feat(profile): general update.

apparmor.d/groups/apt/dpkg-preconfigure

@@ -21,6 +21,8 @@ profile dpkg-preconfigure @{exec_path} {
 
   @{sh_path}        rix,
   @{bin}/{,e}grep   rix,
+  @{bin}/{,g,m}awk  rix,
+  @{bin}/cat        rix,
   @{bin}/dialog     rix,
   @{bin}/locale     rix,
   @{bin}/sed        rix,

apparmor.d/groups/apt/unattended-upgrade

@@ -33,6 +33,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 
   signal (send) peer=apt-methods-http,
 
+  unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
+
   @{exec_path} mr,
 
   @{bin}/ r,
@@ -106,6 +108,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/apt-dpkg-install-*/{,*} rw,
 
         @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/@{pids}/stat r,
   owner @{PROC}/@{pids}/fd/ r,
 
   /dev/ptmx rw,

apparmor.d/groups/bus/dbus-session

@@ -38,7 +38,7 @@ profile dbus-session flags=(attach_disconnected) {
 
   @{bin}/**                   PUx,
   @{lib}/**                   PUx,
-  /usr/share/**               PUx,
+  /usr/share/*/**             PUx,
 
   /etc/dbus-1/{,**} r,
   /usr/share/dbus-1/{,**} r,

apparmor.d/groups/bus/dbus-system

@@ -36,9 +36,9 @@ profile dbus-system flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  @{bin}/**                         PUx,
-  @{lib}/**                         PUx,
-  /usr/share/*/**                   PUx,
+  @{bin}/**                   PUx,
+  @{lib}/**                   PUx,
+  /usr/share/*/**             PUx,
 
   /etc/dbus-1/{,**} r,
   /usr/share/dbus-1/{,**} r,

apparmor.d/groups/gnome/gnome-control-center

@@ -57,6 +57,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   @{bin}/grep          rix,
   @{bin}/locale        rix,
   @{bin}/sed           rix,
+  @{bin}/tecla         rix,
 
   @{bin}/bwrap                                   rCx -> bwrap,
   @{bin}/gkbd-keyboard-display                   rPx,
@@ -159,6 +160,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
 
         @{PROC}/cmdline r,
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
         @{PROC}/zoneinfo r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,

apparmor.d/groups/gnome/gnome-remote-desktop-daemon

@@ -24,5 +24,9 @@ profile gnome-remote-desktop-daemon @{exec_path} {
 
   @{exec_path} mr,
 
+  /usr/share/gnome-remote-desktop/{,**} r,
+
+  owner /var/lib/gnome-remote-desktop//{,**} r,
+
   include if exists <local/gnome-remote-desktop-daemon>
 }

apparmor.d/groups/gnome/gnome-shell

@@ -281,7 +281,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_cache_dirs}/media-art/{,**} r,
   owner @{user_cache_dirs}/vlc/**/*.jpg r,
 
-        @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
+        @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
   owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
   owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
   owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
@@ -398,6 +398,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
     include <abstractions/base>
     include <abstractions/app-launcher-user>
 
+    unix receive type=stream,
+
     @{lib}/gio-launch-desktop                               mr,
     @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop      mr,
 

apparmor.d/groups/gnome/gnome-text-editor

@@ -16,6 +16,8 @@ profile gnome-text-editor @{exec_path} {
 
   @{exec_path} mr,
 
+  /usr/share/enchant-*/{,**} r,
+
   owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw,
 
   owner @{PROC}/@{pid}/mountinfo r,

apparmor.d/groups/gvfs/gvfsd-wsdd

@@ -14,6 +14,7 @@ profile gvfsd-wsdd @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/env r,
   @{bin}/wsdd rPx,
 
         @{run}/mount/utab r,

apparmor.d/groups/network/nmcli

@@ -15,7 +15,9 @@ profile nmcli @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/less rCx -> pager,
+  @{bin}/less            rPx -> child-pager,
+  @{bin}/more            rPx -> child-pager,
+  @{bin}/pager           rPx -> child-pager,
 
   owner @{HOME}/.nm-vpngate/*.ovpn r,
   owner @{HOME}/.cert/nm-openvpn/*.pem rw,
@@ -26,16 +28,5 @@ profile nmcli @{exec_path} {
   @{sys}/devices/virtual/net/{,**} r,
   @{sys}/devices/@{pci}/net/*/{,**} r,
 
-  profile pager {
-    include <abstractions/base>
-    include <abstractions/consoles>
-
-    @{bin}/less  mr,
-
-    owner @{HOME}/.lesshs* rw,
-    owner @{user_cache_dirs}/.lesshs* rw,
-
-  }
-
   include if exists <local/nmcli>
 }

apparmor.d/groups/pacman/pacman

@@ -117,11 +117,6 @@ profile pacman @{exec_path} {
   /usr/** rwlk -> /usr/**,
   /var/** rwlk -> /var/**,
 
