feat(profile): general update.

apparmor.d/groups/gnome/epiphany-search-provider

@@ -36,6 +36,7 @@ profile epiphany-search-provider @{exec_path} {
   owner /tmp/Serialized* rw,
 
   @{sys}/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/firmware/acpi/pm_profile r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
 
@@ -46,6 +47,8 @@ profile epiphany-search-provider @{exec_path} {
         @{PROC}/zoneinfo r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/smaps r,
+  owner @{PROC}/@{pid}/statm r,
 
   deny @{user_share_dirs}/gvfs-metadata/* r,
 

apparmor.d/groups/gnome/gio-launch-desktop

@@ -16,6 +16,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/deny-sensitive-home>
   include <abstractions/gnome-strict>
+  include <abstractions/nameservice-strict>
   include <abstractions/trash>
 
   @{exec_path} mr,
@@ -25,6 +26,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/{,**} rw,
 
+  owner /tmp/wl-copy-buffer-@{rand6}/stdin r,
+
   @{run}/mount/utab r,
 
   owner @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/gnome/gnome-characters

@@ -18,7 +18,7 @@ profile gnome-characters @{exec_path} {
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
 
-  dbus bind bus=session name=org.gnome.Characters,
+  # dbus: own bus=session name=org.gnome.Characters
   dbus receive bus=session path=/org/gnome/Characters/SearchProvider
        interface=org.gnome.Shell.SearchProvider2
        peer=(name=:*, label=gnome-shell),

apparmor.d/groups/gnome/gnome-music

@@ -30,7 +30,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
   @{bin}/ r,
   @{bin}/env r,
   @{bin}/python3.@{int} rix,
-  @{lib}/python3.@{int}/site-packages//gnomemusic/__pycache__/{,**} rw,
+  @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw,
 
   /usr/share/grilo-plugins/grl-lua-factory/{,*} r,
   /usr/share/org.gnome.Music/{,**} r,
@@ -45,8 +45,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/grilo-plugins/ rwk,
   owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
 
-        @{run}/systemd/inhibit/[0-9]*.ref rw,
-  owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
+  @{run}/systemd/inhibit/[0-9]*.ref rw,
 
   owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
   owner /var/tmp/etilqs_@{hex} rw,

apparmor.d/groups/gnome/gnome-shell

@@ -288,6 +288,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{user_music_dirs}/**.{png,jpg,svg} r,
 
   owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
+  owner @{user_config_dirs}/background r,
   owner @{user_config_dirs}/ibus/ w,
   owner @{user_config_dirs}/monitors.xml{,~} rwl,
   owner @{user_config_dirs}/pulse/ rw,

apparmor.d/groups/gnome/gnome-software

@@ -91,8 +91,8 @@ profile gnome-software @{exec_path} {
   owner /tmp/#@{int} rw,
 
   owner @{run}/user/@{uid}/.dbus-proxy/ rw,
-  owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw,
+  owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw,
   owner @{run}/user/@{uid}/.flatpak-cache rw,
   owner @{run}/user/@{uid}/.flatpak/{,**} rw,
   owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,

apparmor.d/groups/kde/konsole

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Jeroen Rijken
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,9 +14,8 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/consoles>
-  include <abstractions/dri>
+  include <abstractions/graphics>
   include <abstractions/kde-strict>
-  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
 
   ptrace (read),
@@ -25,10 +25,13 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
   @{exec_path}                          mr,
   @{bin}/@{shells}                      rUx,
   @{browsers_path}                      rPx,
-  @{lib}/@{multiarch}/utempter/utempter rPUx,
+
+  @{lib}/{,@{multiarch}/}utempter/utempter  rPx,
 
   /usr/share/color-schemes/{,**} r,
+  /usr/share/knotifications5/plasma_workspace.notifyrc r,
   /usr/share/konsole/{,**} r,
+  /usr/share/sounds/** r,
 
   /etc/xdg/konsolerc r,
   /etc/xdg/ui/ui_standards.rc r,
@@ -36,31 +39,25 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/@{XDG_SSH_DIR}/config r,
 
   owner @{user_config_dirs}/#@{int} rwl,
-  owner @{user_config_dirs}/konsolerc{,**} rw,
+  owner @{user_config_dirs}/konsolerc rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/konsolerc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/konsolerc.lock rwlk,
-  owner @{user_config_dirs}/konsolesshconfig rw,
+  owner @{user_config_dirs}/konsolerc.lock rwk,
+  owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/konsolesshconfig.lock rwk,
-  owner @{user_config_dirs}/konsolerc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
   owner @{user_share_dirs}/konsole/{,**} rw,
 
