feat(profile): general update.

apparmor.d/groups/apt/apt

@@ -105,6 +105,9 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   # For changelogs
   @{bin}/sensible-pager  rCx -> pager,
 
+  #aa:only whonix
+  @{lib}/uwt/uwtwrapper rix,
+
   /usr/share/xml/iso-codes/{,**} r,
   /usr/share/language-selector/data/pkg_depends r,
 

apparmor.d/groups/freedesktop/accounts-daemon

@@ -52,6 +52,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
   /etc/gdm{3,}/ r,
   /etc/gdm{3,}/custom.conf{,.@{rand6}} rw,
   /etc/gdm{3,}/daemon.conf{,.@{rand6}} rw,
+  /etc/lightdm/lightdm.conf r,
   /etc/machine-id r,
   /etc/shadow r,
   /etc/shells r,

apparmor.d/groups/freedesktop/xorg

@@ -56,9 +56,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   /var/lib/xkb/server-@{int}.xkm rw,
   /var/lib/xkb/compiled/server-@{int}.xkm rw,
 
-  /usr/share/libinput*/ r,
-  /usr/share/libinput*/{,**/}[0-9][0-9]-*.quirks r,
-  /usr/share/libinput*/libinput/ r,
+  /usr/share/libinput*/{,**} r,
 
   /etc/X11/{,**} r,
 

apparmor.d/groups/gnome/epiphany-search-provider

@@ -25,7 +25,8 @@ profile epiphany-search-provider @{exec_path} {
 
   @{exec_path} mr,
 
-  @{lib}/webkitgtk-*/WebKitNetworkProcess rix,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
 
   owner @{user_cache_dirs}/epiphany/{,**} rwk,
   owner @{user_share_dirs}/epiphany/{,**} rwk,

apparmor.d/groups/gnome/gnome-control-center

@@ -54,7 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   @{bin}/pkexec                                  rCx -> pkexec,
   @{bin}/software-properties-gtk                 rPx,
   @{bin}/usermod                                 rPx,
-  @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rPx,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rPx,
   @{lib}/cups/backend/snmp                       rPx,
   @{lib}/gnome-control-center-goa-helper         rPx,
   @{lib}/gnome-control-center-print-renderer     rPx,

apparmor.d/groups/gnome/gsd-housekeeping

@@ -14,6 +14,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.gnome.SessionManager>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
+  include <abstractions/gnome-strict>
   include <abstractions/thumbnails-cache-write>
 
   signal (receive) set=(term, hup) peer=gdm*,
@@ -32,7 +33,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
   owner @{GDM_HOME}/greeter-dconf-defaults r,
   owner @{gdm_config_dirs}/dconf/user r,

apparmor.d/groups/gnome/kgx

@@ -28,6 +28,7 @@ profile kgx @{exec_path} {
   @{bin}/htop                 rPx,
   @{bin}/micro               rPUx,
   @{bin}/nvtop                rPx,
+  @{bin}/vim                  rUx,
 
   @{open_path}                rPx -> child-open,
 

apparmor.d/groups/kde/baloo

@@ -5,7 +5,7 @@
 abi <abi/3.0>,
 
 include <tunables/global>
- 
+
 @{exec_path}  = @{bin}/baloo_file @{lib}/{,kf6/}baloo_file
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloo_file
 profile baloo @{exec_path} {

apparmor.d/groups/kde/kwin_wayland

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/kwin_wayland
 profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
   include <abstractions/base>
+  include <abstractions/app-launcher-user>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/graphics>
   include <abstractions/kde-strict>
@@ -27,12 +28,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
 
   @{exec_path} mr,
 
-  @{bin}/kcminit              rPx,
-  @{bin}/plasmashell          r,
-  @{bin}/Xwayland             rPx,
-  @{lib}/kwin_killer_helper   rix,
-  @{bin}/konsole              rPx,
-
   #aa:exec kscreenlocker_greet
 
   /usr/share/color-schemes/*.colors r,
@@ -76,11 +71,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
   owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_cache_dirs}/ksycoca{5,6}_* r,
   owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int},
-  owner @{user_cache_dirs}/kwin/ w,
-  owner @{user_cache_dirs}/kwin/qmlcache/ w,
-  owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rwl,
-  owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},
-  owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
+  owner @{user_cache_dirs}/kwin/ rw,
+  owner @{user_cache_dirs}/kwin/** rwl -> @{user_cache_dirs}/kwin/**,
   owner @{user_cache_dirs}/plasma_theme_*.kcache rw,
   owner @{user_cache_dirs}/plasma-svgelements rw,
   owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},

apparmor.d/groups/kde/sddm-xsession

@@ -44,7 +44,7 @@ profile sddm-xsession @{exec_path} {
   @{bin}/numlockx                            rPx,
   @{bin}/xhost                               rPx,
   @{bin}/xrdb                                rPx,
-  /etc/X11/Xsession                               rPx,
+  /etc/X11/Xsession                          rPx,
   @{bin}/ssh-agent                           rPx,
   @{bin}/udevadm                             rPx,
 

apparmor.d/groups/systemd/systemd-logind

@@ -40,10 +40,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
        member=Introspect
        peer=(label=ksmserver-logout-greeter),
 
