feat(profile): general update.

apparmor.d/groups/bus/dbus-session

@@ -20,6 +20,8 @@ profile dbus-session flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
+  network unix stream,
+
   unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none),
 
   signal (receive) set=(term hup)      peer=gdm-session-worker,

apparmor.d/groups/children/child-modprobe-nvidia

@@ -55,6 +55,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
 
   /dev/tty@{int} rw,
 
+  deny  @{HOME}/.steam/** r,
+
   profile kmod {
     include <abstractions/base>
     include <abstractions/app/kmod>
@@ -69,6 +71,8 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
     # @{sys}/module/{drm,nvidia}/initstate r,
     @{sys}/module/compression r,
 
+    deny  @{HOME}/.steam/** r,
+
     include if exists <local/child-modprobe-nvidia_kmod>
   }
 

apparmor.d/groups/freedesktop/xdg-dbus-proxy

@@ -18,6 +18,8 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/consoles>
 
+  network unix stream,
+
   dbus send bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.portal.Realtime
        member=MakeThreadRealtimeWithPID

apparmor.d/groups/gnome/gnome-session-binary

@@ -111,49 +111,21 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 
   profile open flags=(attach_disconnected) {
     include <abstractions/base>
-    include <abstractions/app-launcher-user>
+    include <abstractions/desktop>
 
-    @{lib}/gio-launch-desktop                               mr,
+    @{bin}/env rix,
+    @{sh_path} r,
     @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop      mr,
-    @{sh_path}                                             rix,
+    @{lib}/gio-launch-desktop                               mr,
 
-    @{bin}/aa-notify                                       rPx,
+    @{lib}/**                     PUx,
-    @{bin}/blueman-applet                                  rPx,
+    @{bin}/**                     PUx,
-    @{bin}/firewall-applet                                 rPx,
+    /opt/*/**                     PUx,
-    @{bin}/gnome-keyring-daemon                            rPx,
+    /usr/share/*/**               PUx,
-    @{bin}/gnome-shell                                     rPx,
+    /usr/local/bin/**             PUx,
-    @{bin}/gnome-software                                  rPx,
+    /usr/games/**                 PUx,
-    @{bin}/im-launch                                       rPx,
-    @{bin}/keepassxc                                       rPx,
-    @{bin}/opensuse-welcome                                rPx,
-    @{bin}/parcellite                                     rPUx,
-    @{bin}/pkcs11-register                                 rPx,
-    @{bin}/snap                                           rPUx,
-    @{bin}/snapshot-detect                                rPUx,
-    @{bin}/spice-vdagent                                   rPx,
-    @{bin}/start-pulseaudio-x11                            rPx,
-    @{bin}/ubuntu-report                                   rPx,
-    @{bin}/update-notifier                                 rPx,
-    @{bin}/xbrlapi                                         rPx,
-    @{bin}/xdg-user-dirs-gtk-update                        rPx,
-    @{bin}/xdg-user-dirs-update                            rPx,
-    @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher          rPx,
-    @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rPx,
-    @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher  rPUx,
-    @{lib}/caribou/caribou                                rPUx,
-    @{lib}/deja-dup/deja-dup-monitor                       rPx,
-    @{lib}/gsd-*                                           rPx,
-    @{lib}/update-notifier/ubuntu-advantage-notification   rPx,
-    @{lib}/xapps/sn-watcher/*                             rPUx,
-    @{thunderbird_path}                                    rPx,
-    /usr/share/libpam-kwallet-common/pam_kwallet_init     rPUx,
 
-    #aa:exec baloo
+    /dev/tty rw,
-    #aa:exec evolution-alarm-notify
-    @{lib}/kdeconnectd rPUx,
-    @{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx,
-
-    /dev/tty@{int} rw,
 
     include if exists <usr/gnome-session-binary_open.d>
     include if exists <local/gnome-session-binary_open>

apparmor.d/groups/systemd/systemd-hostnamed

@@ -16,6 +16,8 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
 
   capability sys_admin,  # To set a hostname
 
+  network unix stream,
+
   unix (bind) type=stream addr=@@{hex16}/bus/systemd-hostnam/system,
 
