feat(profiles): general update.

2024-11-14 23:43:56 +01:00 · 2022-05-07 11:42:18 +01:00 · 2022-05-07 11:42:18 +01:00 · da1b3e1f1c
commit da1b3e1f1c
parent 6aadd82293
26 changed files with 114 additions and 126 deletions
--- a/apparmor.d/groups/desktop/accounts-daemon
+++ b/apparmor.d/groups/desktop/accounts-daemon
@ -23,7 +23,7 @@ profile accounts-daemon @{exec_path} {
  @{exec_path} mr,

  /usr/share/accountsservice/{,**} r,
-  /usr/share/dbus-1/interfaces/org.freedesktop.DisplayManager.AccountsService.xml r,
+  /usr/share/dbus-1/interfaces/*.xml r,

  /etc/gdm/ r,
  /etc/gdm/custom.conf rw,
--- a/apparmor.d/groups/desktop/colord
+++ b/apparmor.d/groups/desktop/colord
@ -41,7 +41,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {

  @{sys}/class/drm/ r,
  @{sys}/class/video4linux/ r,
-  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP}-*/{enabled,edid} r,
+  @{sys}/devices/pci[0-9]*/**/drm/card[0-9]/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -33,6 +33,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  signal (send) set=(kill) peer=passwd,

  @{exec_path} mr,
+
+  /{usr/,}bin/bash       rUx,
  /{usr/,}bin/bwrap      rPUx,
  /{usr/,}bin/gcm-viewer rix,
  /{usr/,}bin/locale     rix,
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -14,11 +14,9 @@ profile gvfsd @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/{,ba,da}sh   rix,
-
-  # Don't strip env here.
-  /{usr/,}lib/gvfs/gvfsd-*    rpx,
-  @{libexec}/gvfsd-*  rpx,
+  /{usr/,}bin/{,ba,da}sh    rix,
+  /{usr/,}lib/gvfs/gvfsd-*  rpx,
+  @{libexec}/gvfsd-*        rpx,

  /usr/share/gvfs/{,**} r,

--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -41,17 +41,18 @@ profile systemd-journald @{exec_path} {

  @{run}/host/container-manager r,

-  @{run}/udev/data/c189:[0-9]*  r, # for /dev/bus/usb/**
-  @{run}/udev/data/c10:224      r, # for /dev/tpm0
-  @{run}/udev/data/c24[0-9]:[0-9]* r,
-  @{run}/udev/data/+usb:*       r,
-  @{run}/udev/data/+pci:*       r,
-  @{run}/udev/data/+hid:*       r,
  @{run}/udev/data/+acpi:*      r,
-  @{run}/udev/data/+scsi:*      r,
  @{run}/udev/data/+bluetooth:* r,
-  @{run}/udev/data/+usb-serial:* r,
+  @{run}/udev/data/+hid:*       r,
+  @{run}/udev/data/+pci:*       r,
  @{run}/udev/data/+platform* r,
+  @{run}/udev/data/+scsi:*      r,
+  @{run}/udev/data/+usb-serial:* r,
+  @{run}/udev/data/+usb:*       r,
+  @{run}/udev/data/c10:224      r, # for /dev/tpm0
+  @{run}/udev/data/c189:[0-9]*  r, # for /dev/bus/usb/**
+  @{run}/udev/data/c23[0-9]:[0-9]* r,
+  @{run}/udev/data/c24[0-9]:[0-9]* r,

  @{sys}/devices/**/uevent r,
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@ -7,9 +7,10 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}lib/systemd/systemd-oomd
-profile systemd-oomd @{exec_path} {
+profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/systemd-common>
+  include <abstractions/dbus-strict>

  capability dac_override,
  capability kill,
@ -18,7 +19,13 @@ profile systemd-oomd @{exec_path} {

