Merge branch 'roddhjav:main' into main

2025-02-11 12:45:10 +01:00 · 2024-10-23 13:20:38 +02:00 · 2024-10-23 13:20:38 +02:00 · f5e0472124
commit f5e0472124
parent 67fcca54e3 25049292eb
168 changed files with 283 additions and 267 deletions
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@ -36,8 +36,6 @@
  @{bin}/sudo     mr,
  @{lib}/sudo/**  mr,

-  @{etc_ro}/environment r,
-  @{etc_ro}/security/limits.d/{,*} r,
  @{etc_ro}/sudo.conf r,
  @{etc_ro}/sudoers r,
  @{etc_ro}/sudoers.d/{,*} r,
@ -53,8 +51,8 @@
  owner @{HOME}/.sudo_as_admin_successful rw,

  # yubikey support
-  owner @{HOME}/.yubico/challenge-* rw,
        @{HOME}/.yubico/ r,
+  owner @{HOME}/.yubico/challenge-* rw,

        @{run}/faillock/ rw,
        @{run}/faillock/@{user} rwk,
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@ -8,9 +8,9 @@
  include <abstractions/bus-system>
  include <abstractions/consoles>

-  ptrace (read) peer=@{p_systemd},
+  ptrace read peer=@{p_systemd},

-  unix (bind) type=stream addr=@@{hex16}/bus/systemctl/,
+  unix bind type=stream addr=@@{hex16}/bus/systemctl/,

  @{bin}/systemctl mr,

--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -44,17 +44,16 @@
  owner /tmp/newroot/ w,
  owner /tmp/oldroot/ w,

+               @{PROC}/sys/kernel/overflowgid r,
+               @{PROC}/sys/kernel/overflowuid r,
        @{att}/@{PROC}/sys/user/max_user_namespaces rw,
  owner @{att}/@{PROC}/@{pid}/cgroup r,
+  owner @{att}/@{PROC}/@{pid}/fd/ r,
  owner @{att}/@{PROC}/@{pid}/gid_map rw,
  owner @{att}/@{PROC}/@{pid}/mountinfo r,
  owner @{att}/@{PROC}/@{pid}/setgroups rw,
  owner @{att}/@{PROC}/@{pid}/uid_map rw,

-        @{PROC}/sys/kernel/overflowgid r,
-        @{PROC}/sys/kernel/overflowuid r,
-  owner @{PROC}/@{pid}/fd/ r,
-
  include if exists <abstractions/common/bwrap.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@ -52,7 +52,7 @@

    owner @{user_cache_dirs}/#@{int} rw,
    owner @{user_cache_dirs}/icon-cache.kcache rw,
-    owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk,
+    owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk,

    owner @{user_config_dirs}/baloofilerc r,
    owner @{user_config_dirs}/dolphinrc r,
@ -67,7 +67,7 @@

  # else if @{DE} == xfce

-    /usr/share/xfce4/ r,
+    /usr/share/xfce{,4}/ r,

    owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
    owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@ -76,7 +76,7 @@
  /dev/sr@{int} rk,

  # Lookup block device by major:minor numbers
-  # See: https://apparmor.pujol.io/development/structure/#udev-rules
+  # See: https://apparmor.pujol.io/development/internal/#udev-rules

  @{sys}/block/ r,
  @{sys}/class/block/ r,
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@ -6,10 +6,9 @@
  abi <abi/4.0>,

  @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
-  @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
+  @{lib}/@{multiarch}/libvisual-@{version}/*/*.so mr,
  @{lib}/frei0r-@{int}/*.so mr,

-  # FIXME: not compatible with FSP mode due conflicting x modifiers 
  @{lib}/@{multiarch}/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner rix,
  @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix,
  @{lib}/gstreamer-1.0/gst-plugin-scanner rix,
--- a/apparmor.d/abstractions/xfce
+++ b/apparmor.d/abstractions/xfce
@ -11,7 +11,7 @@
  include <abstractions/X-strict>
  include <abstractions/xdg-desktop>

