feat(profile): initial integration with attached path.

The feature is not yet enabled. See https://apparmor.pujol.io/development/internal/#re-attached-path
2025-01-24 03:48:13 +01:00 · 2024-10-11 14:13:17 +01:00 · 2024-10-11 14:13:17 +01:00 · 61a27bc336
commit 61a27bc336
parent 5bf8c6ef0f
85 changed files with 164 additions and 139 deletions
--- a/apparmor.d/abstractions/attached/base
+++ b/apparmor.d/abstractions/attached/base
@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+  # Do not use it manually, it is automatically included in profiles when it is required.
+
+  abi <abi/4.0>,
+
+  @{att}/apparmor/.null rw,
+
+  include if exists <abstractions/attached/base.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/attached/consoles
+++ b/apparmor.d/abstractions/attached/consoles
@ -0,0 +1,13 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+  abi <abi/4.0>,
+
+  owner @{att}/dev/pts/@{int} rw,
+  owner @{att}/dev/tty@{int} rw,
+
+  include if exists <abstractions/attached/consoles.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -67,10 +67,11 @@
  owner @{tmp}/** rmwk,
  owner /dev/shm/** rwlk -> /dev/shm/**,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
  @{run}/host/{,**} r,
  @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
-  @{run}/systemd/inhibit/@{int}.ref rw,
  @{run}/utmp rk,

  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -44,15 +44,16 @@
  owner /tmp/newroot/ w,
  owner /tmp/oldroot/ w,

+        @{att}/@{PROC}/sys/user/max_user_namespaces rw,
+  owner @{att}/@{PROC}/@{pid}/cgroup r,
+  owner @{att}/@{PROC}/@{pid}/gid_map rw,
+  owner @{att}/@{PROC}/@{pid}/mountinfo r,
+  owner @{att}/@{PROC}/@{pid}/setgroups rw,
+  owner @{att}/@{PROC}/@{pid}/uid_map rw,
+
        @{PROC}/sys/kernel/overflowgid r,
        @{PROC}/sys/kernel/overflowuid r,
-        @{PROC}/sys/user/max_user_namespaces rw,
-  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/gid_map rw,
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/setgroups rw,
-  owner @{PROC}/@{pid}/uid_map rw,

  include if exists <abstractions/common/bwrap.d>

--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -141,6 +141,8 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/apt.conf.* rw,
  owner @{tmp}/apt.data.* rw,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/mountinfo r,
  owner @{PROC}/@{pid}/fd/ r,
@ -148,8 +150,6 @@ profile apt @{exec_path} flags=(attach_disconnected) {

  /dev/ptmx rw,

-  @{run}/systemd/inhibit/@{int}.ref rw,
-
  profile editor flags=(complain) {
    include <abstractions/base>
    include <abstractions/app/editor>
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -100,7 +100,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /var/log/apt/{term,history}.log w,
  /var/log/apt/eipp.log.xz w,

-        @{run}/systemd/inhibit/@{int}.ref rw,
+        @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  owner @{run}/unattended-upgrades.lock rwk,
  owner @{run}/unattended-upgrades.pid rw,
  owner @{run}/unattended-upgrades.progress rw,
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
@ -24,8 +24,8 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {

  owner /var/log/unattended-upgrades/*.log* rw,

+  owner @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  owner @{run}/unattended-upgrades.lock rwk,
-  owner @{run}/systemd/inhibit/@{int}.ref rw,

  owner @{PROC}/@{pid}/mounts r,

--- a/apparmor.d/groups/browsers/epiphany
+++ b/apparmor.d/groups/browsers/epiphany
@ -39,7 +39,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
  @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,

  owner /bindfile@{rand6} rw,
-  owner /.flatpak-info r,
+  owner @{att}/.flatpak-info r,

  owner @{user_config_dirs}/glib-2.0/ w,
  owner @{user_config_dirs}/glib-2.0/settings/ w,
--- a/apparmor.d/groups/bus/at-spi2-registryd
+++ b/apparmor.d/groups/bus/at-spi2-registryd
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd
 profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
@ -27,8 +28,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/at-spi2-registryd>
 }

--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
 profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
@ -72,8 +73,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_score_adj r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/dbus-accessibility>
 }