  /etc/systemd/oomd.conf r,

+  owner @{run}/systemd/notify rw,
+  owner @{run}/systemd/journal/socket w,
+        @{run}/systemd/io.system.ManagedOOM rw,
+
  @{sys}/fs/cgroup/cgroup.controllers r,
+  @{sys}/fs/cgroup/memory.pressure r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,

  @{PROC}/pressure/{cpu,io,memory} r,

--- a/apparmor.d/groups/systemd/systemd-random-seed
+++ b/apparmor.d/groups/systemd/systemd-random-seed
@ -15,10 +15,14 @@ profile systemd-random-seed @{exec_path} {

  @{exec_path} mr,

+  /etc/machine-id r,
+
  /var/lib/systemd/ r,
  /var/lib/systemd/random-seed rw,

  @{PROC}/sys/kernel/random/poolsize r,

+  /dev/urandom w,
+
  include if exists <local/systemd-random-seed>
 }
--- a/apparmor.d/groups/systemd/systemd-resolved
+++ b/apparmor.d/groups/systemd/systemd-resolved
@ -1,17 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-3.0-only

 abi <abi/3.0>,
+
 include <tunables/global>

@{exec_path} = /{usr/,}lib/systemd/systemd-resolved
-profile systemd-resolved @{exec_path} {
+profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
+  include <abstractions/systemd-common>

  capability net_bind_service,
  capability net_raw,
@ -28,20 +30,13 @@ profile systemd-resolved @{exec_path} {

  @{exec_path} mr,

-  # Runtime directories
-  /{,var/}run/systemd/netif/links/* r,
-  /{,var/}run/systemd/resolve/{,**} rw,
-
-  # Config
  /etc/systemd/resolved.conf r,
  /etc/systemd/resolved.conf.d/{,*} r,

-  # Proc
-  owner @{PROC}/*/stat r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/hostname r,
-  @{PROC}/sys/kernel/osrelease r,
+  owner @{run}/systemd/journal/socket w,
+  owner @{run}/systemd/notify rw,
+        @{run}/systemd/netif/links/* r,
+        @{run}/systemd/resolve/{,**} rw,

-  # System access
-  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
+  include if exists <local/systemd-timesyncd>
 }
--- a/apparmor.d/groups/systemd/systemd-timesyncd
+++ b/apparmor.d/groups/systemd/systemd-timesyncd
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -8,13 +8,11 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}lib/systemd/systemd-timesyncd
-profile systemd-timesyncd @{exec_path} {
+profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/systemd-common>
  include <abstractions/nameservice-strict>
-
-  network inet dgram,
-  network inet6 dgram,
+  include <abstractions/systemd-common>
+  include <abstractions/dbus-strict>

  capability sys_time,

@ -29,6 +27,8 @@ profile systemd-timesyncd @{exec_path} {

  owner /var/lib/systemd/timesync/clock rw,

+  owner @{run}/systemd/journal/socket w,
+  owner @{run}/systemd/notify rw,
  owner @{run}/systemd/timesync/synchronized rw,
        @{run}/systemd/netif/state r,
        @{run}/resolvconf/*.conf r,
--- a/apparmor.d/groups/systemd/systemd-update-utmp
+++ b/apparmor.d/groups/systemd/systemd-update-utmp
@ -20,6 +20,7 @@ profile systemd-update-utmp @{exec_path} {
  @{exec_path} mr,

  @{run}/host/container-manager r,
+  @{run}/systemd/private rw,

  include if exists <local/systemd-update-utmp>
 }
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@ -23,6 +23,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {

  owner /var/cache/apparmor/{,**} rw,
  owner /var/lib/docker/tmp/docker-default[0-9]* r,
+  owner /var/lib/snapd/apparmor/{,**} r,

  owner @{sys}/kernel/security/apparmor/.{remove,replace,load,access} rw,
        @{sys}/kernel/security/apparmor/{,**} r,
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@ -16,8 +16,9 @@ profile appstreamcli @{exec_path} flags=(complain) {