-  /usr/share/xfce4/ r,
+  /usr/share/xfce{,4}/ r,

  owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
  owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@ -16,7 +16,7 @@ include <tunables/global>
 profile dbus-system flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-system>
-  include <abstractions/consoles>
+  include <abstractions/attached/consoles>
  include <abstractions/deny-sensitive-home>
  include <abstractions/nameservice-strict>

--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/fc-list
 profile fc-list @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -65,6 +65,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/task/@{tid}/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/status r,

  include if exists <local/xdg-desktop-portal-gnome>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-gtk
 profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/attached/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gpg-agent
 profile gpg-agent @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  signal (receive) peer=pinentry-*,
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gpgsm
 profile gpgsm @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
--- a/apparmor.d/groups/kde/sddm
+++ b/apparmor.d/groups/kde/sddm
@ -172,12 +172,13 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{tmp}/#@{int} rw,
  owner @{tmp}/sddm-auth* rw,

+  @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,
+
        @{run}/faillock/@{user} rwk,
        @{run}/sddm.pid rw,
        @{run}/sddm/\{@{uuid}\} rw,
        @{run}/sddm/#@{int} rw,
        @{run}/sddm/xauth_@{rand6} rwl -> @{run}/sddm/#@{int},
-        @{run}/systemd/sessions/*.ref rw,
        @{run}/user/@{uid}/xauth_@{rand6} rwl,
  owner @{run}/sddm/ rw,
  owner @{run}/user/@{uid}/ r,
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@ -59,9 +59,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/@{uuid} rw,
  owner @{tmp}/talpid-openvpn-@{uuid} rw,

+        @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
-        @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,

  /dev/net/tun rw,

--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -47,14 +47,15 @@ profile aurpublish @{exec_path} {
  /etc/makepkg.conf r,
  /etc/makepkg.conf.d/{,**} r,

-  owner @{user_build_dirs}/**/ w,
+  owner @{user_build_dirs}/{,**/} w,
  owner @{user_projects_dirs}/** r,
  owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
  owner @{user_projects_dirs}/**/.SRCINFO rw,

-  owner @{user_cache_dirs}/makepkg/src/* rw,
+  owner @{user_cache_dirs}/makepkg/src/** rw,
  owner @{user_config_dirs}/pacman/makepkg.conf r,

+  owner /tmp/*/src/ w,
  owner @{tmp}/tmp.@{rand10} rw,

  /dev/tty rw,
@ -64,14 +65,26 @@ profile aurpublish @{exec_path} {

    @{bin}/gpg{,2} mr,
    @{bin}/gpgconf mr,
+    @{bin}/gpg-agent rix,
+    @{lib}/{,gnupg/}scdaemon rix,

    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,

    owner @{user_cache_dirs}/makepkg/src/*.asc r,

+    owner @{run}/user/@{uid}/ r,
+    owner @{run}/user/@{uid}/gnupg/ r,
+    owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
+    owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent rw,
+    owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.browser w,
+    owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.extra w,
+    owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent.ssh w,
+
    owner @{tmp}/tmp.@{rand10} rw,

+    owner @{PROC}/@{pid}/fd/ r,
+
    include if exists <local/aurpublish_gpg>
  }

--- a/apparmor.d/groups/systemd/systemd-escape
+++ b/apparmor.d/groups/systemd/systemd-escape
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/systemd-escape
 profile systemd-escape @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/common/systemd>

  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@ -16,11 +16,11 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{exec_path} mr,

  @{lib}/udev/#@{int} rwl,
-  @{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int},
+  @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
  @{lib}/udev/hwdb.bin w,

-  /etc/udev/.#hwdb.bind* rw,
-  /etc/udev/hwdb.bin rw,
+  /etc/udev/.#hwdb.bin@{hex16} wl ->  /etc/udev/#@{int},
+  /etc/udev/hwdb.bin w,
  /etc/udev/hwdb.d/{,*} r,

  owner @{PROC}/@{pid}/stat r,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -64,6 +64,7 @@ profile systemd-journald @{exec_path} {
  @{run}/udev/data/b259:@{int} r,         # Block Extended Major
  @{run}/udev/data/c1:@{int}    r,        # For RAM disk
  @{run}/udev/data/c4:@{int} r,           # For TTY devices
+  @{run}/udev/data/b8:@{int} r,           # for /dev/sd*
  @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
  @{run}/udev/data/c108:@{int} r,         # For /dev/ppp
  @{run}/udev/data/c18[8-9]:@{int} r,     # USB devices & USB serial converters
--- a/apparmor.d/groups/systemd/systemd-sysusers
+++ b/apparmor.d/groups/systemd/systemd-sysusers
@ -19,9 +19,9 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,