-  @{PROC}/ r,
-  @{run}/ r,
-  @{sys}/{,**} r,
-  /mnt r,
-
   # Read packages files
   @{user_pkg_dirs}/**/ r,
   @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
@@ -133,12 +128,15 @@ profile pacman @{exec_path} {
 
   @{run}/utmp rk,
 
+  @{sys}/{,**} r,
+
         @{PROC}/@{pids}/ r,
         @{PROC}/@{pids}/cgroup r,
         @{PROC}/@{pids}/cmdline r,
         @{PROC}/@{pids}/stat r,
         @{PROC}/1/environ r,
         @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/tty/drivers r,
         @{PROC}/uptime r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/groups/pacman/pacman-key

@@ -16,13 +16,14 @@ profile pacman-key @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/{m,g,}awk    rix,
   @{bin}/basename     rix,
   @{bin}/bash         rix,
   @{bin}/chmod        rix,
-  @{bin}/{m,g,}awk    rix,
   @{bin}/gettext      rix,
   @{bin}/gpg{,2}      rCx -> gpg,
   @{bin}/grep         rix,
+  @{bin}/ngettext     rix,
   @{bin}/pacman-conf  rPx,
   @{bin}/touch        rix,
   @{bin}/tput         rix,

apparmor.d/groups/ssh/sshd

@@ -84,6 +84,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   @{etc_ro}/ssh/sshd_config.d/{,*} r,
   /etc/ssh/ssh_host_* r,
 
+  /var/lib/lastlog/ r,
+  /var/lib/lastlog/* rwk,
+  /var/lib/wtmpdb/ r,
+  /var/lib/wtmpdb/* rwk,
+
   # For scp
   owner @{user_download_dirs}/{,**} rwl,
   owner @{user_sync_dirs}/{,**} rwl,

apparmor.d/profiles-a-f/borg

@@ -21,11 +21,6 @@ profile borg @{exec_path} {
   network inet6 dgram,
   network netlink raw,
 
-  mount fstype=fuse -> @{MOUNTS}/,
-  mount fstype=fuse -> @{MOUNTS}/*/,
-  umount @{MOUNTS}/,
-  umount @{MOUNTS}/*/,
-
   @{exec_path} r,
 
   @{bin}/ r,

apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders

@@ -21,5 +21,7 @@ profile gdk-pixbuf-query-loaders @{exec_path} {
   @{lib}/gdk-pixbuf-[0-9].@{int}/{,*}/loaders.cache.* rw,
   @{lib}/gdk-pixbuf-[0-9].@{int}/*/loaders.cache rw,
 
+  /usr/share/gvfs/remote-volume-monitors/{,**} r,
+
   include if exists <local/gdk-pixbuf-query-loaders>
 }

apparmor.d/profiles-g-l/gpu-manager

@@ -26,6 +26,9 @@ profile gpu-manager @{exec_path} {
 
   /var/log/gpu-manager.log w,
 
+  @{sys}/devices/@{pci}/boot_vga r,
+  @{sys}/module/compression r,
+
   @{PROC}/modules r,
   @{PROC}/cmdline r,
 

apparmor.d/profiles-g-l/hostapd

@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/hostapd
-profile hostapd @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/nameservice-strict>
-
-  capability net_admin,
-  capability net_raw,
-
-  @{exec_path} mr,
-
-  /dev/rfkill r,
-
-  /etc/hostapd.conf r,
-  /etc/hostapd/{,*} r,
-
-  @{run}/hostapd/{,**} rw,
-  @{run}/hostapd.pid rw,
-
-  include if exists <local/hostapd>
-}

apparmor.d/profiles-s-z/snapd

@@ -153,7 +153,7 @@ profile snapd @{exec_path} {
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
   @{sys}/kernel/kexec_loaded r,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-  @{sys}/kernel/security/apparmor/features/{,*/} r,
+  @{sys}/kernel/security/apparmor/features/{,**} r,
   @{sys}/kernel/security/apparmor/profiles r,
 
   @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,

apparmor.d/profiles-s-z/spotify

@@ -41,7 +41,10 @@ profile spotify @{exec_path} {
   owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
   owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,
 
-  owner @{tmp}/.org.chromium.Chromium.@{rand6}/*.crx3 rw,
+  owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
+
+  @{sys}/bus/ r,
+  @{sys}/bus/*/devices/ r,
 
   @{PROC}/pressure/* r,
 

apparmor.d/profiles-s-z/wsdd

@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/wsdd
+profile wsdd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+
+  @{exec_path} mr,
+
+  @{bin}/env r,
+  @{bin}/python3.@{int} rix,
+
+  /etc/machine-id r,
+
+  owner @{run}/user/@{uid}/gvfsd/wsdd w,
+
+  include if exists <local/wsdd>
+}

dists/flags/main.flags

@@ -373,6 +373,7 @@ virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
 wg complain
 wg-quick complain
+wsdd complain
 xdg-dbus-proxy attach_disconnected,complain
 xdg-desktop-icon complain
 xdg-desktop-portal-kde complain