feat(profile): general update.

2024-11-14 23:43:56 +01:00 · 2023-12-08 18:01:39 +00:00 · 2023-12-08 18:01:39 +00:00 · d81bce5559
commit d81bce5559
parent 52e52f06db
32 changed files with 114 additions and 135 deletions
--- a/apparmor.d/abstractions/bwrap-app
+++ b/apparmor.d/abstractions/bwrap-app
@ -4,20 +4,25 @@

 # Common rules for applications sandboxed using bwrap.

+# This abstraction is wide on purpose. It is meant to be used by sandbox
+# applications (bwrap) that have no way to restrict access depending of the
+# application beeing confined.
+
  include <abstractions/audio>
  include <abstractions/consoles>
  include <abstractions/dbus-session>
  include <abstractions/deny-sensitive-home>
  include <abstractions/devices-usb>
+  include <abstractions/disks-read>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gnome>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
-  include <abstractions/openssl>
  include <abstractions/opencl-intel>
  include <abstractions/opencl-mesa>
  include <abstractions/opencl-nvidia>
+  include <abstractions/openssl>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
  include <abstractions/video>
@ -59,37 +64,28 @@
  owner @{run}/user/@{uid}/orcexec.@{rand6} rwm,

  @{sys}/ r,
+  @{sys}/block/ r,
  @{sys}/bus/ r,
-  @{sys}/bus/pci/devices/ r,
-  @{sys}/class/ r,
-  @{sys}/class/drm/ r,
-  @{sys}/class/hidraw/ r,
-  @{sys}/class/input/ r,
-  @{sys}/class/power_supply/ r,
-  @{sys}/devices/@{pci}/{class,numa_node,local_cpus,irq,carrier} r,
-  @{sys}/devices/@{pci}/boot_vga r,
-  @{sys}/devices/@{pci}/class r,
-  @{sys}/devices/@{pci}/config r,
-  @{sys}/devices/@{pci}/net/{,**} r,
-  @{sys}/devices/**/input@{int}/ r,
-  @{sys}/devices/**/input@{int}/capabilities/* r,
-  @{sys}/devices/**/input/input@{int}/ r,
-  @{sys}/devices/**/power_supply/** r,
-  @{sys}/devices/**/uevent r,
-  @{sys}/devices/system/** r,
-  @{sys}/devices/system/cpu/** r,
-  @{sys}/devices/virtual/dmi/id/{,**} r,
-  @{sys}/devices/virtual/net/{,**} r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/memory.* r,
+  @{sys}/bus/*/devices/ r,
+  @{sys}/class/*/ r,
+  @{sys}/devices/** r,
+
+        @{sys}/fs/cgroup/user.slice/* r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/* r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/* r,

        @{PROC}/ r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/comm r,
        @{PROC}/@{pid}/mountinfo r,
        @{PROC}/@{pid}/net/** r,
        @{PROC}/@{pid}/smaps r,
        @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pid}/statm r,
        @{PROC}/@{pid}/task/@{tid}/stat r,
+        @{PROC}/bus/pci/devices r,
        @{PROC}/driver/** r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
        @{PROC}/sys/kernel/osrelease r,
@ -100,6 +96,7 @@
  owner @{PROC}/@{pid}/comm rw,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fd/@{int} rw,
+  owner @{PROC}/@{pid}/io r,
  owner @{PROC}/@{pid}/net/if_inet6 r,
  owner @{PROC}/@{pid}/oom_score_adj rw,
  owner @{PROC}/@{pid}/statm r,
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -142,6 +142,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {

  profile editor flags=(complain) {
    include <abstractions/base>
+    include <abstractions/fzf>
    include <abstractions/nameservice-strict>

    @{bin}/{,ba,da}sh            rix,
@ -156,8 +157,6 @@ profile apt @{exec_path} flags=(attach_disconnected) {

    owner @{HOME}/.viminfo{,.tmp} rw,
    owner @{HOME}/.selected_editor r,
-    owner @{HOME}/.fzf/plugin/ r,
-    owner @{HOME}/.fzf/plugin/fzf.vim r,

  }

--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -41,7 +41,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {

