Profiles update.

2025-01-18 08:58:15 +01:00 · 2021-10-22 15:01:43 +01:00 · 2021-10-22 15:01:43 +01:00 · aac0a93080
commit aac0a93080
parent b91ddfa493
34 changed files with 136 additions and 144 deletions
--- a/apparmor.d/abstractions/totem
+++ b/apparmor.d/abstractions/totem
@ -40,7 +40,7 @@
  owner @{user_config_dirs}/totem/** rwk,
  owner @{user_share_dirs}/grilo-plugins/ rwk,
  owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
-  owner @{user_share_dirs}/gvfs-metadata/** r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/totem/ rwk,
  owner @{user_share_dirs}/tracker/data/tracker-store.journal rwk,
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@ -68,9 +68,9 @@ profile atom @{exec_path} {
  /{usr/,}bin/lsb_release   rPx -> lsb_release,
  /{usr/,}bin/xdg-open      rCx -> open,
-  /{usr/,}bin/xdg-settings rPUx,
+  /{usr/,}bin/xdg-settings rPx,
-  /{usr/,}bin/git          rPUx,
+  /{usr/,}bin/git          rPx,
  # Needed to sign commits
  /{usr/,}bin/gpg           rCx -> gpg,
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc
+++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.senddoc
@ -27,8 +27,8 @@ profile libreoffice-senddoc /usr/lib/libreoffice/program/senddoc flags=(complain
  /usr/bin/basename     rmix,
  /{usr/,}bin/grep      rmix,
  /{usr/,}bin/uname     rmix,
-  /usr/bin/xdg-open     rPUx,
+  /usr/bin/xdg-open     rPx,
-  /usr/bin/xdg-email    rPUx,
+  /usr/bin/xdg-email    rPx,
  /dev/null             rw,
  /usr/lib/libreoffice/program/uri-encode rmpux,
  /usr/share/libreoffice/share/config/* r,
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
+++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
@ -169,7 +169,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
  /usr/lib/libreoffice/program/soffice.bin       mix,
  /usr/lib/libreoffice/program/xpdfimport        px,
  /usr/lib/libreoffice/program/senddoc           px,
-  /usr/bin/xdg-open                 rPUx,
+  /usr/bin/xdg-open                 rPx,
  /usr/share/java/**.jar                r,
  /usr/share/hunspell/                  r,
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@ -73,8 +73,8 @@ profile brave @{exec_path} {
  #deny /{usr/,}bin/xdg-desktop-menu  rx,
  /{usr/,}bin/xdg-open           rCx -> open,
-  /{usr/,}bin/xdg-settings      rPUx,
+  /{usr/,}bin/xdg-settings      rPx,
-  /{usr/,}bin/xdg-mime          rPUx,
+  /{usr/,}bin/xdg-mime          rPx,
  /usr/share/chromium/extensions/ r,
--- a/apparmor.d/groups/browsers/chromium
+++ b/apparmor.d/groups/browsers/chromium
@ -34,6 +34,8 @@ profile chromium @{exec_path} flags=(attach_disconnected) {
  # For chromium -g
  /{usr/,}bin/gdb   rPUx,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner /tmp/chromiumargs.?????? rw,
  # For a temp profile
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@ -60,11 +60,11 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/browserpass       rPx,
  /{usr/,}bin/lsb_release        rPx -> lsb_release,
-  /{usr/,}bin/xdg-mime          rPUx,
+  /{usr/,}bin/xdg-mime           rPx,
  /{usr/,}bin/xdg-open           rCx -> open,
-  /{usr/,}bin/xdg-settings      rPUx,
+  /{usr/,}bin/xdg-settings       rPx,
-  /{usr/,}bin/xdg-desktop-menu  rPUx,
+  /{usr/,}bin/xdg-desktop-menu   rPx,
-  /{usr/,}bin/xdg-icon-resource rPUx,
+  /{usr/,}bin/xdg-icon-resource  rPx,
  # To remove the following error:
  #  Error initializing NSS with a persistent database
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -1,8 +1,10 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2015-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Warning: Such a profile is limitted as it gives access to a lot of resources.