-  # Required including abstractions/audio for sending notifications
-  /usr/share/knotifications5/plasma_workspace.notifyrc r,
-  /usr/share/sounds/** r,
-
   owner /tmp/#@{int} rw,
   owner /tmp/konsole.@{rand6} rw,
 
-  @{sys}/devices/system/node/ r,
-  @{sys}/devices/system/node/node@{int}/meminfo r,
-
+        @{PROC}/sys/kernel/core_pattern r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/stat r,
-  @{PROC}/sys/kernel/core_pattern r,
+
+  /dev/ptmx rw,
 
   include if exists <local/konsole>
 }

apparmor.d/groups/kde/utempter

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{lib}/utempter/utempter
+@{exec_path} = @{lib}/{,@{multiarch}/}utempter/utempter
 profile utempter @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/network/netplan.script

@@ -23,11 +23,11 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
   /etc/netplan/{,*} r,
 
   @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
-  @{run}/NetworkManager/system-connections/ r,
+  @{run}/NetworkManager/system-connections/ rw,
   @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
   @{run}/systemd/system/ r,
   @{run}/systemd/system/netplan-* rw,
-  @{run}/systemd/system/systemd-networkd.service.wants/ r,
+  @{run}/systemd/system/systemd-networkd.service.wants/ rw,
   @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
   @{run}/udev/rules.d/ r,
   @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw,

apparmor.d/groups/pacman/pacman-hook-mkinitcpio

@@ -28,6 +28,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   @{bin}/sed        rix,
   @{bin}/sort       rix,
   @{bin}/stat       rix,
+  @{bin}/pacman     rCx -> pacman,
 
   /usr/share/mkinitcpio/*.preset r,
 
@@ -47,5 +48,26 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   deny network inet6 stream,
   deny network inet stream,
 
+  profile pacman {
+    include <abstractions/base>
+    include <abstractions/openssl>
+
+    capability dac_read_search,
+
+    @{bin}/pacman mr,
+  
+    @{bin}/gpg rix,
+    @{bin}/gpgconf rix,
+    @{bin}/gpgsm rix,
+  
+    /etc/pacman.conf r,
+    /etc/pacman.d/{,**} r,
+    /etc/pacman.d/gnupg/** rwkl,
+
+    /var/lib/pacman/local/{,**} r,
+
+    include if exists <local/pacman-hook-mkinitcpio_pacman>
+  }
+
   include if exists <local/pacman-hook-mkinitcpio>
 }

apparmor.d/groups/systemd/busctl

@@ -22,6 +22,8 @@ profile busctl @{exec_path} {
 
   unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,
 
+  signal (send) set=(cont) peer=child-pager,
+
   dbus eavesdrop bus=session,
   dbus eavesdrop bus=system,
 
@@ -36,12 +38,12 @@ profile busctl @{exec_path} {
   @{bin}/more  rPx -> child-pager,
   @{bin}/pager rPx -> child-pager,
 
-  owner @{PROC}/@{pid}/cgroup r,
+        @{PROC}/@{pid}/cgroup r,
+        @{PROC}/@{pid}/comm r,
+        @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/loginuid r,
   owner @{PROC}/@{pid}/sessionid r,
-  owner @{PROC}/@{pid}/stat r,
 
   include if exists <local/busctl>
 }

apparmor.d/groups/systemd/systemd-generator-ds-identify

@@ -22,10 +22,19 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
   @{bin}/tr                      rix,
   @{bin}/uname                   rix,
 
+  /etc/cloud/{,**} r,
+
   @{run}/cloud-init/{,.}ds-identify.* rw,
 
+  @{sys}/devices/virtual/dmi/id/chassis_asset_tag r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_serial r,
+  @{sys}/devices/virtual/dmi/id/product_uuid r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
   @{PROC}/cmdline r,
   @{PROC}/uptime r,
+  @{PROC}/@{pid}/environ r,
 
   include if exists <local/systemd-generator-ds-identify>
 }

apparmor.d/groups/systemd/systemd-hwdb

@@ -16,7 +16,7 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{exec_path} mr,
 
   @{lib}/udev/#@{int} rwl,
-  @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* wl -> @{lib}/udev/#@{int},
+  @{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int},
   @{lib}/udev/hwdb.bin w,
 
