feat(profile): general update.

2025-01-31 07:17:22 +01:00 · 2024-04-28 13:50:48 +01:00 · 2024-04-28 13:50:48 +01:00 · 65d0cfafe4
commit 65d0cfafe4
parent e44b0613c7
54 changed files with 169 additions and 107 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -113,6 +113,7 @@
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

+  / r,
  owner @{HOME}/ r,

  owner @{HOME}/.pki/ rw,
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@ -22,4 +22,9 @@
       member={MakeThreadRealtime,MakeThreadHighPriority}
       peer=(name=org.freedesktop.RealtimeKit1),

+  dbus send bus=system path=/org/freedesktop/RealtimeKit1
+       interface=org.freedesktop.RealtimeKit1
+       member=MakeThreadRealtimeWithPID
+       peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
+
  include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -18,6 +18,7 @@
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/disks-read>
+  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -10,22 +10,20 @@ include <tunables/global>
 profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/ibus>

  signal (receive) set=term peer=ibus-daemon,

  unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-????????", label=ibus-daemon),

-  dbus receive bus=session path=/
+  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),

  @{exec_path} mr,

-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
-
  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@ -12,6 +12,7 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-write>
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@ -16,6 +16,11 @@ profile ibus-memconf @{exec_path} {

  signal (receive) set=(term) peer=ibus-daemon,

+    dbus receive bus=session
+         interface=org.freedesktop.DBus.Introspectable
+         member=Introspect 
+         peer=(name=:*, label=gnome-shell),
+
  @{exec_path} mr,

  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
--- a/apparmor.d/groups/freedesktop/update-mime-database
+++ b/apparmor.d/groups/freedesktop/update-mime-database
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/update-mime-database
-profile update-mime-database @{exec_path} {
+profile update-mime-database @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
@ -17,9 +17,13 @@ profile update-mime-database @{exec_path} {

  @{exec_path} mr,

-  /usr/share/mime/{,**} rw,
+  @{system_share_dirs}/mime/{,**} rw,

-  /dev/tty@{int} rw,
+  /var/lib/flatpak/app/**.xml r,
+
+  owner @{user_share_dirs}/mime/{,**} rw,
+
+        /dev/tty@{int} rw,
  owner /dev/pts/@{int} rw,

  # Inherit silencer
--- a/apparmor.d/groups/freedesktop/xdg-permission-store
+++ b/apparmor.d/groups/freedesktop/xdg-permission-store
@ -31,6 +31,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/flatpak/db/ rw,
  owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/flatpak/db/background rw,
+  owner @{user_share_dirs}/flatpak/db/devices r,
  owner @{user_share_dirs}/flatpak/db/notifications rw,

  /dev/tty@{int} rw,
--- a/apparmor.d/groups/gnome/deja-dup-monitor
+++ b/apparmor.d/groups/gnome/deja-dup-monitor
@ -20,7 +20,7 @@ profile deja-dup-monitor @{exec_path} {
  network netlink raw,

  #aa:dbus own bus=session name=org.gnome.DejaDup.Monitor
-  #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup interface=org.gtk.Actions
+  #aa:dbus talk bus=session name=org.gnome.DejaDup label=deja-dup

  dbus send bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -12,7 +12,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  include <abstractions/authentication>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/nameservice-strict>

  capability audit_write,
@ -46,16 +45,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {

  unix (bind) type=stream addr=@@{hex}/bus/gdm-session-wor/system,

+  #aa:dbus talk bus=system name=org.freedesktop.Accounts.User label=accounts-daemon
+
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member={*Session,CreateSessionWithPIDFD}
       peer=(name=org.freedesktop.login1, label=systemd-logind),

-  dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
-       interface=org.freedesktop.Accounts.User
-       member=SetLanguage
-       peer=(name=:*, label=accounts-daemon),
-
  @{exec_path} mrix,

  @{bin}/gnome-keyring-daemon             rPx,
@ -99,6 +95,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/keyring/control rw,

        @{run}/gdm{3,}/custom.conf r,
+        @{run}/gdm{3,}/dbus/dbus-@{rand8} r,
  owner @{run}/gdm{3,}/dbus/ w,
  owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,