   #aa:dbus own bus=system name=org.freedesktop.hostname1

apparmor.d/groups/systemd/systemd-networkd

@@ -53,12 +53,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/network/ r,
         @{run}/systemd/network/*.network r,
         @{run}/systemd/notify rw,
-  owner @{run}/systemd/netif/.#state rw,
+  owner @{run}/systemd/netif/** rw,
-  owner @{run}/systemd/netif/.#state* rw,
-  owner @{run}/systemd/netif/leases/{,*} rw,
-  owner @{run}/systemd/netif/links/{,*} rw,
-  owner @{run}/systemd/netif/lldp/{,*} rw,
-  owner @{run}/systemd/netif/state rw,
 
   @{run}/udev/data/n@{int} r,
 

apparmor.d/groups/virt/cockpit-bridge

@@ -40,6 +40,7 @@ profile cockpit-bridge @{exec_path} {
   @{lib}/cockpit/cockpit-ssh rPx,
 
   /usr/share/cockpit/{,**} r,
+  /usr/{,local/}share/ r,
 
   /etc/cockpit/{,**} r,
   /etc/httpd/conf/mime.types r,
@@ -51,6 +52,7 @@ profile cockpit-bridge @{exec_path} {
   /etc/shells r,
 
   owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
+  owner @{user_share_dirs}/ r,
 
   @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
   @{run}/utmp r,

apparmor.d/profiles-a-f/adb

@@ -9,14 +9,16 @@ include <tunables/global>
 
 @{exec_path}  = @{bin}/adb
 @{exec_path} += @{lib}/android-sdk/platform-tools/adb
-profile adb @{exec_path} {
+profile adb @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/devices-usb>
   include <abstractions/nameservice-strict>
   include <abstractions/user-download-strict>
 
   network inet stream,
   network inet6 stream,
+  network netlink raw,
 
   signal (receive) set=(kill) peer=scrcpy,
 

apparmor.d/profiles-m-r/mount

@@ -49,7 +49,6 @@ profile mount @{exec_path} flags=(attach_disconnected) {
   @{MOUNTS}/ rw,
   @{MOUNTS}/*/ rw,
   @{MOUNTS}/*/*/ rw,
-  /media/cdrom[0-9]/ r,
 
   # Mount iso/img files
   owner @{user_img_dirs}/{,**} rwk,

apparmor.d/profiles-m-r/ntfs-3g

@@ -9,8 +9,9 @@ include <tunables/global>
 
 @{exec_path}  = @{bin}/{low,}ntfs{,-3g}
 @{exec_path} += @{bin}/mount.{low,}ntfs{,-3g}
-profile ntfs-3g @{exec_path} {
+profile ntfs-3g @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/disks-write>
   include <abstractions/nameservice-strict>
 

apparmor.d/profiles-m-r/ollama

@@ -48,3 +48,5 @@ profile ollama @{exec_path} flags=(attach_disconnected) {
 
   include if exists <local/ollama>
 }
+
+# vim:syntax=apparmor

apparmor.d/profiles-m-r/pam-tmpdir-helper

@@ -15,7 +15,7 @@ profile pam-tmpdir-helper @{exec_path} {
 
   @{exec_path} mr,
 
-  owner @{tmp}/user/ rw,
+  owner /tmp/user/ rw,
   owner @{tmp}/ rw,
 
   /dev/ptmx rw,

apparmor.d/profiles-m-r/run-parts

@@ -137,7 +137,7 @@ profile run-parts @{exec_path} {
 
   owner @{tmp}/#@{int} rw,
   owner @{tmp}/$anacron* rw,
-  owner @{tmp}/file@{rand6} ra,
+  owner @{tmp}/file@{rand6} rw,
   
   owner @{sys}/class/power_supply/            r,
 

apparmor.d/profiles-s-z/scrcpy

@@ -34,6 +34,8 @@ profile scrcpy @{exec_path} {
   owner @{user_config_dirs}/ibus/bus/ r,
   owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
 
