feat(profile): start using the exec directive.

apparmor.d/groups/gnome/gnome-session-binary

@@ -139,18 +139,19 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
     @{bin}/xdg-user-dirs-update                            rPx,
     @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher          rPx,
     @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rPx,
-    @{lib}/@{multiarch}/libexec/kdeconnectd               rPUx,
     @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher  rPUx,
     @{lib}/baloo_file                                      rPx,
     @{lib}/caribou/caribou                                rPUx,
     @{lib}/deja-dup/deja-dup-monitor                       rPx,
-    @{lib}/evolution-data-server/{,evolution-data-server/}evolution-alarm-notify rPx,
     @{lib}/gsd-disk-utility-notify                         rPx,
     @{lib}/update-notifier/ubuntu-advantage-notification   rPx,
     @{lib}/xapps/sn-watcher/*                             rPUx,
     @{thunderbird_path}                                    rPx,
     /usr/share/libpam-kwallet-common/pam_kwallet_init     rPUx,
 
+    #aa:exec evolution-alarm-notify
+    #aa:exec PU kdeconnectd
+
     include if exists <usr/gnome-session-binary_open.d>
     include if exists <local/gnome-session-binary_open>
   }

apparmor.d/groups/kde/dolphin

@@ -27,14 +27,8 @@ profile dolphin @{exec_path} {
   @{exec_path} mr,
 
   @{bin}/ldd            rix,
-
-   @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5  rPx,
-   @{lib}/@{multiarch}/{,libexec/}kf6/kioworker  rPx,
-   @{lib}/kf5/kioslave5                          rPx,
-   @{lib}/kf6/kioworker                          rPx,
-
-  # Share functions
-  @{lib}/thunderbird/thunderbird.sh rPx,
+  @{thunderbird_path}   rPx,
+  #aa:exec kioworker
 
   /usr/share/kf5/kmoretools/{,**} r,
   /usr/share/kio/{,**} r,

apparmor.d/groups/kde/kded

@@ -68,9 +68,9 @@ profile kded @{exec_path} {
   @{bin}/xrdb               rPx,
   @{bin}/xsettingsd         rPx,
   @{lib}/drkonqi            rPx,
-  @{lib}/kf{5,6}/kconf_update   rPx,
-  @{lib}/{,@{multiarch}/}libexec/kf{5,6}/kconf_update rPx,
-  @{lib}/{,@{multiarch}/}utempter/utempter  rPx,
+
+  #aa:exec utempter
+  #aa:exec kconf_update
 
   /usr/share/kconf_update/ r,
   /usr/share/kded{5,6}/{,**} r,

apparmor.d/groups/kde/kioworker

@@ -34,7 +34,8 @@ profile kioworker @{exec_path} {
 
   @{lib}/libheif/ r,
   @{lib}/libheif/*.so* rm,
-  @{lib}/kf{5,6}/kio_http_cache_cleaner rPx,
+
+  #aa:exec kio_http_cache_cleaner
 
   /usr/share/kio_desktop/directory.desktop r,
   /usr/share/kservices{5,6}/{,**} r,

apparmor.d/groups/kde/konsole

@@ -26,7 +26,7 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
   @{bin}/@{shells}                      rUx,
   @{browsers_path}                      rPx,
 
-  @{lib}/{,@{multiarch}/}utempter/utempter  rPx,
+  #aa:exec utempter
 
   /usr/share/color-schemes/{,**} r,
   /usr/share/kf6/{,**} r,

apparmor.d/groups/kde/kscreenlocker_greet

@@ -9,7 +9,7 @@ include <tunables/global>
 
 @{exec_path}  = @{lib}/kscreenlocker_greet
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}kscreenlocker_greet
-profile kscreenlocker-greet @{exec_path} {
+profile kscreenlocker_greet @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
@@ -107,5 +107,5 @@ profile kscreenlocker-greet @{exec_path} {
 
   /dev/tty r,
 
-  include if exists <local/kscreenlocker-greet>
+  include if exists <local/kscreenlocker_greet>
 }

apparmor.d/groups/kde/ksmserver

@@ -21,15 +21,12 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{exec_path} mr,
 
-  @{bin}/rm rix,
+  @{bin}/rm            rix,
+  @{thunderbird_path}  rPx,
 
-  @{lib}/@{multiarch}/{,libexec/}DiscoverNotifier  rPx,
-  @{lib}/@{multiarch}/libexec/DiscoverNotifier     rPx,
-  @{lib}/@{multiarch}/libexec/kscreenlocker_greet  rPx,
-  @{lib}/DiscoverNotifier                          rPx,
-  @{lib}/drkonqi                                   rPx,
-  @{lib}/kscreenlocker_greet                       rPx,
-  @{thunderbird_path}                              rPx,
+  #aa:exec DiscoverNotifier
+  #aa:exec drkonqi
+  #aa:exec kscreenlocker_greet
 
