feat(profile): use the new audio-client abs in profiles.

apparmor.d/groups/browsers/firefox-kmozillahelper

@@ -9,12 +9,11 @@ include <tunables/global>
 @{exec_path} = @{lib}/mozilla/kmozillahelper
 profile firefox-kmozillahelper @{exec_path} {
   include <abstractions/base>
-  include <abstractions/fonts>
+  include <abstractions/audio-client>
-  include <abstractions/freedesktop.org>
+  include <abstractions/desktop>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/qt5-settings-write>
-  include <abstractions/qt5>
   include <abstractions/recent-documents-write>
   include <abstractions/thumbnails-cache-read>
 
@@ -29,10 +28,7 @@ profile firefox-kmozillahelper @{exec_path} {
   /usr/share/icu/@{int}.@{int}/*.dat r,
   /usr/share/knotifications{5,6}/*.notifyrc r,
   /usr/share/kservices{5,6}/{,**} r,
-  /usr/share/sounds/{,**} r,
 
-  /etc/pulse/client.conf r,
-  /etc/pulse/client.conf.d/{,*} r,
   /etc/xdg/kdeglobals r,
   /etc/xdg/kwinrc r,
   /etc/xdg/menus/ r,
@@ -51,10 +47,8 @@ profile firefox-kmozillahelper @{exec_path} {
   owner @{user_config_dirs}/kmozillahelperrc r,
   owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl,
   owner @{user_config_dirs}/kwinrc r,
-  owner @{user_config_dirs}/pulse/cookie rk,
 
   owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl,
-  owner @{run}/user/@{uid}/pulse/ r,
   owner @{run}/user/@{uid}/xauth_@{rand6} rl,
 
   @{run}/udev/data/+usb:* r,              # For /dev/bus/usb/**

apparmor.d/groups/kde/kalendarac

@@ -9,9 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/kalendarac
 profile kalendarac @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/graphics>
-  include <abstractions/nameservice-strict>
   include <abstractions/kde-strict>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
@@ -20,11 +21,8 @@ profile kalendarac @{exec_path} {
   /usr/share/akonadi/firstrun/{,*} r,
   /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
   /usr/share/knotifications{5,6}/{,**} r,
-  /usr/share/sounds/{,**} r,
 
   /etc/machine-id r,
-  /etc/pulse/client.conf r,
-  /etc/pulse/client.conf.d/{,**} r,
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
@@ -37,9 +35,6 @@ profile kalendarac @{exec_path} {
   owner @{user_config_dirs}/kalendaracrc.@{rand6} rwl,
   owner @{user_config_dirs}/kalendaracrc.lock rwk,
   owner @{user_config_dirs}/kmail2rc r,
-  owner @{user_config_dirs}/pulse/cookie rk,
-
-  owner @{run}/user/@{uid}/pulse/ r,
 
   @{PROC}/sys/kernel/core_pattern r,
 

apparmor.d/groups/kde/plasma-discover

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/plasma-discover
 profile plasma-discover @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/dconf-write>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
@@ -46,7 +47,6 @@ profile plasma-discover @{exec_path} {
   /usr/share/kservices{5,6}/{,*} r,
   /usr/share/kservicetypes5/{,*} r,
   /usr/share/libdiscover/** r,
-  /usr/share/qt/translations/*.qm r,
 
   /etc/appstream.conf r,
   /etc/flatpak/remotes.d/{,**} r,

apparmor.d/groups/ubuntu/apport-gtk

@@ -10,6 +10,7 @@ include <tunables/global>
 profile apport-gtk @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
+  include <abstractions/audio-client>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus/org.a11y>
@@ -54,11 +55,8 @@ profile apport-gtk @{exec_path} {
   @{lib}/@{multiarch}/ld*.so*   rix,
   /usr/share/apport/root_info_wrapper rix,
 
