feat(profile): start using new abstraction.

2025-01-18 08:58:15 +01:00 · 2023-12-19 23:29:15 +00:00 · 2023-12-19 23:29:15 +00:00 · b7140c9b2b
commit b7140c9b2b
parent 9f49052529
33 changed files with 44 additions and 196 deletions
--- a/apparmor.d/abstractions/freedesktop.org.d/complete
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete
@ -8,6 +8,8 @@
  @{system_share_dirs}/xfce4/applications/{,**} r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/mime/ r,
  /etc/gnome/defaults.list r,
  /etc/xfce4/defaults.list r,  
--- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource
+++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource
@ -9,13 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_akonotes_resource
 profile akonadi_akonotes_resource @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent
+++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent
@ -9,21 +9,17 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_archivemail_agent
 profile akonadi_archivemail_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
  /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
  /usr/share/hwdata/*.ids r,
  /usr/share/mime/{,**} r,
  /etc/machine-id r,
  /etc/xdg/kdeglobals r,
--- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource
+++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource
@ -9,13 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_birthdays_resource
 profile akonadi_birthdays_resource @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/akonadi/akonadi_contacts_resource
+++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource
@ -9,14 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_contacts_resource
 profile akonadi_contacts_resource @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/akonadi/akonadi_control
+++ b/apparmor.d/groups/akonadi/akonadi_control
@ -9,15 +9,12 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_control
 profile akonadi_control @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/freedesktop.org>
  include <abstractions/fonts>
-  include <abstractions/mesa>
+  include <abstractions/freedesktop.org>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  include <abstractions/qt5>
  include <abstractions/X-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
+++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
@ -9,15 +9,12 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_followupreminder_agent
 profile akonadi_followupreminder_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  include <abstractions/qt5>
  include <abstractions/X-strict>
  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/groups/akonadi/akonadi_ical_resource
+++ b/apparmor.d/groups/akonadi/akonadi_ical_resource
@ -9,11 +9,8 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_ical_resource
 profile akonadi_ical_resource @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dri-common>
+  include <abstractions/graphics>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/akonadi/akonadi_indexing_agent
+++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent
@ -9,14 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_indexing_agent
 profile akonadi_indexing_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
@ -27,7 +24,6 @@ profile akonadi_indexing_agent @{exec_path} {
  /usr/share/akonadi/plugins/serializer/*.desktop r,
  /usr/share/hwdata/*.ids r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/mime/{,**} r,
  /etc/machine-id r,
  /etc/xdg/kdeglobals r,
--- a/apparmor.d/groups/akonadi/akonadi_maildir_resource
+++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource
@ -9,21 +9,17 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_maildir_resource
 profile akonadi_maildir_resource @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
  /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
  /usr/share/hwdata/*.ids r,
  /usr/share/mime/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /etc/xdg/kdeglobals r,
--- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
+++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
@ -9,16 +9,13 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_maildispatcher_agent
 profile akonadi_maildispatcher_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/qt5>
  include <abstractions/ssl_certs>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  network inet dgram,
@ -34,7 +31,6 @@ profile akonadi_maildispatcher_agent @{exec_path} {
  /usr/share/hwdata/*.ids r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/knotifications5/akonadi_maildispatcher_agent.notifyrc r,
  /usr/share/mime/{,**} r,
  /etc/xdg/kdeglobals r,
  /etc/xdg/kwinrc r,
--- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