  @{bin}/ r,

-  @{bin}/[a-z0-9]*                                                       rPUx,
+  @{bin}/*                                                               rPUx,
  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher                           rix, # See #74, #80 & #235
  @{lib}/@{multiarch}/tumbler-1/tumblerd                                 rPUx,
  @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd                            rPx,
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -35,6 +35,7 @@ profile crontab @{exec_path} {
  profile editor {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
+    include <abstractions/fzf>

    capability fsetid,

@ -49,9 +50,6 @@ profile crontab @{exec_path} {
    /etc/vim/{,**} r,
    owner @{HOME}/.viminfo{,.tmp} rw,

-    owner @{HOME}/.fzf/plugin/ r,
-    owner @{HOME}/.fzf/plugin/fzf.vim r,
-
          /tmp/ r,
    owner /tmp/crontab.*/crontab rw,

--- a/apparmor.d/groups/freedesktop/iio-sensor-proxy
+++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy
@ -10,6 +10,8 @@ include <tunables/global>
 profile iio-sensor-proxy @{exec_path} {
  include <abstractions/base>

+  capability net_admin,
+
  network netlink raw,

  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -8,20 +8,17 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path}  = @{bin}/gio
-@{exec_path} += @{bin}/gio-launch-desktop
+@{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
 profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/consoles>
  include <abstractions/gnome-strict>
-  include <abstractions/nameservice-strict>
-  include <abstractions/trash>

  @{exec_path} mr,

  owner @{HOME}/{,**} rw,
-  owner /tmp/wl-copy-buffer-*/{,**} rw,

  @{run}/mount/utab r,

--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -2,9 +2,10 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-# TODO: GNOME JavaScript interpreter. It's used to run extensions. Therefore,
-# by default, some extension are confined under this profile. The resulting profile
-# is quite broard. The architecture of this needs to be rethinked.
+# TODO: GNOME JavaScript interpreter. It is used to run some gnome internal app
+# as well as third party extensions. Therefore, by default, some extension are
+# confined under this profile. The resulting profile is quite broad.
+# This architecture needs to be rethinked.

 abi <abi/3.0>,

@ -19,15 +20,12 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>
  include <abstractions/openssl>
  include <abstractions/vulkan>
-  include <abstractions/wayland>

  network netlink raw,

@ -72,9 +70,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
       peer=(name=:*, label=gnome-shell),

  @{exec_path} mr,
-  @{bin}/          r,
-  @{bin}/[a-z0-9]* rPUx,
-  @{lib}/** rPUx,
+
+  @{bin}/       r,
+  @{bin}/*   rPUx,
+  @{lib}/**  rPUx,

  /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
  @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
@ -86,7 +85,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/gnome-shell/{,**} r,
  /usr/share/icu/@{int}.@{int}/*.dat r,
-  /usr/share/X11/xkb/** r,

  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
  /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
@ -101,8 +99,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/gstreamer-1.0/ rw,
  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,

-  owner @{run}/user/@{uid}/gdm/Xauthority r,
-
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -66,8 +66,6 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {

  owner @{HOME}/.local/ w,
  owner @{user_share_dirs}/ w,
-  owner @{HOME}/.xsession-errors w,
-
  owner @{run}/user/@{uid}/keyring/ rw,
  owner @{run}/user/@{uid}/keyring/* rw,
  owner @{run}/user/@{uid}/ssh-askpass.[0-9A-Z]*/{,*} rw,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -35,7 +35,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.secrets>
  include <abstractions/bus/org.freedesktop.systemd1>
  include <abstractions/bus/org.freedesktop.UPower>
-  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.Metadata>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
@ -43,8 +42,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gnome>
+  include <abstractions/gnome-strict>
  include <abstractions/gstreamer>
  include <abstractions/ibus>
  include <abstractions/mesa>
@ -57,8 +55,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/thumbnails-cache-read>
  include <abstractions/video>
  include <abstractions/vulkan>
-  include <abstractions/wayland>
-  include <abstractions/X-strict>

  capability sys_nice,
  capability sys_ptrace,
@ -68,6 +64,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
+  network unix stream,

  ptrace (read),

@ -336,12 +333,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,
  owner @{run}/user/@{uid}/wayland-@{int}.lock rwk,
+  owner @{run}/user/@{uid}/pipewire-@{int} rw,

  owner /dev/shm/.org.chromium.Chromium.* rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,

