feat(profile): general update.

apparmor.d/groups/freedesktop/fc-cache

@@ -7,7 +7,9 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{snap/snapd/@{int}/,}{usr/,}bin/fc-cache{,-32,-v*}
+@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin}
+
+@{exec_path} = @{bin_dirs}/fc-cache{,-32,-v*}
 profile fc-cache @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/freedesktop/xdg-mime

@@ -18,6 +18,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
   @{bin}/{,e}grep   rix,
   @{bin}/{m,g,}awk  rix,
   @{bin}/basename   rix,
+  @{bin}/cat        rix,
   @{bin}/cut        rix,
   @{bin}/file       rix,
   @{bin}/head       rix,

apparmor.d/groups/freedesktop/xdg-screensaver

@@ -32,7 +32,7 @@ profile xdg-screensaver @{exec_path} {
   @{bin}/xset         rPx,
   @{bin}/hostname     rix,
 
-  /dev/dri/card[0-9] rw,
+  /dev/dri/card@{int} rw,
 
   owner @{HOME}/ r,
   owner @{HOME}/.Xauthority r,

apparmor.d/groups/gnome/gnome-music

@@ -48,7 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/inhibit/[0-9]*.ref rw,
 
   owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw,
-  owner /var/tmp/etilqs_@{hex} rw,
+  owner /var/tmp/etilqs_@{hex16} rw,
 
         @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/groups/pacman/aurpublish

@@ -55,7 +55,7 @@ profile aurpublish @{exec_path} {
   owner @{user_cache_dirs}/makepkg/src/* rw,
   owner @{user_config_dirs}/pacman/makepkg.conf r,
 
-  owner @{tmp}/tmp.* rw,
+  owner @{tmp}/tmp.@{rand10} rw,
 
   owner @{PROC}/@{pid}/maps r,
 

apparmor.d/groups/pacman/pacman

@@ -146,6 +146,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
 
   # Silencer,
   deny @{HOME}/ r,
+  deny @{HOME}/**/ r,
   deny /tmp/ r,
 
   profile gpg {

apparmor.d/groups/virt/libvirtd

@@ -117,6 +117,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 
   @{sh_path}                    rix,
   @{bin}/ip                     rix,
+  @{bin}/nft                    rix,
   @{bin}/qemu-img               rUx, # TODO: Integration with virt-aa-helper
   @{bin}/qemu-system*           rUx, # TODO: Integration with virt-aa-helper
   @{bin}/tc                     rix,

apparmor.d/profiles-a-f/acpid

@@ -18,7 +18,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{bin}/{ba,da,}sh        rix,
+  @{sh_path}               rix,
   @{bin}/logger            rix,
 
   /etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn,

apparmor.d/profiles-a-f/dmesg

@@ -12,8 +12,8 @@ profile dmesg @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
-  capability syslog,
   capability dac_read_search,
+  capability syslog,
 
   @{exec_path} mr,
 
@@ -28,8 +28,11 @@ profile dmesg @{exec_path} {
 
   /dev/kmsg r,
 
-  deny /{usr/,}local/bin/ r,
   deny @{bin}/{,*/} r,
+  deny /{usr/,}local/{,s}bin/ r,
+  deny /var/lib/flatpak/exports/bin/ r,
+  deny @{HOME}/.go/bin/ r,
+  deny @{user_bin_dirs}/ r,
 
   include if exists <local/dmesg>
 }

apparmor.d/profiles-a-f/f3fix

@@ -12,28 +12,20 @@ profile f3fix @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
 
-  # To remove the following errors:
-  #  Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the
-  #  kernel of the change, probably because it/they are in use.  As a result, the old partition(s)
-  #  will remain in use.  You should reboot now before making further changes.
   capability sys_admin,
-
-  # Needed? (##FIXME##)
   capability sys_rawio,
 
-  # Needed?
+  ptrace read,
-  ptrace (read),
 
   @{exec_path} mr,
 
-  @{sh_path}         rix,
+  @{sh_path}  rix,
 
   @{bin}/dmidecode  rPx,
+  @{bin}/udevadm    rCx -> udevadm,
 
-  @{bin}/udevadm     rCx -> udevadm,
-
-  owner @{PROC}/@{pid}/mounts r,
         @{PROC}/swaps r,
+  owner @{PROC}/@{pid}/mounts r,
 
   profile udevadm {
     include <abstractions/base>

apparmor.d/profiles-a-f/fatresize

@@ -12,27 +12,20 @@ profile fatresize @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
 