  @{exec_path} mr,

-  # For file validation using the network
  /{usr/,}bin/curl rCx -> curl,
+  /{usr/,}bin/gzip rix,
+  /{usr/,}bin/tar  rix,

  /usr/share/appdata/ r,
  /usr/share/applications/{,*.desktop} r,
@ -33,15 +34,16 @@ profile appstreamcli @{exec_path} flags=(complain) {
  owner @{user_cache_dirs}/appstream/appcache-*.mdb rw,
  owner @{user_share_dirs}/mime/mime.cache r,
  
+  /var/lib/app-info/ w,
  /var/lib/app-info/yaml/ r,
  /var/lib/app-info/yaml/*_Components-*.yml.gz w,
-  /var/lib/app-info/ w,
  /var/lib/apt/lists/ r,
  /var/lib/apt/lists/*_Components-*.gz r,
+  /var/lib/flatpak/appstream/{,**} r,
  /var/lib/swcatalog/ rw,
+  /var/lib/swcatalog/icons/{,**} rw,
  /var/lib/swcatalog/yaml/ rw,
  /var/lib/swcatalog/yaml/*_Components-*.yml.gz w,
-  /var/lib/flatpak/appstream/{,**} r,

        /var/cache/swcatalog/cache/{,**} rw,
  owner /var/cache/app-info/{,**} rw,
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}{s,}bin/auditd
-profile auditd @{exec_path} {
+profile auditd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

@ -29,7 +29,8 @@ profile auditd @{exec_path} {

  owner @{run}/auditd.pid rwl,
  owner @{run}/auditd.state rw,
-  @{run}/systemd/userdb/ r,
+        @{run}/systemd/journal/dev-log w,
+        @{run}/systemd/userdb/ r,

  owner @{PROC}/@{pid}/attr/current r,
  owner @{PROC}/@{pid}/loginuid r,
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@ -19,8 +19,11 @@ profile etckeeper @{exec_path} {

  /{usr/,}bin/{,ba,da}sh     rix,
  /{usr/,}bin/{,e}grep       rix,
+  /{usr/,}bin/cat            rix,
  /{usr/,}bin/chmod          rix,
  /{usr/,}bin/cut            rix,
+  /{usr/,}bin/diff           rix,
+  /{usr/,}bin/dpkg           rPx -> child-dpkg,
  /{usr/,}bin/dpkg-query     rpx,
  /{usr/,}bin/find           rix,
  /{usr/,}bin/getent         rix,
@ -34,9 +37,11 @@ profile etckeeper @{exec_path} {
  /{usr/,}bin/rm             rix,
  /{usr/,}bin/sed            rix,
  /{usr/,}bin/sort           rix,
+  /{usr/,}bin/tail           rix,
  /{usr/,}bin/tty            rix,
  /{usr/,}bin/uniq           rix,
  /{usr/,}bin/whoami         rix,
+  /{usr/,}bin/xargs          rix,
  /{usr/,}lib/git-core/git*  rix,

  /etc/.git/hooks/*     rix,
@ -54,7 +59,7 @@ profile etckeeper @{exec_path} {

  @{run}/resolvconf/resolv.conf r,

-  owner /tmp/etckeeper-git* rw,
+  /tmp/etckeeper-git* rw,

  profile gpg {
    include <abstractions/base>
--- a/apparmor.d/profiles-a-f/fsck
+++ b/apparmor.d/profiles-a-f/fsck
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -13,6 +14,7 @@ profile fsck @{exec_path} {

  capability dac_override,
  capability dac_read_search,
+  capability sys_rawio,

  @{exec_path} mr,

@ -21,19 +23,20 @@ profile fsck @{exec_path} {

  /etc/fstab r,

-        @{PROC}/partitions r,
-  owner @{PROC}/@{pid}/mountinfo r,
-
-  owner @{run}/fsck/ rw,
-  owner @{run}/fsck/*.lock rwk,
-
  # When a mount dir is passed to fsck as an argument.
  @{MOUNTS}/*/ r,
  /boot/ r,
  /home/ r,