  # Config file locations
-  /etc/sysusers.d/*.conf r,
-  @{run}/sysusers.d/*.conf r,
-  /usr/lib/sysusers.d/*.conf r,
+  /etc/sysusers.d/{,*.conf} r,
+  @{run}/sysusers.d/{,*.conf} r,
+  /usr/lib/sysusers.d/{,*.conf} r,

  # Where the users can be created,
  /home/{,*} rw,
--- a/apparmor.d/profiles-a-f/acpid
+++ b/apparmor.d/profiles-a-f/acpid
@ -26,6 +26,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
  /etc/acpi/{,**} r,
  /etc/acpi/handler.sh rix,

+        @{run}/acpid.socket w,
  owner @{run}/acpid.socket rw,
  owner @{run}/acpid.pid rw,

--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@ -40,6 +40,10 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
  @{PROC}/partitions r,
  @{PROC}/swaps r,

+  # Other possible location of the cache file
+  /dev/.blkid.tab{,-@{rand6}} rw,
+  /dev/blkid.tab.old rwl -> /dev/blkid.tab,
+
  owner /dev/tty@{int} rw,

  include if exists <local/blkid>
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@ -60,7 +60,6 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
  /dev/pts/@{int} rw,
  /dev/tty@{int} rw,

-
  include if exists <local/btrfs>
 }

--- a/apparmor.d/profiles-a-f/dfc
+++ b/apparmor.d/profiles-a-f/dfc
@ -12,9 +12,8 @@ profile dfc @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

+  capability dac_override,
  capability dac_read_search,
-  # No visible effect
-  deny capability dac_override,

  @{exec_path} mr,

--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -30,6 +30,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  @{bin}/bc         rix,
  @{bin}/gcc        rix,
  @{bin}/getconf    rix,
+  @{bin}/kill       rix,
  @{bin}/kmod       rCx -> kmod,
  @{bin}/ld         rix,
  @{bin}/lsb_release rPx -> lsb_release,
--- a/apparmor.d/profiles-a-f/foliate
+++ b/apparmor.d/profiles-a-f/foliate
@ -40,7 +40,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
  /usr/share/com.github.johnfactotum.Foliate/{,**} r,

  owner /bindfile@{rand6} rw,
-  owner @{att}/.flatpak-info r,
+  owner /.flatpak-info r,

  owner @{user_books_dirs}/{,**} r,
  owner @{user_torrents_dirs}/{,**} r,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -66,11 +66,8 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  /etc/pki/fwupd-metadata/{,**} r,
  /etc/pki/fwupd/{,**} r,

-  /var/cache/fwupd/{,**} rw,
-  /var/lib/flatpak/exports/share/mime/mime.cache r,
-  /var/lib/fwupd/{,**} rw,
-  /var/lib/fwupd/pending.db rwk,
-  /var/tmp/etilqs_@{hex16} rw,
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,

  /boot/{,**} r,
  /boot/EFI/*/.goutputstream-@{rand6} rw,
@ -78,8 +75,12 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  /boot/EFI/*/fwupdx@{int}.efi rw,
  @{lib}/fwupd/efi/fwupdx@{int}.efi{,.signed} r,

-  /etc/machine-id r,
-  /var/lib/dbus/machine-id r,
+        /var/lib/flatpak/exports/share/mime/mime.cache r,
+        /var/tmp/etilqs_@{hex16} rw,
+  owner /var/cache/fwupd/ rw,
+  owner /var/cache/fwupd/** rwk,
+  owner /var/lib/fwupd/ rw,
+  owner /var/lib/fwupd/** rwk,

