Update profiles.

apparmor.d/groups/browsers/chrome-gnome-shell

@@ -31,5 +31,7 @@ profile chrome-gnome-shell @{exec_path} {
 
   owner @{PROC}/@{pid}/mounts r,
 
+  deny @{HOME}/.* r,
+
   include if exists <local/chrome-gnome-shell>
 }

apparmor.d/groups/bus/dbus-daemon

@@ -49,12 +49,12 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
         @{user_share_dirs}/icc/{,edid-*} r,
 
   owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/oom_score_adj rw,
+        @{PROC}/@{pid}/oom_score_adj rw,
         @{PROC}/@{pids}/cmdline r,
-        @{PROC}/sys/kernel/random/boot_id r,
-        @{PROC}/sys/kernel/osrelease r,
         @{PROC}/1/environ r,
         @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/sys/kernel/random/boot_id r,
 
   @{sys}/module/apparmor/parameters/enabled r,
 

apparmor.d/groups/desktop/blueman-mechanism

@@ -8,7 +8,7 @@ include <tunables/global>
 
 @{exec_path} = @{libexec}/blueman-mechanism
 @{exec_path} += /{usr/,}lib/blueman/blueman-mechanism
-profile blueman-mechanism @{exec_path} {
+profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/python>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gnome/gnome-control-center

@@ -37,6 +37,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 
   /usr/share/backgrounds/gnome/* r,
+  /usr/share/egl/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/glvnd/egl_vendor.d/{,*.json} r,
   /usr/share/gnome-background-properties/{,**} r,

apparmor.d/groups/gpg/gpg-agent

@@ -26,33 +26,39 @@ profile gpg-agent @{exec_path} {
   owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw,
   owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/[0-9A-F]*.key rw,
   owner @{HOME}/@{XDG_GPG_DIR}/S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r,
 
   owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/ rw,
   owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/gpg-agent.conf r,
   owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/ rw,
   owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
   owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/{.,}gnupg/sshcontrol r,
 
   owner @{user_tmp_dirs}/**/{.,}gnupg/ rw,
   owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r,
   owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw,
   owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
   owner @{user_tmp_dirs}/**/{.,}gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r,
 
   owner /var/lib/*/.gnupg/ rw,
   owner /var/lib/*/.gnupg/private-keys-v1.d/ rw,
   owner /var/lib/*/.gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
   owner /var/lib/*/.gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner /var/lib/*/.gnupg/sshcontrol r,
 
   owner /var/lib/*/gnupg/ rw,
   owner /var/lib/*/gnupg/private-keys-v1.d/ rw,
   owner /var/lib/*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
   owner /var/lib/*/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw,
+  owner /var/lib/*/gnupg/sshcontrol r,
 
   owner /tmp/tmp.*/gnupg/ rw,
   owner /tmp/tmp.*/gnupg/private-keys-v1.d/ rw,
   owner /tmp/tmp.*/gnupg/private-keys-v1.d/[0-9A-F]*.key rw,
   owner /tmp/tmp.*/gnupg/S.gpg-agent rw,
+  owner /tmp/tmp.*/gnupg/sshcontrol r,
 
   # For debuild
   owner /tmp/dpkg-import-key.*/private-keys-v1.d/ w,

apparmor.d/groups/pacman/mkinitcpio

@@ -56,7 +56,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/modprobe            rPx,
 
   /{usr/,}lib/initcpio/busybox    rix,
-  /{usr/,}lib{,32,64}/ld-*.so     rix,
+  /{usr/,}lib{,32,64}/ld-*.so*    rix,
 
   /etc/fstab r,
   /etc/lvm/lvm.conf r,

apparmor.d/groups/pacman/pacdiff

@@ -18,13 +18,14 @@ profile pacdiff @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pacman-conf  rPx,
   /{usr/,}bin/{,ba,da}sh   rix,
   /{usr/,}bin/cat          rix,
-  /{usr/,}bin/gawk         rix,
-  /{usr/,}bin/tput         rix,
-  /{usr/,}bin/locate       rix,
+  /{usr/,}bin/cmp          rix,
   /{usr/,}bin/find         rix,
+  /{usr/,}bin/gawk         rix,
+  /{usr/,}bin/locate       rix,
+  /{usr/,}bin/pacman-conf  rPx,
+  /{usr/,}bin/tput         rix,
 
