refractor(abs): move common and app abstraction to their own abstractions subfolder.

As the number of abstraction is increasing, it is valuable to separate "base" abstractions to programs specific ones.
2025-01-19 01:18:16 +01:00 · 2024-03-27 15:11:21 +00:00 · 2024-03-27 15:11:21 +00:00 · b88b8b8c26
commit b88b8b8c26
parent 92f83d9e8d
158 changed files with 226 additions and 198 deletions
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # For chromium based browser. If your application requires chromium to run
-# (like electron) use abstractions/chromium-common instead.
+# (like electron) use abstractions/common/chromium instead.
 # This abstraction requires the following variables definied in the profile header:
 # @{name} = chromium
@ -209,4 +209,4 @@
  deny @{lib_dirs}/** w,
  deny @{user_share_dirs}/gvfs-metadata/* r,
-  include if exists <abstractions/chromium.d>
+  include if exists <abstractions/app/chromium.d>
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@ -64,4 +64,4 @@
  deny @{user_share_dirs}/gvfs-metadata/* r,
-  include if exists <abstractions/sudo.d>
+  include if exists <abstractions/app/sudo.d>
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@ -2,6 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  include <abstractions/bus-system>
  include <abstractions/consoles>
  ptrace (read) peer=@{systemd},
@ -24,4 +25,4 @@
    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/stat r,
-  include if exists <abstractions/systemctl.d>
+  include if exists <abstractions/app/systemctl.d>
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -13,9 +13,6 @@
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Avahi>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/consoles>
  include <abstractions/deny-sensitive-home>
  include <abstractions/desktop>
@ -55,8 +52,7 @@
  owner @{run}/user/@{uid}/{,**} rw,
  owner @{user_config_dirs}/** rwkl,
  owner @{user_share_dirs}/** rwkl,
-
+  owner @{user_games_dirs}/{,**} rm,
  @{user_games_dirs}/{,**} rm,
  owner /tmp/** rmwk,
  owner /dev/shm/** rwlk -> /dev/shm/**,
@ -114,4 +110,4 @@
  /dev/pts/ptmx rw,
  /dev/tty rw,
-  include if exists <abstractions/bwrap-app.d>
+  include if exists <abstractions/common/app.d>
--- a/apparmor.d/abstractions/common/apt
+++ b/apparmor.d/abstractions/common/apt
@ -25,7 +25,7 @@
  /var/lib/dpkg/status r,
  /var/lib/ubuntu-advantage/apt-esm/{,**} r,
  owner /tmp/clearsigned.message.* rw,
  owner /tmp/#@{int} rw,
  owner /tmp/clearsigned.message.* rw,
-  include if exists <abstractions/apt-common.d>
+  include if exists <abstractions/common/apt.d>
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -51,4 +51,4 @@
  owner @{PROC}/@{pid}/setgroups rw,
  owner @{PROC}/@{pid}/uid_map rw,
-  include if exists <abstractions/bwrap.d>
+  include if exists <abstractions/common/bwrap.d>
--- a/apparmor.d/abstractions/common/chromium
+++ b/apparmor.d/abstractions/common/chromium
@ -0,0 +1,40 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Mikhail Morfikov
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # This abstraction is for chromium based application. Chromium based browsers
