From d4e380ad46a7cb3c5f9b7d935bcd94b093124530 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Mon, 9 Sep 2024 19:40:42 +0100
Subject: [PATCH] feat(profile): update & enable profiles in the apps group.

see #471
---
 .../{groups/apps => profiles-a-f}/calibre     | 58 ++++++++++---------
 .../{groups/apps => profiles-a-f}/discord     | 14 +++--
 .../discord-chrome-sandbox                    |  0
 .../{groups/apps => profiles-a-f}/dropbox     |  5 +-
 .../{groups/apps => profiles-a-f}/filezilla   | 26 ++++++---
 .../{groups/apps => profiles-a-f}/freetube    |  6 +-
 .../freetube-chrome-sandbox                   |  0
 .../apps => profiles-s-z}/signal-desktop      | 29 ++++++----
 .../signal-desktop-chrome-sandbox             |  4 +-
 .../apps => profiles-s-z}/telegram-desktop    | 26 +++++----
 dists/flags/main.flags                        | 12 ++++
 dists/ignore/main.ignore                      |  5 --
 12 files changed, 115 insertions(+), 70 deletions(-)
 rename apparmor.d/{groups/apps => profiles-a-f}/calibre (67%)
 rename apparmor.d/{groups/apps => profiles-a-f}/discord (73%)
 rename apparmor.d/{groups/apps => profiles-a-f}/discord-chrome-sandbox (100%)
 rename apparmor.d/{groups/apps => profiles-a-f}/dropbox (91%)
 rename apparmor.d/{groups/apps => profiles-a-f}/filezilla (75%)
 rename apparmor.d/{groups/apps => profiles-a-f}/freetube (80%)
 rename apparmor.d/{groups/apps => profiles-a-f}/freetube-chrome-sandbox (100%)
 rename apparmor.d/{groups/apps => profiles-s-z}/signal-desktop (50%)
 rename apparmor.d/{groups/apps => profiles-s-z}/signal-desktop-chrome-sandbox (85%)
 rename apparmor.d/{groups/apps => profiles-s-z}/telegram-desktop (66%)

diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/profiles-a-f/calibre
similarity index 67%
rename from apparmor.d/groups/apps/calibre
rename to apparmor.d/profiles-a-f/calibre
index f1b3e905..d58a8d04 100644
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/profiles-a-f/calibre
@@ -7,23 +7,22 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path}  = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize}
-@{exec_path} += @{bin}/calibredb
-@{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert}
+@{exec_path}  = @{bin}/calibre{,-*} @{bin}/calibredb @{bin}/ebook{,-*}
 @{exec_path} += @{bin}/fetch-ebook-metadata
-@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer
-@{exec_path} += @{bin}/web2disk
+@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk
 profile calibre @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
-  include <abstractions/common/chromium>
+  include <abstractions/bus/org.freedesktop.UDisks2>
+  include <abstractions/bus/org.kde.StatusNotifierWatcher>
   include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
+  include <abstractions/gstreamer>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
   include <abstractions/qt5-compose-cache-write>
@@ -45,20 +44,19 @@ profile calibre @{exec_path} {
   unix (bind)          type=stream addr="@calibre-*",
 
   @{exec_path} mrix,
-  @{bin}/python3.@{int} r,
 
-  @{bin}/ldconfig{,.real} rix,
   @{sh_path}              rix,
+  @{python_path}          rix,
   @{bin}/file             rix,
+  @{bin}/ldconfig{,.real} rix,
   @{bin}/uname            rix,
-  @{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix,
+  @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix,
 
   @{bin}/pdftoppm        rPUx, # (#FIXME#)
   @{bin}/pdfinfo         rPUx,
   @{bin}/pdftohtml       rPUx,
 
-  @{bin}/xdg-open         rPx -> child-open,
-  @{bin}/xdg-mime         rPx,
+  @{open_path}            rPx -> child-open,
 
   /usr/share/calibre/{,**} r,
 
@@ -79,16 +77,11 @@ profile calibre @{exec_path} {
   owner @{user_config_dirs}/calibre/** rwk,
 
   owner @{user_share_dirs}/calibre-ebook.com/ rw,
-  owner @{user_share_dirs}/calibre-ebook.com/calibre/ rw,
-  owner @{user_share_dirs}/calibre-ebook.com/calibre/** rwk,
+  owner @{user_share_dirs}/calibre-ebook.com/** rwk,
 
-  owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/calibre/ rw,
   owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**,
 