+        /tmp/.X@{int}-lock rw,
        /tmp/dbus-@{rand8} rw,
-  owner /tmp/.X[0-9]-lock rw,
  owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
  owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,

--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@ -41,12 +41,12 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/thumbnails/{,**} rw,
  owner @{user_share_dirs}/applications/ rw,

+        @{run}/mount/utab r,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
+
  owner @{PROC}/@{pids}/cgroup r,
  owner @{PROC}/@{pids}/mountinfo r,

-  @{run}/mount/utab r,
-  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
-
  owner /dev/tty@{int} rw,

  include if exists <local/gsd-housekeeping>
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -21,11 +21,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
-  include <abstractions/wayland>

  signal (receive) set=(term, hup) peer=gdm*,

@ -91,10 +88,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/icons/{,**} r,
-  /usr/share/mime/mime.cache r,
  /usr/share/sounds/freedesktop/stereo/*.oga r,
-  /usr/share/X11/xkb/** r,

  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
@ -105,12 +99,10 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {

  owner @{user_config_dirs}/pulse/ rw,

-  owner @{user_share_dirs}/ r,
  owner @{user_share_dirs}/event-sound-cache.tdb.* rwk,
  owner @{user_share_dirs}/recently-used.xbel{,.*} rw,

-        @{run}/systemd/inhibit/[0-9]*.ref rw,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  @{run}/systemd/inhibit/[0-9]*.ref rw,

  @{run}/udev/data/+sound:card@{int} r,   # For sound
  @{run}/udev/data/c13:@{int} r,          # for /dev/input/*
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -35,7 +35,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
  @{lib}/gsd-printer rPx,

  /etc/cups/client.conf r,
-  /etc/machine-id r,

  @{run}/cups/cups.sock rw,

--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@ -30,8 +30,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  /etc/machine-id r,
-
  /var/lib/gdm{3,}/.local/share/sounds/ rw,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@ -16,10 +16,8 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
-  include <abstractions/fonts>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
-  include <abstractions/wayland>

  signal (receive) set=(term, hup) peer=gdm*,

@ -38,16 +36,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/libwacom/{,*} r,
-  /usr/share/X11/xkb/** r,
-
-  /etc/machine-id r,
-
-  # freedesktop.org-strict
-  /usr/share/icons/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/mime/mime.cache r,
-
-  owner @{run}/user/@{uid}/gdm/Xauthority r,

  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -22,11 +22,9 @@ profile gsd-xsettings @{exec_path} {
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
-  include <abstractions/wayland>

  network inet stream,
  network inet6 stream,
@ -68,7 +66,6 @@ profile gsd-xsettings @{exec_path} {

  /usr/share/dconf/profile/gdm r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/libdrm/*.ids r,

  /etc/X11/Xsession.options r,
@ -81,10 +78,8 @@ profile gsd-xsettings @{exec_path} {

  owner @{user_cache_dirs}/mesa_shader_cache/index rw,

-        @{run}/systemd/sessions/* r,
-        @{run}/systemd/users/@{uid} r,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  @{run}/systemd/sessions/* r,
+  @{run}/systemd/users/@{uid} r,

  owner @{PROC}/@{pid}/fd/ r,

--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@ -13,14 +13,11 @@ profile kgx @{exec_path} {
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
+  include <abstractions/gnome-strict>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/nvidia>
  include <abstractions/vulkan>
-  include <abstractions/X-strict>

  capability sys_ptrace,

@ -40,8 +37,6 @@ profile kgx @{exec_path} {
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
  @{lib}/gio-launch-desktop                          rPx -> child-open,

-  /usr/share/themes/{,**} r,
-
  owner /tmp/#@{int} rw,

        @{PROC}/ r,
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@ -54,5 +54,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,

+  /dev/media@{int} r,
+
  include if exists <local/org.gnome.NautilusPreviewer>
 }
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -22,6 +22,8 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/private-files-strict>

+  network netlink raw,
+
  signal (receive) set=(term, kill) peer=gdm,
  signal (receive) set=(hup)        peer=gdm-session-worker,