--- a/apparmor.d/groups/gnome/gnome-clocks
+++ b/apparmor.d/groups/gnome/gnome-clocks
@ -10,7 +10,13 @@ include <tunables/global>
 profile gnome-clocks @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.a11y>
  include <abstractions/common/gnome>
+  include <abstractions/nameservice-strict>
+
+  #aa:dbus own bus=session name=org.gnome.clocks

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -14,12 +14,15 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
+  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-write>

  network inet dgram,
@ -33,10 +36,19 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {

  unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),

-  dbus bus=accessibility,
  dbus bus=session,
  dbus bus=system,

+  #aa:dbus own bus=session name=org.gnome.Settings
+
+  #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
+  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
+  #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
+
+  #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
+  #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
+  #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd
+
  @{exec_path} mr,

  @{bin}/@{shells}     rUx,
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@ -21,9 +21,6 @@ profile gnome-control-center-print-renderer @{exec_path} {

  /usr/share/pixmaps/{,**} r,

-  /var/lib/flatpak/exports/share/icons/{,**} r,
-  /var/lib/flatpak/exports/share/mime/mime.cache r,
-
  owner @{PROC}/@{pid}/cmdline r,

  include if exists <local/gnome-control-center-print-renderer>
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@ -10,6 +10,7 @@ include <tunables/global>
 profile gnome-disk-image-mounter @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
+  include <abstractions/deny-sensitive-home>
  include <abstractions/gnome-strict>

  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -50,10 +50,15 @@ profile gnome-initial-setup @{exec_path} {
  /etc/security/pwquality.conf.d/{,**} r,
  /etc/timezone r,

+  /etc/gdm{,3}/custom.conf r,
+
+  /var/log/installer/telemetry r, #aa:only ubuntu
+
  owner @{GDM_HOME}/greeter-dconf-defaults r,

-  owner @{user_cache_dirs}/ubuntu-report/ w,
-  owner @{user_cache_dirs}/ubuntu-report/pending w,
+  #aa:only ubuntu
+  owner @{user_cache_dirs}/ubuntu-report/ rw,
+  owner @{user_cache_dirs}/ubuntu-report/* rw,

  owner @{user_config_dirs}/gnome-initial-setup-done w,
  owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6} rw,
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@ -10,6 +10,7 @@ include <tunables/global>
 profile gnome-remote-desktop-daemon @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
+  include <abstractions/bus-system>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -111,6 +111,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 
  profile open {
    include <abstractions/base>
+    include <abstractions/app-launcher-user>

    @{lib}/gio-launch-desktop                               mr,
    @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop      mr,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -89,6 +89,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  # Talk with gnome-shell

  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
+  #aa:dbus talk bus=system name=org.freedesktop.login1.Manager label=systemd-logind
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm

  #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
@ -111,23 +112,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
       member={RegisterWithCapabilities,Unregister}
       peer=(name=:*, label=NetworkManager),

-  dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name=:*, label=systemd-logind),
-  dbus send bus=system path=/org/freedesktop/login1/seat/seat@{int}
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=systemd-logind),
-  dbus send bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.login1.Manager
-       member=Can*
-       peer=(name=:*, label=systemd-logind),
-  dbus send bus=system path=/org/freedesktop/login1/user/*
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*, label=systemd-logind),
-
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetNameOwner,ListNames}
@ -333,16 +317,23 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
  @{sys}/class/power_supply/ r,
+  @{sys}/devices/@{pci}/boot_vga r,
+  @{sys}/devices/@{pci}/input@{int}/{properties,name} r,
+  @{sys}/devices/@{pci}/net/*/statistics/collisions r,
+  @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
+  @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
+  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r,
+  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r,
+  @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r,
  @{sys}/devices/**/hwmon@{int}/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon@{int}/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/power_supply/{,**} r,
-  @{sys}/devices/@{pci}/boot_vga r,
-  @{sys}/devices/@{pci}/input@{int}/{properties,name} r,
-  @{sys}/devices/@{pci}/net/*/statistics/{rx_bytes,tx_bytes} r,
  @{sys}/devices/platform/**/input@{int}/{properties,name} r,
-  @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
+  @{sys}/devices/virtual/net/*/statistics/collisions r,
+  @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
+  @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,