@ -9,14 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_mailfilter_agent
 profile akonadi_mailfilter_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  ptrace (read) peer=akonadi_archivemail_agent,
@ -28,7 +25,6 @@ profile akonadi_mailfilter_agent @{exec_path} {
  /usr/share/hwdata/*.ids r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/mime/{,**} r,
  /etc/machine-id r,
  /etc/xdg/kdeglobals r,
@ -60,9 +56,6 @@ profile akonadi_mailfilter_agent @{exec_path} {
  owner @{user_share_dirs}/akonadi/file_db_data/{,**} rw,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,
  @{PROC}/sys/kernel/core_pattern r,
  @{PROC}/sys/kernel/random/boot_id r,
--- a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent
@ -9,13 +9,10 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_mailmerge_agent
 profile akonadi_mailmerge_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  network inet dgram,
--- a/apparmor.d/groups/akonadi/akonadi_migration_agent
+++ b/apparmor.d/groups/akonadi/akonadi_migration_agent
@ -9,14 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_migration_agent
 profile akonadi_migration_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
+++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
@ -9,21 +9,17 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_newmailnotifier_agent
 profile akonadi_newmailnotifier_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
  /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
  /usr/share/hwdata/*.ids r,
  /usr/share/mime/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/knotifications5/akonadi_newmailnotifier_agent.notifyrc r,
--- a/apparmor.d/groups/akonadi/akonadi_notes_agent
+++ b/apparmor.d/groups/akonadi/akonadi_notes_agent
@ -9,14 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_notes_agent
 profile akonadi_notes_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  network inet dgram,
@ -28,7 +25,6 @@ profile akonadi_notes_agent @{exec_path} {
  /usr/share/hwdata/*.ids r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/mime/{,**} r,
  /etc/xdg/kdeglobals r,
  /etc/xdg/kwinrc r,
--- a/apparmor.d/groups/akonadi/akonadi_sendlater_agent
+++ b/apparmor.d/groups/akonadi/akonadi_sendlater_agent
@ -9,14 +9,11 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_sendlater_agent
 profile akonadi_sendlater_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  network inet dgram,
@ -28,7 +25,6 @@ profile akonadi_sendlater_agent @{exec_path} {
  /usr/share/hwdata/*.ids r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/mime/{,**} r,
  /etc/xdg/kdeglobals r,
  /etc/xdg/kwinrc r,
@ -44,9 +40,6 @@ profile akonadi_sendlater_agent @{exec_path} {
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kwinrc r,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,
  @{PROC}/sys/kernel/core_pattern r,
  /dev/tty r,
--- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
+++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
@ -9,20 +9,16 @@ include <tunables/global>
@{exec_path} = @{bin}/akonadi_unifiedmailbox_agent
 profile akonadi_unifiedmailbox_agent @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
  /usr/share/hwdata/*.ids r,
  /usr/share/mime/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /etc/xdg/kdeglobals r,
@ -38,9 +34,6 @@ profile akonadi_unifiedmailbox_agent @{exec_path} {
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kwinrc r,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node@{int}/meminfo r,
  @{PROC}/sys/kernel/core_pattern r,
  /dev/tty r,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -25,20 +25,16 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.RealtimeKit1>
  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
+  include <abstractions/graphics-full>
  include <abstractions/freedesktop.org>
  include <abstractions/gstreamer>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/ssl_certs>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download-strict>
  include <abstractions/user-read>
  include <abstractions/vulkan>
  # userns,
@ -121,9 +117,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  /usr/share/@{name}/{,**} r,
  /usr/share/doc/{,**} r,
  /usr/share/egl/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/libdrm/*.ids r,
  /usr/share/mozilla/extensions/{,**} r,
  /usr/share/webext/{,**} r,
  /usr/share/xul-ext/kwallet5/* r,
@ -132,7 +125,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  /etc/cups/client.conf r,
  /etc/fstab r,
  /etc/igfx_user_feature{,_next}.txt w,
  /etc/libva.conf r,
  /etc/mailcap r,
  /etc/mime.types r,
  /etc/opensc.conf r,
@ -145,9 +137,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/ r,
  owner @{HOME}/.cups/lpoptions r,
  owner @{user_cache_dirs}/ rw,
  owner @{user_config_dirs}/ r,
  owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
  owner @{user_config_dirs}/ibus/bus/ r,
  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
@ -156,7 +145,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  owner @{user_config_dirs}/kioslaverc r,
  owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/applications/userapp-Firefox-@{rand6}.desktop{,.@{rand6}} rw,
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,
@ -206,10 +194,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/**/uevent r,
  @{sys}/devices/@{pci}/ r,
  @{sys}/devices/@{pci}/drm/card@{int}/ r,
-  @{sys}/devices/@{pci}/drm/renderD[0-9]*/ r,
+  @{sys}/devices/@{pci}/drm/renderD128/ r,
-  @{sys}/devices/@{pci}/irq r,
+  @{sys}/devices/@{pci}/drm/renderD129/ r,
  @{sys}/devices/system/cpu/cpu@{int}/cache/index[0-9]/size r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
  @{sys}/devices/system/cpu/present r,
  @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
@ -219,7 +205,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
        @{PROC}/@{pid}/net/if_inet6 r,
        @{PROC}/@{pid}/net/route r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
  owner @{PROC}/@{pid}/mountinfo r,
@ -241,15 +226,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
        /dev/shm/ r,
        /dev/tty rw,
        /dev/video@{int} rw,
  owner /dev/dri/card@{int} rw, # File Inherit
  owner /dev/shm/org.chromium.* rw,
  owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
  owner /dev/tty@{int} rw, # File Inherit
  # X-tiny
  /tmp/.X0-lock r,
  # Silencer
  deny @{lib_dirs}/** w,
  deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@ -16,13 +16,10 @@ include <tunables/global>
 profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
+  include <abstractions/nameservice-strict>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/nameservice>
  include <abstractions/openssl>
  include <abstractions/wayland>
  signal (receive) set=(term, kill) peer=firefox,
@ -37,8 +34,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
  @{bin}/mv rix,
  /usr/share/X11/xkb/** r,
  owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw,
  owner @{config_dirs}/*.*/crashes/{,**} rw,
  owner @{config_dirs}/*.*/crashes/events/@{uuid} rw,
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@ -13,12 +13,8 @@ include <tunables/global>
@{exec_path} = @{lib_dirs}/glxtest
 profile firefox-glxtest @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dri-common>
+  include <abstractions/graphics>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  @{exec_path} mr,
@ -27,9 +23,6 @@ profile firefox-glxtest @{exec_path} {
  owner /tmp/@{name}/.parentlock rw,
  @{sys}/bus/pci/devices/ r,
  @{sys}/devices/@{pci}/class r,
  owner @{PROC}/@{pid}/cmdline r,
  include if exists <local/firefox-glxtest>
--- a/apparmor.d/groups/browsers/firefox-kmozillahelper
+++ b/apparmor.d/groups/browsers/firefox-kmozillahelper
@ -9,11 +9,9 @@ include <tunables/global>
@{exec_path} = @{lib}/mozilla/kmozillahelper
 profile firefox-kmozillahelper @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5-settings-write>
  include <abstractions/qt5>
@ -31,7 +29,6 @@ profile firefox-kmozillahelper @{exec_path} {
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/knotifications5/*.notifyrc r,
  /usr/share/kservices5/{,**} r,
  /usr/share/mime/ r,
  /usr/share/sounds/{,**} r,
  /etc/pulse/client.conf r,
--- a/apparmor.d/groups/browsers/firefox-vaapitest
+++ b/apparmor.d/groups/browsers/firefox-vaapitest
@ -13,23 +13,16 @@ include <tunables/global>
@{exec_path} = @{lib_dirs}/vaapitest
 profile firefox-vaapitest @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dri-enumerate>
+  include <abstractions/graphics>
  include <abstractions/dri-common>
  include <abstractions/nvidia>
  include <abstractions/vulkan>
  network netlink raw,
  @{exec_path} mr,
  /etc/igfx_user_feature{,_next}.txt w,
  /etc/libva.conf r,
  owner /tmp/@{name}/.parentlock rw,
  @{sys}/devices/@{pci}/{irq,revision,resource} r,
  @{sys}/devices/@{pci}/config r,
  deny @{config_dirs}/firefox/*/.parentlock rw,
  deny @{config_dirs}/firefox/*/startupCache/** r,
  deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -18,8 +18,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
-  include <abstractions/dri-common>
+  include <abstractions/dri>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
  include <abstractions/mesa>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -21,18 +21,13 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/bus/org.gnome.Shell.Introspect>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
-  include <abstractions/fonts>
+  include <abstractions/gnome-strict>
-  include <abstractions/freedesktop.org>
