feat(profiles): general update.

apparmor.d/groups/apt/dpkg

@@ -26,6 +26,7 @@ profile dpkg @{exec_path} {
   @{bin}/rm          rix,
 
   @{bin}/deb-systemd-helper rix,
+  @{bin}/deb-systemd-invoke rix,
   @{bin}/dpkg-deb    rpx,
   @{bin}/dpkg-query  rpx,
   @{bin}/dpkg-split  rPx,

apparmor.d/groups/apt/unattended-upgrade

@@ -64,17 +64,17 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   @{bin}/touch                    rix,
   @{bin}/uname                    rix,
 
-  @{bin}/dpkg-preconfigure    rPx,
-  @{bin}/on_ac_power          rPx,
-  @{bin}/sendmail             rPUx,
   @{bin}/apt-listchanges          rPx,
   @{bin}/dpkg                     rPx,
+  @{bin}/dpkg-preconfigure        rPx,
   @{bin}/etckeeper                rPx,
   @{bin}/lsb_release              rPx -> lsb_release,
+  @{bin}/on_ac_power              rPx,
+  @{bin}/sendmail                rPUx,
   @{lib}/apt/methods/http{,s}     rPx,
   @{lib}/needrestart/apt-pinvoke  rPx,
   @{lib}/update-notifier/update-motd-updates-available rPx,
-  @{lib}/zsys-system-autosnapshot  rPx,
+  @{lib}/zsys-system-autosnapshot rPx,
 
   /usr/share/distro-info/* r,
 
@@ -85,17 +85,20 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /etc/dpkg/origins/{,debian,ubuntu} r,
   /etc/fwupd/{,**} r,
   /etc/grub.d/* r,
+  /etc/init.d/* r,
   /etc/issue{.net,} r,
   /etc/kernel/*.d/*grub* r,
   /etc/legal r,
   /etc/lsb-release r,
   /etc/machine-id r,
+  /etc/pam.d/* r,
   /etc/pki/fwupd-metadata/{,**} r,
   /etc/pki/fwupd/{,**} r,
   /etc/profile.d/* r,
   /etc/security/capability.conf r,
   /etc/update-manager/{,**} r,
   /etc/update-motd.d/* r,
+  /etc/vmware-tools/* r,
 
   /var/log/unattended-upgrades/{,**} rw,
 
@@ -110,16 +113,16 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /var/log/apt/{term,history}.log w,
   /var/log/apt/eipp.log.xz w,
 
+        @{run}/resolvconf/resolv.conf r,
+        @{run}/systemd/inhibit/[0-9]*.ref rw,
   owner @{run}/unattended-upgrades.lock rwk,
   owner @{run}/unattended-upgrades.pid rw,
   owner @{run}/unattended-upgrades.progress rw,
-        @{run}/systemd/inhibit/[0-9]*.ref rw,
-        @{run}/resolvconf/resolv.conf r,
 
   owner /tmp/apt-dpkg-install-*/{,*} rw,
 
-  owner @{PROC}/@{pids}/fd/ r,
         @{PROC}/@{pids}/mountinfo r,
+  owner @{PROC}/@{pids}/fd/ r,
 
   /dev/ptmx rw,
 

apparmor.d/groups/children/child-systemctl

@@ -53,7 +53,7 @@ profile child-systemctl flags=(attach_disconnected) {
         @{PROC}/cmdline r,
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/sys/kernel/random/boot_id r,
-  owner @{PROC}/@{pid}/comm r,
+        @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/stat r,
 
   /dev/kmsg w,

apparmor.d/groups/freedesktop/xdg-user-dir

@@ -17,6 +17,8 @@ profile xdg-user-dir @{exec_path} {
 
   owner @{user_config_dirs}/user-dirs.dirs r,
 
+  /dev/tty rw,
+
   # Silencer
   deny network inet stream,
   deny network inet6 stream,

apparmor.d/groups/gnome/gnome-calculator-search-provider

@@ -25,13 +25,15 @@ profile gnome-calculator-search-provider @{exec_path} {
   /{usr/,}bin/[a-z0-9]* rPUx,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/X11/xkb/{,**} r,
+  /usr/share/x11/xkb/{,**} r,
   /usr/share/icons/{,**} r,
-  
+  /usr/share/nvidia/nvidia-application-profiles-*-rc r,
+
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
   owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pids}/cmdline r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/comm r,
 
