From b79a1fcd31e9597a6734f9b0744cba9c5fd9edfb Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 19 Nov 2023 11:08:35 +0000
Subject: [PATCH] feat(profile): general update. Also include some preparation for the systemd profile.
---
apparmor.d/groups/apt/apt | 2 +-
apparmor.d/groups/children/child-open | 1 +
apparmor.d/groups/freedesktop/colord | 9 +++----
apparmor.d/groups/freedesktop/polkitd | 4 ++--
.../freedesktop/update-desktop-database | 5 ++++
.../freedesktop/xdg-desktop-portal-gnome | 1 +
apparmor.d/groups/freedesktop/xorg | 6 +----
apparmor.d/groups/gnome/gdm-x-session | 5 ++--
apparmor.d/groups/gnome/gnome-shell | 2 +-
apparmor.d/groups/gnome/gsd-xsettings | 2 ++
apparmor.d/groups/pacman/pacman | 2 ++
apparmor.d/groups/ssh/sshfs | 24 +++++++++----------
apparmor.d/groups/systemd/systemd-homed | 2 ++
apparmor.d/groups/systemd/systemd-hostnamed | 10 +++++---
apparmor.d/groups/systemd/systemd-journald | 9 +++----
apparmor.d/groups/systemd/systemd-logind | 2 ++
.../groups/systemd/systemd-modules-load | 2 ++
apparmor.d/groups/systemd/systemd-networkd | 2 ++
apparmor.d/groups/systemd/systemd-resolved | 2 ++
apparmor.d/groups/systemd/systemd-timesyncd | 11 +++++----
apparmor.d/groups/systemd/systemd-udevd | 4 +++-
.../groups/systemd/systemd-user-runtime-dir | 4 ++--
apparmor.d/groups/systemd/systemd-userdbd | 3 +++
apparmor.d/groups/systemd/systemd-userwork | 1 +
apparmor.d/profiles-a-f/fwupd | 2 +-
apparmor.d/profiles-g-l/haveged | 4 ++--
apparmor.d/profiles-g-l/irqbalance | 2 +-
apparmor.d/profiles-g-l/lvm | 1 +
apparmor.d/profiles-m-r/packagekitd | 5 +++-
apparmor.d/profiles-m-r/rngd | 3 ++-
apparmor.d/profiles-s-z/sudo | 2 +-
31 files changed, 86 insertions(+), 48 deletions(-)
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 9f057e79..bcec1d2f 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -120,7 +120,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - /var/cache/apt/ r, + /var/cache/apt/ rw, /var/cache/apt/** rwk, /var/crash/{,*.@{uid}.crash} rw,
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index f7ffc320..406e6891 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -69,6 +69,7 @@ profile child-open { @{bin}/engrampa rPx, @{bin}/eog rPUx, @{bin}/evince rPx, + @{bin}/extension-manager rPx, @{bin}/file-roller rPUx, @{bin}/filezilla rPx, @{bin}/flameshot rPx,
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index ab83a7ff..0b490b8a 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -57,8 +57,7 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{lib}/colord/colord-sane rPx, - @{lib}/colord-sane rPx, + @{lib}/{,colord/}colord-sane rPx, /etc/machine-id r, /etc/udev/hwdb.bin r,
@@ -79,16 +78,18 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, + @{run}/udev/data/+pci:* r, @{run}/udev/data/c81:@{int} r, # For video4linux @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, - @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, + @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, include if exists }
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 4126867e..fb5b210f 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
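Review bot: In the second colord hunk the rewritten drm rule mixes `card@{int}` for the card directory with `card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*` for the connector entry, so a connector on a card numbered 10 or above (presumably matched by `@{int}`, not by the single-character `[0-9]`) would match the directory but never the entry. Writing `card@{int}-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid}` keeps both halves of the rule consistent with the `@{pci}`/`@{int}` style the hunk adopts elsewhere. The colord profile body continues outside the hunk.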
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/{,polkit-1/}polkitd -profile polkitd @{exec_path} { +profile polkitd @{exec_path} flags=(attach_disconnected) { include include include
@@ -58,8 +58,8 @@ profile polkitd @{exec_path} { /usr/share/polkit-1/actions/*.policy r, /usr/share/polkit-1/actions/*.policy.choice r, - owner /var/lib/polkit{,-1}/.cache/ rw, /var/lib/polkit{,-1}/localauthority/{,**} r, + owner /var/lib/polkit{,-1}/.cache/ rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r,
diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database
index 46735b40..096c44a6 100644
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
@@ -34,6 +34,11 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) { /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw, /var/lib/snapd/desktop/applications/mimeinfo.cache w, + owner @{user_share_dirs}/.mimeinfo.cache.* rw, + owner @{user_share_dirs}/{,**/} r, + owner @{user_share_dirs}/**.desktop r, + owner @{user_share_dirs}/mimeinfo.cache w, + # Inherit silencer deny network inet6 stream, deny network inet stream,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index a259bbe3..a7a684f8 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -20,6 +20,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include + include include include include
diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg
index 9a2d133d..3abee290 100644
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
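Review bot: `flags=(attach_disconnected)` is added to the polkitd profile header with no comment saying which disconnected path was being denied, and the same bare flag is added to the irqbalance and rngd headers later in this patch. The flag makes the whole profile treat paths that are disconnected from the namespace root as if they were attached, so a one-line note on the header naming the trigger, e.g. `# attach_disconnected: for <denied path, to confirm>`, would let a later reviewer judge whether it is still needed. The polkitd profile body continues outside both hunks.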
@@ -22,6 +22,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, capability dac_read_search, capability ipc_owner, capability perfmon,
@@ -30,11 +31,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_rawio, - # These can be denied? - #audit capability dac_override, - #audit capability sys_nice, - #capability sys_tty_config, - signal (send) set=(usr1), signal (receive) peer=lightdm,
diff --git a/apparmor.d/groups/gnome/gdm-x-session b/apparmor.d/groups/gnome/gdm-x-session
index db6a8d34..cd6d9eaf 100644
--- a/apparmor.d/groups/gnome/gdm-x-session
+++ b/apparmor.d/groups/gnome/gdm-x-session
@@ -35,10 +35,11 @@ profile gdm-x-session @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/Xorg rPx, + @{bin}/dbus-daemon rPx, @{bin}/dbus-run-session rPx, - /etc/gdm{3,}/Xsession rPx, + @{bin}/Xorg rPx, /etc/gdm{3,}/Prime/Default rix, + /etc/gdm{3,}/Xsession rPx, /usr/share/gdm/gdm.schemas r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index c756b5fa..da4a5478 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -524,7 +524,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/.config/pulse/client.conf r, /var/lib/gdm{3,}/.config/pulse/cookie rwk, /var/lib/gdm{3,}/.local/share/applications/{,**} r, - /var/lib/gdm{3,}/.local/share/gnome-shell/ rw, + /var/lib/gdm{3,}/.local/share/gnome-shell/{,**} rw, /var/lib/gdm{3,}/.local/share/icc/{,*} rw, /var/lib/gdm{3,}/greeter-dconf-defaults r,
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 76db087c..3979cbcc 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
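Review bot: The new `capability dac_override,` in the first xorg hunk replaces the `#audit capability dac_override,` line removed under "These can be denied?" in the second hunk, so the open question is resolved by granting the capability outright with no rationale recorded. Since dac_override lets the server bypass file permission checks entirely, the line should carry a comment naming the access that needs it, e.g. `capability dac_override, # TODO: document the denied access that requires this`, and `audit capability dac_override,` would keep a log trail until that access is confirmed. The xorg profile body continues outside both hunks.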
@@ -137,7 +137,9 @@ profile gsd-xsettings @{exec_path} { @{etc_ro}/xdg/Xwayland-session.d/ r, @{etc_ro}/xdg/Xwayland-session.d/* rix, + /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r, /var/lib/gdm{3,}/.config/dconf/user r, + /var/lib/gdm3/greeter-dconf-defaults r, owner @{user_cache_dirs}/mesa_shader_cache/index rw,
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman
index acec19ad..6c73607b 100644
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@@ -93,6 +93,8 @@ profile pacman @{exec_path} { @{bin}/perl rix, @{bin}/pkgfile rPUx, @{bin}/pkill rix, + @{bin}/mkdir rix, + @{bin}/setfacl rix, @{bin}/pwd rix, @{bin}/rm rix, @{bin}/rsync rix,
diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs
index 7791871a..b5ef540d 100644
--- a/apparmor.d/groups/ssh/sshfs
+++ b/apparmor.d/groups/ssh/sshfs
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi ,
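Review bot: The added `/var/lib/gdm3/greeter-dconf-defaults r,` hard-codes `gdm3` while the line just above it and the new fontconfig rule in the same gsd-xsettings hunk use `/var/lib/gdm{3,}/`, so on systems whose gdm state directory is `/var/lib/gdm` the new rule never matches; write it as `/var/lib/gdm{3,}/greeter-dconf-defaults r,`. The gsd-xsettings profile body continues outside the hunk.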
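Review bot: In the pacman hunk the added `@{bin}/mkdir rix,` and `@{bin}/setfacl rix,` are inserted between `pkill` and `pwd`, breaking the alphabetical order the surrounding exec rules keep; `mkdir` belongs before `perl` and `setfacl` after `rsync`. Keeping the list sorted is what makes a later reviewer notice a duplicate or a stray entry. The pacman profile body continues outside the hunk.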
@@ -10,41 +11,40 @@ include profile sshfs @{exec_path} flags=(complain) { include - @{exec_path} mr, + mount fstype=fuse.sshfs -> @{HOME}/*/, + mount fstype=fuse.sshfs -> @{HOME}/*/*/, unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + @{exec_path} mr, + @{bin}/ssh rPx, @{bin}/fusermount{,3} rCx -> fusermount, - /dev/fuse rw, - - mount fstype=fuse.sshfs -> @{HOME}/*/, - mount fstype=fuse.sshfs -> @{HOME}/*/*/, - @{PROC}/sys/fs/pipe-max-size r, + /dev/fuse rw, profile fusermount flags=(complain) { include include - # To mount anything: capability sys_admin, + mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, + mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, + unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), @{bin}/fusermount{,3} mr, - mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, - mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/*/, - /etc/fuse.conf r, - /dev/fuse rw, - @{PROC}/@{pid}/mounts r, + /dev/fuse rw, + + include if exists } include if exists
diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed
index 4c09badd..13016266 100644
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@@ -68,7 +68,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/uevent_seqnum r, @{sys}/devices/**/read_ahead_kb r, + @{PROC}/@{pid}/cgroup r, @{PROC}/devices r, + @{PROC}/pressure/* r, @{PROC}/sysvipc/{shm,sem,msg} r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 490ab3ca..4c8609f9 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
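Review bot: The new `@{PROC}/@{pid}/cgroup r,` in systemd-homed is not qualified with `owner`, unlike the neighbouring `owner @{PROC}/@{pid}/gid_map w,` and `owner @{PROC}/@{pid}/mountinfo r,`; as written it permits reading the cgroup file of any process the pattern matches, not only the daemon's own. Unless a cross-process read is intended, `owner @{PROC}/@{pid}/cgroup r,` is the tighter form, and the same applies to the identical line added to systemd-networkd, systemd-resolved, systemd-timesyncd and systemd-userdbd later in this patch. The `@{PROC}/pressure/* r,` lines are global files and are fine without it. The systemd-homed profile body continues outside the hunk.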
@@ -15,6 +15,13 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { capability sys_admin, # To set a hostname + dbus bind bus=system name=org.freedesktop.hostname1, + + dbus receive bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.hostname1 member=SetHostname peer=(name=:*, label=systemd//&systemd-networkd), + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName,GetConnectionUnixUser}
@@ -35,9 +42,6 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { member=Set*Hostname peer=(name=:*, label=hostnamectl), - dbus bind bus=system - name=org.freedesktop.hostname[0-9], - @{exec_path} mr, @{etc_rw}/.#hostname* rw,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index b168c5f4..4899546a 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -70,12 +70,13 @@ profile systemd-journald @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/module/printk/parameters/time r, - @{PROC}/@{pids}/comm r, - @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/attr/current r, - @{PROC}/@{pids}/sessionid r, - @{PROC}/@{pids}/loginuid r, @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/comm r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/@{pids}/sessionid r, + @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, /dev/kmsg rw,
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index a7d3fa06..925ad73b 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -66,6 +66,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { /etc/systemd/sleep.conf r, /etc/systemd/logind.conf.d/{,**} r, + / r, /boot/{,**} r, /swap/swapfile r, /swapfile r,
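Review bot: The new `dbus receive ... member=SetHostname` rule in the first systemd-hostnamed hunk restricts its peer to `label=systemd//&systemd-networkd`, a stacked label that depends on a `systemd` profile the commit message only describes as being prepared for; until that profile is loaded, networkd's SetHostname calls will not match this rule. That is safe as a deny-by-default, but it is worth recording above the rule, e.g. `# TODO: needs the systemd profile (stacked label)`, so nobody later loosens the peer to make it work. Replacing `name=org.freedesktop.hostname[0-9]` with `name=org.freedesktop.hostname1` in the second hunk is a welcome tightening. The profile body continues outside both hunks.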
@@ -138,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) { @{PROC}/@{pid}/sessionid r, @{PROC}/@{pid}/stat r, @{PROC}/1/cmdline r, + @{PROC}/pressure/* r, @{PROC}/swaps r, @{PROC}/sysvipc/{shm,sem,msg} r,
diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load
index 6d816083..07268038 100644
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@@ -25,5 +25,7 @@ profile systemd-modules-load @{exec_path} { /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, + @{sys}/module/compression r, + include if exists }
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index 88007715..5b6499bf 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -76,6 +76,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, @{PROC}/sys/net/ipv{4,6}/** rw, include if exists
diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved
index 4637e76a..2cf7ecf2 100644
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { @{run}/systemd/resolve/{,**} rw, owner @{run}/systemd/journal/socket w, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd
index d9324bdb..f6e9ddda 100644
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@@ -21,13 +21,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, + dbus bind bus=system name=org.freedesktop.timesync1, + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} peer=(name=org.freedesktop.DBus, label=dbus-daemon), - dbus bind bus=system name=org.freedesktop.timesync1, - @{exec_path} mr, @{etc_rw}/adjtime r,
@@ -36,11 +36,14 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { owner /var/lib/systemd/timesync/clock rw, - owner @{run}/systemd/journal/socket w, - owner @{run}/systemd/timesync/synchronized rw, @{run}/resolvconf/*.conf r, @{run}/systemd/netif/state r, @{run}/systemd/notify rw, + owner @{run}/systemd/journal/socket w, + owner @{run}/systemd/timesync/synchronized rw, + + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, include if exists }
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd
index 7ae92f1e..0ac7717c 100644
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@@ -108,13 +108,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/** rw, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/devices r, @{PROC}/driver/nvidia/gpus/ r, @{PROC}/driver/nvidia/gpus/*/information r, + @{PROC}/pressure/* r, + @{PROC}/sys/fs/nr_open r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, - @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/oom_score_adj rw, /dev/ rw,
diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir
index 9037b992..18166ec9 100644
--- a/apparmor.d/groups/systemd/systemd-user-runtime-dir
+++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir
@@ -22,10 +22,10 @@ profile systemd-user-runtime-dir @{exec_path} { mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/, umount @{run}/user/@{uid}/, - dbus send bus=system path=/org/freedesktop/login[0-9] + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=Get - peer=(name=org.freedesktop.login[0-9]), + peer=(name=org.freedesktop.login1), @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd
index 3ef93d22..d4b2ddda 100644
--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@@ -30,5 +30,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/userdb/{,**} rw, + @{PROC}/@{pid}/cgroup r, + @{PROC}/pressure/* r, + include if exists }
\ No newline at end of file
diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork
index a3b5b1fa..3732f425 100644
--- a/apparmor.d/groups/systemd/systemd-userwork
+++ b/apparmor.d/groups/systemd/systemd-userwork
@@ -17,6 +17,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /etc/machine-id r, + /etc/shadow r, @{run}/systemd/userdb/ r,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index fcb9bc5a..fad36516 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -100,7 +100,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /boot/EFI/*/.goutputstream-@{rand6} rw, /boot/EFI/*/fw/fwupd-*.cap{,.*} rw, /boot/EFI/*/fwupdx@{int}.efi rw, - @{lib}/fwupd/efi/fwupdx@{int}.efi r, + @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r, /etc/machine-id r, /var/lib/dbus/machine-id r,
diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged
index da4bc0a7..48d3dd08 100644
--- a/apparmor.d/profiles-g-l/haveged
+++ b/apparmor.d/profiles-g-l/haveged
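Review bot: `/etc/shadow r,` in the systemd-userwork hunk is the most sensitive grant in this patch — read access to the local password hashes — and it lands between `/etc/machine-id r,` and `@{run}/systemd/userdb/ r,` with no comment on why the worker needs it. A grant of that weight should carry its justification inline, e.g. `/etc/shadow r, # TODO: document which userdb lookup reads the shadow entry`, so a later audit can check it is still required and still read-only. The systemd-userwork profile body continues outside the hunk.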
@@ -25,8 +25,8 @@ profile haveged @{exec_path} { @{PROC}/sys/kernel/random/write_wakeup_threshold w, /dev/random w, - @{sys}/devices/system/cpu/cpu*/cache/ r, - @{sys}/devices/system/cpu/cpu*/cache/index*/{type,size,level} r, + @{sys}/devices/system/cpu/cpu@{int}/cache/ r, + @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r, include if exists }
diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance
index 37b88831..4c4d3374 100644
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/irqbalance -profile irqbalance @{exec_path} { +profile irqbalance @{exec_path} flags=(attach_disconnected) { include capability setpcap,
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
index b6fdeced..1760ae92 100644
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@@ -27,6 +27,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { @{etc_rw}/lvm/** rwkl, + @{run}/lock/ rw, @{run}/lock/lvm/ rw, @{run}/lock/lvm/* rwk, @{run}/lvm/** rwk,
diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd
index 94949bdd..9c4030e1 100644
--- a/apparmor.d/profiles-m-r/packagekitd
+++ b/apparmor.d/profiles-m-r/packagekitd
@@ -101,14 +101,16 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { @{bin}/appstreamcli rPx, @{bin}/arch-audit rPx, # only: arch @{bin}/dpkg rPx -> child-dpkg, # only: dpkg + @{bin}/fc-cache rPx @{bin}/glib-compile-schemas rPx, + @{bin}/install-info rPx @{bin}/systemd-inhibit rPx, @{bin}/update-desktop-database rPx, @{lib}/apt/methods/* rPx, # only: dpkg @{lib}/cnf-update-db rPx, @{lib}/update-notifier/update-motd-updates-available rPx, @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile - /usr/share/libalpm/scripts/* rPx, + /usr/share/libalpm/scripts/* rPx, # Install/update packages / r,
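Review bot: The two exec rules added in the packagekitd hunk, `@{bin}/fc-cache rPx` and `@{bin}/install-info rPx`, lack the terminating comma that every other rule in the block carries, so as rendered here the profile will fail to parse at these lines; they should read `@{bin}/fc-cache rPx,` and `@{bin}/install-info rPx,`. Both also use `rPx`, which requires an `fc-cache` and an `install-info` profile to exist — the patch does not show whether they do; if they are missing, either add the profiles or follow the `rPUx # TODO: write the profile` convention the zypp line in the same hunk uses. The packagekitd profile body continues outside the hunk.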
@@ -122,6 +124,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { /tmp/apt-changelog-@{rand6}/ w, /tmp/apt-changelog-@{rand6}/*.changelog rw, + owner /tmp/alpm_*/{,**} rw, owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner /tmp/packagekit* rw,
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd
index 41de3f47..aa702237 100644
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@@ -8,13 +8,14 @@ abi , include @{exec_path} = @{bin}/rngd -profile rngd @{exec_path} { +profile rngd @{exec_path} flags=(attach_disconnected) { include include include include capability dac_read_search, + capability net_admin, capability sys_admin, capability sys_nice,
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index fefe8a10..487cdf07 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -94,7 +94,7 @@ profile sudo @{exec_path} { @{PROC}/sys/kernel/seccomp/actions_avail r, /dev/ r, # interactive login - /dev/ptmx rw, + /dev/ptmx rwk, owner /dev/tty@{int} rw, deny @{user_share_dirs}/gvfs-metadata/* r,
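Review bot: `capability net_admin,` is added to rngd next to the new `flags=(attach_disconnected)` header with no comment, and nothing else in the hunk shows a network-related rule that would explain why an entropy daemon needs a capability of that breadth. A comment naming the operation, `capability net_admin, # TODO: document the call that needs this`, would keep the grant reviewable, and if it was prompted by a single logged denial, `audit capability net_admin,` lets that be confirmed from the log before the grant becomes permanent. The rngd profile body continues outside the hunk.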