-  dbus send bus=system path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       peer=(name=org.freedesktop.systemd1),
-
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixUser,GetConnectionUnixProcessID,GetConnectionCredentials}

apparmor.d/groups/whonix/open-link-confirmation

@@ -12,5 +12,14 @@ profile open-link-confirmation @{exec_path} {
 
   @{exec_path} mr,
 
+  @{sh_path}            rix,
+  @{bin}/readlink       rix,
+  @{bin}/whichbrowser   rix,
+  @{bin}/torbrowser     rPx,
+  @{lib}/msgcollector/generic_gui_message rPx,
+  @{lib}/msgcollector/striphtml rPx,
+
+  /etc/open_link_confirm.d/{,**} r,
+
   include if exists <local/open-link-confirmation>
 }

apparmor.d/profiles-a-f/abook

@@ -16,7 +16,7 @@ profile abook @{exec_path} {
   @{exec_path} mr,
 
   # Used for printing
-  @{bin}/{,ba,da}sh rix,
+  @{sh_path}         rix,
   @{bin}/lp{,r}     rPUx,
   # Abook has built in support to launch mutt
   @{bin}/mutt       rPUx,

apparmor.d/profiles-a-f/acpi-powerbtn

@@ -24,7 +24,7 @@ profile acpi-powerbtn flags=(attach_disconnected) {
   @{bin}/systemctl    rCx -> systemctl,
   @{bin}/ps           rPx,
 
-  @{bin}/fgconsole    rCx,
+  @{bin}/fgconsole    rCx -> fgconsole,
 
   /usr/share/acpi-support/** r,
 

apparmor.d/profiles-a-f/atril

@@ -40,8 +40,8 @@ profile atril @{exec_path} {
 
   @{bin}/atril-previewer rPx,
 
-  @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix,
-  @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
 
   /usr/share/atril/{,**} r,
   /usr/share/poppler/{,**} r,

apparmor.d/profiles-a-f/evince

@@ -36,7 +36,6 @@ profile evince @{exec_path} {
   @{exec_path} rix,
 
   @{sh_path}                 rix,
-  @{bin}/gio-launch-desktop  rPx,
   @{open_path}               rPx -> child-open,
 
   /usr/share/djvu/{,**} r,

apparmor.d/profiles-a-f/flatpak-system-helper

@@ -35,6 +35,7 @@ profile flatpak-system-helper @{exec_path} {
   @{lib}/revokefs-fuse  rix,
 
   /etc/flatpak/{,**} r,
+  /etc/machine-id r,
 
   /usr/share/mime/mime.cache r,
   /usr/share/flatpak/triggers/ r,

apparmor.d/profiles-a-f/font-manager

@@ -27,8 +27,8 @@ profile font-manager @{exec_path} {
 
   @{exec_path} r,
 
-  @{lib}/@{multiarch}/webkit*gtk-*/WebKitWebProcess     rix,
-  @{lib}/@{multiarch}/webkit*gtk-*/WebKitNetworkProcess rix,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
 
   owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/font-manager/ rw,

apparmor.d/profiles-g-l/jami-gnome

@@ -25,8 +25,8 @@ profile jami-gnome @{exec_path} {
 
   @{exec_path} mr,
 
-  @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitNetworkProcess rix,
-  @{lib}/{,@{multiarch}/}webkit2gtk-*/WebKitWebProcess rix,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix,
 
   /usr/share/ring/{,**} r,
   /usr/share/sounds/jami-gnome/{,**} r,

apparmor.d/profiles-s-z/system-config-printer

@@ -49,9 +49,10 @@ profile system-config-printer @{exec_path} flags=(complain) {
   owner /tmp/* rw,
 
   owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/fdinfo/@{int} r,
   owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/stat r,
 
   owner /dev/tty@{int} rw,
 

apparmor.d/profiles-s-z/system-config-printer-applet

@@ -23,7 +23,11 @@ profile system-config-printer-applet @{exec_path} {
 
   /usr/share/system-config-printer/{,**} r,
 
+  owner @{HOME}/.xsession-errors w,
+
   owner @{PROC}/@{pid}/mounts r,
 
+  /dev/tty rw,
+
   include if exists <local/system-config-printer-applet>
 }