Merge branch 'master' into thunderbird2

2025-01-18 08:58:15 +01:00 · 2022-08-12 14:35:53 +00:00 · 2022-08-12 14:35:53 +00:00 · db8e881c06
commit db8e881c06
parent 00a1e70720 2878fa6a2e
467 changed files with 6300 additions and 2372 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -50,7 +50,7 @@ tests:

 archlinux:
  stage: build
-  image: registry.gitlab.com/archlex/packages/builders/arch
+  image: registry.gitlab.com/archlex/packages/builders/archlinux
  script:
    - sudo pacman -Syu --noconfirm --noprogressbar lsb-release
    - makepkg -s --noconfirm --noprogressbar
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -30,6 +30,17 @@ in this page all the useful information needed to contribute.
 you'll see a Compare & pull request button, fill and submit the pull request.


+## Projects rules
+ 
+A few rules:
+1. As these are mandatory access control policies only what it explicitly required
+   should be authorized. Meaning, you should not allow everything (or a large area)
+   and blacklist some sub area.
+2. A profile **should not break a normal usage of the confined software**. It can
+   be complex as simply running the program for your own use case is not alway
+   exhaustive of the program features and required permissions.
+
+
 ## Add a profile

 1. To add a new profile `foo`, add the file `foo` in `apparmor.d/profile-a-f`. 
@ -64,37 +75,66 @@ profile foo @{exec_path} {

 ## Profile Guidelines

-In order to ensure a common structure across the profiles, all new profile should try to follow the guideline presented here.
+> This profile guideline is still evloving, feel free to propose improvment
+
+In order to ensure a common structure across the profiles, all new profile should
+try to follow the guideline presented here.

 The rules in the profile should be sorted as follow:
 - include
 - capability
- ptrace
- signal
 - network
 - mount
+- remount
+- umount
+- ptrace
+- signal
+- unix
+- dbus (send, receive) send receice 
 - @{exec_path} mr,
 - The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`...
 - The shared resources: `/usr/share`...
 - The system configuration: `/etc`...
+- The system data: `/var`...
 - The user data: `owner @{HOME}/`...
- The user configuration (all dotfiles)
+- The user configuration, cache and in general all dotfiles
 - Temporary data: `/tmp/`, `@{run}/`...
 - Sys files: `@{sys}/`...
 - Proc files: `@{PROC}/`... 
 - Dev files: `/dev/`...
+- Deny rules: `deny`...
+- Local include


 **Other rules**
 * Do not use: `/usr/lib` or `/usr/bin` but `/{usr/,}bin/` or `/{usr/,}lib/`.
+* Do not use: `/usr/sbin` or `/sbin` but `/{usr/,}{s,}bin/`.
 * Always use the apparmor variables.
 * In a rule block, the rule shall be alphabetically sorted.
-* When some file access share similar purpose, they shall be sorted together. Eg:
+* Subprofile should comes at the end of a profile.
+* When some file access share similar purpose, they may be sorted together. Eg:
  ```
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
  ```

+The included tool `aa-log` can be useful to explore the apparmor log 
+
+## Abstraction
+
+This project and the apparmor profile official project provide a large selection
+of abstraction to be included in profiles. They should be used.
+
+For instance, instead of writting:
+```sh
+owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
+```
+to allow download directory access, you should write
+
+```sh
+include <abstractions/user-download-strict>
+```
+
 ## AppArmor variables

 **Included variables:**
@ -119,10 +159,11 @@ The rules in the profile should be sorted as follow:
 **Additional variables available with this project:**

 * Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt`
+* Universally unique identifier: `@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*`
 * Extended XDG user directories: 
    - Projects: `@{XDG_PROJECTS_DIR}="Projects"`
    - Books: `@{XDG_BOOKS_DIR}="Books"`
-    - Wallpapers: `@{XDG_WALLPAPERS_DIR}="Pictures/Wallpapers"`
+    - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"`
    - Sync: `@{XDG_SYNC_DIR}="Sync"`
    - Vm: `@{XDG_VM_DIR}=".vm"`
    - SSH: `@{XDG_SSH_DIR}=".ssh"`
--- a/README.md
+++ b/README.md
@ -11,7 +11,8 @@

 ## Description 

-A set of over 1000 AppArmor profiles which aims is to confine most of Linux base applications and processes.
+A set of over 1200 AppArmor profiles which aims is to confine most of Linux base
+applications and processes.

 **Goals & Purpose**
 - Support all distributions that support AppArmor:
@ -47,6 +48,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it
 * An `apparmor` based linux distribution.
 * Base profiles and abstractions shipped with AppArmor are supposed to be
  installed.
+* Go (build dependency only)
+* rsync (build dependency only)