-  # Needed to inform the system of newly created/removed partitions
-  # ioctl(3, BLKFLSBUF)              = -1 EACCES (Permission denied)
   capability sys_admin,
-
-  # Needed? (##FIXME##)
   capability sys_rawio,
 
-  # Needed?
+  ptrace read,
-  ptrace (read),
 
   @{exec_path} mr,
 
-  @{sh_path}         rix,
+  @{sh_path}  rix,
 
   @{bin}/dmidecode  rPx,
+  @{bin}/udevadm    rCx -> udevadm,
 
-  @{bin}/udevadm     rCx -> udevadm,
-
-  owner @{PROC}/@{pid}/mounts r,
         @{PROC}/swaps r,
-
+  owner @{PROC}/@{pid}/mounts r,
 
   profile udevadm {
     include <abstractions/base>

apparmor.d/profiles-a-f/findmnt

@@ -14,6 +14,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
   include <abstractions/disks-read>
 
   capability dac_read_search,
+  capability sys_rawio,
 
   @{exec_path} mr,
 

apparmor.d/profiles-g-l/gpartedbin

@@ -7,30 +7,26 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/gpartedbin
+@{exec_path} = @{bin}/gpartedbin @{lib}/{,gparted/}gpartedbin
-@{exec_path} += @{lib}/gpartedbin
-@{exec_path} += @{lib}/gparted/gpartedbin
 profile gpartedbin @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/disks-write>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
 
   capability dac_read_search,
   capability ipc_lock,
   capability sys_admin,
   capability sys_rawio,
 
-  ptrace (read),
+  ptrace read,
 
-  signal (send) peer=mke2fs,
+  signal send peer=mke2fs,
 
   @{exec_path} mr,
 
-  @{sh_path}         rix,
+  @{sh_path}        rix,
 
   @{bin}/blkid      rPx,
   @{bin}/dmidecode  rPx,
@@ -84,29 +80,21 @@ profile gpartedbin @{exec_path} {
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
 
-  /dev/mapper/control rw,
-
   profile mount {
     include <abstractions/base>
+    include <abstractions/disks-read>
 
     capability sys_admin,
 
-    mount /dev/{s,v}d[a-z]*[0-9]* -> /tmp/gparted-*/,
+    mount /dev/{s,v}d[a-z]*@{int} -> /tmp/gparted-*/,
 
-    mount /dev/{s,v}d[a-z]*[0-9]* -> /boot/,
+    mount /dev/{s,v}d[a-z]*@{int} -> /boot/,
-    mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
+    mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/,
-    mount /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
+    mount /dev/{s,v}d[a-z]*@{int} -> @{MOUNTS}/*/,
 
     @{bin}/mount mr,
 
-    @{sys}/devices/@{pci}/block/{s,v}d[a-z]/ r,
+    include if exists <local/gpartedbin_umount>
-    @{sys}/devices/@{pci}/block/{s,v}d[a-z]/dev r,
-    @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/ r,
-    @{sys}/devices/@{pci}/block/{s,v}d[a-z]/{s,v}d[a-z][0-9]*/{start,size} r,
-
-    /dev/{s,v}d[a-z]* r,
-    /dev/{s,v}d[a-z]*[0-9]* r,
-
   }
 
   profile umount {
@@ -128,6 +116,7 @@ profile gpartedbin @{exec_path} {
 
     owner @{PROC}/@{pid}/mountinfo r,
 
+    include if exists <local/gpartedbin_umount>
   }
 
   profile udevadm {

apparmor.d/profiles-g-l/gpodder

@@ -10,14 +10,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/gpodder
 profile gpodder @{exec_path} {
   include <abstractions/base>
-  include <abstractions/freedesktop.org>
+  include <abstractions/desktop>
-  include <abstractions/fonts>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/gtk>
-  include <abstractions/python>
   include <abstractions/nameservice-strict>
-  include <abstractions/user-download-strict>
+  include <abstractions/python>
   include <abstractions/ssl_certs>
+  include <abstractions/user-download-strict>
 
   network inet dgram,
   network inet6 dgram,
@@ -32,64 +30,30 @@ profile gpodder @{exec_path} {
   @{sh_path}        rix,
   @{bin}/uname      rix,
 