--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -49,17 +49,17 @@ profile dbus-system flags=(attach_disconnected) {
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

-  @{desktop_share_dirs}/icc/ r,
-  @{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
-  @{user_share_dirs}/icc/ r,
-  @{user_share_dirs}/icc/edid-@{hex32}.icc r,
+  @{att}/@{desktop_share_dirs}/icc/ r,
+  @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
+  @{att}/@{user_share_dirs}/icc/ r,
+  @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,

  # Dbus can receive any user files
  @{HOME}/** r,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
  @{run}/systemd/notify w,
-  @{run}/systemd/sessions/*.ref rw,
  @{run}/systemd/users/@{int} r,

  @{sys}/kernel/security/apparmor/.access rw,
@ -77,8 +77,8 @@ profile dbus-system flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_score_adj rw,

-  /dev/dri/card@{int} rw,
-  /dev/input/event@{int} rw,
+  @{att}/dev/dri/card@{int} rw,
+  @{att}/dev/input/event@{int} rw,

  include if exists <local/dbus-system>
 }
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@ -53,8 +53,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
  owner /dev/nvidia-caps/ w,
  owner /dev/nvidia-caps/nvidia-cap@{int} w,

-  /dev/tty@{int} rw,
-
  deny  @{HOME}/.steam/** r,

  profile kmod {
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -49,8 +49,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/snmp/mibs/{iana,ietf}/ r,
  owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,

-  @{desktop_share_dirs}/icc/edid-*.icc r,
-  @{user_share_dirs}/icc/edid-*.icc r,
+  @{att}/@{desktop_share_dirs}/icc/edid-*.icc r,
+  @{att}/@{user_share_dirs}/icc/edid-*.icc r,

  @{run}/systemd/sessions/* r,

--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -44,8 +44,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {

  /etc/pipewire/{,**} r,

-  / r,
-  /.flatpak-info r,
+              / r,
+        @{att}/ r,
+  owner @{att}/.flatpak-info r,

  owner @{user_config_dirs}/pipewire/{,**} r,

--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@ -28,8 +28,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

-  / r,
-  /.flatpak-info r,
+        @{att}/ r,
+  owner @{att}/.flatpak-info r,

  owner @{run}/user/@{uid}/pulse/pid w,
  owner @{tmp}/librnnoise-@{int}.so rm,
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -41,7 +41,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  @{run}/udev/data/c116:@{int} r,         # for ALSA

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{sys}/bus/hid/devices/ r,
  @{sys}/class/input/ r,
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-dbus-proxy
 profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
@ -16,7 +17,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
-  include <abstractions/consoles>
  include <abstractions/user-download-strict>

  network unix stream,
@ -31,7 +31,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.var/app/*/.local/share/*/logs/* rw,
  owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw,

-        @{run}/systemd/inhibit/@{int}.ref rw,
+        @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
  owner @{run}/flatpak/doc/** r,
  owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -10,6 +10,7 @@ include <tunables/global>
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-open>
+  include <abstractions/attached/consoles>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
@ -61,8 +62,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  @{lib}/xdg-desktop-portal-validate-icon rPx,
  @{open_path}                            rPx -> child-open,

-  / r,
-  /.flatpak-info r,
+        / r,
+  @{att}/.flatpak-info r,

  /usr/share/dconf/profile/gdm r,
  /usr/share/xdg-desktop-portal/** r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-gnome
 profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
@ -65,8 +66,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/task/@{tid}/ r,
  owner @{PROC}/@{pid}/task/@{tid}/status r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/xdg-desktop-portal-gnome>
 }

--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-document-portal
 profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
  include <abstractions/deny-sensitive-home>
@ -39,8 +40,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  @{bin}/flatpak         rPUx,
  @{bin}/fusermount{,3}  rCx -> fusermount,

-  / r,
-  owner /.flatpak-info r,
+  owner @{att}/ r,
+  owner @{att}/.flatpak-info r,

  owner @{HOME}/ r,
  owner @{HOME}/*/{,**} rw,
@ -57,7 +58,6 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/fd/ r,

        /dev/fuse rw,
-  owner /dev/tty@{int} rw,

  profile fusermount flags=(attach_disconnected) {
    include <abstractions/base>
@ -83,7 +83,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
    @{PROC}/@{pids}/mounts r,