   /etc/udev/.#hwdb.bind* rw,

apparmor.d/groups/systemd/systemd-machined

@@ -37,5 +37,10 @@ profile systemd-machined @{exec_path} {
   @{run}/systemd/userdb/io.systemd.Machine rw,
   @{run}/systemd/notify w,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/cpu r,
+  @{PROC}/pressure/io r,
+  @{PROC}/pressure/memory r,
+
   include if exists <local/systemd-machined>
 }

apparmor.d/groups/systemd/systemd-sysusers

@@ -33,17 +33,16 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   /etc/{passwd,shadow} rw,
   /etc/{passwd,shadow}- rw,
   /etc/{passwd,shadow}+ rw,
-  /etc/.#{passwd,shadow}[0-9a-zA-Z]* rw,
+  /etc/.#{passwd,shadow}@{hex} rw,
   /etc/{group,gshadow} rw,
   /etc/{group,gshadow}- rw,
   /etc/{group,gshadow}+ rw,
-  /etc/.#{group,gshadow}[0-9a-zA-Z]* rw,
+  /etc/.#{group,gshadow}@{hex} rw,
   /etc/.pwd.lock rwk,
 
         /dev/tty@{int} rw,
   owner /dev/pts/@{int} rw,
 
-
   # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,

apparmor.d/groups/systemd/systemd-update-done

@@ -16,9 +16,9 @@ profile systemd-update-done @{exec_path} {
 
   @{exec_path} mr,
 
-  /etc/.#.updated[0-9a-zA-Z]* rw,
+  /etc/.#.updated@{hex} rw,
   /etc/.updated w,
-  /var/.#.updated[0-9a-zA-Z]* rw,
+  /var/.#.updated@{hex} rw,
   /var/.updated w,
 
   @{run}/host/container-manager r,

apparmor.d/groups/systemd/zram-generator

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/system-generators/zram-generator
-profile zram-generator @{exec_path} {
+profile zram-generator @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/systemd-common>
 

apparmor.d/groups/ubuntu/apport

@@ -16,6 +16,7 @@ profile apport @{exec_path} flags=(attach_disconnected) {
   include <abstractions/openssl>
   include <abstractions/python>
 
+  capability chown,
   capability dac_read_search,
   capability fsetid,
   capability setgid,

apparmor.d/groups/ubuntu/check-new-release-gtk

@@ -32,6 +32,9 @@ profile check-new-release-gtk @{exec_path} {
   @{bin}/ischroot     rix,
   @{bin}/lsb_release  rPx -> lsb_release,
 
+  @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
+  @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
+
   /usr/share/distro-info/{,**} r,
   /usr/share/ubuntu-release-upgrader/{,**} r,
   /usr/share/update-manager/{,**} r,

apparmor.d/groups/virt/cockpit-certificate-ensure

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/cockpit/cockpit-certificate-ensure
-profile cockpit-certificate-ensure @{exec_path} {
+profile cockpit-certificate-ensure @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   capability dac_override,

apparmor.d/groups/virt/cockpit-tls

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/cockpit/cockpit-tls
-profile cockpit-tls @{exec_path} {
+profile cockpit-tls @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   network inet stream,

apparmor.d/groups/virt/cockpit-update-motd

@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/share/cockpit/motd/update-motd
+profile cockpit-update-motd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  @{sh_path}        rix,
+  @{bin}/hostname   rix,
+  @{bin}/ip         rPx,
+  @{bin}/sed        rix,
+  @{bin}/systemctl  rCx -> systemctl,
+
+  @{run}/cockpit/active.motd rw,
+
+  owner /dev/tty rw,
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+  
+    capability net_admin,
+    capability sys_ptrace,
+
+    @{PROC}/sys/kernel/cap_last_cap r,
+
+    include if exists <local/cockpit-update-motd_systemctl>
+  }
+
+  include if exists <local/cockpit-update-motd>
+}

apparmor.d/profiles-a-f/aa-notify

@@ -19,6 +19,8 @@ profile aa-notify @{exec_path} {
 
   ptrace (read),
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mr,
 
   @{bin}/ r,

apparmor.d/profiles-a-f/blueman

@@ -33,7 +33,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  @{bin}/{b,d}ash            rix,
+  @{sh_path}           rix,
 
   @{bin}/blueman-tray  rPx,
   @{open_path}         rPx -> child-open,

apparmor.d/profiles-a-f/browserpass

@@ -18,11 +18,11 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
   @{bin}/gpg{2,} rCx -> gpg,
 
   owner @{HOME}/.password-store/{,**} r,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/extensions/* r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/scriptCache-*.bin r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
+  owner @{HOME}/.mozilla/firefox/@{rand8}.*/.parentlock rw,
+  owner @{HOME}/.mozilla/firefox/@{rand8}.*/extensions/* r,
+  owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r,
+  owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r,
+  owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
   owner /tmp/mozilla-temp-@{int} r,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@@ -32,8 +32,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
   # Inherit Silencer
   deny network inet6,
   deny network inet,
-  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r,
-  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw,
+  deny owner @{HOME}/.mozilla/firefox/@{rand8}.*/features/*/*.xpi r,
+  deny owner @{HOME}/.mozilla/firefox/@{rand8}.*/storage/default/{,**} rw,
   deny owner @{user_download_dirs}/{,**} rw,
   deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
   deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,