   # packages files
   / r,

apparmor.d/groups/pacman/pacman-key

@@ -17,12 +17,15 @@ profile pacman-key @{exec_path} {
 
   /{usr/,}bin/basename     rix,
   /{usr/,}bin/bash         rix,
+  /{usr/,}bin/chmod        rix,
   /{usr/,}bin/gawk         rix,
   /{usr/,}bin/gettext      rix,
   /{usr/,}bin/gpg          rCx -> gpg,
   /{usr/,}bin/grep         rix,
   /{usr/,}bin/pacman-conf  rPx,
+  /{usr/,}bin/touch        rix,
   /{usr/,}bin/tput         rix,
+  /{usr/,}bin/vercmp       rix,
   /{usr/,}bin/wc           rix,
 
   /usr/share/makepkg/{,**} r,

apparmor.d/groups/systemd/bootctl

@@ -22,17 +22,20 @@ profile bootctl @{exec_path} {
 
   /{usr/,}bin/less       rPx -> child-pager,
 
-  /boot/ r,
-  /boot/EFI/{,**} r,
-  /boot/loader/{,**} r,
-  /boot/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
-  /boot/EFI/BOOT/BOOTX64.EFI w,
-  /boot/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
-  /boot/EFI/systemd/systemd-boot*.efi w,
-  /boot/loader/.#bootctlrandom-seed[0-9a-f]* rw,
-  /boot/loader/random-seed w,
+  /{boot,efi}/ r,
+  /{boot,efi}/EFI/{,**} r,
+  /{boot,efi}/loader/{,**} r,
+  /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
+  /{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
+  /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
+  /{boot,efi}/EFI/systemd/systemd-boot*.efi w,
+  /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw,
+  /{boot,efi}/loader/random-seed w,
 
   /etc/machine-id r,
+  /etc/machine-info r,
+
+  @{run}/host/container-manager r,
 
   @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,

apparmor.d/groups/systemd/journalctl

@@ -33,6 +33,8 @@ profile journalctl @{exec_path} {
   /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
   /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
 
+  @{run}/host/container-manager r,
+
   # For --setup-keys and --verify
   owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
   owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,

apparmor.d/groups/systemd/systemd-detect-virt

@@ -13,12 +13,17 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/systemd-common>
 
+  capability net_admin,
+
   @{exec_path} mr,
 
-  @{sys}/devices/virtual/dmi/id/product_name r,
-  @{sys}/devices/virtual/dmi/id/sys_vendor r,
-  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{run}/host/container-manager r,
+
   @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_version r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
 
   # Inherit silencer
   deny /apparmor/.null rw,

apparmor.d/groups/systemd/systemd-journald

@@ -39,6 +39,8 @@ profile systemd-journald @{exec_path} {
   owner @{run}/systemd/journal/{,**} rw,
   owner @{run}/systemd/notify rw,
 
+  @{run}/host/container-manager r,
+
   @{run}/udev/data/c189:[0-9]*  r, # for /dev/bus/usb/**
   @{run}/udev/data/c10:224      r, # for /dev/tpm0
   @{run}/udev/data/c243:0       r,

apparmor.d/groups/systemd/systemd-logind

@@ -32,6 +32,8 @@ profile systemd-logind @{exec_path} flags=(complain) {
 
   /var/lib/systemd/linger/ r,
 
+  @{run}/host/container-manager r,
+
   @{run}/utmp rk,
 
   @{run}/udev/tags/master-of-seat/ r,
@@ -74,6 +76,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
 