          /dev/fuse rw,
-    owner /dev/tty@{int} rw,
+    @{att}/dev/tty@{int} rw,
  
    include if exists <local/xdg-document-portal_fusermount>
  }
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-permission-store
 profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/nameservice-strict>

@ -45,8 +46,6 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/flatpak/db/documents rw,
  owner @{user_share_dirs}/flatpak/db/notifications rw,

-  /dev/tty@{int} rw,
-
  include if exists <local/xdg-permission-store>
 }

--- a/apparmor.d/groups/freedesktop/xkbcomp
+++ b/apparmor.d/groups/freedesktop/xkbcomp
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/xkbcomp
 profile xkbcomp @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/mesa>
  include <abstractions/X-strict>

@ -37,7 +38,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
  /dev/dri/card@{int} rw,
  /dev/fb@{int} rw,
  /dev/tty rw,
-  /dev/tty@{int} rw,

  deny /dev/input/event@{int} rw,
  deny /var/log/Xorg.@{int}.log w,
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -36,7 +36,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {

  @{PROC}/@{pids}/cmdline r,

-  /dev/tty@{int} rw,
+  @{att}/dev/tty@{int} rw,
  /dev/tty rw,

  include if exists <local/xwayland>
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -114,13 +114,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  owner @{run}/gdm{3,}/dbus/ w,
  owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,

+  @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
  @{run}/cockpit/active.motd r,
  @{run}/faillock/@{user} rwk,
  @{run}/fscrypt/ rw,
  @{run}/fscrypt/@{uid}.count rwk,
  @{run}/motd.d/{,*} r,
  @{run}/systemd/sessions/* r,
-  @{run}/systemd/sessions/*.ref rw,
  @{run}/systemd/users/@{uid} r,
  @{run}/utmp rwk,

--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -14,6 +14,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gjs-console
 profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -85,7 +86,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {

  /dev/ r,
  /dev/tty rw,
-  /dev/tty@{int} rw,

  include if exists <local/gjs-console>
 }
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-keyring-daemon
 profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1.Session>
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -48,7 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/grilo-plugins/ rwk,
  owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
  owner /var/tmp/etilqs_@{hex15} rw,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -79,9 +79,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/gnome-session/ rw,
  owner @{user_config_dirs}/gnome-session/saved-session/ rw,

-        @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
+
        @{run}/systemd/sessions/* r,
-        @{run}/systemd/sessions/*.ref rw,
        @{run}/systemd/users/@{uid} r,
  owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
  owner @{run}/user/@{uid}/ICEauthority rw,
@ -104,6 +105,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {

  profile open flags=(attach_disconnected) {
    include <abstractions/base>
+    include <abstractions/attached/consoles>
    include <abstractions/desktop>

    @{bin}/env rix,
@ -119,7 +121,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
    /usr/games/**                 PUx,

    /dev/tty rw,
-    /dev/tty@{int} rw,

    include if exists <usr/gnome-session-binary_open.d>
    include if exists <local/gnome-session-binary_open>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -207,8 +207,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /usr/share/xml/iso-codes/{,**} r,
  @{system_share_dirs}/gnome-shell/{,**} r,

-  / r,
-  /.flatpak-info r,
  /etc/fstab r,
  /etc/timezone r,
  /etc/tpm2-tss/*.json r,
@ -220,6 +218,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /var/lib/flatpak/app/**/gnome-shell/{,**} r,
  /var/lib/flatpak/appstream/**/icons/** r,

+  owner @{att}/ r,
+  owner @{att}/.flatpak-info r,
+
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_cache_dirs}/ w,
  owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,
@ -293,11 +294,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{tmp}/@{rand6}.shell-extension.zip rw,
  owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/seats/seat@{int} r,
  @{run}/systemd/sessions/  r,
  @{run}/systemd/sessions/* r,
-  @{run}/systemd/inhibit/@{int}.ref rw,