+  owner @{PROC}/@{pid}/cmdline r,
+
   deny @{user_share_dirs}/gvfs-metadata/* r,
 
   include if exists <local/scrcpy>

apparmor.d/profiles-s-z/smplayer

@@ -12,22 +12,13 @@ profile smplayer @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio-client>
   include <abstractions/consoles>
-  include <abstractions/dri-enumerate>
+  include <abstractions/graphics>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
+  include <abstractions/desktop>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
-  include <abstractions/qt5>
   include <abstractions/qt5-compose-cache-write>
   include <abstractions/qt5-settings-write>
   include <abstractions/user-download-strict>
-  include <abstractions/wayland>
-  include <abstractions/X>
-
-  # Needed for hardware decoding
-  ##include <abstractions/nvidia>
 
   signal (send) set=(term, kill),
   signal (receive) set=(term, kill),

apparmor.d/profiles-s-z/steam

@@ -84,14 +84,14 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{lib_dirs}/**                mr,
   @{lib_dirs}/*driverquery      rix,
-  @{lib_dirs}/fossilize_replay  rpx,
+  @{lib_dirs}/fossilize_replay  rpx, # steam-fossilize
-  @{lib_dirs}/gameoverlayui     rpx,
+  @{lib_dirs}/gameoverlayui     rpx, # steam-gameoverlayui
   @{lib_dirs}/reaper            rpx, # steam-runtime
   @{lib_dirs}/steam*            rix,
 
   @{app_dirs}/@{runtime}/*entry-point rpx -> steam-runtime,
 
-  @{share_dirs}/linux{32,64}/steamerrorreporter rpx,
+  @{share_dirs}/linux{32,64}/steamerrorreporter rpx, # steamerrorreporter
 
   @{runtime_dirs}/*entry-point                                                      rix,
   @{runtime_dirs}/@{arch}/@{bin}/srt-logger                                         rix,
@@ -101,7 +101,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-input-monitor                        rix,
   @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launch-*                             rix,
   @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-interface-@{int}            rix,
-  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service                     rpx,
+  @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-launcher-service                     rpx, # steam-launcher
   @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-libcurl-*                            rix,
   @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote                         rix,
   @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-supervisor                           rix,
@@ -125,14 +125,10 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   /var/lib/dbus/machine-id r,
 
   / r,
-
   @{bin}/ r,
   @{lib}/ r,
-
   /etc/ r,
-
   /home/ r,
-
   /usr/ r,
   /usr/local/ r,
   /usr/local/lib/ r,
@@ -350,6 +346,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
     @{sys}/class/*/ r,
     @{sys}/devices/**/report_descriptor r,
     @{sys}/devices/**/uevent r,
+    @{sys}/devices/@{pci}/usb@{int}/**/{idVendor,idProduct,interface} r,
     @{sys}/devices/system/cpu/kernel_max r,
     @{sys}/devices/virtual/tty/tty@{int}/active r,
 
@@ -365,6 +362,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
     owner @{PROC}/@{pid}/task/@{tid}/comm r,
     owner @{PROC}/@{pid}/task/@{tid}/status r,
 
+    /dev/ r,
     /dev/hidraw@{int} rw,
     /dev/tty rw,
 

apparmor.d/profiles-s-z/steam-game-native

@@ -19,15 +19,15 @@ profile steam-game-native @{exec_path} flags=(attach_disconnected) {
   include <abstractions/common/steam-game>
 
   network inet dgram,
-  network inet6 dgram,
   network inet stream,
+  network inet6 dgram,
   network inet6 stream,
   network netlink raw,
   network unix stream,
 
   signal receive peer=steam,
 
-  @{exec_path} rmix,
+  @{exec_path} mrix,
 
   @{sh_path} rix,
 

apparmor.d/profiles-s-z/steam-runtime

@@ -22,6 +22,8 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
   include <abstractions/wayland>
   include <abstractions/X-strict>
 
+  network inet stream,
+  network inet6 stream,
   network unix stream,
 
   @{exec_path} mr,