feat(profile): general update.

apparmor.d/groups/apps/freetube

@@ -7,27 +7,22 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{FT_LIBDIR} =  @{lib}/freetube
-@{FT_LIBDIR} += @{lib}/freetube-vue
-@{FT_LIBDIR} += /opt/FreeTube
-@{FT_LIBDIR} += /opt/FreeTube-Vue
+@{lib_dirs}  = @{lib}/freetube @{lib}/freetube-vue
+@{lib_dirs} += /opt/FreeTube /opt/FreeTube-Vue
 
-@{exec_path} = @{FT_LIBDIR}/freetube{,-vue}
+@{exec_path} = @{lib_dirs}/freetube{,-vue}
 profile freetube @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio-client>
+  include <abstractions/chromium-common>
   include <abstractions/consoles>
   include <abstractions/dconf-write>
-  include <abstractions/opencl-intel>
-  include <abstractions/freedesktop.org>
-  include <abstractions/fonts>
+  include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
-  include <abstractions/audio-client>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/user-download-strict>
   include <abstractions/thumbnails-cache-read>
-  include <abstractions/chromium-common>
+  include <abstractions/user-download-strict>
 
   network inet dgram,
   network inet6 dgram,
@@ -37,23 +32,30 @@ profile freetube @{exec_path} {
 
   @{exec_path} mrix,
 
-  @{FT_LIBDIR}/ r,
-  @{FT_LIBDIR}/** r,
-  @{FT_LIBDIR}/libffmpeg.so mr,
-  @{FT_LIBDIR}/{swiftshader/,}libGLESv2.so mr,
-  @{FT_LIBDIR}/{swiftshader/,}libEGL.so mr,
-  @{FT_LIBDIR}/chrome-sandbox rPx,
+  @{lib_dirs}/ r,
+  @{lib_dirs}/** r,
+  @{lib_dirs}/libffmpeg.so mr,
+  @{lib_dirs}/{swiftshader/,}libGLESv2.so mr,
+  @{lib_dirs}/{swiftshader/,}libEGL.so mr,
+  @{lib_dirs}/chrome-sandbox rPx,
+
+  @{open_path}            rPx -> child-open,
+
+  /etc/fstab r,
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
 
   owner @{HOME}/ r,
   owner @{user_config_dirs}/FreeTube/ rw,
   owner @{user_config_dirs}/FreeTube/** rwk,
 
+  owner @{run}/user/@{uid}/ r,
+
   # The /proc/ dir is needed to avoid the following error:
   #   traps: freetube[] trap int3 ip:56499eca9d26 sp:7ffcab073060 error:0 in
   #          freetube[56499b8a8000+531e000]
              @{PROC}/ r,
        owner @{PROC}/@{pid}/fd/ r,
-  #          @{PROC}/@{pid}/fd/ r,
              @{PROC}/@{pids}/task/ r,
              @{PROC}/@{pids}/task/@{tid}/status r,
   deny       @{PROC}/@{pids}/stat r,
@@ -67,60 +69,7 @@ profile freetube @{exec_path} {
   deny       @{PROC}/vmstat r,
              @{PROC}/sys/fs/inotify/max_user_watches r,
 
-  /etc/fstab r,
-
-  owner @{user_share_dirs} r,
-
-  deny @{sys}/devices/virtual/tty/tty@{int}/active r,
-  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-  # To remove the following error:
-  #  pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
-  # The irq file is needed to render pages.
-  deny @{sys}/devices/@{pci}/irq r,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
-  owner @{run}/user/@{uid}/ r,
-
-  # no new privs
-  @{bin}/xdg-settings    rPx,
-
-  @{bin}/xdg-open        rCx -> open,
-
-  # Allowed apps to open
-  @{lib}/firefox/firefox rPx,
-  @{bin}/mpv             rPx,
-  @{bin}/vlc             rPx,
-
-  # file_inherit
   owner /dev/tty@{int} rw,
 
