}/startplasma-x11      rPx,
  @{bin}/systemctl            rPx -> child-systemctl,
  @{bin}/xrdb                 rPx,
@ -125,12 +125,12 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner /tmp/*/{,s} rw,
  owner /tmp/#[0-9]* rw,
  owner /tmp/sddm-auth* rw,
-  owner /tmp/xauth_?????? rw,
+  owner /tmp/xauth_?????? rwl -> /tmp/#[0-9]*,
        @{run}/faillock/[a-zA-z0-9]* rwk,
        @{run}/sddm.pid rw,
        @{run}/sddm/\{@{uuid}\} rw,
-        @{run}/sddm/xauth_?????? rwl,
+        @{run}/sddm/xauth_?????? rwl -> @{run}/sddm/#[0-9]*,
        @{run}/systemd/sessions/*.ref rw,
        @{run}/user/@{uid}/xauth_?????? rwl,
  owner @{run}/sddm/ rw,
--- a/apparmor.d/groups/kde/startplasma-x11
+++ b/apparmor.d/groups/kde/startplasma-x11
@ -6,8 +6,8 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/startplasma-x11
+@{exec_path} = @{bin}/startplasma-{wayland,x11}
-profile startplasma-x11 @{exec_path} {
+profile startplasma @{exec_path} {
  include <abstractions/base>
  include <abstractions/freedesktop.org>
  include <abstractions/qt5>
@ -61,6 +61,7 @@ profile startplasma-x11 @{exec_path} {
  owner @{user_share_dirs}/kservices5/{,**} r,
  owner @{user_share_dirs}/sddm/xorg-session.log rw,
  owner @{user_share_dirs}/sddm/wayland-session.log rw,
  owner /tmp/#[0-9][0-9] rw,
  owner /tmp/startplasma-x11.?????? rwl,
@ -72,5 +73,5 @@ profile startplasma-x11 @{exec_path} {
  /dev/tty r,
-  include if exists <local/startplasma-x11>
+  include if exists <local/startplasma>
 }
--- a/apparmor.d/groups/kde/xembedsniproxy
+++ b/apparmor.d/groups/kde/xembedsniproxy
@ -18,6 +18,8 @@ profile xembedsniproxy @{exec_path} {
  /usr/share/hwdata/*.ids r,
  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
  owner /tmp/xauth_?????? r,
  @{run}/user/@{uid}/xauth_* rl,
  include if exists <local/xembedsniproxy>
--- a/apparmor.d/groups/kde/xsettingsd
+++ b/apparmor.d/groups/kde/xsettingsd
@ -16,6 +16,8 @@ profile xsettingsd @{exec_path} {
  owner @{user_config_dirs}/xsettingsd/{,**} rw,
  owner /tmp/xauth_?????? r,
  owner @{run}/user/@{uid}/xauth_* rl,
  include if exists <local/xsettingsd>
--- a/apparmor.d/groups/network/tailscale
+++ b/apparmor.d/groups/network/tailscale
@ -11,7 +11,7 @@ profile tailscale @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  ptrace (read),
+  capability sys_ptrace,
  network inet dgram,
  network inet6 dgram,
@ -19,15 +19,20 @@ profile tailscale @{exec_path} {
  network inet6 stream,
  network netlink raw,
  ptrace (read),
  @{exec_path} mr,
  @{bin}/ip rPx,
  owner @{run}/tailscale/tailscaled.sock rw,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  @{PROC}/ r,
+        @{PROC}/ r,
-  @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/stat r,
-  @{PROC}/sys/net/core/somaxconn r,
+        @{PROC}/sys/net/core/somaxconn r,
  owner @{PROC}/@{pids}/environ r,
  include if exists <local/tailscale>
 }
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/tailscaled
 profile tailscaled @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
@ -17,6 +18,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
  capability net_admin,
  capability net_raw,
  capability sys_ptrace,
  capability syslog,
  network inet dgram,
  network inet6 dgram,
@ -28,6 +30,21 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
  ptrace (read),
  dbus send bus=system path=/org/freedesktop/resolve1
       interface=org.freedesktop.DBus.Peer
       member=Ping
       peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
  dbus send bus=system path=/org/freedesktop/resolve1
       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
  dbus send bus=system path=/org/freedesktop/resolve1
       interface=org.freedesktop.resolve1.Manager
       member={FlushCaches,SetLink*}
       peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
  @{exec_path} mr,
  @{bin}/ip                 rix,
@ -42,10 +59,14 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
  @{etc_rw}/resolv.conf rw,
  @{etc_rw}/resolv.conf.*.tmp rw,
  owner @{run}/tailscale/{,**} rw,
  owner /var/cache/{,**} rw,
  owner /var/lib/tailscale/{,**} rw,
  owner @{user_share_dirs}/tailscale/{,**} rw,
  owner @{run}/systemd/notify w,
  owner @{run}/tailscale/{,**} rw,
  @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@ -81,6 +102,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
    /dev/net/tun rw,
    include if exists <local/tailscaled_systemctl>
  }
  include if exists <local/tailscaled>
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -109,8 +109,8 @@ profile pacman @{exec_path} {
  @{lib}/ghc-*/bin/ghc-pkg           rix,
  @{lib}/systemd/systemd-*           rPx,