apparmor.d/profiles-a-f/flatpak-app

@@ -14,7 +14,8 @@
 #
 # 1. All of this will have to be improved. However, as of today, it is the only way
 # to not break some (major) flatpak app.
-# 2. It is not a big deal as flatpak is responsible for the sandbox anyway.
+# 2. It is not a big deal as flatpak is responsible for the sandbox anyway. This this only defence in depth. 
+# 3. The main purpose of this profile is to ensure all processes are confined.
 
 abi <abi/3.0>,
 
@@ -67,9 +68,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
   /app/.ref k,
   /app/extra/** rw,
   /bindfile@{rand6} rw,
-  /newroot/{,**} rw,
-  /tmp/newroot/ w,
-  /tmp/oldroot/ w,
 
   /var/lib/flatpak/app/{,**} r,
   /var/lib/flatpak/exports/** rw,

apparmor.d/profiles-a-f/fwupd

@@ -135,12 +135,14 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
     @{bin}/gpgconf    mr,
     @{bin}/gpgsm      mr,
     @{bin}/gpg-agent  mrix,
+    @{lib}/gnupg/scdaemon rix,
 
     owner /var/lib/fwupd/gnupg/ rw,
     owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
 
     owner @{PROC}/@{pids}/fd/ r,
 
+    include if exists <local/fwupd_gpg>
   }
 
   include if exists <local/fwupd>

apparmor.d/profiles-g-l/gitstatusd

@@ -13,7 +13,7 @@ profile gitstatusd @{exec_path} {
   @{exec_path} mr,
 
   owner @{user_projects_dirs}/{,**} r,
-  owner @{user_projects_dirs}/**/.git/.gitstatus.[0-9a-zA-Z]*/{,**} rw,
+  owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw,
 
   owner @{HOME}/.gitconfig r,
   owner @{user_config_dirs}/git/{,*} r,

apparmor.d/profiles-m-r/rustdesk

@@ -5,19 +5,17 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}{,local/}bin/rustdesk
+@{exec_path} = @{bin}/rustdesk
 profile rustdesk @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus/org.a11y>
+  include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
-  include <abstractions/X-strict>
 
   capability dac_read_search,
   capability dac_override,
@@ -37,44 +35,29 @@ profile rustdesk @{exec_path} {
   @{bin}/curl     rix,
   @{bin}/ls       rix,
 
+  @{bin}/sudo rCx           -> sudo,
   @{bin}/python3.@{int} rPx -> rustdesk_python,
   @{sh_path}            rPx -> rustdesk_shell,
 
   /etc/gdm{,3}/custom.conf r,
 
+  owner @{HOME}/ r,  # fails otherwise
+  owner @{HOME}/[rR]ust[dD]esk/{,**} rw,
+
   owner @{HOME}/.local/ w,
   owner @{user_share_dirs}/ w,
   owner @{user_share_dirs}/logs/ w,
   owner @{user_share_dirs}/logs/[rR]ust[dD]esk/{,**} rw,
   owner @{user_config_dirs}/[rR]ust[dD]esk/{,**} rw,
 
+  /tmp/[rR]ust[dD]esk/{,**} rw,
+
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{cur,min,max}_freq r,
 
         @{PROC}/uptime r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,
 
-  # grep ps
-  @{PROC} r,
-  capability sys_ptrace,
-  ptrace (read),
-  @{PROC}/@{pid}/stat r,
-  @{PROC}/@{pid}/cmdline r,
-  @{PROC}/@{pid}/environ r,
-  @{PROC}/@{pid}/io r,
-  @{PROC}/@{pid}/task/ r,
-  @{PROC}/@{pid}/task/@{tid}/stat r,
-  @{PROC}/@{pid}/task/@{tid}/io r,
-  @{PROC}/@{pid}/task/@{tid}/status r,
-
-  # service and GUI intercommunication
-  @{HOME}/.Xauthority r,
-  @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
-  @{run}/user/@{uid}/gdm{,3}/Xauthority r,
-  /tmp/[rR]ust[dD]esk/{,**} rw,
-  /tmp/.X11-unix/ r,
-  /var/lib/lightdm/.Xauthority r,
-
   # pulse
   /dev/shm/ r,
   /etc/pulse/client.conf r,
@@ -86,24 +69,6 @@ profile rustdesk @{exec_path} {
   owner @{user_config_dirs}/pulse/@{md5}-runtime{,.tmp} rw,
   owner /tmp/pulse-*/ rw,
 