-  owner @{HOME}/ r,
+  @{bin}/xdg-settings    rPx,
-  owner @{HOME}/gPodder/ rw,
+  @{open_path}           rPx -> child-open,
-  owner @{HOME}/gPodder/** rwk,
-
-  /usr/share/gpodder/{,**} r,
-
-  owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/mountinfo r,
-
-  /etc/fstab r,
-
-  owner /var/tmp/etilqs_@{hex} rw,
-
-  /etc/mime.types r,
-
-  /usr/share/*/*.desktop r,
-
-  @{bin}/xdg-settings    rPUx,
-
-  @{bin}/xdg-open                                    rCx -> open,
-  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
 
   # A/V players
   @{bin}/smplayer        rPUx,
   @{bin}/vlc             rPUx,
   @{bin}/mpv             rPUx,
 
-  # Open in a web browser
+  /usr/share/gpodder/{,**} r,
-  @{lib}/firefox/firefox rPUx,
+
+  /etc/fstab r,
+  /etc/mime.types r,
+
+  owner @{HOME}/ r,
+  owner @{HOME}/gPodder/ rw,
+  owner @{HOME}/gPodder/** rwk,
+
+  owner /var/tmp/etilqs_@{hex16} rw,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/mountinfo r,
 
-  # file_inherit
   owner /dev/tty@{int} rw,
 
-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-    @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPUx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
-
   include if exists <local/gpodder>
 }

apparmor.d/profiles-g-l/hw-probe

@@ -8,9 +8,10 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/hw-probe
-profile hw-probe @{exec_path} {
+profile hw-probe @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/perl>
+  include <abstractions/X-strict>
 
   capability sys_admin,
 
@@ -20,111 +21,134 @@ profile hw-probe @{exec_path} {
   @{exec_path} rm,
   @{bin}/perl r,
 
-  @{sh_path}         rix,
+  @{sh_path}             rix,
-  @{bin}/{,e}grep    rix,
+  @{bin}/{,e}grep        rix,
-  @{bin}/{m,g,}awk   rix,
+  @{bin}/{m,g,}awk       rix,
-  @{bin}/dd          rix,
+  @{bin}/dd              rix,
-  @{bin}/efibootmgr  rix,
+  @{bin}/efibootmgr      rix,
-  @{bin}/efivar      rix,
+  @{bin}/efivar          rix,
-  @{bin}/md5sum      rix,
+  @{bin}/find            rix,
-  @{bin}/pwd         rix,
+  @{bin}/md5sum          rix,
-  @{bin}/sleep       rix,
+  @{bin}/pwd             rix,
-  @{bin}/tar         rix,
+  @{bin}/sleep           rix,
-  @{bin}/uname       rix,
+  @{bin}/sort            rix,
-
+  @{bin}/tar             rix,
-  @{bin}/lsb_release rPx -> lsb_release,
+  @{bin}/uname           rix,
-  @{bin}/dpkg        rPx -> child-dpkg,
-
-  @{bin}/acpi        rPx,
-  @{bin}/amixer      rPx,
-  @{bin}/aplay       rPx,
-  @{bin}/biosdecode  rPx,
-  @{bin}/cpuid       rPx,
-  @{bin}/cpupower    rPx,
-  @{bin}/df          rPx,
-  @{bin}/dkms        rPx,
-  @{bin}/dmesg       rPx,
-  @{bin}/dmidecode   rPx,
-  @{bin}/edid-decode rPx,
-  @{bin}/fdisk       rPx,
-  @{bin}/glxgears    rPx,
-  @{bin}/glxinfo     rPx,
-  @{bin}/hciconfig   rPx,
-  @{bin}/hdparm      rPx,
-  @{bin}/hwinfo      rPx,
-  @{bin}/i2cdetect   rPx,
-  @{bin}/inxi        rPx,
-  @{bin}/lsblk       rPx,
-  @{bin}/lscpu       rPx,
-  @{bin}/lspci       rPx,
-  @{bin}/lsusb       rPx,
-  @{bin}/memtester   rPx,
-  @{bin}/rfkill      rPx,
-  @{bin}/sensors     rPx,
-  @{bin}/smartctl    rPx,
-  @{bin}/upower      rPx,
-  @{bin}/uptime      rPx,
-  @{bin}/usb-devices rPx,
-  @{bin}/xdpyinfo    rPx,
-  @{bin}/xinput      rPx,
-  @{bin}/xrandr      rPx,
 