 **Archlinux**

@ -58,17 +61,18 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
  --overwrite etc/apparmor.d/tunables/xdg-user-dirs
 ```

-> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
+> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)

 **Debian**

 Build using standard Debian package build tools:
 ```sh
+sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync
 dpkg-buildpackage -b -d --no-sign
-sudo dpkg --install ../apparmor.d_*_all.deb
+sudo dpkg -i ../apparmor.d_*_all.deb
 ```

-> Note: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
+> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)

 **Partial install**

@ -131,7 +135,7 @@ DENIED  dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r
 **AppArmor configuration**

 As they are a lot of rules, it is recommended to enable caching AppArmor profiles.
-In `/etc/apparmor/parser.conf`, uncomment `write-cache`.
+In `/etc/apparmor/parser.conf`, uncomment `write-cache` and `Optimize=compress-fast`.
 See [Speed up AppArmor Start] on the Arch Wiki for more information.


@ -176,9 +180,9 @@ AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with `aa-

 **System Recovery**

-Issue in some core profiles like the systemd tools, or the desktop environment
+Issue in some core profiles like the systemd suite, or the desktop environment
 can fully break your system. This should not happen a lot, but if it does here
-is the procces to recover your system on Archlinux:
+is the process to recover your system on Archlinux:
 1. Boot from a Archlinux live USB
 1. If you root partition is encryped, decrypt it: `cryptsetup open /dev/<your-disk-id> vg0`
 1. Mount your root partition: `mount /dev/<your-plain-disk-id> /mnt`
@ -253,3 +257,4 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 [android_model]: https://arxiv.org/pdf/1904.05572
 [clipos]: https://clip-os.org/en/
 [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles
+[write xor execute]: https://en.wikipedia.org/wiki/W%5EX
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  # The unix socket to use to connect to the display
+  unix (connect, receive, send)
+       type=stream
+       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+  unix (connect, receive, send)
+       type=stream
+       peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+  unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",
+  unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
+  /tmp/.X11-unix/* rw,
+  /tmp/.ICE-unix/* rw,
+
+  # Available Xsessions
+  /usr/share/xsessions/{,*.desktop} r,
+
+  # ICEauthority files required for X authentication, per user
+  owner @{HOME}/.ICEauthority r,
+  owner @{run}/user/@{uid}/ICEauthority r,
+
+  # Xauthority files required for X connections, per user
+  owner @{HOME}/.Xauthority r,
+  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
+  owner @{run}/user/@{uid}/X11/Xauthority r,
+  owner @{run}/user/@{uid}/xauth_* r,
+
+  # Xwayland
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+
+  include if exists <abstractions/X-strict.d>
--- a/apparmor.d/abstractions/X.d/complete
+++ b/apparmor.d/abstractions/X.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  # Available Xsessions
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,
@ -9,5 +10,7 @@
  /usr/                            r,
  /{usr/,}{s,}bin/                 r,
  /{usr/,}{s,}bin/[a-z0-9]*        rPUx,
+  /usr/local/{s,}bin/              r,
+  /usr/local/{s,}bin/[a-zA-Z0-9]*  rPUx,

  include if exists <abstractions/app-launcher-root.d>
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,
@ -9,6 +10,8 @@
  /usr/                        r,
  /{usr/,}bin/                 r,
  /{usr/,}bin/[a-zA-Z0-9]*     rPUx,
+  /usr/local/bin/              r,
+  /usr/local/bin/[a-zA-Z0-9]*  rPUx,

  # Firefox
  /{usr/,}lib/                 r,
--- a/apparmor.d/abstractions/audio.d/complete
+++ b/apparmor.d/abstractions/audio.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  /usr/share/sounds/ r,
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -1,20 +1,21 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  /etc/writable/localtime        r,
  /usr/share/locale/             r,

  # Allow to receive some signals
-  signal (receive)                           peer=top,
  signal (receive)                           peer=htop,
+  signal (receive)                           peer=sudo,
+  signal (receive)                           peer=top,
+  signal (receive) set=(hup)                 peer=xinit,
  signal (receive) set=(term,cont)           peer=systemd,
  signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
+  signal (receive) set=(term,kill)           peer=gnome-shell,
  signal (receive) set=(term,kill)           peer=openbox,
-  signal (receive) set=(hup)                 peer=xinit,
  signal (receive) set=(term,kill)           peer=su,
-  signal (receive)                           peer=sudo,

  ptrace (readby) peer=systemd-coredump,

--- a/apparmor.d/abstractions/chromium-common
+++ b/apparmor.d/abstractions/chromium-common
@ -39,3 +39,5 @@
  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+
+  include if exists <abstractions/chromium-common.d>
--- a/apparmor.d/abstractions/dbus-session-strict.d/complete
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@ -0,0 +1,11 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
+  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+
+  unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
+
+  owner @{run}/user/@{uid}/at-spi/ rw,
+  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
--- a/apparmor.d/abstractions/dconf-write
+++ b/apparmor.d/abstractions/dconf-write
@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Permissions for querying dconf settings with write access; use the dconf
+# abstraction first, and dconf-write only for specific application's profile.
+
+  /etc/dconf/** r,
+
+  owner @{user_config_dirs}/dconf/user r,
+
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+
+  include if exists <abstractions/dconf-write.d>
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@ -7,6 +7,8 @@
  # The /sys/ entries probably should be tightened

  /dev/ r,
+  /dev/block/ r,
+  /dev/disk/{,*/} r,

  # Regular disk/partition devices
  /dev/{s,v}d[a-z]* rk,
@ -35,14 +37,46 @@

  # LUKS/LVM (device-mapper) devices
  /dev/dm-[0-9]* rk,
+  /dev/mapper/{,*} r,
  @{sys}/devices/virtual/block/dm-[0-9]*/ r,
  @{sys}/devices/virtual/block/dm-[0-9]*/** r,

+  # ZFS devices
+  /dev/zd[0-9]* rk,
+  /dev/zvol/{,*/} r,
+  /dev/*pool/ r,
+  @{sys}/devices/virtual/block/zd[0-9]*/ r,
+  @{sys}/devices/virtual/block/zd[0-9]*/** r,
+
  # ZRAM devices
  /dev/zram[0-9]* rk,
  @{sys}/devices/virtual/block/zram[0-9]*/ r,
  @{sys}/devices/virtual/block/zram[0-9]*/** r,

+  # Armbian / DietPi
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}          r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}hidden    r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}dev       r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}size      r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}ro        r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}removable r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}start     r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}uevent    r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}holders/  r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}slaves/   r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/      r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/type  r,
+  @{sys}/devices/virtual/block/ram[0-9]*/          r,
+  @{sys}/devices/virtual/block/ram[0-9]*/hidden    r,
+  @{sys}/devices/virtual/block/ram[0-9]*/dev       r,
+  @{sys}/devices/virtual/block/ram[0-9]*/size      r,
+  @{sys}/devices/virtual/block/ram[0-9]*/ro        r,
+  @{sys}/devices/virtual/block/ram[0-9]*/removable r,
+  @{sys}/devices/virtual/block/ram[0-9]*/holders/  r,
+  @{sys}/devices/virtual/block/ram[0-9]*/slaves/   r,
+# investigate
+#  /dev/ram[0-9]* r,
+
  # CD-ROM
  /dev/sr[0-9]* rk,

@ -57,27 +91,15 @@
  # changes, it's better to allow the whole range (240-254) instead of the single major numbers
  # visible in the /proc/devices file.
  # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
-  @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b24[0-9]:[0-9]* r,
+  @{run}/udev/data/b25[0-4]:[0-9]* r,
  @{run}/udev/data/b259:[0-9]* r,

-  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
  @{run}/udev/data/b11:[0-9]*  r, # for /dev/sr*
-  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*
+  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
+  @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*

  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**

--- a/apparmor.d/abstractions/disks-write
+++ b/apparmor.d/abstractions/disks-write
@ -39,6 +39,11 @@
  @{sys}/devices/virtual/block/dm-[0-9]*/ r,
  @{sys}/devices/virtual/block/dm-[0-9]*/** r,

+  # ZFS devices
+  /dev/zd[0-9]* rwk,
+  @{sys}/devices/virtual/block/zd[0-9]*/ r,
+  @{sys}/devices/virtual/block/zd[0-9]*/** r,
+
  # ZRAM devices
  /dev/zram[0-9]* rwk,
  @{sys}/devices/virtual/block/zram[0-9]*/ r,
@ -63,28 +68,16 @@
  # changes, it's better to allow the whole range (240-254) instead of the single major numbers
  # visible in the /proc/devices file.
  # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
-  @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b24[0-9]:[0-9]* r,
+  @{run}/udev/data/b25[0-4]:[0-9]* r,
  @{run}/udev/data/b259:[0-9]* r,

-  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
  @{run}/udev/data/b11:[0-9]*  r, # for /dev/sr*
-  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*
-  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
  @{run}/udev/data/b2:[0-9]*   r, # for /dev/fd*
+  @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
+  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*

  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**

--- a/apparmor.d/abstractions/freedesktop.org.d/complete
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  owner @{HOME}/.icons/default/index.theme r,
--- a/apparmor.d/abstractions/ibus.d/complete
+++ b/apparmor.d/abstractions/ibus.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  # abstract path in ibus < 1.5.22 uses /tmp
@ -16,3 +16,7 @@
  unix (connect, receive, send)
      type=stream
      peer=(addr="@/home/*/.cache/ibus/dbus-*"),
+
+  unix (connect, send, receive, accept, bind, listen)
+       type=stream
+       addr="@/home/*/.cache/ibus/dbus-*",
--- a/apparmor.d/abstractions/libvirt-lxc
+++ b/apparmor.d/abstractions/libvirt-lxc
@ -3,7 +3,9 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

- # allow receiving signals from libvirtd
+  include <abstractions/base>
+
+  # Allow receiving signals from libvirtd
  signal (receive) peer=libvirtd,

  umount,
@ -119,4 +121,4 @@
  deny /sys/fs/cgroup?*{,/**} wklx,
  deny /sys/fs?*{,/**} wklx,

-  include if exists <local/abstractions/libvirt-lxc>
+  include if exists <abstractions/libvirt-lxc.d>
--- a/apparmor.d/abstractions/libvirt-qemu
+++ b/apparmor.d/abstractions/libvirt-qemu
@ -1,8 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) Libvirt Team
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
  # required for reading disk images
  capability dac_override,
  capability dac_read_search,
@ -251,5 +255,4 @@
  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
  owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,

-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/abstractions/libvirt-qemu>