@ -60,9 +62,10 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,

  /var/lib/gdm{3,}/ r,
+  /var/lib/gdm{3,}/.cache/gstreamer-*/registry.*.bin r,
  /var/lib/gdm{3,}/.cache/tracker3/{,tracker3/}files/{,**} rwk,
-  /var/lib/gdm{3,}/.local/share/applications/ r,
  /var/lib/gdm{3,}/.config/dconf/user r,
+  /var/lib/gdm{3,}/.local/share/applications/ r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

  /var/lib/lightdm/.config/dconf/user r,
@ -83,13 +86,18 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
  @{run}/blkid/blkid.tab r,
  @{run}/mount/utab r,

+  @{run}/udev/data/c3[0-9]*:@{int} r,     # For dynamic assignment range 384 to 511
+  @{run}/udev/data/c4[0-9]*:@{int} r,
+  @{run}/udev/data/c5[0-9]*:@{int} r,
+
        @{PROC}/@{pid}/cmdline r,
        @{PROC}/sys/fs/fanotify/max_user_marks r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,

-  # file_inherit
+        /dev/media@{int} rw,
+        /dev/video@{int} rw,
  owner /dev/tty@{int} rw,

  include if exists <local/tracker-miner>
--- a/apparmor.d/groups/network/netplan.script
+++ b/apparmor.d/groups/network/netplan.script
@ -7,14 +7,20 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /usr/share/netplan/netplan.script
-profile netplan.script @{exec_path} {
+profile netplan.script @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>

  @{exec_path} mr,

-  @{lib}exec/netplan/generate rix,
+  @{lib}/netplan/generate rix,

  /usr/share/netplan/{,**} r,

+  /etc/netplan/{,*} r,
+
+  @{run}/systemd/system/ r,
+  @{run}/systemd/system/systemd-networkd.service.wants/ r,
+  @{run}/udev/rules.d/ r,
+
  include if exists <local/netplan.script>
 }
--- a/apparmor.d/groups/ssh/ssh-keygen
+++ b/apparmor.d/groups/ssh/ssh-keygen
@ -23,7 +23,7 @@ profile ssh-keygen @{exec_path} {
  owner @{HOME}/@{XDG_SSH_DIR}/*_*{,.pub} rw,

  /dev/tty@{int} rw,
-  /dev/ttyS[0-9]* rw,
+  /dev/ttyS@{int} rw,

  include if exists <local/ssh-keygen>
 }
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -115,7 +115,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {

  /dev/ptmx rw,
  /dev/tty@{int} rw,
-  /dev/ttyS[0-9]* rw,
+  /dev/ttyS@{int} rw,

  include if exists <local/sshd>
 }
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -137,16 +137,17 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/module/vt/parameters/default_utf8 r,
  @{sys}/power/{state,resume_offset,resume,disk} r,

-  @{PROC}/@{pid}/cgroup r,
-  @{PROC}/@{pid}/comm r,
-  @{PROC}/@{pid}/fd/ r,
-  @{PROC}/@{pid}/mountinfo r,
-  @{PROC}/@{pid}/sessionid r,
-  @{PROC}/@{pid}/stat r,
-  @{PROC}/1/cmdline r,
-  @{PROC}/pressure/* r,
-  @{PROC}/swaps r,
-  @{PROC}/sysvipc/{shm,sem,msg} r,
+        @{PROC}/@{pid}/cgroup r,
+        @{PROC}/@{pid}/comm r,
+        @{PROC}/@{pid}/fd/ r,
+        @{PROC}/@{pid}/mountinfo r,
+        @{PROC}/@{pid}/sessionid r,
+        @{PROC}/@{pid}/stat r,
+        @{PROC}/1/cmdline r,
+        @{PROC}/pressure/* r,
+        @{PROC}/swaps r,
+        @{PROC}/sysvipc/{shm,sem,msg} r,
+  owner @{PROC}/@{pid}/fdinfo/@{int} r,

  /dev/dri/card@{int} rw,
  /dev/input/event@{int} rw,  # Input devices (keyboard, mouse, etc)
--- a/apparmor.d/profiles-a-f/element
+++ b/apparmor.d/profiles-a-f/element
@ -35,6 +35,7 @@ profile element @{exec_path} {

