feat(abs): add abi reference to all abstractions.

2025-02-28 20:54:43 +01:00 · 2024-10-09 22:19:01 +01:00 · 2024-10-09 22:19:01 +01:00 · fc43400c26
commit fc43400c26
parent c923cc7ccf
112 changed files with 225 additions and 1 deletions
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@ -2,6 +2,9 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
+
  # The unix socket to use to connect to the display
  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@ -3,6 +3,8 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  @{bin}/**                     PUx,
  /usr/local/{s,}bin/**         PUx,

--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@ -3,6 +3,8 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  @{bin}/**                     PUx,
  /opt/*/**                     PUx,
  /usr/share/**                 PUx,
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@ -8,6 +8,8 @@
 # Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail
 # should be present here. Until this day, this profile will be a controlled mess.

+  abi <abi/4.0>,
+
  # Sandbox managers
  @{bin}/bwrap                  rPUx,
  @{bin}/firejail               rPUx,
--- a/apparmor.d/abstractions/app/bus
+++ b/apparmor.d/abstractions/app/bus
@ -4,6 +4,8 @@

 # Minimal set of rules for dbus-send/dbus-launch.

+  abi <abi/4.0>,
+
  include <abstractions/nameservice-strict>

  @{bin}/dbus-launch  mix,
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -16,6 +16,8 @@
 # or abstractions/common/electron instead.
 #

+  abi <abi/4.0>,
+
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@ -3,6 +3,8 @@
 # Copyright (C) 2024 Zane Zakraisek <zz@eng.utah.edu>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  include <abstractions/nameservice-strict>
  include <abstractions/consoles>

--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@ -12,6 +12,8 @@
 # @{cache_dirs} = @{user_cache_dirs}/mozilla/
 #

+  abi <abi/4.0>,
+
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
--- a/apparmor.d/abstractions/app/kmod
+++ b/apparmor.d/abstractions/app/kmod
@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  include <abstractions/consoles>

  @{bin}/depmod    mr,
--- a/apparmor.d/abstractions/app/open
+++ b/apparmor.d/abstractions/app/open
@ -4,6 +4,8 @@

 # Full set of rules for child-open-* profiles.

+  abi <abi/4.0>,
+
  include <abstractions/desktop>

  @{open_path} mrix,
--- a/apparmor.d/abstractions/app/pgrep
+++ b/apparmor.d/abstractions/app/pgrep
@ -4,6 +4,8 @@

 # Minimal set of rules for pgrep/pkill.

+  abi <abi/4.0>,
+
  include <abstractions/consoles>

  capability sys_ptrace,
--- a/apparmor.d/abstractions/app/pkexec
+++ b/apparmor.d/abstractions/app/pkexec
@ -4,6 +4,8 @@

 # Minimal set of rules for pkexec.

+  abi <abi/4.0>,
+
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/consoles>
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@ -4,6 +4,8 @@

 # Minimal set of rules for sudo. Interactive sudo need more rules.

+  abi <abi/4.0>,
+
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/consoles>
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  include <abstractions/bus-system>
  include <abstractions/consoles>

--- a/apparmor.d/abstractions/app/udevadm
+++ b/apparmor.d/abstractions/app/udevadm
@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  ptrace read peer=@{p_systemd},

  @{bin}/udevadm mr,
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@ -5,6 +5,8 @@
 # Most programs do not need access to audio devices, audio-client only includes
 # configuration files to be used by client applications.

+  abi <abi/4.0>,
+
  /usr/share/alsa/{,**} r,
  /usr/share/openal/hrtf/{,**} r,
  /usr/share/pipewire/client-rt.conf r,
--- a/apparmor.d/abstractions/audio-server
+++ b/apparmor.d/abstractions/audio-server
@ -5,6 +5,8 @@
 # Provide access to audio devices. It should only be used by audio servers that
 # need direct access to them. 