 abi <abi/3.0>,
 include <tunables/global>
@ -14,22 +16,22 @@ include <tunables/global>
@{exec_path} = @{MOZ_LIBDIR}/firefox{,-bin,-esr}
 profile firefox @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/wayland>
  include <abstractions/opencl-intel>
  include <abstractions/vulkan>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/audio>
  include <abstractions/deny-root-dir-access>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-intel>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
  include <abstractions/user-read>
-  include <abstractions/thumbnails-cache-read>
+  include <abstractions/vulkan>
-  include <abstractions/nameservice-strict>
+  include <abstractions/wayland>
  include <abstractions/ssl_certs>
  include <abstractions/deny-root-dir-access>
  ##include <abstractions/nvidia>
  ptrace peer=@{profile_name},
@ -210,16 +212,14 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
  owner @{user_share_dirs}/ r,
-  owner @{user_share_dirs}/gvfs-metadata/home r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
  owner @{user_share_dirs}/gvfs-metadata/root r,
  owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
  # Silencer
  deny capability sys_ptrace,
  deny owner @{HOME}/.* r,
  profile open {
@ -252,6 +252,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
    /{usr/,}bin/telegram-desktop rPx,
    /{usr/,}bin/spacefm          rPx,
    /{usr/,}bin/qpdfview         rPx,
    /{usr/,}bin/evince           rPx,
    /usr/share/xfce4/exo/exo-compose-mail rPx,
    # file_inherit
--- a/apparmor.d/groups/browsers/google-chrome-chrome
+++ b/apparmor.d/groups/browsers/google-chrome-chrome
@ -66,8 +66,8 @@ profile google-chrome-chrome @{exec_path} {
  deny /{usr/,}bin/xdg-desktop-menu  rx,
  deny /{usr/,}bin/xdg-icon-resource rx,
-  /{usr/,}bin/xdg-mime          rPUx,
+  /{usr/,}bin/xdg-mime          rPx,
-  /{usr/,}bin/xdg-settings      rPUx,
+  /{usr/,}bin/xdg-settings      rPx,
  # To remove the following error:
  #  Error initializing NSS with a persistent database
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@ -56,11 +56,11 @@ profile opera @{exec_path} {
  @{OPERA_INSTALLDIR}/opera_autoupdate    krix,
  /{usr/,}bin/lsb_release        rPx -> lsb_release,
-  /{usr/,}bin/xdg-mime          rPUx,
+  /{usr/,}bin/xdg-mime           rPx,
  /{usr/,}bin/xdg-open           rCx -> open,
-  /{usr/,}bin/xdg-settings      rPUx,
+  /{usr/,}bin/xdg-settings       rPx,
-  /{usr/,}bin/xdg-desktop-menu  rPUx,
+  /{usr/,}bin/xdg-desktop-menu   rPx,
-  /{usr/,}bin/xdg-icon-resource rPUx,
+  /{usr/,}bin/xdg-icon-resource  rPx,
  # To remove the following error:
  #  Error initializing NSS with a persistent database
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -17,9 +17,9 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  capability setuid,
  capability sys_resource,
-  signal (receive) set=(term, kill),
+  signal (receive) set=(term hup kill) peer=gdm*,
-  signal (receive) set=(term, hup) peer=gdm*,
+  signal (send)    set=(term hup kill) peer=at-spi-bus-launcher,
-  signal (send)    set=(term, kill) peer=at-spi-bus-launcher,
+  signal (send)    set=(term hup kill) peer=xdg-permission-store,
  network netlink raw,
--- a/apparmor.d/groups/desktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/desktop/at-spi-bus-launcher