  @{run}/udev/tags/seat/ r,

@ -365,9 +367,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

-  /dev/input/event@{int} rw,
-  /dev/media@{int} rw,
-  /dev/tty@{int} rw,
+        /dev/media@{int} rw,
+        /dev/tty@{int} rw,
+  @{att}/dev/dri/card@{int} rw,
+  @{att}/dev/input/event@{int} rw,

  profile shell flags=(attach_disconnected,mediate_deleted) {
    include <abstractions/base>
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -111,7 +111,7 @@ profile gnome-software @{exec_path} {
  owner /dev/shm/flatpak-com.*/ rw,
  owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  @{run}/systemd/sessions/@{int} r,
  @{run}/systemd/users/@{uid} r,

--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-a11y-settings
 profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/dconf-write>
@ -31,8 +32,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
  @{gdm_config_dirs}/dconf/user r,
  @{GDM_HOME}/greeter-dconf-defaults r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-a11y-settings>
 }

--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-color
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
@ -49,8 +50,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/icc/ rw,
  owner @{user_share_dirs}/icc/edid-*.icc rw,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-color>
 }

--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-datetime
 profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/dconf-write>
@ -49,8 +50,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/stat r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-datetime>
 }

--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@ -10,6 +10,7 @@ include <tunables/global>
 profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -46,8 +47,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pids}/cgroup r,
  owner @{PROC}/@{pids}/mountinfo r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-housekeeping>
 }

--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-keyboard
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
@ -39,8 +40,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
  owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-keyboard>
 }

--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-media-keys
 profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
@ -72,7 +73,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {

  owner @{user_share_dirs}/recently-used.xbel{,.*} rw,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{run}/udev/data/+sound:card@{int} r,   # For sound card
  @{run}/udev/data/c13:@{int} r,          # for /dev/input/*
@ -86,8 +87,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/cgroup r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-media-keys>
 }

--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-power
 profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
@ -60,7 +61,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
  @{run}/udev/data/+leds:* r,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{sys}/bus/ r,
  @{sys}/class/ r,
@ -83,8 +84,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sys/kernel/osrelease r,
  owner @{PROC}/@{pid}/cgroup r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-power>
 }

--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-print-notifications
 profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.Avahi>
@ -38,8 +39,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-print-notifications>
 }

--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-printer
 profile gsd-printer @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.gnome.SessionManager>
@ -29,8 +30,6 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pid}/cgroup r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-printer>
 }

--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-rfkill
 profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.hostname1>
@ -33,8 +34,6 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) {

  @{run}/udev/data/c10:@{int} r,          # for non-serial mice, misc features

-  owner /dev/tty@{int} rw,
-
  /dev/rfkill rw,

  include if exists <local/gsd-rfkill>
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-screensaver-proxy
 profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>

@ -24,8 +25,6 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-screensaver-proxy>
 }

--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-sharing
 profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.NetworkManager>
@ -44,8 +45,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/cgroup r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-sharing>
 }

--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-smartcard
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/dconf-write>
@ -42,8 +43,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {

  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-smartcard>
 }

--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-sound
 profile gsd-sound @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gnome.SessionManager>
@ -36,8 +37,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {

  owner @{user_share_dirs}/sounds/ rw,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-sound>
 }

--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/gsd-wacom
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
@ -32,8 +33,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{GDM_HOME}/greeter-dconf-defaults r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/gsd-wacom>
 }

--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/mutter-x11-frames
 profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
@ -33,8 +34,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pid}/cmdline r,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/mutter-x11-frames>
 }

--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@ -45,7 +45,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
  owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk,
  owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},

-        @{run}/systemd/inhibit/@{int}.ref rw,
+        @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
        @{run}/udev/data/c189:@{int} r,       # for /dev/bus/usb/**
  owner @{run}/user/@{uid}kcrash_@{int} rw,

--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@ -66,7 +66,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {

  owner @{tmp}/@{rand6} rw,

-        @{run}/systemd/inhibit/@{int}.ref rw,
+        @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  owner @{run}/user/@{uid}/KSMserver__[0-9] rw,

  /dev/tty r,
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@ -99,7 +99,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {

  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{sys}/bus/ r,
  @{sys}/class/ r,
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -34,7 +34,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c5:@{int} r,           # for /dev/tty, /dev/console, /dev/ptmx
  @{run}/udev/data/n@{int} r,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  @{sys}/bus/ r,
  @{sys}/bus/usb/devices/ r,
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -95,7 +95,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
  /usr/share/iproute2/{,**} r,