-  owner @{user_cache_dirs}/gstreamer-@{int}/ rw,
-  owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
-
   owner @{tmp}/calibre_*_tmp_*/{,**} rw,
   owner @{tmp}/calibre-*/{,**} rw,
   owner @{tmp}/@{int}-*/ rw,
@@ -98,18 +91,31 @@ profile calibre @{exec_path} {
 
   @{sys}/devices/@{pci}/irq r,
 
-             @{PROC}/ r,
-             @{PROC}/@{pids}/net/route r,
-             @{PROC}/sys/fs/inotify/max_user_watches r,
-             @{PROC}/sys/kernel/yama/ptrace_scope r,
-             @{PROC}/vmstat r,
-       owner @{PROC}/@{pid}/fd/ r,
-       owner @{PROC}/@{pid}/mountinfo r,
-       owner @{PROC}/@{pid}/mounts r,
+        @{PROC}/ r,
+        @{PROC}/@{pids}/net/route r,
+        @{PROC}/sys/fs/inotify/max_user_watches r,
+        @{PROC}/sys/kernel/yama/ptrace_scope r,
+        @{PROC}/vmstat r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/comm r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+       owner @{PROC}/@{pid}/stat{,m} r,
        owner @{PROC}/@{pid}/stat{,m} r,
        owner @{PROC}/@{pid}/comm r,
-       owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/stat{,m} r,
+       owner @{PROC}/@{pid}/comm r,
+  owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
        owner @{PROC}/@{pid}/task/@{tid}/status r,
+       owner @{PROC}/@{pid}/task/@{tid}/status r,
+       owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+  deny owner @{PROC}/@{pid}/cmdline r,
+  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
+  deny       @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/task/@{tid}/status r,
        owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   deny owner @{PROC}/@{pid}/cmdline r,
   deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/profiles-a-f/discord
similarity index 73%
rename from apparmor.d/groups/apps/discord
rename to apparmor.d/profiles-a-f/discord
index 3c70844c..fc2aadd1 100644
--- a/apparmor.d/groups/apps/discord
+++ b/apparmor.d/profiles-a-f/discord
@@ -16,6 +16,9 @@ include <tunables/global>
 profile discord @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.freedesktop.ScreenSaver>
+  include <abstractions/bus/org.kde.StatusNotifierWatcher>
   include <abstractions/common/electron>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download-strict>
@@ -28,23 +31,26 @@ profile discord @{exec_path} {
 
   @{exec_path} mrix,
   @{sh_path}    rix,
+  @{bin}/lsb_release rPx -> lsb_release,
 
   @{lib_dirs}/chrome-sandbox rix,
   @{lib_dirs}/chrome_crashpad_handler rix,
 
-  @{open_path}         rPx -> child-open-browsers,
+  @{open_path}         rPx -> child-open-strict,
 
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
+  owner @{user_videos_dirs}/{,**} rwl,
+  owner @{user_pictures_dirs}/{,**} rwl,
 
   owner @{tmp}/net-export/ rw,
   owner @{tmp}/discord.sock rw,
   owner "@{tmp}/Discord Crashes/" rw,
 
-  owner @{config_dirs}/*/modules/** rm,
+  audit owner @{config_dirs}/*/modules/** rm,
 
   owner @{run}/user/@{uid}/discord-ipc-@{int} rw,
 
+  owner @{PROC}/@{pid}/task/@{tid}/comm r,
+
   include if exists <local/discord>
 }
 
diff --git a/apparmor.d/groups/apps/discord-chrome-sandbox b/apparmor.d/profiles-a-f/discord-chrome-sandbox
similarity index 100%
rename from apparmor.d/groups/apps/discord-chrome-sandbox
rename to apparmor.d/profiles-a-f/discord-chrome-sandbox
diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/profiles-a-f/dropbox
similarity index 91%
rename from apparmor.d/groups/apps/dropbox
rename to apparmor.d/profiles-a-f/dropbox
index ddb62bf6..8aa05423 100644
--- a/apparmor.d/groups/apps/dropbox
+++ b/apparmor.d/profiles-a-f/dropbox
@@ -15,6 +15,9 @@ include <tunables/global>
 @{exec_path} = @{bin}/dropbox
 profile dropbox @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.freedesktop.Notifications>
+  include <abstractions/bus/org.kde.StatusNotifierWatcher>
   include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/nameservice-strict>
@@ -35,7 +38,7 @@ profile dropbox @{exec_path} {
   @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
   @{bin}/{,@{multiarch}-}objdump    rix,
 