+  include if exists <abstractions/libvirt-qemu.d>
--- a/apparmor.d/abstractions/lxc/start-container
+++ b/apparmor.d/abstractions/lxc/start-container
@ -11,7 +11,7 @@
  # currently blocked by apparmor bug
  mount -> /usr/lib*/*/lxc/{**,},
  mount -> /usr/lib*/lxc/{**,},
-  mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
+  mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@ -1,24 +1,30 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,

-  /etc/hosts r,
-  /etc/host.conf r,
-  /etc/resolv.conf r,
+  @{etc_ro}/default/nss r,
+  @{etc_ro}/gai.conf r,
+  @{etc_ro}/group r,
+  @{etc_ro}/host.conf r,
+  @{etc_ro}/hosts r,
+  @{etc_ro}/nsswitch.conf r,
+  @{etc_ro}/passwd r,
+  @{etc_ro}/protocols r,
+  @{etc_ro}/resolv.conf r,
+  @{etc_ro}/services r,
+
  @{run}/systemd/resolve/stub-resolv.conf r,
-  /etc/nsswitch.conf r,
-  /etc/passwd r,
-  /etc/gai.conf r,
-  /etc/group r,
-  /etc/protocols r,
-  /etc/default/nss r,
-  /etc/services r,

  # NSS records from systemd-userdbd.service
  @{run}/systemd/userdb/ r,
-  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+  @{run}/systemd/userdb/io.systemd.DynamicUser rw,        # systemd-exec users
+  @{run}/systemd/userdb/io.systemd.Home rw,               # systemd-home dirs
+  @{run}/systemd/userdb/io.systemd.Machine rw,            # systemd-machined
+  @{run}/systemd/userdb/io.systemd.Multiplexer rw,
+  @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw,  # UNIX/glibc NSS
  @{PROC}/sys/kernel/random/boot_id r,

  include if exists <abstractions/nameservice-strict.d>
--- a/apparmor.d/abstractions/python.d/complete
+++ b/apparmor.d/abstractions/python.d/complete
@ -1,11 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  /{usr/,}bin/ r,
+
  /{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r,

-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r,
+  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/{,**/} r,

  owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{pyc,so}              mr,
  owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{egg,py,pth}          r,
--- a/apparmor.d/abstractions/tor
+++ b/apparmor.d/abstractions/tor
@ -1,33 +0,0 @@
-# vim:syntax=apparmor
-
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/openssl>
-
-  network tcp,
-  network udp,
-
-  capability chown,
-  capability dac_read_search,
-  capability fowner,
-  capability fsetid,
-  capability setgid,
-  capability setuid,
-
-  /usr/bin/tor r,
-  /usr/sbin/tor r,
-
-  # Needed by obfs4proxy
-  /proc/sys/net/core/somaxconn r,
-
-  /proc/sys/kernel/random/uuid r,
-  /sys/devices/system/cpu/ r,
-  /sys/devices/system/cpu/** r,
-
-  /etc/tor/* r,
-  /usr/share/tor/** r,
-
-  /usr/bin/obfsproxy PUx,
-  /usr/bin/obfs4proxy Pix,
-
-  include if exists <abstractions/tor.d>
--- a/apparmor.d/abstractions/user-download-strict
+++ b/apparmor.d/abstractions/user-download-strict
@ -4,14 +4,11 @@

  abi <abi/3.0>,

-  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
-  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
-
-  owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/ r,
-  owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
-
  owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
-  owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,
+  owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
+
+  owner @{user_download_dirs}/ r,
+  owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,

  # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
        @{HOME}/mount-sshfs/ r,
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@ -2,20 +2,23 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+# Give read access on all defined user directories. It should only be used if
+# access to ALL folders is required.

-  owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+
+  owner @{user_books_dirs}/{,**} r,
+  owner @{user_documents_dirs}/{,**} r,
+  owner @{user_music_dirs}/{,**} r,
+  owner @{user_pictures_dirs}/{,**} r,
+  owner @{user_projects_dirs}/{,**} r,
+  owner @{user_publicshare_dirs}/{,**} r,
+  owner @{user_sync_dirs}/{,**} r,
+  owner @{user_templates_dirs}/{,**} r,
+  owner @{user_torrents_dirs}/{,**} r,
+  owner @{user_videos_dirs}/{,**} r,

  include if exists <abstractions/user-read.d>
--- a/apparmor.d/abstractions/user-write.d/complete
+++ b/apparmor.d/abstractions/user-write.d/complete
@ -2,17 +2,12 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} rwl,
-  owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} rwl,
-  owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} rwl,
-  owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rwl,
-  owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
+  owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,

-  owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
+  owner @{user_books_dirs}/{,**} rwl,
+  owner @{user_documents_dirs}/{,**} rwl,
+  owner @{user_music_dirs}/{,**} rwl,
+  owner @{user_pictures_dirs}/{,**} rwl,
+  owner @{user_projects_dirs}/{,**} rwl,
+  owner @{user_videos_dirs}/{,**} rwl,
--- a/apparmor.d/abstractions/wayland.d/complete
+++ b/apparmor.d/abstractions/wayland.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
--- a/apparmor.d/groups/apps/android-studio
+++ b/apparmor.d/groups/apps/android-studio
@ -6,8 +6,8 @@ abi <abi/3.0>,

 include <tunables/global>

-@{AS_LIBDIR}     = @{MOUNTS}/*/android-studio
-@{AS_SDKDIR}     = @{MOUNTS}/*/SDK
+@{AS_LIBDIR}     = @{MOUNTS}/android-studio
+@{AS_SDKDIR}     = @{MOUNTS}/SDK
@{AS_HOMEDIR}    = @{HOME}/.AndroidStudio*
@{AS_PROJECTDIR} = @{HOME}/AndroidStudioProjects

--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
 profile atom @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -86,18 +87,14 @@ profile atom @{exec_path} {
  # Git dirs
        / r,
        @{MOUNTS}/ r,
-  owner @{MOUNTS}/*/ r,
-  owner @{MOUNTS}/*/atom/ r,
-  owner @{MOUNTS}/*/atom/** rwkl -> @{MOUNTS}/*/atom/**,
+  owner @{MOUNTS}/ r,
+  owner @{user_projects_dirs}/ r,
+  owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,

  owner @{user_config_dirs}/git/config r,

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or atom gets crash with the following error:
--- a/apparmor.d/groups/apps/calibre
+++ b/apparmor.d/groups/apps/calibre
@ -75,12 +75,8 @@ profile calibre @{exec_path} {

  /usr/share/calibre/{,**} r,

-  owner @{HOME}/@{XDG_BOOKS_DIR} rw,
-  owner @{HOME}/@{XDG_BOOKS_DIR}/** rwkl,
-
-  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/ r,
-  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/ rw,
-  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/** rwkl -> @{MOUNTS}/*/@{XDG_BOOKS_DIR}*/**,
+  owner @{user_books_dirs} rw,
+  owner @{user_books_dirs}/** rwkl -> @{user_books_dirs}/**,

  owner @{user_config_dirs}/calibre/ rw,
  owner @{user_config_dirs}/calibre/** rwk,
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code
 profile code @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -63,18 +64,11 @@ profile code @{exec_path} {
  owner @{HOME}/.vscode/** rwlk -> @{HOME}/.vscode/**,

  # Git dirs
-        / r,
-        @{MOUNTS}/ r,
-  owner @{MOUNTS}/*/ r,
-  owner @{MOUNTS}/*/code/ r,
-  owner @{MOUNTS}/*/code/** rwkl -> @{MOUNTS}/*/code/**,
+  owner @{user_projects_dirs}/ r,
+  owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**,

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or code gets crash with the following error:
--- a/apparmor.d/groups/apps/filezilla
+++ b/apparmor.d/groups/apps/filezilla
@ -56,8 +56,8 @@ profile filezilla @{exec_path} {
  /{usr/,}lib/firefox/firefox rPUx,

  # FTP share folder
-  owner @{MOUNTS}/*/ftp/ r,
-  owner @{MOUNTS}/*/ftp/** rw,
+  owner @{MOUNTS}/ftp/ r,
+  owner @{MOUNTS}/ftp/** rw,

  # Silencer
  / r,
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@ -15,6 +15,7 @@ include <tunables/global>
 profile freetube @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/freedesktop.org>
  include <abstractions/fonts>
@ -67,10 +68,6 @@ profile freetube @{exec_path} {

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  owner @{user_share_dirs} r,
--- a/apparmor.d/groups/apps/telegram-desktop
+++ b/apparmor.d/groups/apps/telegram-desktop
@ -12,6 +12,7 @@ include <tunables/global>
 profile telegram-desktop @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/fonts>
@ -74,10 +75,6 @@ profile telegram-desktop @{exec_path} {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  # Needed when saving files as, or otherwise the app crashes
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

--- a/apparmor.d/groups/apps/thunderbird
+++ b/apparmor.d/groups/apps/thunderbird
@ -17,6 +17,7 @@ include <tunables/global>
 profile thunderbird @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/wayland>
  include <abstractions/nvidia>
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -1,19 +1,22 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get
+@{exec_path} = /{usr/,}bin/apt /{usr/,}bin/apt-get /{usr/,}{s,}bin/aptd
 profile apt @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/apt-common>
+  include <abstractions/dbus-strict>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
+  include <abstractions/openssl>
+  include <abstractions/python>

  capability chown,
  capability dac_override,
@ -24,15 +27,46 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  capability net_admin,
  capability setgid,
  capability setuid,
+  capability sys_nice,

  signal (send) peer=apt-methods-*,

+  unix (receive, send) type=stream peer=(label=apt-esm-json-hook),
+
+  dbus (send, receive) bus=system path=/org/debian/apt{,/transaction/[0-9a-f]*}
+       interface=org.{debian.apt*,freedesktop.DBus.{Properties,Introspectable}},
+
+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.{DBus.Introspectable,PackageKit}
+       member={StateHasChanged,Introspect}
+       peer=(name=org.freedesktop.PackageKit),
+
+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=Inhibit
+       peer=(name=org.freedesktop.login[0-9]),
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus{,.Introspectable}
+       member={RequestName,GetConnectionUnixProcessID,Introspect}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+       interface=org.freedesktop.{DBus.Introspectable,PolicyKit1.Authority}
+       member={CheckAuthorization,Introspect},
+
+  dbus bind bus=system 
+       name= org.debian.apt,
+
  @{exec_path} mr,

+  /{usr/,}{s,}bin/ r,
+
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/{,e}grep   rix,
  /{usr/,}bin/echo       rix,
  /{usr/,}bin/gdbus      rix,
+  /{usr/,}bin/ischroot   rix,
  /{usr/,}bin/test       rix,
  /{usr/,}bin/touch      rix,

@ -45,81 +79,95 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/apt-listchanges                 rPx,
  /{usr/,}bin/apt-show-versions               rPx,
  /{usr/,}bin/debtags                         rPx,
+  /{usr/,}bin/df                              rPx,
+  /{usr/,}bin/dmesg                           rPx,
  /{usr/,}bin/dpkg                            rPx,
  /{usr/,}bin/dpkg-source                     rcx -> dpkg-source,
  /{usr/,}bin/etckeeper                       rPx,
  /{usr/,}bin/ps                              rPx,
+  /{usr/,}bin/snap                           rPUx,
+  /{usr/,}lib/cnf-update-db                   rPx,
  /{usr/,}lib/needrestart/apt-pinvoke         rPx,
-  /{usr/,}lib/update-notifier/update-motd-updates-available rPx,
-  /usr/share/command-not-found/cnf-update-db  rPx,
-
-  # Methods to use to download packages from the net
-  /{usr/,}lib/apt/methods/*      rPx,
-
-  /var/lib/apt/lists/** rw,
-  /var/lib/apt/lists/lock rwk,
