feat(profile): general update.

apparmor.d/abstractions/chromium

@@ -148,12 +148,13 @@
   @{sys}/bus/ r,
   @{sys}/bus/**/devices/ r,
   @{sys}/class/**/ r,
-  @{sys}/devices/**/uevent r,
   @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
   @{sys}/devices/@{pci}/boot_vga r,
   @{sys}/devices/@{pci}/report_descriptor r,
+  @{sys}/devices/**/uevent r,
   @{sys}/devices/system/cpu/kernel_max r,
   @{sys}/devices/virtual/**/report_descriptor r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
 
         @{PROC}/ r,
         @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/_full/systemd

@@ -169,7 +169,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/tty/console/active r,
-  @{sys}/fs/**/ r,
+  @{sys}/fs/fuse/connections/ r,
+  @{sys}/fs/pstore/ r,
   @{sys}/fs/cgroup/{,**} rw,
   @{sys}/kernel/**/ r,
   @{sys}/module/**/uevent r,

apparmor.d/groups/freedesktop/pipewire-media-session

@@ -23,6 +23,8 @@ profile pipewire-media-session @{exec_path} {
   network bluetooth stream,
   network netlink raw,
 
+  signal (receive) set=(cont term) peer=@{systemd_user},
+
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect

apparmor.d/groups/freedesktop/polkitd

@@ -25,7 +25,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
-       member={GetConnectionUnixProcessID,GetConnectionUnixUser}
+       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
        peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
   @{exec_path} mr,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk

@@ -37,6 +37,10 @@ profile xdg-desktop-portal-gtk @{exec_path} {
   dbus receive bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.impl.portal.Settings
        peer=(name=:*),
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.impl.portal.Settings
+       member=SettingChanged
+       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
 
   dbus send bus=session path=/org/gtk/Notifications
        interface=org.freedesktop.DBus.Properties

apparmor.d/groups/gnome/tracker-extract

@@ -25,6 +25,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
+  signal (receive) set=(cont term) peer=@{systemd_user},
   signal (receive) set=(term) peer=gdm,
 
   # dbus: own bus=session name=org.freedesktop.Tracker3.Miner.Extract

apparmor.d/groups/gnome/tracker-miner

@@ -25,6 +25,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
+  signal (receive) set=(cont term)  peer=@{systemd_user},
   signal (receive) set=(term, kill) peer=gdm,
   signal (receive) set=(hup)        peer=gdm-session-worker,
 

apparmor.d/groups/ssh/sshd

@@ -54,6 +54,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read,trace) peer=@{systemd},
 
+  unix (bind) type=stream addr=@@{hex}/bus/sshd/system,
+
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}

apparmor.d/groups/systemd/networkctl

@@ -16,14 +16,16 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
   capability sys_module,
   audit capability sys_resource,
 
-  ptrace (read) peer=@{systemd},
-
-  signal send peer=child-pager,
-
   network inet dgram,
   network inet6 dgram,
   network netlink raw,
 
+  signal send peer=child-pager,
+
+  ptrace (read) peer=@{systemd},
+
+  unix (bind) type=stream addr=@@{hex}/bus/networkctl/system,
+
   # dbus: talk bus=system name=org.freedesktop.network1 label=systemd-networkd
 
   @{exec_path} mr,

apparmor.d/groups/systemd/systemd-hostnamed

@@ -16,6 +16,8 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
 
   capability sys_admin,  # To set a hostname
 
+  unix (bind) type=stream addr=@@{hex}/bus/systemd-hostnam/system,
+
   # dbus: own bus=system name=org.freedesktop.hostname1
 
   dbus send bus=system path=/org/freedesktop/DBus

apparmor.d/groups/systemd/systemd-logind

@@ -29,6 +29,8 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
 
   # mqueue r type=posix /,
 
+  unix (bind) type=stream addr=@@{hex}/bus/systemd-logind/system,
+
   # dbus: own bus=system name=org.freedesktop.login1
 
   # dbus: talk bus=system name=org.freedesktop.systemd1 label="@{systemd}"

apparmor.d/groups/systemd/systemd-networkd

@@ -27,6 +27,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
   network packet dgram,
   network packet raw,
 
+  unix (bind) type=stream addr=@@{hex}/bus/systemd-network/bus-api-network,
+
   # dbus: own bus=system name=org.freedesktop.network1
 
   dbus send bus=system path=/org/freedesktop/hostname1

apparmor.d/groups/systemd/systemd-timedated

@@ -15,6 +15,8 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 
   capability sys_time,
 
+  unix (bind) type=stream addr=@@{hex}/bus/systemd-timedat/system,
+
   # dbus: own bus=system name=org.freedesktop.timedate1
 
   dbus send bus=system path=/org/freedesktop/systemd1/unit/*

apparmor.d/groups/systemd/systemd-timesyncd

@@ -21,6 +21,8 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
   network inet stream,
   network inet6 stream,
 
+  unix (bind) type=stream addr=@@{hex}/bus/systemd-timesyn/bus-api-timesync,
+
   # dbus: own bus=system name=org.freedesktop.timesync1
 
   @{exec_path} mr,

apparmor.d/groups/systemd/systemd-update-utmp

@@ -17,6 +17,8 @@ profile systemd-update-utmp @{exec_path} {
 
   network netlink raw,
 
+  unix (bind) type=stream addr=@@{hex}/bus/systemd-update-/,
+
   @{exec_path} mr,
 
   @{run}/host/container-manager r,

apparmor.d/groups/systemd/systemd-user-runtime-dir

@@ -23,6 +23,8 @@ profile systemd-user-runtime-dir @{exec_path} {
   mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
   umount @{run}/user/@{uid}/,
 
+  unix (bind) type=stream addr=@@{hex}/bus/systemd-user-ru/system,
+
   @{exec_path} mr,
 
   /etc/machine-id r,

apparmor.d/profiles-g-l/lvm

@@ -23,9 +23,12 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read),
 
+  # mqueue r type=posix /,
+
   @{exec_path} rm,
 
   @{etc_rw}/lvm/** rwkl,
+  /etc/multipath.conf r,
 
   @{run}/lock/ rw,
   @{run}/lock/lvm/ rw,

apparmor.d/profiles-s-z/snapd

@@ -48,6 +48,8 @@ profile snapd @{exec_path} {
   ptrace (read) peer=snap,
   ptrace (read) peer=@{systemd},
 
+  unix (bind) type=stream addr=@@{hex}/bus/systemctl/,
+
   dbus send bus=system path=/org/freedesktop/
          interface=org.freedesktop.login1.Manager
          member={SetWallMessage,ScheduleShutdown}

apparmor.d/tunables/home.d/apparmor.d

@@ -46,7 +46,7 @@
 @{user_lib_dirs}=@{HOME}/@{XDG_LIB_DIR}
 
 # User build directories and output
-@{user_build_dirs}="/tmp/"
+@{user_build_dirs}="/tmp/build/"
 @{user_pkg_dirs}="/tmp/pkg/"
 @{user_tmp_dirs}=@{run}/user/@{uid} /tmp/
 @{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}

apparmor.d/tunables/multiarch.d/paths

@@ -4,9 +4,11 @@
 
 # Define some paths for some commonly used programs
 
-# All the shells
+# Default distribution shells
 @{sh} = sh zsh bash dash
 @{sh_path} = @{bin}/@{sh}
+
+# All interactive shells users may want to use
 @{shells} = sh zsh bash dash fish rbash ksh tcsh csh
 @{shells_path} = @{bin}/@{shells}