feat(profile): improve integration with opensuse.

apparmor.d/abstractions/sudo

@@ -21,9 +21,9 @@
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*} r,
-  /etc/sudo.conf r,
-  /etc/sudoers r,
-  /etc/sudoers.d/{,*} r,
+  @{etc_ro}/sudo.conf r,
+  @{etc_ro}/sudoers r,
+  @{etc_ro}/sudoers.d/{,*} r,
 
   / r,
 

apparmor.d/groups/freedesktop/plymouthd

@@ -12,6 +12,8 @@ profile plymouthd @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/dri-common>
 
+  capability checkpoint_restore,
+  capability net_admin,
   capability sys_admin,
   capability sys_chroot,
   capability sys_tty_config,

apparmor.d/groups/freedesktop/xrdb

@@ -24,8 +24,7 @@ profile xrdb @{exec_path} {
 
   /usr/include/stdc-predef.h r,
 
-  /usr/etc/X11/xdm/Xresources r,
-
+  @{etc_ro}/X11/xdm/Xresources r,
   /etc/X11/Xresources/* r,
 
   # The location of the .Xresources file

apparmor.d/groups/freedesktop/xset

@@ -12,6 +12,8 @@ profile xset @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
+  capability dac_read_search,
+
   @{exec_path} mr,
 
   owner @{HOME}/.Xauthority r,

apparmor.d/groups/kde/ksplashqml

@@ -16,6 +16,9 @@ profile ksplashqml @{exec_path} {
 
   @{exec_path} mr,
 
+  @{lib}/libheif/            r,
+  @{lib}/libheif/*.so*      rm,
+
   /usr/share/plasma/** r,
 
   /etc/machine-id r,

apparmor.d/groups/kde/sddm

@@ -73,9 +73,14 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{bin}/cat           rix,
   @{bin}/checkproc     rix,
   @{bin}/disable-paste rix,
+  @{bin}/locale        rix,
+  @{bin}/manpath       rix,
   @{bin}/pidof         rix,
+  @{bin}/readlink      rix,
+  @{bin}/realpath      rix,
   @{bin}/tr            rix,
   @{bin}/tty           rix,
+  @{bin}/uname         rix,
   @{bin}/xdm           r,
   @{bin}/xmodmap       rix,
 
@@ -117,19 +122,28 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   /{usr/,}etc/security/limits.d/{,*.conf} r,
   /{usr/,}etc/X11/Xmodmap r,
   /etc/debuginfod/{,*} r,
+  /etc/manpath.config r,
   /etc/default/locale r,
   /etc/locale.conf r,
   /etc/machine-id r,
   /etc/sddm.conf r,
   /etc/sddm.conf.d/{,*} r,
   /etc/shells r,
+  /etc/sysconfig/console r,
   /etc/sysconfig/displaymanager r,
+  /etc/sysconfig/language r,
+  /etc/sysconfig/mail r,
+  /etc/sysconfig/proxy r,
+  /etc/sysconfig/windowmanager r,
 
   / r,
 
   /var/lib/lastlog/ r,
   /var/lib/lastlog/* rwk,
 
+  /var/lib/wtmpdb/ r,
+  /var/lib/wtmpdb/* rwk,
+
         /var/lib/sddm/state.conf rw,
   owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.jsc mrw,
   owner /var/lib/sddm/.cache/sddm-greeter/qmlcache/*.qmlc mrw,

apparmor.d/groups/ssh/sshd

@@ -72,6 +72,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*.conf} r,
   @{etc_rw}/motd r,
+  @{etc_rw}/motd.d/{,**} r,
   /etc/default/locale r,
   /etc/gss/mech.d/{,*} r,
   /etc/issue.net r,

apparmor.d/groups/systemd/systemd-logind

@@ -53,8 +53,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 
   /etc/machine-id r,
   /etc/systemd/logind.conf r,
-  /etc/systemd/sleep.conf r,
   /etc/systemd/logind.conf.d/{,**} r,
+  /etc/systemd/sleep.conf r,
+  /etc/systemd/sleep.conf.d/{,**} r,
 
   / r,
   /boot/{,**} r,

apparmor.d/profiles-a-f/agetty

@@ -12,6 +12,7 @@ profile agetty @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
 
+  capability checkpoint_restore,
   capability fsetid,
   capability sys_admin,
   capability sys_tty_config,

apparmor.d/profiles-a-f/flatpak-system-helper

@@ -57,7 +57,7 @@ profile flatpak-system-helper @{exec_path} {
     @{bin}/gpgconf  mr,
     @{bin}/gpgsm    mr,
 
