feat(profile): general update.

apparmor.d/abstractions/audio-client

@@ -30,8 +30,9 @@
 
   owner @{HOME}/.alsoftrc r,
   owner @{HOME}/.asoundrc r,
-  owner @{HOME}/.libao r,
   owner @{HOME}/.esd_auth r,
+  owner @{HOME}/.libao r,
+  owner @{HOME}/.pulse-cookie rwk,
 
   owner @{user_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk,  # libcanberra
 
@@ -48,6 +49,8 @@
   owner @{run}/user/@{uid}/pulse/ rw,
   owner @{run}/user/@{uid}/pulse/native rw,
 
+  @{sys}/class/sound/ r,
+
         /dev/shm/ r,
   owner /dev/shm/pulse-shm-@{int} rw,
 

apparmor.d/abstractions/nvidia-strict

@@ -18,6 +18,7 @@
   owner @{HOME}/.nv/nvidia-application-profiles-* r,
 
   @{sys}/devices/system/memory/block_size_bytes r,
+  @{sys}/module/nvidia/version r,
 
         @{PROC}/driver/nvidia/params r,
         @{PROC}/sys/vm/max_map_count r,

apparmor.d/abstractions/video.d/complete

@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+  @{run}/udev/data/c81:@{int}  r,         # For video4linux
+
   @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
 
   # Access to video /dev devices

apparmor.d/groups/bus/dbus-session

@@ -57,8 +57,8 @@ profile dbus-session flags=(attach_disconnected) {
   @{sys}/kernel/security/apparmor/features/dbus/mask r,
   @{sys}/module/apparmor/parameters/enabled r,
  
+        @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/attr/apparmor/current r,
-  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/oom_score_adj r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/groups/freedesktop/xdg-permission-store

@@ -27,6 +27,13 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
 
   @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,
 
+  owner @{desktop_share_dirs}/flatpak/ w,
+  audit owner @{desktop_share_dirs}/flatpak/db/ rw,
+  audit owner @{desktop_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
+  audit owner @{desktop_share_dirs}/flatpak/db/background rw,
+  audit owner @{desktop_share_dirs}/flatpak/db/devices r,
+  audit owner @{desktop_share_dirs}/flatpak/db/notifications rw,
+
   owner @{user_share_dirs}/flatpak/ w,
   owner @{user_share_dirs}/flatpak/db/ rw,
   owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,

apparmor.d/groups/freedesktop/xwayland

@@ -9,8 +9,8 @@ include <tunables/global>
 @{exec_path}  = @{bin}/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
   include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
   include <abstractions/X-strict>
 
   signal (receive) set=(term hup) peer=gdm*,

apparmor.d/groups/gnome/gnome-shell

@@ -235,7 +235,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{gdm_config_dirs}/pulse/cookie rwk,
   owner @{gdm_share_dirs}/applications/{,**} r,
   owner @{gdm_share_dirs}/gnome-shell/{,**} rw,
-  owner @{gdm_share_dirs}/icc/ r,
+  owner @{gdm_share_dirs}/icc/ rw,
   owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
   owner @{gdm_share_dirs}/icc/.goutputstream-@{rand6} rw,
 
@@ -260,7 +260,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_share_dirs}/gnome-shell/{,**} rw,
   owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-  owner @{user_share_dirs}/icc/ r,
+  owner @{user_share_dirs}/icc/ rw,
   owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
   owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
 
@@ -273,6 +273,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_cache_dirs}/media-art/{,**} r,
   owner @{user_cache_dirs}/vlc/**/*.jpg r,
 
+        @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
   owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
   owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
   owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

apparmor.d/groups/gpg/gpg

@@ -43,6 +43,11 @@ profile gpg @{exec_path} {
   owner /etc/apt/keyrings/ rw,
   owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,
 
+  #aa:only pacman
+  owner /etc/pacman.d/gnupg/gpg.conf r,
+  owner /etc/pacman.d/gnupg/pubring.gpg r,
+  owner /etc/pacman.d/gnupg/trustdb.gpg r,
+
   owner /var/lib/*/gnupg/ rw,
   owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
 

apparmor.d/groups/kde/baloo

@@ -25,6 +25,7 @@ profile baloo @{exec_path} {
   @{lib}/{,kf6/}baloo_file_extractor rix,
 