-  / r,
+  @{att}/ r,
+
  /etc/ r,
  /etc/iproute2/* r,
  /etc/machine-id r,
@ -115,11 +116,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  @{sys}/class/net/rfkill/ r,
  @{sys}/class/rfkill/ r,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/network/ifstate r,
  @{run}/NetworkManager/{,**} rw,
  @{run}/nm-*.pid rw,
  @{run}/nscd/db* rwl,
-  @{run}/systemd/inhibit/@{int}.ref rw,
  @{run}/systemd/users/@{uid} r,
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/+platform:* r,
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -32,7 +32,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {

  owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  /dev/tty rw,

--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -97,12 +97,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
  owner @{user_cache_dirs}/{,motd*} rw,

+  @{att}/@{run}/systemd/sessions/@{int}.ref rw,
+
        @{run}/faillock/@{user} rwk,
        @{run}/motd.d/{,*} r,
        @{run}/motd.dynamic rw,
        @{run}/motd.dynamic.new rw,
        @{run}/systemd/notify w,
-        @{run}/systemd/sessions/*.ref rw,
  owner @{run}/sshd{,.init}.pid wl,

  @{sys}/fs/cgroup/*/user/*/@{int}/ rw,
--- a/apparmor.d/groups/systemd/systemd-inhibit
+++ b/apparmor.d/groups/systemd/systemd-inhibit
@ -20,7 +20,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) {

  @{bin}/cat rix,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  include if exists <local/systemd-inhibit>
 }
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -50,9 +50,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {

  /etc/networkd-dispatcher/carrier.d/{,*} r,

-  / r,
+  @{att}/ r,

-  owner /var/lib/systemd/network/ r,
+  owner @{att}/var/lib/systemd/network/ r,

        @{run}/systemd/network/ r,
        @{run}/systemd/network/*.network r,
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -71,7 +71,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {

  owner @{user_cache_dirs}/update-manager-core/{,**} rw,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

        @{PROC}/@{pids}/mountinfo r,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -85,9 +85,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {

  /etc/docker/{,**} r,

-  / r,
+  @{att}/ r,

-  owner @{lib}/containerd/** w,
+  owner @{att}/@{lib}/containerd/** rw,
  owner @{lib}/docker/overlay2/*/work/{,**} rw,
  owner /var/lib/containerd/** rw,
  owner /var/lib/docker/{,**} rwk,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -153,11 +153,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{user_vm_dirs}/{,**} rwk,
  @{user_publicshare_dirs}/{,**} rwk,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/libvirt/ rw,
  @{run}/libvirt/** rwk,
  @{run}/libvirtd.pid wk,
  @{run}/lock/LCK.._pts_@{int} rw,
-  @{run}/systemd/inhibit/@{int}.ref rw,
  @{run}/systemd/notify w,
  @{run}/utmp rk,

--- a/apparmor.d/groups/virt/virtinterfaced
+++ b/apparmor.d/groups/virt/virtinterfaced
@ -20,7 +20,7 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
  @{lib}/gconv/gconv-modules rm,
  @{lib}/gconv/gconv-modules.d/{,*} r,

-        @{run}/systemd/inhibit/@{int}.ref rw,
+        @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
  owner @{run}/user/@{uid}/libvirt/interface/ rw,
  owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk,
--- a/apparmor.d/groups/virt/virtlogd
+++ b/apparmor.d/groups/virt/virtlogd
@ -28,9 +28,10 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk,
  owner @{run}/user/@{uid}/libvirt/virtlogd* w,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/libvirt/common/system.token rwk,
  @{run}/libvirt/virtlogd-sock rw,
-  @{run}/systemd/inhibit/@{int}.ref rw,
  @{run}/virtlogd.pid rwk,