+  @{bin}/acpi            rPx,
+  @{bin}/amixer          rPx,
+  @{bin}/aplay           rPx,
+  @{bin}/biosdecode      rPx,
+  @{bin}/cpuid           rPx,
+  @{bin}/cpupower        rPx,
   @{bin}/curl            rCx -> curl,
+  @{bin}/df              rPx,
+  @{bin}/dkms            rPx,
+  @{bin}/dmesg           rPx,
+  @{bin}/dmidecode       rPx,
+  @{bin}/dpkg            rPx -> child-dpkg,
+  @{bin}/edid-decode     rPx,
   @{bin}/ethtool         rCx -> netconfig,
-  @{bin}/find            rCx -> find,
+  @{bin}/fdisk           rPx,
+  @{bin}/glxgears        rPx,
+  @{bin}/glxinfo         rPx,
+  @{bin}/hciconfig       rPx,
+  @{bin}/hdparm          rPx,
+  @{bin}/hwinfo          rPx,
+  @{bin}/i2cdetect       rPx,
   @{bin}/ifconfig        rCx -> netconfig,
+  @{bin}/inxi            rPx,
   @{bin}/iw              rCx -> netconfig,
   @{bin}/iwconfig        rCx -> netconfig,
   @{bin}/journalctl      rCx -> journalctl,
   @{bin}/killall         rCx -> killall,
-  @{bin}/kmod            rCx -> kmod,
+  @{bin}/kmod            rix,
+  @{bin}/lsb_release     rPx -> lsb_release,
+  @{bin}/lsblk           rPx,
+  @{bin}/lscpu           rPx,
+  @{bin}/lspci           rPx,
+  @{bin}/lsusb           rPx,
+  @{bin}/memtester       rPx,
+  @{bin}/nmcli           rPx,
+  @{bin}/pacman          rCx -> pacman,
+  @{bin}/rfkill          rPx,
+  @{bin}/rpm             rCx -> rpm, 
+  @{bin}/sensors         rPx,
+  @{bin}/smartctl        rPx,
   @{bin}/systemctl       rCx -> systemctl,
   @{bin}/systemd-analyze rPx,
   @{bin}/udevadm         rCx -> udevadm,
-
+  @{bin}/upower          rPx,
-  /usr/share/X11/xorg.conf.d/{,*.conf} r,
+  @{bin}/uptime          rPx,
+  @{bin}/usb-devices     rPx,
+  @{bin}/xdpyinfo        rPx,
+  @{bin}/xinput          rPx,
+  @{bin}/xrandr          rPx,
 
   /etc/modprobe.d/{,*.conf} r,
-  /etc/X11/xorg.conf.d/{,*.conf} r,
 
-  /var/log/Xorg.[0-9].log{,.old} r,
+  owner @{HOME}/HW_PROBE/{,**} rw,
 
-  owner /root/HW_PROBE/{,**} rw,
+  audit owner @{tmp}/*/ rw,
-
-  owner @{tmp}/*/ rw,
   owner @{tmp}/*/cpu_perf rw,
 
   @{sys}/class/drm/ r,
   @{sys}/class/power_supply/ r,
-
-  @{sys}/devices/virtual/dmi/id/* r,
   @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
   @{sys}/devices/**/power_supply/*/uevent r,
-
+  @{sys}/devices/virtual/dmi/id/* r,
   @{sys}/firmware/efi/efivars/ r,
   @{sys}/firmware/efi/efivars/* r,
+  @{sys}/module/*/ r,
+  @{sys}/module/*/{coresize,refcnt} r,
+  @{sys}/module/*/holders/ r,
 
   @{PROC}/bus/input/devices r,
+  @{PROC}/cmdline r,
   @{PROC}/interrupts r,
   @{PROC}/ioports r,
+  @{PROC}/modules r,
   @{PROC}/scsi/scsi r,
 