   /usr/share/poppler/{,**} r,
+  /usr/share/desktop-base/kf5-settings/baloofilerc r,
 
   /etc/fstab r,
   /etc/machine-id r,

apparmor.d/groups/kde/drkonqi-coredump-cleanup

@@ -14,7 +14,7 @@ profile drkonqi-coredump-cleanup @{exec_path} {
   @{exec_path} mr,
 
         @{user_cache_dirs}/kcrash-metadata/ r,
-  owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w,
+  owner @{user_cache_dirs}/kcrash-metadata/plasmashell.@{hex32}.@{int4}.ini w,
 
   include if exists <local/drkonqi-coredump-cleanup>
 }

apparmor.d/groups/kde/gmenudbusmenuproxy

@@ -18,6 +18,7 @@ profile gmenudbusmenuproxy @{exec_path} {
   @{exec_path} mr,
 
   /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
 
   owner @{HOME}/.gtkrc-2.0 rw,
   owner @{user_config_dirs}/gtk-{2,3}.0/#@{int} rw,

apparmor.d/groups/kde/kde-systemd-start-condition

@@ -16,6 +16,7 @@ profile kde-systemd-start-condition @{exec_path} {
   /usr/share/desktop-base/kf{5,6}-settings/baloofilerc r,
 
   owner @{user_config_dirs}/baloofilerc r,
+  owner @{user_config_dirs}/konquerorrc r,
   owner @{user_config_dirs}/plasma-welcomerc r,
 
   include if exists <local/kde-systemd-start-condition>

apparmor.d/groups/kde/kwin_wayland

@@ -32,6 +32,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
   #aa:exec kscreenlocker_greet
 
   /usr/share/color-schemes/*.colors r,
+  /usr/share/desktop-base/kf5-settings/{,**} r,
   /usr/share/desktop-directories/*.directory r,
   /usr/share/kglobalaccel/{,**} r,
   /usr/share/knotifications{5,6}/ksmserver.notifyrc r,

apparmor.d/groups/kde/sddm

@@ -168,7 +168,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
         /tmp/sddm-* rw,
         /tmp/xauth_@{rand6} rwl -> /tmp/#@{int},
-  owner @{tmp}/*/{,s} rw,
+  owner @{tmp}/.@{rand6}/{,s} rw,
   owner @{tmp}/#@{int} rw,
   owner @{tmp}/sddm-auth* rw,
 
@@ -209,15 +209,15 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
     @{bin}/xauth mr,
 
-    owner @{HOME}/.Xauthority-c  w,
-    owner @{HOME}/.Xauthority-l  wl -> @{HOME}/.Xauthority-c,
+    owner @{HOME}/.Xauthority-c rw,
+    owner @{HOME}/.Xauthority-l rwl -> @{HOME}/.Xauthority-c,
     owner @{HOME}/.Xauthority-n rw,
     owner @{HOME}/.Xauthority   rwl -> @{HOME}/.Xauthority-n,
 
     owner @{user_share_dirs}/sddm/xorg-session.log w,
 
-    owner @{run}/sddm/\{@{uuid}\}-c  w,
-    owner @{run}/sddm/\{@{uuid}\}-l  wl -> @{run}/sddm/\{@{uuid}\}-c,
+    owner @{run}/sddm/\{@{uuid}\}-c rw,
+    owner @{run}/sddm/\{@{uuid}\}-l rwl -> @{run}/sddm/\{@{uuid}\}-c,
     owner @{run}/sddm/\{@{uuid}\}-n rw,
     owner @{run}/sddm/\{@{uuid}\}   rwl -> @{run}/sddm/\{@{uuid}\}-n,
 

apparmor.d/groups/kde/wayland-session

@@ -24,5 +24,7 @@ profile wayland-session @{exec_path} {
 
   owner @{user_share_dirs}/sddm/wayland-session.log rw,
 
+  /dev/tty rw,
+
   include if exists <local/wayland-session>
 }

apparmor.d/groups/virt/cni-calico

@@ -30,8 +30,7 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) {
   
   /var/lib/calico/{,**} r,
   /var/log/calico/cni/ r,
-  /var/log/calico/cni/cni.log rw,
-  /var/log/calico/cni/cni-@{date}T@{time}.@{int}.log rw,
+  /var/log/calico/cni/*.log rw,
   