-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPx,
-    @{bin}/mpv             rPx,
-    @{bin}/vlc             rPx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
-
   include if exists <local/freetube>
 }

apparmor.d/groups/bus/dbus-session

@@ -26,7 +26,7 @@ profile dbus-session flags=(attach_disconnected) {
   signal (receive) set=(term hup)      peer=gdm,
   signal (send)    set=(term hup kill) peer=dbus-accessibility,
   signal (send)    set=(term hup kill) peer=dconf-service,
-  signal (send)    set=(term hup kill) peer=xdg-permission-store,
+  signal (send)    set=(term hup kill) peer=xdg-*,
 
   dbus bus=session,
 

apparmor.d/groups/gnome/gnome-initial-setup

@@ -14,6 +14,7 @@ profile gnome-initial-setup @{exec_path} {
   include <abstractions/bus-system>
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.Accounts>
+  include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
   include <abstractions/disks-read>
@@ -51,6 +52,9 @@ profile gnome-initial-setup @{exec_path} {
 
   owner @{GDM_HOME}/greeter-dconf-defaults r,
 
+  owner @{user_cache_dirs}/ubuntu-report/ w,
+  owner @{user_cache_dirs}/ubuntu-report/pending w,
+
   owner @{user_config_dirs}/gnome-initial-setup-done w,
   owner @{user_config_dirs}/gnome-initial-setup-done.@{rand6} rw,
 
@@ -59,6 +63,8 @@ profile gnome-initial-setup @{exec_path} {
 
   owner @{run}/user/@{uid}/avatar.png rw,
 
+  @{run}/snapd.socket rw,
+
   @{run}/systemd/sessions/@{int} r,
   @{run}/systemd/users/@{uid} r,
 

apparmor.d/groups/gnome/gnome-recipes

@@ -15,6 +15,8 @@ profile gnome-recipes @{exec_path} {
   include <abstractions/ssl_certs>
   include <abstractions/p11-kit>
 
+  network inet dgram,
+  network inet6 dgram,
   network inet stream,
   network inet6 stream,
   network netlink raw,

apparmor.d/groups/gnome/session-migration

@@ -12,6 +12,9 @@ profile session-migration @{exec_path} {
 
   @{exec_path} mr,
 
+  @{sh_path}  rix,
+  /usr/share/session-migration/scripts/*.sh rix,
+
   /usr/share/session-migration/{,**} r,
 
   owner @{gdm_share_dirs}/session_migration-* rw,

apparmor.d/groups/gvfs/gvfsd-http

@@ -29,7 +29,7 @@ profile gvfsd-http @{exec_path} {
        interface=org.gtk.vfs.Mountable
        member=Mount
        peer=(name=:*, label=gvfsd),
-  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/0
+  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
        interface=org.gtk.vfs.Spawner
        member=Spawned
        peer=(name=:*, label=gvfsd),

apparmor.d/groups/kde/systemsettings

@@ -34,6 +34,7 @@ profile systemsettings @{exec_path} {
   /etc/machine-id r,
   /etc/xdg/menus/ r,
   /etc/xdg/ui/ui_standards.rc r,
+  /var/lib/dbus/machine-id r,
 
   owner @{user_cache_dirs}/#@{int} rw,
   owner @{user_cache_dirs}/icon-cache.kcache rw,

apparmor.d/groups/ubuntu/apport-gtk

@@ -100,12 +100,13 @@ profile apport-gtk @{exec_path} {
     @{bin}/iconv rix,
     @{bin}/* r,
 
-    /usr/share/gcc/python/**/__pycache__/{,**} rw,
+    /usr/share/gcc/python/{,**/}__pycache__/{,**} rw,
 
     /usr/share/gdb/{,**} r,
-    /usr/share/themes/{,**} r,
-    /usr/share/gnome-shell/{,**} r,
     /usr/share/glib-2.0/schemas/gschemas.compiled r,
+    /usr/share/gnome-shell/{,**} r,
+    /usr/share/terminfo/** r,
+    /usr/share/themes/{,**} r,
 