+  owner @{run}/fsck/ rw,
+  owner @{run}/fsck/*.lock rwk,
  owner @{run}/blkid/blkid.tab{,-*} rw,
  owner @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
+  owner @{run}/systemd/fsck.progress w,
+        @{run}/mount/utab r,
+
+  @{PROC}/@{pids}/mountinfo r,
+  @{PROC}/partitions r,

  include if exists <local/fsck>
 }
--- a/apparmor.d/profiles-a-f/fsck-fat
+++ b/apparmor.d/profiles-a-f/fsck-fat
@ -20,5 +20,7 @@ profile fsck-fat @{exec_path} {
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,

+  owner @{run}/systemd/fsck.progress rw,
+
  include if exists <local/fsck-fat>
 }
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -86,6 +86,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  /dev/bus/usb/ r,
  /dev/bus/usb/[0-9]*/[0-9]* rw,
  /dev/drm_dp_aux[0-9]* rw,
+  /dev/hidraw[0-9]* rw,
  /dev/mei[0-9]* rw,
  /dev/mem r,
  /dev/sd[a-z]* r,
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@ -56,6 +56,7 @@ profile htop @{exec_path} {
  @{PROC}/@{pids}/comm r,
  @{PROC}/@{pids}/environ r,
  @{PROC}/@{pids}/io r,
+  @{PROC}/@{pids}/mounts r,
  @{PROC}/@{pids}/net/dev r,
  @{PROC}/@{pids}/oom_{,score_}adj r,
  @{PROC}/@{pids}/oom_score r,
--- a/apparmor.d/profiles-g-l/less
+++ b/apparmor.d/profiles-g-l/less
@ -1,33 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/
-#               2021 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-3.0-only
-
-abi <abi/3.0>,
-
-include <tunables/global>
-
-@{exec_path} = /{usr/,}bin/less
-profile less @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/bash>
-
-  capability dac_read_search,
-  capability dac_override,
-
-  @{exec_path} mr,
-
-  /{usr/,}bin/{,ba,da}sh              rix,
-  /{usr/,}bin/source-highlight        rix,
-  /{usr/,}bin/src-hilite-lesspipe.sh  rix,
-
-  @{system_share_dirs}/terminfo/{,**} r,
-
-        @{user_cache_dirs}/lesshs* rw,
-  owner /root/.lesshs* rw,
-
-       /{,**} r,
-  deny /{,**} w,
-
-  include if exists <local/less>
-}
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -67,51 +68,47 @@ profile run-parts @{exec_path} {
    /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,

    /{usr/,}bin/{,ba,da}sh rix,
-
    /{usr/,}bin/{,e}grep   rix,
-    /{usr/,}bin/rm         rix,
-    /{usr/,}bin/rmdir      rix,
-    /{usr/,}bin/dirname    rix,
-    /{usr/,}bin/sed        rix,
-    /{usr/,}bin/gawk       rix,
-    /{usr/,}bin/sort       rix,
-    /{usr/,}bin/cut        rix,
-    /{usr/,}bin/tr         rix,
-    /{usr/,}bin/mv         rix,
    /{usr/,}bin/cat        rix,
    /{usr/,}bin/chmod      rix,
+    /{usr/,}bin/cut        rix,
+    /{usr/,}bin/dirname    rix,
+    /{usr/,}bin/gawk       rix,
+    /{usr/,}bin/kmod       rix,
+    /{usr/,}bin/mv         rix,
+    /{usr/,}bin/rm         rix,
+    /{usr/,}bin/rmdir      rix,
+    /{usr/,}bin/sed        rix,
+    /{usr/,}bin/sort       rix,
+    /{usr/,}bin/touch      rix,
+    /{usr/,}bin/tr         rix,
    /{usr/,}bin/uname      rix,
    /{usr/,}bin/which{,.debianutils}      rix,