-  profile find {
+  /dev/{,**} r,
+
+  profile pacman flags=(attach_disconnected) {
     include <abstractions/base>
-    include <abstractions/nameservice-strict>
+    include <abstractions/consoles>
+
+    @{bin}/pacman mr,
+
+    @{bin}/gpg      rPx -> pacman//gpg,
+    @{bin}/gpgconf  rPx -> pacman//gpg,
+    @{bin}/gpgsm    rPx -> pacman//gpg,
+
+    /etc/pacman.conf r,
+    /etc/pacman.d/{,**} r,
+
+    /var/lib/pacman/{,**} r,
+
+    include if exists <local/hw-probe_pacman>
+  }
+
+  profile rpm flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/consoles>
 
     capability dac_read_search,
 
-    @{bin}/find mr,
+    @{bin}/rpm mr,
 
-    /root/ r,
+    /var/ r,
+    /var/lib/ r,
+    /var/lib/rpm/ r,
+    /var/lib/rpm/rpmdb.sqlite rk,
+    /var/lib/rpm/rpmdb.sqlite-shm rwk,
+    /var/lib/rpm/rpmdb.sqlite-wal rw,
 
-    /dev/{,**} r,
+    include if exists <local/hw-probe_rpm>
-
-    include if exists <local/hw-probe_find>
   }
 
-  profile journalctl {
+  profile journalctl flags=(attach_disconnected) {
     include <abstractions/base>
 
     @{bin}/journalctl mr,
@@ -133,18 +157,18 @@ profile hw-probe @{exec_path} {
     /etc/machine-id r,
 
     @{run}/log/ rw,
-    /{run,var}/log/journal/ rw,
+    /{run,var}/log/journal/ r,
-    /{run,var}/log/journal/@{hex32}/ rw,
+    /{run,var}/log/journal/@{hex32}/ r,
-    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw,
+    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
-    /{run,var}/log/journal/@{hex32}/system.journal* rw,
+    /{run,var}/log/journal/@{hex32}/system.journal* r,
-    /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* rw,
+    /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* r,
 
     owner @{PROC}/@{pid}/stat r,
 
     include if exists <local/hw-probe_journalctl>
   }
 
-  profile killall {
+  profile killall flags=(attach_disconnected) {
     include <abstractions/base>
 
     capability sys_ptrace,
@@ -155,8 +179,6 @@ profile hw-probe @{exec_path} {
 
     @{bin}/killall mr,
 
-    # The /proc/ dir is needed to avoid the following error:
-    #  /proc: Permission denied
     @{PROC}/ r,
     @{PROC}/@{pids}/stat r,
 
@@ -170,22 +192,7 @@ profile hw-probe @{exec_path} {
     include if exists <local/hw-probe_udevadm>
   }
 
-  profile kmod {
+  profile netconfig flags=(attach_disconnected) {
-    include <abstractions/base>
-
-    @{bin}/kmod mr,
-
-    @{sys}/module/*/ r,
-    @{sys}/module/*/{coresize,refcnt} r,
-    @{sys}/module/*/holders/ r,
-
-    @{PROC}/cmdline r,
-    @{PROC}/modules r,
-
-    include if exists <local/hw-probe_kmod>
-  }
-
-  profile netconfig {
     include <abstractions/base>
 
     # Not needed
@@ -210,7 +217,7 @@ profile hw-probe @{exec_path} {
     include if exists <local/hw-probe_netconfig>
   }
 
-  profile systemctl {
+  profile systemctl flags=(attach_disconnected) {
     include <abstractions/base>
     include <abstractions/app/systemctl>
   

apparmor.d/profiles-g-l/hwinfo

@@ -12,19 +12,10 @@ profile hwinfo @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>
 
-  # Without the sys_admin CAP, some information, for instance the reserved I/O port address range
+  capability net_raw, # Needed for network related options
-  # in the /proc/ioports, will be hidden.
+  capability sys_admin, # Needed for /proc/ioports
-  capability sys_admin,
+  capability sys_rawio, # Needed for disk related options
-
+  capability syslog, # Needed for /proc/kmsg
-  # For the kernel log entries to be shown in the output
-  capability syslog,
-
-  # To remove the following errors:
-  #  eth0: socket failed: Operation not permitted
-  capability net_raw,
-
-  # Needed when passed disk related options (--block, --partition, --floppy)
-  capability sys_rawio,
 
   network inet dgram,
   network inet6 dgram,
@@ -36,58 +27,61 @@ profile hwinfo @{exec_path} {
 