  @{sys}/fs/cgroup/user.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@ -360,6 +351,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
+        @{PROC}/vmstat r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -93,6 +93,7 @@ profile gnome-software @{exec_path} {
  owner @{run}/user/@{uid}/.dbus-proxy/ rw,
  owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw,
+  owner @{run}/user/@{uid}/.dbus-proxy/system-bus-proxy-@{rand6} rw,
  owner @{run}/user/@{uid}/.flatpak-cache rw,
  owner @{run}/user/@{uid}/.flatpak/{,**} rwl,
  owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -25,7 +25,7 @@ profile gnome-terminal-server @{exec_path} {
  ptrace (read) peer=htop,
  ptrace (read) peer=unconfined,

-  #aa:dbus own bus=session name=org.gnome.Terminal interface=org.gtk.Actions
+  #aa:dbus own bus=session name=org.gnome.Terminal

  dbus receive bus=session path=/org/gnome/Terminal/SearchProvider
       interface=org.gnome.Shell.SearchProvider2
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@ -12,6 +12,7 @@ profile goa-daemon @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@ -28,6 +28,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {

  / r,

+  @{run}/mount/utab r,
+
  @{sys}/fs/cgroup/user.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
@ -35,6 +37,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {

  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/mountinfo r,

  deny @{user_share_dirs}/gvfs-metadata/* r,

--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -28,7 +28,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {

  # mqueue r type=posix /,

-  #aa:dbus own bus=session name=org.gnome.Nautilus
+  #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions}
  #aa:dbus own bus=session name=org.freedesktop.FileManager1

  #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -47,7 +47,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
  /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
+  /usr/share/hwdata/*.ids r,
  /usr/share/ladspa/rdf/{,**} r,
+  /usr/share/osinfo/{,**} r,
  /usr/share/poppler/{,**} r,
  /usr/share/tracker3-miners/{,**} r,
  /usr/share/tracker3/{,**} r,
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@ -20,7 +20,7 @@ profile scdaemon @{exec_path} {
  @{exec_path} mr,

  owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r,
-  owner @{HOME}/@{XDG_GPG_DIR}/reader_0.status rw,
+  owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw,

  owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
  owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw,
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@ -11,9 +11,10 @@ include <tunables/global>
 profile gvfsd-dav @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
+  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
-  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
+  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/user-read-strict>

@ -25,9 +26,6 @@ profile gvfsd-dav @{exec_path} {

  @{exec_path} mr,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/mime/mime.cache r,
-
  owner @{run}/user/@{uid}/gvfsd/ rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@ -11,6 +11,7 @@ include <tunables/global>
 profile gvfsd-mtp @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
+  include <abstractions/deny-sensitive-home>
  include <abstractions/devices-usb>
  include <abstractions/freedesktop.org>
  include <abstractions/private-files-strict>
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@ -31,16 +31,12 @@ profile gvfsd-recent @{exec_path} {

  @{exec_path} mr,

-  /usr/share/mime/mime.cache r,
-
  # Full access to user's data
  owner @{HOME}/{,**} rw,
  owner @{MOUNTS}/{,**} rw,

  owner @{HOME}/.zshenv r,
-  owner @{user_config_dirs}/user-dirs.dirs r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-  owner @{user_share_dirs}/recently-used.xbel r,

  owner @{run}/user/@{uid}/gvfsd/ rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -16,7 +16,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.ModemManager1>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
-  include <abstractions/bus/org.freedesktop.resolve1>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

@ -44,6 +43,9 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {

  #aa:dbus own bus=system name=org.freedesktop.NetworkManager

+  #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher
+  #aa:dbus talk bus=system name=org.freedesktop.resolve1.Manager label=systemd-resolved
+
  dbus receive bus=system path=/org/freedesktop
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
@ -69,16 +71,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
       member=InterfacesAdded
       peer=(name=org.freedesktop.DBus, label=nm-online),