   /usr/share/mime/globs2 r,
   

apparmor.d/profiles-a-f/aa-notify

@@ -10,6 +10,7 @@ include <tunables/global>
 profile aa-notify @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 

apparmor.d/profiles-a-f/cups-notifier-dbus

@@ -19,6 +19,8 @@ profile cups-notifier-dbus @{exec_path} {
  
   /etc/cups/client.conf r,
 
+  owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
+
   owner @{tmp}/cups-dbus-notifier-lockfile rwk,
   
   include if exists <local/cups-notifier-dbus>

apparmor.d/profiles-a-f/element-desktop

@@ -30,6 +30,7 @@ profile element-desktop @{exec_path} {
 
   @{exec_path} mr,
 
+  @{sh_path} r,
   @{open_path}     rPx -> child-open-strict,
 
   /usr/share/webapps/element/{,**} r,

apparmor.d/profiles-m-r/mount

@@ -27,7 +27,7 @@ profile mount @{exec_path} flags=(attach_disconnected) {
   network inet stream,
   network inet6 stream,
 
-  ptrace (read) peer=k3s,
+  ptrace (read),
 
   signal (receive) set=(term, kill),
 

apparmor.d/profiles-m-r/qemu-ga

@@ -37,6 +37,7 @@ profile qemu-ga @{exec_path} {
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/meminfo r,
 
+        @{PROC}/sys/vm/max_map_count r,
   owner @{PROC}/@{pid}/net/dev r,
 
   /dev/vport@{int}p@{int} rw,

apparmor.d/profiles-s-z/spice-vdagent

@@ -36,8 +36,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /var/lib/nscd/passwd r,
-
   owner @{desktop_config_dirs}/user-dirs.dirs r,
   owner @{user_config_dirs}/user-dirs.dirs r,
 
@@ -45,5 +43,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 
   owner @{PROC}/@{pids}/task/@{tid}/comm rw,
 
+  owner /dev/tty@{int} rw,
+
   include if exists <local/spice-vdagent>
 }

apparmor.d/profiles-s-z/umount

@@ -20,16 +20,19 @@ profile umount @{exec_path} {
   capability setuid,
   capability sys_admin,
 
-  umount,
-
   network inet stream,
   network inet6 stream,
 
+  umount,
+
   @{exec_path} mr,
 
   @{bin}/umount.*  rPx,
   @{bin}/mount.*   rPx,
 
+  /etc/mtab r,
+  /etc/fstab r,
+
   # Mount points
   @{HOME}/ r,
   @{HOME}/*/ r,
@@ -38,15 +41,10 @@ profile umount @{exec_path} {
   @{MOUNTS}/*/ r,
   @{MOUNTS}/*/*/ r,
 
-  /media/cdrom[0-9]/ r,
-
-  /etc/mtab r,
-  /etc/fstab r,
-
-  owner @{PROC}/@{pid}/mountinfo r,
-
   owner @{run}/mount/ rw,
   owner @{run}/mount/utab{,.*} rwk,
 
+  owner @{PROC}/@{pid}/mountinfo r,
+
   include if exists <local/umount>
 }

apparmor.d/tunables/multiarch.d/paths

@@ -4,6 +4,8 @@
 
 # Define some paths for some commonly used programs
 
+# All variables that refer to a path should have the `_path` suffix.
+
 # Shells
 @{sh_path} = @{bin}/@{sh}
 @{shells_path} = @{bin}/@{shells}

apparmor.d/tunables/multiarch.d/profiles

@@ -5,7 +5,7 @@
 # Define some variables for some commonly used profile. They may be used in 
 # other profiles peer label.
 
-# All variables that refer to a profile should be prefixed with `p_`
+# All variables that refer to a profile name should be prefixed with `p_`
 
 # Name of the systemd profiles. Can be `unconfined` or `systemd`, `systemd-user`
 @{p_systemd}=unconfined

apparmor.d/tunables/multiarch.d/system

@@ -67,10 +67,6 @@
 # hci devices
 @{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}
 
-# Date and time
-@{date}=[0-2][0-9][0-9][0-9]-[01][0-9]-[0-3][0-9]
-@{time}={[0-2],}[0-9]-[0-5][0-9]-[0-6][0-9]
-
 # @{MOUNTDIRS} is a space-separated list of where user mount directories
 # are stored, for programs that must enumerate all mount directories on a
 # system.