feat(profiles): general update.

2025-01-18 00:48:10 +01:00 · 2023-12-12 18:29:08 +00:00 · 2023-12-12 18:29:08 +00:00 · ab9e1932da
commit ab9e1932da
parent 42ea537687
32 changed files with 102 additions and 75 deletions
--- a/apparmor.d/abstractions/bwrap-app
+++ b/apparmor.d/abstractions/bwrap-app
@ -16,7 +16,7 @@
  include <abstractions/disks-read>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-intel>
--- a/apparmor.d/abstractions/wayland.d/complete
+++ b/apparmor.d/abstractions/wayland.d/complete
@ -2,7 +2,7 @@
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  owner @{run}/user/@{uid}/wayland-@{int}.lock rk,
+  owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,

  owner /dev/shm/sway* rw,
  owner /dev/shm/dunst-@{rand6} rw,
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@ -19,7 +19,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/devices-usb>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-intel>
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -158,6 +158,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
    owner @{HOME}/.viminfo{,.tmp} rw,
    owner @{HOME}/.selected_editor r,

+    include if exists <local/apt_editor>
  }

  profile pager {
@ -179,6 +180,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
    owner /tmp/apt-changelog-*/ r,
    owner /tmp/apt-changelog-*/*.changelog r,

+    include if exists <local/apt_pager>
  }

  profile dpkg-source flags=(complain) {
@ -206,6 +208,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
    audit deny owner @{HOME}/.*/     rw,
    audit deny owner @{HOME}/.*/**  mrwkl,

+    include if exists <local/apt_dpkg-source>
  }

  profile systemctl {
@ -234,6 +237,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {

    /dev/kmsg w,

+    include if exists <local/apt_systemctl>
  }

  include if exists <local/apt>
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -30,7 +30,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.PolicyKit1.AuthenticationAgent
       peer=(name=:*), # all members

-  dbus (send) bus=system path=/org/freedesktop/DBus
+  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixProcessID,GetConnectionUnixUser}
       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy
+++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy
@ -34,10 +34,10 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw,
-  owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/webkitgtk/bus-proxy-[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw,
+  owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-@{rand6} rw,
+  owner @{run}/user/@{uid}/webkitgtk/bus-proxy-@{rand6} rw,
+  owner @{run}/user/@{uid}/webkitgtk/dbus-proxy-@{rand6} rw,

  @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,

--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@ -14,7 +14,7 @@ profile epiphany-search-provider @{exec_path} {
  include <abstractions/dri-enumerate>
  include <abstractions/enchant>
  include <abstractions/fonts>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/nvidia>
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -16,6 +16,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@ -9,8 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/gnome-calendar
 profile gnome-calendar @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.GeoClue2>
+  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
@ -28,6 +31,10 @@ profile gnome-calendar @{exec_path} {
  network netlink raw,

  dbus bind bus=session name=org.gnome.Calendar,
+  dbus (send, receive) bus=session path=/org/gnome/Calendar
+       interface=org.freedesktop.{Actions,Application}
+       peer=(name="{:*,org.freedesktop.DBus}"),
+
  dbus receive bus=session path=/org/gnome/Calendar/SearchProvider
       interface=org.gnome.Shell.SearchProvider2
       peer=(name=:*, label=gnome-shell),
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -107,17 +107,19 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
  owner @{user_config_dirs}/rygel.conf{,.@{rand6}} rw,
+  owner @{user_games_dirs}/**.png r,
  owner @{user_share_dirs}/backgrounds/{,**} rw,
-  owner @{user_share_dirs}/icc/{,edid-*} r,
-  owner @{user_share_dirs}/sounds/__custom/{,*} rw,
  owner @{user_share_dirs}/gnome-remote-desktop/ w,
  owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw,
+  owner @{user_share_dirs}/icc/{,edid-*} r,
+  owner @{user_share_dirs}/sounds/__custom/{,*} rw,
+
+  owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,

  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
  owner @{run}/user/@{uid}/gnome-control-center-region-needs-restart w,
  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
-  owner @{run}/user/@{uid}/wayland-@{int} rw,
        @{run}/cups/cups.sock rw,
        @{run}/samba/ rw,
        @{run}/systemd/sessions/  r,
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@ -9,14 +9,16 @@ include <tunables/global>
@{exec_path} = @{lib}/gnome-control-center-goa-helper
 profile gnome-control-center-goa-helper @{exec_path} {
  include <abstractions/base>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Avahi>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
@ -33,15 +35,20 @@ profile gnome-control-center-goa-helper @{exec_path} {

  signal (send) set=(kill) peer=bwrap,

+  dbus bind bus=session name=org.gnome.Settings.GoaHelper,
+
+  dbus send bus=session path=/org/gnome/OnlineAccounts
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=:*, label=goa-daemon),
+
  @{exec_path} mr,

  @{bin}/bwrap  rPUx,

  @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/themes/{,**} r,
-  /usr/share/X11/xkb/{,**} r,
+  /usr/share/publicsuffix/public_suffix_list.dafsa r,