     /etc/gdb/{,**} r,
 

apparmor.d/profiles-a-f/file-roller

@@ -40,5 +40,9 @@ profile file-roller @{exec_path} {
 
   @{open_path}         rPx -> child-open,
 
+  @{run}/mount/utab r,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+
   include if exists <local/file-roller>
 }

apparmor.d/profiles-m-r/popcon-largest-unused

@@ -1,34 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/popcon-largest-unused
-profile popcon-largest-unused @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/perl>
-
-  @{exec_path} r,
-  @{bin}/perl r,
-
-  @{sh_path}        rix,
-  @{bin}/{,e}grep   rix,
-  @{bin}/sort       rix,
-  @{bin}/cut        rix,
-  @{bin}/xargs      rix,
-
-  @{bin}/apt-cache  rPx,
-
-  /var/log/popularity-contest r,
-
-  owner @{PROC}/@{pid}/fd/ r,
-
-  # For shell pwd
-  /root/ r,
-
-  include if exists <local/popcon-largest-unused>
-}

apparmor.d/profiles-m-r/popularity-contest

@@ -13,14 +13,12 @@ profile popularity-contest @{exec_path} {
   include <abstractions/perl>
   include <abstractions/nameservice-strict>
 
-  # For popularity-contest --su-nobody
-  capability setuid,
-  capability setgid,
-
-  capability sys_ptrace,
-  ptrace (read),
-
   capability dac_read_search,
+  capability setgid,
+  capability setuid, # For popularity-contest --su-nobody
+  capability sys_ptrace,
+
+  ptrace (read),
 
   @{exec_path} r,
   @{bin}/perl r,
@@ -32,31 +30,24 @@ profile popularity-contest @{exec_path} {
   #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
   #  shared object file): ignored.
   @{bin}/dpkg-query  rpx,
-  #
   @{bin}/dpkg        rPx -> child-dpkg,
   @{bin}/dpkg-divert rPx -> child-dpkg-divert,
 
-  # For shell pwd
-  /root/ r,
-
   /etc/popularity-contest.conf r,
-
   /etc/dpkg/origins/debian r,
-
   /etc/shadow r,
 
-  /var/lib/dpkg/info/{,*.list} r,
-
-  @{PROC}/ r,
-
-  /var/log/ r,
-  /var/log/popularity-contest.new w,
+  /root/ r, # For shell pwd
 
   /var/lib/ r,
-
-  # file_inherit
-  /tmp/#@{int} rw,
+  /var/lib/dpkg/info/{,*.list} r,
+  /var/log/ r,
   /var/log/popularity-contest.[0-9]* w,
+  /var/log/popularity-contest.new w,
+
+  owner /tmp/#@{int} rw,
+  
+  @{PROC}/ r,
 
   include if exists <local/popularity-contest>
 }

apparmor.d/profiles-s-z/snapd

@@ -146,7 +146,6 @@ profile snapd @{exec_path} {
   @{run}/user/@{uid}/snapd-session-agent.socket rw,
   @{run}/user/snap.*/{,**} rw,
 
-  @{run}/mnt/ubuntu-seed/EFI/ubuntu/grubenv r,  # only:core
   @{run}/snapd*.socket rw,
   @{run}/snapd/{,**} rw,
   @{run}/snapd/lock/*.lock rwk,

apparmor.d/profiles-s-z/x11-xsession

@@ -56,7 +56,7 @@ profile x11-xsession @{exec_path} {
   @{bin}/sway                 rPUx,
   @{bin}/ssh-agent            rPx,
 
-  @{bin}/sudo rPx, # only: whonix
+  @{bin}/sudo rPx, #aa:only whonix
   @{lib}/*/*.sh r,
 
   /etc/default/{,*} r,