   include if exists <local/gnome-calculator-search-provider>
 }

apparmor.d/groups/gnome/gnome-calendar

@@ -30,5 +30,7 @@ profile gnome-calendar @{exec_path} {
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
+  owner @{PROC}/@{pid}/cmdline r,
+
   include if exists <local/gnome-calendar>
 }

apparmor.d/groups/gnome/gnome-characters

@@ -28,7 +28,10 @@ profile gnome-characters @{exec_path} {
   /usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
   /usr/share/themes/{,**} r,
   /usr/share/X11/xkb/{,**} r,
+  /usr/share/nvidia/nvidia-application-profiles-*-rc r,
 
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/status r,

apparmor.d/groups/gnome/gnome-control-center-search-provider

@@ -23,10 +23,14 @@ profile gnome-control-center-search-provider @{exec_path} {
   @{exec_path} mr,
 
   /usr/share/X11/xkb/{,**} r,
+  /usr/share/nvidia/nvidia-application-profiles-*-rc r,
 
   /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/comm r,
+
   include if exists <local/gnome-control-center-search-provider>
 }

apparmor.d/groups/gvfs/gvfsd-computer

@@ -13,5 +13,7 @@ profile gvfsd-computer @{exec_path} {
 
   @{exec_path} mr,
 
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
+
   include if exists <local/gvfsd-computer>
 }

apparmor.d/groups/network/mullvad-gui

@@ -20,6 +20,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/nvidia>
   include <abstractions/vulkan>
+  include <abstractions/X-strict>
 
   capability sys_chroot,
   capability sys_ptrace,
@@ -44,7 +45,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
 
   /etc/libva.conf r,
   /etc/igfx_user_feature{,_next}.txt w,
-
+  /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
   owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,

apparmor.d/groups/pacman/mkinitcpio

@@ -17,8 +17,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   capability sys_admin,
   capability sys_chroot,
 
-  unix (receive) type=stream,
-
   @{exec_path} rmix,
 
   @{bin}/{,ba}sh             rix,
@@ -116,9 +114,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   # Inherit silencer
   deny @{HOME}/** r,
-  deny network inet6 stream,
-  deny network inet stream,
   deny /apparmor/.null rw,
+  deny network inet stream,
+  deny network inet6 stream,
+  deny unix (receive) type=stream,
 
   include if exists <local/mkinitcpio>
 }

apparmor.d/groups/pacman/pacman

@@ -30,17 +30,12 @@ profile pacman @{exec_path} {
   capability sys_chroot,
   capability sys_resource,
 
-  # network unix stream,
-  # network unix dgram,
-
   network inet stream,
   network inet6 stream,
   network inet dgram,
   network inet6 dgram,
   network netlink raw,
 
-  unix (receive) type=stream,
-
   ptrace (read),
 
   @{exec_path} mrix,
@@ -161,8 +156,9 @@ profile pacman @{exec_path} {
   owner /dev/pts/@{int} rw,
 
   # Silencer, 
-  deny /tmp/ r,
   deny @{HOME}/ r,
+  deny /tmp/ r,
+  deny unix (receive) type=stream,
 
   profile gpg {
     include <abstractions/base>

apparmor.d/groups/pacman/pacman-hook-dkms

@@ -13,8 +13,6 @@ profile pacman-hook-dkms @{exec_path} {
   capability dac_read_search,
   capability mknod,
 
-  unix (receive) type=stream,
-
   @{exec_path} mr,
 
   @{bin}/bash rix,
@@ -30,9 +28,10 @@ profile pacman-hook-dkms @{exec_path} {
   /dev/tty rw,
 
   # Inherit Silencer
-  deny network inet6 stream,
-  deny network inet stream,
   deny /apparmor/.null rw,
+  deny network inet stream,
+  deny network inet6 stream,
+  deny unix (receive) type=stream,
 
   include if exists <local/pacman-hook-dkms>
 }

apparmor.d/groups/pacman/pacman-hook-mkinitcpio

@@ -14,7 +14,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability mknod,
 
-  unix (receive) type=stream,
+  audit deny unix (receive) type=stream,
 
   @{exec_path} mr,
 
@@ -37,11 +37,13 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   /etc/mkinitcpio.d/*.preset{,.pacsave} rw,
 