 # need to use abstractions/chromium instead.
  # userns,
  # Only needed when kernel.unprivileged_userns_clone is set to "1"
  capability sys_admin,
  capability sys_chroot,
  capability setuid,
  capability setgid,
  owner @{PROC}/@{pid}/setgroups w,
  owner @{PROC}/@{pid}/gid_map w,
  owner @{PROC}/@{pid}/uid_map w,
  owner @{HOME}/.pki/ rw,
  owner @{HOME}/.pki/nssdb/ rw,
  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
  owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
        /tmp/ r,
        /var/tmp/ r,
  owner /tmp/.org.chromium.Chromium.* rw,
  owner /tmp/.org.chromium.Chromium.*/{,**} rw,
  owner /tmp/scoped_dir*/ rw,
  owner /tmp/scoped_dir*/SingletonCookie w,
  owner /tmp/scoped_dir*/SingletonSocket w,
  owner /tmp/scoped_dir*/SS w,
        /dev/shm/ r,
  owner /dev/shm/.org.chromium.Chromium.* rw,
  include if exists <abstractions/common/chromium.d>
--- a/apparmor.d/abstractions/common/systemd
+++ b/apparmor.d/abstractions/common/systemd
@ -18,4 +18,4 @@
  /dev/kmsg w,
-  include if exists <abstractions/systemd-common.d>
+  include if exists <abstractions/common/systemd.d>
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@ -11,8 +11,8 @@ include <tunables/global>
@{exec_path} = @{bin}/bwrap
 profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
-  include <abstractions/bwrap>
+  include <abstractions/common/bwrap>
-  include <abstractions/bwrap-app>
+  include <abstractions/common/app>
  include <abstractions/dbus>
  include <abstractions/fontconfig-cache-write>
--- a/apparmor.d/groups/_full/bwrap-app
+++ b/apparmor.d/groups/_full/bwrap-app
@ -10,7 +10,7 @@ include <tunables/global>
 profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
-  include <abstractions/bwrap-app>
+  include <abstractions/common/app>
  include <abstractions/fontconfig-cache-write>
  network inet dgram,
--- a/apparmor.d/groups/_full/default-sudo
+++ b/apparmor.d/groups/_full/default-sudo
@ -8,7 +8,7 @@ include <tunables/global>
 profile default-sudo @{exec_path} {
  include <abstractions/base>
-  include <abstractions/sudo>
+  include <abstractions/app/sudo>
  capability chown,
  capability dac_override,
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@ -19,7 +19,7 @@ profile calibre @{exec_path} {
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
-  include <abstractions/chromium-common>
+  include <abstractions/common/chromium>
  include <abstractions/devices-usb>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/groups/apps/discord
@ -27,7 +27,7 @@ profile discord @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/user-download-strict>
  include <abstractions/thumbnails-cache-read>
-  include <abstractions/chromium-common>
+  include <abstractions/common/chromium>
  signal (send) set=(kill, term) peer=@{profile_name}//lsb_release,
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@ -14,7 +14,7 @@ include <tunables/global>
 profile freetube @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
-  include <abstractions/chromium-common>
+  include <abstractions/common/chromium>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/groups/apps/signal-desktop
@ -15,7 +15,7 @@ include <tunables/global>
 profile signal-desktop @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
-  include <abstractions/chromium-common>
+  include <abstractions/common/chromium>
  include <abstractions/consoles>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/apt @{bin}/apt-get @{bin}/aptd
 profile apt @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.PackageKit>
@ -220,7 +220,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    capability net_admin,
    capability sys_resource,
--- a/apparmor.d/groups/apt/apt-cache
+++ b/apparmor.d/groups/apt/apt-cache
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/apt-cache
 profile apt-cache @{exec_path} {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/consoles>
  @{exec_path} mr,
--- a/apparmor.d/groups/apt/apt-cdrom
+++ b/apparmor.d/groups/apt/apt-cdrom
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/apt-cdrom
 profile apt-cdrom @{exec_path} flags=(complain) {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/nameservice-strict>
  capability dac_read_search,
--- a/apparmor.d/groups/apt/apt-config
+++ b/apparmor.d/groups/apt/apt-config
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/apt-config
 profile apt-config @{exec_path} {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/consoles>
  @{exec_path} mr,
--- a/apparmor.d/groups/apt/apt-extracttemplates
+++ b/apparmor.d/groups/apt/apt-extracttemplates
@ -11,7 +11,7 @@ include <tunables/global>
 profile apt-extracttemplates @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  capability dac_read_search,
--- a/apparmor.d/groups/apt/apt-file
+++ b/apparmor.d/groups/apt/apt-file
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/apt-file
 profile apt-file @{exec_path} {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/perl>
  @{exec_path} r,
--- a/apparmor.d/groups/apt/apt-forktracer
+++ b/apparmor.d/groups/apt/apt-forktracer
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/apt-forktracer
 profile apt-forktracer @{exec_path} {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/python>
  @{exec_path} mr,