-  @{bin}/xdg-open                   rCx -> child-open,
+  @{open_path}                      rPx -> child-open-strict,
   @{bin}/lsb_release                rPx -> lsb_release,
 
   owner @{HOME}/ r,
diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/profiles-a-f/filezilla
similarity index 75%
rename from apparmor.d/groups/apps/filezilla
rename to apparmor.d/profiles-a-f/filezilla
index 29654c95..2ec1a542 100644
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/profiles-a-f/filezilla
@@ -10,13 +10,23 @@ include <tunables/global>
 @{exec_path} = @{bin}/filezilla
 profile filezilla @{exec_path} {
   include <abstractions/base>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.freedesktop.Notifications>
+  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/nameservice>
+  include <abstractions/nameservice-strict>
+  include <abstractions/p11-kit>
+  include <abstractions/ssl_certs>
   include <abstractions/user-download-strict>
 
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink dgram,
+  network netlink raw,
+
   signal (send) set=(term, kill) peer=fzsftp,
 
   @{exec_path} mr,
@@ -46,15 +56,15 @@ profile filezilla @{exec_path} {
   owner @{user_cache_dirs}/filezilla/ rw,
   owner @{user_cache_dirs}/filezilla/default_*.png rw,
 
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/mounts r,
-
         /tmp/ r,
   owner @{tmp}/fz[0-9]temp-@{int}/ rw,
   owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk,
   owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw,
 
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/mounts r,
+
   owner /dev/tty@{int} rw,
 
   include if exists <local/filezilla>
diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/profiles-a-f/freetube
similarity index 80%
rename from apparmor.d/groups/apps/freetube
rename to apparmor.d/profiles-a-f/freetube
index d59762cf..a3d655d8 100644
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/profiles-a-f/freetube
@@ -12,10 +12,12 @@ include <tunables/global>
 @{config_dirs} = @{user_config_dirs}/@{name}
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 
-@{exec_path} = @{lib_dirs}/@{name}
+@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
 profile freetube @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/bus/org.freedesktop.ScreenSaver>
+  include <abstractions/bus/org.gnome.SessionManager>
   include <abstractions/common/electron>
   include <abstractions/consoles>
   include <abstractions/thumbnails-cache-read>
@@ -27,6 +29,8 @@ profile freetube @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.freetube path=/org/mpris/MediaPlayer2
+
   @{exec_path} mrix,
 
   @{open_path}         rPx -> child-open-strict,
diff --git a/apparmor.d/groups/apps/freetube-chrome-sandbox b/apparmor.d/profiles-a-f/freetube-chrome-sandbox
similarity index 100%
rename from apparmor.d/groups/apps/freetube-chrome-sandbox
rename to apparmor.d/profiles-a-f/freetube-chrome-sandbox
diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop
similarity index 50%
rename from apparmor.d/groups/apps/signal-desktop
rename to apparmor.d/profiles-s-z/signal-desktop
index 912d9576..e50d9576 100644
--- a/apparmor.d/groups/apps/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@@ -8,14 +8,17 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{name} = signal-desktop{,-beta}
-@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}"
-@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}"
+@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta}
+@{config_dirs} = @{user_config_dirs}/Signal{,?Beta}
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 
 @{exec_path} = @{lib_dirs}/@{name}
 profile signal-desktop @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.freedesktop.ScreenSaver>
+  include <abstractions/bus/org.kde.StatusNotifierWatcher>
   include <abstractions/common/electron>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/user-download-strict>
@@ -28,24 +31,28 @@ profile signal-desktop @{exec_path} {
 
   @{exec_path} mrix,
 
-  @{bin}/getconf rix,
-  @{bin}/xdg-settings rPx,
+  @{bin}/basename      rix,
+  @{bin}/getconf       rix,
+  @{bin}/xdg-settings  rix,
+  @{open_path} rPx -> child-open-strict,
 
-  @{lib_dirs}/chrome-sandbox rPx,
+  audit @{lib_dirs}/chrome-sandbox rPx,
   @{lib_dirs}/chrome_crashpad_handler rix,
 
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
   @{run}/systemd/inhibit/@{int}.ref rw,
 
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
+        @{sys}/fs/cgroup/user.slice/cpu.max r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
 