   @{sys}/module/vt/parameters/default_utf8 r,
   @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
+  @{sys}/fs/cgroup/memory.max r,
   @{sys}/devices/virtual/tty/tty[0-9]*/active r,
   @{sys}/devices/**/{uevent,enabled,status} r,
   @{sys}/devices/**/brightness rw,
@@ -89,8 +92,10 @@ profile systemd-logind @{exec_path} flags=(complain) {
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/@{pid}/comm r,
   @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/mountinfo r,
   @{PROC}/@{pid}/sessionid r,
   @{PROC}/@{pid}/stat r,
+  @{PROC}/1/cmdline r,
   @{PROC}/swaps r,
   @{PROC}/sysvipc/{shm,sem,msg} r,
 

apparmor.d/groups/systemd/systemd-remount-fs

@@ -13,5 +13,11 @@ profile systemd-remount-fs @{exec_path} {
 
   @{exec_path} mr,
 
+  /etc/fstab r,
+
+  @{run}/host/container-manager r,
+
+  @{PROC}/1/cmdline r,
+
   include if exists <local/systemd-remount-fs>
 }

apparmor.d/groups/systemd/systemd-sysusers

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/systemd-sysusers
 profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/systemd-common>
 
   @{exec_path} mr,
 
@@ -34,9 +35,6 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   /etc/.#{group,gshadow}[0-9a-zA-Z]* rw,
   /etc/.pwd.lock rwk,
 
-  owner @{PROC}/@{pid}/stat r,
-        @{PROC}/sys/kernel/random/boot_id r,
-
   # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -49,6 +49,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/system/cpu/microcode/reload w,
 
   @{PROC}/@{pid}/net/unix r,
+  @{PROC}/1/cmdline r,
 
   deny /apparmor/.null rw,
 

apparmor.d/groups/systemd/systemd-update-done

@@ -21,6 +21,9 @@ profile systemd-update-done @{exec_path} {
   /var/.#.updated[0-9a-zA-Z]* rw,
   /var/.updated w,
 
+  @{run}/host/container-manager r,
+
+  @{PROC}/1/cmdline r,
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,

apparmor.d/groups/systemd/systemd-update-utmp

@@ -22,6 +22,9 @@ profile systemd-update-utmp @{exec_path} {
   owner /var/log/wtmp rwk,
   owner @{run}/utmp rwk,
 
+  @{run}/host/container-manager r,
+
+  @{PROC}/1/cmdline r,
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,

apparmor.d/groups/systemd/systemd-user-sessions

@@ -20,6 +20,9 @@ profile systemd-user-sessions @{exec_path} {
   owner @{run}/.#nologin rw,
   owner @{run}/nologin rw,
 
+  @{run}/host/container-manager r,
+
+  @{PROC}/1/cmdline r,
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,

apparmor.d/profiles-a-f/btrfs

@@ -46,5 +46,7 @@ profile btrfs @{exec_path} {
   owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
   owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
 
+  /dev/btrfs-control rw,
+
   include if exists <local/btrfs>
 }

apparmor.d/profiles-g-l/kmod

@@ -27,6 +27,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
   # Needed for static-nodes
   capability dac_override,
 
+  capability mknod,
+
   unix (receive) type=stream,
 
   @{exec_path} mrix,
@@ -43,6 +45,8 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
   /var/lib/dkms/**/module/*.ko r,
   /usr/src/*/*.ko r,
 
+  /var/tmp/dracut.*/{,**} rw,
+
   @{sys}/module/{,**} r,
 
   @{PROC}/cmdline r,

apparmor.d/profiles-m-r/mke2fs

@@ -18,6 +18,8 @@ profile mke2fs @{exec_path} {
   /{usr/,}bin/{,ba,da}sh rix,
   /{usr/,}{s,}bin/badblocks rPx,
 
+  /usr/share/file/misc/magic.mgc r,
+
   /etc/mke2fs.conf r,
 
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/profiles-m-r/qbittorrent

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2015-2020 Mikhail Morfikov
+# Copyright (C) 2015-2022 Mikhail Morfikov
+# Copyright (C) 2022 nobodysu
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,

apparmor.d/profiles-s-z/xdg-permission-store

@@ -16,6 +16,8 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{HOME}/@{XDG_DATA_HOME}/flatpak/db/gnome rw,
+
+  @{user_share_dirs}/flatpak/db/.goutputstream-* r,
   @{user_share_dirs}/flatpak/db/background r,
 
   /dev/tty[0-9]* rw,