--- a/apparmor.d/groups/apt/apt-helper
+++ b/apparmor.d/groups/apt/apt-helper
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/apt/apt-helper
 profile apt-helper @{exec_path} {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  @{exec_path} mr,
@ -21,7 +21,7 @@ profile apt-helper @{exec_path} {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    capability net_admin,
--- a/apparmor.d/groups/apt/apt-mark
+++ b/apparmor.d/groups/apt/apt-mark
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/apt-mark
 profile apt-mark @{exec_path} {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  @{exec_path} mr,
--- a/apparmor.d/groups/apt/apt-show-versions
+++ b/apparmor.d/groups/apt/apt-show-versions
@ -12,7 +12,7 @@ profile apt-show-versions @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/perl>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  @{exec_path} r,
  @{bin}/perl r,
--- a/apparmor.d/groups/apt/aptitude
+++ b/apparmor.d/groups/apt/aptitude
@ -12,7 +12,7 @@ profile aptitude @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  # To remove the following errors:
  #  W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
@ -12,7 +12,7 @@ include <tunables/global>
@{exec_path} += @{lib}/command-not-found
 profile command-not-found @{exec_path} {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
--- a/apparmor.d/groups/apt/debtags
+++ b/apparmor.d/groups/apt/debtags
@ -11,7 +11,7 @@ include <tunables/global>
 profile debtags @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/python>
  #capability sys_tty_config,
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -78,7 +78,7 @@ profile dpkg @{exec_path} {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    include if exists <local/dpkg_systemctl>
  }
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -23,7 +23,9 @@ profile dpkg-preconfigure @{exec_path} {
  @{bin}/{,e}grep   rix,
  @{bin}/locale     rix,
  @{bin}/sed        rix,
  @{bin}/sort       rix,
  @{bin}/stty       rix,
  @{bin}/tr         rix,
  @{bin}/dpkg                 rPx -> child-dpkg,
  @{bin}/apt-extracttemplates rPx,
--- a/apparmor.d/groups/apt/querybts
+++ b/apparmor.d/groups/apt/querybts
@ -17,7 +17,7 @@ profile querybts @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  include <abstractions/ssl_certs>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/reportbug
 profile reportbug @{exec_path} {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
@ -109,7 +109,7 @@ profile reportbug @{exec_path} {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    include if exists <local/reportbug_systemctl>
  }
--- a/apparmor.d/groups/apt/synaptic
+++ b/apparmor.d/groups/apt/synaptic
@ -15,7 +15,7 @@ profile synaptic @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/freedesktop.org>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/nameservice-strict>
  # To remove the following errors:
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/unattended-upgrade
 profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
--- a/apparmor.d/groups/apt/update-apt-xapian-index
+++ b/apparmor.d/groups/apt/update-apt-xapian-index
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/update-apt-xapian-index
 profile update-apt-xapian-index @{exec_path} {
  include <abstractions/base>
-  include <abstractions/apt-common>
+  include <abstractions/common/apt>
  include <abstractions/python>
  @{exec_path} r,
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@ -16,7 +16,7 @@ include <tunables/global>
@{exec_path} = @{lib_dirs}/@{name}
 profile brave @{exec_path} {
  include <abstractions/base>
-  include <abstractions/chromium>
+  include <abstractions/app/chromium>
  unix (send, receive) type=stream peer=(label=brave-crashpad-handler),
--- a/apparmor.d/groups/browsers/chrome
+++ b/apparmor.d/groups/browsers/chrome
@ -16,7 +16,7 @@ include <tunables/global>
@{exec_path} = @{lib_dirs}/@{name}
 profile chrome @{exec_path} {
  include <abstractions/base>
-  include <abstractions/chromium>
+  include <abstractions/app/chromium>
  @{exec_path} mrix,
--- a/apparmor.d/groups/browsers/chromium
+++ b/apparmor.d/groups/browsers/chromium
@ -16,7 +16,7 @@ include <tunables/global>
@{exec_path} = @{lib_dirs}/@{name}
 profile chromium @{exec_path} {
  include <abstractions/base>
-  include <abstractions/chromium>
+  include <abstractions/app/chromium>
  @{exec_path} mrix,
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@ -16,7 +16,7 @@ include <tunables/global>
@{exec_path} = @{lib_dirs}/@{name}
 profile opera @{exec_path} {
  include <abstractions/base>
-  include <abstractions/chromium>
+  include <abstractions/app/chromium>
  @{exec_path} mrix,
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@ -18,7 +18,7 @@ profile child-systemctl flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/consoles>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  include <abstractions/wutmp>
  capability mknod,
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@ -84,7 +84,7 @@ profile gdm-xsession @{exec_path} {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    owner /dev/tty@{int} rw,
--- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
+++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers
@ -8,7 +8,7 @@ include <tunables/global>