-  /var/lib/apt/extended_states{,.*} rw,
-
-  /var/log/apt/eipp.log.xz w,
-  /var/log/apt/{term,history}.log w,

  # For building the source after the download process is finished (apt-get source --compile)
  /{usr/,}bin/dpkg-buildpackage               rPUx,

+  # Methods to use to download packages from the net
+  /{usr/,}lib/apt/methods/*                   rPx,
+
+  # Ubuntu specificities
+  /{usr/,}lib/ubuntu-advantage/apt-esm-hook                  rPx,
+  /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook             rPx,
+  /{usr/,}lib/update-notifier/update-motd-updates-available  rPx,
+  /usr/share/command-not-found/cnf-update-db                 rPx,
+
  # For editing the sources.list file
-  /etc/apt/sources.list rwk,
  /{usr/,}bin/sensible-editor rCx -> editor,
  /{usr/,}bin/vim.*           rCx -> editor,

  # For changelogs
-        /tmp/apt-changelog-*/ w,
-  owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
-        /tmp/apt-changelog-*/*.changelog w,
  /{usr/,}bin/sensible-pager  rCx -> pager,

-  /var/lib/dpkg/** r,
-  /var/lib/dpkg/lock{,-frontend} rwk,
+  /usr/share/xml/iso-codes/{,**} r,

-  owner @{PROC}/@{pid}/fd/ r,
-
-  /dev/ptmx rw,
-
-  /var/lib/dbus/machine-id r,
+  /etc/apt/sources.list rwk,
  /etc/machine-id r,
-
-        /tmp/ r,
-  owner /tmp/apt.conf.* rw,
-  owner /tmp/apt.data.* rw,
-  owner /tmp/apt-dpkg-install-*/ rw,
-  owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
+  /var/lib/dbus/machine-id r,

  /var/cache/apt/ r,
  /var/cache/apt/** rwk,

+  /var/crash/{,*.@{uid}.crash} rw,
+
+  /var/lib/apt/extended_states{,.*} rw,
+  /var/lib/apt/lists/** rw,
+  /var/lib/apt/lists/lock rwk,
+  /var/lib/apt/periodic/update-success-stamp rw,
+  /var/lib/dpkg/** r,
+  /var/lib/dpkg/lock{,-frontend} rwk,
+  /var/lib/update-notifier/dpkg-run-stamp rw,
+
+  /var/log/apt/{,**} rw,
+
  # For package building
  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,

+        /tmp/ r,
+        /tmp/apt-changelog-*/ w,
+        /tmp/apt-changelog-*/*.changelog w,
+  owner /tmp/apt-changelog-*/.apt-acquire-privs-test.* rw,
+  owner /tmp/apt-dpkg-install-*/ rw,
+  owner /tmp/apt-dpkg-install-*/[0-9]*-*.deb w,
+  owner /tmp/apt.conf.* rw,
+  owner /tmp/apt.data.* rw,
+
+        @{PROC}/@{pids}/cmdline r,
+        @{PROC}/@{pids}/mountinfo r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+
+  /dev/ptmx rw,
+
  @{run}/systemd/inhibit/[0-9]*.ref rw,

  profile editor flags=(complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

+    /{usr/,}bin/{,ba,da}sh            rix,
    /{usr/,}bin/sensible-editor      mr,
    /{usr/,}bin/vim.*                mrix,
-    /{usr/,}bin/{,ba,da}sh       rix,
    /{usr/,}bin/which{,.debianutils}  rix,

-    owner @{HOME}/.selected_editor r,
-
    /usr/share/vim/{,**} r,
-    /etc/vim/{,**} r,
-    owner @{HOME}/.viminfo{,.tmp} rw,
-
-    owner @{HOME}/.fzf/plugin/ r,
-    owner @{HOME}/.fzf/plugin/fzf.vim r,

    /etc/apt/sources.list rw,
+    /etc/vim/{,**} r,
+
+    owner @{HOME}/.viminfo{,.tmp} rw,
+    owner @{HOME}/.selected_editor r,
+    owner @{HOME}/.fzf/plugin/ r,
+    owner @{HOME}/.fzf/plugin/fzf.vim r,

  }

@ -130,39 +178,36 @@ profile apt @{exec_path} flags=(attach_disconnected) {
    capability dac_read_search,

    /{usr/,}bin/                      r,
-    /{usr/,}bin/sensible-pager mr,
    /{usr/,}bin/{,ba,da}sh            rix,
-
-    /{usr/,}bin/which{,.debianutils}         rix,
    /{usr/,}bin/less                  rix,
+    /{usr/,}bin/sensible-pager       mr,
+    /{usr/,}bin/which{,.debianutils}  rix,
+
+    /root/ r,  # For shell pwd

    owner @{HOME}/.less* rw,

    owner /tmp/apt-changelog-*/ r,
    owner /tmp/apt-changelog-*/*.changelog r,

-    # For shell pwd
-    /root/ r,
-
  }

  profile dpkg-source flags=(complain) {
    include <abstractions/base>
-    include <abstractions/perl>
    include <abstractions/nameservice-strict>
+    include <abstractions/perl>

    /{usr/,}bin/dpkg-source mr,
    /{usr/,}bin/perl r,

-    /{usr/,}bin/tar     rix,
    /{usr/,}bin/bunzip2 rix,
+    /{usr/,}bin/chmod   rix,
    /{usr/,}bin/gunzip  rix,
    /{usr/,}bin/gzip    rix,
-    /{usr/,}bin/xz      rix,
-    /{usr/,}bin/rm      rix,
-    /{usr/,}bin/chmod   rix,
-
    /{usr/,}bin/patch   rix,
+    /{usr/,}bin/rm      rix,
+    /{usr/,}bin/tar     rix,
+    /{usr/,}bin/xz      rix,

    /etc/dpkg/origins/debian r,

--- a/apparmor.d/groups/apt/apt-cache
+++ b/apparmor.d/groups/apt/apt-cache
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -9,23 +10,23 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cache
 profile apt-cache @{exec_path} {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/apt-common>
+  include <abstractions/consoles>

  @{exec_path} mr,

  /{usr/,}bin/dpkg rPx -> child-dpkg,

+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
  /var/lib/dpkg/** r,
  /var/lib/dpkg/lock{,-frontend} rwk,

-  owner @{PROC}/@{pid}/fd/ r,
-
  /var/cache/apt/ r,
  /var/cache/apt/** rwk,

-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
+  owner @{PROC}/@{pid}/fd/ r,

  include if exists <local/apt-cache>
 }
--- a/apparmor.d/groups/apt/apt-cdrom
+++ b/apparmor.d/groups/apt/apt-cdrom
@ -9,8 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-cdrom
 profile apt-cdrom @{exec_path} flags=(complain) {
  include <abstractions/base>
-  include <abstractions/nameservice-strict>
  include <abstractions/apt-common>
+  include <abstractions/nameservice-strict>

  capability dac_read_search,

@ -21,6 +21,8 @@ profile apt-cdrom @{exec_path} flags=(complain) {
  /{usr/,}bin/mount       rCx -> mount,
  /{usr/,}bin/umount      rCx -> umount,

+  /etc/fstab r,
+
  # Are all of these needed? (#FIXME#)
  @{sys}/bus/ r,
  @{sys}/bus/*/devices/ r,
@ -29,8 +31,6 @@ profile apt-cdrom @{exec_path} flags=(complain) {
  @{sys}/devices/**/uevent r,
  @{run}/udev/data/* r,

-  /etc/fstab r,
-
  # For cd-roms
  /media/cdrom[0-9]/ r,
  /media/cdrom[0-9]/**/ r,
@ -39,11 +39,11 @@ profile apt-cdrom @{exec_path} flags=(complain) {
  /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r,

  # For pendrives
-  @{MOUNTS}/*/*/ r,
-  @{MOUNTS}/*/*/**/ r,
-  @{MOUNTS}/*/*/.disk/info r,
-  @{MOUNTS}/*/*/dists/**/binary-*/Packages{,.gz} r,
-  @{MOUNTS}/*/*/dists/**/i18n/Translation-en{,.gz} r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/**/ r,
+  @{MOUNTS}/.disk/info r,
+  @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r,
+  @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r,

  /var/lib/apt/lists/** rw,

--- a/apparmor.d/groups/apt/apt-config
+++ b/apparmor.d/groups/apt/apt-config
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -9,13 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-config
 profile apt-config @{exec_path} {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/apt-common>
+  include <abstractions/consoles>

  @{exec_path} mr,

  /{usr/,}bin/dpkg rPx -> child-dpkg,

+  owner /tmp/tmp*/apt.conf r,
+
  owner @{PROC}/@{pid}/fd/ r,

  include if exists <local/apt-config>
--- a/apparmor.d/groups/apt/apt-extracttemplates
+++ b/apparmor.d/groups/apt/apt-extracttemplates
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -16,15 +17,17 @@ profile apt-extracttemplates @{exec_path} {

  /{usr/,}bin/dpkg rPx -> child-dpkg,

-  owner @{PROC}/@{pid}/fd/ r,
-
  /var/cache/apt/ r,
  /var/cache/apt/** rwk,

-  owner /tmp/*.{config,template}.?????? rw,
-
  # For package building
  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,

+  owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
+  owner /tmp/*.{config,template}.?????? rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+
  include if exists <local/apt-extracttemplates>
 }
--- a/apparmor.d/groups/apt/apt-file
+++ b/apparmor.d/groups/apt/apt-file
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -25,13 +26,13 @@ profile apt-file @{exec_path} {

  /etc/apt/apt-file.conf r,

-  owner @{PROC}/@{pid}/fd/ r,
-
  # For shell pwd
  /root/ r,

  # file_inherit
  /var/log/cron-apt/temp w,

+  owner @{PROC}/@{pid}/fd/ r,
+
  include if exists <local/apt-file>
 }
--- a/apparmor.d/groups/apt/apt-forktracer
+++ b/apparmor.d/groups/apt/apt-forktracer
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -9,8 +10,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/apt-forktracer
 profile apt-forktracer @{exec_path} {
  include <abstractions/base>
-  include <abstractions/python>
  include <abstractions/apt-common>
+  include <abstractions/python>

  @{exec_path} mr,

@ -19,21 +20,20 @@ profile apt-forktracer @{exec_path} {
  /{usr/,}bin/apt-cache rPx,

  /usr/share/apt-forktracer/{,**} r,
+  /usr/share/distro-info/debian.csv r,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,

  /var/lib/apt/lists/ r,
  /var/lib/apt/lists/*_InRelease r,

  /var/cache/apt/pkgcache.bin{,.*} rw,

-  /usr/share/distro-info/debian.csv r,
-
-  owner @{PROC}/@{pid}/fd/ r,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
  /etc/dpkg/origins/debian r,
  /etc/debian_version r,

+  owner @{PROC}/@{pid}/fd/ r,
+
  include if exists <local/apt-forktracer>
 }
--- a/apparmor.d/groups/apt/apt-key
+++ b/apparmor.d/groups/apt/apt-key
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -14,21 +15,21 @@ profile apt-key @{exec_path} {
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}bin/{,e}grep   rix,
+  /{usr/,}bin/cat        rix,
+  /{usr/,}bin/chmod      rix,
+  /{usr/,}bin/cmp        rix,
+  /{usr/,}bin/comm       rix,
+  /{usr/,}bin/cp         rix,
+  /{usr/,}bin/cut        rix,
+  /{usr/,}bin/find       rix,
+  /{usr/,}bin/id         rix,
+  /{usr/,}bin/mktemp     rix,
+  /{usr/,}bin/readlink   rix,
  /{usr/,}bin/rm         rix,
  /{usr/,}bin/sed        rix,
-  /{usr/,}bin/cp         rix,
-  /{usr/,}bin/cat        rix,
-  /{usr/,}bin/cmp        rix,
-  /{usr/,}bin/find       rix,
-  /{usr/,}bin/cut        rix,
-  /{usr/,}bin/mktemp     rix,
-  /{usr/,}bin/chmod      rix,
-  /{usr/,}bin/touch      rix,
-  /{usr/,}bin/readlink   rix,
  /{usr/,}bin/sort       rix,
-  /{usr/,}bin/comm       rix,
-  /{usr/,}bin/{,e}grep   rix,
-  /{usr/,}bin/id         rix,
+  /{usr/,}bin/touch      rix,
  /{usr/,}bin/tr         rix,
  /{usr/,}bin/uniq       rix,
  /{usr/,}bin/wc         rix,
@ -73,6 +74,11 @@ profile apt-key @{exec_path} {
    /{usr/,}bin/gpg-agent         rix,
    /{usr/,}bin/gpg-connect-agent rix,

+    /usr/share/gnupg/sks-keyservers.netCA.pem r,
+  
+    /etc/hosts r,
+    /etc/inputrc r,
+
    /etc/apt/.#lk0x[a-f0-9]*.@{pid} rw,
    /etc/apt/.#lk0x[a-f0-9]*.@{pid}x rwl -> /etc/apt/.#lk0x[a-f0-9]*.@{pid},
    /etc/apt/trusted.gpg{,~,.tmp} rw,
@ -86,18 +92,13 @@ profile apt-key @{exec_path} {

    owner /tmp/apt-key-gpghome.*/ rw,
    owner /tmp/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
+    owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
+  
+    owner @{run}/user/@{uid}/gnupg/d.*/ rw,

    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,

-    /usr/share/gnupg/sks-keyservers.netCA.pem r,
-
-    /etc/hosts r,
-    /etc/inputrc r,
-
-    # File_inherit
-    owner /tmp/apt-key-gpghome.*/gpgoutput.{log,err} w,
-
  }

  include if exists <local/apt-key>
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@ -14,17 +14,15 @@ profile apt-methods-http @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

-  # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
-  # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
-  # used by APT to download packages, package list, and other things using APT methods as an
-  # unprivileged user/group (_apt/nogroup).
  capability setgid,
  capability setuid,