-  dbus send bus=system path=/org/freedesktop/nm_dispatcher
-       interface=org.freedesktop.nm_dispatcher
-       member=Action
-       peer=(name=org.freedesktop.nm_dispatcher),
-
-  dbus send bus=system path=/org/freedesktop/resolve1
-       interface=org.freedesktop.resolve1.Manager
-       member={SetLink*,ResolveHostname}
-       peer=(name=org.freedesktop.resolve1, label=systemd-resolved),
-
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -9,11 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/busctl
 profile busctl @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
+  include <abstractions/common/systemd>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
-  include <abstractions/common/systemd>

  capability net_admin,
  capability sys_ptrace,
@ -24,6 +26,7 @@ profile busctl @{exec_path} {

  signal (send) set=(cont) peer=child-pager,

+  dbus eavesdrop bus=accessibility,
  dbus eavesdrop bus=session,
  dbus eavesdrop bus=system,

--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@ -38,6 +38,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
        /{run,var}/log/journal/ r,
        /{run,var}/log/journal/@{hex32}/ r,
        /{run,var}/log/journal/@{hex32}/system.journal* r,
+        /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* rw,
        /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex}-@{hex}.journal* rw,
        /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw,
        /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* rw,
--- a/apparmor.d/groups/systemd/zramctl
+++ b/apparmor.d/groups/systemd/zramctl
@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/zramctl
+profile zramctl @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  @{sys}/devices/virtual/block/zram@{int}/ r,
+  @{sys}/devices/virtual/block/zram@{int}/disksize r,
+
+  /dev/ r,
+  /dev/zram@{int} rw,
+
+  include if exists <local/zramctl>
+}
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@ -13,6 +13,7 @@ profile check-new-release-gtk @{exec_path} {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@ -12,6 +12,7 @@ profile livepatch-notification @{exec_path} {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/gtk>
  include <abstractions/wayland>
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@ -12,6 +12,7 @@ profile ubuntu-advantage-notification @{exec_path} {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/gtk>
  include <abstractions/wayland>
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -9,13 +9,14 @@ include <tunables/global>
@{exec_path} = @{bin}/update-notifier
 profile update-notifier @{exec_path} {
  include <abstractions/base>
-  include <abstractions/common/apt>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/bus/org.kde.StatusNotifierWatcher>
+  include <abstractions/common/apt>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
@ -32,7 +33,7 @@ profile update-notifier @{exec_path} {

  dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch{,/Menu}
       interface=org.freedesktop.DBus.Properties
-       member=GetAll
+       member=={Get,GetAll}
       peer=(name=:*, label=gnome-shell),
  dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch/Menu
       interface=com.canonical.dbusmenu
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@ -31,6 +31,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
  @{etc_ro}/security/limits.d/{,*.conf} r,
  /etc/cockpit/disallowed-users r,
  /etc/group r,
+  /etc/machine-id r,
  /etc/motd r,
  /etc/motd.d/ r,
  /etc/shells r,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -66,10 +66,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  mount options=(rw, move) @{run}/libvirt/qemu/*.dev/ -> /dev/,
  mount options=(rw, move) @{run}/libvirt/qemu/*{,/} -> /dev/**,

-  ptrace (read,trace) peer=unconfined,
  ptrace (read,trace) peer=@{profile_name},
  ptrace (read,trace) peer=dnsmasq,
  ptrace (read,trace) peer=libvirt-@{uuid},
+  ptrace (read,trace) peer=libvirt-dbus,
+  ptrace (read,trace) peer=unconfined,
  ptrace (read,trace) peer=virt-manager,