   @{user_bin_dirs}/** rPUx,
 

apparmor.d/groups/kde/kwin_wayland

@@ -30,10 +30,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
   @{bin}/kcminit              rPx,
   @{bin}/plasmashell          r,
   @{bin}/Xwayland             rPx,
-  @{lib}/kscreenlocker_greet  rPx,
-  @{lib}/@{multiarch}/libexec/kscreenlocker_greet rPx,
   @{lib}/kwin_killer_helper   rix,
 
+  #aa:exec kscreenlocker_greet
+
   /usr/share/color-schemes/*.colors r,
   /usr/share/desktop-directories/*.directory r,
   /usr/share/kglobalaccel/{,**} r,

apparmor.d/groups/kde/kwin_x11

@@ -25,7 +25,8 @@ profile kwin_x11 @{exec_path} {
 
   @{sh_path}                 rix,
   @{lib}/kwin_killer_helper  rix,
-  @{lib}/drkonqi             rPx,
+
+  #aa:exec drkonqi
 
   /usr/share/kwin/{,**} r,
   /usr/share/plasma/desktoptheme/{,**} r,

apparmor.d/groups/kde/plasma-discover

@@ -35,11 +35,8 @@ profile plasma-discover @{exec_path} {
   @{bin}/gpgconf                    rCx -> gpg,
   @{bin}/gpgsm                      rCx -> gpg,
 
-  @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5  rPx,
-  @{lib}/@{multiarch}/{,libexec/}kf6/kioworker  rPx,
-  @{lib}/kf{5,6}/kio_http_cache_cleaner         rPx,
-  @{lib}/kf5/kioslave5                          rPx,
-  @{lib}/kf6/kioworker                          rPx,
+  #aa:exec kio_http_cache_cleaner
+  #aa:exec kioworker
 
   /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r,
   /usr/share/knsrcfiles/{,*} r,

apparmor.d/groups/kde/plasma_session

@@ -24,15 +24,13 @@ profile plasma_session @{exec_path} {
   @{bin}/plasmashell                                     rPx,
   @{bin}/spice-vdagent                                   rPx,
   @{bin}/xembedsniproxy                                  rPx,
-  @{lib}/baloo_file                                      rPx,
-  @{lib}/DiscoverNotifier                                rPx,
-  @{lib}/geoclue-2.0/demos/agent                         rPx,
-  @{lib}/org_kde_powerdevil                              rPx,
   @{lib}/pam_kwallet_init                                rPx,
-  @{lib}/polkit-kde-authentication-agent-[0-9]           rPx,
 
-  @{lib}/@{multiarch}/{,libexec/}org_kde_powerdevil      rPx,
-  @{lib}/@{multiarch}/{,libexec/}polkit-kde-authentication-agent-[0-9] rPx,
+  #aa:exec baloo
+  #aa:exec DiscoverNotifier
+  #aa:exec geoclue
+  #aa:exec kde-powerdevil
+  #aa:exec polkit-kde-authentication-agent
 
   /usr/share/kservices{5,6}/{,**} r,
   /usr/share/knotifications{5,6}/{,**} r,

apparmor.d/groups/kde/plasmashell

@@ -2,13 +2,6 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-# When we have issues:
-
-#   owner @{user_config_dirs}/#@{int} rw,
-#   owner @{user_config_dirs}/QtProject.conf rwl -> @{user_config_dirs}/#@{int},
-#   owner @{user_config_dirs}/QtProject.conf.@{rand6} rwl -> @{user_config_dirs}/#@{int},
-#   owner @{user_config_dirs}/QtProject.conf.lock rwk,
-
 abi <abi/3.0>,
 
 include <tunables/global>
@@ -61,10 +54,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) {
   @{bin}/xrdb              rPx,
   @{lib}/kf{5,6}/kdesu{,d} rix,
 
-  @{lib}/@{multiarch}/{,libexec/}kf5/kioslave5  rPx,
-  @{lib}/@{multiarch}/{,libexec/}kf6/kioworker  rPx,
-  @{lib}/kf5/kioslave5                          rPx,
-  @{lib}/kf6/kioworker                          rPx,
+  #aa:exec kioworker
 
   /usr/share/akonadi/firstrun/{,*} r,
   /usr/share/akonadi/plugins/serializer/{,*.desktop} r,