  @{exec_path} mr,

+  @{bin}/{,ba,da}sh r,
  @{bin}/electron@{int} rix,
  @{lib}/electron@{int}/{,**} r,
  @{lib}/electron@{int}/electron  rix,
@ -74,9 +75,11 @@ profile element @{exec_path} {
        @{PROC}/ r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
        @{PROC}/sys/kernel/yama/ptrace_scope r,
+  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/oom_score_adj w,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/statm r,
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@ -166,6 +166,7 @@ profile git @{exec_path} {

  profile editor {
    include <abstractions/base>
+    include <abstractions/fzf>
    include <abstractions/nameservice-strict>

    @{bin}/sensible-editor mr,
@ -184,8 +185,6 @@ profile git @{exec_path} {
    owner @{user_projects_dirs}/**/.git/[0-9]* rw,
    owner @{user_projects_dirs}/**/.git/*MSG rw,

-    owner @{HOME}/.fzf/plugin/ r,
-    owner @{HOME}/.fzf/plugin/fzf.vim r,
    owner @{HOME}/.selected_editor r,
    owner @{HOME}/.viminfo{,.tmp} rw,

--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@ -50,7 +50,15 @@ profile nvtop @{exec_path} flags=(attach_disconnected) {
  @{PROC}/@{pids}/stat r,
  @{PROC}/driver/nvidia/capabilities/mig/{config,monitor}  r,

-  /dev/char/509:@{int} w,
+  /dev/char/c23[4-9]:@{int} w,    # For dynamic assignment range 234 to 254
+  /dev/char/c24[0-9]:@{int} w,
+  /dev/char/c25[0-4]:@{int} w,
+  /dev/char/c38[4-9]:@{int} w,    # For dynamic assignment range 384 to 511
+  /dev/char/c39[0-9]:@{int} w,
+  /dev/char/c4[0-9][0-9]:@{int} w,
+  /dev/char/c50[0-9]:@{int} w,
+  /dev/char/c51[0-1]:@{int} w,
+
  /dev/dri/ r,
  /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,

--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -70,6 +70,7 @@ profile pass @{exec_path} {
  profile editor {
    include <abstractions/base>
    include <abstractions/nameservice-strict>
+    include <abstractions/fzf>

    @{bin}/vim{,.*} mrix,

@ -79,8 +80,6 @@ profile pass @{exec_path} {
    /usr/share/vim/{,**} r,
    /tmp/ r,

-    owner @{HOME}/.fzf/plugin/ r,
-    owner @{HOME}/.fzf/plugin/fzf.vim r,
    owner @{HOME}/.viminf{o,z}{,.tmp} rw,

    owner @{user_password_store_dirs}/{,**/} r,
--- a/apparmor.d/profiles-m-r/pinentry-gnome3
+++ b/apparmor.d/profiles-m-r/pinentry-gnome3
@ -12,5 +12,7 @@ profile pinentry-gnome3 @{exec_path} {

  @{exec_path} mr,

+  owner @{PROC}/@{pid}/cmdline r,
+
  include if exists <local/pinentry-gnome3>
 }
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
@ -14,11 +14,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {

  capability sys_nice,

-  dbus receive bus=system path=/org/freedesktop/login1/session/*
-       interface=org.freedesktop.login1.Session
-       member=Unlock
-       peer=(name=:*, label=systemd-logind),
-
  @{exec_path} mr,

  owner @{run}/spice-vdagentd/spice-vdagent-sock r,
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -95,6 +95,7 @@ profile sudo @{exec_path} {

        /dev/ r,    # interactive login
        /dev/ptmx rwk,
+  owner /dev/tty rwk,
  owner /dev/tty@{int} rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,
--- a/apparmor.d/profiles-s-z/vipw-vigr
+++ b/apparmor.d/profiles-s-z/vipw-vigr
@ -39,6 +39,7 @@ profile vipw-vigr @{exec_path} {

  profile editor {
    include <abstractions/base>
+    include <abstractions/fzf>
    include <abstractions/nameservice-strict>

    capability fsetid,
@ -54,9 +55,6 @@ profile vipw-vigr @{exec_path} {
    /etc/vim/{,**} r,
    owner @{HOME}/.viminfo{,.tmp} rw,