   @{bin}/kmod       rCx -> kmod,
   @{bin}/udevadm    rCx -> udevadm,
+  @{bin}/acpidump   rPUx,
 
   @{bin}/dmraid rPUx,
 
-  @{PROC}/version r,
+  /usr/share/hwinfo/{,**} r,
-  @{PROC}/cmdline r,
-  @{PROC}/dma r,
-  @{PROC}/interrupts r,
-  @{PROC}/modules r,
-  @{PROC}/tty/driver/serial r,
-  @{PROC}/ioports r,
-  @{PROC}/bus/input/devices r,
-  @{PROC}/partitions r,
-  @{PROC}/driver/nvram r,
-  @{PROC}/sys/dev/cdrom/info r,
 
-  /dev/mem r,
+  /var/lib/hardware/udi/{,**} r,
-  /dev/nvram r,
+
-  /dev/psaux r,
+  owner @{tmp}/hwinfo*.txt rw,
-  /dev/console rw,
-  /dev/ttyS@{int} r,
-  /dev/fb@{int} r,
 
   @{sys}/bus/{,**/} r,
   @{sys}/class/*/ r,
-  @{sys}/devices/@{pci_bus}/** r,
+  @{sys}/devices/@{pci}/** r,
-  @{sys}/devices/**/input/**/dev r,
   @{sys}/devices/**/{modalias,uevent} r,
+  @{sys}/devices/**/input/**/dev r,
   @{sys}/devices/virtual/net/*/{type,carrier,address} r,
   @{sys}/firmware/dmi/tables/DMI r,
   @{sys}/firmware/dmi/tables/smbios_entry_point r,
   @{sys}/firmware/edd/{,**} r,
 
-  /var/lib/hardware/udi/ r,
+  @{PROC}/bus/input/devices r,
-
+  @{PROC}/cmdline r,
-  # For a log file
+  @{PROC}/dma r,
-  owner @{tmp}/hwinfo*.txt rw,
+  @{PROC}/driver/nvram r,
+  @{PROC}/interrupts r,
+  @{PROC}/ioports r,
+  @{PROC}/modules r,
+  @{PROC}/partitions r,
+  @{PROC}/sys/dev/cdrom/info r,
+  @{PROC}/tty/driver/serial r,
+  @{PROC}/version r,
 
+  /dev/console rw,
+  /dev/fb@{int} r,
+  /dev/mem r,
+  /dev/nvram r,
+  /dev/psaux r,
+  /dev/ttyS@{int} r,
 
   profile kmod {
     include <abstractions/base>
+    include <abstractions/consoles>
 
     @{bin}/kmod mr,
 
     /etc/modprobe.d/{,*.conf} r,
 
-    @{PROC}/cmdline r,
-
-    # file_inherit
-    /dev/ttyS@{int} r,
     owner @{tmp}/hwinfo*.txt rw,
+
     @{sys}/devices/@{pci}/drm/card@{int}/ r,
 
+    @{PROC}/cmdline r,
+    @{PROC}/modules r,
+
+    include if exists <local/hwinfo_udevadm>
   }
 
   profile udevadm {

apparmor.d/profiles-g-l/libreoffice

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} += @{lib}/libreoffice/program/soffice
 profile libreoffice @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/bus-session>
   include <abstractions/dconf-write>
   include <abstractions/desktop>

apparmor.d/profiles-m-r/parted

@@ -12,40 +12,26 @@ profile parted @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
 
-  # Needed to inform the system of newly created/removed partitions
-  #  ioctl(3, BLKRRPART)              = -1 EACCES (Permission denied)
-  #
-  #  Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the
-  #  kernel of the change, probably because it/they are in use.  As a result, the old partition(s)
-  #  will remain in use.  You should reboot now before making further changes.
   capability sys_admin,
-
-  # Needed? (#FIXME#)
   capability sys_rawio,
 
