From b79ffa52c6818f365c301969f990914a47a5f9d2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 28 Sep 2021 21:53:50 +0100
Subject: [PATCH] Update profiles.
---
 apparmor.d/groups/apt/apt | 51 +++--------------
 apparmor.d/groups/apt/apt-get | 51 +++--------------
 apparmor.d/groups/apt/apt-systemd-daily | 36 ++++++------
 apparmor.d/groups/apt/dpkg | 2 +
 apparmor.d/groups/gnome/gdm-wayland-session | 3 +-
 .../systemd/systemd-environment-d-generator | 6 +-
 apparmor.d/groups/systemd/systemd-journald | 1 +
 apparmor.d/groups/virt/containerd | 6 ++
 apparmor.d/profiles-a-f/aa-log | 2 +
 apparmor.d/profiles-a-f/dhclient | 2 +
 apparmor.d/profiles-a-f/dhclient-script | 1 +
 apparmor.d/profiles-g-l/htop | 56 +++++++++----------
 apparmor.d/profiles-m-r/mandb | 1 +
 apparmor.d/profiles-m-r/mount-cifs | 2 +-
 apparmor.d/profiles-m-r/mount-nfs | 2 +-
 apparmor.d/profiles-m-r/pass | 8 +--
 apparmor.d/profiles-m-r/pass-extension-python | 3 +-
 .../profiles-m-r/pipewire-media-session | 1 +
 18 files changed, 91 insertions(+), 143 deletions(-)
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index b6795e7d..6fa7155e 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -9,56 +10,20 @@ include
 @{exec_path} = /{usr/,}bin/apt
 profile apt @{exec_path} flags=(complain) {
 include
- include
 include
+ include
 include
 include
- # To remove the following errors:
- # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
- # (1: Operation not permitted)
- # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
- # (1: Operation not permitted)
- # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
- # Item::QueueURI (1: Operation not permitted)
- capability fowner,
-
- # To remove the following errors:
- # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
- # (1: Operation not permitted)
- # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
- # (1: Operation not permitted)
 capability chown,
-
- # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
- # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
- # used by APT to download packages, package list, and other things using APT methods as an
- # unprivileged user/group (_apt/nogroup).
- #
- # To remove the following errors:
- # E: setgroups 65534 failed - setgroups (1: Operation not permitted)
- # E: setegid 65534 failed - setegid (1: Operation not permitted)
- # E: seteuid 100 failed - seteuid (1: Operation not permitted)
- # E: setgroups 0 failed - setgroups (1: Operation not permitted)
- capability setuid,
- capability setgid,
-
- # To remove the following errors:
- # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
- # PrepareFiles (13: Permission denied)
- # E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
- capability dac_read_search,
-
- # To remove the following errors:
- # E: Failed to fetch https://**.deb rename failed, Permission denied
- # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
- # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
 capability dac_override,
-
- # Needed? (##FIXME##)
- capability kill,
+ capability dac_read_search,
+ capability fowner,
 capability fsetid,
- audit deny capability net_admin,
+ capability kill,
+ capability net_admin,
+ capability setgid,
+ capability setuid,
 signal (send) peer=apt-methods-*,
diff --git a/apparmor.d/groups/apt/apt-get b/apparmor.d/groups/apt/apt-get
index 09c855fe..22fbbe35 100644
--- a/apparmor.d/groups/apt/apt-get
+++ b/apparmor.d/groups/apt/apt-get
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
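Review bot: `- audit deny capability net_admin,` becoming `+ capability net_admin,` turns an explicit, audited denial into a grant, and nothing in the hunk or the commit message says why apt now needs CAP_NET_ADMIN; network fetching is delegated to the apt-methods-* peers named by the `signal (send)` rule, so the denial should stay until a logged denial shows otherwise. The hunk also keeps `capability kill,` while deleting the `# Needed? (##FIXME##)` comment that questioned it, so the open question disappears without being answered. Dropping the per-capability error-message comments removes the only record of why chown, fowner, dac_override, dac_read_search, setuid and setgid are granted; a one-line rationale per capability, e.g. `capability fowner, # chmod on _apt-owned dirs under /var/lib/apt/lists/`, keeps that knowledge within the sorted layout. The apt-get hunk at @@ -9,55 makes the identical change and this comment applies to it too.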
@@ -9,55 +10,19 @@ include
 @{exec_path} = /{usr/,}bin/apt-get
 profile apt-get @{exec_path} flags=(complain) {
 include
- include
 include
+ include
 include
- # To remove the following errors:
- # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
- # (1: Operation not permitted)
- # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
- # (1: Operation not permitted)
- # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed -
- # Item::QueueURI (1: Operation not permitted)
- capability fowner,
-
- # To remove the following errors:
- # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
- # (1: Operation not permitted)
- # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory
- # (1: Operation not permitted)
 capability chown,
-
- # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
- # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
- # used by APT to download packages, package list, and other things using APT methods as an
- # unprivileged user/group (_apt/nogroup).
- #
- # To remove the following errors:
- # E: setgroups 65534 failed - setgroups (1: Operation not permitted)
- # E: setegid 65534 failed - setegid (1: Operation not permitted)
- # E: seteuid 100 failed - seteuid (1: Operation not permitted)
- # E: setgroups 0 failed - setgroups (1: Operation not permitted)
- capability setuid,
- capability setgid,
-
- # To remove the following errors:
- # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease -
- # PrepareFiles (13: Permission denied)
- # E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied)
- capability dac_read_search,
-
- # To remove the following errors:
- # E: Failed to fetch https://**.deb rename failed, Permission denied
- # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb).
- # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing?
 capability dac_override,
-
- # Needed? (##FIXME##)
- capability kill,
+ capability dac_read_search,
+ capability fowner,
 capability fsetid,
- audit deny capability net_admin,
+ capability kill,
+ capability net_admin,
+ capability setgid,
+ capability setuid,
 signal (send) peer=apt-methods-*,
diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily
index adf30d0a..2d9a2afe 100644
--- a/apparmor.d/groups/apt/apt-systemd-daily
+++ b/apparmor.d/groups/apt/apt-systemd-daily
@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -10,36 +11,37 @@ include
 profile apt-systemd-daily @{exec_path} {
 include
- # Needed to remove the following error:
- # apt.systemd.daily[]: find: ‘/var/cache/apt/archives/partial’: Permission denied
 capability dac_read_search,
 @{exec_path} mrix,
 /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/flock rix,
+ /{usr/,}bin/basename rix,
 /{usr/,}bin/cmp rix,
 /{usr/,}bin/cp rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/mv rix,
- /{usr/,}bin/savelog rix,
- /{usr/,}bin/which{,.debianutils} rix,
- /{usr/,}bin/touch rix,
- /{usr/,}bin/basename rix,
- /{usr/,}bin/dirname rix,
 /{usr/,}bin/date rix,
- /{usr/,}bin/find rix,
+ /{usr/,}bin/dirname rix,
 /{usr/,}bin/du rix,
- /{usr/,}bin/stat rix,
+ /{usr/,}bin/env rix,
+ /{usr/,}bin/find rix,
+ /{usr/,}bin/flock rix,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/gzip rix,
+ /{usr/,}bin/mv rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}bin/savelog rix,
+ /{usr/,}bin/seq rix,
 /{usr/,}bin/sort rix,
+ /{usr/,}bin/stat rix,
+ /{usr/,}bin/touch rix,
 /{usr/,}bin/uniq rix,
 /{usr/,}bin/wc rix,
- /{usr/,}bin/seq rix,
+ /{usr/,}bin/which{,.debianutils} rix,
 /{usr/,}bin/xargs rix,
- /{usr/,}bin/gzip rix,
- /{usr/,}bin/apt-config rPx,
- /{usr/,}bin/apt-get rPx,
+ /{usr/,}bin/apt-config rPx,
+ /{usr/,}bin/apt-get rPx,
+ /{usr/,}bin/unattended-upgrade rPx,
 /etc/default/locale r,
@@ -48,7 +50,7 @@ profile apt-systemd-daily @{exec_path} {
 /var/lib/apt/daily_lock wk,
 /var/lib/apt/extended_states r,
- /var/lib/apt/periodic/autoclean-stamp w,
+ /var/lib/apt/periodic/* w,
 /var/backups/ r,
 /var/backups/apt.extended_states rw,
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index 8655c5ef..5a2fe9df 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@@ -38,6 +38,8 @@ profile dpkg @{exec_path} {
 # /{usr/,}bin/dpkg-split rPx,
+ /{usr/,}lib/needrestart/dpkg-status rPx,
+ /usr/share/debian-security-support/check-support-status.hook rPx,
 /{usr/,}bin/pager rCx -> diff,
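Review bot: `capability dac_read_search,` survives but the two comment lines explaining it (find hitting Permission denied on /var/cache/apt/archives/partial) are removed, so the reason for a capability that bypasses directory read permissions is no longer recorded; a short `# find(1) descends /var/cache/apt/archives/partial, owned by _apt` next to it would keep it. `+ /{usr/,}bin/unattended-upgrade rPx,` requires an unattended-upgrade profile to be loaded, since with `Px` the exec fails when no target profile exists; I can't see from the diff whether the repository ships one. The @@ -48,7 hunk widening `/var/lib/apt/periodic/autoclean-stamp w,` to `/var/lib/apt/periodic/* w,` looks reasonable for the stamp files the script writes, but a comment listing them would make the glob reviewable.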
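Review bot: The two new `rPx` lines, `/{usr/,}lib/needrestart/dpkg-status rPx,` and `/usr/share/debian-security-support/check-support-status.hook rPx,`, each require a profile attached to that path; with `Px` and no matching profile the exec is denied, which would break the hook rather than run it unconfined. The diff does not show whether such profiles exist, so either they should land in the same commit or the transition should be chosen deliberately (`rPUx`, as the flatpak rules elsewhere in this commit do) and commented. The dpkg profile body continues outside the hunk.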
diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session
index 406a0a9d..a55a11fb 100644
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@@ -28,8 +28,9 @@ profile gdm-wayland-session @{exec_path} {
 /{usr/,}bin/gnome-session rix,
 /{usr/,}bin/gsettings rix,
- /{usr/,}bin/dbus-run-session rPx,
 /{usr/,}bin/dbus-daemon rPx,
+ /{usr/,}bin/dbus-run-session rPx,
+ /{usr/,}bin/flatpak rPUx,
 /{usr/,}lib/gnome-session-binary rPx,
 /etc/shells r,
diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator
index 7bea7114..9165b1b0 100644
--- a/apparmor.d/groups/systemd/systemd-environment-d-generator
+++ b/apparmor.d/groups/systemd/systemd-environment-d-generator
@@ -14,8 +14,10 @@ profile systemd-environment-d-generator @{exec_path} {
 @{exec_path} mr,
- /{usr/,}bin/gpgconf rPx,
- /{usr/,}bin/mawk rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/flatpak rPUx,
+ /{usr/,}bin/gpgconf rPx,
+ /{usr/,}bin/mawk rix,
 /etc/environment r,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 6d6380e9..dc051277 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} {
 @{run}/udev/data/+scsi:* r,
 @{run}/udev/data/+bluetooth:* r,
 @{run}/udev/data/+usb-serial:* r,
+ @{run}/udev/data/+platform:intel_pmc_core.[0-9]* r,
 @{run}/udev/data/+platform:iTCO_wdt r,
 @{run}/udev/data/+platform:regulatory.[0-9]* r,
 @{run}/udev/data/+platform:rtsx_pci_sdmmc.[0-9]* r,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index e0e3367e..7c8f4d7c 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
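Review bot: `+ /{usr/,}bin/flatpak rPUx,` means flatpak runs fully unconfined whenever no flatpak profile is loaded, and the hunk gives no indication whether one exists; for a helper spawned by the display manager that is a wide fallback to leave implicit. If a flatpak profile is shipped, `rPx` pins the transition to it; if not, a comment such as `# flatpak: no profile yet, falls back to unconfined` records that the fallback is deliberate. The systemd-environment-d-generator hunk at @@ -14,8 adds the same `flatpak rPUx` rule (next to `/{usr/,}bin/{,ba,da}sh rix,`, which inherits the generator's profile into a shell) and this comment applies there as well.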
@@ -21,8 +21,14 @@ profile containerd @{exec_path} {
 /{usr/,}bin/containerd-shim-runc-v2 rPUx,
 /{usr/,}bin/kmod rPx,
+ /etc/cni/{,**} r,
+ /etc/containerd/*.toml r,
+
+ /var/lib/containerd/{,**} rwk,
 /var/lib/docker/containerd/{,**} rwk,
+ @{run}/containerd/{,**} rwk,
 @{run}/docker/containerd/{,**} rwk,
+ /opt/containerd/{,**} rw,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log
index db930d7c..2e549f1b 100644
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@@ -14,8 +14,10 @@ profile aa-log @{exec_path} {
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/awk rix,
+ /{usr/,}bin/env rix,
 /{usr/,}bin/gawk rix,
 /{usr/,}bin/grep rix,
+ /{usr/,}bin/mawk rix,
 /{usr/,}bin/sed rix,
 /usr/share/terminfo/x/xterm-256color r,
diff --git a/apparmor.d/profiles-a-f/dhclient b/apparmor.d/profiles-a-f/dhclient
index 3466c6e8..a3091424 100644
--- a/apparmor.d/profiles-a-f/dhclient
+++ b/apparmor.d/profiles-a-f/dhclient
@@ -29,6 +29,8 @@ profile dhclient @{exec_path} {
 network netlink raw,
 network packet raw,
+ signal (send) peer=unconfined,
+
 @{exec_path} mr,
 # To run dhclient scripts
diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script
index cd152a9f..8c58edfe 100644
--- a/apparmor.d/profiles-a-f/dhclient-script
+++ b/apparmor.d/profiles-a-f/dhclient-script
@@ -26,6 +26,7 @@ profile dhclient-script @{exec_path} {
 /{usr/,}bin/ping rPx,
 /{usr/,}bin/chronyc rPUx,
 /{usr/,}bin/run-parts rCx -> run-parts,
+ /{usr/,}sbin/resolvconf rPx,
 # To remove the following error:
 # /sbin/dhclient-script: 133: hostname: Permission denied
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index 7c8da2de..c5c72b45 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
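Review bot: `+ /opt/containerd/{,**} rw,` grants write access to a tree that, if it is containerd's opt plugin path, holds executables rather than state, while the state trees added in the same hunk (`/var/lib/containerd/{,**} rwk,`, `@{run}/containerd/{,**} rwk,`) get the lock bit and `/etc/containerd/*.toml` is read-only; the asymmetry is not explained. If containerd really writes there, a one-line comment saying what it installs would justify `w`; otherwise `r` is the narrower rule. The containerd profile body continues outside the hunk.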
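Review bot: `+ signal (send) peer=unconfined,` lets dhclient send every signal to any unconfined process, which is broader than a DHCP client should need and is not explained by a comment. AppArmor signal rules accept a `set=(...)` qualifier, so once the audit log shows which signal is actually sent the rule can be narrowed, e.g. `signal (send) set=(term) peer=unconfined, # constructed example, use the signal seen in the log`. A why-comment naming the unconfined process dhclient signals would make the rule reviewable.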
@@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,15 +12,9 @@ profile htop @{exec_path} { include include - # To be able to read the /proc/ files of all processes in the system. capability dac_read_search, - - # To manage priorities. - capability sys_nice, - - # To terminate other users' processes when htop is started as root. capability kill, - + capability sys_nice, capability sys_ptrace, # Needed? (for system state) @@ -34,6 +29,14 @@ profile htop @{exec_path} { /usr/share/terminfo/x/xterm-256color r, + /etc/sensors.d/ r, + /etc/sensors3.conf r, + + owner @{user_config_dirs}/htop/ rw, + owner @{user_config_dirs}/htop/htoprc rw, + + owner @{PROC}/@{pid}/smaps_rollup r, + @{PROC}/ r, @{PROC}/loadavg r, @{PROC}/uptime r, @@ -45,6 +48,8 @@ profile htop @{exec_path} { @{PROC}/pressure/memory r, @{PROC}/diskstats r, + @{PROC}/@{pids}/ r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/stat r, @@ -58,6 +63,7 @@ profile htop @{exec_path} { @{PROC}/@{pids}/comm r, @{PROC}/@{pids}/task/ r, + @{PROC}/@{pids}/task/@{tid}/ r, @{PROC}/@{pids}/task/@{tid}/attr/current r, @{PROC}/@{pids}/task/@{tid}/cmdline r, @{PROC}/@{pids}/task/@{tid}/stat r, 
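Review bot: In the @@ -11,15 hunk the comments explaining `capability dac_read_search,` (read /proc of all processes), `capability sys_nice,` (manage priorities) and `capability kill,` (terminate other users' processes when run as root) are deleted while the capabilities remain, so only `capability sys_ptrace,` keeps a note and that one is the `# Needed? (for system state)` question. Keeping each rationale as a trailing comment, e.g. `capability kill, # terminate other users' processes when started as root`, preserves the sorted layout without losing why each capability is granted. The @@ -72,37 hunk does the same for `/dev/tty[0-9]* rw,` by dropping the five-line TTY error explanation; one line such as `# needed when started from a TTY` would do.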
@@ -72,37 +78,27 @@ profile htop @{exec_path} {
 @{PROC}/@{pids}/task/@{tid}/comm r,
 @{PROC}/@{pids}/net/dev r,
- owner @{PROC}/@{pid}/smaps_rollup r,
-
- @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
- @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
- @{sys}/class/i2c-adapter/ r,
- @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
 @{sys}/class/hwmon/ r,
+ @{sys}/class/i2c-adapter/ r,
 @{sys}/class/power_supply/ r,
- @{sys}/devices/*/name r,
- @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
- @{sys}/devices/**/hwmon/ r,
- @{sys}/devices/**/hwmon/{name,temp*} r,
- @{sys}/devices/**/hwmon/**/ r,
- @{sys}/devices/**/hwmon/**/{name,temp*} r,
 @{sys}/devices/**/hwmon[0-9]*/ r,
 @{sys}/devices/**/hwmon[0-9]*/{name,temp*} r,
 @{sys}/devices/**/hwmon[0-9]*/**/ r,
 @{sys}/devices/**/hwmon[0-9]*/**/{name,temp*} r,
+ @{sys}/devices/**/hwmon/ r,
+ @{sys}/devices/**/hwmon/{name,temp*} r,
+ @{sys}/devices/**/hwmon/**/ r,
+ @{sys}/devices/**/hwmon/**/{name,temp*} r,
+ @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
+ @{sys}/devices/*/name r,
+ @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
+ @{sys}/devices/system/cpu/cpu[0-9]*/online r,
+ @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
+ @{sys}/devices/virtual/block/zram[0-9]*/{disksize,mm_stat} r,
+ @{sys}/kernel/mm/hugepages/ r,
+ @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
- owner @{user_config_dirs}/htop/ rw,
- owner @{user_config_dirs}/htop/htoprc rw,
-
- # When started in TTY, to remove the following error:
- # htop[]: *** err
- # /dev/tty2: Permission denied
- # htop[]: *** err
- # htop[]: Oh, oh, it's an error! possibly I die!
 /dev/tty[0-9]* rw,
- /etc/sensors.d/ r,
- /etc/sensors3.conf r,
-
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb
index 0e9b56f2..c60added 100644
--- a/apparmor.d/profiles-m-r/mandb
+++ b/apparmor.d/profiles-m-r/mandb
@@ -23,6 +23,7 @@ profile mandb @{exec_path} flags=(complain) {
 /usr/share/man/{,**} r,
 /usr/local/man/{,**} r,
+ /usr/local/share/man/{,**} r,
 /usr/{,/share}/man/{,**} r,
 /usr/local/{,/share/}/man/{,**} r,
diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs
index 0b175445..80c23b8d 100644
--- a/apparmor.d/profiles-m-r/mount-cifs
+++ b/apparmor.d/profiles-m-r/mount-cifs
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,bin}/mount.cifs
+@{exec_path} = /{usr/,}sbin/mount.cifs
 profile mount-cifs @{exec_path} flags=(complain) {
 include
 include
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs
index d3fe0c9e..b9d67a1e 100644
--- a/apparmor.d/profiles-m-r/mount-nfs
+++ b/apparmor.d/profiles-m-r/mount-nfs
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /{usr/,}{s,bin}/mount.nfs
+@{exec_path} = /{usr/,}sbin/mount.nfs
 profile mount-nfs @{exec_path} flags=(complain) {
 include
 include
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index 90990b69..350ee4e1 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -60,10 +60,10 @@ profile pass @{exec_path} {
 owner @{user_config_dirs}/password-store/{,**} rw,
 owner /dev/shm/pass.*/{,*} rw,
- owner @{PROC}/@{pids}/cmdline r,
- @{PROC}/ r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/uptime r,
+ @{PROC}/@{pids}/cmdline r,
+ @{PROC}/ r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/uptime r,
 /dev/tty rw,
diff --git a/apparmor.d/profiles-m-r/pass-extension-python b/apparmor.d/profiles-m-r/pass-extension-python
index 6d375a77..13d4c7e2 100644
--- a/apparmor.d/profiles-m-r/pass-extension-python
+++ b/apparmor.d/profiles-m-r/pass-extension-python
@@ -21,7 +21,8 @@ profile pass-extension-python {
 /usr/share/file/misc/magic.mgc r,
- owner /tmp/* rw,
+ /tmp/* rw,
+ owner @{PROC}/@{pid}/fd/ r,
 include if exists
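Review bot: `- owner @{PROC}/@{pids}/cmdline r,` → `+ @{PROC}/@{pids}/cmdline r,` drops the `owner` qualifier, so pass can now read the command line of every process on the system instead of only the invoking user's own; the other three lines in the hunk are only re-indented, so this is the single substantive change and it is uncommented. For a password manager that is a disclosure widening worth justifying: if a denial was observed, quote it in a comment above the rule, and if the need is only the user's own helper processes, keep `owner`.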
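Review bot: `- owner /tmp/* rw,` → `+ /tmp/* rw,` lets the extension read and write any top-level entry in the shared /tmp, including files and symlinks placed there by other users, which is exactly the class of access `owner` was excluding; nothing in the hunk says which non-owned file prompted it. Keeping `owner` and adding a narrow rule for the specific path that is needed (with a comment naming the denial) would be safer than opening the whole directory. The profile body continues outside the hunk.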
diff --git a/apparmor.d/profiles-m-r/pipewire-media-session b/apparmor.d/profiles-m-r/pipewire-media-session
index a970cf0e..5f844d44 100644
--- a/apparmor.d/profiles-m-r/pipewire-media-session
+++ b/apparmor.d/profiles-m-r/pipewire-media-session
@@ -23,6 +23,7 @@ profile pipewire-media-session @{exec_path} {
 /usr/share/alsa-card-profile/{,**} r,
 /usr/share/alsa/{,**} r,
 /usr/share/pipewire/media-session.d/{,**} r,
+ /usr/share/spa-*/bluez[0-9]*/{,*} r,
 /etc/alsa/{,**} r,
 /etc/pipewire/media-session.d/*.conf r,