-    /{usr/,}bin/kmod       rix,
-
-    /{usr/,}bin/dpkg                     rPx -> child-dpkg,
-
-    /{usr/,}sbin/dkms                    rPx,
-    /{usr/,}sbin/update-initramfs        rPx,
-    /{usr/,}lib/dkms/dkms_autoinstaller  rPx,
-
    /{usr/,}bin/apt-config               rPx,
-
-    # (#FIXME#)
+    /{usr/,}bin/dpkg                     rPx -> child-dpkg,
+    /{usr/,}bin/systemd-detect-virt      rPx,
+    /{usr/,}lib/dkms/dkms_autoinstaller  rPx,
+    /{usr/,}sbin/dkms                    rPx,
    /{usr/,}sbin/update-grub             rPUx,
-    /{usr/,}bin/systemd-detect-virt      rPUx,
+    /{usr/,}sbin/update-initramfs        rPx,
+
+    /{usr/,}lib/modules/*/updates/ w,
+    /{usr/,}lib/modules/*/updates/dkms/ w,

    # For shell pwd
    / r,
    /boot/ r,
-
+  
    /etc/apt/apt.conf.d/ r,
    /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
-
-    # For kmod
-    @{PROC}/cmdline r,
    /etc/modprobe.d/ r,
    /etc/modprobe.d/*.conf r,
-    /{usr/,}lib/modules/*/updates/ w,
-    /{usr/,}lib/modules/*/updates/dkms/ w,
+
+    @{run}/reboot-required.pkgs w,

    @{PROC}/devices r,
+    @{PROC}/cmdline r,

  }

--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@ -13,6 +13,7 @@ profile scrcpy @{exec_path} {
  include <abstractions/dri-enumerate>
  include <abstractions/mesa>
  include <abstractions/opencl>
+  include <abstractions/vulkan>

  network inet stream,
  network inet6 stream,
--- a/apparmor.d/profiles-s-z/swtpm_setup
+++ b/apparmor.d/profiles-s-z/swtpm_setup
@ -22,6 +22,7 @@ profile swtpm_setup @{exec_path} {
  /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r,

  owner /tmp/swtpm_setup.certs.*/ w,
+  owner /tmp/swtpm_setup.certs.*/*.cert rw,
  owner /tmp/.swtpm_setup.pidfile* rw,

  @{run}/systemd/userdb/ r,
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@ -102,6 +102,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pids}/net/route r,

+  /dev/media[0-9]* r,
  /dev/video[0-9]* rw,

  # Silence the noise
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal
@ -9,8 +9,9 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal
 profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/nameservice-strict>
+  include <abstractions/dconf>
  include <abstractions/freedesktop.org>
+  include <abstractions/nameservice-strict>

  capability sys_ptrace,

@ -40,8 +41,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  /var/lib/flatpak/exports/share/applications/{**,} r,

  owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
-
-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/ rw,
  owner @{run}/user/@{uid}/dconf/user rw,

--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gnome
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gnome
 profile xdg-desktop-portal-gnome @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
@ -19,10 +20,8 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/X11/xkb/{,**} r,

-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
-
-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,

  include if exists <local/xdg-desktop-portal-gnome>
 }
--- a/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
+++ b/apparmor.d/profiles-s-z/xdg-desktop-portal-gtk
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -27,12 +28,10 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  owner @{HOME}/ r,
  owner @{HOME}/.* r,
  owner @{HOME}/@{XDG_DATA_HOME}/ r,
+
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
-
-  include <abstractions/dconf>
  owner @{run}/user/@{uid}/dconf/user rw,
-
-  @{run}/mount/utab r,
+        @{run}/mount/utab r,

  owner @{PROC}/@{uid}/mountinfo r,