-  signal (receive) peer=apt,
  signal (receive) peer=apt-get,
+  signal (receive) peer=apt,
  signal (receive) peer=aptitude,
  signal (receive) peer=synaptic,
+  signal (receive) peer=unattended-upgrade,
+  signal (receive) peer=update-manager,

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/groups/apt/dpkg-divert
+++ b/apparmor.d/groups/apt/dpkg-divert
@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {

  /var/lib/dpkg/** r,

-  /usr/share/*/**.dpkg-divert.tmp w,
+  /usr/share/*/** w,

  /var/lib/dpkg/diversions rw,
  /var/lib/dpkg/diversions-new rw,
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -35,6 +36,9 @@ profile dpkg-preconfigure @{exec_path} {
  owner /tmp/*.config.* rwPUx,

  owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
+  owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
+
+  @{run}/user/@{uid}/pk-debconf-socket rw,

  # The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
  include <abstractions/gtk>
@ -44,9 +48,7 @@ profile dpkg-preconfigure @{exec_path} {
  capability dac_read_search,
  /{usr/,}bin/lsb_release rPx -> lsb_release,
  /{usr/,}bin/hostname    rix,
-  owner @{PROC}/@{pid}/mounts r,
  @{HOME}/.Xauthority r,
-
  owner @{PROC}/@{pid}/mounts r,

  include if exists <local/dpkg-preconfigure>
--- a/apparmor.d/groups/apt/dpkg-query
+++ b/apparmor.d/groups/apt/dpkg-query
@ -23,6 +23,7 @@ profile dpkg-query @{exec_path} {

  # file_inherit
  /tmp/#[0-9]*[0-9] rw,
+  /dev/tty[0-9]* rw,

  include if exists <local/dpkg-query>
 }
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/reportbug
 profile reportbug @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/wayland>
  include <abstractions/consoles>
  include <abstractions/fonts>
@ -63,10 +64,6 @@ profile reportbug @{exec_path} {
  /{usr/,}bin/run-parts        rCx -> run-parts,
  /{usr/,}bin/gpg              rCx -> gpg,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  # For sending additional information
  /etc/** r,

--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -9,10 +10,12 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/unattended-upgrade
 profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/apt-common>
+  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
-  include <abstractions/consoles>

  capability chown,
  capability dac_override,
@ -26,41 +29,64 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

+  signal (send) peer=apt-methods-http,
+
+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.PackageKit
+       member=StateHasChanged,
+
+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect,
+
+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=Inhibit,
+
+  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member={PropertiesChanged,GetAll},
+
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=StateChanged,
+
  @{exec_path} mr,

  /{usr/,}bin/ r,

+  /{usr/,}bin/{,ba,da}sh               rix,
+  /{usr/,}bin/echo                     rix,
+  /{usr/,}bin/gdbus                    rix,
+  /{usr/,}bin/ischroot                 rix,
+  /{usr/,}bin/python3.[0-9]*           rix,
+  /{usr/,}bin/test                     rix,
+  /{usr/,}bin/touch                    rix,
+  /{usr/,}bin/uname                    rix,
+
  /{usr/,}{s,}bin/dpkg-preconfigure    rPx,
  /{usr/,}{s,}bin/on_ac_power          rPx,
  /{usr/,}{s,}bin/sendmail             rPUx,
-  /{usr/,}bin/{,ba,da}sh               rix,
  /{usr/,}bin/apt-listchanges          rPx,
  /{usr/,}bin/dpkg                     rPx,
  /{usr/,}bin/etckeeper                rPx,
  /{usr/,}bin/lsb_release              rPx -> lsb_release,
-  /{usr/,}bin/python3.[0-9]*           rix,
-  /{usr/,}bin/uname                    rix,
  /{usr/,}lib/apt/methods/http{,s}     rPx,
  /{usr/,}lib/needrestart/apt-pinvoke  rPx,
+  /{usr/,}lib/update-notifier/update-motd-updates-available rPx,

  /usr/share/distro-info/* r,
-  /usr/share/dpkg/*table r,

  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
-  /etc/apt/preferences.d/{,**} r,
-  /etc/apt/sources.list.d/{,**} r,

  /etc/machine-id r,

  /var/log/unattended-upgrades/*.log rw,

-  /var/lib/apt/extended_states r,
-  /var/lib/apt/lists/{,**} r,
  /var/lib/apt/periodic/unattended-upgrades-stamp w,
  /var/lib/dpkg/lock rwk,
  /var/lib/dpkg/lock-frontend rwk,
-  /var/lib/dpkg/status r,
  /var/lib/dpkg/updates/ r,

  /var/cache/apt/{,**} rwk,
@ -74,9 +100,12 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/inhibit/[0-9]*.ref rw,
        @{run}/resolvconf/resolv.conf r,

-  owner /tmp/#[0-9]* rw,
+  owner /tmp/apt-dpkg-install-*/{,*} rw,

  owner @{PROC}/@{pids}/fd/ r,
+        @{PROC}/@{pids}/mountinfo r,
+
+  /dev/ptmx rw,

  include if exists <local/unattended-upgrade>
 }
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
@ -9,11 +9,31 @@ include <tunables/global>
@{exec_path} = /usr/share/unattended-upgrades/unattended-upgrade-shutdown
 profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-network-manager-strict>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/python>

+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=Inhibit,
+
+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.DBus.{Introspectable,Properties}
+       member={Introspect,Get},
+
+  dbus send bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus receive bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=PrepareForShutdown,
+
  @{exec_path} mr,

+  /{usr/,}bin/ischroot  rix,
+
  /usr/share/unattended-upgrades/{,*} r,
  /etc/apt/apt.conf.d/{,*} r,

--- a/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng
+++ b/apparmor.d/groups/apt/usr.sbin.apt-cacher-ng
@ -1,43 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) Felix Geyer <debfx@ubuntu.com>
-# SPDX-License-Identifier: GPL-2.0-only
-
-@{APT_CACHER_NG_CACHE_DIR}=/var/cache/apt-cacher-ng
-
-include <tunables/global>
-
-profile apt-cacher-ng /usr/sbin/apt-cacher-ng flags=(complain) {
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/openssl>
-  include <abstractions/user-tmp>
-
-  /etc/apt-cacher-ng/ r,
-  /etc/apt-cacher-ng/** r,
-  /etc/hosts.{deny,allow} r,
-  /usr/sbin/apt-cacher-ng mr,
-
-  /var/lib/apt-cacher-ng/** r,
-  /{,var/}run/apt-cacher-ng/* rw,
-  @{APT_CACHER_NG_CACHE_DIR}/ r,
-  @{APT_CACHER_NG_CACHE_DIR}/** rwl,
-  /var/log/apt-cacher-ng/ r,
-  /var/log/apt-cacher-ng/* rw,
-  /{,var/}run/systemd/notify w,
-
-  /{usr/,}bin/dash ixr,
-  /{usr/,}bin/ed ixr,
-  /{usr/,}bin/red ixr,
-  /{usr/,}bin/sed ixr,
-
-  /usr/lib/apt-cacher-ng/acngtool ixr,
-
-  # Allow serving local documentation
-  /etc/mime.types r,
-  /usr/share/doc/apt-cacher-ng/html/** r,
-
-  # used by libevent
-  @{PROC}/sys/kernel/random/uuid r,
-
-  include if exists <local/usr.sbin.apt-cacher-ng>
-}
--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@ -14,6 +14,7 @@ include <tunables/global>
 profile brave @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -105,10 +106,6 @@ profile brave @{exec_path} {

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or Brave crash with the following error:
--- a/apparmor.d/groups/browsers/chrome-gnome-shell
+++ b/apparmor.d/groups/browsers/chrome-gnome-shell
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/chrome-gnome-shell
 profile chrome-gnome-shell @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
@ -26,9 +26,6 @@ profile chrome-gnome-shell @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{PROC}/@{pid}/mounts r,

  deny @{HOME}/.* r,
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@ -14,7 +14,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/chromium-common>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -58,6 +58,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {

  /{usr/,}bin/lsb_release        rPx -> lsb_release,
  /{usr/,}bin/xdg-desktop-menu   rPx,
+  /{usr/,}bin/xdg-email          rPx,
  /{usr/,}bin/xdg-icon-resource  rPx,
  /{usr/,}bin/xdg-mime           rPx,
  /{usr/,}bin/xdg-open           rCx -> open,
@ -106,9 +107,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
  # owner @{HOME}/.mozilla/firefox/*/logins.json r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner /tmp/tmp.*/ rw,
  owner /tmp/tmp.*/** rwk,
  owner /tmp/scoped_dir*/{,**} rw,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -15,7 +15,7 @@ include <tunables/global>
 profile firefox @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
@ -131,9 +131,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
    /var/tmp/ r,
        /tmp/ r,
  owner /tmp/* rw,
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@ -12,7 +12,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/firefox/crashreporter
 profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -51,9 +51,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {

  owner @{user_cache_dirs}/mozilla/firefox/*.*/** r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
        /tmp/ r,
    /var/tmp/ r,
  owner /tmp/[0-9a-f]*.{dmp,extra} rw,
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@ -13,6 +13,7 @@ include <tunables/global>
@{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
 profile opera @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -83,10 +84,6 @@ profile opera @{exec_path} {

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or opera crashes with the following error:
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -11,6 +11,9 @@ include <tunables/global>
 profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dbus>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-accessibility>
  include <abstractions/nameservice-strict>

  capability audit_write,
@ -34,14 +37,18 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  /{usr/,}bin/ r,
  @{libexec}/*            rPUx,
  /{usr/,}lib/ibus/ibus-* rPx,
-  /{usr/,}bin/ r,
  /{usr/,}bin/[a-z0-9]*   rPUx,
  /{usr/,}lib/dbus-1.0/dbus-daemon-launch-helper rPx,
+  # Xubuntu
+  /{usr/,}lib/@{multiarch}/xfce4/xfconf/xfconfd  rPUx,
+  /{usr/,}lib/@{multiarch}/tumbler-1/tumblerd    rPUx,
+
+  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,

  /etc/dbus-1/{,**} r,
-  /etc/machine-id r,

  /usr/share/dbus-1/{,**} r,
  /usr/share/defaults/**.conf r,
@ -63,13 +70,10 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {

  owner /tmp/dbus-[0-9a-zA-Z]* rw,

-  owner @{run}/user/@{uid}/bus w,
-  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
  owner @{run}/user/@{uid}/dbus-1/ rw,
  owner @{run}/user/@{uid}/dbus-1/services/ rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
-        @{run}/systemd/sessions/[0-9]*.ref rw,
-        @{run}/systemd/userdb/io.systemd.DynamicUser w,
+        @{run}/systemd/sessions/*.ref rw,
        @{run}/systemd/users/@{uid} r,

  @{sys}/kernel/security/apparmor/.access rw,
@ -77,7 +81,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  @{sys}/module/apparmor/parameters/enabled r,

  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mounts r,
+        @{PROC}/@{pids}/mounts r,
        @{PROC}/@{pids}/attr/apparmor/current r,
        @{PROC}/@{pids}/oom_score_adj rw,
        @{PROC}/@{pids}/cmdline r,
--- a/apparmor.d/groups/bus/dbus-daemon-launch-helper
+++ b/apparmor.d/groups/bus/dbus-daemon-launch-helper
@ -18,10 +18,16 @@ profile dbus-daemon-launch-helper @{exec_path} {

  @{exec_path} mr,

+  /{usr/,}lib/@{multiarch}/cups-pk-helper-mechanism         rPx,
  /{usr/,}lib/cups-pk-helper/cups-pk-helper-mechanism       rPx,
+  /{usr/,}lib/software-properties/software-properties-dbus  rPx,
+  
+  /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService rPx,

  /usr/share/dbus-1/{,**} r,

+  /etc/dbus-1/{,**} r,
+
  owner @{PROC}/@{pid}/oom_score_adj rw,

