Update profiles.

apparmor.d/groups/bus/dbus-daemon

@@ -18,6 +18,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   capability sys_resource,
 
   signal (receive) set=(term hup kill) peer=gdm*,
+  signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,
   signal (send)    set=(term hup kill) peer=at-spi-bus-launcher,
   signal (send)    set=(term hup kill) peer=xdg-permission-store,
 

apparmor.d/groups/pacman/pacman

@@ -51,6 +51,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/chmod                       rix,
   /{usr/,}bin/dot                         rix,
   /{usr/,}bin/env                         rix,
+  /{usr/,}bin/filecap                     rix,
   /{usr/,}bin/getent                      rix,
   /{usr/,}bin/gettext                     rix,
   /{usr/,}bin/ghc-pkg-*                   rix,

apparmor.d/groups/systemd/bootctl

@@ -32,6 +32,8 @@ profile bootctl @{exec_path} {
   /boot/loader/.#bootctlrandom-seed[0-9a-f]* rw,
   /boot/loader/random-seed w,
 
+   /etc/machine-id r,
+
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
 
   @{sys}/firmware/efi/efivars/ r,

apparmor.d/profiles-a-f/acpid

@@ -11,6 +11,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
   capability mknod,
 
   network netlink raw,
@@ -20,7 +21,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/{ba,da,}sh        rix,
   /{usr/,}bin/logger            rix,
 
-  /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh,
+  /etc/acpi/powerbtn-acpi-support.sh rPx -> powerbtn-acpi-support,
 
   /etc/acpi/{,**} r,
   /etc/acpi/handler.sh rix,
@@ -37,26 +38,35 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
   include if exists <local/acpid>
 }
 
-profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) {
+profile powerbtn-acpi-support flags=(attach_disconnected) {
   include <abstractions/base>
 
   /etc/acpi/powerbtn-acpi-support.sh r,
 
-  /{usr/,}bin/sed          rix,
-  /{usr/,}bin/pgrep        rix,
-  /{usr/,}bin/{e,}grep     rix,
-  /{usr/,}bin/pinky        rix,
-  /{usr/,}bin/{ba,da,}sh   rix,
-  /{usr/,}bin/dbus-send    rix,
   /{usr/,}{s,}bin/killall5 rix,
   /{usr/,}{s,}bin/shutdown rix,
+  /{usr/,}bin/{ba,da,}sh   rix,
+  /{usr/,}bin/{e,}grep     rix,
+  /{usr/,}bin/dbus-send    rix,
+  /{usr/,}bin/pgrep        rix,
+  /{usr/,}bin/pinky        rix,
+  /{usr/,}bin/sed          rix,
   /etc/acpi/powerbtn.sh    rix,
 
   /{usr/,}bin/systemctl    rPx -> child-systemctl,
   /{usr/,}bin/ps           rPx,
 
   /{usr/,}bin/fgconsole rCx,
-  profile fgconsole /usr/bin/fgconsole {
+
+  /usr/share/acpi-support/** r,
+
+  @{PROC} r,
+  @{PROC}/uptime r,
+  @{PROC}/@{pids}/cmdline r,
+
+  deny / r,
+
+  profile fgconsole {
     include <abstractions/base>
 
     capability sys_tty_config,
@@ -67,13 +77,5 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) {
     owner /dev/tty[0-9]* rw,
   }
 
-  /usr/share/acpi-support/** r,
+  include if exists <local/powerbtn-acpi-support>
-
-  deny / r,
-
-  @{PROC} r,
-  @{PROC}/uptime r,
-  @{PROC}/@{pids}/cmdline r,
-
-  include if exists <local/acpid_powerbtn-acpi-support.sh>
 }

apparmor.d/profiles-a-f/aurpublish

@@ -13,10 +13,17 @@ profile aurpublish @{exec_path} {
   @{exec_path} mr,
 
   /{usr/,}bin/{,ba,da}sh  rix,
+  /{usr/,}bin/cat         rix,
   /{usr/,}bin/git         rPx,
   /{usr/,}bin/makepkg     rUx,
   /{usr/,}bin/rm          rix,
   /{usr/,}bin/wc          rix,
 
+  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw,
+  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.SRCINFO rw,
+  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/PKGBUILD r,
+
+  /dev/tty rw,
+
   include if exists <local/aurpublish>
 }

apparmor.d/profiles-a-f/borg

@@ -7,8 +7,6 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{BACKUP_DIR} = @{MOUNTS}/Arti/backup-*
-
 @{exec_path} = /{usr/,}bin/borg
 profile borg @{exec_path} {
   include <abstractions/base>
@@ -82,8 +80,8 @@ profile borg @{exec_path} {
   /var/{,**}   r,
 
   # The backup dirs
-  owner @{BACKUP_DIR}/ r,
+  owner @{MOUNTS}/ r,
-  owner @{BACKUP_DIR}/** rwkl -> @{BACKUP_DIR}/**,
+  owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
 
   # For exporting the key
   owner /**/key w,

apparmor.d/profiles-a-f/browserpass

@@ -34,9 +34,10 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
   deny network inet dgram,
   deny network inet6 stream,
   deny network inet stream,
-  deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
+  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/storage/default/{,**} r,
   deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
   deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
+  deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
   deny /dev/dri/card[0-9]* rw,
   deny /dev/dri/renderD128 rw,
 

apparmor.d/profiles-a-f/fusermount

@@ -21,7 +21,7 @@ profile fusermount @{exec_path} {
   owner @{HOME}/*/ rw,
   owner @{HOME}/*/*/ rw,
   owner @{user_cache_dirs}/**/ rw,
-  owner @{run}/user/@{uid}/doc/ r,
+        @{run}/user/@{uid}/doc/ r,
 
   # Be able to mount ISO images
   mount fstype={fuse,fuse.*} -> @{HOME}/*/,

apparmor.d/profiles-m-r/ntfs-3g

@@ -49,6 +49,9 @@ profile ntfs-3g @{exec_path} {
   mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/,
   mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/,
 
+  umount @{MOUNTS}/*/,
+  umount /mnt/*/,
+
   # kmod is used to load the fuse kernel module
   /{usr/,}bin/kmod rPx,
 

apparmor.d/profiles-s-z/wireplumber

@@ -36,6 +36,7 @@ profile wireplumber @{exec_path} {
   @{sys}/class/ r,
   @{sys}/class/sound/ r,
   @{sys}/class/video4linux/ r,
+  @{sys}/devices/**/sound/**/pcm_class r,
   @{sys}/devices/**/sound/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/modalias r,
   @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,

dists/flags/main.flags

@@ -7,7 +7,6 @@ agetty complain
 askpass complain
 at-spi-bus-launcher attach_disconnected
 auditd complain
-aurpublish complain
 badblocks complain
 biosdecode complain
 blkid complain