feat(profile): general update

apparmor.d/groups/apps/dropbox

@@ -108,7 +108,7 @@ profile dropbox @{exec_path} {
   owner /tmp/dropbox-antifreeze-* rw,
   owner /tmp/[a-zA-z0-9]* rw,
   owner /tmp/#@{int} rw,
-  owner /var/tmp/etilqs_* rw,
+  owner /var/tmp/etilqs_@{hex} rw,
 
   @{run}/systemd/users/@{uid} r,
 

apparmor.d/groups/children/child-open

@@ -67,6 +67,7 @@ profile child-open {
   @{bin}/discord{,-ptb}    rPx,
   @{bin}/draw.io          rPUx,
   @{bin}/dropbox           rPx,
+  @{bin}/element-desktop   rPx,
   @{bin}/engrampa          rPx,
   @{bin}/eog              rPUx,
   @{bin}/evince            rPx,
@@ -74,6 +75,7 @@ profile child-open {
   @{bin}/filezilla         rPx,
   @{bin}/flameshot         rPx,
   @{bin}/geany             rPx,
+  @{bin}/gimp*            rPUx,
   @{bin}/gnome-calculator rPUx,
   @{bin}/gnome-disk-image-mounter rPx,
   @{bin}/gnome-disks       rPx,
@@ -84,6 +86,7 @@ profile child-open {
   @{bin}/qpdfview          rPx,
   @{bin}/smplayer          rPx,
   @{bin}/spacefm           rPx,
+  @{bin}/steam-runtime    rPUx,
   @{bin}/teams            rPUx,
   @{bin}/telegram-desktop  rPx,
   @{bin}/thunderbird       rPx,

apparmor.d/groups/gnome/evolution-alarm-notify

@@ -28,5 +28,7 @@ profile evolution-alarm-notify @{exec_path} {
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/*ubuntu/applications/ r,
 
+  /etc/timezone r,
+
   include if exists <local/evolution-alarm-notify>
 }

apparmor.d/groups/gnome/gnome-system-monitor

@@ -46,9 +46,9 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/sessions/*     r,
   @{run}/systemd/sessions/*.ref r,
 
-  @{sys}/devices/@{pci}/{,*/}net/*/statistics/collisions r,
-  @{sys}/devices/@{pci}/{,*/}net/*/statistics/rx_{bytes,errors,packets} r,
-  @{sys}/devices/@{pci}/{,*/}net/*/statistics/tx_{bytes,errors,packets} r,
+  @{sys}/devices/@{pci}/net/*/statistics/collisions r,
+  @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
+  @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
   @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/collisions r,
   @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/rx_{bytes,errors,packets} r,
   @{sys}/devices/@{pci}/usb@{int}/**/net/*/statistics/tx_{bytes,errors,packets} r,

apparmor.d/groups/systemd/systemd-udevd

@@ -38,11 +38,14 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   @{bin}/{,ba,da}sh        rix,
   @{bin}/{,e}grep          rix,
   @{bin}/*-print-pci-ids   rix,
+  @{bin}/alsactl          rPUx,
   @{bin}/cat               rix,
   @{bin}/chgrp             rix,
   @{bin}/chmod             rix,
   @{bin}/cut               rix,
   @{bin}/dmsetup          rPUx,
+  @{bin}/ethtool           rix,
+  @{bin}/kmod              rPx,
   @{bin}/ln                rix,
   @{bin}/logger            rix,
   @{bin}/lvm               rPx,

apparmor.d/groups/virt/cockpit-bridge

@@ -18,6 +18,7 @@ profile cockpit-bridge @{exec_path} {
   capability dac_read_search,
   capability net_admin,
   capability sys_nice,
+  capability sys_ptrace,
 
   network inet dgram,
   network inet stream,
@@ -55,9 +56,12 @@ profile cockpit-bridge @{exec_path} {
   @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
   @{run}/utmp r,
 
+  @{sys}/class/hwmon/ r,
   @{sys}/devices/**/hwmon@{int}/ r,
   @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
-  @{sys}/fs/cgroup/*.slice/**/memory* r,
+  @{sys}/fs/cgroup/**/ r,
+  @{sys}/fs/cgroup/**/cpu.{stat,weight} r,
+  @{sys}/fs/cgroup/**/memory* r,
 
         @{PROC}/ r,
         @{PROC}/@{pids}/cgroup r,
@@ -68,6 +72,7 @@ profile cockpit-bridge @{exec_path} {
         @{PROC}/diskstats r,
         @{PROC}/loadavg r,
         @{PROC}/uptime r,
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,
 

apparmor.d/groups/virt/cockpit-session

@@ -29,10 +29,11 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
   @{lib}/cockpit/cockpit-pcp  rPx,
 