-    owner @{HOME}/.fzf/plugin/ r,
-    owner @{HOME}/.fzf/plugin/fzf.vim r,
-
    /etc/{passwd,shadow,gshadow,group}.edit rw,

  }
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@ -76,11 +76,6 @@ profile vlc @{exec_path} {
       member={Get,GetAll}
       peer=(name=:*),

-  dbus send bus=session path=/ScreenSaver
-       interface=org.freedesktop.ScreenSaver
-       member={Inhibit,UnInhibit}
-       peer=(name=org.freedesktop.ScreenSaver),
-
  dbus send bus=session path=/MenuBar
       interface=com.canonical.dbusmenu
       member={LayoutUpdated,ItemsPropertiesUpdated}
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -29,13 +29,12 @@ akonadi_notes_agent complain
 akonadi_sendlater_agent complain
 akonadi_unifiedmailbox_agent complain
 anacron complain
-apport complain
+appimagelauncherd complain
+apport attach_disconnected,complain
+apt-helper complain
 at-spi-bus-launcher attach_disconnected,complain
 at-spi2-registryd attach_disconnected,complain
 atd complain
-netplan complain
-netplan.script complain
-WebKitNetworkProcess attach_disconnected,complain
 atril-previewer complain
 auditctl attach_disconnected,complain
 auditd attach_disconnected,complain
@ -115,6 +114,7 @@ firefox-vaapitest complain
 flatpak attach_disconnected,mediate_deleted,complain
 flatpak-app attach_disconnected,mediate_deleted,complain
 flatpak-bwrap attach_disconnected,mediate_deleted,complain
+flatpak-oci-authenticator complain
 flatpak-portal attach_disconnected,complain
 flatpak-session-helper attach_disconnected,complain
 flatpak-system-helper complain
@ -122,6 +122,7 @@ flatpak-validate-icon complain
 fsck-ext4 complain
 fuse-overlayfs complain
 fusermount complain
+gcr-ssh-agent complain
 gdisk complain
 gdm-generate-config complain
 gdm-runtime-config complain
@ -242,6 +243,8 @@ multipathd complain
 nautilus complain
 needrestart attach_disconnected,complain
 needrestart-iucode-scan-versions complain
+netplan complain
+netplan.script attach_disconnected,complain
 networkctl attach_disconnected,complain
 networkd-dispatcher complain
 nm-online complain
@ -274,6 +277,8 @@ plymouth complain
 plymouth-set-default-theme attach_disconnected,complain
 plymouthd complain
 polkit-kde-authentication-agent complain
+qdbus complain
+realmd complain
 remmina complain
 run-parts complain
 runuser complain
@ -314,6 +319,7 @@ swtpm_setup complain
 systemd-analyze complain
 systemd-ask-password complain
 systemd-backlight complain
+systemd-battery-check complain
 systemd-binfmt attach_disconnected,complain
 systemd-cgls complain
 systemd-cgtop complain
@ -353,6 +359,7 @@ systemd-modules-load complain
 systemd-mount complain
 systemd-network-generator complain
 systemd-oomd attach_disconnected,complain
+systemd-pcrphase complain
 systemd-portabled complain
 systemd-random-seed complain
 systemd-remount-fs complain
@ -386,6 +393,7 @@ update-grub complain
 update-secureboot-policy complain
 userdbctl complain
 utempter complain
+uuidd complain
 virt-manager attach_disconnected,complain
 virtinterfaced attach_disconnected,complain
 virtiofsd complain,attach_disconnected
@ -395,6 +403,7 @@ virtnodedevd attach_disconnected,complain
 virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
 vlc complain
+WebKitNetworkProcess attach_disconnected,complain
 wg complain
 wg-quick complain
 xdg-dbus-proxy attach_disconnected,complain
@ -403,6 +412,7 @@ xdg-desktop-portal attach_disconnected,complain
 xdg-desktop-portal-gnome complain
 xdg-desktop-portal-gtk complain
 xdg-desktop-portal-kde complain
+xdg-desktop-portal-rewrite-launchers complain
 xdg-document-portal attach_disconnected,complain
 xdg-permission-store attach_disconnected,complain
 xdg-user-dirs-gtk-update complain