@ -17,16 +17,16 @@ profile at-spi-bus-launcher @{exec_path} {
  # Needed?
  deny capability sys_nice,
-  signal (receive) set=(term hup) peer=gdm*,
+  signal (receive) set=(term hup kill) peer=dbus-daemon,
-  signal (receive) set=(term hup) peer=dbus-daemon,
+  signal (receive) set=(term hup kill) peer=gdm*,
-  signal (send)    set=(term, kill) peer=dbus-daemon,
+  signal (send)    set=(term hup kill) peer=dbus-daemon,
  network inet stream,
  network inet6 stream,
  @{exec_path} mr,
-  /{usr/,}bin/dbus-daemon rPUx,
+  /{usr/,}bin/dbus-daemon rPx,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@ -12,6 +12,7 @@ profile gnome-calendar @{exec_path} {
  include <abstractions/gnome>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  network netlink raw,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -79,10 +79,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/backgrounds/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
-  owner @{user_share_dirs}/gvfs-metadata/home r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
  owner @{user_share_dirs}/gvfs-metadata/root r,
  owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
  owner @{user_cache_dirs}/gnome-photos/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -30,10 +30,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  /usr/share/gnome-system-monitor/{,**} r,
  /usr/share/pixmaps/{,**} r,
-  owner @{user_share_dirs}/gvfs-metadata/home r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
  owner @{user_share_dirs}/gvfs-metadata/root r,
  owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -44,11 +44,17 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/net/wireless r,
        @{PROC}/sys/kernel/random/boot_id r,
  @{run}/mount/utab r,
  @{run}/systemd/userdb/ r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
  /dev/tty rw,
  /dev/dri/card[0-9]* rw,
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@ -16,8 +16,7 @@ profile gvfsd-metadata @{exec_path} {
  @{exec_path} mr,
-  owner @{HOME}/.local/share/gvfs-metadata/ rw,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} rw,
  owner @{HOME}/.local/share/gvfs-metadata/** rw,
  include if exists <local/gvfsd-metadata>
 }
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -48,6 +48,7 @@ profile pacman @{exec_path} {
  /{usr/,}bin/cat                         rix,
  /{usr/,}bin/dot                         rix,
  /{usr/,}bin/env                         rix,
  /{usr/,}bin/ghc-pkg-*                   rix,
  /{usr/,}bin/rm                          rix,
  /{usr/,}bin/setcap                      rix,
  /{usr/,}bin/vercmp                      rix,
@ -81,8 +82,8 @@ profile pacman @{exec_path} {
  /etc/{,**} rwl,
  /opt/{,**} rwl,
  /srv/{,**} rwl,
-  /usr/{,**} rwl,
+  /usr/{,**} rwlk,
-  /var/{,**} rwl,
+  /var/{,**} rwlk,
  /bin/ rwl,
  /home/ rw,
--- a/apparmor.d/groups/pacman/pacman-hook-fontconfig
+++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig
@ -10,6 +10,8 @@ include <tunables/global>
 profile pacman-hook-fontconfig @{exec_path} {
  include <abstractions/base>
  capability dac_read_search,
  @{exec_path} mr,
  /{usr/,}bin/bash  rix,
@ -19,5 +21,9 @@ profile pacman-hook-fontconfig @{exec_path} {
  /etc/fonts/conf.d/* rwl,
  /usr/share/fontconfig/conf.default/* r,
  # Inherit Silencer
  deny network inet6 stream,
  deny network inet stream,
  include if exists <local/pacman-hook-fontconfig>
 }
--- a/apparmor.d/groups/systemd/systemd-sysctl
+++ b/apparmor.d/groups/systemd/systemd-sysctl
@ -12,11 +12,10 @@ profile systemd-sysctl @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/systemd-common>
-  # Are these needed?