  /var/lib/flatpak/exports/share/icons/{,**} r,

--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@ -12,7 +12,7 @@ profile gnome-disks @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/disks-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/user-download-strict>

  dbus bind bus=session name=org.gnome.DiskUtility,
@ -22,9 +22,6 @@ profile gnome-disks @{exec_path} {
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
  @{lib}/gio-launch-desktop                           rPx -> child-open,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/X11/xkb/{,**} r,
-
  owner @{user_cache_dirs}/gnome-disks/{,**} rw,

        @{PROC}/1/cgroup r,
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@ -11,7 +11,7 @@ profile gnome-initial-setup @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>

  network netlink raw,
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -11,7 +11,7 @@ profile gnome-music @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/gstreamer>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -324,7 +324,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,
-  owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,
  owner @{run}/user/@{uid}/pipewire-@{int} rw,

  owner /dev/shm/.org.chromium.Chromium.* rw,
@ -333,7 +332,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
        /tmp/.X@{int}-lock rw,
        /tmp/dbus-@{rand8} rw,
  owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
-  owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
+  owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,

  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/seats/seat@{int} r,
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@ -11,7 +11,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>

  capability sys_ptrace,
@ -31,15 +31,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
  /usr/share/gnome-system-monitor/{,**} r,
  /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,

-  # freedesktop.org-strict
-  /usr/share/pixmaps/{,**} r,
-  /usr/share/*ubuntu/applications/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
-  /etc/machine-id r,
-
-  /var/lib/snapd/desktop/icons/ r,
-
  owner @{run}/user/@{uid}/doc/ rw,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,

--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@ -11,8 +11,7 @@ profile gnome-tweaks @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
  include <abstractions/python>

  @{exec_path} mr,
@ -23,7 +22,6 @@ profile gnome-tweaks @{exec_path} {

  @{lib}/python3.[0-9]*/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,

-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-tweaks/{,**} r,

  /etc/xdg/autostart/{,**} r,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -20,8 +20,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
+  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
@ -92,6 +93,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {

  @{bin}/{,ba,da}sh          rix,
  @{bin}/bwrap              rPUx,
+  @{bin}/file-roller         rPx,
  @{bin}/firejail           rPUx,
  @{bin}/net                rPUx,
  @{bin}/tracker3           rPUx,
@ -99,7 +101,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
  @{lib}/gio-launch-desktop                           rPx -> child-open,

-  /usr/share/*ubuntu/applications/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/libdrm/*.ids r,
  /usr/share/nautilus/{,**} r,
@ -112,7 +113,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  /etc/fstab r,

  /var/cache/fontconfig/ rw,
-  /var/lib/snapd/desktop/icons/{,**} r,

  # Full access to user's data
  / r,
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@ -12,7 +12,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
  include <abstractions/dri-enumerate>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/gstreamer>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -17,7 +17,7 @@ profile seahorse @{exec_path} {
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -33,15 +33,9 @@ profile seahorse @{exec_path} {
  @{bin}/gpg{,2}  rPx,
  @{bin}/gpgsm    rPx,

-  # freedesktop.org-strict
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/*ubuntu/applications/ r,
-
  /etc/pki/trust/blocklist/ r,
  /etc/gcrypt/hwf.deny r,

-  /var/lib/snapd/desktop/icons/ r,
-
  owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/kde/kwin_wayland_wrapper
+++ b/apparmor.d/groups/kde/kwin_wayland_wrapper
@ -20,7 +20,6 @@ profile kwin_wayland_wrapper @{exec_path} {

  owner @{run}/user/@{uid}/#@{int} rw,
  owner @{run}/user/@{uid}/xauth_@{rand6} w,
-  owner @{run}/user/@{uid}/wayland-*.lock rk,

  owner /tmp/.X1-lock rw,

--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -9,18 +9,41 @@ include <tunables/global>
@{exec_path} = /usr/share/netplan/netplan.script
 profile netplan.script @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/python>

  @{exec_path} mr,

  @{lib}/netplan/generate  rix,
+  @{bin}/udevadm           rCx -> udevadm,

  /usr/share/netplan/{,**} r,

  /etc/netplan/{,*} r,

+  @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf w,
+  @{run}/NetworkManager/system-connections/ r,
+  @{run}/NetworkManager/system-connections/netplan-*.nmconnection w,
  @{run}/systemd/system/ r,
+  @{run}/systemd/system/netplan-* rw,
  @{run}/systemd/system/systemd-networkd.service.wants/ r,
+  @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
+
  @{run}/udev/rules.d/ r,