+  abi <abi/4.0>,
+
  include <abstractions/audio-client>

  @{run}/udev/data/+sound:card@{int} r,   # for sound card
--- a/apparmor.d/abstractions/bash-strict
+++ b/apparmor.d/abstractions/bash-strict
@ -5,6 +5,8 @@
 # This abstraction is only required when an interactive shell is started.
 # Classic shell scripts do not need it.

+  abi <abi/4.0>,
+
  /usr/share/bash-completion/{,**} r,
  /usr/share/terminfo/{,**} r,

--- a/apparmor.d/abstractions/bus-accessibility
+++ b/apparmor.d/abstractions/bus-accessibility
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=accessibility path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
--- a/apparmor.d/abstractions/bus-session
+++ b/apparmor.d/abstractions/bus-session
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
  unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"),
--- a/apparmor.d/abstractions/bus-system
+++ b/apparmor.d/abstractions/bus-system
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
--- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
+++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
@ -4,6 +4,8 @@

 # Access required for connecting to/communicating with the Unity Launcher

+  abi <abi/4.0>,
+
  dbus send bus=session path=/com/canonical/unity/launcherentry/@{int}
       interface=com.canonical.Unity.LauncherEntry
       member=Update
--- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu
+++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+

  include if exists <abstractions/bus/com.canonical.dbusmenu.d>

--- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
+++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/fi/w1/wpa_supplicant1
       interface=org.freedesktop.DBus.Properties
       member={GetAll,PropertiesChanged}
--- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
+++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/net/hadess/PowerProfiles
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
+++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/net/hadess/SwitcherooControl
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/net.reactivated.Fprint
+++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/net/reactivated/Fprint/Manager
       interface=net.reactivated.Fprint.Manager
       member={GetDevices,GetDefaultDevice}
--- a/apparmor.d/abstractions/bus/org.a11y
+++ b/apparmor.d/abstractions/bus/org.a11y
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  # Accessibility bus

  dbus receive bus=accessibility path=/org/a11y/atspi/registry
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/org.bluez
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus receive bus=system path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=InterfacesRemoved
--- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/Accounts
       interface=org.freedesktop.Accounts
       member={FindUserByName,ListCachedUsers}
--- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/
       interface=org.freedesktop.DBus.Peer
       member=Ping
--- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/ColorManager
       interface=org.freedesktop.ColorManager
       member=GetDevices
--- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/freedesktop/FileManager1
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/ModemManager1
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/freedesktop/Notifications
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/PackageKit
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=Changed
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.DBus.Properties
       member=Get
--- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/ScreenSaver
       interface=org.freedesktop.ScreenSaver
       member={Inhibit,UnInhibit}
--- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
       interface=org.freedesktop.DBus.Peer
       member=Ping
--- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/UDisks2
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/UPower
       interface=org.freedesktop.UPower
       member=EnumerateDevices
--- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
+++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/freedesktop/background/monitor
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/hostname1
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
--- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
+++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/locale1
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=GetSession
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.network1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/network1
       interface=org.freedesktop.DBus.Properties
       member=Get
--- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
+++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/freedesktop/portal/desktop
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll,Read}
--- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/resolve1
       interface=org.freedesktop.resolve1.Manager
       member={SetLink*,ResolveHostname}
--- a/apparmor.d/abstractions/bus/org.freedesktop.secrets
+++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/freedesktop/secrets{,/**}
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/systemd1
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/freedesktop/systemd1
       interface=org.freedesktop.DBus.Properties
       member={Get,GetAll}
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/freedesktop/timedate1
       interface=org.freedesktop.DBus.Properties
       member=Get
--- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
+++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gnome/ArchiveManager1
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager
+++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=system path=/org/gnome/DisplayManager/Manager
       interface=org.gnome.DisplayManager.Manager
       member=RegisterDisplay
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
       interface=org.gnome.Mutter.DisplayConfig
       member={GetResources,GetCrtcGamma}
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
--- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
+++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
+++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gnome/ScreenSaver
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.gnome.SessionManager
+++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager
@ -4,6 +4,8 @@