  signal (read,send) peer=libvirt-@{uuid},
--- a/apparmor.d/groups/virt/virtnodedevd
+++ b/apparmor.d/groups/virt/virtnodedevd
@ -61,9 +61,11 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c13:@{int} r,          # For /dev/input/*
  @{run}/udev/data/c21:@{int} r,          # Generic SCSI access
  @{run}/udev/data/c29:@{int} r,          # For /dev/fb[0-9]*
+  @{run}/udev/data/c81:@{int}  r,         # For video4linux
  @{run}/udev/data/c90:@{int} r,          # For RAM, ROM, Flash
  @{run}/udev/data/c116:@{int} r,         # For ALSA
  @{run}/udev/data/c202:@{int} r,         # CPU model-specific registers
+  @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card[0-9]*
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
  @{run}/udev/data/n@{int} r,
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@ -70,6 +70,7 @@ profile borg @{exec_path} {
  owner /tmp/tmp*/ rw,
  owner /tmp/tmp*/file rw,
  owner /tmp/tmp*/idx rw,
+  owner /var/lib/libuuid/clock.txt w,
  owner /var/tmp/* rw,
  owner /var/tmp/tmp*/ rw,
  owner /var/tmp/tmp*/file rw,
@ -97,10 +98,14 @@ profile borg @{exec_path} {

  profile fusermount {
    include <abstractions/base>
+    include <abstractions/consoles>
    include <abstractions/nameservice-strict>

    capability sys_admin,

+    mount fstype=fuse borgfs -> @{MOUNTS}/,
+    mount fstype=fuse borgfs -> @{MOUNTS}/*/,
+
    umount @{MOUNTS}/,
    umount @{MOUNTS}/*/,

--- a/apparmor.d/profiles-a-f/fail2ban-server
+++ b/apparmor.d/profiles-a-f/fail2ban-server
@ -31,6 +31,7 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) {
  /var/lib/fail2ban/fail2ban.sqlite3 rwk,
  /var/log/auth.log r,
  /var/log/fail2ban.log w,
+  /var/log/journal/@{hex32}/system.journal r,

  @{run}/fail2ban/fail2ban.pid rw,
  @{run}/fail2ban/fail2ban.sock rw,
--- a/apparmor.d/profiles-a-f/firewalld
+++ b/apparmor.d/profiles-a-f/firewalld
@ -59,8 +59,7 @@ profile firewalld @{exec_path} {
  /usr/share/libalternatives/ebtables*/{,*} r,
  /usr/share/libalternatives/ip{,4,6}tables*/{,*} r,

-  /etc/firewalld/{,**} r,
-  /etc/firewalld/zones/{,**} rw,
+  /etc/firewalld/{,**} rw,
  /etc/iproute2/group r,
  /etc/iproute2/rt_realms r,

--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -62,6 +62,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  /etc/pki/fwupd/{,**} r,

  /var/cache/fwupd/{,**} rw,
+  /var/lib/flatpak/exports/share/mime/mime.cache r,
  /var/lib/fwupd/{,**} rw,
  /var/lib/fwupd/pending.db rwk,
  /var/tmp/etilqs_@{hex} rw,
--- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
@ -11,6 +11,8 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

+  capability dac_read_search,
+
  network inet stream,
  network inet6 stream,

--- a/apparmor.d/profiles-g-l/hostapd
+++ b/apparmor.d/profiles-g-l/hostapd
@ -5,7 +5,7 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{,usr/}{,s}bin/hostapd
+@{exec_path} = @{bin}/hostapd
 profile hostapd @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/profiles-g-l/kanyremote
+++ b/apparmor.d/profiles-g-l/kanyremote
@ -11,19 +11,14 @@ include <tunables/global>
 profile kanyremote @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/X>
-  include <abstractions/nameservice-strict>
-  include <abstractions/gtk>
-  include <abstractions/freedesktop.org>
-  include <abstractions/fonts>
+  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/user-download-strict>
+  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
  include <abstractions/python>
-  include <abstractions/dri-enumerate>
-  include <abstractions/mesa>
-  include <abstractions/qt5>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-settings-write>
+  include <abstractions/user-download-strict>

  network inet stream,
  network inet6 stream,
@ -52,33 +47,26 @@ profile kanyremote @{exec_path} {
  @{bin}/pactl      rPUx,

  # Players
-  @{bin}/smplayer   rPUx,
  @{bin}/amarok     rPUx,
-  @{bin}/vlc        rPUx,
  @{bin}/mpv        rPUx,
+  @{bin}/smplayer   rPUx,
  @{bin}/strawberry rPUx,
-
-  owner @{HOME}/ r,
-  owner @{HOME}/.anyRemote/{,*} rw,
+  @{bin}/vlc        rPUx,