-  /usr/share/alsa/{,**} r,
   /usr/share/apport/{,**} r,
   /usr/share/apport/general-hooks/*.py r,
-  /usr/share/themes/{,**} r,
-  /usr/share/X11/xkb/{,**} r,
 
   /etc/apport/{,**} r,
   /etc/bash_completion.d/apport_completion r,
@@ -67,8 +65,6 @@ profile apport-gtk @{exec_path} {
   /etc/gtk-3.0/settings.ini r,
   /etc/init.d/apport r,
   /etc/logrotate.d/apport r,
-  /etc/pulse/client.conf r,
-  /etc/pulse/client.conf.d/{,**} r,
   /etc/xdg/autostart/*.desktop r,
 
   /var/crash/{,*.@{uid}.crash} rw,
@@ -78,10 +74,7 @@ profile apport-gtk @{exec_path} {
   /var/lib/dpkg/info/*.md5sums r,
   /var/log/installer/media-info r,
 
-  owner @{user_config_dirs}/pulse/cookie rk,
-
    @{run}/snapd.socket rw,
-  owner @{run}/user/.mutter-Xwaylandauth.@{rand6} rw,
 
   /tmp/[a-z0-9]* rw,
   /tmp/apport_core_* rw,

apparmor.d/groups/ubuntu/update-manager

@@ -10,6 +10,7 @@ include <tunables/global>
 profile update-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/apt-common>
+  include <abstractions/audio-client>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
@@ -59,8 +60,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   /usr/share/update-manager/{,**} r,
 
   /etc/gtk-3.0/settings.ini r,
-  /etc/pulse/client.conf r,
-  /etc/pulse/client.conf.d/{,**} r,
   /etc/ubuntu-advantage/uaclient.conf r,
   /etc/update-manager/{,**} r,
 
@@ -74,11 +73,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 
   owner @{user_cache_dirs}/update-manager-core/{,**} rw,
 
-  owner @{user_config_dirs}/pulse/cookie rk,
-
-  owner @{run}/user/@{uid}/pulse/ r,
-  owner @{run}/user/@{uid}/pulse/native rw,
-
   @{run}/systemd/inhibit/*.ref w,
 
         @{PROC}/@{pids}/mountinfo r,
@@ -86,7 +80,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mounts r,
 
   /dev/ptmx rw,
-  /dev/shm/ r,
 
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 

apparmor.d/profiles-a-f/cawbird

@@ -10,16 +10,16 @@ include <tunables/global>
 @{exec_path} = @{bin}/cawbird
 profile cawbird @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/dconf-write>
-  include <abstractions/gtk>
+  include <abstractions/enchant>
-  include <abstractions/fonts>
   include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
   include <abstractions/freedesktop.org>
+  include <abstractions/gstreamer>
+  include <abstractions/gtk>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
-  include <abstractions/enchant>
-  include <abstractions/audio>
-  include <abstractions/gstreamer>
 
   network inet dgram,
   network inet6 dgram,
@@ -47,7 +47,6 @@ profile cawbird @{exec_path} {
 
   owner @{PROC}/@{pid}/fd/ r,
 
-
   profile open {
     include <abstractions/base>
     include <abstractions/xdg-open>

apparmor.d/profiles-a-f/element-desktop

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/element-desktop
 profile element-desktop @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/chromium-common>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
@@ -49,8 +50,6 @@ profile element-desktop @{exec_path} {
 
   owner @{user_config_dirs}/Element/ rw,
   owner @{user_config_dirs}/Element/** rwkl -> @{user_config_dirs}/Element/**,
-  owner @{user_config_dirs}/pulse/client.conf r,
-  owner @{user_config_dirs}/pulse/cookie rk,
 