 # FIXME: Too large, restrict it.

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gnome/SessionManager
       interface=org.gnome.SessionManager
       member={RegisterClient,IsSessionRunning}
--- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
+++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gnome/Shell/Introspect
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
+++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
       interface=org.gtk.Private.RemoteVolumeMonitor
       member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded}
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gtk/vfs/Daemon
       interface=org.gtk.vfs.Daemon
       member={GetConnection,ListMonitorImplementations,ListMountableInfo}
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gtk/vfs/metadata
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/org/gtk/vfs/mounttracker
       interface=org.gtk.vfs.MountTracker
       member=ListMountableInfo
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
@ -2,6 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,

  include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>

--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  dbus send bus=session path=/StatusNotifierWatcher
       interface=org.freedesktop.DBus.Properties
       member=Get
--- a/apparmor.d/abstractions/bus/org.kde.kwalletd
+++ b/apparmor.d/abstractions/bus/org.kde.kwalletd
@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  include if exists <abstractions/bus/org.kde.kwalletd.d>

 # vim:syntax=apparmor
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -9,6 +9,8 @@
 # applications (bwrap) that have no way to restrict access depending on the
 # application being confined.

+  abi <abi/4.0>,
+
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
--- a/apparmor.d/abstractions/common/apt
+++ b/apparmor.d/abstractions/common/apt
@ -3,6 +3,8 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  /usr/share/dpkg/cputable r,
  /usr/share/dpkg/tupletable r,

--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -7,6 +7,8 @@
 # - the flag: attach_disconnected
 # - bwrap execution: '@{bin}/bwrap rix,'

+  abi <abi/4.0>,
+
  userns,

  capability net_admin,
--- a/apparmor.d/abstractions/common/chromium
+++ b/apparmor.d/abstractions/common/chromium
@ -6,6 +6,8 @@
 # This abstraction is for chromium based application. Chromium based browsers
 # need to use abstractions/chromium instead.

+  abi <abi/4.0>,
+
  userns,

  capability setgid, # If kernel.unprivileged_userns_clone = 1
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@ -12,6 +12,8 @@
 # @{cache_dirs} = @{user_cache_dirs}/@{name}
 #

+  abi <abi/4.0>,
+
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/graphics>
--- a/apparmor.d/abstractions/common/game
+++ b/apparmor.d/abstractions/common/game
@ -10,6 +10,8 @@
 #   (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
 # - @{user_games_dirs} for user specific game directories (eg: steam storage dir)

+  abi <abi/4.0>,
+
  include <abstractions/audio-client>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
--- a/apparmor.d/abstractions/common/gnome
+++ b/apparmor.d/abstractions/common/gnome
@ -4,6 +4,8 @@

 # Minimal set of rules for all gnome based UI application.

+  abi <abi/4.0>,
+
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
--- a/apparmor.d/abstractions/common/steam-game
+++ b/apparmor.d/abstractions/common/steam-game
@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  include <abstractions/common/game>

  @{lib_dirs}/ r,
--- a/apparmor.d/abstractions/common/systemd
+++ b/apparmor.d/abstractions/common/systemd
@ -3,6 +3,8 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  ptrace read peer=@{p_systemd},

  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
--- a/apparmor.d/abstractions/dconf-write
+++ b/apparmor.d/abstractions/dconf-write
@ -5,6 +5,8 @@
 # Permissions for querying dconf settings with write access; use the dconf
 # abstraction first, and dconf-write only for specific application's profile.

+  abi <abi/4.0>,
+
  dbus send bus=session path=/ca/desrt/dconf/Writer/user
       interface=ca.desrt.dconf.Writer
       member=Change
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@ -11,6 +11,8 @@

 # The only legitimate use in this project is for file browser and search engine.

+  abi <abi/4.0>,
+
  # User defined private directories
  deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**}  mrxwlk,
  deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**}    mrxwlk,
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@ -7,6 +7,8 @@
 # When supported in apparmor, condition will be used in this abstraction to filter
 # resources specific for supported DE.