-    @{lib}/gnupg/scdaemon rix,
+    @{lib}/{,gnupg/}scdaemon rix,
     @{bin}/gpg-agent rix,
 
     owner /tmp/ostree-gpg-*/ r,

apparmor.d/profiles-g-l/htop

@@ -83,10 +83,13 @@ profile htop @{exec_path} {
   @{PROC}/@{pids}/task/@{tid}/status r,
   @{PROC}/@{pids}/task/@{tid}/wchan r,
 
+  @{sys}/bus/dax/devices/ r,
   @{sys}/bus/i2c/devices/ r,
+  @{sys}/bus/soc/devices/ r,
   @{sys}/class/hwmon/ r,
   @{sys}/class/i2c-adapter/ r,
   @{sys}/class/power_supply/ r,
+  @{sys}/devices/@{pci}/i2c-@{int}/name r,
   @{sys}/devices/**/hwmon@{int}/ r,
   @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
   @{sys}/devices/**/hwmon@{int}/**/ r,
@@ -98,16 +101,37 @@ profile htop @{exec_path} {
   @{sys}/devices/**/power_supply/**/{uevent,type,online} r,
   @{sys}/devices/*/name r,
   @{sys}/devices/i2c-@{int}/name r,
-  @{sys}/devices/@{pci}/i2c-@{int}/name r,
   @{sys}/devices/platform/*/i2c-@{int}/name r,
-  @{sys}/devices/system/cpu/cpu@{int}/online r,
+  @{sys}/devices/system/cpu/cpu@{int}/** r,
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_{cur,min,max}_freq r,
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
+  @{sys}/devices/system/node/node@{int}/cpumap r,
+  @{sys}/devices/system/node/node@{int}/hugepages/ r,
+  @{sys}/devices/system/node/node@{int}/hugepages/hugepages-*/nr_hugepages r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+  @{sys}/devices/system/node/online r,
   @{sys}/devices/virtual/block/zram@{int}/{disksize,mm_stat} r,
+  @{sys}/devices/virtual/dmi/id/ r,
+  @{sys}/devices/virtual/dmi/id/bios_date r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/bios_version r,
+  @{sys}/devices/virtual/dmi/id/chassis_asset_tag r,
+  @{sys}/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/devices/virtual/dmi/id/chassis_vendor r,
+  @{sys}/devices/virtual/dmi/id/chassis_version r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_version r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
+  @{sys}/fs/cgroup/cgroup.controllers r,
+  @{sys}/fs/cgroup/cpuset.cpus.effective r,
+  @{sys}/fs/cgroup/cpuset.mems.effective r,
   @{sys}/kernel/mm/hugepages/ r,
   @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r,
 
+        @{PROC}/cmdline r,
+  owner @{PROC}/@{pid}/cpuset r,
+
   /dev/tty@{int} rw,
 
   include if exists <local/htop>

apparmor.d/profiles-m-r/packagekitd

@@ -68,6 +68,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   @{bin}/fc-cache                    rPx,
   @{bin}/glib-compile-schemas        rPx,
   @{bin}/install-info                rPx,
+  @{bin}/rpmdb2solv                  rPx, # only: opensuse
   @{bin}/systemd-inhibit             rPx,
   @{bin}/update-desktop-database     rPx,
   @{lib}/apt/methods/*               rPx, # only: dpkg
@@ -125,6 +126,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
 
     @{bin}/gpg-agent rix,
     @{bin}/scdaemon  rix,
+    @{lib}/{,gnupg/}scdaemon rix,
 
     /etc/gcrypt/hwf.deny r,
 

apparmor.d/profiles-m-r/passwd

@@ -18,6 +18,7 @@ profile passwd @{exec_path} {
   capability audit_write,
   capability chown,
   capability fsetid,
+  capability net_admin,
   capability setuid,
 
   signal (receive) set=(term, kill) peer=gnome-control-center,

apparmor.d/profiles-s-z/udisksd

@@ -86,10 +86,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   @{bin}/systemctl            rCx -> systemctl,
   @{bin}/systemd-escape       rPx,
 
-  /etc/udisks2/{,**} r,
-  /etc/libblockdev/{,**} r,
-  /etc/fstab r,
   /etc/crypttab r,
+  /etc/fstab r,
+  /etc/libblockdev/{,**} r,
+  /etc/nvme/* r,
+  /etc/udisks2/{,**} r,
 
   /var/lib/udisks2/{,**} r,
   /var/lib/udisks2/mounted-fs{,*} rw,