   @{sys}/devices/system/cpu/kernel_max r,
   @{sys}/devices/virtual/tty/tty@{int}/active r,

apparmor.d/profiles-g-l/kodi

@@ -10,14 +10,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/kodi @{lib}/@{multiarch}/kodi/kodi.bin
 profile kodi @{exec_path} {
   include <abstractions/base>
-  include <abstractions/X>
+  include <abstractions/audio-client>
-  include <abstractions/vulkan>
+  include <abstractions/graphics>
-  include <abstractions/audio>
-  include <abstractions/dri-enumerate>
   include <abstractions/nameservice-strict>
-  include <abstractions/mesa>
   include <abstractions/python>
   include <abstractions/ssl_certs>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
@@ -29,6 +27,7 @@ profile kodi @{exec_path} {
   @{bin}/cat         rix,
   @{bin}/cut         rix,
   @{bin}/date        rix,
+  @{bin}/df          rix,
   @{bin}/dirname     rix,
   @{bin}/find        rix,
   @{bin}/ldconfig    rix,
@@ -36,9 +35,14 @@ profile kodi @{exec_path} {
   @{bin}/uname       rix,
 
   @{bin}/lsb_release rPx -> lsb_release,
-  @{bin}/df          rCx -> df,
 
   /usr/share/kodi/{,**} r,
+  /usr/share/publicsuffix/* r,
+
+  /etc/fstab r,
+  /etc/machine-id r,
+  /etc/timezone r,
+  /var/lib/dbus/machine-id r,
 
   owner @{HOME}/.kodi/ rw,
   owner @{HOME}/.kodi/** rwk,
@@ -46,49 +50,20 @@ profile kodi @{exec_path} {
   owner @{HOME}/core w,
   owner @{HOME}/kodi_crashlog-@{int}_@{int}.log w,
 
-  owner @{HOME}/.icons/default/index.theme r,
+  @{run}/udev/data/* r,
-
-  /usr/share/publicsuffix/* r,
-
-  /usr/share/icons/*/index.theme r,
-  /etc/mime.types r,
-
-  /etc/timezone r,
-  /etc/fstab r,
-
-  owner @{PROC}/@{pid}/mounts r,
-        @{PROC}/@{pid}/net/dev r,
-        @{PROC}/sys/kernel/core_pattern r,
-        @{PROC}/@{pid}/net/route r,
 
   @{sys}/**/ r,
-  @{sys}/devices/**/uevent r,
   @{sys}/devices/@{pci}/usb@{int}/{bDeviceClass,idProduct,idVendor} r,
   @{sys}/devices/@{pci}/usb@{int}/**/{bDeviceClass,idProduct,idVendor} r,
-  @{sys}/devices/system/node/ r,
+  @{sys}/devices/**/uevent r,
-  @{sys}/devices/system/node/node@{int}/meminfo r,
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
   @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
 
-  @{run}/udev/data/* r,
+        @{PROC}/@{pid}/net/dev r,
-
+        @{PROC}/@{pid}/net/route r,
-  /var/lib/dbus/machine-id r,
+        @{PROC}/sys/kernel/core_pattern r,
-  /etc/machine-id r,
+  owner @{PROC}/@{pid}/mounts r,
-
-  profile df {
-    include <abstractions/base>
-
-    @{bin}/df mr,
-
   owner @{PROC}/@{pid}/mountinfo r,
 
-    # file_inherit
-    /usr/share/kodi/** r,
-    /sys/devices/virtual/thermal/thermal_zone@{int}/temp r,
-    /sys/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
-    /home/morfik/.kodi/temp/kodi.log w,
-
-  }
-
   include if exists <local/kodi>
 }

apparmor.d/profiles-m-r/mono-sgen

@@ -9,14 +9,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/mono-sgen
 profile mono-sgen @{exec_path} {
   include <abstractions/base>
-  include <abstractions/audio>
+  include <abstractions/audio-client>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
   include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
-  include <abstractions/vulkan>
+  include <abstractions/wayland>
 
   network inet dgram,
   network inet6 dgram,
@@ -37,18 +35,11 @@ profile mono-sgen @{exec_path} {
 
   owner @{user_config_dirs}/openra/{,**} rw,
   owner @{user_config_dirs}/.mono/{,**} r,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
 
   owner /tmp/*.* rw,
   owner /tmp/CASESENSITIVETEST* rw,
   owner /dev/shm/mono.* rw,
 