+  abi <abi/4.0>,
+
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
@ -3,6 +3,8 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  /dev/ r,
  /dev/bus/usb/ r,
  /dev/bus/usb/@{int}/ r,
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@ -5,6 +5,8 @@

  # The /sys/ entries probably should be tightened

+  abi <abi/4.0>,
+
  /dev/ r,
  /dev/block/ r,
  /dev/disk/{,*/} r,
--- a/apparmor.d/abstractions/disks-write
+++ b/apparmor.d/abstractions/disks-write
@ -5,6 +5,8 @@

  # The /sys/ entries probably should be tightened

+  abi <abi/4.0>,
+
  /dev/ r,
  /dev/block/ r,
  /dev/disk/{,*/} r,
--- a/apparmor.d/abstractions/dri
+++ b/apparmor.d/abstractions/dri
@ -6,6 +6,8 @@
 # Linux graphics stack which allows unprivileged user-space programs to issue 
 # commands to graphics hardware without conflicting with other programs.

+  abi <abi/4.0>,
+
  @{lib}/dri/**                 mr,
  @{lib}/@{multiarch}/dri/**    mr,
  @{lib}/fglrx/dri/**           mr,
--- a/apparmor.d/abstractions/fish
+++ b/apparmor.d/abstractions/fish
@ -5,6 +5,8 @@
 # This abstraction is only required when an interactive shell is started.
 # Classic shell scripts do not need it.

+  abi <abi/4.0>,
+
  /usr/share/fish/{,**} r,

  /etc/fish/{,**} r,
--- a/apparmor.d/abstractions/fontconfig-cache-read
+++ b/apparmor.d/abstractions/fontconfig-cache-read
@ -9,6 +9,8 @@
  # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use
  # the "fontconfig-cache-write" abstraction.

+  abi <abi/4.0>,
+
       owner @{user_cache_dirs}/fontconfig/ r,
  deny       @{user_cache_dirs}/fontconfig/ w,
  deny       @{user_cache_dirs}/fontconfig/** w,
--- a/apparmor.d/abstractions/fontconfig-cache-write
+++ b/apparmor.d/abstractions/fontconfig-cache-write
@ -3,6 +3,8 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  owner @{user_cache_dirs}/fontconfig/ rw,
  owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
  owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
--- a/apparmor.d/abstractions/glfw
+++ b/apparmor.d/abstractions/glfw
@ -2,6 +2,8 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw,

  include if exists <abstractions/glfw.d>
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@ -2,6 +2,8 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
--- a/apparmor.d/abstractions/graphics
+++ b/apparmor.d/abstractions/graphics
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  include <abstractions/dri>
  include <abstractions/mesa>
  include <abstractions/nvidia-strict>
--- a/apparmor.d/abstractions/graphics-full
+++ b/apparmor.d/abstractions/graphics-full
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  include <abstractions/graphics>

  /dev/char/@{dynamic}:@{int} w,          # For dynamic assignment range 234 to 254, 384 to 511
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@ -3,6 +3,8 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  @{lib}/@{multiarch}/libproxy/*/modules/*.so mr,
  @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr,
  @{lib}/frei0r-@{int}/*.so mr,
--- a/apparmor.d/abstractions/kde-strict
+++ b/apparmor.d/abstractions/kde-strict
@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/qt5>
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@ -6,6 +6,8 @@
 # Many programs wish to perform nameservice-like operations, such as looking up
 # users by name or id, groups by name or id, hosts by name or IP, etc.

+  abi <abi/4.0>,
+
  include <abstractions/nss-systemd>

  @{etc_ro}/default/nss r,
--- a/apparmor.d/abstractions/nvidia-strict
+++ b/apparmor.d/abstractions/nvidia-strict
@ -2,6 +2,8 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia,

  /usr/share/nvidia/nvidia-application-profiles-* r,
--- a/apparmor.d/abstractions/qt5-shader-cache
+++ b/apparmor.d/abstractions/qt5-shader-cache
@ -3,6 +3,8 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  abi <abi/4.0>,
+
  owner @{user_cache_dirs}/ w,
  owner @{user_cache_dirs}/qtshadercache/ rw,
  owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
--- a/Show more
+++ b/Show more