+  include <abstractions/graphics>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/thumbnails-cache-read>
  include <abstractions/user-download>
  include <abstractions/user-write>
  include <abstractions/wayland>
  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
@ -53,8 +48,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  @{exec_path} mr,
  /usr/share/X11/xkb/{,**} r,
  / r,
  owner /var/lib/xkb/server-@{int}.xkm rw,
@ -65,7 +58,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  owner @{HOME}/@{XDG_DATA_DIR}/ r,
  owner /tmp/runtime-*/xauth_@{rand6} r,
  owner /tmp/xauth_@{rand6} r,
        @{run}/mount/utab r,
        @{run}/user/@{uid}/xauth_@{rand6} rl,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@ -9,13 +9,10 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-kde
 profile xdg-desktop-portal-kde @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/freedesktop.org>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  network inet dgram,
  network inet6 dgram,
@ -27,7 +24,6 @@ profile xdg-desktop-portal-kde @{exec_path} {
  /usr/share/hwdata/pnp.ids r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/share/mime/{,**} r,
  /usr/share/qt5/qtlogging.ini r,
  /etc/xdg/kdeglobals r,
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -15,13 +15,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
+  include <abstractions/graphics>
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/vulkan>
  capability dac_override,
  capability dac_read_search,
--- a/apparmor.d/groups/freedesktop/xwayland
+++ b/apparmor.d/groups/freedesktop/xwayland
@ -9,12 +9,8 @@ include <tunables/global>
@{exec_path}  = @{bin}/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
+  include <abstractions/graphics>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  signal (receive) set=(term hup) peer=gdm*,
@ -29,10 +25,8 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
  @{bin}/{,ba,da}sh rix,
  @{bin}/xkbcomp    rPx,
  /usr/share/egl/{,**} r,
  /usr/share/fonts/{,**} r,
  /usr/share/ghostscript/fonts/{,**} r,
  /usr/share/libdrm/*.ids r,
  owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
@ -41,10 +35,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/server-@{int}.xkm rw,
  owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw,
  @{sys}/bus/pci/devices/ r,
  @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pids}/comm r,
  /dev/tty@{int} rw,
  /dev/tty rw,
--- a/apparmor.d/groups/gnome/epiphany-search-provider
+++ b/apparmor.d/groups/gnome/epiphany-search-provider
@ -10,17 +10,13 @@ include <tunables/global>
 profile epiphany-search-provider @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/enchant>
  include <abstractions/fonts>
  include <abstractions/gnome-strict>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/nvidia>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/vulkan>
  include <abstractions/X-strict>
  network inet dgram,
@ -49,7 +45,6 @@ profile epiphany-search-provider @{exec_path} {
        @{PROC}/zoneinfo r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,
  deny @{user_share_dirs}/gvfs-metadata/* r,
--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@ -16,7 +16,7 @@ profile evolution-alarm-notify @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
-  include <abstractions/opencl>
+  include <abstractions/graphics>
  include <abstractions/openssl>
  network netlink raw,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -19,14 +19,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gnome-strict>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/openssl>
  include <abstractions/vulkan>
  network netlink raw,
@ -59,7 +55,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /etc/openni2/OpenNI.ini r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/egl/{,**} r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@ -11,11 +11,8 @@ profile gnome-calculator-search-provider @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gnome-strict>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/vulkan>
  signal (send) set=kill peer=unconfined,
@ -28,11 +25,8 @@ profile gnome-calculator-search-provider @{exec_path} {
  @{bin}/* rPUx,
  /usr/share/nvidia/nvidia-application-profiles-*-rc r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,
  include if exists <local/gnome-calculator-search-provider>
 }
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@ -19,13 +19,11 @@ profile gnome-calendar @{exec_path} {
  include <abstractions/bus/org.freedesktop.timedate1>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/vulkan>
  network netlink raw,
@ -42,7 +40,6 @@ profile gnome-calendar @{exec_path} {
  @{exec_path} mr,
  /usr/share/egl/{,**} r,
  /usr/share/evolution-data-server/{,**} r,
  /usr/share/libgweather/Locations.xml r,