From 38b973c5965410cb33958b9ca9ade2d6328b3127 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Tue, 22 Oct 2024 20:03:24 +0100
Subject: [PATCH 1/4] chore(profile): remove trailing whitespace in profiles.

---
 apparmor.d/abstractions/app/sudo | 2 +-
 .../abstractions/bus/org.freedesktop.GeoClue2 | 2 +-
 apparmor.d/abstractions/common/bwrap | 2 +-
 apparmor.d/abstractions/common/electron | 4 ++--
 apparmor.d/abstractions/common/steam-game | 2 +-
 apparmor.d/abstractions/desktop | 2 +-
 apparmor.d/abstractions/dri | 2 +-
 apparmor.d/abstractions/gnome-strict | 2 +-
 apparmor.d/abstractions/gstreamer | 3 +--
 apparmor.d/abstractions/lxqt | 2 +-
 apparmor.d/abstractions/uim | 6 +++---
 .../groups/akonadi/akonadi_followupreminder_agent | 2 +-
 apparmor.d/groups/akonadi/akonadi_ical_resource | 2 +-
 apparmor.d/groups/akonadi/akonadi_mailfilter_agent | 2 +-
 apparmor.d/groups/akonadi/akonadi_migration_agent | 2 +-
 apparmor.d/groups/apt/apt-helper | 2 +-
 apparmor.d/groups/apt/apt-key | 4 ++--
 apparmor.d/groups/apt/debsign | 2 +-
 apparmor.d/groups/apt/reportbug | 2 +-
 apparmor.d/groups/browsers/torbrowser-launcher | 2 +-
 apparmor.d/groups/browsers/torbrowser-tor | 2 +-
 apparmor.d/groups/bus/dbus-system | 2 +-
 apparmor.d/groups/bus/ibus-memconf | 2 +-
 apparmor.d/groups/children/child-modprobe-nvidia | 2 +-
 apparmor.d/groups/children/child-open-any | 2 +-
 apparmor.d/groups/cron/cron-cracklib | 2 +-
 apparmor.d/groups/cron/cron-etckeeper | 2 +-
 apparmor.d/groups/cron/cron-sysstat | 2 +-
 apparmor.d/groups/display-manager/lightdm-xsession | 2 +-
 apparmor.d/groups/display-manager/x11-xsession | 2 +-
 apparmor.d/groups/display-manager/xdm-xsession | 2 +-
 .../freedesktop/polkit-kde-authentication-agent | 2 +-
 apparmor.d/groups/freedesktop/xdg-document-portal | 2 +-
 apparmor.d/groups/gnome/deja-dup-monitor | 2 +-
 .../groups/gnome/evolution-addressbook-factory | 2 +-
 apparmor.d/groups/gnome/gdm-xsession | 2 +-
 apparmor.d/groups/gnome/gnome-boxes | 2 +-
 apparmor.d/groups/gnome/gnome-calendar | 2 +-
 apparmor.d/groups/gnome/gnome-control-center | 2 +-
 .../groups/gnome/gnome-control-center-goa-helper | 2 +-
 apparmor.d/groups/gnome/gnome-extension-ding | 2 +-
 apparmor.d/groups/gnome/gnome-session | 2 +-
 apparmor.d/groups/gnome/gnome-shell | 8 ++++----
 apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 +-
 apparmor.d/groups/gnome/gnome-software | 4 ++--
 apparmor.d/groups/gnome/gsd-disk-utility-notify | 2 +-
 apparmor.d/groups/gnome/tracker-extract | 2 +-
 apparmor.d/groups/gnome/yelp | 2 +-
 apparmor.d/groups/gvfs/gvfs-afc-volume-monitor | 2 +-
 apparmor.d/groups/gvfs/gvfs-goa-volume-monitor | 2 +-
 apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +-
 apparmor.d/groups/gvfs/gvfsd-metadata | 2 +-
 apparmor.d/groups/gvfs/gvfsd-recent | 2 +-
 apparmor.d/groups/hyprland/hyprland | 2 +-
 apparmor.d/groups/hyprland/hyprpicker | 2 +-
 apparmor.d/groups/kde/baloo | 2 +-
 apparmor.d/groups/kde/kwin_wayland | 2 +-
 apparmor.d/groups/kde/okular | 2 +-
 apparmor.d/groups/kde/sddm | 2 +-
 apparmor.d/groups/network/dhcpcd | 2 +-
 apparmor.d/groups/network/mullvad-daemon | 2 +-
 apparmor.d/groups/network/mullvad-gui | 2 +-
 apparmor.d/groups/network/nm-online | 2 +-
 apparmor.d/groups/network/tailscaled | 2 +-
 apparmor.d/groups/pacman/arch-audit | 2 +-
 apparmor.d/groups/pacman/makepkg | 2 +-
 apparmor.d/groups/pacman/pacman-conf | 2 +-
 apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 4 ++--
 apparmor.d/groups/pacman/pacman-key | 2 +-
 apparmor.d/groups/ssh/ssh-agent-launch | 4 ++--
 apparmor.d/groups/systemd/coredumpctl | 2 +-
 apparmor.d/groups/systemd/systemd-cryptsetup | 2 +-
 apparmor.d/groups/systemd/systemd-generator-ostree | 2 +-
 apparmor.d/groups/systemd/systemd-machine-id-setup | 2 +-
 .../groups/systemd/systemd-tty-ask-password-agent | 2 +-
 apparmor.d/groups/systemd/userdbctl | 2 +-
 apparmor.d/groups/ubuntu/apport | 2 +-
 apparmor.d/groups/ubuntu/apport-gtk | 2 +-
 apparmor.d/groups/ubuntu/ubuntu-advantage | 2 +-
 apparmor.d/groups/virt/cni-bandwidth | 4 ++--
 apparmor.d/groups/virt/cni-calico | 8 ++++----
 apparmor.d/groups/virt/cni-loopback | 2 +-
 apparmor.d/groups/virt/cni-portmap | 2 +-
 apparmor.d/groups/virt/cockpit-bridge | 2 +-
 apparmor.d/groups/virt/cockpit-update-motd | 2 +-
 apparmor.d/groups/virt/virt-aa-helper | 2 +-
 apparmor.d/groups/whonix/msgdispatcher-dispatch | 2 +-
 apparmor.d/groups/whonix/tor-bootstrap-check | 2 +-
 apparmor.d/groups/whonix/torbrowser-wrapper | 6 +++---
 apparmor.d/groups/xfce/startxfce | 2 +-
 apparmor.d/profiles-a-f/acpi-powerbtn | 2 +-
 apparmor.d/profiles-a-f/anyremote | 4 ++--
 apparmor.d/profiles-a-f/appstreamcli | 2 +-
 apparmor.d/profiles-a-f/borg | 2 +-
 apparmor.d/profiles-a-f/briar-desktop-tor | 2 +-
 apparmor.d/profiles-a-f/btrfs | 1 -
 apparmor.d/profiles-a-f/cups-notifier-dbus | 2 +-
 apparmor.d/profiles-a-f/cupsd | 2 +-
 apparmor.d/profiles-a-f/dig | 4 ++--
 apparmor.d/profiles-a-f/discord | 2 +-
 apparmor.d/profiles-a-f/discord-chrome-sandbox | 2 +-
 apparmor.d/profiles-a-f/dkms-autoinstaller | 2 +-
 apparmor.d/profiles-a-f/dnscrypt-proxy | 6 +++---
 apparmor.d/profiles-a-f/element-desktop | 2 +-
 apparmor.d/profiles-a-f/findmnt | 2 +-
 apparmor.d/profiles-a-f/flatpak-app | 6 +++---
 apparmor.d/profiles-a-f/flatpak-session-helper | 2 +-
 apparmor.d/profiles-a-f/fractal | 2 +-
 apparmor.d/profiles-a-f/freetube | 2 +-
 apparmor.d/profiles-a-f/fwupd | 2 +-
 apparmor.d/profiles-a-f/fwupdmgr | 2 +-
 apparmor.d/profiles-g-l/gparted | 2 +-
 apparmor.d/profiles-g-l/gpartedbin | 2 +-
 apparmor.d/profiles-g-l/hw-probe | 4 ++--
 apparmor.d/profiles-g-l/iceauth | 2 +-
 apparmor.d/profiles-g-l/initd-kexec | 2 +-
 apparmor.d/profiles-g-l/inxi | 2 +-
 apparmor.d/profiles-g-l/landscape-sysinfo.wrapper | 2 +-
 apparmor.d/profiles-g-l/logrotate | 2 +-
 apparmor.d/profiles-g-l/lynx | 2 +-
 apparmor.d/profiles-m-r/molly-guard | 2 +-
 apparmor.d/profiles-m-r/mount-nfs | 2 +-
 apparmor.d/profiles-m-r/mutt | 10 +++++-----
 apparmor.d/profiles-m-r/popularity-contest | 2 +-
 apparmor.d/profiles-m-r/protonmail-bridge-core | 2 +-
 apparmor.d/profiles-m-r/resolvconf | 2 +-
 apparmor.d/profiles-m-r/run-parts | 8 ++++----
 apparmor.d/profiles-s-z/s3fs | 4 ++--
 apparmor.d/profiles-s-z/session-desktop | 2 +-
 apparmor.d/profiles-s-z/snap-failure | 2 +-
 apparmor.d/profiles-s-z/spice-vdagent | 2 +-
 apparmor.d/profiles-s-z/steam-launcher | 2 +-
 apparmor.d/profiles-s-z/steam-runtime | 2 +-
 apparmor.d/profiles-s-z/steamerrorreporter | 2 +-
 apparmor.d/profiles-s-z/switcheroo-control | 2 +-
 apparmor.d/profiles-s-z/task | 2 +-
 apparmor.d/profiles-s-z/thunderbird | 2 +-
 apparmor.d/profiles-s-z/udev-dmi-memory-id | 2 +-
 apparmor.d/profiles-s-z/zed | 6 +++---
 apparmor.d/profiles-s-z/zfs | 4 ++--
 apparmor.d/profiles-s-z/zsys-system-autosnapshot | 2 +-
 apparmor.d/profiles-s-z/zsysd | 2 +-
 tests/check.sh | 13 +++++++++----
 143 files changed, 184 insertions(+), 181 deletions(-)

diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index b83c2d16..14e3dfb7 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -46,7 +46,7 @@
 /etc/machine-id r,
 /var/db/sudo/lectured/ r,
- owner /var/lib/sudo/ts/ rw,
+ owner /var/lib/sudo/ts/ rw,
 owner /var/lib/sudo/ts/@{uid} rwk,
 owner /var/log/sudo.log wk,
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
index ddbf4d1d..17ea4e45 100644
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@@ -18,7 +18,7 @@
 interface=org.freedesktop.DBus.Properties
 member=GetAll
 peer=(name="@{busname}", label=geoclue),
-
+
 dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
 interface=org.freedesktop.DBus.Properties
 member=GetAll
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index 3a2b0c59..fca42427 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# A minimal set of rules for sandboxed programs using bwrap.
+# A minimal set of rules for sandboxed programs using bwrap.
 # A profile using this abstraction still needs to set:
 # - the flag: attach_disconnected
 # - bwrap execution: '@{bin}/bwrap rix,'
diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron
index 17181525..8134f868 100644
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@@ -2,8 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# Minimal set of rules for all electron based UI application. It works as a
-# *function* and requires some variables to be provided as *arguments* and set
+# Minimal set of rules for all electron based UI application. It works as a
+# *function* and requires some variables to be provided as *arguments* and set
 # in the header of the calling profile. Example:
 #
 # @{name} = spotify
diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game
index b3c66e03..b60e74a1 100644
--- a/apparmor.d/abstractions/common/steam-game
+++ b/apparmor.d/abstractions/common/steam-game
@@ -23,7 +23,7 @@
 owner @{share_dirs}/logs/* rwk,
 owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
 owner @{share_dirs}/steamapps/ r,
- owner @{share_dirs}/steamapps/appmanifest_* rw,
+ owner @{share_dirs}/steamapps/appmanifest_* rw,
 owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
 owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index 19ffe647..a856cbd3 100644
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@@ -21,7 +21,7 @@
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 /usr/{local/,}share/ r,
diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri
index af634ff9..dd8f7b55 100644
--- a/apparmor.d/abstractions/dri
+++ b/apparmor.d/abstractions/dri
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # The Direct Rendering Infrastructure (DRI) is the framework comprising the modern
-# Linux graphics stack which allows unprivileged user-space programs to issue
+# Linux graphics stack which allows unprivileged user-space programs to issue
 # commands to graphics hardware without conflicting with other programs.
 abi ,
diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict
index 27d64824..9862ca5e 100644
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@@ -13,7 +13,7 @@
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 /usr/share/desktop-base/{,**} r,
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index c7827b59..de2adb33 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -9,7 +9,6 @@
 @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
 @{lib}/frei0r-@{int}/*.so mr,
- # FIXME: not compatible with FSP mode due conflicting x modifiers
 @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
 @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix,
 @{lib}/gstreamer-1.0/gst-plugin-scanner rix,
@@ -40,7 +39,7 @@
 @{run}/udev/data/+usb:* r, # For /dev/bus/usb/**
 @{run}/udev/data/c81:@{int} r, # For video4linux
- @{run}/udev/data/c189:@{int} r, # For USB serial converters
+ @{run}/udev/data/c189:@{int} r, # For USB serial converters
 @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]*
 @{sys}/bus/ r,
diff --git a/apparmor.d/abstractions/lxqt b/apparmor.d/abstractions/lxqt
index c1633033..f20c24a3 100644
--- a/apparmor.d/abstractions/lxqt
+++ b/apparmor.d/abstractions/lxqt
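Review bot: The first gstreamer hunk (`@@ -9,7 +9,6 @@`) drops the `# FIXME: not compatible with FSP mode due conflicting x modifiers` comment above the three `gst-plugin-scanner rix,` rules, which goes beyond the whitespace cleanup announced in the subject line and silently loses the documented caveat about those `rix` transitions. If the conflict is still open, keep the comment (or attach it to the first rule); if it has been resolved, say so in the commit message or split it into its own commit so the policy history stays traceable. As far as is visible here, every other hunk in this patch only trims trailing whitespace.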
@@ -18,7 +18,7 @@
 /usr/share/hwdata/pnp.ids r,
 /usr/share/icu/@{int}.@{int}/*.dat r,
 /usr/share/lxqt/** r,
-
+
 owner @{HOME}/.Xdefaults r,
 owner @{user_cache_dirs}/lxqt-notificationd/* r,
diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim
index 88d75ec1..4a40e965 100644
--- a/apparmor.d/abstractions/uim
+++ b/apparmor.d/abstractions/uim
@@ -6,12 +6,12 @@
 abi ,
 /usr/share/uim/* r,
-
+
 /var/lib/uim/* r,
-
+
 owner @{HOME}/.uim.d/customs/* r,
 owner @{HOME}/.XCompose r,
-
+
 owner @{run}/user/@{uid}/uim/socket/uim-helper rw,
 include if exists
diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
index e85bdcba..be897ee9 100644
--- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
+++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
@@ -22,7 +22,7 @@ profile akonadi_followupreminder_agent @{exec_path} {
 owner @{user_config_dirs}/akonadi_followupreminder_agentrc r,
 owner @{user_config_dirs}/akonadi/ rw,
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
-
+
 /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource
index 465eebd3..5f37f797 100644
--- a/apparmor.d/groups/akonadi/akonadi_ical_resource
+++ b/apparmor.d/groups/akonadi/akonadi_ical_resource
@@ -22,7 +22,7 @@ profile akonadi_ical_resource @{exec_path} {
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
 owner @{user_share_dirs}/apps/korganizer/{,**} rw,
-
+
 /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
index 37612c9c..d1a2f008 100644
--- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
@@ -34,7 +34,7 @@ profile akonadi_mailfilter_agent @{exec_path} {
 owner @{user_config_dirs}/emailidentities* rwl,
 owner @{user_config_dirs}/kmail2rc r,
-
+
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/akonadi_mailfilter_agent.* rwl,
diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent
index b3541299..55fedf4e 100644
--- a/apparmor.d/groups/akonadi/akonadi_migration_agent
+++ b/apparmor.d/groups/akonadi/akonadi_migration_agent
@@ -20,7 +20,7 @@ profile akonadi_migration_agent @{exec_path} {
 owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
 owner @{user_share_dirs}/akonadi_migration_agent/{,**} rw,
-
+
 /dev/tty r,
 include if exists
diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper
index f02c0181..5a2d7dd5 100644
--- a/apparmor.d/groups/apt/apt-helper
+++ b/apparmor.d/groups/apt/apt-helper
@@ -22,7 +22,7 @@ profile apt-helper @{exec_path} {
 profile systemctl {
 include
 include
-
+
 capability net_admin,
 include if exists
diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key
index f73df39d..12a7b3a6 100644
--- a/apparmor.d/groups/apt/apt-key
+++ b/apparmor.d/groups/apt/apt-key
@@ -78,7 +78,7 @@ profile apt-key @{exec_path} {
 @{bin}/gpg-connect-agent rix,
 /usr/share/gnupg/sks-keyservers.netCA.pem r,
-
+
 /etc/hosts r,
 /etc/inputrc r,
@@ -96,7 +96,7 @@ profile apt-key @{exec_path} {
 owner @{tmp}/apt-key-gpghome.*/ rw,
 owner @{tmp}/apt-key-gpghome.*/** rwkl -> /tmp/apt-key-gpghome.*/**,
 owner @{tmp}/apt-key-gpghome.*/gpgoutput.{log,err} w,
-
+
 owner @{run}/user/@{uid}/gnupg/d.*/ rw,
 owner @{PROC}/@{pid}/fd/ r,
diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign
index b2f72f6c..68d0d418 100644
--- a/apparmor.d/groups/apt/debsign
+++ b/apparmor.d/groups/apt/debsign
@@ -34,7 +34,7 @@ profile debsign @{exec_path} {
 @{bin}/stty rix,
 @{bin}/gpg{,2} rCx -> gpg,
-
+
 /etc/devscripts.conf r,
 owner @{HOME}/.devscripts r,
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug
index dfc57811..8681e46d 100644
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@@ -108,7 +108,7 @@ profile reportbug @{exec_path} {
 profile systemctl {
 include
 include
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher
index 343d3e0d..0f627310 100644
--- a/apparmor.d/groups/browsers/torbrowser-launcher
+++ b/apparmor.d/groups/browsers/torbrowser-launcher
@@ -37,7 +37,7 @@ profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) {
 @{bin}/tail ix,
 @{lib_dirs}/execdesktop ix,
- @{lib_dirs}/start-tor-browser Px, # torbrowser-start
+ @{lib_dirs}/start-tor-browser Px, # torbrowser-start
 @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix,
 /usr/share/file/** r,
diff --git a/apparmor.d/groups/browsers/torbrowser-tor b/apparmor.d/groups/browsers/torbrowser-tor
index 73a11120..57a49add 100644
--- a/apparmor.d/groups/browsers/torbrowser-tor
+++ b/apparmor.d/groups/browsers/torbrowser-tor
@@ -9,7 +9,7 @@ include
 @{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/
 @{data_dirs} = @{lib_dirs}/TorBrowser/Data/
-@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
+@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor
 profile torbrowser-tor @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index 3b8a1e14..bda678f8 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -4,7 +4,7 @@
 # Profile for system dbus, regardless of the dbus implementation used.
 # It does not specify an attachment path as it would be the same than
-# "dbus-session". It is intended to be used only via "Px ->" or via
+# "dbus-session". It is intended to be used only via "Px ->" or via
 # systemd drop-in AppArmorProfile= setting.
 abi ,
diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index 0a8d7bda..803f28a4 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -18,7 +18,7 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia
index 315a5bf0..8681e91f 100644
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@@ -9,7 +9,7 @@
 # and load the the nvidia kernel module.
 # Note: This profile does not specify an attachment path because it is
-# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
+# intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
 # from other profiles.
 abi ,
diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any
index 58847a3e..ea21f848 100644
--- a/apparmor.d/groups/children/child-open-any
+++ b/apparmor.d/groups/children/child-open-any
@@ -31,7 +31,7 @@ profile child-open-any flags=(attach_disconnected) {
 / r,
 /usr/ r,
 /usr/local/bin/ r,
-
+
 /dev/tty rw,
 include if exists
diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib
index 8a87bd2a..ede03068 100644
--- a/apparmor.d/groups/cron/cron-cracklib
+++ b/apparmor.d/groups/cron/cron-cracklib
@@ -12,7 +12,7 @@ profile cron-cracklib @{exec_path} {
 include
 @{exec_path} r,
-
+
 @{sh_path} rix,
 @{bin}/logger rix,
 @{bin}/update-cracklib rPx,
diff --git a/apparmor.d/groups/cron/cron-etckeeper b/apparmor.d/groups/cron/cron-etckeeper
index 28a845cf..2029f884 100644
--- a/apparmor.d/groups/cron/cron-etckeeper
+++ b/apparmor.d/groups/cron/cron-etckeeper
@@ -12,7 +12,7 @@ profile cron-etckeeper @{exec_path} {
 include
 @{exec_path} r,
-
+
 @{sh_path} rix,
 @{bin}/rm rix,
 @{bin}/find rix,
diff --git a/apparmor.d/groups/cron/cron-sysstat b/apparmor.d/groups/cron/cron-sysstat
index 4ca22b6a..20aaee7e 100644
--- a/apparmor.d/groups/cron/cron-sysstat
+++ b/apparmor.d/groups/cron/cron-sysstat
@@ -12,7 +12,7 @@ profile cron-sysstat @{exec_path} {
 include
 @{exec_path} r,
-
+
 @{sh_path} rix,
 @{lib}/sysstat/sa2 rPx,
diff --git a/apparmor.d/groups/display-manager/lightdm-xsession b/apparmor.d/groups/display-manager/lightdm-xsession
index 69a49eec..5653b42e 100644
--- a/apparmor.d/groups/display-manager/lightdm-xsession
+++ b/apparmor.d/groups/display-manager/lightdm-xsession
@@ -32,7 +32,7 @@ profile lightdm-xsession @{exec_path} {
 profile systemctl {
 include
 include
-
+
 owner @{HOME}/.xsession-errors w,
 include if exists
diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession
index d2f00526..44553169 100644
--- a/apparmor.d/groups/display-manager/x11-xsession
+++ b/apparmor.d/groups/display-manager/x11-xsession
@@ -68,7 +68,7 @@ profile x11-xsession @{exec_path} {
 profile ssh-agent {
 include
-
+
 @{bin}/ssh-agent mr,
 @{sh_path} rix,
diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession
index 687e0e92..cfdaeed3 100644
--- a/apparmor.d/groups/display-manager/xdm-xsession
+++ b/apparmor.d/groups/display-manager/xdm-xsession
@@ -106,7 +106,7 @@ profile xdm-xsession @{exec_path} {
 profile systemctl {
 include
 include
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index 7ca73cd6..f53f4d16 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -41,7 +41,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
 owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk,
 owner link @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** -> @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/**,
 owner @{user_cache_dirs}/qtshadercache-*/* r,
-
+
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
 # owner /tmp/xauth_@{rand6} r,
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index a5e27c7d..d47b830e 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -84,7 +84,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 /dev/fuse rw,
 @{att}/dev/tty@{int} rw,
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor
index cc664559..b7fc6a5b 100644
--- a/apparmor.d/groups/gnome/deja-dup-monitor
+++ b/apparmor.d/groups/gnome/deja-dup-monitor
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{lib}/deja-dup/deja-dup-monitor
+@{exec_path} = @{lib}/deja-dup/deja-dup-monitor
 profile deja-dup-monitor @{exec_path} {
 include
 include
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index c6494c95..9f18395f 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -51,7 +51,7 @@ profile evolution-addressbook-factory @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession
index 2cdae783..03e77816 100644
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@@ -73,7 +73,7 @@ profile gdm-xsession @{exec_path} {
 peer=(name=org.freedesktop.systemd1),
 @{bin}/dbus-update-activation-environment mr,
-
+
 owner @{HOME}/.xsession-errors w,
 /dev/tty rw,
diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes
index f44f42e6..0a5abe0a 100644
--- a/apparmor.d/groups/gnome/gnome-boxes
+++ b/apparmor.d/groups/gnome/gnome-boxes
@@ -78,7 +78,7 @@ profile gnome-boxes @{exec_path} {
 @{bin}/virsh mr,
 @{bin}/pkttyagent r,
-
+
 owner @{run}/user/@{uid}/libvirt/ r,
 owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index 741be770..97309c1a 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -23,7 +23,7 @@ profile gnome-calendar @{exec_path} {
 #aa:dbus own bus=session name=org.gnome.Calendar
- #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
+ #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory
 #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 20aa66cf..00bc15f1 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -186,7 +186,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 include
 @{bin}/bwrap mr,
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
index 4695c87d..1fa7d705 100644
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@@ -70,7 +70,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
 include
 @{bin}/bwrap mr,
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding
index 7c9a8077..f74afdea 100644
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@@ -37,7 +37,7 @@ profile gnome-extension-ding @{exec_path} {
 dbus send bus=session path=/org/freedesktop/DBus
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=org.freedesktop.DBus, label=dbus-session),
 dbus send bus=session path=/org/freedesktop/DBus
diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session
index 597a47c1..cf17391b 100644
--- a/apparmor.d/groups/gnome/gnome-session
+++ b/apparmor.d/groups/gnome/gnome-session
@@ -66,7 +66,7 @@ profile gnome-session @{exec_path} {
 include
 @{bin}/flatpak mr,
-
+
 /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index a2627c31..a2dd6d90 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -315,7 +315,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features
 @{run}/udev/data/c13:@{int} r, # for /dev/input/*
 @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/**
- @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
+ @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
 @{run}/udev/data/n@{int} r,
 @{sys}/**/uevent r,
@@ -374,13 +374,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 profile shell flags=(attach_disconnected,mediate_deleted) {
 include
-
+
 capability sys_ptrace,
 ptrace (read),
 @{sh_path} mr,
-
+
 @{bin}/pmap rix,
 @{bin}/grep rix,
@@ -414,7 +414,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
- owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
+ owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server
index 357104e5..2f3e5167 100644
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@@ -30,7 +30,7 @@ profile gnome-shell-calendar-server @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index f462894b..a75cfee6 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -154,10 +154,10 @@ profile gnome-software @{exec_path} {
 owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw,
 owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw,
 owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
-
+
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-
+
 include if exists
 }
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
index 55e6b373..6e8ae0d9 100644
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@@ -17,7 +17,7 @@ profile gsd-disk-utility-notify @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index a8dc13b1..02237d93 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -79,7 +79,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 /dev/media@{int} r,
 /dev/video@{int} rw,
-
+
 # file_inherit
 owner /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp
index aa459250..f0dd3b46 100644
--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
@@ -34,7 +34,7 @@ profile yelp @{exec_path} {
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r,
 owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r,
-
+
 @{PROC}/zoneinfo r,
 owner @{PROC}/@{pid}/cgroup r,
 owner @{PROC}/@{pid}/cmdline r,
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index a681f262..c1058c15 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -16,7 +16,7 @@ profile gvfs-afc-volume-monitor @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index 1e65e218..1b5f74ae 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -16,7 +16,7 @@ profile gvfs-goa-volume-monitor @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 dbus send bus=session path=/org/gnome/OnlineAccounts
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index a8d7ffb3..f2b53463 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -20,7 +20,7 @@ profile gvfs-gphoto2-volume-monitor @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata
index 902bbf40..f6f3820b 100644
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@@ -21,7 +21,7 @@ profile gvfsd-metadata @{exec_path} {
 dbus receive bus=session
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent
index 38819e87..03586b29 100644
--- a/apparmor.d/groups/gvfs/gvfsd-recent
+++ b/apparmor.d/groups/gvfs/gvfsd-recent
@@ -46,7 +46,7 @@ profile gvfsd-recent @{exec_path} {
 owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
 @{run}/mount/utab r,
-
+
 owner @{PROC}/@{pid}/mountinfo r,
 include if exists
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland
index 9c6107f6..3a25c0a5 100644
--- a/apparmor.d/groups/hyprland/hyprland
+++ b/apparmor.d/groups/hyprland/hyprland
@@ -51,7 +51,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+usb* r, # for USB mouse and keyboard @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* @{sys}/bus/ r, @{sys}/class/input/ r, diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 38eccd29..78375c8b 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -17,7 +17,7 @@ profile hyprpicker @{exec_path} { owner @{run}/user/@{uid}/.hyprpicker* rw, owner /dev/shm/wlroots-@{rand6} r, - + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 5a4f480a..9a2f4c96 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -12,7 +12,7 @@ profile baloo @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index c02f3f87..24d86bec 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -94,7 +94,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/menus/{,applications-merged/} r, owner @{user_config_dirs}/plasmarc r, - owner @{user_config_dirs}/session/* r, + owner @{user_config_dirs}/session/* r, owner @{user_share_dirs}/kscreen/* r, owner @{user_share_dirs}/kwin/scripts/{,**} r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index f7f16836..fe1c5d8d 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular 
@@ -81,7 +81,7 @@ profile okular @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int}, - owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment, + owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 7f48fbec..a09f55c4 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -199,7 +199,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 6d4ea3f7..ebb86197 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -27,7 +27,7 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) { network inet6 raw, network netlink raw, network packet raw, - + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 8dc29f56..55b5bda1 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -13,7 +13,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { include capability dac_override, - + capability net_admin, capability fowner, capability fsetid, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index e1c55c7e..6075f14b 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui 
@@ -7,7 +7,7 @@ abi , include @{name} = Mullvad?VPN -@{lib_dirs} = /opt/@{name} +@{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 144fd84c..27a511dc 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -16,7 +16,7 @@ profile nm-online @{exec_path} { interface=org.freedesktop.NetworkManager.Connection.Active member=StateChanged peer=(name=:*, label=NetworkManager), - + dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 7bab28a2..ac29b0b2 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -79,7 +79,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { capability mknod, capability net_admin, - + network netlink raw, /dev/net/tun rw, diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index b8c622c6..7539c1c7 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit @@ -21,7 +21,7 @@ profile arch-audit @{exec_path} { network netlink raw, @{exec_path} mr, - + /etc/arch-audit/settings.toml r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 6f4672f9..d5abc07d 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -80,7 +80,7 @@ profile makepkg @{exec_path} { ptrace read, - signal send set=winch peer=pacman, + signal send set=winch peer=pacman, signal send set=winch peer=pacman//systemctl, @{bin}/pacman Px, diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index b57ab746..4884d248 100644 
--- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -16,7 +16,7 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) { /etc/pacman.conf r, /etc/pacman.d/mirrorlist r, /etc/pacman.d/*-mirrorlist r, - + /dev/tty@{int} rw, # Inherit Silencer diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 09529cbb..9ee488fb 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -55,11 +55,11 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { capability dac_read_search, @{bin}/pacman mr, - + @{bin}/gpg rix, @{bin}/gpgconf rix, @{bin}/gpgsm rix, - + /etc/pacman.conf r, /etc/pacman.d/{,**} r, /etc/pacman.d/gnupg/** rwkl, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 728bd84d..287bc026 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -35,7 +35,7 @@ profile pacman-key @{exec_path} { /usr/share/terminfo/** r, /etc/pacman.d/gnupg/* rw, - + /dev/tty rw, profile gpg { diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 237a5ff7..7e0422c5 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -26,12 +26,12 @@ profile ssh-agent-launch @{exec_path} { dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member=UpdateActivationEnvironment + member=UpdateActivationEnvironment peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager - member=SetEnvironment + member=SetEnvironment peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 89a19fa1..d81933f5 100644 
--- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -62,7 +62,7 @@ profile coredumpctl @{exec_path} flags=(complain) { /etc/inputrc r, /etc/gdb/** r, - + owner /var/tmp/coredump-* rw, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index 5e4b33a1..f8950c1f 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -27,7 +27,7 @@ profile systemd-cryptsetup @{exec_path} { @{run}/cryptsetup/ r, @{run}/cryptsetup/* rwk, @{run}/systemd/ask-password/* rw, - + @{sys}/devices/virtual/bdi/*/read_ahead_kb r, @{sys}/fs/ r, diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd/systemd-generator-ostree index f50544f8..ce2ecaf4 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ostree +++ b/apparmor.d/groups/systemd/systemd-generator-ostree @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator +@{exec_path} = @{lib}/systemd/system-generators/ostree-system-generator profile systemd-generator-ostree @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 105f72e4..5f60b567 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup @@ -19,7 +19,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) { ptrace (read), - mount options=(rw rshared) -> /, + mount options=(rw rshared) -> /, mount options=(rw rslave) -> /, umount /etc/machine-id, diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index 6083fc23..3e2129d3 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent 
@@ -27,7 +27,7 @@ profile systemd-tty-ask-password-agent @{exec_path} { @{run}/utmp rk, @{PROC}/@{pids}/stat r, - + @{sys}/devices/virtual/tty/console/active r, @{sys}/devices/virtual/tty/tty@{int}/active r, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 177431f9..b4081eac 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -18,7 +18,7 @@ profile userdbctl @{exec_path} { signal send set=cont peer=child-pager, @{exec_path} mr, - + @{pager_path} rPx -> child-pager, /etc/shadow r, diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index ed39c758..cd018711 100644 --- a/apparmor.d/groups/ubuntu/apport +++ b/apparmor.d/groups/ubuntu/apport @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /usr/share/apport/apport +@{exec_path} = /usr/share/apport/apport profile apport @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 25d13672..0121dd46 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -102,7 +102,7 @@ profile apport-gtk @{exec_path} { include @{bin}/gdb mr, - + @{bin}/iconv rix, @{bin}/* r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index abbde245..7d797bd9 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -13,7 +13,7 @@ profile ubuntu-advantage @{exec_path} { include include include - include + include capability dac_read_search, capability setgid, diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index a27f41fc..3192c705 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth 
@@ -9,7 +9,7 @@ include @{exec_path} = @{lib}/cni/bandwidth /opt/cni/bin/bandwidth profile cni-bandwidth @{exec_path} { include - + network inet dgram, network inet6 dgram, network inet stream, @@ -17,7 +17,7 @@ profile cni-bandwidth @{exec_path} { network netlink raw, @{exec_path} mr, - + include if exists } diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 878a0911..a6c9149d 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -25,15 +25,15 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{exec_path}-ipam rix, / r, - + /etc/cni/net.d/{,**} r, - + /var/lib/calico/{,**} r, /var/log/calico/cni/ r, /var/log/calico/cni/*.log rw, - + /usr/share/mime/globs2 r, - + @{run}/calico/ rw, @{run}/calico/ipam.lock rwk, @{run}/netns/cni-@{uuid} r, diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index 30e2800c..fd4f50df 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -21,7 +21,7 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) { @{run}/netns/ r, @{run}/netns/cni-@{uuid} rw, - + include if exists } diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index bd0206c4..73ad13cb 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -18,7 +18,7 @@ profile cni-portmap @{exec_path} { @{bin}/xtables-nft-multi rPx -> cni-xtables-nft, @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, - + include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 7487c8e7..1766cd2f 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -76,7 +76,7 @@ profile cockpit-bridge @{exec_path} { /etc/shadow r, /etc/shells r, - / r, + / r, @{HOME}/ r, owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, 
diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index c1a39a89..1de016ae 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -26,7 +26,7 @@ profile cockpit-update-motd @{exec_path} { profile systemctl { include include - + capability net_admin, capability sys_ptrace, diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper index 74a93737..c10f4492 100644 --- a/apparmor.d/groups/virt/virt-aa-helper +++ b/apparmor.d/groups/virt/virt-aa-helper @@ -25,7 +25,7 @@ profile virt-aa-helper @{exec_path} { @{etc_rw}/apparmor.d/libvirt/libvirt-@{uuid} rw, /etc/libnl{,-3}/classid r, # Allow reading libnl's classid file - + # System VM images /var/lib/libvirt/images/{,**} r, /var/lib/nova/instances/_base/* r, diff --git a/apparmor.d/groups/whonix/msgdispatcher-dispatch b/apparmor.d/groups/whonix/msgdispatcher-dispatch index 0adfe279..5c2037c5 100644 --- a/apparmor.d/groups/whonix/msgdispatcher-dispatch +++ b/apparmor.d/groups/whonix/msgdispatcher-dispatch @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x +@{exec_path} = @{lib}/msgcollector/msgdispatcher_dispatch_x profile msgdispatcher-dispatch @{exec_path} { include include diff --git a/apparmor.d/groups/whonix/tor-bootstrap-check b/apparmor.d/groups/whonix/tor-bootstrap-check index 8a5d8f53..7829b831 100644 --- a/apparmor.d/groups/whonix/tor-bootstrap-check +++ b/apparmor.d/groups/whonix/tor-bootstrap-check @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py +@{exec_path} = @{lib}/helper-scripts/tor_bootstrap_check.py profile tor-bootstrap-check @{exec_path} { include include diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index ccdfe2ed..fc20ad0f 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper 
@@ -32,7 +32,7 @@ profile torbrowser-wrapper @{exec_path} { @{bin}/tty ix, @{bin}/whoami ix, - @{lib_dirs}/start-tor-browser Px, # torbrowser-start + @{lib_dirs}/start-tor-browser Px, # torbrowser-start @{lib}/msgcollector/msgcollector Px, @{lib}/open-link-confirmation/open-link-confirmation Px, @@ -44,11 +44,11 @@ profile torbrowser-wrapper @{exec_path} { owner @{HOME}/.tb/{,**} rw, owner @{HOME}/.xsession-errors rw, - + owner @{tmp}/tmp.@{rand10} rw, owner @{run}/mount/utab r, - + owner @{PROC}/@{pid}/mountinfo r, profile sudo { diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce index 84abf8ce..8d91581c 100644 --- a/apparmor.d/groups/xfce/startxfce +++ b/apparmor.d/groups/xfce/startxfce @@ -30,7 +30,7 @@ profile startxfce @{exec_path} { profile systemctl flags=(attach_disconnected) { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index c25d9452..79619414 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -57,7 +57,7 @@ profile acpi-powerbtn flags=(attach_disconnected) { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 2ad4791d..b7e4a127 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -80,10 +80,10 @@ profile anyremote @{exec_path} { @{bin}/convert-im6.q16 mr, /usr/share/anyremote/cfg-data/Icons/common/*.png r, - + /usr/share/ImageMagick-[0-9]/*.xml rw, /etc/ImageMagick-[0-9]/*.xml r, - + owner @{HOME}/.anyRemote/*.png rw, owner @{HOME}/.kde/share/apps/amarok/albumcovers/cache/* r, diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 72ee1e9d..36ca9555 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli 
@@ -47,7 +47,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /var/log/cron-apt/temp w, owner /var/cache/app-info/{,**} rw, owner /var/cache/swcatalog/{,**} rw, - + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/appstream-cache-*.mdb rw, owner @{user_cache_dirs}/appstream/ rw, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 15c6b71c..dbf6c228 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -111,7 +111,7 @@ profile borg @{exec_path} { /etc/fuse.conf r, @{MOUNTS}/ r, - @{MOUNTS}/*/ r, + @{MOUNTS}/*/ r, @{PROC}/@{pids}/mounts r, diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor index e78420e3..af98f9fc 100644 --- a/apparmor.d/profiles-a-f/briar-desktop-tor +++ b/apparmor.d/profiles-a-f/briar-desktop-tor @@ -14,7 +14,7 @@ profile briar-desktop-tor { network netlink raw, signal send set=term peer=briar-desktop-tor//obfs4proxy, - signal send set=term peer=briar-desktop-tor//snowflake, + signal send set=term peer=briar-desktop-tor//snowflake, owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw, owner @{HOME}/.briar/desktop/tor/.tor/lock k, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index cdf5eb0d..82742fd4 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -59,7 +59,6 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /dev/btrfs-control rw, /dev/pts/@{int} rw, /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus index 3f9b15dc..6e3b3849 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-dbus +++ b/apparmor.d/profiles-a-f/cups-notifier-dbus @@ -21,7 +21,7 @@ profile cups-notifier-dbus @{exec_path} { owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner @{tmp}/cups-dbus-notifier-lockfile rwk, - + include if exists } 
diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd index ac998474..f65fc834 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/profiles-a-f/cupsd @@ -95,7 +95,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/fd/ r, owner @{PROC}/@{pid}/mounts r, - + owner @{tmp}/*_latest_print_info w, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index 3e95a05d..a8b48278 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -27,9 +27,9 @@ profile dig @{exec_path} { owner @{HOME}/.digrc r, owner @{HOME}/batch_mode.dig r, owner @{HOME}/tsig.key r, - + /tmp/batch_mode.dig r, - + owner @{PROC}/@{pids}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 74d1ce74..53038a6d 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -12,7 +12,7 @@ include @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} +@{exec_path} = @{bin}/discord{,-ptb} @{lib_dirs}/Discord{,PTB} profile discord @{exec_path} { include include diff --git a/apparmor.d/profiles-a-f/discord-chrome-sandbox b/apparmor.d/profiles-a-f/discord-chrome-sandbox index 4cfefd65..0599fa48 100644 --- a/apparmor.d/profiles-a-f/discord-chrome-sandbox +++ b/apparmor.d/profiles-a-f/discord-chrome-sandbox @@ -8,7 +8,7 @@ abi , include @{name} = discord -@{lib_dirs} = /usr/share/@{name} /opt/@{name} +@{lib_dirs} = /usr/share/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{user_config_dirs}/discordptb @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index 00f1d811..ffce3092 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller 
@@ -40,7 +40,7 @@ profile dkms-autoinstaller @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index 08dad1bd..5573aaf8 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy @@ -27,17 +27,17 @@ profile dnscrypt-proxy @{exec_path} { @{exec_path} mrix, /etc/dnscrypt-proxy/{,**} r, - + owner /etc/dnscrypt-proxy/public-resolvers.md rw, owner /etc/dnscrypt-proxy/public-resolvers.md.minisig rw, owner /etc/dnscrypt-proxy/relays.md rw, owner /etc/dnscrypt-proxy/relays.md.minisig rw, owner /etc/dnscrypt-proxy/sf-*.tmp rw, - + /var/cache/private/dnscrypt-proxy/{,**} r, /var/cache/private/dnscrypt-proxy/public-resolvers.md{,.minisig} rw, /var/cache/private/dnscrypt-proxy/sf-*.tmp rw, - + /var/log/dnscrypt-proxy/ r, /var/log/dnscrypt-proxy/*.log w, /var/log/private/dnscrypt-proxy/ rw, diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index e4a9bef2..05a90088 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -7,7 +7,7 @@ abi , include @{name} = {E,e}lement -@{lib_dirs} = @{lib}/@{name} +@{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt index bcffc5b8..0c027dc2 100644 --- a/apparmor.d/profiles-a-f/findmnt +++ b/apparmor.d/profiles-a-f/findmnt @@ -20,7 +20,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) { /etc/fstab r, /etc/mtab r, - + @{PROC}/@{pids}/mountinfo r, # File Inherit diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index d91b9ac5..e332f50c 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app 
@@ -3,11 +3,11 @@ # SPDX-License-Identifier: GPL-2.0-only # Default profile for all flatpak applications. Ideally, this profile should be -# generated by flatpak itself with settings from the flatpak manifest and +# generated by flatpak itself with settings from the flatpak manifest and # fully separated from bwrap. # Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order -# to separate bwrap from the sandboxed app itself. It was generating issue with +# to separate bwrap from the sandboxed app itself. It was generating issue with # zypak-sandbox, therefore the profiles have been merged. Meanwhile, to install # some applications, flatpak needs write access to the sandbox content. This is # done through bwrap and therefore in this profile. @@ -15,7 +15,7 @@ # 1. All of this will have to be improved. However, as of today, it is the only # way to not break some (major) flatpak app. # 2. It is not a big deal as flatpak is responsible for the sandbox anyway. -# This this only defence in depth. +# This this only defence in depth. # 3. The main purpose of this profile is to ensure all processes are confined. abi , diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 7144a237..162e3b44 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -43,7 +43,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, - + owner @{PROC}/@{pids}/fd/ r, /dev/ptmx rw, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 637cc097..7f14df0e 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal 
@@ -27,7 +27,7 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /usr/share/xml/iso-codes/{,**} r, - owner @{tmp}/.@{rand6} rw, + owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 333c9f36..295cbe76 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -8,7 +8,7 @@ abi , include @{name} = {F,f}ree{T,t}ube{,-vue} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} +@{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index b6ef68b0..40dbda8c 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -149,7 +149,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, - + owner /var/lib/fwupd/gnupg/ rw, owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 4d53fdf5..f599bbc1 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -28,7 +28,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/ - + @{exec_path} mr, @{bin}/dbus-launch Cx -> bus, diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted index dd7d3bff..93e65f0a 100644 --- a/apparmor.d/profiles-g-l/gparted +++ b/apparmor.d/profiles-g-l/gparted @@ -92,7 +92,7 @@ profile gparted @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index 6cc77b9b..e56bb573 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin 
@@ -71,7 +71,7 @@ profile gpartedbin @{exec_path} { owner @{tmp}/gparted-*/ rw, @{run}/mount/utab r, - + @{PROC}/devices r, @{PROC}/partitions r, @{PROC}/swaps r, diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe index 7c960482..f5c1ecdd 100644 --- a/apparmor.d/profiles-g-l/hw-probe +++ b/apparmor.d/profiles-g-l/hw-probe @@ -72,7 +72,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { @{bin}/nmcli rPx, @{bin}/pacman rCx -> pacman, @{bin}/rfkill rPx, - @{bin}/rpm rCx -> rpm, + @{bin}/rpm rCx -> rpm, @{bin}/sensors rPx, @{bin}/smartctl rPx, @{bin}/systemctl rCx -> systemctl, @@ -220,7 +220,7 @@ profile hw-probe @{exec_path} flags=(attach_disconnected) { profile systemctl flags=(attach_disconnected) { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth index b3dbef04..03c8650d 100644 --- a/apparmor.d/profiles-g-l/iceauth +++ b/apparmor.d/profiles-g-l/iceauth @@ -14,7 +14,7 @@ profile iceauth @{exec_path} { @{exec_path} mr, owner @{tmp}/.xfsm-ICE-@{rand6} r, - owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, + owner @{tmp}/user/@{uid}/.xfsm-ICE-@{rand6} r, owner @{run}/user/@{uid}/ICEauthority rl -> @{run}/user/@{uid}/ICEauthority-n, owner @{run}/user/@{uid}/ICEauthority-c w, diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec index 272679ed..074b4e73 100644 --- a/apparmor.d/profiles-g-l/initd-kexec +++ b/apparmor.d/profiles-g-l/initd-kexec @@ -41,7 +41,7 @@ profile initd-kexec @{exec_path} { profile systemctl { include include - + capability sys_resource, @{bin}/systemd-tty-ask-password-agent rix, diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi index 97bd3bfe..eafcab79 100644 --- a/apparmor.d/profiles-g-l/inxi +++ b/apparmor.d/profiles-g-l/inxi @@ -153,7 +153,7 @@ profile inxi @{exec_path} { profile systemctl { include include - + include if exists } 
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper index e27e226c..e5c739bd 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper +++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper @@ -28,7 +28,7 @@ profile landscape-sysinfo.wrapper @{exec_path} { / r, /etc/default/locale r, - + /var/lib/landscape/landscape-sysinfo.cache rw, @{PROC}/loadavg r, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index f9845715..7990fb27 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate @@ -88,7 +88,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { profile pgrep { include include - + include if exists } diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx index a1f4ced8..0fce66a9 100644 --- a/apparmor.d/profiles-g-l/lynx +++ b/apparmor.d/profiles-g-l/lynx @@ -23,7 +23,7 @@ profile lynx @{exec_path} { @{exec_path} mr, @{sh_path} rix, - + /usr/share/terminfo/{,**} r, /usr/share/doc/lynx-common/** r, diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard index df180631..281be7e0 100644 --- a/apparmor.d/profiles-m-r/molly-guard +++ b/apparmor.d/profiles-m-r/molly-guard @@ -36,7 +36,7 @@ profile molly-guard @{exec_path} { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs index 3fafd269..26f3e2d5 100644 --- a/apparmor.d/profiles-m-r/mount-nfs +++ b/apparmor.d/profiles-m-r/mount-nfs @@ -64,7 +64,7 @@ profile mount-nfs @{exec_path} flags=(complain) { profile systemctl { include include - + include if exists } diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 6a96796a..fb1e94c1 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt 
@@ -29,7 +29,7 @@ profile mutt @{exec_path} {
 @{sh_path} rix,
 @{lib}/{,sendmail/}sendmail rPUx,
- @{bin}/ispell rPUx,
+ @{bin}/ispell rPUx,
 @{bin}/abook rPUx,
 @{bin}/mutt_dotlock rix,
 # Misc mutt scripts
@@ -84,13 +84,13 @@ profile mutt @{exec_path} {
 # Used When viewing attachments
 owner /{var/,}tmp/* lrw,
-
+
 profile html-renderer {
 include
 @{bin}/w3m mrix,
 @{bin}/lynx mrix,
-
+
 owner @{HOME}/.w3m/* rw,
 owner @{user_mail_dirs}/{,**} r,
 owner @{user_mail_dirs}/tmp/{,**} rw,
@@ -142,9 +142,9 @@ profile mutt @{exec_path} {
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
-
+
 owner /{var/,}tmp/mutt* lrw,
-
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest
index 166404df..ba9d813c 100644
--- a/apparmor.d/profiles-m-r/popularity-contest
+++ b/apparmor.d/profiles-m-r/popularity-contest
@@ -46,7 +46,7 @@ profile popularity-contest @{exec_path} {
 /var/log/popularity-contest.new w,
 owner @{tmp}/#@{int} rw,
-
+
 @{PROC}/ r,
 include if exists
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core
index 81f27c40..4de73d71 100644
--- a/apparmor.d/profiles-m-r/protonmail-bridge-core
+++ b/apparmor.d/profiles-m-r/protonmail-bridge-core
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-# To force the use of the Gnome Keyring or Kwallet secret-service, add the
+# To force the use of the Gnome Keyring or Kwallet secret-service, add the
 # following lines in your local/protonmail-bridge-core file:
 # deny @{bin}/pass x,
 # deny owner @{user_password_store_dirs}/** r,
diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf
index 6601b816..c050ce97 100644
--- a/apparmor.d/profiles-m-r/resolvconf
+++ b/apparmor.d/profiles-m-r/resolvconf
@@ -50,7 +50,7 @@ profile resolvconf @{exec_path} {
 include if exists
 }
-
+
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 69e8c4d0..c20b305e 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -23,7 +23,7 @@ profile run-parts @{exec_path} {
 capability mknod,
 @{exec_path} mrix,
-
+
 @{sh_path} rix,
 @{bin}/anacron rix,
 @{bin}/cat rix,
@@ -114,7 +114,7 @@ profile run-parts @{exec_path} {
 /etc/update-motd.d/ r,
 /etc/update-motd.d/* rCx -> motd,
- # Kernel
+ # Kernel
 /etc/kernel/header_postinst.d/ r,
 /etc/kernel/header_postinst.d/dkms rCx -> kernel,
@@ -169,7 +169,7 @@ profile run-parts @{exec_path} {
 @{bin}/sort rix,
 @{bin}/tr rix,
 @{bin}/uname rix,
-
+
 @{bin}/snap rPUx,
 @{lib}/ubuntu-release-upgrader/release-upgrade-motd rPx,
 @{lib}/update-notifier/update-motd-fsck-at-reboot rPx,
@@ -238,7 +238,7 @@ profile run-parts @{exec_path} {
 # For shell pwd
 / r,
 /boot/ r,
-
+
 /etc/apt/apt.conf.d/ r,
 /etc/apt/apt.conf.d/01autoremove-kernels{,.dpkg-new} rw,
 /etc/modprobe.d/ r,
diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs
index 985f124d..dab3593b 100644
--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@@ -48,10 +48,10 @@ profile s3fs @{exec_path} {
 mount fstype=fuse.s3fs -> @{MOUNTS}/,
 mount fstype=fuse.s3fs -> @{MOUNTS}/*/,
-
+
 umount @{MOUNTS}/,
 umount @{MOUNTS}/*/,
-
+
 @{bin}/fusermount{,3} mr,
 /etc/fuse.conf r,
diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop
index 98b194fb..4817f330 100644
--- a/apparmor.d/profiles-s-z/session-desktop
+++ b/apparmor.d/profiles-s-z/session-desktop
@@ -7,7 +7,7 @@ abi ,
 include
 @{name} = {S,s}ession
-@{lib_dirs} = /opt/@{name}
+@{lib_dirs} = /opt/@{name}
 @{config_dirs} = @{user_config_dirs}/@{name}
 @{cache_dirs} = @{user_cache_dirs}/@{name}
diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure
index e9bef6d4..a4f89f55 100644
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@@ -24,7 +24,7 @@ profile snap-failure @{exec_path} {
 profile systemctl {
 include
 include
-
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 79204827..04837d87 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -32,7 +32,7 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 dbus receive bus=session path=/
 interface=org.freedesktop.DBus.Introspectable
- member=Introspect
+ member=Introspect
 peer=(name=:*, label=gnome-shell),
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/profiles-s-z/steam-launcher
index 12138e36..0bd8c67d 100644
--- a/apparmor.d/profiles-s-z/steam-launcher
+++ b/apparmor.d/profiles-s-z/steam-launcher
@@ -23,7 +23,7 @@ profile steam-launcher @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 @{lib_dirs}/** mr,
-
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime
index abf84d3c..2a3e839f 100644
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/profiles-s-z/steam-runtime
@@ -62,7 +62,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
 owner link @{app_dirs}/@{runtime}/var/** -> @{app_dirs}/@{runtime}/sniper_platform_*/**,
 owner @{share_dirs}/config/config.vdf{,.*} rw,
- owner @{share_dirs}/steamapps/appmanifest_* rw,
+ owner @{share_dirs}/steamapps/appmanifest_* rw,
 owner @{tmp}/ r,
 owner @{tmp}/#@{int} rw,
diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/profiles-s-z/steamerrorreporter
index 8214a1fb..27fe69be 100644
--- a/apparmor.d/profiles-s-z/steamerrorreporter
+++ b/apparmor.d/profiles-s-z/steamerrorreporter
@@ -27,7 +27,7 @@ profile steamerrorreporter @{exec_path} flags=(attach_disconnected) {
 owner @{HOME}/.steam/steam.pipe r,
- owner @{lib_dirs}/{,**} r,
+ owner @{lib_dirs}/{,**} r,
 owner @{runtime_dirs}/pinned_libs_{32,64}/ r,
 owner @{share_dirs}/ r,
diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control
index b2df1a34..e1b9ab7d 100644
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@@ -23,7 +23,7 @@ profile switcheroo-control @{exec_path} flags=(attach_disconnected) {
 @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs
 @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
- @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
+ @{run}/udev/data/c226:@{int} r, # for /dev/dri/card*
 @{sys}/bus/ r,
 @{sys}/class/ r,
diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task
index 598e5934..3cffb074 100644
--- a/apparmor.d/profiles-s-z/task
+++ b/apparmor.d/profiles-s-z/task
@@ -41,7 +41,7 @@ profile task @{exec_path} {
 include if exists
 }
-
+
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird
index 1ee9f094..f4fb49f8 100644
--- a/apparmor.d/profiles-s-z/thunderbird
+++ b/apparmor.d/profiles-s-z/thunderbird
@@ -7,7 +7,7 @@ abi ,
 include
-@{name} = thunderbird{,-bin}
+@{name} = thunderbird{,-bin}
 @{lib_dirs} = @{lib}/@{name}
 @{config_dirs} = @{HOME}/.@{name}/
 @{cache_dirs} = @{user_cache_dirs}/@{name}/
diff --git a/apparmor.d/profiles-s-z/udev-dmi-memory-id b/apparmor.d/profiles-s-z/udev-dmi-memory-id
index a26c4a26..1d658031 100644
--- a/apparmor.d/profiles-s-z/udev-dmi-memory-id
+++ b/apparmor.d/profiles-s-z/udev-dmi-memory-id
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = @{lib}/udev/dmi_memory_id
+@{exec_path} = @{lib}/udev/dmi_memory_id
 profile udev-dmi-memory-id @{exec_path} {
 include
diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed
index 048f2410..bb160a5e 100644
--- a/apparmor.d/profiles-s-z/zed
+++ b/apparmor.d/profiles-s-z/zed
@@ -10,11 +10,11 @@ include
 profile zed @{exec_path} {
 include
 include
-
+
 capability sys_admin,
 network netlink raw,
-
+
 @{exec_path} mr,
 @{bin}/{m,g,}awk rix,
@@ -48,7 +48,7 @@ profile zed @{exec_path} {
 @{sys}/bus/pci/slots/ r,
 @{sys}/bus/pci/slots/@{int}/address r,
 @{sys}/module/zfs/parameters/zfs_zevent_len_max rw,
-
+
 @{PROC}/@{pids}/mounts r,
 owner @{PROC}/@{pids}/fd/ r,
 @{PROC}/@{pid}/task/@{tid}/comm rw,
diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs
index 9ba71f45..e28a2e43 100644
--- a/apparmor.d/profiles-s-z/zfs
+++ b/apparmor.d/profiles-s-z/zfs
@@ -10,13 +10,13 @@ include
 profile zfs @{exec_path} {
 include
 include
-
+
 capability sys_admin,
 capability dac_read_search,
 mount fstype=zfs,
 umount fstype=zfs,
-
+
 @{exec_path} mr,
 /etc/zfs/zfs-list.cache/{,*} rwk,
diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
index cbf48ba4..79926248 100644
--- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot
+++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
@@ -12,7 +12,7 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) {
 include
 @{exec_path} mr,
-
+
 @{sh_path} rix,
 @{bin}/cat rix,
 @{bin}/cp rix,
diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd
index 30a17a6a..8ac23a07 100644
--- a/apparmor.d/profiles-s-z/zsysd
+++ b/apparmor.d/profiles-s-z/zsysd
@@ -24,7 +24,7 @@ profile zsysd @{exec_path} flags=(complain) {
 /etc/hostid r,
 /etc/zsys.conf r,
-
+
 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 @{run}/systemd/notify rw,
diff --git a/tests/check.sh b/tests/check.sh
index 71fc244a..4d36c80c 100644
--- a/tests/check.sh
+++ b/tests/check.sh
@@ -16,8 +16,8 @@ readonly HEADERS=(
 )
 _die() {
- echo " ✗ $*"
- exit 1
+ echo -e "\033[1;31m ✗ Error: \033[0m$*"
+ #exit 1
 }
 _ensure_header() {
@@ -46,6 +46,9 @@ _ensure_indentation() {
 in_profile=true
 first_line_after_profile=true
+ elif [[ "$line" =~ [[:space:]]+$ ]]; then
+ _die "$file:$line_number: line has trailing whitespace."
+
 elif $in_profile; then
 if $first_line_after_profile; then
 local leading_spaces="${line%%[! ]*}"
@@ -104,9 +107,10 @@ _ensure_vim() {
 }
 check_profiles() {
- echo " ⋅ Checking if all profiles contain:"
+ echo -e "\033[1m ⋅ \033[0mChecking if all profiles contain:"
 echo " - apparmor.d header & license"
 echo " - Check indentation: 2 spaces"
+ echo " - Check for trailing whitespaces"
 echo " - 'abi ,'"
 echo " - 'profile '"
 echo " - 'include if exists '"
@@ -140,9 +144,10 @@ check_profiles() {
 }
 check_abstractions() {
- echo " ⋅ Checking if all abstractions contain:"
+ echo -e "\033[1m ⋅ \033[0mChecking if all abstractions contain:"
 echo " - apparmor.d header & license"
 echo " - Check indentation: 2 spaces"
+ echo " - Check for trailing whitespaces"
 echo " - 'abi ,'"
 echo " - 'include if exists '"
 echo " - vim:syntax=apparmor"
From 897302bc5b1f96aae795f6716c9174c6fcd837ac Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 22 Oct 2024 20:07:11 +0100
Subject: [PATCH 2/4] chore(profile): remove trailing whitespace in profiles (2).
---
 apparmor.d/abstractions/audio-server | 2 +-
 tests/check.sh | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server
index 97850305..10bcef42 100644
--- a/apparmor.d/abstractions/audio-server
+++ b/apparmor.d/abstractions/audio-server
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # Provide access to audio devices. It should only be used by audio servers that
-# need direct access to them.
+# need direct access to them.
 abi ,
diff --git a/tests/check.sh b/tests/check.sh
index 4d36c80c..3ddda982 100644
--- a/tests/check.sh
+++ b/tests/check.sh
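Review bot: The new trailing-whitespace branch in `_ensure_indentation` sits after the branch that recognises the profile header line (the `in_profile=true` / `first_line_after_profile=true` context just above it), so trailing whitespace on a `profile … {` line, or on any line an earlier `elif` already claimed, is never reported; only lines that fall through to this point are checked. A standalone test before the chain, `if [[ "$line" =~ [[:space:]]+$ ]]; then _die "$file:$line_number: line has trailing whitespace."; fi`, checks every line regardless of how it is classified. The function's head and its earlier branches are outside this hunk, so confirm none of them consumes such lines. Note also that within this commit `_die` no longer exits (PATCH 2/4 restores `exit 1`), so the check only prints until that lands.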
@@ -17,7 +17,7 @@ readonly HEADERS=(
 _die() {
 echo -e "\033[1;31m ✗ Error: \033[0m$*"
- #exit 1
+ exit 1
 }
 _ensure_header() {
From d9208e06480922239ed0391760e628564a293635 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 22 Oct 2024 22:04:04 +0100
Subject: [PATCH 3/4] feat(profile): general update and fixes.
---
 apparmor.d/abstractions/app/sudo | 4 +-
 apparmor.d/abstractions/app/systemctl | 4 +-
 apparmor.d/abstractions/common/bwrap | 7 ++-
 apparmor.d/abstractions/desktop | 4 +-
 apparmor.d/abstractions/disks-read | 2 +-
 apparmor.d/abstractions/gstreamer | 2 +-
 apparmor.d/abstractions/xfce | 2 +-
 apparmor.d/groups/bus/dbus-system | 2 +-
 .../freedesktop/xdg-desktop-portal-gnome | 1 +
 .../groups/freedesktop/xdg-desktop-portal-gtk | 1 +
 apparmor.d/groups/kde/sddm | 3 +-
 apparmor.d/groups/network/mullvad-daemon | 2 +-
 apparmor.d/groups/pacman/aurpublish | 17 ++++++-
 apparmor.d/profiles-a-f/acpid | 3 +-
 apparmor.d/profiles-a-f/dfc | 5 +--
 apparmor.d/profiles-a-f/dkms | 1 +
 apparmor.d/profiles-a-f/foliate | 2 +-
 apparmor.d/profiles-a-f/fwupd | 21 ++++-----
 apparmor.d/profiles-m-r/mkinitramfs | 45 ++++++++++---------
 apparmor.d/profiles-s-z/vesktop | 1 +
 apparmor.d/profiles-s-z/vnstat | 28 +++--------
 21 files changed, 78 insertions(+), 79 deletions(-)
diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index 14e3dfb7..385ded54 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -36,8 +36,6 @@
 @{bin}/sudo mr,
 @{lib}/sudo/** mr,
- @{etc_ro}/environment r,
- @{etc_ro}/security/limits.d/{,*} r,
 @{etc_ro}/sudo.conf r,
 @{etc_ro}/sudoers r,
 @{etc_ro}/sudoers.d/{,*} r,
@@ -53,8 +51,8 @@
 owner @{HOME}/.sudo_as_admin_successful rw,
 # yubikey support
- owner @{HOME}/.yubico/challenge-* rw,
 @{HOME}/.yubico/ r,
+ owner @{HOME}/.yubico/challenge-* rw,
 @{run}/faillock/ rw,
 @{run}/faillock/@{user} rwk,
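Review bot: Dropping `@{etc_ro}/environment r,` and `@{etc_ro}/security/limits.d/{,*} r,` from the sudo abstraction is not matched by an addition anywhere else in this patch; sudo's PAM stack (pam_env, pam_limits) reads exactly those files, so unless an abstraction this one includes now grants them, every sudo invocation will log denials for them. If they were deliberately moved, a one-line comment naming the new home, e.g. `# /etc/environment and limits.d are granted by <abstraction-name>`, keeps the next reader from re-adding them here. The reorder of the `.yubico` rules in the second hunk is purely cosmetic.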
diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl
index 38126c96..7857f992 100644
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@@ -8,9 +8,9 @@
 include
 include
- ptrace (read) peer=@{p_systemd},
+ ptrace read peer=@{p_systemd},
- unix (bind) type=stream addr=@@{hex16}/bus/systemctl/,
+ unix bind type=stream addr=@@{hex16}/bus/systemctl/,
 @{bin}/systemctl mr,
diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap
index fca42427..b5b119d0 100644
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@@ -44,17 +44,16 @@
 owner /tmp/newroot/ w,
 owner /tmp/oldroot/ w,
+ @{PROC}/sys/kernel/overflowgid r,
+ @{PROC}/sys/kernel/overflowuid r,
 @{att}/@{PROC}/sys/user/max_user_namespaces rw,
 owner @{att}/@{PROC}/@{pid}/cgroup r,
+ owner @{att}/@{PROC}/@{pid}/fd/ r,
 owner @{att}/@{PROC}/@{pid}/gid_map rw,
 owner @{att}/@{PROC}/@{pid}/mountinfo r,
 owner @{att}/@{PROC}/@{pid}/setgroups rw,
 owner @{att}/@{PROC}/@{pid}/uid_map rw,
- @{PROC}/sys/kernel/overflowgid r,
- @{PROC}/sys/kernel/overflowuid r,
- owner @{PROC}/@{pid}/fd/ r,
-
 include if exists
 # vim:syntax=apparmor
diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop
index a856cbd3..743dfaf2 100644
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@@ -52,7 +52,7 @@
 owner @{user_cache_dirs}/#@{int} rw,
 owner @{user_cache_dirs}/icon-cache.kcache rw,
- owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,
+ owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,
 owner @{user_config_dirs}/baloofilerc r,
 owner @{user_config_dirs}/dolphinrc r,
@@ -67,7 +67,7 @@
 # else if @{DE} == xfce
- /usr/share/xfce4/ r,
+ /usr/share/xfce{,4}/ r,
 owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
 owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read
index 143a6ea7..62e24b70 100644
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@@ -76,7 +76,7 @@
 /dev/sr@{int} rk,
 # Lookup block device by major:minor numbers
- # See: https://apparmor.pujol.io/development/structure/#udev-rules
+ # See: https://apparmor.pujol.io/development/internal/#udev-rules
 @{sys}/block/ r,
 @{sys}/class/block/ r,
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer
index de2adb33..1cf8869c 100644
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@@ -6,7 +6,7 @@ abi ,
 @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
- @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
+ @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr,
 @{lib}/frei0r-@{int}/*.so mr,
 @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce
index 936504e7..3046c8f6 100644
--- a/apparmor.d/abstractions/xfce
+++ b/apparmor.d/abstractions/xfce
@@ -11,7 +11,7 @@
 include
 include
- /usr/share/xfce4/ r,
+ /usr/share/xfce{,4}/ r,
 owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
 owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index bda678f8..6ef4e44e 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -16,7 +16,7 @@ include
 profile dbus-system flags=(attach_disconnected) {
 include
 include
- include
+ include
 include
 include
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
index e9bdfde1..17d26e3b 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@@ -65,6 +65,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pid}/cmdline r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/task/@{tid}/ r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 owner @{PROC}/@{pid}/task/@{tid}/status r,
 include if exists
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
index 0daa7789..d4fa3dc1 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{lib}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm
index a09f55c4..5e024adf 100644
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@@ -172,12 +172,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 owner @{tmp}/#@{int} rw,
 owner @{tmp}/sddm-auth* rw,
+ @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
+ @{run}/faillock/@{user} rwk,
 @{run}/sddm.pid rw,
 @{run}/sddm/\{@{uuid}\} rw,
 @{run}/sddm/#@{int} rw,
 @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
- @{run}/systemd/sessions/*.ref rw,
 @{run}/user/@{uid}/xauth_@{rand6} rwl,
 owner @{run}/sddm/ rw,
 owner @{run}/user/@{uid}/ r,
diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon
index 55b5bda1..ee98720b 100644
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@@ -59,9 +59,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 owner @{tmp}/@{uuid} rw,
 owner @{tmp}/talpid-openvpn-@{uuid} rw,
+ @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
 owner @{PROC}/@{pid}/mounts r,
 owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
- @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
 /dev/net/tun rw,
diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish
index 82f935dc..a7a7bf22 100644
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@@ -47,14 +47,15 @@ profile aurpublish @{exec_path} {
 /etc/makepkg.conf r,
 /etc/makepkg.conf.d/{,**} r,
- owner @{user_build_dirs}/**/ w,
+ owner @{user_build_dirs}/{,**/} w,
 owner @{user_projects_dirs}/** r,
 owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
 owner @{user_projects_dirs}/**/.SRCINFO rw,
- owner @{user_cache_dirs}/makepkg/src/* rw,
+ owner @{user_cache_dirs}/makepkg/src/** rw,
 owner @{user_config_dirs}/pacman/makepkg.conf r,
+ owner /tmp/*/src/ w,
 owner @{tmp}/tmp.@{rand10} rw,
 /dev/tty rw,
@@ -64,14 +65,26 @@ profile aurpublish @{exec_path} {
 @{bin}/gpg{,2} mr,
 @{bin}/gpgconf mr,
+ @{bin}/gpg-agent rix,
+ @{lib}/{,gnupg/}scdaemon rix,
 owner @{HOME}/@{XDG_GPG_DIR}/ rw,
 owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
 owner @{user_cache_dirs}/makepkg/src/*.asc r,
+ owner @{run}/user/@{uid}/ r,
+ owner @{run}/user/@{uid}/gnupg/ r,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent rw,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.browser w,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.extra w,
+ owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.ssh w,
+ owner @{tmp}/tmp.@{rand10} rw,
+ owner @{PROC}/@{pid}/fd/ r,
+
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid
index 7c1a7d4b..5bf6c433 100644
--- a/apparmor.d/profiles-a-f/acpid
+++ b/apparmor.d/profiles-a-f/acpid
@@ -26,8 +26,9 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 /etc/acpi/{,**} r,
 /etc/acpi/handler.sh rix,
+ @{run}/acpid.socket w,
 owner @{run}/acpid.socket rw,
- owner @{run}/acpid.pid rw,
+ owner @{run}/acpid.pid rw,
 owner @{PROC}/@{pids}/fd/ r,
 owner @{PROC}/@{pids}/loginuid r,
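Review bot: `@{bin}/gpg-agent rix,` and `@{lib}/{,gnupg/}scdaemon rix,` in the second aurpublish hunk run the agent and the smartcard daemon inside the aurpublish profile rather than under the dedicated `gpg-agent` profile that this same series touches in PATCH 4/4, which is presumably why the seven `@{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent*` socket rules had to be added here. `@{bin}/gpg-agent rPx,` would keep the agent, and the key material it handles, under its own narrower profile, and the socket rules could then be dropped from this one. Two smaller points: `owner @{tmp}/tmp.@{rand10} rw,` now appears twice in the file (it is already context in the first hunk), and `owner /tmp/*/src/ w,` uses a literal `/tmp` where every neighbouring rule uses `@{tmp}`.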
diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc
index d23028a4..65f94463 100644
--- a/apparmor.d/profiles-a-f/dfc
+++ b/apparmor.d/profiles-a-f/dfc
@@ -12,9 +12,8 @@ profile dfc @{exec_path} {
 include
 include
- capability dac_read_search,
- # No visible effect
- deny capability dac_override,
+ capability dac_override,
+ capability dac_read_search,
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index 5e8a3ea0..ecf1d1c6 100644
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@@ -30,6 +30,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 @{bin}/bc rix,
 @{bin}/gcc rix,
 @{bin}/getconf rix,
+ @{bin}/kill rix,
 @{bin}/kmod rCx -> kmod,
 @{bin}/ld rix,
 @{bin}/lsb_release rPx -> lsb_release,
diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate
index 42265208..b1c48540 100644
--- a/apparmor.d/profiles-a-f/foliate
+++ b/apparmor.d/profiles-a-f/foliate
@@ -40,7 +40,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
 /usr/share/com.github.johnfactotum.Foliate/{,**} r,
 owner /bindfile@{rand6} rw,
- owner @{att}/.flatpak-info r,
+ owner /.flatpak-info r,
 owner @{user_books_dirs}/{,**} r,
 owner @{user_torrents_dirs}/{,**} r,
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 40dbda8c..6cee42be 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -66,11 +66,8 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 /etc/pki/fwupd-metadata/{,**} r,
 /etc/pki/fwupd/{,**} r,
- /var/cache/fwupd/{,**} rw,
- /var/lib/flatpak/exports/share/mime/mime.cache r,
- /var/lib/fwupd/{,**} rw,
- /var/lib/fwupd/pending.db rwk,
- /var/tmp/etilqs_@{hex16} rw,
+ /etc/machine-id r,
+ /var/lib/dbus/machine-id r,
 /boot/{,**} r,
 /boot/EFI/*/.goutputstream-@{rand6} rw,
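Review bot: In dfc, `deny capability dac_override,` annotated `# No visible effect` becomes an unconditional `capability dac_override,`, so a disk-usage reporter is now allowed to bypass DAC write checks as well; nothing in the hunk records which denied operation motivated that, and the deleted comment said denying it had no visible effect. `dac_read_search`, kept on the next line, is normally what a read-only tool needs to traverse and stat unreadable mount points. If the override really is required, a short justification on the rule, e.g. `capability dac_override, # needed for: <operation from audit log>`, documents the widening; otherwise the deny should stay.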
@@ -78,8 +75,12 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 /boot/EFI/*/fwupdx@{int}.efi rw,
 @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,
- /etc/machine-id r,
- /var/lib/dbus/machine-id r,
+ /var/lib/flatpak/exports/share/mime/mime.cache r,
+ /var/tmp/etilqs_@{hex16} rw,
+ owner /var/cache/fwupd/ rw,
+ owner /var/cache/fwupd/** rwk,
+ owner /var/lib/fwupd/ rw,
+ owner /var/lib/fwupd/** rwk,
 # In order to get to this file, the attach_disconnected flag has to be set
 owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
@@ -88,8 +89,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/**/ r,
 @{sys}/devices/** r,
- @{sys}/bus/hid/drivers/*/uevent r,
- @{sys}/bus/usb/drivers/usbhid/uevent r,
 @{sys}/firmware/acpi/** r,
 @{sys}/firmware/dmi/tables/DMI r,
 @{sys}/firmware/dmi/tables/smbios_entry_point r,
@@ -99,9 +98,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/firmware/efi/efivars/fwupd-* rw,
 @{sys}/kernel/security/lockdown r,
 @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r,
- @{sys}/module/*/uevent r,
- @{sys}/module/uhid/uevent r,
- @{sys}/module/usbhid/uevent r,
+ @{sys}/**/uevent r,
 @{sys}/power/mem_sleep r,
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 3b02d97c..774dfa9f 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -50,6 +50,7 @@ profile mkinitramfs @{exec_path} {
 @{bin}/touch rix,
 @{bin}/tr rix,
 @{bin}/tsort rix,
+ @{bin}/uniq rix,
 @{bin}/xargs rix,
 @{bin}/xz rix,
 @{bin}/zstd rix,
@@ -85,13 +86,15 @@ profile mkinitramfs @{exec_path} {
 owner /boot/initrd.img-*.new rw,
 /var/tmp/ r,
- /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
- owner /var/tmp/mkinitramfs_*/ rw,
- owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**,
- owner /var/tmp/mkinitramfs-* rw,
+ /var/tmp/modules_@{rand6} rw,
+ /var/tmp/mkinitramfs_@{rand6}/@{lib}/modules/*/modules.{order,builtin} rw,
+ owner /var/tmp/mkinitramfs_@{rand6} rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**,
+ owner /var/tmp/mkinitramfs-@{rand6} rw,
 @{sys}/devices/platform/ r,
- @{sys}/devices/platform/reg-dummy/{,**}/ r,
+ @{sys}/devices/platform/**/ r,
+ @{sys}/devices/platform/**/modalias r,
 @{sys}/module/compression r,
 @{PROC}/cmdline r,
@@ -126,18 +129,18 @@ profile mkinitramfs @{exec_path} {
 @{sh_path} rix,
 @{bin}/ldconfig.real rix,
- owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
- owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
+ owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r,
+ owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r,
- owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r,
- owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r,
- owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw,
- owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r,
+ owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r,
+ owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw,
- owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw,
- owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw,
- owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw,
+ owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw,
 include if exists
 }
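Review bot: `owner /var/tmp/mkinitramfs_@{rand6} rw,` replaces `owner /var/tmp/mkinitramfs_*/ rw,` and drops the trailing slash, so it now matches a regular file named `mkinitramfs_XXXXXX` but no longer the working directory itself; creating and removing that directory needs `owner /var/tmp/mkinitramfs_@{rand6}/ rw,`. On the following line the link target still carries the old glob (`-> /var/tmp/mkinitramfs_*/**`) while the source was narrowed to `@{rand6}`, so the two halves of the rule no longer describe the same set of paths. `owner /var/tmp/mkinitramfs-@{rand6} rw,` also narrows `mkinitramfs-*`; if the script's temporary files carry a fixed prefix before the random suffix (a mktemp template of the form `mkinitramfs-PREFIX_XXXXXX`, constructed example), `@{rand6}` alone will not match them, which is worth confirming against the script before keeping the narrower pattern.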
@@ -156,7 +159,7 @@ profile mkinitramfs @{exec_path} {
 /usr/share/initramfs-tools/scripts/{,**/} r,
 /etc/initramfs-tools/scripts/{,**/} r,
- owner /var/tmp/mkinitramfs_*/{,**/} r,
+ owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r,
 include if exists
 }
@@ -165,11 +168,13 @@ profile mkinitramfs @{exec_path} {
 include
 include
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/updates/{,**} r,
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r,
- owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r,
+ owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,
+ owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw,
+ owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r,
+ owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
+ owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,
+
+ @{sys}/module/compression r,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop
index a3c3f5a0..b4b63fe7 100644
--- a/apparmor.d/profiles-s-z/vesktop
+++ b/apparmor.d/profiles-s-z/vesktop
@@ -4,6 +4,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
+
 include
 @{name} = vesktop
diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat
index b780eb8d..edce3184 100644
--- a/apparmor.d/profiles-s-z/vnstat
+++ b/apparmor.d/profiles-s-z/vnstat
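Review bot: `owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r,` in the second mkinitramfs hunk is missing the `/` after `@{rand6}`, so the rule can never match a path under the work directory and reads of module updates will be denied once the profile is enforced; it should read `owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/updates/{,**} r,`. The four sibling lines in the same block keep the separator, which is exactly what makes the typo easy to overlook. A cheap guard against this class of slip would be a check in tests/check.sh for a `}` immediately followed by an alphanumeric character inside a path rule.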
@@ -12,35 +12,17 @@ profile vnstat @{exec_path} {
 include
 include
- # The following rules are needed when adding a new interface to the vnstat database. Usually this
- # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the
- # database files under /var/lib/vnstat/ are owned by vnstat:vnstat. Because of the above, the
- # dac_override CAP is needed to allow writing files in that dir.
- #
- # If this CAP was denied, then the following error is printed when adding new interfaces:
- #
- # Error: Exec step failed (8: attempt to write a readonly database): "insert into interface
- # (name, active, created, updated, rxcounter, txcounter, rxtotal, txtotal) values ('eth0', 1,
- # datetime('now', 'localtime'), datetime('now', 'localtime'), 0, 0, 0, 0)"
- # Error: Adding interface "ifb0" to database failed.
- #
- capability dac_override,
- #
- # Also the vnstat.db file has to have the write permission:
- /var/lib/vnstat/vnstat.db w,
- /var/lib/vnstat/vnstat.db-journal rw,
- #
- # This is needed to change the owner:group to vnstat:vnstat of the database file.
 capability chown,
+ capability dac_override,
 @{exec_path} mr,
- # Many apps/users can query vnstat database, so don't use owner here.
- /var/lib/vnstat/ r,
- /var/lib/vnstat/vnstat.db rk,
- /etc/vnstat.conf r,
+ /var/lib/vnstat/ r,
+ /var/lib/vnstat/vnstat.db rwk,
+ /var/lib/vnstat/vnstat.db-journal rw,
+
 @{sys}/class/net/ r,
 @{sys}/devices/@{pci}/net/*/statistics/{tx,rx}_{bytes,packets} r,
From 25049292ebd9f02dd0bfc4925dcacb2144a94b62 Mon Sep 17 00:00:00 2001
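Review bot: `/etc/vnstat.conf r,` is removed in this hunk and not re-added anywhere in the file (the diffstat lists vnstat as 5 insertions and 23 deletions, all of which are in this one hunk), so unless one of the two includes at the top of the profile grants it, vnstat loses read access to its own configuration. The hunk also deletes the entire explanation of why `capability chown` and `capability dac_override` are needed (the database under /var/lib/vnstat/ is owned by vnstat:vnstat while interface addition runs as root); the capabilities stay but the reasoning is gone, and the deleted note that `/var/lib/vnstat/` must not use `owner` because other users query the database is lost too. A one-line condensed comment above the two capabilities, e.g. `# chown/dac_override: adding an interface runs as root but /var/lib/vnstat/ is owned by vnstat:vnstat`, would preserve that.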
From: Alexandre Pujol
Date: Wed, 23 Oct 2024 11:39:49 +0100
Subject: [PATCH 4/4] feat(profile): improve integration with Tumbleweed.
see #576
---
 apparmor.d/groups/freedesktop/fc-list | 1 +
 apparmor.d/groups/gpg/gpg-agent | 1 +
 apparmor.d/groups/gpg/gpgsm | 1 +
 apparmor.d/groups/systemd/systemd-escape | 1 +
 apparmor.d/groups/systemd/systemd-hwdb | 6 +++---
 apparmor.d/groups/systemd/systemd-journald | 1 +
 apparmor.d/groups/systemd/systemd-sysusers | 6 +++---
 apparmor.d/profiles-a-f/blkid | 4 ++++
 apparmor.d/profiles-g-l/issue-generator | 1 +
 apparmor.d/profiles-g-l/lsblk | 2 +-
 apparmor.d/profiles-s-z/sync | 4 ++++
 11 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list
index 3f2fb4e0..ffe996c5 100644
--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/fc-list
 profile fc-list @{exec_path} {
 include
+ include
 include
 include
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index 75bb7583..708ccc5f 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/gpg-agent
 profile gpg-agent @{exec_path} {
 include
+ include
 include
 signal (receive) peer=pinentry-*,
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 364c05f7..bfa71cf5 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/gpgsm
 profile gpgsm @{exec_path} {
 include
+ include
 include
 capability dac_read_search,
diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape
index 0a38bf0f..4a542497 100644
--- a/apparmor.d/groups/systemd/systemd-escape
+++ b/apparmor.d/groups/systemd/systemd-escape
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/systemd-escape
 profile systemd-escape @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb
index 5664cde0..9b6203e9 100644
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@@ -16,11 +16,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{exec_path} mr,
 @{lib}/udev/#@{int} rwl,
- @{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int},
+ @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
 @{lib}/udev/hwdb.bin w,
- /etc/udev/.#hwdb.bind* rw,
- /etc/udev/hwdb.bin rw,
+ /etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},
+ /etc/udev/hwdb.bin w,
 /etc/udev/hwdb.d/{,*} r,
 owner @{PROC}/@{pid}/stat r,
diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald
index 4f95bed4..cc1f541d 100644
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@@ -64,6 +64,7 @@ profile systemd-journald @{exec_path} {
 @{run}/udev/data/b259:@{int} r, # Block Extended Major
 @{run}/udev/data/c1:@{int} r, # For RAM disk
 @{run}/udev/data/c4:@{int} r, # For TTY devices
+ @{run}/udev/data/b8:@{int} r, # for /dev/sd*
 @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features
 @{run}/udev/data/c108:@{int} r, # For /dev/ppp
 @{run}/udev/data/c18[8-9]:@{int} r, # USB devices & USB serial converters
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers
index d6b1cb26..e1ca76d5 100644
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
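Review bot: `/etc/udev/.#hwdb.bin@{hex16} wl -> /etc/udev/#@{int},` in the systemd-hwdb hunk names `/etc/udev/#@{int}` as its link target, but unlike the `@{lib}/udev` pair just above it there is no companion `/etc/udev/#@{int} rwl,` rule; the anonymous temp file has to be created under that name before the `.#hwdb.bin…` name can be linked to it, so the `/etc/udev` path most likely needs `/etc/udev/#@{int} rwl,` as well. The rest of the file is outside the hunk, so confirm it is not already granted further down before adding it. Narrowing `/etc/udev/hwdb.bin` from `rw` to `w` is consistent with the `@{lib}/udev/hwdb.bin w,` rule above.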
@@ -19,9 +19,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 # Config file locations
- /etc/sysusers.d/*.conf r,
- @{run}/sysusers.d/*.conf r,
- /usr/lib/sysusers.d/*.conf r,
+ /etc/sysusers.d/{,*.conf} r,
+ @{run}/sysusers.d/{,*.conf} r,
+ /usr/lib/sysusers.d/{,*.conf} r,
 # Where the users can be created,
 /home/{,*} rw,
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid
index 4aea919b..903e2cb6 100644
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@@ -40,6 +40,10 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
 @{PROC}/partitions r,
 @{PROC}/swaps r,
+ # Other possible location of the cache file
+ /dev/.blkid.tab{,-@{rand6}} rw,
+ /dev/blkid.tab.old rwl -> /dev/blkid.tab,
+
 owner /dev/tty@{int} rw,
 include if exists
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
index 6c6d61c4..3602a1a1 100644
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -9,6 +9,7 @@ include
 @{exec_path} = @{bin}/issue-generator
 profile issue-generator @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk
index 147e1ba2..7559e4e4 100644
--- a/apparmor.d/profiles-g-l/lsblk
+++ b/apparmor.d/profiles-g-l/lsblk
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{bin}/lsblk
-profile lsblk @{exec_path} {
+profile lsblk @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync
index 3b18ad36..907def2b 100644
--- a/apparmor.d/profiles-s-z/sync
+++ b/apparmor.d/profiles-s-z/sync
@@ -13,6 +13,10 @@ profile sync @{exec_path} {
 @{exec_path} mr,
+ # Common paths where sync is used to flush all write operations on a single file to disk
+ # TODO: /** rw, ?
+ /boot/initrd-*-default rw,
+
 include if exists
 }
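Review bot: The two new cache rules in blkid spell the file differently: `/dev/.blkid.tab{,-@{rand6}} rw,` covers the dot-prefixed cache and its temp file, while `/dev/blkid.tab.old rwl -> /dev/blkid.tab,` refers to an undotted `/dev/blkid.tab` that no other rule grants. If the `.old` backup and the link target belong to the same dot-prefixed cache, the second line should read `/dev/.blkid.tab.old rwl -> /dev/.blkid.tab,`; if both spellings really occur on Tumbleweed, the first rule needs the undotted name too. Worth checking against the denial that prompted the change (#576) rather than guessing.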
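Review bot: The `# TODO: /** rw, ?` left in the sync profile would, if acted on, give a root-run binary read/write on every path and make the profile meaningless; it deserves an answer rather than a question mark. sync only needs to open the named file to fsync it, and coreutils' implementation tries a read-only open first and falls back to write-only only when that fails, so broad `r` plus targeted `w` rules like the `/boot/initrd-*-default rw,` line is the shape to keep — confirm the open sequence against the coreutils source before relying on it. Replacing the TODO with `# sync FILE opens the file to fsync it: add targeted rw rules here, never /** rw` records the decision for the next contributor who hits a denial.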