 profile gnome-desktop-thumbnailers flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/bwrap>
+  include <abstractions/common/bwrap>
  include <abstractions/gnome-strict>
  include <abstractions/gstreamer>
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@ -34,7 +34,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
  profile bwrap flags=(attach_disconnected) {
    include <abstractions/base>
-    include <abstractions/bwrap>
+    include <abstractions/common/bwrap>
    signal (receive) set=(kill) peer=loupe,
--- a/apparmor.d/groups/grub/grub-sort-version
+++ b/apparmor.d/groups/grub/grub-sort-version
@ -10,7 +10,7 @@ include <tunables/global>
 profile grub-sort-version @{exec_path} {
  include <abstractions/base>
  include <abstractions/python>
-  include if exists <abstractions/apt-common>
+  include if exists <abstractions/common/apt>
  capability dac_read_search,
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -154,7 +154,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    include if exists <local/NetworkManager_systemctl>
  }
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /opt/Mullvad*/mullvad-gui
 profile mullvad-gui @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/chromium-common>
+  include <abstractions/common/chromium>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -34,7 +34,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
  profile udevadm {
    include <abstractions/base>
-    include <abstractions/systemd-common>
+    include <abstractions/common/systemd>
    @{bin}/udevadm mr,
@ -49,7 +49,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    capability net_admin,
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -70,7 +70,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    capability net_admin,
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@ -88,7 +88,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    capability mknod,
    capability net_admin,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -186,7 +186,7 @@ profile pacman @{exec_path} {
  profile systemctl {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    capability net_admin,
--- a/apparmor.d/groups/pacman/pacman-hook-systemd
+++ b/apparmor.d/groups/pacman/pacman-hook-systemd
@ -40,7 +40,7 @@ profile pacman-hook-systemd @{exec_path} {
  profile systemctl flags=(attach_disconnected) {
    include <abstractions/base>
-    include <abstractions/systemctl>
+    include <abstractions/app/systemctl>
    capability net_admin,
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@ -11,7 +11,7 @@ profile bootctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/disks-read>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability mknod,
  capability net_admin,
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@ -13,7 +13,7 @@ profile busctl @{exec_path} {
  include <abstractions/bus-system>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_ptrace,
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@ -12,7 +12,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability dac_override,
  capability dac_read_search,
--- a/apparmor.d/groups/systemd/localectl
+++ b/apparmor.d/groups/systemd/localectl
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/localectl
 profile localectl @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
--- a/apparmor.d/groups/systemd/loginctl
+++ b/apparmor.d/groups/systemd/loginctl
@ -12,7 +12,7 @@ profile loginctl @{exec_path} {
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1.Session>
  include <abstractions/bus/org.freedesktop.login1>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_resource,
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -12,7 +12,7 @@ profile systemd-analyze @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/consoles>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability sys_resource,
  capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-backlight
+++ b/apparmor.d/groups/systemd/systemd-backlight
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-backlight
 profile systemd-backlight @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-binfmt
 profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-cgtop
+++ b/apparmor.d/groups/systemd/systemd-cgtop
@ -10,7 +10,7 @@ include <tunables/global>
 profile systemd-cgtop @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@ -11,7 +11,7 @@ include <tunables/global>
 profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  # userns,
--- a/apparmor.d/groups/systemd/systemd-cryptsetup
+++ b/apparmor.d/groups/systemd/systemd-cryptsetup
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup
 profile systemd-cryptsetup @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  include <abstractions/disks-write>
  capability ipc_lock,
--- a/apparmor.d/groups/systemd/systemd-detect-virt
+++ b/apparmor.d/groups/systemd/systemd-detect-virt
@ -11,7 +11,7 @@ include <tunables/global>
 profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-escape
+++ b/apparmor.d/groups/systemd/systemd-escape
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-escape
 profile systemd-escape @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-fsck
+++ b/apparmor.d/groups/systemd/systemd-fsck