-  # gtk-tiny
-  /usr/share/themes/{,**} r,
-  /etc/gtk-3.0/settings.ini r,
-  /usr/share/themes/*/gtk-3.0/gtk.css r,
-
-  # file transfer
-  owner @{HOME}/ r,  # fails otherwise
-  owner @{HOME}/[rR]ust[dD]esk/{,**} rw,
-
-  # file_inherit, X-tiny
-  owner @{HOME}/.xsession-errors w,
-
-  # Do not reveal username (pop-up only)
-#  deny /etc/passwd r,
-
-  # It's possible to disable root-based service ('systemctl disable rustdesk.service') and use RD only on-demand (or as client-only). After that, sudo isn't necessary.
-#  deny @{bin}/sudo   x,
-  @{bin}/sudo rCx -> sudo,
   profile sudo {
     include <abstractions/base>
     include <abstractions/nameservice-strict>
@@ -118,7 +83,9 @@ profile rustdesk @{exec_path} {
 
     network netlink raw,
 
-    @{bin}/sudo r,
+    @{bin}/sudo rm,
+    @{bin}/rustdesk rPx,
+    @{bin}/python3.@{int}    rPx -> rustdesk_python,
 
     /etc/sudo.conf r,
     /etc/sudoers r,
@@ -133,16 +100,10 @@ profile rustdesk @{exec_path} {
     /etc/environment r,
     /etc/default/locale r,
 
-    @{lib}/sudo/libsudo_util.so* mr,
-    @{lib}/sudo/sudoers.so mr,
-
           @{PROC}/1/limits r,
     owner @{PROC}/@{pid}/stat r,
     owner @{PROC}/@{pid}/fd/ r,
 
-    /{,usr/}{,local/}bin/rustdesk rPx,
-    @{bin}/python3.@{int}    rPx -> rustdesk_python,
-
     include if exists <local/rustdesk_sudo>
   }
 
@@ -172,7 +133,6 @@ profile rustdesk_python {
   @{bin}/uname rPx,
   /usr/share/rustdesk/files/pynput_service.py rPx,
 
-  /usr/local/lib/python3.@{int}/dist-packages/pynput/{,**} r,
   /usr/share/[rR]ust[dD]esk/files/{,**} r,
   /tmp/[rR]ust[dD]esk/ w,
   /tmp/[rR]ust[dD]esk/pynput_service rw,

apparmor.d/profiles-s-z/snap

@@ -64,7 +64,7 @@ profile snap @{exec_path} {
   owner /tmp/snapd-auto-import-mount-@{int}/ rw,
 
         @{run}/user/@{uid}/bus rw,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
   owner @{run}/user/@{uid}/systemd/notify rw,

apparmor.d/profiles-s-z/steam-fossilize

@@ -23,7 +23,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/ rw,
   owner @{user_share_dirs}/Steam/steamapps/shadercache/@{int}/nvidiav@{int}/GLCache/** rwk,
 
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
 
   @{sys}/devices/system/node/node@{int}/cpumap r,
 

apparmor.d/profiles-s-z/steam-gameoverlayui

@@ -11,8 +11,8 @@ include <tunables/global>
 profile steam-gameoverlayui @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio>
-  include <abstractions/fonts>
-  include <abstractions/nvidia>
+  include <abstractions/desktop>
+  include <abstractions/graphics>
 
   network inet stream,
   network inet6 stream,
@@ -40,11 +40,6 @@ profile steam-gameoverlayui @{exec_path} {
   owner @{user_share_dirs}/Steam/resource/{,**} rk,
   owner @{user_share_dirs}/Steam/userdata/@{int}/{,**} rk,
 
-  owner /var/cache/fontconfig/ rw,
-
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
-
   owner /dev/shm/u@{uid}-Shm_@{hex} rw,
   owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk,
   owner /dev/shm/ValveIPCSHM_@{uid} rw,
@@ -53,12 +48,6 @@ profile steam-gameoverlayui @{exec_path} {
   owner /tmp/steam_chrome_overlay_uid@{uid}_spid@{pids} rw,
   owner /tmp/miles_image_* mrw,
 
-  @{sys}/ r,
-  @{sys}/devices/system/cpu/cpu@{int}/** r,
-  @{sys}/kernel/ r,
-
-  @{PROC}/version r,
-
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   include if exists <local/steam-gameoverlayui>