  @{sys}/devices/system/node/ r,
--- a/apparmor.d/groups/virt/virtnetworkd
+++ b/apparmor.d/groups/virt/virtnetworkd
@ -24,8 +24,9 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) {

  owner /var/lib/libvirt/dnsmasq/*.macs* rw,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
        @{run}/libvirt/network/default.pid r,
-        @{run}/systemd/inhibit/@{int}.ref rw,
        @{run}/utmp rk,
  owner @{run}/libvirt/common/system.token rwk,
  owner @{run}/libvirt/network/{,**} rwk,
--- a/apparmor.d/groups/virt/virtnodedevd
+++ b/apparmor.d/groups/virt/virtnodedevd
@ -32,7 +32,8 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
  /etc/libvirt/*.conf r,
  /etc/mdevctl.d/{,**} r,

-        @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  owner @{run}/libvirt/common/system.token rwk,
  owner @{run}/libvirt/nodedev/ rw,
  owner @{run}/libvirt/nodedev/driver.pid wk,
--- a/apparmor.d/groups/virt/virtsecretd
+++ b/apparmor.d/groups/virt/virtsecretd
@ -20,7 +20,8 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/libvirt/secrets/ rw,
  owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk,

-        @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
  owner @{run}/user/@{uid}/libvirt/secrets/ rw,
  owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk,
--- a/apparmor.d/groups/virt/virtstoraged
+++ b/apparmor.d/groups/virt/virtstoraged
@ -54,7 +54,8 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
  owner @{run}/libvirt/storage/{,**} rwk,
  owner @{run}/virtstoraged.pid rwk,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/utmp rwk,

  @{sys}/devices/system/node/ r,
--- a/apparmor.d/groups/xfce/xfce-power-manager
+++ b/apparmor.d/groups/xfce/xfce-power-manager
@ -21,7 +21,7 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/stat r,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  include if exists <local/xfce-power-manager>
 }
--- a/apparmor.d/groups/xfce/xfce-screensaver
+++ b/apparmor.d/groups/xfce/xfce-screensaver
@ -25,7 +25,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) {

  /etc/xdg/menus/xfce4-screensavers.menu r,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  include if exists <local/xfce-screensaver>
 }
--- a/apparmor.d/profiles-a-f/flatpak-portal
+++ b/apparmor.d/profiles-a-f/flatpak-portal
@ -31,8 +31,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {

  /var/lib/flatpak/exports/share/mime/mime.cache r,

-  / r,
-  /.flatpak-info r,
+  owner @{att}/ r,
+  owner @{att}/.flatpak-info r,

  owner @{HOME}/.var/app/*/**/.ref rw,
  owner @{HOME}/.var/app/*/**/logs/* rw,
--- a/apparmor.d/profiles-a-f/foliate
+++ b/apparmor.d/profiles-a-f/foliate
@ -40,7 +40,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
  /usr/share/com.github.johnfactotum.Foliate/{,**} r,

  owner /bindfile@{rand6} rw,
-  owner /.flatpak-info r,
+  owner @{att}/.flatpak-info r,

  owner @{user_books_dirs}/{,**} r,
  owner @{user_torrents_dirs}/{,**} r,
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@ -27,8 +27,9 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {

  /var/lib/fprint/{,**} rw,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/systemd/journal/socket rw,
-  @{run}/systemd/inhibit/@{int}.ref rw,
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511

  @{sys}/class/hidraw/ r,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -94,11 +94,12 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
  @{sys}/power/mem_sleep r,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/motd.d/ r,
  @{run}/motd.d/@{int}-fwupd* rw,
  @{run}/motd.d/fwupd/{,**} rw,
  @{run}/mount/utab r,
-  @{run}/systemd/inhibit/@{int}.ref rw,
  @{run}/udev/data/* r,

  @{PROC}/@{pids}/fd/ r,
--- a/apparmor.d/profiles-g-l/linuxqq
+++ b/apparmor.d/profiles-g-l/linuxqq
@ -35,7 +35,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) {

    /etc/machine-id r,

-    @{run}/systemd/inhibit/@{int}.ref rw,
+    @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
    @{run}/utmp r,

    owner @{PROC}/@{pid}/loginuid r,
--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
@ -25,7 +25,7 @@ profile mission-control @{exec_path} flags=(attach_disconnected)  {
  owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk,
  owner @{user_cache_dirs}/.mc_connections rw,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  include if exists <local/mission-control>
 }
--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@ -23,7 +23,8 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {

  owner @{user_config_dirs}/nvtop/{,**} rw,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/udev/data/+drm:card@{int}-* r,   # for screen outputs
  @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card*
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@ -94,7 +94,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
  owner @{tmp}/packagekit* rw,