  @{lib}/vlc/vlc-cache-gen           rPx,
-  /opt/Mullvad*/resources/mullvad-setup   rPx,
+  /usr/share/code-features/patch.py      rPx,
-  /usr/share/code-features/patch.sh       rPx,
+  /usr/share/code-marketplace/patch.py   rPx,
  /usr/share/libalpm/scripts/*           rPUx,
  /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,
--- a/apparmor.d/groups/pacman/pacman-hook-code
+++ b/apparmor.d/groups/pacman/pacman-hook-code
@ -6,23 +6,21 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /usr/share/code-features/patch.sh
+@{exec_path} = /usr/share/code-{features,marketplace}/patch.py
 profile pacman-hook-code @{exec_path} {
  include <abstractions/base>
  include <abstractions/python>
  capability dac_read_search,
  @{exec_path} mr,
-  @{bin}/{,ba}sh     rix,
+  @{bin}/python3.[0-9]* rix,
  @{bin}/env         rix,
  @{bin}/grep        rix,
  @{bin}/sed         rix,
  @{lib}/code/product.json rw,
  @{lib}/code/sed?????? rw,
-  /dev/tty rw,
+  /usr/share/code-{features,marketplace}/* r,
  /usr/share/code-{features,marketplace}/cache.json rw,
  include if exists <local/pacman-hook-code>
 }
--- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
+++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio
@ -14,7 +14,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
  capability dac_read_search,
  capability mknod,
-  # unix (receive) type=stream,
+  unix (receive) type=stream,
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@ -16,6 +16,8 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{bin}/* r,
  # Config file locations
  /etc/binfmt.d/{,*.conf} r,
  @{run}/binfmt.d/{,*.conf} r,
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@ -68,6 +68,8 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
  @{sys}/kernel/uevent_seqnum r,
  @{sys}/devices/**/read_ahead_kb r,
  @{sys}/fs/cgroup/system.slice/systemd-homed.service/memory.pressure rw,
        @{PROC}/devices r,
        @{PROC}/sysvipc/{shm,sem,msg} r,
  owner @{PROC}/@{pid}/gid_map w,
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@ -11,9 +11,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_override,
  @{exec_path} mr,
-  @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* w,
+  @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* wl -> @{lib}/udev/#[0-9]*,
  @{lib}/udev/hwdb.bin w,
  /etc/udev/.#hwdb.bind* rw,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -30,7 +30,7 @@ profile systemd-journald @{exec_path} {
  @{run}/log/ rw,
  /{run,var}/log/journal/ rw,
-  /{run,var}/log/journal/@{hex}/{,*} rw,
+  /{run,var}/log/journal/@{hex}/{,*} rwl -> /{run,var}/log/journal/@{hex}/**,
  owner @{run}/systemd/journal/{,**} rw,
  owner @{run}/systemd/notify rw,
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -33,7 +33,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  /usr/share/kbd/keymaps/{,**} r,
  /usr/share/systemd/*-map r,
-  /usr/share/X11/xkb/rules/evdev r,
+  /usr/share/X11/xkb/{,**} r,
  /etc/.#vconsole.conf* rw,
  /etc/default/.#locale* rw,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -128,6 +128,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
  @{sys}/fs/cgroup/memory.max r,
  @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
  @{sys}/fs/cgroup/system.slice/systemd-logind.service/memory.pressure rw,
  @{sys}/module/vt/parameters/default_utf8 r,
  @{sys}/power/{state,resume_offset,resume,disk} r,
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@ -71,5 +71,7 @@ profile systemd-machined @{exec_path} {
  @{run}/systemd/userdb/io.systemd.Machine rw,
  @{run}/systemd/notify w,
  @{sys}/fs/cgroup/system.slice/systemd-machined.service/memory.pressure rw,
  include if exists <local/systemd-machined>
 }
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -35,7 +35,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
       peer=(name=org.freedesktop.DBus),
  dbus receive bus=system path=/org/freedesktop/resolve[0-9]
-       interface=org.freedesktop.resolve[0-9].Manager,
+       interface=org.freedesktop.{resolve[0-9].Manager,DBus.Peer,DBus.Properties},
  dbus receive bus=system path=/org/freedesktop/login[0-9]*
       interface=org.freedesktop.login[0-9]*.Manager
@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/resolve/{,**} rw,
  owner @{run}/systemd/journal/socket w,
  owner @{sys}/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure rw,
  @{PROC}/sys/kernel/hostname r,
  @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@ -12,6 +12,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>
  include <abstractions/systemd-common>
  capability mknod,
  capability net_admin,
  capability sys_admin,
  capability sys_ptrace,