   @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
+  /etc/cockpit/disallowed-users r,
   /etc/group r,
   /etc/motd r,
   /etc/motd.d/ r,
-  @{etc_ro}/security/limits.d/{,*.conf} r,
   /etc/shells r,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,

apparmor.d/profiles-a-f/agetty

@@ -23,8 +23,6 @@ profile agetty @{exec_path} {
 
   @{bin}/login rPx,
 
-  /usr/share/subiquity/console-conf-wrapper rPx, # only:core22
-
   @{etc_rw}/issue r,
   /{,usr/}lib/os-release r,
   /{etc,run,lib,usr/lib}/issue r,

apparmor.d/profiles-a-f/dkms

@@ -63,6 +63,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{lib}/modules/*/build/scripts/**            rix,
   @{lib}/modules/*/build/tools/objtool/objtool rix,
 
+  /var/lib/dkms/**/build/* rix,
   /var/lib/dkms/**/configure rix,
   /var/lib/dkms/**/dkms.postbuild rix,
 

apparmor.d/profiles-a-f/file-roller

@@ -14,8 +14,12 @@ profile file-roller @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
+  include <abstractions/nameservice-strict>
+  include <abstractions/user-download-strict>
   include <abstractions/user-write>
   include <abstractions/wayland>
+  include <abstractions/X-strict>
 
   dbus bind bus=session name=org.gnome.ArchiveManager1,
 
@@ -25,16 +29,16 @@ profile file-roller @{exec_path} {
 
   # Archivers
   @{bin}/7z            rix,
-  @{lib}/p7zip/7z      rix,
-  @{bin}/unrar-nonfree rix,
-  @{bin}/zip           rix,
-  @{bin}/unzip         rix,
-  @{bin}/tar           rix,
-  @{bin}/xz            rix,
   @{bin}/bzip2         rix,
   @{bin}/cpio          rix,
   @{bin}/gzip          rix,
+  @{bin}/tar           rix,
+  @{bin}/unrar-nonfree rix,
+  @{bin}/unzip         rix,
+  @{bin}/xz            rix,
+  @{bin}/zip           rix,
   @{bin}/zstd          rix,
+  @{lib}/p7zip/7z      rix,
 
   /usr/share/themes/{,**} r,
   /usr/share/X11/xkb/{,**} r,

apparmor.d/profiles-g-l/hw-probe

@@ -191,6 +191,7 @@ profile hw-probe @{exec_path} {
     @{sys}/devices/**/uevent r,
     @{run}/udev/data/* r,
 
+    include if exists <local/hw-probe_udevadm>
   }
 
   profile kmod {
@@ -205,6 +206,7 @@ profile hw-probe @{exec_path} {
     @{sys}/module/*/{coresize,refcnt} r,
     @{sys}/module/*/holders/ r,
 
+    include if exists <local/hw-probe_kmod>
   }
 
   profile netconfig {

apparmor.d/profiles-g-l/logrotate

@@ -17,11 +17,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability fowner,
   capability fsetid,
+  capability net_admin,
   capability setgid,
   capability setuid,
-  capability net_admin,
-
-  audit deny capability net_admin,
 
   signal (send) set=(hup),
   signal (send) set=(term cont) peer=systemd-tty-ask-password-agent,

apparmor.d/profiles-g-l/lscpu

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,22 +14,19 @@ profile lscpu @{exec_path} {
 
   @{exec_path} mr,
 
-  @{PROC}/ r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/bus/pci/devices r,
-
   @{sys}/devices/system/cpu/{,**} r,
-
-  @{sys}/firmware/dmi/tables/DMI r,
-
-
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/cpumap r,
+  @{sys}/firmware/dmi/tables/DMI r,
+  @{sys}/kernel/cpu_byteorder r,
 
-  owner @{sys}/kernel/cpu_byteorder r,
+  @{PROC}/ r,
+  @{PROC}/bus/pci/devices r,
+  @{PROC}/sys/kernel/osrelease r,
 
   /dev/tty@{int} rw,
-  
+
+  deny network unix stream,
 
   include if exists <local/lscpu>
 }

apparmor.d/profiles-m-r/quiterss

@@ -67,7 +67,7 @@ profile quiterss @{exec_path} {
 
   owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]* rw,
   owner /tmp/qtsingleapp-quiter-[0-9]*-[0-9]*-lockfile rwk,
-  owner /var/tmp/etilqs_* rw,
+  owner /var/tmp/etilqs_@{hex} rw,
 
   # Allowed apps to open
   @{lib}/firefox/firefox rPUx,

apparmor.d/profiles-m-r/run-parts

@@ -129,6 +129,12 @@ profile run-parts @{exec_path} {
   /etc/kernel/prerm.d/ r,
   /etc/kernel/prerm.d/dkms                    rCx -> kernel,
 