  include if exists <local/dbus-daemon-launch-helper>
--- a/apparmor.d/groups/bus/dbus-run-session
+++ b/apparmor.d/groups/bus/dbus-run-session
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-run-session
 profile dbus-run-session @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>

  signal (receive) set=(term, kill, hup) peer=gdm*,
  signal (send) set=term peer=dbus-daemon,
@ -26,8 +26,6 @@ profile dbus-run-session @{exec_path} {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/dconf/profile/gdm r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  /var/lib/gdm/.config/dconf/user r,
  /var/lib/gdm/.cache/dconf/ rw,

--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@ -9,6 +9,8 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/ibus-daemon
 profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/ibus>
  include <abstractions/nameservice-strict>

  signal (receive) set=(usr1) peer=gnome-shell,
@ -25,7 +27,6 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

-  owner @{user_config_dirs}/ibus/{,**} rw,
  owner @{user_cache_dirs}/ibus/{,**} rw,
  /var/lib/gdm{3,}/.config/ibus/{,**} rw,
  /var/lib/gdm{3,}/.cache/ibus/{,**} rw,
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-dconf
 profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

  signal (receive) set=term peer=ibus-daemon,
@ -29,8 +29,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  /var/lib/gdm/.cache/dconf/ w,
  /var/lib/gdm/.cache/dconf/user rw,
  /var/lib/gdm/.config/dconf/user rw,
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-engine-simple
 profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/ibus>

  signal (receive) set=term peer=ibus-daemon,

@ -18,8 +19,6 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
-  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9] r,

--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@ -10,10 +10,12 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-extension-gtk3
 profile ibus-extension-gtk3 @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
+  include <abstractions/ibus>
  include <abstractions/nameservice-strict>

  signal (receive) set=term peer=ibus-daemon,
@ -32,17 +34,10 @@ profile ibus-extension-gtk3 @{exec_path} {
  /usr/share/icons/{,**} r,
  /usr/share/X11/xkb/** r,

-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
-
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
-  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
-
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9] rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  /var/lib/gdm/.config/dconf/user r,

  include if exists <local/ibus-extension-gtk3>
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@ -9,14 +9,15 @@ include <tunables/global>
@{exec_path} = @{libexec}/ibus-memconf
 profile ibus-memconf @{exec_path} {
  include <abstractions/base>
+  include <abstractions/ibus>
  include <abstractions/nameservice-strict>

  @{exec_path} mr,

+  /etc/machine-id r,
+
  /var/lib/gdm{3,}/.config/ibus/bus/ r,
  /var/lib/gdm{3,}/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,

-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
-
  include if exists <local/ibus-memconf>
 }
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -10,6 +10,8 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-portal
 profile ibus-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/ibus>

  signal (receive) set=(term, hup) peer=gdm*,

@ -25,8 +27,6 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
  /var/lib/dbus/machine-id r,
  /var/lib/gdm/.config/ibus/bus/ r,
  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,
-  owner @{user_config_dirs}/ibus/bus/ r,
-  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,

  owner /dev/tty[0-9]* rw,
  /dev/null rw,
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-x11
 profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
@ -18,14 +19,14 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>

+  unix (connect, receive, send) type=stream peer=(label=ibus-daemon),
+
  @{exec_path} mr,

-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
+  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,

  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,
  owner @{user_config_dirs}/ibus/bus/[0-9a-f]*-unix-[0-9] r,
-  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@ -7,17 +7,18 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}sbin/cron
+@{exec_path} = /{usr/,}{s,}bin/cron
 profile cron @{exec_path} {
  include <abstractions/base>
-  include <abstractions/nameservice-strict>
+  include <abstractions/app-launcher-root>
  include <abstractions/authentication>
+  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>

-  capability setuid,
-  capability setgid,
-  capability dac_read_search,
  capability audit_write,
+  capability dac_read_search,
+  capability setgid,
+  capability setuid,
  capability sys_resource,

  network netlink raw,
@ -29,33 +30,18 @@ profile cron @{exec_path} {
  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/nice        rix,
  /{usr/,}bin/ionice      rix,
+  /{usr/,}bin/run-parts   rPx,

-  /etc/crontab r,
-
-  # All stuff that is executed via the /etc/cron.d/ dir
-  /etc/cron.d/{,*} r,
-  /{usr/,}sbin/cron-apt                 rPx,
-  /{usr/,}bin/debsecan                  rPx,
  /{usr/,}lib/@{multiarch}/e2fsprogs/e2scrub_all_cron rPUx,
-  /{usr/,}sbin/e2scrub_all             rPUx,
-  /etc/cron.daily/popularity-contest    rPx,
  /{usr/,}lib/sysstat/debian-sa1       rPUx,
-  /{usr/,}{s,}bin/sendmail             rPUx,
-
-  # All stuff that is executed via the user crontab files
-  /{usr/,}bin/apt-file                  rPx,
-  /{usr/,}bin/apt-key                   rPx,
-  /{usr/,}bin/rsync                    rPUx,
  /usr/share/rsync/scripts/rrsync      rPUx,
-  /{usr/,}bin/gpg                       rPx,
-  /{usr/,}sbin/update-pciids            rPx,
-  /{usr/,}bin/borg                      rPx,
+  /usr/local/lib/pki/pki-realm         rPUx,  # TODO: FIXME: NO COMMIT ZENFRA ONLY

-  # Cron scripts in the /etc/cron.*/ dir to execute
-  /{usr/,}bin/run-parts                 rCx -> run-parts,
-
-  # Send results using email
-  /{usr/,}sbin/exim4                    rPx,
+  /etc/cron.d/{,*} r,
+  /etc/crontab r,
+  /etc/default/locale r,
+  /etc/environment r,
+  /etc/security/limits.d/{,**} r,

  /var/spool/cron/crontabs/{,*} r,

@ -66,56 +52,7 @@ profile cron @{exec_path} {

  owner @{PROC}/@{pid}/uid_map r,
  owner @{PROC}/@{pid}/loginuid rw,
-
-  /etc/environment r,
-
-  /etc/default/locale r,
-
        @{PROC}/1/limits r,
-  /etc/security/limits.d/ r,
-
-  profile run-parts {
-    include <abstractions/base>
-
-    /{usr/,}bin/run-parts mr,
-
-    /etc/cron.{hourly,daily,weekly,monthly}/                     r,
-    /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs         rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions    rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils        rPUx,
-    /etc/cron.{hourly,daily,weekly,monthly}/checksecurity       rPUx,
-    /etc/cron.{hourly,daily,weekly,monthly}/debtags              rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/exim4-base           rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/logrotate            rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/mlocate              rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/dlocate              rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/plocate              rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/passwd              rPUx,
-    /etc/cron.{hourly,daily,weekly,monthly}/apt-compat           rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/aptitude             rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/debsums              rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/dpkg                rPUx,
-    /etc/cron.{hourly,daily,weekly,monthly}/man-db               rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest   rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/sysstat              rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/spamassassin        rPUx,
-    /etc/cron.{hourly,daily,weekly,monthly}/vrms                rPUx,
-    /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index     rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/tor                 rPUx,
-    /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime     rPx,
-    /etc/cron.{hourly,daily,weekly,monthly}/etckeeper            rPx,
-
-    #/etc/cron.{hourly,daily,weekly,monthly}/opera-browser                     rPUx,
-    #/etc/cron.{hourly,daily,weekly,monthly}/google-chrome{,-beta,-unstable}   rPUx,
-    #/opt/google/chrome{,-beta,-unstable}/cron/google-chrome{,-beta,-unstable} rPUx,
-    #/opt/brave.com/brave/cron/brave-browser{,-beta,-dev}                      rPUx,
-    #/opt/brave.com/brave{,-beta,-dev}/cron/brave-browser{,-beta,-dev}         rPUx,
-
-    # file_inherit
-    owner /tmp/#[0-9]*[0-9] rw,
-
-    include if exists <local/cron_run-parts>
-  }

  include if exists <local/cron>
 }
--- a/apparmor.d/groups/cron/cron-anacron
+++ b/apparmor.d/groups/cron/cron-anacron
@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/0anacron
+profile cron-anacron @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} r,
+
+  /{usr/,}bin/{,ba,da}sh            rix,
+  /{usr/,}{s,}bin/anacron           rPx,
+
+  include if exists <local/cron-anacron>
+}
--- a/apparmor.d/groups/cron/cron-apport
+++ b/apparmor.d/groups/cron/cron-apport
@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/apport
+profile cron-apport @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} r,
+
+  /{usr/,}bin/{,ba,da}sh            rix,
+  /{usr/,}bin/find                  rix,
+  /{usr/,}bin/rm                    rix,
+
+  / r,
+  /var/crash/ r,
+  /var/crash/*.crash w,
+
+  include if exists <local/cron-apport>
+}
--- a/apparmor.d/groups/cron/cron-apt
+++ b/apparmor.d/groups/cron/cron-apt
--- a/apparmor.d/groups/cron/cron-apt-compat
+++ b/apparmor.d/groups/cron/cron-apt-compat
--- a/apparmor.d/groups/cron/cron-apt-listbugs
+++ b/apparmor.d/groups/cron/cron-apt-listbugs
--- a/apparmor.d/groups/cron/cron-apt-show-versions
+++ b/apparmor.d/groups/cron/cron-apt-show-versions
--- a/apparmor.d/groups/cron/cron-apt-xapian-index
+++ b/apparmor.d/groups/cron/cron-apt-xapian-index
--- a/apparmor.d/groups/cron/cron-aptitude
+++ b/apparmor.d/groups/cron/cron-aptitude
--- a/apparmor.d/groups/cron/cron-debsums
+++ b/apparmor.d/groups/cron/cron-debsums
--- a/apparmor.d/groups/cron/cron-debtags
+++ b/apparmor.d/groups/cron/cron-debtags
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@ -9,25 +9,50 @@ include <tunables/global>

@{exec_path} =  /{usr/,}lib/accountsservice/accounts-daemon
@{exec_path} += @{libexec}/accounts-daemon
-profile accounts-daemon @{exec_path} {
+profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>

  capability dac_read_search,
+  capability setgid,
+  capability setuid,
  capability sys_nice,
  capability sys_ptrace,

  ptrace (read) peer=unconfined,

+  dbus (send,receive) bus=system path=/org/freedesktop/Accounts{,/User[0-9]*}
+       interface=org.freedesktop.{DBus.{Properties,Introspectable},Accounts{,.User}},
+
+  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member={CheckAuthorization,Changed},
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,GetConnectionUnixUser}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus bind bus=system 
+       name=org.freedesktop.Accounts,
+
  @{exec_path} mr,

+  /usr/share/language-tools/language-validate  rPx,
+