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -37,6 +37,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/systemd/timesync/clock rw,
  @{sys}/fs/cgroup/system.slice/systemd-timesyncd.service/memory.pressure rw,
  owner @{run}/systemd/journal/socket w,
  owner @{run}/systemd/timesync/synchronized rw,
        @{run}/resolvconf/*.conf r,
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@ -12,7 +12,7 @@ profile systemd-tty-ask-password-agent @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/systemd-common>
-#  capability net_admin,
+  audit capability net_admin,
  signal (receive) set=(term cont) peer=logrotate,
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@ -25,6 +25,7 @@ profile btrfs @{exec_path} {
  / r,
  /boot/ r,
  /.snapshots/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/ext2_saved/ rw,
  @{MOUNTS}/ext2_saved/image rw,
@ -41,6 +42,8 @@ profile btrfs @{exec_path} {
  @{run}/blkid/blkid.tab{,-*} rw,
  @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
  @{sys}/fs/btrfs/@{uuid}/devinfo/[0-9]*/fsid r,
        @{PROC}/partitions r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@ -83,6 +83,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  owner /dev/tty rw,
  profile systemctl flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/wutmp>
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -122,11 +122,13 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  owner /tmp/packagekit* rw,
        @{run}/zypp.pid rwk, # only: opensuse
        @{run}/systemd/inhibit/*.ref rw,
        @{run}/zypp.pid rwk, # only: opensuse
  owner @{run}/systemd/users/@{uid} r,
  owner @{run}/zypp-rpm.pid rwk, # only: opensuse
  owner /dev/shm/AP_0x??????/{,**} rw,
  owner /dev/shm/ r,
  @{sys}/**/ r,
  @{sys}/devices/**/modalias r,
--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@ -15,6 +15,8 @@ profile qemu-ga @{exec_path} {
  capability net_admin,
  capability sys_ptrace,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  ptrace peer=unconfined,
@ -30,6 +32,8 @@ profile qemu-ga @{exec_path} {
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node*/meminfo r,
  owner @{PROC}/@{pid}/net/dev r,
  /dev/vport[0-9]*p[0-9]* rw,
  include if exists <local/qemu-ga>
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -12,6 +12,7 @@ profile spice-vdagent @{exec_path} {
  include <abstractions/audio>
  include <abstractions/dbus-accessibility-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dri-common>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
--- a/apparmor.d/profiles-s-z/start-pulseaudio-x11
+++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11
@ -12,8 +12,11 @@ profile start-pulseaudio-x11 @{exec_path} {
  @{exec_path} mr,
-  @{bin}/{,ba,da}sh rix,
+  @{bin}/{,ba,da}sh  rix,
-  @{bin}/pactl      rPx,
+  @{bin}/head        rix,
  @{bin}/pactl       rPx,
  @{bin}/plasmashell rPx,
  @{bin}/sed         rix,
  /dev/tty rw,
--- a/apparmor.d/profiles-s-z/sysctl
+++ b/apparmor.d/profiles-s-z/sysctl
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} = @{bin}/sysctl
 profile sysctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  capability net_admin,
  capability sys_admin,
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@ -95,6 +95,11 @@ profile thunderbird @{exec_path} {
  @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
  # GPG integration
  @{bin}/gpg{,2}     rPx,
  @{bin}/gpgconf     rPx,
  @{bin}/gpgsm       rPx,
  # Desktop integration
  @{bin}/exo-open                                    rPx -> child-open,
  @{bin}/lsb_release                                 rPx -> lsb_release,
--- a/apparmor.d/profiles-s-z/wget
+++ b/apparmor.d/profiles-s-z/wget
@ -11,10 +11,10 @@ profile wget @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  # For downloading files as root to user owned dirs
  capability dac_read_search,
@ -28,12 +28,13 @@ profile wget @{exec_path} {
  @{exec_path} mr,
  /usr/share/publicsuffix/public_suffix_list.* r,
  /etc/wgetrc r,
  owner @{HOME}/.rnd r,
  owner @{HOME}/.wget-hsts rwk,
  /usr/share/publicsuffix/public_suffix_list.* r,
  # For apt
  owner /var/cache/google-android-build-tools-*-installer/build-tools_*-linux.zip w,
  owner /var/cache/google-android-platform-*-installer/platform-*.zip w,
--- a/apparmor.d/profiles-s-z/xauth
+++ b/apparmor.d/profiles-s-z/xauth
@ -32,6 +32,9 @@ profile xauth @{exec_path} {
  owner /tmp/serverauth.*   rwl -> /tmp/serverauth.*-n,
  owner /tmp/runtime-*/xauth_?????? r,
  owner /tmp/xauth_?????? r,
  owner /tmp/xauth_??????-c w,
  owner /tmp/xauth_??????-l wl,
  owner @{run}/user/@{uid}/xauth_?????? rw,
  owner @{run}/user/@{uid}/xauth_??????-c w,