+  /usr/share/finalrd/ r,
+  /usr/share/finalrd/mdadm.finalrd rPUx,
+  /usr/share/finalrd/open-iscsi.finalrd rPUx,
+
+  /usr/share/landscape/landscape-sysinfo.wrapper rPUx,
+
   owner /tmp/#@{int} rw,
   owner /tmp/$anacron* rw,
   owner /tmp/file@{rand6} ra,
@@ -203,6 +209,7 @@ profile run-parts @{exec_path} {
     @{bin}/dkms                     rPx,
     @{bin}/dpkg                     rPx -> child-dpkg,
     @{bin}/systemd-detect-virt      rPx,
+    @{bin}/update-alternatives      rPx,
     @{bin}/update-grub             rPUx,
     @{bin}/update-initramfs         rPx,
     @{lib}/dkms/dkms_autoinstaller  rPx,

apparmor.d/profiles-s-z/snap

@@ -51,8 +51,8 @@ profile snap @{exec_path} {
 
   /snap/{,**} rw,
   # @{lib_dirs}/snap-confine           rPx -> /usr/lib/snapd/snap-confine,
-  @{lib_dirs}/snapd/snap-seccomp     rPx -> snap-seccomp,
-  @{lib_dirs}/snapd/snapd            rPx -> snapd,
+  @{lib_dirs}/snapd/snap-seccomp     rPx,
+  @{lib_dirs}/snapd/snapd            rPx,
 
   /etc/fstab r,
 

apparmor.d/profiles-s-z/snap-failure

@@ -15,7 +15,7 @@ profile snap-failure @{exec_path} {
   @{exec_path} mr,
 
   @{bin}/systemctl         rPx -> child-systemctl,
-  @{lib_dirs}/snapd/snapd  rPx -> snapd,
+  @{lib_dirs}/snapd/snapd  rPx,
 
   /var/lib/snapd/sequence/snapd.json r,
 

apparmor.d/profiles-s-z/snapd

@@ -92,9 +92,9 @@ profile snapd @{exec_path} {
   @{lib_dirs}/@{multiarch}/**         mr,
   @{lib_dirs}/@{multiarch}/ld-*.so   rix,
   @{lib_dirs}/snapd/apparmor_parser  rPx -> apparmor_parser,
-  @{lib_dirs}/snapd/snap-discard-ns  rPx -> snap-discard-ns,
-  @{lib_dirs}/snapd/snap-seccomp     rPx -> snap-seccomp,
-  @{lib_dirs}/snapd/snap-update-ns   rPx -> snap-update-ns,
+  @{lib_dirs}/snapd/snap-discard-ns  rPx,
+  @{lib_dirs}/snapd/snap-seccomp     rPx,
+  @{lib_dirs}/snapd/snap-update-ns   rPx,
 
   /usr/share/bash-completion/{,**} r,
   /usr/share/dbus-1/{system,session}.d/{,snapd*} r,

apparmor.d/profiles-s-z/spotify

@@ -82,6 +82,7 @@ profile spotify @{exec_path} {
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
   owner @{PROC}/@{pid}/task/@{tid}/status r,
 
+        /dev/tty rw,
   owner /dev/shm/pulse-shm-@{int} r,
 
   deny @{user_share_dirs}/gvfs-metadata/* r,

apparmor.d/profiles-s-z/sudo

@@ -56,6 +56,7 @@ profile sudo @{exec_path} {
 
   @{lib}/**                        rPUx,
   @{lib}/sudo/**                     mr,
+  /opt/*/**                        rPUx,
   /snap/snapd/@{int}@{bin}/snap    rPUx,
 
   @{etc_ro}/environment r,

apparmor.d/profiles-s-z/transmission-gtk

@@ -50,6 +50,7 @@ profile transmission-gtk @{exec_path} {
   @{run}/mount/utab r,
 
         @{PROC}/@{pid}/net/route r,
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/mountinfo r,

apparmor.d/profiles-s-z/udisksd

@@ -136,12 +136,17 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   @{run}/cryptsetup/L* rwk,
 
   @{sys}/bus/ r,
+  @{sys}/bus/pci/slots/ r,
   @{sys}/class/ r,
-  @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
+  @{sys}/class/nvme-subsystem/ r,
+  @{sys}/class/nvme/ r,
   @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
+  @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw,
   @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
   @{sys}/devices/virtual/block/*/{,**} rw,
   @{sys}/devices/virtual/block/loop[0-9]*/uevent rw,
+  @{sys}/devices/virtual/dmi/id/product_uuid r,
+  @{sys}/devices/virtual/nvme-subsystem/{,**} r,
   @{sys}/fs/ r,
 
         @{PROC}/cmdline r,

apparmor.d/profiles-s-z/update-cracklib

@@ -22,6 +22,7 @@ profile update-cracklib @{exec_path} {
   @{bin}/grep                 rix,
   @{bin}/gzip                 rix,
   @{bin}/install              rix,
+  @{bin}/install              rix,
   @{bin}/sort                 rix,
   @{bin}/tr                   rix,