  /usr/share/accountsservice/{,**} r,
  /usr/share/dbus-1/interfaces/*.xml r,

-  /etc/gdm/ r,
-  /etc/gdm/custom.conf rw,
-  /etc/gdm/custom.conf.* rw,
+  /etc/default/locale r,
+  /etc/gdm{3,}/ r,
+  /etc/gdm{3,}/custom.conf rw,
+  /etc/gdm{3,}/custom.conf.* rw,
  /etc/machine-id r,
  /etc/shadow r,
  /etc/shells r,
@ -35,6 +60,8 @@ profile accounts-daemon @{exec_path} {
  owner /var/lib/AccountsService/ r,
  owner /var/lib/AccountsService/** rw,

+  @{HOME}/ r,
+
  @{PROC}/@{pids}/cmdline r,
  @{PROC}/1/environ r,
  @{PROC}/cmdline r,
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -11,11 +11,13 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi-bus-launcher
 profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dbus-session>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

  signal (receive) set=(term hup kill) peer=dbus-daemon,
  signal (receive) set=(term hup kill) peer=gdm*,
+  signal (receive) set=(term hup kill) peer=gnome-session-binary,
  signal (send)    set=(term hup kill) peer=dbus-daemon,

  network inet stream,
@ -33,9 +35,6 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,

-  owner @{run}/user/@{uid}/at-spi/{,bus} rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  /var/lib/lightdm/.Xauthority r,
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -10,21 +11,20 @@ include <tunables/global>
@{exec_path} += @{libexec}/at-spi2-registryd
 profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
  include <abstractions/nameservice-strict>

-  # Needed?
-  deny capability sys_nice,
-
  signal (receive) set=(term hup) peer=gdm*,

  @{exec_path} mr,

-  owner @{HOME}/.Xauthority r,
  /var/lib/lightdm/.Xauthority r,
+
+  owner @{HOME}/.Xauthority r,
+  owner @{HOME}/.xsession-errors w,
+
  owner @{run}/user/@{uid}/gdm/Xauthority r,

-  # file_inherit
-  owner @{HOME}/.xsession-errors w,
  owner /dev/tty[0-9]* rw,

  include if exists <local/at-spi2-registryd>
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,11 +11,30 @@ include <tunables/global>
@{exec_path} += @{libexec}/colord
 profile colord @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/devices-usb>

  network netlink raw,

+  dbus (send,receive) bus=system path=/org/freedesktop/ColorManager{,/**}
+       interface=org.freedesktop.{DBus.Properties,ColorManager*},
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName},
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=CheckAuthorization,
+
+  dbus bind bus=system 
+       name=org.freedesktop.ColorManager,
+
  @{exec_path} mr,

  /{usr/,}lib/colord/colord-sane  rPx,
@ -37,7 +56,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {

  @{user_share_dirs}/icc/edid-*.icc r,

-  @{run}/systemd/sessions/[0-9]* r,
+  @{run}/systemd/sessions/* r,

  @{sys}/class/drm/ r,
  @{sys}/class/video4linux/ r,
--- a/apparmor.d/groups/freedesktop/colord-sane
+++ b/apparmor.d/groups/freedesktop/colord-sane
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -8,25 +9,41 @@ include <tunables/global>

@{exec_path}  = /{usr/,}lib/colord/colord-sane
@{exec_path} += @{libexec}/colord-sane
-profile colord-sane @{exec_path} flags=(complain) {
+profile colord-sane @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/devices-usb>

+  network inet dgram,
+  network inet6 dgram,
  network netlink raw,

+  dbus (send,receive) bus=system path=/org/freedesktop/ColorManager
+       interface=org.freedesktop.{DBus.Properties,ColorManager},
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.{DBus.Peer,Avahi.Server}
+       member={GetAPIVersion,GetState,ServiceBrowserNew,Ping}
+       peer=(name=org.freedesktop.Avahi),
+
+  dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       member={CacheExhausted,AllForNow},
+
  @{exec_path} mr,

-  /etc/sane.d/{,**} r,
+  /usr/share/snmp/mibs/{,*} r,

+  /etc/sane.d/{,**} r,
  /etc/snmp/snmp.conf r,
+
+  /var/lib/snmp/{mib,cert}_indexes/ rw,
  /var/lib/snmp/mibs/{iana,ietf}/ r,
  /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,

-  /var/lib/snmp/{mib,cert}_indexes/ rw,
-  /usr/share/snmp/mibs/{,*} r,
+  @{run}/systemd/journal/socket rw,

  @{sys}/bus/scsi/devices/ r,
-
  @{sys}/devices/pci[0-9]*/**/{vendor,model,type} r,

  @{PROC}/sys/dev/parport/ r,
--- a/apparmor.d/groups/freedesktop/colord-session
+++ b/apparmor.d/groups/freedesktop/colord-session
@ -6,7 +6,8 @@ abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}lib/colord/colord-session @{libexec}/colord-session
+@{exec_path} = /{usr/,}lib/colord/colord-session
+@{exec_path} += @{libexec}/colord-session
 profile colord-session @{exec_path} flags=(complain) {
  include <abstractions/base>

--- a/apparmor.d/groups/freedesktop/dconf
+++ b/apparmor.d/groups/freedesktop/dconf
@ -9,17 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf
 profile dconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dconf-write>

  capability sys_nice,

  @{exec_path} mr,

-  /etc/dconf/{,**} r,
  /etc/dconf/db/** rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{user_config_dirs}/dconf/ rw,
  owner @{user_config_dirs}/dconf/user{,.*} rw,

--- a/apparmor.d/groups/freedesktop/dconf-editor
+++ b/apparmor.d/groups/freedesktop/dconf-editor
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -9,16 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf-editor
 profile dconf-editor @{exec_path} {
  include <abstractions/base>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/dconf>
+  include <abstractions/gtk>

  @{exec_path} mr,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
+  /usr/share/glib-2.0/schemas/{,*} r,

  # When GSETTINGS_BACKEND=keyfile
  owner @{user_config_dirs}/glib-2.0/ rw,
@ -26,11 +26,7 @@ profile dconf-editor @{exec_path} {
  owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
  owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,

-  /usr/share/glib-2.0/schemas/{,*} r,
-
  owner @{HOME}/.Xauthority r,
-
-  # file_inherit
  owner /dev/tty[0-9]* rw,

  include if exists <local/dconf-editor>
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@ -9,18 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/dconf/dconf-service @{libexec}/dconf-service
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-
-  # Needed?
-  deny capability sys_nice,
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf-write>

  signal (receive) set=(term kill hup) peer=dbus-daemon,
  signal (receive) set=(term hup) peer=gdm*,

  @{exec_path} mr,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{user_config_dirs}/dconf/ rw,
  owner @{user_config_dirs}/dconf/user{,.*} rw,

--- a/apparmor.d/groups/freedesktop/desktop-file-install
+++ b/apparmor.d/groups/freedesktop/desktop-file-install
@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/desktop-file-install
+profile desktop-file-install @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/desktop-file-install>
+}
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@ -7,15 +7,65 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{libexec}/geoclue
-profile geoclue @{exec_path} {
+profile geoclue @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-strict>

  network netlink raw,

+  dbus (send,receive) bus=system path=/org/freedesktop/GeoClue2/{Agent,Manager}
+       interface=org.freedesktop.{DBus.Properties,GeoClue2*},
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={GetConnectionUnixProcessID,GetConnectionUnixUser,ReleaseName,RequestName}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member={GetAPIVersion,GetState,ServiceBrowserNew},
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Peer
+       member=Ping,
+
+  dbus send bus=system path=/fi/w[0-9]/wpa_supplicant[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/ModemManager[0-9]
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects,
+
+  dbus send bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member={GetAll,PropertiesChanged},
+
+  dbus receive bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=StateChanged,
+
+  dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       member={AllForNow,CacheExhausted},
+
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member={CheckPermissions,StateChanged,PropertiesChanged},
+
+  dbus receive bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged,
+
+  dbus bind bus=system 
+       name=org.freedesktop.GeoClue2,
+
  @{exec_path} mr,

  /etc/geoclue/{,**} r,

+  @{run}/systemd/journal/socket rw,
+
  @{PROC}/@{pids}/cgroup r,

  include if exists <local/geoclue>
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -11,12 +11,26 @@ include <tunables/global>
 profile pipewire @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>

  ptrace (read),

+  dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+       interface=org.freedesktop.RealtimeKit[0-9]
+       member=MakeThread*
+       peer=(name=org.freedesktop.RealtimeKit[0-9]),
+
+  dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.freedesktop.RealtimeKit[0-9]),
+
  @{exec_path} mr,

+  /{usr/,}bin/pipewire-media-session rPx,
+
  /usr/share/pipewire/pipewire.conf r,

  /etc/machine-id r,
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -11,6 +11,7 @@ include <tunables/global>
 profile pipewire-media-session @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
+  include <abstractions/dbus-strict>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>

@ -19,6 +20,16 @@ profile pipewire-media-session @{exec_path} {
  network bluetooth stream,
  network netlink raw,

+  dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.freedesktop.RealtimeKit1),
+
+  dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]
+       interface=org.freedesktop.RealtimeKit1
+       member=MakeThreadRealtime
+       peer=(name=org.freedesktop.RealtimeKit1),
+
  @{exec_path} mr,

  /usr/share/alsa-card-profile/{,**} r,
--- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme
+++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
@ -16,5 +16,7 @@ profile plymouth-set-default-theme @{exec_path} {
  /{usr/,}bin/grep      rix,
  /{usr/,}bin/plymouth  rPx,

+  /etc/plymouth/{,*} r,
+
  include if exists <local/plymouth-set-default-theme>
 }
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@ -0,0 +1,51 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/plymouthd
+profile plymouthd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dri-common>
+
+  capability sys_admin,
+  capability sys_tty_config,
+
+  network netlink raw,
+
+  signal (send) peer=unconfined,
+
+  unix type=stream addr="@/org/freedesktop/plymouthd",
+  unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),
+
+  @{exec_path} mr,
+
+  /usr/share/plymouth/{,**} r,
+
+  /etc/default/keyboard r,
+  /etc/plymouth/plymouthd.conf r,
+  /etc/vconsole.conf r,
+
+  @{run}/udev/data/+drm:* r,
+  @{run}/udev/data/c226:* r,
+  @{run}/udev/data/c29:* r,
+
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/class/drm/ r,
+  @{sys}/class/graphics/ r,
+  @{sys}/devices/pci[0-9]*/**/{,uevent} r,
+  @{sys}/devices/virtual/tty/console/active r,
+  @{sys}/firmware/acpi/bgrt/{,*} r,
+
+  @{PROC}/cmdline r,
+
+  /dev/ptmx rw,
+  /dev/tty[0-9]* rw,
+
+  include if exists <local/plymouthd>
+}
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
 profile polkit-agent-helper @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/authentication>
  include <abstractions/nameservice-strict>
  include <abstractions/consoles>
@ -28,6 +29,14 @@ profile polkit-agent-helper @{exec_path} {
  signal (receive) set=(term, kill) peer=gnome-shell,
  signal (receive) set=(term, kill) peer=pkexec,

+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=AuthenticationAgentResponse2,