@ -12,7 +12,7 @@ profile systemd-fsck @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/disks-read>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_resource,
--- a/apparmor.d/groups/systemd/systemd-fsckd
+++ b/apparmor.d/groups/systemd/systemd-fsckd
@ -11,7 +11,7 @@ include <tunables/global>
 profile systemd-fsckd @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_tty_config,
--- a/apparmor.d/groups/systemd/systemd-generator-bless-boot
+++ b/apparmor.d/groups/systemd/systemd-generator-bless-boot
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-generators/systemd-bless-boot-generator
 profile systemd-generator-bless-boot @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-generator-cryptsetup
+++ b/apparmor.d/groups/systemd/systemd-generator-cryptsetup
@ -10,7 +10,7 @@ include <tunables/global>
 profile systemd-generator-cryptsetup @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-generator-debug
+++ b/apparmor.d/groups/systemd/systemd-generator-debug
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-generators/systemd-debug-generator
 profile systemd-generator-debug @{exec_path} flags=(attach_disconnected)  {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-generator-fstab
+++ b/apparmor.d/groups/systemd/systemd-generator-fstab
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-generators/systemd-fstab-generator
 profile systemd-generator-fstab @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability dac_override,
  capability dac_read_search,
--- a/apparmor.d/groups/systemd/systemd-generator-getty
+++ b/apparmor.d/groups/systemd/systemd-generator-getty
@ -10,7 +10,7 @@ include <tunables/global>
 profile systemd-generator-getty @{exec_path} flags=(attach_disconnected)  {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-generator-gpt-auto
+++ b/apparmor.d/groups/systemd/systemd-generator-gpt-auto
@ -10,7 +10,7 @@ include <tunables/global>
 profile systemd-generator-gpt-auto @{exec_path} flags=(attach_disconnected)  {
  include <abstractions/base>
  include <abstractions/disks-read>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability sys_admin,
--- a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume
+++ b/apparmor.d/groups/systemd/systemd-generator-hibernate-resume
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-generators/systemd-hibernate-resume-generator
 profile systemd-generator-hibernate-resume @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-generator-integritysetup
+++ b/apparmor.d/groups/systemd/systemd-generator-integritysetup
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-generators/systemd-integritysetup-generator
 profile systemd-generator-integritysetup @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-generator-run
+++ b/apparmor.d/groups/systemd/systemd-generator-run
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-generators/systemd-run-generator
 profile systemd-generator-run @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  ptrace (read) peer=@{systemd},
--- a/apparmor.d/groups/systemd/systemd-generator-system-update
+++ b/apparmor.d/groups/systemd/systemd-generator-system-update
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-generators/systemd-system-update-generator
 profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-generator-user-autostart
+++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator
 profile systemd-generator-user-autostart @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  include <abstractions/nameservice-strict>
  capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-generator-user-environment
+++ b/apparmor.d/groups/systemd/systemd-generator-user-environment
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/user-environment-generators/*
 profile systemd-generator-user-environment @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  include <abstractions/nameservice-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-generator-veritysetup
+++ b/apparmor.d/groups/systemd/systemd-generator-veritysetup
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/system-generators/systemd-veritysetup-generator
 profile systemd-generator-veritysetup @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  ptrace (read) peer=@{systemd},
--- a/apparmor.d/groups/systemd/systemd-homed
+++ b/apparmor.d/groups/systemd/systemd-homed
@ -12,7 +12,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus-system>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability chown,
  capability dac_override,
--- a/apparmor.d/groups/systemd/systemd-homework
+++ b/apparmor.d/groups/systemd/systemd-homework
@ -10,7 +10,7 @@ include <tunables/global>
 profile systemd-homework @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -12,7 +12,7 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability sys_admin,  # To set a hostname
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -11,7 +11,7 @@ include <tunables/global>
 profile systemd-journald @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability audit_control,
  capability audit_read,
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@ -12,7 +12,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/consoles>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  # Needed?