+  profile udevadm {
+    include <abstractions/base>
+    include <abstractions/systemd-common>
+
+    @{bin}/udevadm mr,
+
+    /etc/udev/udev.conf r,
+
+    @{run}/udev/rules.d/90-netplan.rules rw,
+    @{run}/udev/rules.d/90-netplan.rules.@{rand6} rw,
+
+    include if exists <local/netplan.script_udevadm>
+  }
+
  include if exists <local/netplan.script>
 }
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@ -10,33 +10,37 @@ include <tunables/global>
 profile software-properties-gtk @{exec_path} {
  include <abstractions/base>
  include <abstractions/apt-common>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/dconf-write>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
-  include <abstractions/wayland>

  dbus bind bus=session name=com.ubuntu.SoftwareProperties,
-  dbus send bus=system path=/
-      interface=com.ubuntu.SoftwareProperties
-       peer=(name=:*),
-
-  dbus receive bus=session
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=:*, label=gnome-shell),
+  dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties
+       interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}}
+       peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk),

  dbus send bus=system path=/
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*),

+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=:*, label=ubuntu-advantage-desktop-daemon),
+
+  dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=:*, label=ubuntu-advantage-desktop-daemon),
+
  @{exec_path} mr,

  @{bin}/ r,
@ -51,8 +55,6 @@ profile software-properties-gtk @{exec_path} {
  @{bin}/ubuntu-advantage         rPx,

  /usr/share/distro-info/*.csv r,
-  /usr/share/icons/{,**} r,
-  /usr/share/mime/mime.cache r,
  /usr/share/pixmaps/ r,
  /usr/share/python-apt/{,**} r,
  /usr/share/software-properties/{,**} r,
@ -64,8 +66,6 @@ profile software-properties-gtk @{exec_path} {

  /etc/apport/blacklist.d/{,*} r,
  /etc/default/apport r,
-  /etc/gtk-3.0/settings.ini r,
-  /etc/machine-id r,
  /etc/update-manager/release-upgrades r,

  /var/crash/*software-properties-gtk.@{uid}.crash rw,
--- a/apparmor.d/groups/ubuntu/update-manager
+++ b/apparmor.d/groups/ubuntu/update-manager
@ -10,20 +10,20 @@ include <tunables/global>
 profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/apt-common>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.UPower>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/ssl_certs>
-  include <abstractions/wayland>

  network inet dgram,
  network inet6 dgram,
@ -55,7 +55,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
  /usr/share/X11/{,**} r,

  /etc/gtk-3.0/settings.ini r,
-  /etc/machine-id r,
  /etc/update-manager/{,**} r,

  /boot/ r,
--- a/apparmor.d/groups/whonix/torbrowser
+++ b/apparmor.d/groups/whonix/torbrowser
@ -36,6 +36,8 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) {
  include <abstractions/user-download-strict>
  include <abstractions/vulkan>

+#   userns,
+
  capability sys_admin, # If kernel.unprivileged_userns_clone = 1
  capability sys_chroot, # If kernel.unprivileged_userns_clone = 1

--- a/apparmor.d/profiles-a-f/cups-notifier-dbus
+++ b/apparmor.d/profiles-a-f/cups-notifier-dbus
@ -10,7 +10,11 @@ include <tunables/global>
 profile cups-notifier-dbus @{exec_path} {
  include <abstractions/base>

+  signal (receive) set=(term) peer=cupsd,
+
  @{exec_path} mr,
 
+  /tmp/cups-dbus-notifier-lockfile rwk,
+  
  include if exists <local/cups-notifier-dbus>
 }
--- a/apparmor.d/profiles-a-f/cupsd
+++ b/apparmor.d/profiles-a-f/cupsd
@ -41,6 +41,8 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
  network rose dgram,
  network x25 seqpacket,

+  signal (send) set=(term) peer=cups-notifier-dbus,
+
  @{exec_path} mr,

  @{bin}/{,ba,da}sh          rix,
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@ -14,7 +14,7 @@ profile evince @{exec_path} {
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/dconf-write>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/ibus>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
@ -50,7 +50,6 @@ profile evince @{exec_path} {
  /usr/share/ghostscript/{,**} r,
  /usr/share/poppler/{,**} r,
  /usr/share/thumbnailers/{,*} r,
-  /usr/share/themes/{,**} r,

  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@ -29,6 +29,7 @@ profile file-roller @{exec_path} {

  # Archivers
  @{bin}/7z            rix,
+  @{bin}/ar            rix,
  @{bin}/bzip2         rix,
  @{bin}/cpio          rix,
  @{bin}/gzip          rix,
--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
@ -58,8 +58,6 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/sessions/* r,
  @{run}/systemd/seats/seat@{int} r,

-  @{run}/user/@{uid}/wayland-@{int}.lock k,
-
  owner @{PROC}/@{pid}/fd/ r,

  owner /tmp/.X[0-9]*-lock rw,
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -156,7 +156,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)

  owner /tmp/dumps/ rw,
  owner /tmp/dumps/{assert,crash}_@{int}_@{int}.dmp rw,
-  owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
+  owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
  owner /tmp/miles_image_* mrw,
  owner /tmp/runtime-info.txt.* rwk,
  owner /tmp/sh-thd.* rw,