  # In order to get to this file, the attach_disconnected flag has to be set
  owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
@ -88,8 +89,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/**/ r,
  @{sys}/devices/** r,

-  @{sys}/bus/hid/drivers/*/uevent r,
-  @{sys}/bus/usb/drivers/usbhid/uevent r,
  @{sys}/firmware/acpi/** r,
  @{sys}/firmware/dmi/tables/DMI r,
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
@ -99,9 +98,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  @{sys}/firmware/efi/efivars/fwupd-* rw,
  @{sys}/kernel/security/lockdown r,
  @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r,
-  @{sys}/module/*/uevent r,
-  @{sys}/module/uhid/uevent r,
-  @{sys}/module/usbhid/uevent r,
+  @{sys}/**/uevent r,
  @{sys}/power/mem_sleep r,

  @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/issue-generator
 profile issue-generator @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  @{exec_path} mr,
--- a/apparmor.d/profiles-g-l/lsblk
+++ b/apparmor.d/profiles-g-l/lsblk
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/lsblk
-profile lsblk @{exec_path} {
+profile lsblk @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/disks-read>
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@ -50,6 +50,7 @@ profile mkinitramfs @{exec_path} {
  @{bin}/touch      rix,
  @{bin}/tr         rix,
  @{bin}/tsort      rix,
+  @{bin}/uniq       rix,
  @{bin}/xargs      rix,
  @{bin}/xz         rix,
  @{bin}/zstd       rix,
@ -85,13 +86,15 @@ profile mkinitramfs @{exec_path} {
  owner /boot/initrd.img-*.new rw,

        /var/tmp/ r,
-        /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
-  owner /var/tmp/mkinitramfs_*/ rw,
-  owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**,
-  owner /var/tmp/mkinitramfs-* rw,
+        /var/tmp/modules_@{rand6} rw,
+        /var/tmp/mkinitramfs_@{rand6}/@{lib}/modules/*/modules.{order,builtin} rw,
+  owner /var/tmp/mkinitramfs_@{rand6} rw,
+  owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_*/**,
+  owner /var/tmp/mkinitramfs-@{rand6} rw,

  @{sys}/devices/platform/ r,
-  @{sys}/devices/platform/reg-dummy/{,**}/ r,
+  @{sys}/devices/platform/**/ r,
+  @{sys}/devices/platform/**/modalias r,
  @{sys}/module/compression r,

        @{PROC}/cmdline r,
@ -126,18 +129,18 @@ profile mkinitramfs @{exec_path} {
    @{sh_path}               rix,
    @{bin}/ldconfig.real     rix,

-    owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
-    owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
+    owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r,
+    owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r,

-    owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r,
-    owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r,
-    owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw,
-    owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw,
+    owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r,
+    owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r,
+    owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw,
+    owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw,

-    owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw,
+    owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw,

-    owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw,
-    owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw,
+    owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw,
+    owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw,

    include if exists <local/mkinitramfs_ldconfig>
  }
@ -156,7 +159,7 @@ profile mkinitramfs @{exec_path} {
    /usr/share/initramfs-tools/scripts/{,**/} r,
    /etc/initramfs-tools/scripts/{,**/} r,

-    owner /var/tmp/mkinitramfs_*/{,**/} r,
+    owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r,

    include if exists <local/mkinitramfs_find>
  }
@ -165,11 +168,13 @@ profile mkinitramfs @{exec_path} {
    include <abstractions/base>
    include <abstractions/app/kmod>

-    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
-    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,
-    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/updates/{,**} r,
-    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r,
-    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r,
+    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/ r,
+    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/modules.* rw,
+    owner /var/tmp/mkinitramfs_@{rand6}usr/lib/modules/*/updates/{,**} r,
+    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
+    owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,
+
+    @{sys}/module/compression r,

    include if exists <local/mkinitramfs_kmod>
  }
--- a/apparmor.d/profiles-s-z/sync
+++ b/apparmor.d/profiles-s-z/sync
@ -13,6 +13,10 @@ profile sync @{exec_path} {