  audit capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -16,7 +16,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
  include <abstractions/devices-usb>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability chown,
  capability dac_override,
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@ -11,7 +11,7 @@ profile systemd-machined @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability chown,
  capability dac_override,
--- a/apparmor.d/groups/systemd/systemd-makefs
+++ b/apparmor.d/groups/systemd/systemd-makefs
@ -10,7 +10,7 @@ include <tunables/global>
 profile systemd-makefs @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-write>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_resource,
--- a/apparmor.d/groups/systemd/systemd-modules-load
+++ b/apparmor.d/groups/systemd/systemd-modules-load
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-modules-load
 profile systemd-modules-load @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_module,
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -12,7 +12,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.hostname1>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability net_bind_service,
--- a/apparmor.d/groups/systemd/systemd-networkd-wait-online
+++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-networkd-wait-online
 profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -10,7 +10,7 @@ include <tunables/global>
 profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability dac_override,
  capability kill,
--- a/apparmor.d/groups/systemd/systemd-portabled
+++ b/apparmor.d/groups/systemd/systemd-portabled
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-portabled
 profile systemd-portabled @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability chown,
  capability dac_override,
--- a/apparmor.d/groups/systemd/systemd-random-seed
+++ b/apparmor.d/groups/systemd/systemd-random-seed
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-random-seed
 profile systemd-random-seed @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-remount-fs
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@ -10,7 +10,7 @@ include <tunables/global>
 profile systemd-remount-fs @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_admin,
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -14,7 +14,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_bind_service,
  capability net_raw,
--- a/apparmor.d/groups/systemd/systemd-rfkill
+++ b/apparmor.d/groups/systemd/systemd-rfkill
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-rfkill
 profile systemd-rfkill @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_ptrace,
--- a/apparmor.d/groups/systemd/systemd-shutdown
+++ b/apparmor.d/groups/systemd/systemd-shutdown
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-shutdown
 profile systemd-shutdown @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability kill,
  capability sys_boot,
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@ -11,7 +11,7 @@ profile systemd-sleep @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_admin,
--- a/apparmor.d/groups/systemd/systemd-socket-proxyd
+++ b/apparmor.d/groups/systemd/systemd-socket-proxyd
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-socket-proxyd
 profile systemd-socket-proxyd @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
--- a/apparmor.d/groups/systemd/systemd-sulogin-shell
+++ b/apparmor.d/groups/systemd/systemd-sulogin-shell
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-sulogin-shell
 profile systemd-sulogin-shell @{exec_path} {
  include <abstractions/base>
-  include <abstractions/systemd-common>
+  include <abstractions/common/systemd>
  capability net_admin,
  capability sys_resource,
--- a/Show more
+++ b/Show more
`@ -64,4 +64,4 @@`

	`deny @{user_share_dirs}/gvfs-metadata/* r,`	`deny @{user_share_dirs}/gvfs-metadata/* r,`

	`include if exists <abstractions/sudo.d>`	`include if exists <abstractions/app/sudo.d>`
`@ -18,4 +18,4 @@`

	`/dev/kmsg w,`	`/dev/kmsg w,`

	`include if exists <abstractions/systemd-common.d>`	`include if exists <abstractions/common/systemd.d>`