+  capability net_admin,
-  deny capability sys_ptrace,
+  capability sys_admin,
-  deny capability sys_admin,
+  capability sys_ptrace,
-  deny capability net_admin,
+  # capability sys_resource,
  deny capability sys_resource,
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@ -37,6 +37,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/stat r,
        @{PROC}/sys/kernel/random/boot_id r,
  # Inherit Silencer
  deny network inet6 stream,
  deny network inet stream,
  deny /apparmor/.null rw,
  include if exists <local/systemd-sysusers>
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@ -20,11 +20,11 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
  owner /var/cache/apparmor/{,**} rw,
  owner /var/lib/docker/tmp/docker-default[0-9]* r,
  owner @{sys}/kernel/security/apparmor/{,**} r,
  owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
        @{sys}/kernel/security/apparmor/{,**} r,
  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/sys/kernel/osrelease r,
  deny /apparmor/.null rw,
--- a/apparmor.d/profiles-a-f/engrampa
+++ b/apparmor.d/profiles-a-f/engrampa
@ -66,7 +66,7 @@ profile engrampa @{exec_path} {
  owner @{user_config_dirs}/mimeapps.list{,.*} rw,
  owner @{user_share_dirs}/ r,
-  owner @{user_share_dirs}/gvfs-metadata/** r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  /usr/share/engrampa/{,**} r,
--- a/apparmor.d/profiles-a-f/font-manager
+++ b/apparmor.d/profiles-a-f/font-manager
@ -44,7 +44,7 @@ profile font-manager @{exec_path} {
  owner "@{user_share_dirs}/fonts/Google Fonts/**" rw,
  owner @{user_share_dirs}/ r,
-  owner @{user_share_dirs}/gvfs-metadata/** r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
--- a/apparmor.d/profiles-a-f/fuse-overlayfs
+++ b/apparmor.d/profiles-a-f/fuse-overlayfs
@ -17,9 +17,9 @@ profile fuse-overlayfs @{exec_path} {
  @{exec_path} mr,
-  mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/ -> **,
+  mount fstype=fuse.* options=(rw,nodev,noatime) @{user_share_dirs}/containers/storage/overlay/**/merged/ -> **,
-  owner @{user_share_dirs}/containers/storage/overlay/{,**} rw,
+  owner @{user_share_dirs}/containers/storage/overlay/{,**} rwl,
  @{PROC}/sys/kernel/overflowgid r,
  @{PROC}/sys/kernel/overflowuid r,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -31,12 +31,12 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  /{usr/,}bin/gpgconf     rCx -> gpg,
  /{usr/,}bin/gpgsm       rCx -> gpg,
-  /etc/pki/fwupd/** r,
+  /etc/pki/fwupd/{,**} r,
-  /etc/pki/fwupd-metadata/** r,
+  /etc/pki/fwupd-metadata/{,**} r,
-  /etc/fwupd/** r,
+  /etc/fwupd/{,**} r,
-  /usr/share/fwupd/** r,
+  /usr/share/fwupd/{,**} r,
-  /var/cache/fwupd/** rw,
+  /var/cache/fwupd/{,**} rw,
  /var/lib/fwupd/{,**} rw,
  /var/lib/fwupd/pending.db rwk,
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@ -25,7 +25,7 @@ profile fwupdmgr @{exec_path} flags=(complain) {
  @{exec_path} mr,
  /{usr/,}bin/dbus-launch  rCx -> dbus,
-  /{usr/,}bin/pkttyagent rux, # TODO: Work in progress
+  /{usr/,}bin/pkttyagent   rPx,
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/fwupd/ rw,
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@ -9,25 +9,16 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/su
 profile su @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/authentication>
-  include <abstractions/wutmp>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
 # include <pam/mappings>
  # To remove the following errors:
  #  su: cannot set groups: Operation not permitted
  capability setgid,
  # To remove the following errors:
  #  su: cannot set user id: Operation not permitted
  capability setuid,
  # To write records to the kernel auditing log.
  capability audit_write,
-
+  capability setgid,
-  # Needed?
+  capability setuid,
-  audit deny capability net_bind_service,
+  #audit deny capability net_bind_service,
  signal (send)    set=(term,kill),
  signal (receive) set=(int,quit,term),
@ -43,16 +34,14 @@ profile su @{exec_path} {
  # Fake shells to politely refuse a login
  #/{usr/,}{s,}bin/nologin rpux,
  /etc/default/locale r,
  /etc/environment r,
  /etc/security/limits.d/ r,
  /etc/shells r,
        @{PROC}/1/limits r,
  owner @{PROC}/@{pid}/loginuid r,
  /etc/default/locale r,
  /etc/security/limits.d/ r,
  /etc/shells r,
  # For pam_securetty
  @{PROC}/cmdline r,
  @{sys}/devices/virtual/tty/console/active r,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -9,43 +9,26 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/sudo
 profile sudo @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/authentication>
-  include <abstractions/wutmp>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
 # include <pam/mappings>
-  # To remove the following errors:
+  # capability mknod,
  #  sudo: unable to change to root gid: Operation not permitted
  capability setgid,
  # To remove the following errors:
  #  sudo: PERM_SUDOERS: setresuid(-1, 1, -1): Operation not permitted
  #  sudo: no valid sudoers sources found, quitting
  #  sudo: setresuid() [0, 0, 0] -> [1000, -1, -1]: Operation not permitted
  capability setuid,
  # To write records to the kernel auditing log.
  capability audit_write,
  # For changing ownership of the /var/log/sudo.log file
  capability chown,
  # Needed? (#FIXME#)
  capability sys_resource,
  capability net_admin,
  capability sys_ptrace,
  capability dac_read_search,
  capability dac_override,
-  capability mknod,
+  capability dac_read_search,
-  ptrace read,
+  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_ptrace,
  capability sys_resource,
  # To remove the following error:
  #  sudo: PAM account management error: Permission denied
  #  sudo: unable to open audit system: Permission denied
  #  sudo: a password is required
  network netlink raw,
  ptrace (read),
  signal,
  @{exec_path} mr,
@ -54,21 +37,9 @@ profile sudo @{exec_path} {
  /{usr/,}bin/{,b,d,rb}ash rpux,
  /{usr/,}bin/{c,k,tc,z}sh rpux,
-  /{usr/,}bin/[a-z0-9]* rPUx,
+  /{usr/,}bin/[a-z0-9]*               rPUx,
-  /{usr/,}{s,}bin/[a-z0-9]* rPUx,
+  /{usr/,}{s,}bin/[a-z0-9]*           rPUx,
-  /{usr/,}lib/cockpit/cockpit-askpass rPx,
+  /{usr/,}lib/cockpit/cockpit-askpass rPUx,
  /dev/ r,
  /dev/ptmx rw,
  # For timestampdir
  owner @{run}/sudo/ rw,
  owner @{run}/sudo/ts/ rw,
  owner @{run}/sudo/ts/* rwk,
        @{run}/faillock/{,*} rwk,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pids}/stat r,
  /etc/sudo.conf r,
@ -79,9 +50,21 @@ profile sudo @{exec_path} {
  /var/log/sudo.log wk,
-  # file_inherit
+  # For timestampdir
  owner @{run}/sudo/ rw,
  owner @{run}/sudo/ts/ rw,
  owner @{run}/sudo/ts/* rwk,
        @{run}/faillock/{,*} rwk,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pids}/stat r,
  # File Inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,
  /dev/ r,
  /dev/ptmx rw,
  include if exists <local/sudo>
 }
--- a/apparmor.d/profiles-s-z/update-mime-database
+++ b/apparmor.d/profiles-s-z/update-mime-database
@ -10,6 +10,9 @@ include <tunables/global>
 profile update-mime-database @{exec_path} {
  include <abstractions/base>
  capability dac_override,
  capability dac_read_search,
  @{exec_path} mr,
  /usr/share/mime/{,**} rw,
--- a/apparmor.d/profiles-s-z/xdg-dbus-proxy
+++ b/apparmor.d/profiles-s-z/xdg-dbus-proxy
@ -12,10 +12,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected, complain) {
  @{exec_path} mr,
-  owner @{user_share_dirs}/gvfs-metadata/home r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
  owner @{user_share_dirs}/gvfs-metadata/root r,
  owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
  owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
  owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal
@ -13,6 +13,8 @@ profile xdg-desktop-portal @{exec_path} {
  network netlink raw,
  ptrace (read),
  @{exec_path} mr,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
@ -26,8 +28,9 @@ profile xdg-desktop-portal @{exec_path} {
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,
-  @{PROC}/sys/kernel/osrelease r,
+  owner @{PROC}/@{pids}/cgroup r,
-  @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/cmdline r,
  include if exists <local/xdg-desktop-portal>
 }
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
@ -11,6 +11,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/base>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download>
  @{exec_path} mr,
@ -18,6 +21,11 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
  / r,
  owner @{HOME}/@{XDG_DATA_HOME}/ r,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/user rw,
--- a/apparmor.d/profiles-s-z/xdg-mime
+++ b/apparmor.d/profiles-s-z/xdg-mime
@ -46,10 +46,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/mimeapps.list{,.new} rw,
-  owner @{user_share_dirs}/gvfs-metadata/home r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
  owner @{user_share_dirs}/gvfs-metadata/root r,
  owner @{user_share_dirs}/gvfs-metadata/root-*.log r,
  owner @{HOME}/.Xauthority r,