  @{exec_path} mr,

+  # Common paths where sync is used to flush all write operations on a single file to disk
+  # TODO: /** rw, ?
+  /boot/initrd-*-default rw,
+
  include if exists <local/sync>
 }

--- a/apparmor.d/profiles-s-z/vesktop
+++ b/apparmor.d/profiles-s-z/vesktop
@ -4,6 +4,7 @@
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/4.0>,
+
 include <tunables/global>

@{name} = vesktop
--- a/apparmor.d/profiles-s-z/vnstat
+++ b/apparmor.d/profiles-s-z/vnstat
@ -12,35 +12,17 @@ profile vnstat @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

-  # The following rules are needed when adding a new interface to the vnstat database. Usually this
-  # action is performed as root, but the vnstatd daemon is run as vnstat (user/group), and all the
-  # database files under /var/lib/vnstat/ are owned by vnstat:vnstat. Because of the above, the
-  # dac_override CAP is needed to allow writing files in that dir.
-  #
-  # If this CAP was denied, then the following error is printed when adding new interfaces:
-  #
-  #  Error: Exec step failed (8: attempt to write a readonly database): "insert into interface
-  #  (name, active, created, updated, rxcounter, txcounter, rxtotal, txtotal) values ('eth0', 1,
-  #  datetime('now', 'localtime'), datetime('now', 'localtime'), 0, 0, 0, 0)"
-  #  Error: Adding interface "ifb0" to database failed.
-  #
-  capability dac_override,
-  #
-  # Also the vnstat.db file has to have the write permission:
-  /var/lib/vnstat/vnstat.db w,
-  /var/lib/vnstat/vnstat.db-journal rw,
-  #
-  # This is needed to change the owner:group to vnstat:vnstat of the database file.
  capability chown,
+  capability dac_override,

  @{exec_path} mr,

-  # Many apps/users can query vnstat database, so don't use owner here.
-  /var/lib/vnstat/ r,
-  /var/lib/vnstat/vnstat.db rk,
-
  /etc/vnstat.conf r,

+  /var/lib/vnstat/ r,
+  /var/lib/vnstat/vnstat.db rwk,
+  /var/lib/vnstat/vnstat.db-journal rw,
+
  @{sys}/class/net/ r,

  @{sys}/devices/@{pci}/net/*/statistics/{tx,rx}_{bytes,packets} r,
--- a/tests/check.sh
+++ b/tests/check.sh
@ -16,7 +16,7 @@ readonly HEADERS=(
 )

 _die() {
-    echo " ✗ $*"
+    echo -e "\033[1;31m ✗ Error: \033[0m$*"
    exit 1
 }

@ -46,6 +46,9 @@ _ensure_indentation() {
            in_profile=true
            first_line_after_profile=true

+        elif [[ "$line" =~ [[:space:]]+$ ]]; then
+            _die "$file:$line_number: line has trailing whitespace."
+
        elif $in_profile; then
            if $first_line_after_profile; then
                local leading_spaces="${line%%[! ]*}"
@ -104,9 +107,10 @@ _ensure_vim() {
 }

 check_profiles() {
-    echo " ⋅ Checking if all profiles contain:"
+    echo -e "\033[1m ⋅ \033[0mChecking if all profiles contain:"
    echo "    - apparmor.d header & license"
    echo "    - Check indentation: 2 spaces"
+    echo "    - Check for trailing whitespaces"
    echo "    - 'abi <abi/4.0>,'"
    echo "    - 'profile <profile_name>'"
    echo "    - 'include if exists <local/*>'"
@ -140,9 +144,10 @@ check_profiles() {
 }

 check_abstractions() {
-    echo " ⋅ Checking if all abstractions contain:"
+    echo -e "\033[1m ⋅ \033[0mChecking if all abstractions contain:"
    echo "    - apparmor.d header & license"
    echo "    - Check indentation: 2 spaces"
+    echo "    - Check for trailing whitespaces"
    echo "    - 'abi <abi/4.0>,'"
    echo "    - 'include if exists <abstractions/*.d>'"
    echo "    - vim:syntax=apparmor"