   / r,
+  /boot/ r,
   /boot/vmlinuz-* rw,
   /boot/initramfs-*.img rw,
   /boot/initramfs-*-fallback.img rw,
 
   /dev/tty rw,
+  owner /dev/pts/@{int} rw,
 
   # # Inherit Silencer
   deny network inet6 stream,

apparmor.d/groups/systemd/journalctl

@@ -47,6 +47,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
   @{run}/host/container-manager r,
   @{run}/systemd/journal/io.systemd.journal rw,
 
+        @{PROC}/sys/fs/nr_open r,
   owner @{PROC}/@{pid}/cgroup r,
 
   deny @{user_share_dirs}/gvfs-metadata/* r,

apparmor.d/profiles-a-f/aa-teardown

@@ -18,6 +18,8 @@ profile aa-teardown @{exec_path} {
   @{bin}/{,ba,da}sh rix,
   @{lib}/apparmor/apparmor.systemd rPx,
 
+  /usr/share/terminfo/x/* r,
+
   /dev/tty rw,
 
   include if exists <local/aa-teardown>

apparmor.d/profiles-a-f/element

@@ -41,6 +41,10 @@ profile element @{exec_path} {
   @{lib}/element/{,**} r,
   @{lib}/element/app.asar.unpacked/node_modules/**.node mr,
 
+  @{bin}/xdg-open                                     rPx -> child-open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
+  @{lib}/gio-launch-desktop                           rPx -> child-open,
+
   /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
   /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
 

apparmor.d/profiles-a-f/findmnt

@@ -15,8 +15,6 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
 
   capability dac_read_search,
 
-  unix (receive) type=stream,
-
   @{exec_path} mr,
 
   /etc/fstab r,
@@ -26,6 +24,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
 
   # File Inherit
   deny /apparmor/.null rw,
+  deny unix (receive) type=stream,
 
   include if exists <local/findmnt>
 }

apparmor.d/profiles-g-l/kmod

@@ -1,14 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = @{bin}/{kmod,lsmod}
+@{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe}
-@{exec_path} += @{bin}/{depmod,insmod,lsmod,rmmod,modinfo,modprobe}
 profile kmod @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -24,8 +23,6 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 
   network inet raw,
 
-  unix (receive) type=stream,
-
   @{exec_path} mrix,
 
   @{bin}/{,ba,da}sh  rix,
@@ -73,8 +70,9 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 
   /dev/tty@{int} rw,
 
-  deny /apparmor/.null rw,
   deny @{user_share_dirs}/gvfs-metadata/* r,
+  deny /apparmor/.null rw,
+  deny unix (receive) type=stream,
 
   include if exists <local/kmod>
 }

apparmor.d/profiles-m-r/needrestart

@@ -45,6 +45,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
 
   /etc/debconf.conf r,
+  /etc/init.d/* r,
   /etc/needrestart/{,**} r,
   /etc/needrestart/*.d/* rix,
   /etc/shadow r,
@@ -57,6 +58,8 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   owner /var/lib/juju/agents/{,**} r,
   owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
 
+  owner @{run}/sshd.pid r,
+
         @{PROC}/ r,
         @{PROC}/@{pids}/cgroup r,
         @{PROC}/@{pids}/cmdline r,

apparmor.d/profiles-s-z/spotify

@@ -82,6 +82,8 @@ profile spotify @{exec_path} {
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
   owner @{PROC}/@{pid}/task/@{tid}/status r,
 
+  owner /dev/shm/pulse-shm-@{int} r,
+
   deny @{user_share_dirs}/gvfs-metadata/* r,
 
   include if exists <local/spotify>

apparmor.d/profiles-s-z/transmission-gtk

@@ -23,6 +23,7 @@ profile transmission-gtk @{exec_path} {
   include <abstractions/trash>
   include <abstractions/user-download-strict>
   include <abstractions/vulkan>
+  include <abstractions/X-strict>
 
   network inet dgram,
   network inet6 dgram,
@@ -49,6 +50,7 @@ profile transmission-gtk @{exec_path} {
   @{run}/mount/utab r,
 
         @{PROC}/@{pid}/net/route r,
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,