  /usr/share/anyremote/{,**} r,

-  deny owner @{PROC}/@{pid}/cmdline r,
-  deny       @{PROC}/sys/kernel/random/boot_id r,
-
-  /dev/shm/#@{int} rw,
-
-  /usr/share/hwdata/pnp.ids r,
-
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

-  # Doc dirs
-  deny /usr/local/share/ r,
-  deny /usr/share/ r,
-  deny /usr/share/doc/ r,
-       /usr/share/doc/anyremote{,-data}/ r,
+  owner @{HOME}/ r,
+  owner @{HOME}/.anyRemote/{,**} rw,

+  owner @{user_config_dirs}/anyRemote/{,**} rw,
+
+  owner /dev/shm/#@{int} rw,
+
+        @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/cmdline r,

  profile killall {
    include <abstractions/base>
@ -97,6 +85,7 @@ profile kanyremote @{exec_path} {
         @{PROC}/ r,
         @{PROC}/@{pids}/stat r,

+    include if exists <local/kanyremote_killall>
  }

  profile pgrep {
--- a/apparmor.d/profiles-g-l/losetup
+++ b/apparmor.d/profiles-g-l/losetup
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/losetup
 profile losetup @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  capability dac_override,
  capability dac_read_search,
--- a/apparmor.d/profiles-m-r/mdevctl
+++ b/apparmor.d/profiles-m-r/mdevctl
@ -14,11 +14,11 @@ profile mdevctl @{exec_path} {

  /etc/mdevctl.d/{,**} r,

-  @{PROC}/@{pids}/maps r,
-
  @{sys}/bus/mdev/devices/ r,
  @{sys}/class/mdev_bus/ r,
  @{sys}/devices/@{pci}/mdev_supported_types/{,**} r,

+  @{PROC}/@{pids}/maps r,
+
  include if exists <local/mdevctl>
 }
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -125,6 +125,7 @@ profile pass @{exec_path} {
    owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,

    owner /tmp/.git_vtag_tmp@{rand6} rw,  # For git log --show-signature
+    owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw,

    include if exists <local/pass_git>
  }
--- a/apparmor.d/profiles-m-r/pinentry-gnome3
+++ b/apparmor.d/profiles-m-r/pinentry-gnome3
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/pinentry-gnome3
 profile pinentry-gnome3 @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>

  signal (receive) set=(int) peer=gpg-agent,

--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@ -10,6 +10,7 @@ include <tunables/global>
 profile scrcpy @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
+  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/graphics>
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -83,15 +83,16 @@ profile snap @{exec_path} {
  @{run}/snapd.socket rw,

  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  @{sys}/kernel/security/apparmor/features/ r,
+  @{sys}/kernel/security/apparmor/features/{,**} r,

-  @{PROC}/@{pids}/cgroup r,
-  @{PROC}/@{pids}/mountinfo r,
-  @{PROC}/cgroups r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/random/uuid r,
-  @{PROC}/sys/kernel/seccomp/actions_avail r,
-  @{PROC}/version r,
+        @{PROC}/@{pids}/cgroup r,
+        @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/cgroups r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/random/uuid r,
+        @{PROC}/sys/kernel/seccomp/actions_avail r,
+        @{PROC}/version r,
+  owner @{PROC}/@{pid}/mounts r,

  /dev/tty@{int} rw,
  /dev/ttyS@{int} rw,
--- a/apparmor.d/profiles-s-z/tune2fs
+++ b/apparmor.d/profiles-s-z/tune2fs
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/{tune2fs,e2label}
 profile tune2fs @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>
  include <abstractions/private-files-strict>
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@ -26,7 +26,7 @@ profile vlc @{exec_path} {
  include <abstractions/gstreamer>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
-  include <abstractions/qt5>
+  include <abstractions/qt5-settings-write>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>

@ -71,6 +71,8 @@ profile vlc @{exec_path} {
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

+  @{run}/mount/utab r,
+
        /dev/shm/#@{int} rw,
        /dev/snd/ r,
        /dev/tty r,