   @{PROC}/@{pid}/fd/ r,
   @{PROC}/vmstat r,
 
+  /dev/tty rw,
+
   include if exists <local/signal-desktop>
 }
 
diff --git a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
similarity index 85%
rename from apparmor.d/groups/apps/signal-desktop-chrome-sandbox
rename to apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
index 8a508314..a5f4a7ef 100644
--- a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox
+++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
@@ -7,8 +7,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}"
-@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}"
+@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta}
+@{config_dirs} = @{user_config_dirs}/Signal{,?Beta}
 
 @{exec_path} = @{lib_dirs}/chrome-sandbox
 profile signal-desktop-chrome-sandbox @{exec_path} {
diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop
similarity index 66%
rename from apparmor.d/groups/apps/telegram-desktop
rename to apparmor.d/profiles-s-z/telegram-desktop
index be043e15..416c97d7 100644
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/profiles-s-z/telegram-desktop
@@ -11,14 +11,20 @@ include <tunables/global>
 profile telegram-desktop @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio-client>
-  include <abstractions/common/electron>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
+  include <abstractions/bus/org.kde.StatusNotifierWatcher>
   include <abstractions/consoles>
+  include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/enchant>
   include <abstractions/fontconfig-cache-read>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/qt5-compose-cache-write>
   include <abstractions/qt5-settings-write>
   include <abstractions/qt5-shader-cache>
+  include <abstractions/ssl_certs>
   include <abstractions/user-download-strict>
 
   network inet dgram,
@@ -28,22 +34,18 @@ profile telegram-desktop @{exec_path} {
   network netlink dgram,
   network netlink raw,
 
-  @{exec_path} mrix,
+  @{exec_path} mr,
 
-  @{sh_path}             rix,
+  @{sh_path}   rix,
+  @{open_path} rPx -> child-open-strict,
 
-  @{open_path} rPx -> child-open,
-
-  /usr/share/TelegramDesktop/{,**} r,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
+  owner @{user_share_dirs}/TelegramDesktop/ rw,
+  owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**,
 
   owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw,
 
-  owner @{tmp}/@{hex}-* rwk,
-  owner @{run}/user/@{uid}/@{hex}-* rwk,
-  owner /dev/shm/#@{int} rw,
+  owner @{tmp}/@{hex32}-?@{uuid}? rwk,
+  audit owner /dev/shm/#@{int} rw,
 
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d26b951f..40168174 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -47,6 +47,7 @@ avahi-set-host-name complain
 baloo complain
 baloorunner complain
 busctl complain
+calibre complain
 cc-remote-login-helper complain
 cctk complain
 child-modprobe-nvidia attach_disconnected,complain
@@ -88,6 +89,8 @@ cups-pk-helper-mechanism complain
 cupsd attach_disconnected,complain
 ddcutil complain
 dino attach_disconnected,complain
+discord complain
+discord-chrome-sandbox complain
 DiscoverNotifier complain
 dkms attach_disconnected,complain
 dmsetup complain
@@ -106,6 +109,7 @@ evolution-user-prompter complain
 fail2ban-client attach_disconnected,complain
 fail2ban-server attach_disconnected,complain
 fdisk complain
+filezilla complain
 firewall-applet attach_disconnected,complain
 firewall-config complain
 firewalld attach_disconnected,complain
@@ -119,6 +123,11 @@ flatpak-system-helper complain
 flatpak-validate-icon complain
 foliate attach_disconnected,complain
 fractal attach_disconnected,complain
+freetube complain
+freetube-chrome-sandbox complain
+fstrim complain
+freetube complain
+freetube-chrome-sandbox complain
 fuse-overlayfs complain
 fusermount complain
 gdm-generate-config complain
@@ -291,6 +300,8 @@ sddm attach_disconnected,mediate_deleted,complain
 sddm-greeter complain
 secure-time-sync attach_disconnected,complain
 sftp-server complain
+signal-desktop attach_disconnected,complain
+signal-desktop-chrome-sandbox complain
 sing-box complain
 slirp4netns attach_disconnected,complain
 snap complain
@@ -370,6 +381,7 @@ systemd-udevd attach_disconnected,complain
 systemd-user-sessions complain
 systemd-userwork attach_disconnected,complain
 systemsettings complain
+telegram-desktop complain
 totem attach_disconnected,complain
 tracker-writeback complain
 udev-dmi-memory-id complain
diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore
index fe61aaf2..917b117f 100644
--- a/dists/ignore/main.ignore
+++ b/dists/ignore/main.ignore
@@ -5,11 +5,6 @@
 # when built with 'make full'
 apparmor.d/groups/_full
 
-# Apps that should be sandboxed
-apparmor.d/groups/apps
-code
-code-wrapper
-
 # Provided by other packages
 man