-  # Needed?
+  ptrace read,
-  ptrace (read),
 
   @{exec_path} mr,
 
   @{sh_path}        rix,
 
   @{bin}/udevadm    rCx -> udevadm,
-
+  @{bin}/dmidecode  rPx,
-  @{bin}/dmidecode rPx,
 
   /etc/inputrc r,
 
-  # Image files
   owner @{user_img_dirs}/{,**} rwk,
 
         @{PROC}/devices r,
         @{PROC}/swaps r,
   owner @{PROC}/@{pid}/mounts r,
 
-  /dev/mapper/ r,
-  /dev/mapper/control rw,
-
   profile udevadm {
     include <abstractions/base>
     include <abstractions/app/udevadm>

apparmor.d/profiles-m-r/partprobe

@@ -12,34 +12,21 @@ profile partprobe @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
 
-  # To remove the following errors:
-  #  device-mapper: version ioctl on   failed: Permission denied
-  #  Incompatible libdevmapper 1.02.167 (2019-11-30) and kernel driver (unknown version).
   capability sys_admin,
-
-  # To remove the following errors:
-  #  kernel: device-mapper: core: partprobe: sending ioctl 1261 to DM device without required
-  #  privilege.
   capability sys_rawio,
 
-  # Needed?
+  ptrace read,
-  ptrace (read),
 
   @{exec_path} mr,
 
   @{sh_path}        rix,
 
   @{bin}/udevadm    rCx -> udevadm,
+  @{bin}/dmidecode  rPx,
 
-  @{bin}/dmidecode rPx,
-
-  owner @{PROC}/@{pid}/mounts r,
-        @{PROC}/swaps r,
         @{PROC}/devices r,
-
+        @{PROC}/swaps r,
-  /dev/mapper/ r,
+  owner @{PROC}/@{pid}/mounts r,
-  /dev/mapper/control rw,
-
 
   profile udevadm {
     include <abstractions/base>

apparmor.d/profiles-m-r/pass-import

@@ -9,8 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/pimport
 profile pass-import @{exec_path} {
   include <abstractions/base>
-  include <abstractions/python>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
+  include <abstractions/python>
+  include <abstractions/ssl_certs>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-m-r/pkexec

@@ -37,12 +37,11 @@ profile pkexec @{exec_path} {
 
   # Apps to be run via pkexec
   @{bin}/*            rPUx,
+  @{lib}/{,gvfs/}gvfsd-admin    rPx,
   @{lib}/cc-remote-login-helper rPx,
-  @{lib}/gvfs/gvfsd-admin rPUx, #(#FIXME#)
-  @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
-  @{lib}/polkit-agent-helper-[0-9]              rPx,
   @{lib}/update-notifier/package-system-locked  rPx,
   /usr/share/apport/apport-gtk rPx,
+  #aa:exec polkit-agent-helper
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*} r,
@@ -59,7 +58,7 @@ profile pkexec @{exec_path} {
   owner @{HOME}/.xsession-errors w,
 
   # Silencer
-deny @{user_share_dirs}/gvfs-metadata/* r,
+  deny @{user_share_dirs}/gvfs-metadata/* r,
 
   include if exists <local/pkexec>
 }

apparmor.d/profiles-m-r/protonmail-bridge

@@ -41,6 +41,8 @@ profile protonmail-bridge @{exec_path} {
   owner @{share_dirs}/ rw,
   owner @{share_dirs}/** rwlk -> @{share_dirs}/**,
 
+  owner @{tmp}/@{uuid}.txt w,
+
   owner @{PROC}/@{pid}/cmdline r,
 
   include if exists <local/protonmail-bridge>

apparmor.d/profiles-s-z/usb-devices

@@ -13,17 +13,19 @@ profile usb-devices @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/devices-usb>
 
-       capability dac_read_search,
+  capability dac_override,
-  deny capability dac_override,
+  capability dac_read_search,
+
+  @{exec_path} mr,
 
-  @{exec_path} r,
   @{sh_path}        rix,
-
-  @{bin}/cat        rix,
-  @{bin}/cut        rix,
   @{bin}/{,e}grep   rix,
   @{bin}/basename   rix,
+  @{bin}/cat        rix,
+  @{bin}/cut        rix,
+  @{bin}/find       rix,
   @{bin}/readlink   rix,
+  @{bin}/sort       rix,
 
   # For shell pwd
   /root/ r,