-        @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  owner @{run}/systemd/users/@{uid} r,

  #aa:only opensuse
--- a/apparmor.d/profiles-m-r/psi
+++ b/apparmor.d/profiles-m-r/psi
@ -57,7 +57,7 @@ profile psi @{exec_path} {
  owner @{tmp}/etilqs_@{hex16} rw,
  owner @{tmp}/Psi.* rwl -> /tmp/#@{int},

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/profiles-m-r/psi-plus
+++ b/apparmor.d/profiles-m-r/psi-plus
@ -57,7 +57,7 @@ profile psi-plus @{exec_path} {
  owner @{tmp}/etilqs_@{hex16} rw,
  owner @{tmp}/Psi+.* rwl -> /tmp/#@{int},

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@ -40,7 +40,7 @@ profile signal-desktop @{exec_path} {
  audit @{lib_dirs}/chrome-sandbox rPx,
  @{lib_dirs}/chrome_crashpad_handler rix,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

        @{sys}/fs/cgroup/user.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/spice-vdagent
 profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/audio-client>
  include <abstractions/audio-server>
  include <abstractions/bus-accessibility>
@ -46,8 +47,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pids}/task/@{tid}/comm rw,

-  owner /dev/tty@{int} rw,
-
  include if exists <local/spice-vdagent>
 }

--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -174,12 +174,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{tmp}/steam@{rand6}/{,**} rw,
  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,

+  owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw,
  owner /dev/shm/fossilize-*-@{int}-@{int} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
  owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
-  owner /dev/shm/ValveIPCSHM_@{uid} rw,

  owner @{run}/user/@{uid}/ r,

--- a/apparmor.d/profiles-s-z/superproductivity
+++ b/apparmor.d/profiles-s-z/superproductivity
@ -29,7 +29,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) {
  @{bin}/speech-dispatcher rPx,
  @{open_path}             rPx -> child-open-strict,

-  @{run}/systemd/inhibit/@{int}.ref rw,
+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,

  include if exists <local/superproductivity>
 }
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -104,11 +104,12 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  @{MOUNTS}/ rw,
  @{MOUNTS}/*/ rw,

+  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
+
  @{run}/ r,
  @{run}/mount/utab{,.*} rwk,
  @{run}/udisks2/{,**} rw,
  @{run}/systemd/seats/seat@{int} r,
-  @{run}/systemd/inhibit/@{int}.ref rw,
  @{run}/cryptsetup/ r,
  @{run}/cryptsetup/L* rwk,

--- a/apparmor.d/profiles-s-z/uname
+++ b/apparmor.d/profiles-s-z/uname
@ -14,7 +14,7 @@ profile uname @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

-  /dev/tty@{int} rw,
+  @{att}/dev/tty@{int} rw,

  deny network,
  deny owner @{user_share_dirs}/gvfs-metadata/* r,
--- a/apparmor.d/profiles-s-z/wechat-universal
+++ b/apparmor.d/profiles-s-z/wechat-universal
@ -46,7 +46,7 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) {
    owner @{HOME}/.xwechat/{,**} rwk,
    owner @{HOME}/.sys1og.conf rw,

-    @{run}/systemd/inhibit/@{int}.ref rw,
+    @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
    @{run}/utmp r,

    @{PROC}/@{pid}/net/route r,
--- a/apparmor.d/profiles-s-z/xbrlapi
+++ b/apparmor.d/profiles-s-z/xbrlapi
@ -9,14 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/xbrlapi
 profile xbrlapi @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>

  network inet stream,
  network inet6 stream,

  @{exec_path} mr,

-  /dev/tty@{int} rw,
-
  include if exists <local/xbrlapi>
 }

--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@ -151,7 +151,6 @@
@{dynamic}=23[4-9] 24[0-9] 25[0-4]                       # range 234 to 254
@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1]  # range 384 to 511

-#aa:only abi3
 # Attachment path for attach_disconnected.path flag.
 # Automatically generated and set in profile preamble on ABI4. Disabled on ABI3.
@{att}=/