-  @{sys}/devices/@{pci}/uevent r,
-  @{sys}/devices/@{pci}/vendor r,
-  @{sys}/devices/@{pci}/device r,
-  @{sys}/devices/@{pci}/subsystem_vendor r,
-  @{sys}/devices/@{pci}/subsystem_device r,
-
   owner @{PROC}/@{pid}/fd/ r,
 
   include if exists <local/mono-sgen>

apparmor.d/profiles-m-r/pavucontrol

@@ -10,28 +10,23 @@ include <tunables/global>
 @{exec_path} = @{bin}/pavucontrol
 profile pavucontrol @{exec_path} {
   include <abstractions/base>
-  include <abstractions/gtk>
+  include <abstractions/audio-client>
-  include <abstractions/fonts>
   include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
   include <abstractions/freedesktop.org>
-  include <abstractions/audio>
+  include <abstractions/gtk>
 
   @{exec_path} mr,
 
-  # Pavucontrol files
+  /usr/share/pavucontrol/** r,
-  /usr/share/pavucontrol/pavucontrol.glade r,
-
-  # Pavucontrol config files
-  owner @{user_config_dirs}/ r,
-  owner @{user_config_dirs}/pavucontrol.ini* rw,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
-  owner @{PROC}/@{pid}/cmdline r,
+  owner @{user_config_dirs}/ r,
+  owner @{user_config_dirs}/pavucontrol.ini* rw,
 
-  # Missing icons
+  owner @{PROC}/@{pid}/cmdline r,
-  /usr/share/**/icons/**/*.png r,
 
   # file_inherit
   owner /dev/tty@{int} rw,

apparmor.d/profiles-m-r/qtox

@@ -10,18 +10,14 @@ include <tunables/global>
 @{exec_path} = @{bin}/qtox
 profile qtox @{exec_path} {
   include <abstractions/base>
-  include <abstractions/X>
+  include <abstractions/audio-client>
-  include <abstractions/gtk>
+  include <abstractions/desktop>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
   include <abstractions/enchant>
-  include <abstractions/user-download-strict>
+  include <abstractions/fontconfig-cache-read>
-  include <abstractions/qt5-settings-write>
+  include <abstractions/graphics>
-  include <abstractions/mesa>
-  include <abstractions/dri-enumerate>
   include <abstractions/nameservice-strict>
-  include <abstractions/audio>
+  include <abstractions/qt5-settings-write>
+  include <abstractions/user-download-strict>
 
   network inet dgram,
   network inet6 dgram,
@@ -31,7 +27,12 @@ profile qtox @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/xdg-open    rCx -> open,
+  @{open_path}  rPx -> child-open,
+
+  /usr/share/qt5ct/** r,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
 
   # For importing old profile
   owner @{HOME}/**.tox r,
@@ -51,50 +52,14 @@ profile qtox @{exec_path} {
 
   # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
   owner @{user_config_dirs}/qt5ct/{,**} r,
-  /usr/share/qt5ct/** r,
 
   owner @{PROC}/@{pid}/cmdline r,
         @{PROC}/sys/kernel/core_pattern r,  # for KCrash::initialize()
 
-  /usr/share/hwdata/pnp.ids r,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
   owner /tmp/qipc_{systemsem,sharedmemory}_*@{hex} rw,
 
-  @{sys}/devices/system/node/ r,                   # for ld-linux-x86-64.so -> libnuma1.so
-  @{sys}/devices/system/node/node@{int}/meminfo r, # for ld-linux-x86-64.so -> libnuma1.so
-
   /dev/ r,
   /dev/video@{int} rw,
 
-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPUx,
-    @{bin}/viewnior        rPUx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-    owner @{user_cache_dirs}/qTox/qtox.log w,
-    deny /dev/video@{int} rw,
-
-  }
-
   include if exists <local/qtox>
 }