+
  @{exec_path} mr,

  # file_inherit
@ -35,7 +44,6 @@ profile polkit-agent-helper @{exec_path} {
  owner @{HOME}/.xsession-errors w,

  @{run}/faillock/[a-zA-z0-9]* rwk,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,

  include if exists <local/polkit-agent-helper>
 }
--- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -9,14 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/@{multiarch}/polkit-mate/polkit-mate-authentication-agent-[0-9]
 profile polkit-mate-authentication-agent @{exec_path} {
  include <abstractions/base>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/nameservice-strict>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>

  signal (send) set=(term, kill) peer=polkit-agent-helper,

@ -24,25 +26,19 @@ profile polkit-mate-authentication-agent @{exec_path} {

  /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,

-        @{PROC}/1/cgroup r,
-  owner @{PROC}/@{pid}/cgroup r,
-  owner @{PROC}/@{pid}/fd/ r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/X11/xkb/** r,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

  owner @{HOME}/.Xauthority r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
-  /usr/share/X11/xkb/** r,
-
-  # file_inherit
  owner /dev/tty[0-9]* rw,

+        @{PROC}/1/cgroup r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/fd/ r,
+
  include if exists <local/polkit-mate-authentication-agent>
 }
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,24 +11,28 @@ include <tunables/global>
@{exec_path} += @{libexec}/polkitd
 profile polkitd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>

-  capability setuid,
  capability setgid,
+  capability setuid,
+  capability sys_nice,
  capability sys_ptrace,
-  audit deny capability net_admin,
+  audit capability net_admin,

  ptrace (read),

-  @{exec_path} mr,
+  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
+       interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*},

-  @{PROC}/@{pids}/stat r,
-  @{PROC}/@{pids}/cmdline r,
-  @{PROC}/@{pids}/task/@{tid}/stat r,
-  @{PROC}/@{pids}/cgroup r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/1/environ r,
-  @{PROC}/cmdline r,
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName},
+
+  dbus bind bus=system 
+       name=org.freedesktop.PolicyKit[0-9],
+
+  @{exec_path} mr,

  /etc/machine-id r,

@ -52,7 +56,14 @@ profile polkitd @{exec_path} {

  @{run}/systemd/sessions/* r,
  @{run}/systemd/users/@{uid} r,
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
+
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pids}/task/@{tid}/stat r,
+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,

  # Silencer
  deny /.cache/ rw,
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -14,9 +15,13 @@ profile pulseaudio @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
+  include <abstractions/gstreamer>
+  include <abstractions/hosts_access>
  include <abstractions/nameservice-strict>
+  include <abstractions/X-strict>

  ptrace (trace) peer=@{profile_name},

@ -29,65 +34,20 @@ profile pulseaudio @{exec_path} {
  network bluetooth stream,
  network bluetooth seqpacket,

-  @{exec_path} mrix,
+  dbus (send)
+     bus=session
+     path=/Client0/EntryGroup[0-9]*
+     interface=org.freedesktop.Avahi.EntryGroup
+     member={GetState,AddService,AddServiceSubtype,Commit}
+     peer=(name=org.freedesktop.Avahi),

-  /{usr/,}lib{exec,}/pulse/gsettings-helper mrix,
-  /{usr/,}lib/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner mrix,
-  /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
+  dbus (receive)
+     bus=session
+     path=/Client0/EntryGroup[0-9]*
+     interface=org.freedesktop.Avahi.EntryGroup
+     member=StateChanged
+     peer=(name=org.freedesktop.Avahi),

-  # PulseAudio files
-  /usr/share/pulseaudio/{,**} r,
-  /{usr/,}lib/pulse-*/modules/*.so mr,
-
-  # PulseAudio home config files
-  owner @{user_config_dirs}/pulse/{,**} rw,
-  owner @{user_config_dirs}/dconf/user r,
-
-  owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
-
-  # Needed when PulseAudio is started via the start-pulseaudio-x11 script
-  owner @{HOME}/.Xauthority r,
-
-  # Needed when PulseAudio is started via gdm
-  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
-  owner @{HOME}/.ICEauthority r,
-
-  # TCP wrap
-  /etc/hosts.{allow,deny} r,
-
-  owner @{run}/user/@{uid}/ rw,
-  owner @{run}/user/@{uid}/pulse/{,*}   rw,
-  owner @{run}/user/@{uid}/pulse/*.lock   k,
-
-  /usr/share/applications/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
-  @{sys}/bus/ r,
-  @{sys}/class/ r,
-  @{sys}/class/sound/ r,
-  @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
-  @{run}/udev/data/+sound* r,
-  @{run}/udev/data/c116:[0-9]* r, # For ALSA
-
-  @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
-  @{sys}/devices/system/node/ r,
-  @{sys}/devices/system/node/node[0-9]/meminfo r,
-
-  deny @{sys}/module/apparmor/parameters/enabled r,
-
-  @{run}/systemd/users/@{uid} r,
-
-  owner @{run}/user/@{uid}/dconf/       rw,
-  owner @{run}/user/@{uid}/dconf/user   rw,
-  owner @{run}/user/@{uid}/ICEauthority r,
-  owner @{run}/user/@{uid}/systemd/notify rw,
-
-  owner @{PROC}/@{pids}/fd/ r,
-  owner @{PROC}/@{pids}/stat r,
-  owner @{PROC}/@{pids}/cmdline r,
-
-  # DBus
  dbus (send)
     bus=session
     path=/org/freedesktop/DBus
@ -139,14 +99,46 @@ profile pulseaudio @{exec_path} {
     member=GetManagedObjects
     peer=(name=org.bluez),
  
-  unix (send receive connect) type=stream peer=(addr=@/tmp/.X11-unix/*),
-  unix (send receive connect) type=stream peer=(addr=@/tmp/.ICE-unix/*),
+  dbus (send)
+     bus=system
+     path=/
+     interface=org.freedesktop.DBus.Peer
+     member=Ping
+     peer=(name=org.freedesktop.Avahi),

-  # The orcexec.* file is JIT compiled code for various GStreamer elements.
-  # If one is blocked the next is used instead.
-  owner @{run}/user/@{uid}/orcexec.* mrw,
-  #owner @{HOME}/orcexec.* mrw,
-  #owner /tmp/orcexec.* mrw,
+  dbus (send)
+     bus=system
+     path=/
+     interface=org.freedesktop.Avahi.Server
+     member={GetAPIVersion,GetState,EntryGroupNew}
+     peer=(name=org.freedesktop.Avahi),
+
+  dbus (receive)
+     bus=system
+     path=/
+     interface=org.freedesktop.Avahi.Server
+     member=StateChanged
+     peer=(name=org.freedesktop.Avahi),
+
+  dbus (send)
+     bus=system
+     path=/
+     interface=org.freedesktop.hostname[0-9]
+     member=Get
+     peer=(name=/org/freedesktop/hostname[0-9]),
+
+  @{exec_path} mrix,
+
+  /{usr/,}@{libexec}/pulse/gsettings-helper mrix,
+  /{usr/,}lib/@{multiarch}/pulse/gconf-helper mrix,
+  /{usr/,}lib/pulse-*/modules/*.so mr,
+
+  /usr/share/applications/{,**} r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/pulseaudio/{,**} r,
+  /usr/share/ubuntu/applications/{,*} r,
+
+  /var/lib/snapd/desktop/applications/ r,

  # For GDM
  owner /var/lib/gdm{[1-9],}/.config/pulse/{,**}  rw,
@ -164,13 +156,33 @@ profile pulseaudio @{exec_path} {
  owner /var/lib/lightdm/.config/pulse/{,**}  rw,
  owner /var/lib/lightdm/.config/pulse/cookie   k,

+  owner @{user_config_dirs}/pulse/{,**} rw,
+
+  owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,
+
+  owner @{run}/user/@{uid}/ rw,
+  owner @{run}/user/@{uid}/pulse/{,*} rw,
+  owner @{run}/user/@{uid}/pulse/*.lock k,
+  owner @{run}/user/@{uid}/systemd/notify rw,
+
+  @{run}/systemd/users/@{uid} r,
+
+  @{run}/udev/data/+sound* r,
+  @{run}/udev/data/c116:[0-9]* r, # For ALSA
+
+  @{sys}/class/sound/ r,
+  @{sys}/devices/**/sound/**/{uevent,pcm_class} r,
+  @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,sys_vendor} r,
+
+  deny @{sys}/module/apparmor/parameters/enabled r,
+
+  owner @{PROC}/@{pids}/fd/ r,
+  owner @{PROC}/@{pids}/stat r,
+  owner @{PROC}/@{pids}/cmdline r,
+
  # file_inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,

-  # Snap
-  /var/lib/snapd/desktop/applications/ r,
-  /usr/{local/,}share/ubuntu/applications/{,*} r,
-
  include if exists <local/pulseaudio>
 }
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
@ -24,12 +24,15 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {

  /usr/share/*/*.desktop r,

-  /var/lib/flatpak/exports/share/applications/{,**/} r,
-  /var/lib/flatpak/exports/share/applications/**.desktop r,
-  /var/lib/flatpak/exports/share/applications/.mimeinfo.cache.* rw,
-  /var/lib/flatpak/exports/share/applications/mimeinfo.cache w,
+  /var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
+  /var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
+  /var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
+  /var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,

-  /var/lib/flatpak/app/**/export/share/applications/**.desktop r,
+  /var/lib/snapd/desktop/applications/{,**/} r,
+  /var/lib/snapd/desktop/applications/**.desktop r,
+  /var/lib/snapd/desktop/applications/.mimeinfo.cache.* rw,
+  /var/lib/snapd/desktop/applications/mimeinfo.cache w,

  # Inherit silencer
  deny network inet6 stream,
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@ -11,7 +11,7 @@ profile upower @{exec_path} {
  include <abstractions/base>

  # Needed?
-  deny capability sys_nice,
+  audit capability sys_nice,

  @{exec_path} mr,

--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -10,36 +11,42 @@ include <tunables/global>
@{exec_path} += @{libexec}/upowerd
 profile upowerd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/devices-usb>

  network netlink raw,

+  dbus (send,receive) bus=system path=/org/freedesktop/UPower{,/**}
+       interface=org.freedesktop.{DBus.Properties,UPower*},
+
+  dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member={PropertiesChanged,GetAll},
+
+  dbus send bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member=Inhibit,
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName
+       peer=(name=org.freedesktop.DBus),
+
+  dbus receive bus=system path=/org/freedesktop/login[0-9]
+       interface=org.freedesktop.login[0-9].Manager
+       member={SessionNew,SessionRemoved,PrepareForShutdown},
+
+  dbus bind bus=system 
+       name=org.freedesktop.UPower,
+
  @{exec_path} mr,

-  # UPower config file
  /etc/UPower/ r,
  /etc/UPower/UPower.conf r,

-  # The history data for the power device
  /var/lib/upower/ r,
  /var/lib/upower/history-*.dat{,.*} rw,

-  # Are all of these needed? (#FIXME#)
-  /dev/input/event* r,
-  @{sys}/bus/hid/devices/ r,
-  @{sys}/class/leds/ r,
-  @{sys}/class/power_supply/ r,
-  @{sys}/class/input/ r,
-  @{sys}/devices/ r,
-  @{sys}/devices/**/power_supply/**/* r,
-  @{sys}/devices/**/uevent r,
-  @{sys}/devices/**/capabilities/* r,
-  @{sys}/devices/virtual/dmi/id/product_name r,
-
-  @{sys}/devices/platform/**/leds/**/max_brightness r,
-  @{sys}/devices/platform/**/leds/**/brightness rw,
-  @{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
-
  @{run}/udev/data/ r,
  @{run}/udev/data/+power_supply* r,
  @{run}/udev/data/+input* r,
@ -48,5 +55,20 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {

  @{run}/systemd/inhibit/[0-9]*.ref rw,

+  @{sys}/bus/hid/devices/ r,
+  @{sys}/class/input/ r,
+  @{sys}/class/leds/ r,
+  @{sys}/class/power_supply/ r,
+  @{sys}/devices/ r,
+  @{sys}/devices/**/capabilities/* r,
+  @{sys}/devices/**/power_supply/**/* r,
+  @{sys}/devices/**/uevent r,
+  @{sys}/devices/platform/**/leds/**/brightness rw,
+  @{sys}/devices/platform/**/leds/**/brightness_hw_changed r,
+  @{sys}/devices/platform/**/leds/**/max_brightness r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+
+  /dev/input/event* r,
+
  include if exists <local/upowerd>
 }
--- a/Show more
+++ b/Show more