From 599ed6464cb7287109e99b58855e843af16d4a34 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Thu, 2 Jun 2022 19:27:15 +0300 Subject: [PATCH 01/40] Ubuntu 22.04, second batch --- apparmor.d/groups/apps/vlc | 96 ++++++++++++++++++- apparmor.d/groups/freedesktop/polkitd | 20 ++++ .../groups/ubuntu/package-system-locked | 6 +- apparmor.d/profiles-m-r/pkexec | 12 +++ 4 files changed, 128 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index eb065a9bd..fffbd401a 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -70,6 +70,13 @@ profile vlc @{exec_path} { include include include + include + include + include + include if exists + +# capability sys_ptrace, +# ptrace (read), signal (receive) set=(term, kill) peer=anyremote//*, @@ -94,9 +101,6 @@ profile vlc @{exec_path} { owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r, owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**.@{vlc_ext} r, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - # VLC files /usr/share/vlc/{,**} r, @@ -104,7 +108,7 @@ profile vlc @{exec_path} { owner @{HOME}/ r, owner @{user_config_dirs}/vlc/ rw, owner @{user_config_dirs}/vlc/* rwkl -> @{user_config_dirs}/vlc/#[0-9]*[0-9], - owner @{user_share_dirs}/vlc/{,*} rw, + owner @{user_share_dirs}/vlc/{,**} rw, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/vlc/{,**} rw, @@ -119,7 +123,9 @@ profile vlc @{exec_path} { deny owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + @{PROC}/@{pids}/net/if_inet6 r, deny @{PROC}/sys/kernel/random/boot_id r, # Udev enumeration 
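Review bot: The two added lines `# capability sys_ptrace,` and `# ptrace (read),` are disabled rules with no explanation of why they are kept, so a later maintainer cannot tell whether they were observed and deliberately withheld or are a leftover from testing. Either drop them or annotate them, e.g. `# Disabled on purpose: TODO record why sys_ptrace/ptrace were requested and why they are not granted`. The profile vlc block starts and ends outside this hunk.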
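Review bot: `@{PROC}/@{pids}/net/if_inet6 r,` replaces the per-process `@{PROC}/@{pid}/net/if_inet6 r,`, so VLC may now read that file under every process's `/proc` entry and without `owner`. Since `/proc/<pid>/net` reflects the network namespace the extra exposure is probably small, but if the audit log only showed VLC's own pid the narrower `owner @{PROC}/@{pid}/net/if_inet6 r,` is sufficient and matches the `comm` rules added right beside it. The profile block extends beyond the hunk.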
@@ -147,6 +153,84 @@ profile vlc @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, + # DBus + dbus send + bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{RequestName,ReleaseName,GetConnectionUnixProcessID}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="NotificationClosed" peer=(name=":*"), + + dbus send + bus="session" path="/org/a11y/bus" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.a11y.Bus"), + + dbus send + bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name="org.kde.StatusNotifierWatcher"), + + dbus send + bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Properties" member="{Get,RegisterStatusNotifierItem}" peer=(name="org.kde.StatusNotifierWatcher"), + + dbus send + bus="session" path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member="RegisterStatusNotifierItem" peer=(name="org.kde.StatusNotifierWatcher"), + + dbus send + bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="{NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="Activate" peer=(name=":*"), + + dbus receive + bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="{Get,GetAll}" peer=(name=":*"), + + dbus send + bus="session" path="/ScreenSaver" interface="org.freedesktop.ScreenSaver" member="{Inhibit,UnInhibit}" peer=(name="org.freedesktop.ScreenSaver"), + + dbus receive + bus="session" path="/MenuBar" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), + + dbus send + bus="session" path="/MenuBar" 
interface="com.canonical.dbusmenu" member="{LayoutUpdated,ItemsPropertiesUpdated}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/MenuBar" interface="com.canonical.dbusmenu" member="{GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}" peer=(name=":*"), + + dbus (send receive) + bus="session" path="/org/mpris/MediaPlayer2" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus send + bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Player" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Playlists" peer=(name=":*"), + +# dbus send +# bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" peer=(name="org.freedesktop.Avahi"), + + dbus send + bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,RemoveMatch}" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Socket" member="Embed" peer=(name="org.a11y.atspi.Registry"), + + dbus receive + bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.freedesktop.DBus.Properties" member="Set" peer=(name=":*"), + + dbus send + bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="GetRegisteredEvents" peer=(name="org.a11y.atspi.Registry"), + + dbus receive + bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="EventListenerDeregistered" peer=(name=":*"), + + dbus send + bus="accessibility" path="/org/a11y/atspi/registry/deviceeventcontroller" interface="org.a11y.atspi.DeviceEventController" member="{GetKeystrokeListeners,GetDeviceEventListeners}" peer=(name="org.a11y.atspi.Registry"), + + dbus bind + bus="session" name="org.kde.StatusNotifierItem-*", + + dbus bind + 
bus="session" name="org.mpris.MediaPlayer2.vlc{,.instance*}", + + owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, + owner @{run}/user/*/dconf/user rw, profile xdg-screensaver { include @@ -169,6 +253,8 @@ profile vlc @{exec_path} { /dev/dri/card[0-9]* rw, network inet stream, network inet6 stream, + + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 289496ba3..735532d1e 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd @@ -16,6 +16,7 @@ profile polkitd @{exec_path} { capability setuid, capability setgid, capability sys_ptrace, + capability sys_nice, audit deny capability net_admin, ptrace (read), @@ -53,9 +54,28 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, @{run}/systemd/userdb/io.systemd.DynamicUser w, + @{run}/systemd/userdb/io.systemd.Machine rw, # Silencer deny /.cache/ rw, + # DBus + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,AddMatch,RemoveMatch,Hello,RequestName}" peer=(name="org.freedesktop.DBus"), + + dbus receive + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus receive + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent}" peer=(name=":*"), + + dbus bind + bus="system" name="org.freedesktop.PolicyKit1", + + @{run}/dbus/system_bus_socket rw, + include if exists } 
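Review bot: The member list of the StatusNotifierItem signal rule, `member="{NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}"`, names `NewStatus` twice; the duplicate is harmless but reads like a slip for some other signal, and it is carried unchanged into the rewritten rule in the `@@ -86,6 +86,120 @@` vlc hunk of PATCH 04/40 on this page. Also `owner @{run}/user/*/dconf/user rw,` matches every user's runtime directory while the at-spi rule just above it uses `@{uid}`; `owner` limits it in practice, but `owner @{run}/user/@{uid}/dconf/user rw,` is the narrower and consistent form. The profile block extends beyond the hunk.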
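Review bot: `capability sys_nice,` is granted to polkitd without a comment saying which operation needs it, although the neighbouring `audit deny capability net_admin,` shows this profile already records its capability decisions. A new capability on a privileged daemon should carry its justification, e.g. `capability sys_nice, # TODO: note the audit event that required this`. The profile block extends beyond the hunk.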
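Review bot: The rule `dbus send bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}")` has no `member=` restriction, whereas every other rule in the new block names its members. If polkitd only needs to emit the `Changed` signal on that interface, `member="Changed"` pins it; if the breadth is intentional, a trailing `# all members` comment should say so. The profile block extends beyond the hunk.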
diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index d307f0eb4..7f29301c8 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -12,6 +12,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability syslog, + capability sys_ptrace, ptrace (read), @@ -20,6 +21,9 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/fuser rix, + network inet dgram, + network inet6 dgram, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/unix r, @{PROC}/ r, @@ -28,4 +32,4 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { @{PROC}/swaps r, include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index b754183e7..2c5932f4b 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -53,5 +53,17 @@ profile pkexec @{exec_path} flags=(complain) { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, + # DBus + @{run}/dbus/system_bus_socket rw, + + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="{GetAll,CheckAuthorization}" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name=":*"), + include if exists } From 2bea426d278cf935bff3e5df767d5c132e799ec9 Mon Sep 17 00:00:00 2001 
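Review bot: `network inet dgram,` and `network inet6 dgram,` give a lock-checking helper UDP sockets with no comment on what needs them. If this came from an audit event, a note such as `# TODO: name the call that needs UDP sockets` lets a later reviewer decide whether the rule can be narrowed or dropped. The profile block extends beyond the hunk.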
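Review bot: `member="{GetAll,CheckAuthorization}"` on `interface="org.freedesktop.DBus.Properties"` mixes two interfaces: `CheckAuthorization` is a method of `org.freedesktop.PolicyKit1.Authority`, not of the Properties interface, so that entry can never match and the call is in fact allowed by the following member-less `org.freedesktop.PolicyKit1.Authority` rule. Keep the Properties rule at `member="GetAll"` and give the Authority rule an explicit list, starting with `member="CheckAuthorization"` and extending it as the audit log shows, so the send side is no longer wide open. The profile block extends beyond the hunk.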
From: nobodysu Date: Fri, 3 Jun 2022 23:00:08 +0300 Subject: [PATCH 02/40] polishing --- apparmor.d/groups/apps/vlc | 1 + apparmor.d/groups/freedesktop/polkit-agent-helper | 13 ++++++++++++- apparmor.d/groups/freedesktop/polkitd | 9 +++++---- apparmor.d/profiles-m-r/pkexec | 6 +++--- 4 files changed, 21 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index fffbd401a..4cabe6247 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -118,6 +118,7 @@ profile vlc @{exec_path} { owner @{user_config_dirs}/qt5ct/{,**} r, /usr/share/qt5ct/** r, + /dev/snd/ r, /dev/shm/#[0-9]*[0-9] rw, deny owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 4e9e67fe8..4285ad4de 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -35,7 +35,18 @@ profile polkit-agent-helper @{exec_path} { owner @{HOME}/.xsession-errors w, @{run}/faillock/[a-zA-z0-9]* rwk, - @{run}/systemd/userdb/io.systemd.DynamicUser w, + + # DBus + @{run}/dbus/system_bus_socket rw, + + dbus send + bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), + + dbus send + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="AuthenticationAgentResponse2" peer=(name=":*"), include if exists } diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index 735532d1e..cef1ed600 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
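Review bot: The three `dbus send` rules and `@{run}/dbus/system_bus_socket rw,` added here are a verbatim copy of the block added to the pkexec profile in the previous patch, so the two profiles will drift apart as members are tuned. The bus bootstrap rule (`Hello,AddMatch,StartServiceByName,GetNameOwner` toward `org.freedesktop.DBus`) together with the socket access is what every system-bus client needs and belongs in a shared abstraction included by both. Separately, the unchanged context line `@{run}/faillock/[a-zA-z0-9]* rwk,` uses the range `A-z`, which also matches `[`, `\`, `]`, `^`, `_` and backtick; `[a-zA-Z0-9]` is presumably what was meant.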
@@ -53,8 +53,6 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - @{run}/systemd/userdb/io.systemd.DynamicUser w, - @{run}/systemd/userdb/io.systemd.Machine rw, # Silencer deny /.cache/ rw, @@ -67,10 +65,13 @@ profile polkitd @{exec_path} { bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name="{org.freedesktop.DBus,:*}"), + bus="system" path="/org/freedesktop/PolicyKit1{,/**}" interface="org.freedesktop.PolicyKit1{,.**}" peer=(name="{org.freedesktop.DBus,:*}"), + + dbus send + bus="system" path="/org/gnome/PolicyKit1/AuthenticationAgent" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" peer=(name=":*"), dbus receive - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent}" peer=(name=":*"), + bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2}" peer=(name=":*"), dbus bind bus="system" name="org.freedesktop.PolicyKit1", diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 2c5932f4b..9033252a4 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -10,9 +10,9 @@ include profile pkexec @{exec_path} flags=(complain) { include include - include - include include + include + include signal (send) set=(term, kill) peer=polkit-agent-helper, 
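Review bot: The send rule is widened to `path="/org/freedesktop/PolicyKit1{,/**}" interface="org.freedesktop.PolicyKit1{,.**}"` with no member, which covers every object under that prefix and every interface whose name starts that way, and the new `org.freedesktop.PolicyKit1.AuthenticationAgent` send rule is likewise member-less. Both look like deliberate daemon-side breadth, but nothing in the hunk says so; a trailing `# all members` comment on each, or an explicit member list, would make the intent reviewable. The profile block extends beyond the hunk.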
@@ -53,7 +53,7 @@ profile pkexec @{exec_path} flags=(complain) { owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - # DBus + # DBus stricter @{run}/dbus/system_bus_socket rw, dbus send From a333a77cb54304bf86b19b70543147ebe950b779 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 5 Jun 2022 15:36:10 +0300 Subject: [PATCH 03/40] polishing --- apparmor.d/groups/apps/vlc | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index 4cabe6247..dd843800d 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc @@ -197,11 +197,8 @@ profile vlc @{exec_path} { dbus (send receive) bus="session" path="/org/mpris/MediaPlayer2" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), - dbus send - bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Player" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.Playlists" peer=(name=":*"), + dbus (send receive) + bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.*" peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), # dbus send # bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" peer=(name="org.freedesktop.Avahi"), From 355d958e2688f3a0a41d74a2dd7e2901ee3ebb57 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Thu, 18 Aug 2022 18:22:56 +0300 Subject: [PATCH 04/40] update --- apparmor.d/groups/apps/vlc | 194 +++++++++++------- .../groups/freedesktop/polkit-agent-helper | 23 +-- apparmor.d/groups/freedesktop/polkitd | 70 ++++--- .../groups/ubuntu/package-system-locked | 11 +- apparmor.d/profiles-m-r/pkexec | 64 +++--- 5 files changed, 206 insertions(+), 156 deletions(-) diff --git a/apparmor.d/groups/apps/vlc b/apparmor.d/groups/apps/vlc index dd843800d..9ebee31d2 100644 --- a/apparmor.d/groups/apps/vlc +++ b/apparmor.d/groups/apps/vlc 
@@ -71,9 +71,9 @@ profile vlc @{exec_path} { include include include - include + include + include include - include if exists # capability sys_ptrace, # ptrace (read), 
@@ -86,6 +86,120 @@ profile vlc @{exec_path} { network inet6 stream, network netlink raw, + dbus (send) bus=session path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={RequestName,ReleaseName,GetConnectionUnixProcessID} + peer=(name=org.freedesktop.DBus), + + dbus (receive) bus=session path=/org/freedesktop/Notifications + interface=org.freedesktop.Notifications + member=NotificationClosed + peer=(name=:*), + + dbus (send) bus=session path=/org/a11y/bus + interface=org.freedesktop.DBus.Properties + member=Get + peer=(name=org.a11y.Bus), + + dbus (send) bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=org.kde.StatusNotifierWatcher), + + dbus (send) bus=session path=/StatusNotifierWatcher + interface=org.freedesktop.DBus.Properties + member={Get,RegisterStatusNotifierItem} + peer=(name=org.kde.StatusNotifierWatcher), + + dbus (send) bus=session path=/StatusNotifierWatcher + interface=org.kde.StatusNotifierWatcher + member=RegisterStatusNotifierItem + peer=(name=org.kde.StatusNotifierWatcher), + + dbus (send) bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member={NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon} + peer=(name=org.freedesktop.DBus), + + dbus (receive) bus=session path=/StatusNotifierItem + interface=org.kde.StatusNotifierItem + member=Activate + peer=(name=:*), + + dbus (receive) bus=session path=/StatusNotifierItem + interface=org.freedesktop.DBus.Properties + member={Get,GetAll} + peer=(name=:*), + + dbus (send) bus=session path=/ScreenSaver + interface=org.freedesktop.ScreenSaver + member={Inhibit,UnInhibit} + peer=(name=org.freedesktop.ScreenSaver), + + dbus (receive) bus=session path=/MenuBar + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus (send) bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={LayoutUpdated,ItemsPropertiesUpdated} + 
peer=(name=org.freedesktop.DBus), + + dbus (receive) bus=session path=/MenuBar + interface=com.canonical.dbusmenu + member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} + peer=(name=:*), + + dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 + interface=org.freedesktop.DBus.Properties + peer=(name="{org.freedesktop.DBus,:*}"), # all members + + dbus (send, receive) bus=session path=/org/mpris/MediaPlayer2 + interface=org.mpris.MediaPlayer2.* + peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), # all members + +# dbus (send) bus=system path=/ +# interface=org.freedesktop.DBus.Peer +# member=Ping, +# peer=(name="org.freedesktop.Avahi"), + + dbus (send) bus=accessibility path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={Hello,AddMatch,RemoveMatch} + peer=(name=org.freedesktop.DBus), + + dbus (send) bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.a11y.atspi.Socket + member=Embed + peer=(name=org.a11y.atspi.Registry), + + dbus (receive) bus=accessibility path=/org/a11y/atspi/accessible/root + interface=org.freedesktop.DBus.Properties + member=Set + peer=(name=:*), + + dbus (send) bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=GetRegisteredEvents + peer=(name=org.a11y.atspi.Registry), + + dbus (receive) bus=accessibility path=/org/a11y/atspi/registry + interface=org.a11y.atspi.Registry + member=EventListenerDeregistered + peer=(name=:*), + + dbus (send) bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller + interface=org.a11y.atspi.DeviceEventController + member={GetKeystrokeListeners,GetDeviceEventListeners} + peer=(name=org.a11y.atspi.Registry), + + dbus (bind) bus=session + name=org.kde.StatusNotifierItem-*, + + dbus (bind) bus=session + name=org.mpris.MediaPlayer2.vlc{,.instance*}, + @{exec_path} mrix, # Which media files VLC should be able to open 
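Review bot: The commented-out Avahi rule ends its member line with a comma, `# member=Ping,`, before `# peer=(name="org.freedesktop.Avahi"),`; in AppArmor the comma terminates a rule, so re-enabling it as written would presumably leave `peer=(...)` dangling and fail to parse. Drop the comma: `# member=Ping`. The hunk also quotes some peer names (`peer=(name="{org.freedesktop.DBus,:*}")`) and not others (`peer=(name=:*)`); either form parses, but one style throughout reads better. The profile block extends beyond the hunk.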
@@ -154,82 +268,6 @@ profile vlc @{exec_path} { owner /dev/tty[0-9]* rw, owner @{HOME}/.anyRemote/anyremote.stdout w, - # DBus - dbus send - bus="session" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{RequestName,ReleaseName,GetConnectionUnixProcessID}" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="session" path="/org/freedesktop/Notifications" interface="org.freedesktop.Notifications" member="NotificationClosed" peer=(name=":*"), - - dbus send - bus="session" path="/org/a11y/bus" interface="org.freedesktop.DBus.Properties" member="Get" peer=(name="org.a11y.Bus"), - - dbus send - bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Introspectable" member="Introspect" peer=(name="org.kde.StatusNotifierWatcher"), - - dbus send - bus="session" path="/StatusNotifierWatcher" interface="org.freedesktop.DBus.Properties" member="{Get,RegisterStatusNotifierItem}" peer=(name="org.kde.StatusNotifierWatcher"), - - dbus send - bus="session" path="/StatusNotifierWatcher" interface="org.kde.StatusNotifierWatcher" member="RegisterStatusNotifierItem" peer=(name="org.kde.StatusNotifierWatcher"), - - dbus send - bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="{NewToolTip,NewStatus,NewAttentionIcon,NewTitle,NewStatus,NewIcon}" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="session" path="/StatusNotifierItem" interface="org.kde.StatusNotifierItem" member="Activate" peer=(name=":*"), - - dbus receive - bus="session" path="/StatusNotifierItem" interface="org.freedesktop.DBus.Properties" member="{Get,GetAll}" peer=(name=":*"), - - dbus send - bus="session" path="/ScreenSaver" interface="org.freedesktop.ScreenSaver" member="{Inhibit,UnInhibit}" peer=(name="org.freedesktop.ScreenSaver"), - - dbus receive - bus="session" path="/MenuBar" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), - - dbus send - bus="session" path="/MenuBar" 
interface="com.canonical.dbusmenu" member="{LayoutUpdated,ItemsPropertiesUpdated}" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="session" path="/MenuBar" interface="com.canonical.dbusmenu" member="{GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event}" peer=(name=":*"), - - dbus (send receive) - bus="session" path="/org/mpris/MediaPlayer2" interface="org.freedesktop.DBus.Properties" peer=(name="{org.freedesktop.DBus,:*}"), - - dbus (send receive) - bus="session" path="/org/mpris/MediaPlayer2" interface="org.mpris.MediaPlayer2.*" peer=(name="{org.mpris.MediaPlayer2.vlc,:*,org.freedesktop.DBus}"), - -# dbus send -# bus="system" path="/" interface="org.freedesktop.DBus.Peer" member="Ping" peer=(name="org.freedesktop.Avahi"), - - dbus send - bus="accessibility" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,RemoveMatch}" peer=(name="org.freedesktop.DBus"), - - dbus send - bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Socket" member="Embed" peer=(name="org.a11y.atspi.Registry"), - - dbus receive - bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.freedesktop.DBus.Properties" member="Set" peer=(name=":*"), - - dbus send - bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="GetRegisteredEvents" peer=(name="org.a11y.atspi.Registry"), - - dbus receive - bus="accessibility" path="/org/a11y/atspi/registry" interface="org.a11y.atspi.Registry" member="EventListenerDeregistered" peer=(name=":*"), - - dbus send - bus="accessibility" path="/org/a11y/atspi/registry/deviceeventcontroller" interface="org.a11y.atspi.DeviceEventController" member="{GetKeystrokeListeners,GetDeviceEventListeners}" peer=(name="org.a11y.atspi.Registry"), - - dbus bind - bus="session" name="org.kde.StatusNotifierItem-*", - - dbus bind - bus="session" name="org.mpris.MediaPlayer2.vlc{,.instance*}", - - owner 
@{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw, - owner @{run}/user/*/dconf/user rw, - profile xdg-screensaver { include include diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper index 4285ad4de..32d5b102a 100644 --- a/apparmor.d/groups/freedesktop/polkit-agent-helper +++ b/apparmor.d/groups/freedesktop/polkit-agent-helper @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/polkit-agent-helper-[0-9] profile polkit-agent-helper @{exec_path} { include + include include include include @@ -28,6 +29,16 @@ profile polkit-agent-helper @{exec_path} { signal (receive) set=(term, kill) peer=gnome-shell, signal (receive) set=(term, kill) peer=pkexec, + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member=AuthenticationAgentResponse2 + peer=(name=:*), + @{exec_path} mr, # file_inherit @@ -36,17 +47,5 @@ profile polkit-agent-helper @{exec_path} { @{run}/faillock/[a-zA-z0-9]* rwk, - # DBus - @{run}/dbus/system_bus_socket rw, - - dbus send - bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="AuthenticationAgentResponse2" peer=(name=":*"), - include if exists } diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index cef1ed600..b743426b0 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
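Review bot: The new `dbus (send)` rules toward `/org/freedesktop/PolicyKit[0-9]/Authority` only work if the helper may still open the system bus socket, yet the following hunk of this file removes `@{run}/dbus/system_bus_socket rw,` together with the bootstrap rule toward `org.freedesktop.DBus`. Presumably the include added at the top of the profile (its name is not visible in this rendering) provides both; that is worth confirming with aa-log before merging, since a missing socket rule shows up as a file denial on the socket rather than as a dbus denial. The profile block extends beyond the hunk.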
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,25 +11,44 @@ include @{exec_path} += @{libexec}/polkitd profile polkitd @{exec_path} { include + include include - capability setuid, capability setgid, - capability sys_ptrace, + capability setuid, capability sys_nice, + capability sys_ptrace, audit deny capability net_admin, ptrace (read), - @{exec_path} mr, + dbus (send) bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName} + peer=(name=org.freedesktop.DBus), - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/cmdline r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/cgroup r, - @{PROC}/sys/kernel/osrelease r, - @{PROC}/1/environ r, - @{PROC}/cmdline r, + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]{,/**} + interface=org.freedesktop.PolicyKit[0-9]{,.**} + peer=(name="{org.freedesktop.DBus,:*}"), # all members + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus (send) bus=system path=/org/gnome/PolicyKit[0-9]/AuthenticationAgent + interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent + peer=(name=:*), # all members + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent,AuthenticationAgentResponse2} + peer=(name=:*), + + dbus (bind) bus=system + name=org.freedesktop.PolicyKit[0-9], + + @{exec_path} mr, /etc/machine-id r, 
@@ -54,29 +73,16 @@ profile polkitd @{exec_path} { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, + @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pids}/cmdline r, + @{PROC}/@{pids}/stat r, + @{PROC}/@{pids}/task/@{tid}/stat r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, + # Silencer deny /.cache/ rw, - # DBus - dbus send - bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{GetConnectionUnixProcessID,GetConnectionUnixUser,AddMatch,RemoveMatch,Hello,RequestName}" peer=(name="org.freedesktop.DBus"), - - dbus receive - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="GetAll" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1{,/**}" interface="org.freedesktop.PolicyKit1{,.**}" peer=(name="{org.freedesktop.DBus,:*}"), - - dbus send - bus="system" path="/org/gnome/PolicyKit1/AuthenticationAgent" interface="org.freedesktop.PolicyKit1.AuthenticationAgent" peer=(name=":*"), - - dbus receive - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="{EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,AuthenticationAgentResponse2}" peer=(name=":*"), - - dbus bind - bus="system" name="org.freedesktop.PolicyKit1", - - @{run}/dbus/system_bus_socket rw, - include if exists } diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 7f29301c8..5ad67ae78 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked 
@@ -11,25 +11,26 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, - capability syslog, capability sys_ptrace, + capability syslog, ptrace (read), + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/fuser rix, - network inet dgram, - network inet6 dgram, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/net/unix r, + owner @{PROC}/@{pid}/stat r, @{PROC}/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/maps r, @{PROC}/swaps r, include if exists -} +} \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 9033252a4..9d8baf1e4 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2019-2022 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
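Review bot: The file is changed to end without a trailing newline again (`-}` / `+}` followed by `\ No newline at end of file`), reverting the fix the first patch in this series made; the final newline should be kept. The reorderings (`capability syslog,`, the `network` rules) and the added `owner @{PROC}/@{pid}/stat r,` look fine. The profile block extends beyond the hunk.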
@@ -11,29 +12,53 @@ profile pkexec @{exec_path} flags=(complain) { include include include + include include include signal (send) set=(term, kill) peer=polkit-agent-helper, - capability sys_ptrace, capability audit_write, capability dac_read_search, - - # gdbus - capability setgid, - # gmain - capability setuid, - - # Needed? - deny capability sys_nice, + capability setgid, # gdbus + capability setuid, # gmain + capability sys_ptrace, + audit deny capability sys_nice, ptrace (read), network netlink raw, + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(name=:*), + + dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority + interface=org.freedesktop.PolicyKit[0-9].Authority + member={EnumerateActions,CheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent} + peer=(name=:*), + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]*/Authority + interface=org.freedesktop.PolicyKit[0-9]*.Authority + member=Changed + peer=(name=:*), + + dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]*/AuthenticationAgent + interface=org.freedesktop.PolicyKit[0-9]*.AuthenticationAgent + member=BeginAuthentication + peer=(name=:*), + @{exec_path} mr, + # Apps to be run via pkexec + /{usr/,}{s,}bin/* rPUx, + @{libexec}/gvfs/gvfsd-admin rPUx, #(#FIXME#) + @{libexec}/polkit-agent-helper-[0-9] rPx, + @{libexec}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, + /{usr/,}lib/update-notifier/package-system-locked rPx, + /usr/share/apport/apport-gtk rPx, + /etc/shells r, /etc/environment r, /etc/default/locale r, 
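Review bot: The two `dbus (receive)` rules use `PolicyKit[0-9]*` in both path and interface while the two `dbus (send)` rules just above use `PolicyKit[0-9]`; the patterns should agree, presumably `[0-9]` as in the polkitd and polkit-agent-helper profiles of this series. `/{usr/,}{s,}bin/* rPUx,` is unchanged in meaning but is the line that lets any binary without its own profile run unconfined, which is the expected pkexec contract and deserves a comment saying so, e.g. `# PUx: targets without a profile run unconfined (pkexec semantics)`. The profile block extends beyond the hunk.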
@@ -42,28 +67,9 @@ profile pkexec @{exec_path} flags=(complain) { @{PROC}/@{pids}/stat r, owner @{PROC}/@{pid}/fd/ r, - # Apps to be run via pkexec - /{usr/,}{s,}bin/* rPUx, - /{usr/,}bin/* rPUx, - /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#) - /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /{usr/,}lib/update-notifier/package-system-locked rPx, - # file_inherit owner /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, - # DBus stricter - @{run}/dbus/system_bus_socket rw, - - dbus send - bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="{Hello,AddMatch,StartServiceByName,GetNameOwner}" peer=(name="org.freedesktop.DBus"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.DBus.Properties" member="{GetAll,CheckAuthorization}" peer=(name=":*"), - - dbus send - bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" peer=(name=":*"), - include if exists } From c0356e92e5106085edd1feec334b38eb6234f133 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Aug 2022 19:05:46 +0100 Subject: [PATCH 05/40] feat(aa-log): add support dbus session log using journactl. --- apparmor.d/profiles-a-f/aa-log | 21 ++++++ cmd/aa-log/main.go | 71 +++++++++++++++--- cmd/aa-log/main_test.go | 131 ++++++++++++++++++++++++++++++++- 3 files changed, 212 insertions(+), 11 deletions(-) diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index ef93fd235..103c4ed96 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log 
@@ -13,9 +13,30 @@ profile aa-log @{exec_path} { @{exec_path} mr, + /{usr/,}bin/journalctl rCx -> journalctl, + /var/log/audit/* r, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + profile journalctl { + include + include + + /{usr/,}bin/journalctl mr, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, + + /{run,var}/log/journal/ r, + /{run,var}/log/journal/[0-9a-f]*/ r, + /{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r, + /{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r, + + @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/kernel/cap_last_cap r, + + } + include if exists } \ No newline at end of file diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index aa47d9c00..9059b298c 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -1,16 +1,19 @@ // aa-log - Review AppArmor generated messages -// Copyright (C) 2021 Alexandre Pujol +// Copyright (C) 2021-2022 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only package main import ( "bufio" + "bytes" "encoding/hex" + "encoding/json" "flag" "fmt" "io" "os" + "os/exec" "path/filepath" "regexp" "strings" @@ -18,8 +21,9 @@ import ( // Command line options var ( - help bool - path string + dbus bool + help bool + path string ) // LogFile is the default path to the file to query @@ -45,6 +49,11 @@ type AppArmorLog map[string]string // AppArmorLogs describes all apparmor log entries type AppArmorLogs []AppArmorLog +// SystemdLog is a simplified systemd json log representation. +type SystemdLog struct { + Message string `json:"MESSAGE"` +} + var ( quoted bool isHexa = regexp.MustCompile("^[0-9A-Fa-f]+$") 
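Review bot: In the new `journalctl` child profile, `/{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r,` is already matched by the preceding `/{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r,` and can be dropped. Limiting the child to the caller's user journal rather than `system*` is the right scope for the `journalctl --user` call made by the Go side in this commit, and a one-line comment would make that deliberate, e.g. `# aa-log runs journalctl --user -u dbus.service, so only the caller's own journal is needed`. The file also still ends without a trailing newline, as the marker after the closing brace shows.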
@@ -84,6 +93,40 @@ func removeDuplicateLog(logs []string) []string { return list } +// getJournalctlDbusSessionLogs return a reader with the logs entries +func getJournalctlDbusSessionLogs(file io.Reader, useFile bool) (io.Reader, error) { + var logs []SystemdLog + var stdout bytes.Buffer + var value string + + if useFile { + content, err := io.ReadAll(file) + if err != nil { + return nil, err + } + value = string(content) + } else { + cmd := exec.Command("journalctl", "--user", "-b", "-u", "dbus.service", "-o", "json") + cmd.Stdout = &stdout + if err := cmd.Run(); err != nil { + return nil, err + } + value = stdout.String() + } + + value = strings.Replace(value, "\n", ",\n", -1) + value = strings.TrimSuffix(value, ",\n") + value = `[` + value + `]` + if err := json.Unmarshal([]byte(value), &logs); err != nil { + return nil, err + } + res := "" + for _, log := range logs { + res += log.Message + "\n" + } + return strings.NewReader(res), nil +} + // NewApparmorLogs return a new ApparmorLogs list of map from a log file func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { log := "" @@ -198,7 +241,7 @@ func (aaLogs AppArmorLogs) String() string { return res } -func aaLog(path string, profile string) error { +func aaLog(path string, profile string, dbus bool) error { file, err := os.Open(filepath.Clean(path)) if err != nil { return err 
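Review bot: Splicing the journal output into one JSON array with `strings.Replace(value, "\n", ",\n", -1)` is fragile: journalctl emits one object per line, and a blank line, a trailing newline in a user-supplied file, or an entry whose MESSAGE journalctl documents as emitted as a byte array (non-UTF-8 or non-printable content) makes `json.Unmarshal` reject the entire input, so the command fails with no output at all. Decoding the stream object by object with `json.NewDecoder` removes the string surgery, keeps `stdout` scoped to the branch that uses it, replaces the repeated `res +=` concatenation with a `strings.Builder`, and lets a single non-string MESSAGE be skipped instead of aborting everything. The `journalctl` lookup goes through PATH, which matches the `/{usr/,}bin/journalctl rCx` transition the profile in this commit adds; a short comment tying the two together would help the next maintainer.
```go
func getJournalctlDbusSessionLogs(file io.Reader, useFile bool) (io.Reader, error) {
	var src io.Reader = file
	if !useFile {
		var stdout bytes.Buffer
		cmd := exec.Command("journalctl", "--user", "-b", "-u", "dbus.service", "-o", "json")
		cmd.Stdout = &stdout
		if err := cmd.Run(); err != nil {
			return nil, err
		}
		src = &stdout
	}

	// journalctl -o json writes one object per line; decode them one at a
	// time rather than rewriting the text into a single array.
	var res strings.Builder
	dec := json.NewDecoder(src)
	for {
		var entry SystemdLog
		err := dec.Decode(&entry)
		if err == io.EOF {
			break
		}
		if _, isType := err.(*json.UnmarshalTypeError); isType {
			continue // MESSAGE was emitted as a byte array (non-UTF-8); skip this entry
		}
		if err != nil {
			return nil, err
		}
		res.WriteString(entry.Message)
		res.WriteByte('\n')
	}
	return strings.NewReader(res.String()), nil
}
```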
@@ -210,21 +253,31 @@ func aaLog(path string, profile string) error { } }() - aaLogs := NewApparmorLogs(file, profile) - fmt.Print(aaLogs.String()) - return err + if dbus { + file, err := getJournalctlDbusSessionLogs(file, path != LogFile) + if err != nil { + return err + } + aaLogs := NewApparmorLogs(file, profile) + fmt.Print(aaLogs.String()) + } else { + aaLogs := NewApparmorLogs(file, profile) + fmt.Print(aaLogs.String()) + } + return nil } func init() { flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.StringVar(&path, "f", LogFile, "Set a log`file` or a suffix to the default log file.") + flag.BoolVar(&dbus, "d", false, "Show dbus session event.") } func main() { flag.Parse() if help { - fmt.Printf(`aa-log [-h] [-f file] [profile] + fmt.Printf(`aa-log [-h] [-d] [-f file] [profile] Review AppArmor generated messages in a colorful way. It can be given an optional profile name to filter the output with. @@ -244,7 +297,7 @@ func main() { logfile = path } - err := aaLog(logfile, profile) + err := aaLog(logfile, profile, dbus) if err != nil { fmt.Println(err) os.Exit(1) diff --git a/cmd/aa-log/main_test.go b/cmd/aa-log/main_test.go index 2ddca15d2..7e6dd0aa2 100644 --- a/cmd/aa-log/main_test.go +++ b/cmd/aa-log/main_test.go 
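Review bot: With `-d` and the default path, `path != LogFile` is false so the journal is the real source, yet `os.Open(filepath.Clean(path))` in the previous hunk has already run against the default audit log; when that file is unreadable — the usual situation for the unprivileged user whose session bus `journalctl --user` is meant for — aaLog returns the open error and never reaches journalctl. Opening the file only when it is actually consumed fixes that and also removes the duplicated `NewApparmorLogs`/`fmt.Print` pair in the two branches. The `file` shadowed inside `if dbus` is legal but easy to misread, so the reader deserves its own name. The function's signature and its deferred close are outside this hunk.
```go
func aaLog(path string, profile string, dbus bool) error {
	var reader io.Reader
	if dbus && path == LogFile {
		// Journal mode with the default path: the audit log is not consulted,
		// so do not require it to be readable.
		r, err := getJournalctlDbusSessionLogs(nil, false)
		if err != nil {
			return err
		}
		reader = r
	} else {
		file, err := os.Open(filepath.Clean(path))
		if err != nil {
			return err
		}
		// … unchanged: deferred file.Close() with its error reporting …
		reader = file
		if dbus {
			r, err := getJournalctlDbusSessionLogs(file, true)
			if err != nil {
				return err
			}
			reader = r
		}
	}
	aaLogs := NewApparmorLogs(reader, profile)
	fmt.Print(aaLogs.String())
	return nil
}
```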
@@ -93,6 +93,40 @@ func TestAppArmorEvents(t *testing.T) { }, }, }, + { + name: "dbus system", + event: `type=USER_AVC msg=audit(1111111111.111:1111): pid=1780 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/PolicyKit1/Authority" interface="org.freedesktop.PolicyKit1.Authority" member="CheckAuthorization" mask="send" name="org.freedesktop.PolicyKit1" pid=1794 label="snapd" peer_pid=1790 peer_label="polkitd" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"`, + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "profile": "", + "label": "snapd", + "operation": "dbus_method_call", + "name": "org.freedesktop.PolicyKit1", + "mask": "send", + "bus": "system", + "path": "/org/freedesktop/PolicyKit1/Authority", + "interface": "org.freedesktop.PolicyKit1.Authority", + "member": "CheckAuthorization", + "peer_label": "polkitd", + }, + }, + }, + { + name: "dbus session", + event: `apparmor="ALLOWED" operation="dbus_bind" bus="session" name="org.freedesktop.portal.Documents" mask="bind" pid=2174 label="xdg-document-portal"`, + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "profile": "", + "label": "xdg-document-portal", + "operation": "dbus_bind", + "name": "org.freedesktop.portal.Documents", + "mask": "bind", + "bus": "session", + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { 
@@ -153,6 +187,25 @@ func TestNewApparmorLogs(t *testing.T) { path: "../../tests/audit.log", want: refMan, }, + { + name: "power-profiles-daemon", + path: "../../tests/audit.log", + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "profile": "", + "label": "power-profiles-daemon", + "operation": "dbus_method_call", + "name": "org.freedesktop.DBus", + "mask": "send", + "bus": "system", + "path": "/org/freedesktop/DBus", + "interface": "org.freedesktop.DBus", + "member": "AddMatch", + "peer_label": "dbus-daemon", + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -164,6 +217,51 @@ func TestNewApparmorLogs(t *testing.T) { } } +func Test_getJournalctlDbusSessionLogs(t *testing.T) { + tests := []struct { + name string + path string + useFile bool + want AppArmorLogs + }{ + { + name: "gsd-xsettings", + useFile: true, + path: "../../tests/systemd.log", + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "profile": "", + "label": "gsd-xsettings", + "operation": "dbus_method_call", + "name": ":1.88", + "mask": "receive", + "bus": "session", + "path": "/org/gtk/Settings", + "interface": "org.freedesktop.DBus.Properties", + "member": "GetAll", + "peer_label": "gnome-extension-ding", + }, + }, + }, + { + name: "journalctl", + useFile: false, + path: "", + want: AppArmorLogs{}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + file, _ := os.Open(tt.path) + reader, _ := getJournalctlDbusSessionLogs(file, tt.useFile) + if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) { + t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + } + }) + } +} + func TestAppArmorLogs_String(t *testing.T) { tests := []struct { name string 
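Review bot: In Test_getJournalctlDbusSessionLogs both `os.Open(tt.path)` and `getJournalctlDbusSessionLogs` discard their errors, so in the "journalctl" case a host without journalctl, or one where `journalctl --user` fails, hands a nil reader to NewApparmorLogs and the failure presumably surfaces as a panic or a wrong-value report rather than the real cause; that case also depends on whatever the test host's session bus has logged, so `want: AppArmorLogs{}` holds only by accident. Check the errors and skip the live-journal case when the binary is absent: `if _, err := exec.LookPath("journalctl"); err != nil { t.Skip("journalctl not available") }` before the call, and `reader, err := getJournalctlDbusSessionLogs(file, tt.useFile); if err != nil { t.Fatalf("getJournalctlDbusSessionLogs() error = %v", err) }` (this needs `os/exec` imported in the test file). The opened fixture is also never closed; `defer file.Close()` after a successful open handles it.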
@@ -180,6 +278,25 @@ func TestAppArmorLogs_String(t *testing.T) { aaLogs: refMan, want: "\033[1;32mALLOWED\033[0m \033[34mman\033[0m \033[33mexec\033[0m \033[35m/usr/bin/preconv\033[0m info=\"no new privs\" comm=man requested_mask=\033[1;31mx\033[0m denied_mask=\033[1;31mx\033[0m error=-1\n", }, + { + name: "power-profiles-daemon", + aaLogs: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "profile": "", + "label": "power-profiles-daemon", + "operation": "dbus_method_call", + "name": "org.freedesktop.DBus", + "mask": "send", + "bus": "system", + "path": "/org/freedesktop/DBus", + "interface": "org.freedesktop.DBus", + "member": "AddMatch", + "peer_label": "dbus-daemon", + }, + }, + want: "\033[1;32mALLOWED\033[0m \033[34mpower-profiles-daemon\033[0m \033[33mdbus_method_call\033[0m \033[35morg.freedesktop.DBus\033[0m \033[1;31msend\033[0m \033[36mbus=system\033[0m path=\033[37m/org/freedesktop/DBus\033[0m interface=\033[37morg.freedesktop.DBus\033[0m member=\033[32mAddMatch\033[0m peer_label=dbus-daemon\n", + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { @@ -195,24 +312,34 @@ func Test_app(t *testing.T) { name string path string profile string + dbus bool wantErr bool }{ { - name: "OK", + name: "Test audit.log", path: "../../tests/audit.log", profile: "", + dbus: false, + wantErr: false, + }, + { + name: "Test Dbus Session", + path: "../../tests/systemd.log", + profile: "", + dbus: true, wantErr: false, }, { name: "No logfile", path: "../../tests/log", profile: "", + dbus: false, wantErr: true, }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - if err := aaLog(tt.path, tt.profile); (err != nil) != tt.wantErr { + if err := aaLog(tt.path, tt.profile, tt.dbus); (err != nil) != tt.wantErr { t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr) } }) From 169a730d3f392c9723234d42bec1aae6d7ae8b82 Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Mon, 1 Aug 2022 18:23:39 +0200 Subject: [PATCH 06/40] Add profiles for grub-mkconfig, grub-mkrelpath, grub-probe, grub-script-check and update-grub. --- apparmor.d/groups/grub/grub-mkconfig | 78 ++++++++++++++++++++++++ apparmor.d/groups/grub/grub-mkrelpath | 20 ++++++ apparmor.d/groups/grub/grub-probe | 28 +++++++++ apparmor.d/groups/grub/grub-script-check | 19 ++++++ apparmor.d/groups/ubuntu/update-grub | 18 ++++++ 5 files changed, 163 insertions(+) create mode 100644 apparmor.d/groups/grub/grub-mkconfig create mode 100644 apparmor.d/groups/grub/grub-mkrelpath create mode 100644 apparmor.d/groups/grub/grub-probe create mode 100644 apparmor.d/groups/grub/grub-script-check create mode 100644 apparmor.d/groups/ubuntu/update-grub diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig new file mode 100644 index 000000000..aeae916eb --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkconfig 
@@ -0,0 +1,78 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-mkconfig +profile grub-mkconfig @{exec_path} flags=(complain) { + include + include + + capability dac_read_search, + + @{exec_path} rm, + /etc/grub.d/{**,} rix, + /{usr/,}bin/{m,g,}awk rix, + /{usr/,}bin/basename rix, + /{usr/,}bin/cat rix, + /{usr/,}bin/chmod rix, + /{usr/,}bin/cut rix, + /{usr/,}bin/date rix, + /{usr/,}bin/dirname rix, + /{usr/,}bin/dpkg rPx, + /{usr/,}bin/find rix, + /{usr/,}bin/findmnt rPx, + /{usr/,}bin/gettext rix, + /{usr/,}bin/{e,f,}grep rix, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/grub-mkrelpath rPx, + /{usr/,}bin/grub-script-check rPx, + /{usr/,}bin/head rix, + /{usr/,}bin/id rPx, + /{usr/,}bin/ls rix, + /{usr/,}bin/mktemp rix, + /{usr/,}bin/mount rPx, + /{usr/,}bin/mountpoint rix, + /{usr/,}bin/paste rix, + /{usr/,}bin/readlink rix, + /{usr/,}bin/rm rix, + /{usr/,}bin/rmdir rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/sort rix, + /{usr/,}bin/stat rix, + /{usr/,}bin/tail rix, + /{usr/,}bin/tr rix, + /{usr/,}bin/umount rPx, + /{usr/,}bin/uname rix, + /{usr/,}bin/which{.debianutils,} rix, + /{usr/,}{s,}bin/dmsetup rPUx, + /{usr/,}{s,}bin/grub-probe rPx, + /{usr/,}{local/,}{s,}bin/zfs rPx, + /{usr/,}{local/,}{s,}bin/zpool rPx, + + /boot/{**,} r, + /boot/grub/{**,} rw, + + /etc/default/grub r, + /etc/default/grub.d/{*,} r, + + /usr/share/grub/{**,} r, + + /.zfs/snapshot/*/etc/{machine-id,} r, + /.zfs/snapshot/*/{usr/,}lib/os-release r, + + / r, + + owner /tmp/** rw, + + @{PROC}/@{pids}/mountinfo r, + @{PROC}/@{pids}/mounts r, + + @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r, + + include if exists +} diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath new file mode 100644 index 000000000..794313a3d --- /dev/null 
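Review bot: `/{usr/,}bin/grub-mkrelpath rPx,` transitions to the grub-mkrelpath profile, but that profile (next hunk of this commit) attaches to `/{usr/,}{s,}bin/grub-mkrelpath`; on a target where the binary lives in sbin the exec is denied here even though the profile would attach, so the two patterns should agree — either drop `{s,}` from the profile or write `/{usr/,}{s,}bin/grub-mkrelpath rPx,` here. `/etc/grub.d/{**,} rix,` runs every generator script, locally added ones included, under this profile's own permissions (`/boot/grub/{**,} rw`, `owner /tmp/** rw`); that is how grub-mkconfig works, but a comment such as `# Generator scripts are executed by the shell running grub-mkconfig and inherit this profile` would record the choice. `/{usr/,}{s,}bin/dmsetup rPUx,` falls back to unconfined when no dmsetup profile is loaded and deserves a similar note.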
+++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-mkrelpath +profile grub-mkrelpath @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + /{usr/,}{local/,}{s,}bin/zpool rPx, + + @{PROC}/@{pids}/mountinfo r, + + include if exists +} diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe new file mode 100644 index 000000000..64ad23e21 --- /dev/null +++ b/apparmor.d/groups/grub/grub-probe @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-probe +profile grub-probe @{exec_path} flags=(complain) { + include + include + include + + capability sys_admin, + + @{exec_path} rm, + /{usr/,}bin/lsb_release rPx -> lsb_release, + /{usr/,}bin/udevadm rPx, + /{usr/,}{local/,}{s,}bin/zpool rPx, + + @{PROC}/@{pids}/mountinfo r, + @{PROC}/devices r, + + /dev/mapper/control rw, + + include if exists +} diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check new file mode 100644 index 000000000..a02d27fc2 --- /dev/null +++ b/apparmor.d/groups/grub/grub-script-check @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-script-check +profile grub-script-check @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + /boot/grub/grub.cfg{.new,} rw, + + include if exists +} diff --git a/apparmor.d/groups/ubuntu/update-grub b/apparmor.d/groups/ubuntu/update-grub new file mode 100644 index 000000000..b17116334 --- /dev/null +++ b/apparmor.d/groups/ubuntu/update-grub 
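Review bot: `/boot/grub/grub.cfg{.new,} rw,` in the grub-script-check profile grants write access to the bootloader configuration, but grub-script-check only parses the file it is given for syntax errors; unless a write was actually observed in the audit log, `/boot/grub/grub.cfg{.new,} r,` is enough and keeps this profile from being a route to modifying boot config. In the grub-probe hunk just before it, `capability sys_admin,` together with `/dev/mapper/control rw,` is a broad grant for a probing tool; a comment recording which operation required it (device-mapper ioctls or raw block-device probing) would let a later review judge whether a narrower rule suffices.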
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/update-grub{2,} +profile update-grub @{exec_path} flags=(complain) { + include + + @{exec_path} rm, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}{s,}bin/grub-mkconfig rPx, + + include if exists +} From b1112e35a70ebc0da1467d6a6ebebebc1ef09154 Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Mon, 1 Aug 2022 18:24:42 +0200 Subject: [PATCH 07/40] Add templates for all grub commands --- apparmor.d/groups/grub/grub-bios-setup | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-editenv | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-file | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-fstest | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-glue-efi | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-install | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-kbdcomp | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-macbless | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-menulst2cfg | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-mkdevicemap | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-mkfont | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-mkimage | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-mklayout | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-mknetdir | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-mkrescue | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-mkstandalone | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-mount | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-ntldr-img | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-reboot | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-render-label | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-set-default | 18 ++++++++++++++++++ apparmor.d/groups/grub/grub-syslinux2cfg | 18 ++++++++++++++++++ 23 files changed, 414 insertions(+) create mode 100644 apparmor.d/groups/grub/grub-bios-setup create mode 100644 apparmor.d/groups/grub/grub-editenv create mode 100644 apparmor.d/groups/grub/grub-file create mode 100644 apparmor.d/groups/grub/grub-fstest create mode 100644 apparmor.d/groups/grub/grub-glue-efi create mode 100644 apparmor.d/groups/grub/grub-install create mode 100644 apparmor.d/groups/grub/grub-kbdcomp create mode 100644 
apparmor.d/groups/grub/grub-macbless create mode 100644 apparmor.d/groups/grub/grub-menulst2cfg create mode 100644 apparmor.d/groups/grub/grub-mkdevicemap create mode 100644 apparmor.d/groups/grub/grub-mkfont create mode 100644 apparmor.d/groups/grub/grub-mkimage create mode 100644 apparmor.d/groups/grub/grub-mklayout create mode 100644 apparmor.d/groups/grub/grub-mknetdir create mode 100644 apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 create mode 100644 apparmor.d/groups/grub/grub-mkrescue create mode 100644 apparmor.d/groups/grub/grub-mkstandalone create mode 100644 apparmor.d/groups/grub/grub-mount create mode 100644 apparmor.d/groups/grub/grub-ntldr-img create mode 100644 apparmor.d/groups/grub/grub-reboot create mode 100644 apparmor.d/groups/grub/grub-render-label create mode 100644 apparmor.d/groups/grub/grub-set-default create mode 100644 apparmor.d/groups/grub/grub-syslinux2cfg diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup new file mode 100644 index 000000000..d6961bf9c --- /dev/null +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-bios-setup +profile grub-bios-setup @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv new file mode 100644 index 000000000..419e46c7b --- /dev/null +++ b/apparmor.d/groups/grub/grub-editenv @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-editenv +profile grub-editenv @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + 
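Review bot: Nothing in the template profiles (this grub-bios-setup file and every other grub-* file in this commit: grub-editenv, grub-file, grub-fstest, grub-glue-efi, grub-install, grub-kbdcomp, grub-macbless, grub-menulst2cfg, grub-mkdevicemap, grub-mkfont, grub-mkimage, grub-mklayout, grub-mknetdir, grub-mkpasswd-pbkdf2, grub-mkrescue, grub-mkstandalone, grub-mount, grub-ntldr-img, grub-reboot, grub-render-label, grub-set-default, grub-syslinux2cfg) says they are incomplete; each holds only `@{exec_path} rm,`, so a reader cannot tell a finished minimal profile from a placeholder. A header comment after the license block, e.g. `# Template profile: access rules not yet collected, keep in complain mode`, would make that explicit. Every template also ends with an extra blank line after the closing brace, unlike the other profiles in this series, which end at `}`.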
diff --git a/apparmor.d/groups/grub/grub-file b/apparmor.d/groups/grub/grub-file new file mode 100644 index 000000000..9ddea365b --- /dev/null +++ b/apparmor.d/groups/grub/grub-file @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-file +profile grub-file @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-fstest b/apparmor.d/groups/grub/grub-fstest new file mode 100644 index 000000000..6258b4e44 --- /dev/null +++ b/apparmor.d/groups/grub/grub-fstest @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-fstest +profile grub-fstest @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-glue-efi b/apparmor.d/groups/grub/grub-glue-efi new file mode 100644 index 000000000..db59cefcd --- /dev/null +++ b/apparmor.d/groups/grub/grub-glue-efi @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-glue-efi +profile grub-glue-efi @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install new file mode 100644 index 000000000..152ea426b --- /dev/null +++ b/apparmor.d/groups/grub/grub-install 
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-install +profile grub-install @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-kbdcomp b/apparmor.d/groups/grub/grub-kbdcomp new file mode 100644 index 000000000..2760bd0a9 --- /dev/null +++ b/apparmor.d/groups/grub/grub-kbdcomp @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-kbdcomp +profile grub-kbdcomp @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless new file mode 100644 index 000000000..24e269233 --- /dev/null +++ b/apparmor.d/groups/grub/grub-macbless @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-macbless +profile grub-macbless @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-menulst2cfg b/apparmor.d/groups/grub/grub-menulst2cfg new file mode 100644 index 000000000..7a5f063fe --- /dev/null +++ b/apparmor.d/groups/grub/grub-menulst2cfg @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-menulst2cfg +profile grub-menulst2cfg @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + 
diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap new file mode 100644 index 000000000..835093bfd --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-mkdevicemap +profile grub-mkdevicemap @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkfont b/apparmor.d/groups/grub/grub-mkfont new file mode 100644 index 000000000..fe5d5c4fa --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkfont @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkfont +profile grub-mkfont @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkimage b/apparmor.d/groups/grub/grub-mkimage new file mode 100644 index 000000000..bd4729cfb --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkimage @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkimage +profile grub-mkimage @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mklayout b/apparmor.d/groups/grub/grub-mklayout new file mode 100644 index 000000000..d01086f59 --- /dev/null +++ b/apparmor.d/groups/grub/grub-mklayout 
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mklayout +profile grub-mklayout @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mknetdir b/apparmor.d/groups/grub/grub-mknetdir new file mode 100644 index 000000000..ea85f204f --- /dev/null +++ b/apparmor.d/groups/grub/grub-mknetdir @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mknetdir +profile grub-mknetdir @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 new file mode 100644 index 000000000..33ccfa78e --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkpasswd-pbkdf2 +profile grub-mkpasswd-pbkdf2 @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mkrescue b/apparmor.d/groups/grub/grub-mkrescue new file mode 100644 index 000000000..252c1df4d --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkrescue @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkrescue +profile grub-mkrescue @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + 
diff --git a/apparmor.d/groups/grub/grub-mkstandalone b/apparmor.d/groups/grub/grub-mkstandalone new file mode 100644 index 000000000..b2be219c0 --- /dev/null +++ b/apparmor.d/groups/grub/grub-mkstandalone @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mkstandalone +profile grub-mkstandalone @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount new file mode 100644 index 000000000..6ea7afefa --- /dev/null +++ b/apparmor.d/groups/grub/grub-mount @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-mount +profile grub-mount @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-ntldr-img b/apparmor.d/groups/grub/grub-ntldr-img new file mode 100644 index 000000000..766c505d1 --- /dev/null +++ b/apparmor.d/groups/grub/grub-ntldr-img @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-ntldr-img +profile grub-ntldr-img @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot new file mode 100644 index 000000000..229aea9a2 --- /dev/null +++ b/apparmor.d/groups/grub/grub-reboot 
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-reboot +profile grub-reboot @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-render-label b/apparmor.d/groups/grub/grub-render-label new file mode 100644 index 000000000..3a0d5034b --- /dev/null +++ b/apparmor.d/groups/grub/grub-render-label @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-render-label +profile grub-render-label @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default new file mode 100644 index 000000000..531beda94 --- /dev/null +++ b/apparmor.d/groups/grub/grub-set-default @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}{s,}bin/grub-set-default +profile grub-set-default @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/grub/grub-syslinux2cfg b/apparmor.d/groups/grub/grub-syslinux2cfg new file mode 100644 index 000000000..bbbc94a7e --- /dev/null +++ b/apparmor.d/groups/grub/grub-syslinux2cfg @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/grub-syslinux2cfg +profile grub-syslinux2cfg @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + 
From 6af5c76fb8ad6cdc791ca2912323cb1315b761bc Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Mon, 1 Aug 2022 18:25:20 +0200 Subject: [PATCH 08/40] Add and update CNI profiles --- apparmor.d/groups/virt/cni-calico | 2 +- apparmor.d/groups/virt/cni-flannel | 18 ++++++++++++++++++ apparmor.d/groups/virt/cni-host-local | 18 ++++++++++++++++++ apparmor.d/groups/virt/cni-xtables-nft | 3 +-- apparmor.d/groups/virt/containerd | 3 ++- 5 files changed, 40 insertions(+), 4 deletions(-) create mode 100644 apparmor.d/groups/virt/cni-flannel create mode 100644 apparmor.d/groups/virt/cni-host-local diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 684676717..2789ee07b 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -6,7 +6,7 @@ abi , include -@{exec_path} = /opt/cni/bin/calico +@{exec_path} = /{usr/,}lib/cni/calico /opt/cni/bin/calico profile cni-calico @{exec_path} flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel new file mode 100644 index 000000000..1c21c261a --- /dev/null +++ b/apparmor.d/groups/virt/cni-flannel @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/flannel /opt/cni/bin/flannel +profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){ + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local new file mode 100644 index 000000000..9ca86fb5f --- /dev/null +++ b/apparmor.d/groups/virt/cni-host-local 
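Review bot: `profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){` lacks the space before the opening brace that the other profiles use (`flags=(...) {`, as in the cni-calico hunk above), and cni-host-local in the next hunk has the same; both new files also end without a trailing newline, as the `\ No newline at end of file` marker shows. The exec path lists two locations, `/{usr/,}lib/cni/flannel /opt/cni/bin/flannel`; a one-line comment naming which installer or distribution puts the plugin in which path would justify the dual attachment that this commit introduces for calico as well.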
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}lib/cni/host-local /opt/cni/bin/host-local +profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){ + include + + @{exec_path} mr, + + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft index e6a24a412..465b6d119 100644 --- a/apparmor.d/groups/virt/cni-xtables-nft +++ b/apparmor.d/groups/virt/cni-xtables-nft @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi profile cni-xtables-nft { include + include include capability net_admin, @@ -30,6 +31,4 @@ profile cni-xtables-nft { /etc/nftables.conf rw, @{PROC}/@{pids}/net/ip_tables_names r, - - /dev/pts/[0-9]* rw, } diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index c700d8efd..d3e3325ca 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -36,6 +36,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/, umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/, + umount /tmp/ctd-volume[0-9]*/, umount @{run}/netns/cni-@{uuid}, signal (receive) set=term peer={dockerd,k3s}, @@ -84,7 +85,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { owner /var/tmp/** rwkl, owner /tmp/** rwkl, /tmp/cri-containerd.apparmor.d[0-9]* rwl, - /tmp/ctd-volume[0-9]*/ rw, + /tmp/ctd-volume[0-9]*/{data,} rw, @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, From 7ee9644325473dd7583a1e1458f3a04a6315a427 Mon Sep 17 00:00:00 2001 
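Review bot: The new `umount /tmp/ctd-volume[0-9]*/,` and the widened `/tmp/ctd-volume[0-9]*/{data,} rw,` in the containerd profile both match directories under world-writable /tmp without `owner`, while the neighbouring `owner /tmp/** rwkl,` keeps the generic rule owner-scoped; if containerd creates these volume directories itself, `owner /tmp/ctd-volume[0-9]*/{data,} rw,` keeps a directory pre-created by another uid from matching. A short comment naming which containerd code path creates these directories would make the broader form easier to justify if it is intentional. Both containerd hunks end inside this line; the profile continues outside them.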
From: Jeroen Rijken Date: Mon, 1 Aug 2022 18:26:08 +0200 Subject: [PATCH 09/40] Add profiles for whoami, whereis, which, findmnt, users, sanoid and syncoid. --- apparmor.d/profiles-a-f/findmnt | 22 +++++++++++++++++ apparmor.d/profiles-s-z/sanoid | 32 ++++++++++++++++++++++++ apparmor.d/profiles-s-z/syncoid | 32 ++++++++++++++++++++++++ apparmor.d/profiles-s-z/users | 22 +++++++++++++++++ apparmor.d/profiles-s-z/whereis | 43 +++++++++++++++++++++++++++++++++ apparmor.d/profiles-s-z/which | 29 ++++++++++++++++++++++ apparmor.d/profiles-s-z/whoami | 18 ++++++++++++++ 7 files changed, 198 insertions(+) create mode 100644 apparmor.d/profiles-a-f/findmnt create mode 100644 apparmor.d/profiles-s-z/sanoid create mode 100644 apparmor.d/profiles-s-z/syncoid create mode 100644 apparmor.d/profiles-s-z/users create mode 100644 apparmor.d/profiles-s-z/whereis create mode 100644 apparmor.d/profiles-s-z/which create mode 100644 apparmor.d/profiles-s-z/whoami diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt new file mode 100644 index 000000000..36c2cea56 --- /dev/null +++ b/apparmor.d/profiles-a-f/findmnt @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/findmnt +profile findmnt @{exec_path} flags=(complain) { + include + include + + @{exec_path} mr, + + /etc/fstab r, + /etc/mtab r, + + @{PROC}/@{pids}/mountinfo r, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid new file mode 100644 index 000000000..8f4e7bbcf --- /dev/null +++ b/apparmor.d/profiles-s-z/sanoid 
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{local/,}{s,}bin/sanoid
+profile sanoid @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} rm,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/perl rix,
+ /{usr/,}bin/ps rPx,
+ /{usr/,}{local/,}{s,}bin/zfs rPx,
+
+ /etc/sanoid/{*,} r,
+
+ /var/cache/sanoid/snapshots.txt rw,
+
+ /usr/share/sanoid/{**,} r,
+
+ @{run}/sanoid/sanoid_cacheupdate.lock rwk,
+ @{run}/sanoid/sanoid_pruning.lock rwk,
+
+ owner /tmp/** rw,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid
new file mode 100644
index 000000000..0ca3f8446
--- /dev/null
+++ b/apparmor.d/profiles-s-z/syncoid
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{local/,}{s,}bin/syncoid
+profile syncoid @{exec_path} flags=(complain) {
+ include
+ include
+ include
+
+ @{exec_path} rm,
+ /{usr/,}bin/grep rix,
+ /{usr/,}bin/mbuffer rix,
+ /{usr/,}bin/perl rix,
+ /{usr/,}bin/ps rPx,
+ /{usr/,}bin/pv rix,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}{local/,}{s,}bin/zfs rPx,
+ /{usr/,}{local/,}{s,}bin/zpool rPx,
+
+ /etc/mbuffer.rc r,
+
+ owner /tmp/** rw,
+
+ @{PROC}/@{pids}/maps r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/profiles-s-z/users
new file mode 100644
index 000000000..a62d14e75
--- /dev/null
+++ b/apparmor.d/profiles-s-z/users
@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/users
+profile users @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ /var/log/wtmp rk,
+
+ @{run}/utmp rk,
+
+ include if exists
+}
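Review bot: `@{PROC}/@{pids}/maps r,` in the syncoid profile grants read access to the memory map of every process, which discloses the address-space layout of unrelated processes; nothing else in the hunk suggests syncoid needs more than its own, so `owner @{PROC}/@{pid}/maps r,` is the expected form unless the complain-mode log shows otherwise. Syncoid commonly replicates over ssh and no ssh exec rule is present, so that is likely the next entry the log will show. sanoid in the same line is tighter, but both use `rm` where the series otherwise writes `mr`.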
diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis
new file mode 100644
index 000000000..86a2075a0
--- /dev/null
+++ b/apparmor.d/profiles-s-z/whereis
@@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/whereis
+profile whereis @{exec_path} flags=(complain) {
+ include
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}{local/,}{s,}bin/ r,
+ /{usr/,}lib/go-*/bin/ r,
+ /{usr/,}{local/,}games/ r,
+
+ /etc/ r,
+
+ /{usr/,}lib{,32,64}/ r,
+ /usr/local/{,etc/,lib/} r,
+ /usr/include/ r,
+ /usr/share/ r,
+ /usr/share/info/{**,} r,
+ /usr/share/man/{**,} r,
+ /usr/src/{**,} r,
+
+ @{libexec}/ r,
+
+ /opt/ r,
+ /opt/cni/bin/ r,
+ /opt/containerd/bin/ r,
+
+ /snap/bin/ r,
+
+ owner @{HOME}/{.local/,}/{.,}bin/ r,
+ owner @{HOME}/.krew/bin/ r,
+ owner @{HOME}/go/bin/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which
new file mode 100644
index 000000000..32635f414
--- /dev/null
+++ b/apparmor.d/profiles-s-z/which
@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/which{.debianutils,}
+profile which @{exec_path} flags=(complain) {
+ include
+
+ @{exec_path} mr,
+
+ /{usr/,}{local/,}{s,}bin/ r,
+ /{usr/,}lib/go-*/bin/ r,
+ /{usr/,}{local/,}games/ r,
+
+ /opt/cni/bin/ r,
+ /opt/containerd/bin/ r,
+
+ /snap/bin/ r,
+
+ owner @{HOME}/{.local/,}/{.,}bin/ r,
+ owner @{HOME}/.krew/bin/ r,
+ owner @{HOME}/go/bin/ r,
+
+ include if exists
+}
diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami
new file mode 100644
index 000000000..6dca3d67b
--- /dev/null
+++ b/apparmor.d/profiles-s-z/whoami
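Review bot: `owner @{HOME}/{.local/,}/{.,}bin/ r,` expands to paths with a doubled slash (`@{HOME}//bin/`, `@{HOME}/.local//bin/`); as far as I recall apparmor_parser collapses repeated slashes so the rule still works, but it reads as a typo, and `owner @{HOME}/{.local/,}{.,}bin/ r,` states the intended set (~/bin, ~/.bin, ~/.local/bin, ~/.local/.bin) directly. The identical line is repeated in the which profile further along this line. whereis additionally reads all of `/usr/src/{**,}`, a large surface for a path-lookup tool; if that is there for the `-s` source search, a comment saying so would spare the next reviewer the question.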
@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/whoami
+profile whoami @{exec_path} {
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ include if exists
+}
From 005dec1a53eddf199aecba63249afc78662c6bef Mon Sep 17 00:00:00 2001
From: Jeroen Rijken Date: Mon, 1 Aug 2022 18:30:03 +0200 Subject: [PATCH 10/40] tty and pts are part of abstractions/consoles --- .../groups/apps/usr.lib.libreoffice.program.soffice.bin | 3 +-- apparmor.d/groups/apt/apt-mark | 3 +-- apparmor.d/groups/bus/dbus-run-session | 4 +--- apparmor.d/groups/freedesktop/fc-cache | 1 + apparmor.d/groups/freedesktop/plymouth | 1 + apparmor.d/groups/freedesktop/xdg-mime | 2 +- apparmor.d/groups/freedesktop/xdg-open | 2 +- apparmor.d/groups/freedesktop/xkbcomp | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/freedesktop/xwayland | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gdm-xsession | 1 - apparmor.d/groups/gnome/gjs-console | 2 +- apparmor.d/groups/gnome/gnome-extensions-app | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/network/nm-openvpn-service | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/pacman/archlinux-java | 2 +- apparmor.d/groups/pacman/paccache | 2 +- apparmor.d/groups/pacman/pacdiff | 2 +- apparmor.d/groups/pacman/pacman-hook-dconf | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 2 +- apparmor.d/groups/pacman/pacman-hook-dkms | 2 +- apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 +- apparmor.d/groups/pacman/pacman-hook-gio | 2 +- apparmor.d/groups/pacman/pacman-hook-gtk | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove | 2 +- apparmor.d/groups/pacman/pacman-hook-perl | 2 +- apparmor.d/groups/pacman/pacman-hook-systemd | 2 +- apparmor.d/groups/pacman/pacman-key | 2 +- apparmor.d/groups/systemd/systemd-analyze | 4 +--- apparmor.d/groups/systemd/systemd-environment-d-generator | 2 +- apparmor.d/groups/systemd/systemd-sleep | 2 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/profiles-a-f/acpid | 2 +- 
apparmor.d/profiles-a-f/apparmor.systemd | 2 +- apparmor.d/profiles-a-f/askpass | 2 +- apparmor.d/profiles-a-f/augenrules | 2 +- apparmor.d/profiles-a-f/aurpublish | 2 +- apparmor.d/profiles-a-f/blueman | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/firecfg | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-g-l/install-info | 3 +-- apparmor.d/profiles-m-r/mount-zfs | 3 +-- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-m-r/pkttyagent | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- apparmor.d/profiles-s-z/start-pulseaudio-x11 | 2 +- apparmor.d/profiles-s-z/udisksctl | 2 +- apparmor.d/profiles-s-z/update-ca-trust | 2 +- apparmor.d/profiles-s-z/wl-copy | 2 +- apparmor.d/profiles-s-z/zpool | 2 +- apparmor.d/profiles-s-z/zsysd | 2 +- 59 files changed, 58 insertions(+), 65 deletions(-) diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin index 6ba6c30ae..fe753558b 100644 --- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin +++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin @@ -81,6 +81,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp #include #include + #include #include #include #include @@ -151,8 +152,6 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp /usr/bin/kgpg rix, /usr/bin/kleopatra rix, - /dev/tty rw, - /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx, owner @{user_cache_dirs}/gstreamer-???/** rw, unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 5fd241299..79e3285aa 100644 --- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark 
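Review bot: Replacing a single `/dev/tty rw,` with the consoles abstraction (the include target is stripped in this rendering; the subject names abstractions/consoles) is a widening rather than a no-op: upstream's version of that abstraction, as far as I recall, grants read/write on every virtual console, every pty and the serial/USB tty devices, whereas the removed rule covered only the controlling terminal. For an interactive application such as libreoffice-soffice in this hunk that trade is reasonable, but the patch applies the same swap to non-interactive hooks and services further on (the pacman hooks, systemd-sleep, nm-openvpn-service, wg-quick, acpid, apparmor.systemd, the environment generators), where keeping `/dev/tty rw,` under a `# file_inherit` comment would preserve the previous footprint. The pattern repeats through every hunk of this patch up to install-info; I raise it only here.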
@@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/apt-mark profile apt-mark @{exec_path} { include + include include @{exec_path} mr, @@ -25,7 +26,5 @@ profile apt-mark @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, - /dev/pts/[0-9]* rw, - include if exists } diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index 4becf5e7e..49d79c73c 100644 --- a/apparmor.d/groups/bus/dbus-run-session +++ b/apparmor.d/groups/bus/dbus-run-session @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/dbus-run-session profile dbus-run-session @{exec_path} { include + include include signal (receive) set=(term, kill, hup) peer=gdm*, @@ -31,9 +32,6 @@ profile dbus-run-session @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - # file_inherit - /dev/tty rw, - /dev/tty[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index b467e8f28..8d0b9fe63 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -9,6 +9,7 @@ include @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*} profile fc-cache @{exec_path} { include + include include include diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth index 674732276..059df5a33 100644 --- a/apparmor.d/groups/freedesktop/plymouth +++ b/apparmor.d/groups/freedesktop/plymouth @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/plymouth profile plymouth @{exec_path} { include + include unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"), diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index bbc1eee60..1cf27d71f 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/xdg-mime profile xdg-mime @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} r, 
@@ -47,7 +48,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, /dev/dri/card[0-9]* rw, - /dev/tty rw, # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index d6ddceae4..38346fb1f 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -10,6 +10,7 @@ include profile xdg-open @{exec_path} flags=(attach_disconnected) { include include + include include @{exec_path} r, @@ -50,7 +51,6 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { # file_inherit /dev/dri/card[0-9]* rw, - /dev/tty rw, profile dbus { include diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 5143346a0..0d3882c77 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include + include unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (send,receive) type=stream addr=none peer=(label=gnome-shell), @@ -32,7 +33,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner /tmp/server-[0-9]*.xkm rwk, /dev/dri/card[0-9]* rw, - /dev/tty rw, /dev/tty[0-9]* rw, deny /dev/input/event[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 090e2ee81..d51cc9079 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -13,6 +13,7 @@ include @{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} profile xorg @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -131,7 +132,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/input/event[0-9]* rw, /dev/shm/#[0-9]*[0-9] rw, /dev/shm/shmfd-* rw, - /dev/tty rw, /dev/tty[0-9]* rw, /dev/vga_arbiter rw, # Graphic card modules diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 701a0de2c..429f076d2 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -41,7 +42,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/comm r, /dev/tty[0-9]* rw, - /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 548b699f8..6604d1173 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gdm-session-worker profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -87,7 +88,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{PROC}/1/limits r, @{PROC}/keys r, - /dev/tty rw, /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 5f3e7745d..553ad6afd 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -43,7 +43,6 @@ profile gdm-xsession @{exec_path} { /{usr/,}bin/dbus-update-activation-environment mr, # file_inherit - /dev/tty rw, /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, } diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index fe4e1f9d0..642a0fed6 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
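Review bot: The gdm-xsession hunk removes `/dev/tty rw,` from the `# file_inherit` block but, unlike every other file in this patch, adds no include in exchange (the diffstat also lists it as `1 -`); unless the profile already includes the consoles abstraction above line 43, outside this hunk, the inherited-terminal access is simply lost. If it does already include it, the retained `/dev/tty[0-9]* rw,` on the following line is then redundant for the same reason, assuming upstream's consoles abstraction covers `/dev/tty[0-9]*`; the same retained line appears in xkbcomp (previous line), xorg, xwayland and gdm-session-worker here, and in gjs-console, gnome-session-binary and gsd-xsettings in the next lines.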
@@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -58,7 +59,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/stat r, /dev/ r, - /dev/tty rw, /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index d4f5d0bc5..d0ee1f704 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/gnome-extensions-app profile gnome-extensions-app @{exec_path} { include + include @{exec_path} mr, @@ -17,7 +18,6 @@ profile gnome-extensions-app @{exec_path} { /usr/share/terminfo/x/xterm-256color r, - /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 6362ac80b..146050702 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -141,7 +142,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/cmdline r, - /dev/tty rw, /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 2192ebaef..249349070 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/gsd-xsettings profile gsd-xsettings @{exec_path} { include + include include include include 
@@ -70,7 +71,6 @@ profile gsd-xsettings @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - /dev/tty rw, /dev/tty[0-9]* rw, profile run-parts { diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index c612512d1..d0364baf1 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -61,7 +62,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/net/wireless r, - /dev/tty rw, /dev/dri/card[0-9]* rw, include if exists diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index d63512be5..a92254959 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -9,6 +9,7 @@ include @{exec_path} = "/opt/Mullvad VPN/mullvad-gui" profile mullvad-gui @{exec_path} { include + include include include include @@ -69,7 +70,6 @@ profile mullvad-gui @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, - /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 3676d6434..8d1e0a4c3 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/nm-openvpn-service profile nm-openvpn-service @{exec_path} { include + include include capability kill, @@ -27,7 +28,6 @@ profile nm-openvpn-service @{exec_path} { @{run}/NetworkManager/nm-openvpn-@{uuid} rw, /dev/net/tun rw, - /dev/tty rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index 06ccb7d60..54a9e3644 100644 --- a/apparmor.d/groups/network/wg-quick 
+++ b/apparmor.d/groups/network/wg-quick @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/wg-quick profile wg-quick @{exec_path} { include + include capability net_admin, @@ -39,7 +40,6 @@ profile wg-quick @{exec_path} { @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, - /dev/tty rw, # Force the use as root deny /{usr/,}bin/sudo x, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 06802b1f5..6a433d46c 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/archlinux-java profile archlinux-java @{exec_path} { include + include capability dac_read_search, @@ -25,7 +26,6 @@ profile archlinux-java @{exec_path} { /{usr/,}lib/jvm/default w, /{usr/,}lib/jvm/default-runtime w, - /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 2dd92c43d..d592fffda 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/paccache profile paccache @{exec_path} { include + include include capability dac_read_search, @@ -35,7 +36,6 @@ profile paccache @{exec_path} { owner @{PROC}/@{pid}/fd/ r, - /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 2ab106458..dd32a2441 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, @@ -36,7 +37,6 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /usr/{,**} r, /var/{,**} r, - /dev/tty rw, # Inherit Silencer deny /apparmor/.null rw, 
diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index a4f0d2fa8..431f84fb1 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/dconf-update profile pacman-hook-dconf @{exec_path} { include + include capability dac_read_search, @@ -20,7 +21,6 @@ profile pacman-hook-dconf @{exec_path} { /etc/dconf/db/{,**} rw, - /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index bee1028f9..bab25a9ce 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/depmod profile pacman-hook-depmod @{exec_path} { include + include capability dac_read_search, @@ -23,7 +24,6 @@ profile pacman-hook-depmod @{exec_path} { /usr/lib/modules/*/{,**} rw, - /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index 4bc084b5a..4ef5907a7 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/dkms profile pacman-hook-dkms @{exec_path} { include + include capability dac_read_search, capability mknod, @@ -27,7 +28,6 @@ profile pacman-hook-dkms @{exec_path} { /etc/dkms/{,*} r, - /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 38166f030..ae89d40e4 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig 
@@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/40-fontconfig-config profile pacman-hook-fontconfig @{exec_path} { include + include capability dac_read_search, @@ -21,7 +22,6 @@ profile pacman-hook-fontconfig @{exec_path} { /etc/fonts/conf.d/* rwl, /usr/share/fontconfig/conf.default/* r, - /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index b748c39c6..d61c49b0a 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/gio-querymodules profile pacman-hook-gio @{exec_path} { include + include capability dac_read_search, @@ -23,7 +24,6 @@ profile pacman-hook-gio @{exec_path} { /usr/lib/gio/modules/ rw, - /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index e110ded46..7b5fe2e8c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/gtk-update-icon-cache profile pacman-hook-gtk @{exec_path} { include + include capability dac_read_search, @@ -23,7 +24,6 @@ profile pacman-hook-gtk @{exec_path} { /usr/share/icons/{,**} rw, - /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install index f18699b94..ac186b9fa 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, 
@@ -32,7 +33,6 @@ profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) / r, owner /boot/vmlinuz-* rw, - /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 2280c2746..b425fc93a 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-remove profile pacman-hook-mkinitcpio-remove @{exec_path} { include + include capability dac_read_search, capability mknod, @@ -28,7 +29,6 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /boot/initramfs-*.img rw, /boot/initramfs-*-fallback.img rw, - /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index b18a60058..99f936a4f 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh profile pacman-hook-perl @{exec_path} { include + include capability dac_read_search, capability mknod, @@ -23,7 +24,6 @@ profile pacman-hook-perl @{exec_path} { /{usr/,}lib/perl[0-9]*/{,**} r, - /dev/tty rw, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index b41e0a522..6a4de3359 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/systemd-hook profile pacman-hook-systemd @{exec_path} { include + include capability dac_read_search, @@ -29,7 +30,6 @@ profile pacman-hook-systemd @{exec_path} { /usr/ rw, - /dev/tty rw, # Inherit silencer deny network inet6 stream, 
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 3f427b9a3..c13fdf13a 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -10,6 +10,7 @@ include profile pacman-key @{exec_path} { include include + include capability dac_read_search, capability mknod, @@ -35,7 +36,6 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/gpg.conf r, - /dev/tty rw, profile gpg { include diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 271a3eb3c..400bcac6f 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -10,6 +10,7 @@ include @{exec_path} = /{usr/,}bin/systemd-analyze profile systemd-analyze @{exec_path} { include + include include capability sys_resource, @@ -57,8 +58,5 @@ profile systemd-analyze @{exec_path} { owner @{PROC}/@{pid}/comm r, @{PROC}/swaps r, - /dev/tty rw, - /dev/pts/1 rw, - include if exists } diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator index e007b6dcb..6b3ef2f9e 100644 --- a/apparmor.d/groups/systemd/systemd-environment-d-generator +++ b/apparmor.d/groups/systemd/systemd-environment-d-generator @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/systemd/user-environment-generators/* profile systemd-environment-d-generator @{exec_path} { include + include include include @@ -24,7 +25,6 @@ profile systemd-environment-d-generator @{exec_path} { owner @{user_config_dirs}/environment.d/{,*.conf} r, - /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index f23379653..fb8fab895 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-sleep profile systemd-sleep @{exec_path} { include + include include include 
@@ -29,7 +30,6 @@ profile systemd-sleep @{exec_path} { @{PROC}/driver/nvidia/suspend w, - /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 3f041cc45..dcf8745a8 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{local/,}bin/k3s profile k3s @{exec_path} { include + include include include include @@ -166,7 +167,6 @@ profile k3s @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, /dev/kmsg r, - /dev/pts/[0-9]* rw, include if exists } diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 8074ef09b..486c40a99 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{s,}bin/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include + include include capability dac_read_search, @@ -33,7 +34,6 @@ profile acpid @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/loginuid r, /dev/input/{,**} r, - /dev/tty rw, include if exists } diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index a40c42491..d3ef9890a 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd profile apparmor.systemd @{exec_path} flags=(complain) { include + include include capability mac_admin, @@ -41,7 +42,6 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{PROC}/filesystems r, @{PROC}/mounts r, - /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/askpass b/apparmor.d/profiles-a-f/askpass index 67938a929..da82ec52c 100644 --- a/apparmor.d/profiles-a-f/askpass +++ b/apparmor.d/profiles-a-f/askpass 
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/code/extensions/git/dist/askpass.sh
 profile askpass @{exec_path} {
 include
+ include
 network inet dgram,
 network inet6 dgram,
@@ -25,7 +26,6 @@ profile askpass @{exec_path} {
 owner /tmp/tmp.* rw,
- /dev/tty rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules
index f7356dd02..211a5e0dc 100644
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/augenrules
 profile augenrules @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
@@ -19,7 +20,6 @@ profile augenrules @{exec_path} {
 owner /tmp/aurules.* rw,
- /dev/tty rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/aurpublish b/apparmor.d/profiles-a-f/aurpublish
index 879199f59..978f97bae 100644
--- a/apparmor.d/profiles-a-f/aurpublish
+++ b/apparmor.d/profiles-a-f/aurpublish
@@ -9,6 +9,7 @@ include
 @{exec_path} = /usr/share/aurpublish/*.hook
 profile aurpublish @{exec_path} {
 include
+ include
 signal (receive) peer=git,
@@ -25,7 +26,6 @@ profile aurpublish @{exec_path} {
 owner @{user_projects_dirs}/**/.SRCINFO rw,
 owner @{user_projects_dirs}/**/PKGBUILD r,
- /dev/tty rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 362666f71..609b75536 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/blueman-*
 profile blueman @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 include
 include
@@ -67,7 +68,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 /dev/dri/card[0-9]* rw,
 /dev/rfkill r,
 /dev/shm/ r,
- /dev/tty rw,
 profile open {
 include
diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince
index 0190d4190..7768dffe8 100644
--- a/apparmor.d/profiles-a-f/evince
+++ b/apparmor.d/profiles-a-f/evince
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced
 profile evince @{exec_path} {
 include
+ include
 include
 include
 include
@@ -40,7 +41,6 @@ profile evince @{exec_path} {
 owner @{PROC}/@{pid}/fd/ r,
 owner @{PROC}/@{pid}/mountinfo r,
- /dev/tty rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg
index 55963c466..359095a95 100644
--- a/apparmor.d/profiles-a-f/firecfg
+++ b/apparmor.d/profiles-a-f/firecfg
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/firecfg
 profile firecfg @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 capability dac_read_search,
@@ -34,7 +35,6 @@ profile firecfg @{exec_path} flags=(attach_disconnected) {
 @{user_share_dirs}/applications/ r,
 @{user_share_dirs}/applications/*.desktop rw,
- /dev/tty rw,
 deny /apparmor/.null rw,
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index 57144bb02..f26ab2fa4 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/fwupdmgr
 profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
 include
+ include
 include
 include
 include
@@ -42,7 +43,6 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
 owner @{PROC}/@{pid}/fd/ r,
- /dev/tty rw,
 profile dbus {
 include
diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info
index a541546cb..f54441c11 100644
--- a/apparmor.d/profiles-g-l/install-info
+++ b/apparmor.d/profiles-g-l/install-info
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/install-info
 profile install-info @{exec_path} {
 include
+ include
 capability dac_read_search,
@@ -20,8 +21,6 @@ profile install-info @{exec_path} {
 /usr/share/info/{,**} r,
 /usr/share/info/dir rw,
- /dev/tty rw,
-
 # Inherit silencer
 deny network inet6 stream,
 deny network inet stream,
diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs
index eaf3104d5..6d460635a 100644
--- a/apparmor.d/profiles-m-r/mount-zfs
+++ b/apparmor.d/profiles-m-r/mount-zfs
@@ -9,14 +9,13 @@ include
 @{exec_path} = /{usr/,}{s,}bin/mount.zfs
 profile mount-zfs @{exec_path} flags=(complain) {
 include
+ include
 include
 capability sys_admin, # To mount anything.
 @{exec_path} mr,
- /dev/pts/[0-9]* rw,
-
 @{MOUNTDIRS}/ r,
 @{MOUNTS}/ r,
 @{MOUNTS}/*/ r,
diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
index 17a723e04..d4df0d2b8 100644
--- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
+++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}lib/needrestart/iucode-scan-versions
 profile needrestart-iucode-scan-versions @{exec_path} {
 include
+ include
 @{exec_path} mr,
@@ -29,7 +30,6 @@ profile needrestart-iucode-scan-versions @{exec_path} {
 @{sys}/devices/system/cpu/cpu[0-9]*/microcode/processor_flags r,
- /dev/tty rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass
index b701b02b9..366584a88 100644
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/pass
 profile pass @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
@@ -65,7 +66,6 @@ profile pass @{exec_path} {
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/uptime r,
- /dev/tty rw,
 profile editor {
 include
diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent
index fb894967e..148e25e54 100644
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/pkttyagent
 profile pkttyagent @{exec_path} {
 include
+ include
 include
 include
@@ -39,7 +40,6 @@ profile pkttyagent @{exec_path} {
 owner @{PROC}/@{pids}/stat r,
- /dev/tty rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf
index d5b5fdb8c..37efaadaf 100644
--- a/apparmor.d/profiles-m-r/resolvconf
+++ b/apparmor.d/profiles-m-r/resolvconf
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}sbin/resolvconf
 profile resolvconf @{exec_path} {
 include
+ include
 include
 @{exec_path} mr,
@@ -33,7 +34,6 @@ profile resolvconf @{exec_path} {
 owner @{run}/resolvconf/{,**} rw,
 owner @{run}/resolvconf/run-lock wk,
- /dev/tty rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11
index de71e9f49..c14b8fa5f 100644
--- a/apparmor.d/profiles-s-z/start-pulseaudio-x11
+++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11
@@ -9,13 +9,13 @@ include
 @{exec_path} = /{usr/,}bin/start-pulseaudio-x11
 profile start-pulseaudio-x11 @{exec_path} {
 include
+ include
 @{exec_path} mr,
 /{usr/,}bin/{,ba,da}sh rix,
 /{usr/,}bin/pactl rPx,
- /dev/tty rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl
index 58fca3ce9..cacf0d1b6 100644
--- a/apparmor.d/profiles-s-z/udisksctl
+++ b/apparmor.d/profiles-s-z/udisksctl
@@ -10,6 +10,7 @@ include
 @{exec_path} = /{usr/,}bin/udisksctl
 profile udisksctl @{exec_path} {
 include
+ include
 @{exec_path} mr,
@@ -19,7 +20,6 @@ profile udisksctl @{exec_path} {
 /{usr/,}bin/less rPx -> child-pager,
 /{usr/,}bin/more rPx -> child-pager,
- /dev/tty rw,
 include if exists
 }
diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust
index caa578b86..f80670561 100644
--- a/apparmor.d/profiles-s-z/update-ca-trust
+++ b/apparmor.d/profiles-s-z/update-ca-trust
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/update-ca-trust
 profile update-ca-trust @{exec_path} {
 include
+ include
 include
 capability dac_read_search,
@@ -30,7 +31,6 @@ profile update-ca-trust @{exec_path} {
 /etc/ssl/certs/{,*} rw,
 /etc/ssl/certs/java/cacerts{,.*} w,
- /dev/tty rw,
 # Inherit silencer
 deny network inet6 stream,
diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy
index 880d3dc17..0a07cf860 100644
--- a/apparmor.d/profiles-s-z/wl-copy
+++ b/apparmor.d/profiles-s-z/wl-copy
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}bin/wl-{copy,paste}
 profile wl-copy @{exec_path} {
 include
+ include
 @{exec_path} mr,
@@ -19,7 +20,6 @@ profile wl-copy @{exec_path} {
 owner /tmp/wl-copy-buffer-*/{,**} rw,
- /dev/tty rw,
 include if exists
 }
\ No newline at end of file
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool
index 77dae7f07..2bc62188b 100644
--- a/apparmor.d/profiles-s-z/zpool
+++ b/apparmor.d/profiles-s-z/zpool
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}{local/,}{s,}bin/zpool
 profile zpool @{exec_path} {
 include
+ include
 include
 capability sys_admin,
@@ -31,7 +32,6 @@ profile zpool @{exec_path} {
 @{PROC}/@{pids}/mounts r,
 @{PROC}/sys/kernel/spl/hostid r,
- /dev/pts/[0-9]* rw,
 /dev/zfs rw,
 include if exists
diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd
index 8862b59cd..d1dcc5acb 100644
--- a/apparmor.d/profiles-s-z/zsysd
+++ b/apparmor.d/profiles-s-z/zsysd
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}{s,}bin/zsysd /{usr/,}{s,}bin/zsysctl
 profile zsysd @{exec_path} flags=(complain) {
 include
+ include
 include
 include
@@ -41,7 +42,6 @@ profile zsysd @{exec_path} flags=(complain) {
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
- /dev/pts/[0-9]* rw,
 /dev/zfs rw,
 include if exists
From 575d781c884cab704b17addb169f3cf0c84eda7b Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Mon, 1 Aug 2022 18:31:06 +0200
Subject: [PATCH 11/40] Various ZFS fixes
---
 apparmor.d/profiles-s-z/zfs | 4 ++++
 apparmor.d/profiles-s-z/zpool | 1 +
 .../profiles-s-z/zsys-system-autosnapshot | 17 ++++++++---------
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs
index 500cfec1d..7482e9ea6 100644
--- a/apparmor.d/profiles-s-z/zfs
+++ b/apparmor.d/profiles-s-z/zfs
@@ -20,6 +20,10 @@ profile zfs @{exec_path} {
 /etc/zfs/zfs-list.cache/{,*} rwk,
+ # Sanoid generates temorary files with random names including underscores, directly under /tmp.
+ # https://github.com/jimsalterjrs/sanoid/issues/758
+ /tmp/* rw,
+
 @{run}/zfs-list.cache@* rw,
 @{PROC}/@{pids}/mounts r,
diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool
index 2bc62188b..6d9c960b8 100644
--- a/apparmor.d/profiles-s-z/zpool
+++ b/apparmor.d/profiles-s-z/zpool
@@ -29,6 +29,7 @@ profile zpool @{exec_path} {
 @{sys}/bus/pci/slots/ r,
 @{sys}/bus/pci/slots/[0-9]*/address r,
+ @{PROC}/@{pids}/mountinfo r,
 @{PROC}/@{pids}/mounts r,
 @{PROC}/sys/kernel/spl/hostid r,
diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
index 76b98a496..428777fb7 100644
--- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot
+++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot
@@ -9,14 +9,15 @@ include
 @{exec_path} = @{libexec}/zsys-system-autosnapshot
 profile zsys-system-autosnapshot @{exec_path} flags=(complain) {
 include
+ include
- @{exec_path} rm,
- /{usr/,}bin/{,ba,da}sh rix,
- /{usr/,}bin/cat rix,
- /{usr/,}bin/cp rix,
- /{usr/,}bin/rm rix,
- /{usr/,}bin/zsysctl rPx,
- /{usr/,}bin/zsysd rPx,
+ @{exec_path} rm,
+ /{usr/,}bin/{,ba,da}sh rix,
+ /{usr/,}bin/cat rix,
+ /{usr/,}bin/cp rix,
+ /{usr/,}bin/rm rix,
+ /{usr/,}{s,}bin/zsysctl rPx,
+ /{usr/,}{s,}bin/zsysd rPx,
 /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
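Review bot: `/tmp/* rw,` in the zfs hunk carries no `owner` qualifier, so the profile can read and overwrite any file directly under /tmp regardless of which user created it, while the comment above it only describes sanoid's own temporary files; `owner /tmp/* rw,` covers that case and nothing more, and if sanoid's names share a recognisable prefix a narrower glob would be tighter still. The same comment misspells "temporary" as "temorary". The zfs profile body continues outside the hunk.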
@@ -24,7 +25,5 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) {
 @{run}/zsys-snapshot.unattended-upgrades rw,
 @{run}/unattended-upgrades.pid r,
- /dev/pts/[0-9]* rw,
-
 include if exists
 }
From 099a97cb365c8ca1a0451cf32c14124167a38845 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Mon, 1 Aug 2022 18:31:32 +0200
Subject: [PATCH 12/40] General update
---
 apparmor.d/groups/apt/apt-methods-gpgv | 2 ++
 apparmor.d/groups/apt/dpkg | 1 +
 apparmor.d/groups/apt/unattended-upgrade | 9 +++++++-
 apparmor.d/groups/freedesktop/fc-cache | 3 +++
 apparmor.d/groups/freedesktop/pulseaudio | 7 ++++++
 apparmor.d/groups/gpg/gpg | 2 ++
 apparmor.d/groups/gpg/gpgconf | 2 ++
 apparmor.d/groups/gpg/gpgsm | 2 ++
 apparmor.d/groups/grub/grub-editenv | 2 ++
 apparmor.d/groups/network/ModemManager | 4 ++++
 apparmor.d/groups/pacman/mkinitcpio | 2 +-
 apparmor.d/groups/systemd/child-systemctl | 2 ++
 apparmor.d/groups/systemd/systemd-analyze | 16 +++++++++++++
 apparmor.d/groups/ubuntu/update-grub | 1 +
 apparmor.d/groups/virt/containerd | 2 ++
 apparmor.d/groups/virt/k3s | 2 +-
 apparmor.d/profiles-a-f/boltd | 23 +++++++++++++++++-
 apparmor.d/profiles-a-f/dkms | 9 +++++++-
 apparmor.d/profiles-a-f/dkms-autoinstaller | 11 ++++-----
 apparmor.d/profiles-a-f/fwupdmgr | 27 ++++++++++++++++++++++
 apparmor.d/profiles-m-r/mkinitramfs | 12 ++++++----
 apparmor.d/profiles-m-r/mount-zfs | 1 +
 apparmor.d/profiles-m-r/run-parts | 4 +++-
 apparmor.d/profiles-s-z/sudo | 2 +-
 apparmor.d/profiles-s-z/zfs | 1 +
 apparmor.d/profiles-s-z/zsysd | 11 +++++----
 26 files changed, 137 insertions(+), 23 deletions(-)
diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv
index aa8b7ad16..74786b57b 100644
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@@ -82,6 +82,8 @@ profile apt-methods-gpgv @{exec_path} { # Local keyring storage /etc/apt/keyrings/ r, /etc/apt/keyrings/*.{gpg,asc} r, + /usr/share/keyrings/ r, + /usr/share/keyrings/*.{gpg,asc} r, # Extrepo keyring storage /var/lib/extrepo/keys/*.{gpg,asc} r, diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index 77aa271b4..0593605a0 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -76,6 +76,7 @@ profile dpkg @{exec_path} { owner /tmp/apt-dpkg-install-*/ r, /var/log/dpkg.log w, + /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, @{run}/systemd/userdb/ r, diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index 73f581833..9ea5fe83e 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -49,7 +49,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager - member={CheckPermissions,StateChanged}, + member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved}, @{exec_path} mr, @@ -80,6 +80,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /etc/apt/*.list r, /etc/apt/apt.conf.d/{,**} r, + /etc/debian_version r, + /etc/dpkg/origins/{debian,ubuntu,} r, + /etc/issue{.net,} r, + /etc/legal r, + /etc/lsb-release r, + /etc/profile.d/* r, + /etc/update-motd.d/* r, /etc/update-manager/{,**} r, /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r, diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index 8d0b9fe63..f0fb0c235 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , 
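Review bot: The new `/etc/update-motd.d/* r,` line in the second unattended-upgrade hunk subsumes the existing `/etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,` rule two lines below it, so one of the two is now dead. If reading every motd script is really required, keep the glob and drop the brace-list rule; otherwise extend the brace list with the scripts that were actually denied instead of adding the glob. The unattended-upgrade profile body continues outside the hunk.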
@@ -20,6 +21,8 @@ profile fc-cache @{exec_path} { /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl, /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl, + /var/tmp/mkinitramfs_*/{**,} rwl, + # Silencer deny network inet6 stream, deny network inet stream, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 2a8d08deb..2518c5794 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -127,6 +127,13 @@ profile pulseaudio @{exec_path} { member=Get peer=(name=/org/freedesktop/hostname[0-9]), + dbus (send) + bus=system + path=/org.freedesktop.hostname[0-9] + interface=org.freedesktop.DBus.Prope + member=Get + peer=(name=/org/freedesktop/hostname[0-9]), + @{exec_path} mrix, /{usr/,}@{libexec}/pulse/gsettings-helper mrix, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index e7b4d13f9..025963f03 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -14,6 +14,8 @@ profile gpg @{exec_path} { include include + capability dac_read_search, + network netlink raw, @{exec_path} mrix, diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf index e5ba0a3ba..ab5f2ef8f 100644 --- a/apparmor.d/groups/gpg/gpgconf +++ b/apparmor.d/groups/gpg/gpgconf @@ -12,6 +12,8 @@ profile gpgconf @{exec_path} { include include + capability dac_read_search, + @{exec_path} mrix, /{usr/,}bin/gpg-connect-agent rPx, diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm index 9792071b4..9f231c4f2 100644 --- a/apparmor.d/groups/gpg/gpgsm +++ b/apparmor.d/groups/gpg/gpgsm @@ -11,6 +11,8 @@ profile gpgsm @{exec_path} { include include + capability dac_read_search, + @{exec_path} mr, deny /usr/bin/.gnupg/ w, diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 419e46c7b..68dcf3fb0 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv 
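Review bot: `/var/tmp/mkinitramfs_*/{**,} rwl,` in the fc-cache hunk spells the brace alternatives the other way round from the rest of the tree, which writes `{,**}` (compare `owner /tmp/wl-copy-buffer-*/{,**} rw,` earlier in this series); both forms match the same paths, so this is consistency only. It is also worth checking whether `owner` applies here, since the rule allows writing and linking into any mkinitramfs work directory under /var/tmp whoever created it. The fc-cache profile body continues outside the hunk.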
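Review bot: The dbus rule added to pulseaudio looks mistyped in three places: `path=/org.freedesktop.hostname[0-9]` uses dots where an object path needs slashes, `interface=org.freedesktop.DBus.Prope` is cut off, and `peer=(name=/org/freedesktop/hostname[0-9])` gives a path-shaped value where a bus name belongs. A rule that cannot match will not clear the denial it was added for, and the context rule just above it in the hunk already ends in the same `member=Get` / `peer=(...)` pair, so either correct this one to `path=/org/freedesktop/hostname[0-9]`, `interface=org.freedesktop.DBus.Properties`, `peer=(name=org.freedesktop.hostname[0-9])` or drop it as a duplicate. The existing rule presumably parses with the same path-shaped peer name, but it is unlikely to match a real connection name either and deserves the same fix. The pulseaudio profile body continues outside the hunk.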
@@ -13,6 +13,8 @@ profile grub-editenv @{exec_path} flags=(complain) { @{exec_path} rm, + /boot/grub/grubenv rw, + include if exists } diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 0919ba889..6e56b5372 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -31,6 +31,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, + dbus receive bus=system path=/org/freedesktop/ModemManager[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority interface=org.freedesktop.PolicyKit[0-9].Authority member=Changed, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 050fdd2ce..45758f40c 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -27,7 +27,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/cp rix, /{usr/,}bin/dd rix, /{usr/,}bin/find rix, - /{usr/,}bin/findmnt rix, + /{usr/,}bin/findmnt rPx, /{usr/,}bin/fsck rix, /{usr/,}bin/gawk rix, /{usr/,}bin/grep rix, diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index 338f4f983..d4c6def1e 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl @@ -35,6 +35,8 @@ profile child-systemctl flags=(attach_disconnected) { /etc/systemd/user/{,**} rwl, + @{run}/systemd/private rw, + owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/osrelease r, @{PROC}/1/environ r, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 400bcac6f..a59ecdd31 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze 
@@ -11,11 +11,24 @@ include
 profile systemd-analyze @{exec_path} {
 include
 include
+ include
 include
 capability sys_resource,
 capability net_admin,
+ dbus send bus=system path=/org/freedesktop/systemd1
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/systemd1
+ interface=org.freedesktop.systemd1.Manager
+ member=ListUnits,
+
+ dbus send bus=system path=/org/freedesktop/systemd1/unit/*
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
 signal (send) peer=child-pager,
 network inet dgram,
@@ -38,7 +51,10 @@ profile systemd-analyze @{exec_path} {
 owner /tmp/systemd-temporary-*/ rw,
+ @{run}/systemd/generator/ r,
+ @{run}/systemd/private rw,
 @{run}/systemd/system/ r,
+ @{run}/systemd/transient/ r,
 @{run}/systemd/userdb/io.systemd.DynamicUser w,
 @{run}/udev/data/* r,
 @{run}/udev/tags/systemd/ r,
diff --git a/apparmor.d/groups/ubuntu/update-grub b/apparmor.d/groups/ubuntu/update-grub
index b17116334..e9d5d335c 100644
--- a/apparmor.d/groups/ubuntu/update-grub
+++ b/apparmor.d/groups/ubuntu/update-grub
@@ -9,6 +9,7 @@ include
 @{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
 profile update-grub @{exec_path} flags=(complain) {
 include
+ include
 @{exec_path} rm,
 /{usr/,}bin/{,ba,da}sh rix,
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index d3e3325ca..bfdcd25e0 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -20,7 +20,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
 capability dac_override,
 capability fsetid,
 capability fowner,
+ capability mknod,
 capability net_admin,
+ capability setfcap,
 capability sys_admin,
 network inet dgram,
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index dcf8745a8..38fef08b3 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -27,7 +27,7 @@ profile k3s @{exec_path} {
 capability sys_resource,
 ptrace peer=@{profile_name},
- ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined},
+ ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
 # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
 # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index e46ecbe3b..3939617a9 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -16,12 +16,32 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
+ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus send bus=system path=/org/freedesktop/DBus
+ interface=org.freedesktop.DBus
+ member=RequestName,
+
+ dbus receive bus=system path=/org/freedesktop/bolt
+ interface=org.freedesktop.DBus.Properties
+ member=GetAll,
+
+ dbus receive bus=system path=/org/freedesktop/bolt
+ interface=org.freedesktop.bolt1.Manager
+ member=ListDevices,
+
+ dbus bind bus=system
+ name=org.freedesktop.bolt,
+
 @{exec_path} mr,
 /var/lib/boltd/{,**} rw,
 owner @{run}/boltd/{,**} rw,
+ @{run}/systemd/notify @{run}/systemd/journal/socket w,
 @{run}/udev/data/+thunderbolt:* r,
@@ -37,7 +57,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r,
 @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r,
 @{sys}/devices/platform/**/uevent r,
+ @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,
 @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
 include if exists
-}
\ No newline at end of file
+}
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms
index bd4ddff7a..1bbba64bf 100644
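Review bot: `@{run}/systemd/notify @{run}/systemd/journal/socket w,` in the first boltd hunk puts two paths into one file rule; I do not believe the file-rule grammar accepts a space-separated path list (only a variable such as `@{exec_path}` expands to several paths), so this line is likely to fail to parse, and every other rule in this series is one path per line. Split it into `@{run}/systemd/notify w,` and `@{run}/systemd/journal/socket w,`. The boltd profile body continues outside the hunk.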
--- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2021 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -11,6 +12,7 @@ include profile dkms @{exec_path} flags=(attach_disconnected) { include include + include include capability dac_read_search, @@ -37,7 +39,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/rmdir rix, /{usr/,}bin/find rix, /{usr/,}bin/{,e}grep rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{,g,m}awk rix, /{usr/,}bin/cp rix, /{usr/,}bin/date rix, /{usr/,}bin/ln rix, @@ -62,6 +64,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix, /{usr/,}lib/modules/*/build/tools/objtool/objtool rix, + /var/lib/dkms/**/dkms.postbuild rix, + / r, /{usr/,}lib/modules/*/updates/ rw, /{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw, @@ -106,6 +110,9 @@ profile dkms @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/kmod mr, + /etc/depmod.d/{,ubuntu.conf} r, + /etc/ssl/openssl.cnf r, + @{PROC}/cmdline r, /{usr/,}lib/modules/*/modules.* rw, diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index 8dd6e33b6..677acfbb8 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -13,15 +14,13 @@ profile dkms-autoinstaller @{exec_path} { @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, - - /{usr/,}bin/readlink rix, - /{usr/,}bin/tput rix, + /{usr/,}{s,}bin/dkms rPx, /{usr/,}bin/echo rix, - - /{usr/,}{s,}bin/dkms rPx, - + /{usr/,}bin/plymouth rix, + /{usr/,}bin/readlink rix, /{usr/,}bin/run-parts rCx -> run-parts, /{usr/,}bin/systemctl rPx -> child-systemctl, + /{usr/,}bin/tput rix, # For shell pwd / r, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index f26ab2fa4..e5f5e4724 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -17,14 +17,40 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include include + capability sys_nice, + signal (send), + +ALLOWED fwupdmgr dbus_method_call org.freedesktop.fwupd send bus=system path=/ interface=org.freedesktop.fwupd member=UpdateMetadata peer_label=unconfined + + network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/ + interface=org.freedesktop.fwupd + member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata}, + + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.DBus.Properties + member=GetAll, + + dbus send bus=system path=/org/freedesktop/systemd[0-9] + interface=org.freedesktop.systemd[0-9].Manager + member={GetDefaultTarget,GetUnit}, + + dbus receive bus=system path=/ + interface=org.freedesktop.fwupd + member=Changed, + @{exec_path} mr, /{usr/,}bin/dbus-launch rCx -> dbus, 
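Review bot: The line `+ALLOWED fwupdmgr dbus_method_call org.freedesktop.fwupd send bus=system path=/ ...` in the fwupdmgr hunk is a pasted audit message with no leading `#`, so it is neither a rule nor a comment and will make the whole profile fail to load; delete it, since the `dbus send bus=system path=/ interface=org.freedesktop.fwupd member={...,UpdateMetadata},` rule later in the same hunk already covers the call it records. Separately, `signal (send),` with no `set=` or `peer=` lets fwupdmgr deliver any signal to any process, far broader than the other signal rules in this series (compare `signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot},` in sudo); constrain it to the signal and peer that were actually observed. The fwupdmgr profile body continues outside the hunk.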
@@ -38,6 +64,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
 owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
 owner @{user_cache_dirs}/ rw,
+ @{user_cache_dirs}/dconf/user rw,
 owner @{user_cache_dirs}/fwupd/ rw,
 owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index 35c7caba8..c2e4c5b7d 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2022 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -53,10 +54,11 @@ profile mkinitramfs @{exec_path} {
 /{usr/,}bin/xz rix,
 /{usr/,}bin/zstd rix,
- /{usr/,}bin/ldd rCx -> ldd,
- /{usr/,}sbin/ldconfig rCx -> ldconfig,
- /{usr/,}bin/find rCx -> find,
- /{usr/,}bin/kmod rCx -> kmod,
+ /{usr/,}bin/ldd rCx -> ldd,
+ /{usr/,}lib{32,64}/ld-linux.so.2 rCx -> ldd,
+ /{usr/,}sbin/ldconfig rCx -> ldconfig,
+ /{usr/,}bin/find rCx -> find,
+ /{usr/,}bin/kmod rCx -> kmod,
 /{usr/,}bin/dpkg rPx -> child-dpkg,
 /{usr/,}bin/linux-version rPx,
@@ -103,7 +105,7 @@ profile mkinitramfs @{exec_path} {
 /{usr/,}lib/initramfs-tools/bin/* mr,
 /{usr/,}lib/@{multiarch}/ld-*.so* rix,
- /{usr/,}lib{,x}32/ld-*.so rix,
+ /{usr/,}lib{,x}32/ld-*.so{,.2} rix,
 }
diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs
index 6d460635a..723a7480e 100644
--- a/apparmor.d/profiles-m-r/mount-zfs
+++ b/apparmor.d/profiles-m-r/mount-zfs
@@ -12,6 +12,7 @@ profile mount-zfs @{exec_path} flags=(complain) {
 include
 include
+ capability dac_read_search,
 capability sys_admin, # To mount anything.
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index be940b18b..a7d9750da 100644
--- a/apparmor.d/profiles-m-r/run-parts
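Review bot: `@{user_cache_dirs}/dconf/user rw,` in the fwupdmgr hunk is the only line in that block without `owner`; its neighbours `owner @{user_cache_dirs}/ rw,` and `owner @{user_cache_dirs}/fwupd/ rw,` all carry it, and a dconf user database is per-user state that fwupdmgr has no reason to write for another account, so `owner @{user_cache_dirs}/dconf/user rw,` looks like the intended form. The fwupdmgr profile body continues outside the hunk.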
+++ b/apparmor.d/profiles-m-r/run-parts @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol +# Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only abi , @@ -142,6 +143,7 @@ profile run-parts @{exec_path} { profile kernel { include include + include capability sys_module, @@ -151,7 +153,7 @@ profile run-parts @{exec_path} { /{usr/,}bin/chmod rix, /{usr/,}bin/cut rix, /{usr/,}bin/dirname rix, - /{usr/,}bin/gawk rix, + /{usr/,}bin/{,m,g}awk rix, /{usr/,}bin/kmod rix, /{usr/,}bin/mv rix, /{usr/,}bin/rm rix, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index ed41a2e3c..cc89bfd43 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -37,7 +37,7 @@ profile sudo @{exec_path} { signal (send) peer=unconfined, signal (send) set=(cont,hup) peer=su, - signal (send) set=winch peer=apt, + signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot}, dbus send bus=system path=/org/freedesktop/login[0-9] interface=org.freedesktop.login[0-9].Manager diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index 7482e9ea6..cb36774d0 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}{local/,}{s,}bin/zfs profile zfs @{exec_path} { include + include capability sys_admin, capability dac_read_search, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index d1dcc5acb..a0141ae1a 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd 
@@ -23,7 +23,8 @@ profile zsysd @{exec_path} flags=(complain) {
 @{exec_path} rmix,
 /{usr/,}{local/,}{s,}bin/zfs rPx,
 /{usr/,}{local/,}{s,}bin/zpool rPx,
- /{usr/,}{s,}bin/update-grub rPUx,
+ # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1
+ /{usr/,}{s,}bin/update-grub rPx,
 /etc/hostid r,
 /etc/zsys.conf r,
@@ -35,10 +36,10 @@ profile zsysd @{exec_path} flags=(complain) {
 @{run}/zsys-snapshot.unattended-upgrades rw,
 @{run}/zsysd.sock rw,
- owner @{PROC}/@{pids}/stat r,
- @{PROC}/@{pids}/mounts r,
- @{PROC}/cmdline r,
- @{PROC}/sys/kernel/spl/hostid r,
+ @{PROC}/@{pids}/stat r,
+ @{PROC}/@{pids}/mounts r,
+ @{PROC}/cmdline r,
+ @{PROC}/sys/kernel/spl/hostid r,
 @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
From cf63b97c9b3b58234e35a1c6f20be235a95eedbc Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Sat, 13 Aug 2022 16:38:50 +0200
Subject: [PATCH 13/40] Add avahi
---
 apparmor.d/groups/avahi/avahi-autoipd | 27 ++++++++++++++++
 apparmor.d/groups/avahi/avahi-browse | 32 +++++++++++++++++++
 apparmor.d/groups/avahi/avahi-daemon | 23 ++++++++++++++
 apparmor.d/groups/avahi/avahi-publish | 18 +++++++++++
 apparmor.d/groups/avahi/avahi-resolve | 34 +++++++++++++++++++++
 apparmor.d/groups/avahi/avahi-set-host-name | 18 +++++++++++
 6 files changed, 152 insertions(+)
 create mode 100644 apparmor.d/groups/avahi/avahi-autoipd
 create mode 100644 apparmor.d/groups/avahi/avahi-browse
 create mode 100644 apparmor.d/groups/avahi/avahi-daemon
 create mode 100644 apparmor.d/groups/avahi/avahi-publish
 create mode 100644 apparmor.d/groups/avahi/avahi-resolve
 create mode 100644 apparmor.d/groups/avahi/avahi-set-host-name
diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd
new file mode 100644
index 000000000..2a68007c6
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-autoipd
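Review bot: Dropping `owner` from `@{PROC}/@{pids}/stat r,` in the second zsysd hunk widens that rule from the profile's own processes to the stat entry of every process on the system; the other three lines in the block were already unowned, so the widening is on this one line only. If the denial that prompted it came from a single known process, a narrower pattern (the `@{PROC}/1/...` shape used elsewhere in this series) would be tighter than removing the qualifier; otherwise keep `owner` and match the actual pid. The zsysd profile body continues outside the hunk.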
@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}{s,}bin/avahi-autoipd
+profile avahi-autoipd @{exec_path} flags=(complain) {
+ include
+ include
+
+ network inet dgram,
+ network inet6 dgram,
+ network inet stream,
+ network inet6 stream,
+ network netlink raw,
+
+ signal receive set=kill,term,
+
+ @{exec_path} rm,
+ /etc/avahi/avahi-autoipd.action rix,
+
+ include if exists
+}
+
diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse
new file mode 100644
index 000000000..e46b439b1
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-browse
@@ -0,0 +1,32 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Jeroen Rijken
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = /{usr/,}bin/avahi-browse /{usr/,}bin/avahi-browse-domains
+profile avahi-browse @{exec_path} flags=(complain) {
+ include
+ include
+ include
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.DBus.Peer
+ member=Ping,
+
+ dbus send bus=system path=/
+ interface=org.freedesktop.Avahi.Server
+ member={GetAPIVersion,GetState,ServiceTypeBrowserNew,ServiceBrowserNew},
+
+ dbus receive bus=system path=/Client[0-9]/ServiceTypeBrowser[0-9]
+ interface=org.freedesktop.Avahi.ServiceTypeBrowser
+ member={ItemNew,CacheExhausted,AllForNow},
+
+ @{exec_path} rm,
+
+ /{usr/,}lib/x86_64-linux-gnu/avahi/service-types.db rwk,
+
+ include if exists
+}
diff --git a/apparmor.d/groups/avahi/avahi-daemon b/apparmor.d/groups/avahi/avahi-daemon
new file mode 100644
index 000000000..439377d13
--- /dev/null
+++ b/apparmor.d/groups/avahi/avahi-daemon
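Review bot: `signal receive set=kill,term,` in the new avahi-autoipd profile lists two signals without parentheses; as far as I know the grammar only accepts a bare value for a single signal, and since the rule terminator is also a comma this most likely parses as `set=kill` followed by a stray `term`. The other signal rules in this series use the bracketed form, e.g. `signal (send) set=(cont,hup) peer=su,` in sudo, so `signal receive set=(kill,term),` is the safe spelling. The whole profile is visible in the hunk.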
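Review bot: `/{usr/,}lib/x86_64-linux-gnu/avahi/service-types.db rwk,` in the new avahi-browse profile hard-codes one multiarch triplet, so the rule is dead on every other architecture; the tree already uses `@{multiarch}` for this (see `/{usr/,}lib/@{multiarch}/ld-*.so* rix,` in mkinitramfs), so write `/{usr/,}lib/@{multiarch}/avahi/service-types.db rwk,`. It is also worth confirming that a browsing client really needs write access to a database under /usr/lib; if only read and lock were observed in the denials, `rk` is the tighter set. The whole profile is visible in the hunk.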
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/avahi-daemon +profile avahi-daemon @{exec_path} flags=(complain) { + include + include + + network inet dgram, + network inet6 dgram, + + @{exec_path} rm, + + /etc/avahi/** r, + + include if exists +} + diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish new file mode 100644 index 000000000..16256223b --- /dev/null +++ b/apparmor.d/groups/avahi/avahi-publish @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/avahi-publish /{usr/,}bin/avahi-publish-address /{usr/,}bin/avahi-publish-service +profile avahi-publish @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve new file mode 100644 index 000000000..b4dca2949 --- /dev/null +++ b/apparmor.d/groups/avahi/avahi-resolve 
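Review bot: `@{exec_path} = /{usr/,}bin/avahi-daemon` will not attach on Debian/Ubuntu, where the daemon is installed as /usr/sbin/avahi-daemon; a profile whose attachment path never matches leaves the daemon unconfined with nothing in the log to show it. The sibling avahi-autoipd profile in this commit uses `/{usr/,}{s,}bin/`, so the consistent form is `@{exec_path} = /{usr/,}{s,}bin/avahi-daemon`; verify with `aa-status` after loading that the running daemon is listed under the profile. The rule set is also visibly thin for a privileged network daemon (no capability, dbus or `@{run}/avahi-daemon/` rules), which complain mode will surface once the profile actually attaches.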
@@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/avahi-resolve /{usr/,}bin/avahi-resolve-address /{usr/,}bin/avahi-resolve-host-name +profile avahi-resolve @{exec_path} flags=(complain) { + include + include + include + + dbus send bus=system path=/ + interface=org.freedesktop.DBus.Peer + member=Ping, + + dbus send bus=system path=/ + interface=org.freedesktop.Avahi.Server + member={GetAPIVersion,GetState,AddressResolverNew}, + + dbus send bus=system path=/Client[0-9]/AddressResolver[0-9] + interface=org.freedesktop.Avahi.AddressResolver + member={Free,HostNameResolverNew,}, + + dbus receive bus=system path=/Client[0-9]/AddressResolver[0-9] + interface=org.freedesktop.Avahi.AddressResolver + member={Failure,Found}, + + @{exec_path} rm, + + include if exists +} diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name new file mode 100644 index 000000000..f970b63ca --- /dev/null +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/avahi-set-host-name +profile avahi-set-host-name @{exec_path} flags=(complain) { + include + include + + @{exec_path} rm, + + include if exists +} + From 689f48b217b060b517b8095e5899fd1e0eadf4d8 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 13 Aug 2022 16:48:16 +0200 Subject: [PATCH 14/40] motd fixes --- apparmor.d/groups/ssh/sshd | 1 + apparmor.d/profiles-m-r/run-parts | 2 ++ 2 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index ff37f0cae..01615f949 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd 
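Review bot: In the avahi-resolve profile the rule `member={Free,HostNameResolverNew,}` has a trailing comma inside the braces, which yields an empty alternative, and HostNameResolverNew is a method of `org.freedesktop.Avahi.Server` on path `/`, so under the AddressResolver interface it is presumably never matched. Move it to the server rule, `member={GetAPIVersion,GetState,AddressResolverNew,HostNameResolverNew},`, and leave `member=Free,` on the resolver path. Since `@{exec_path}` also covers avahi-resolve-host-name, a matching receive rule for `/Client[0-9]*/HostNameResolver[0-9]*` on `org.freedesktop.Avahi.HostNameResolver` is likely needed as well; confirm from the audit log before enforcing.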
@@ -83,6 +83,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{run}/sshd{,.init}.pid wl, + @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/resolvconf/resolv.conf r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index a7d9750da..7b2694f35 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -138,6 +138,8 @@ profile run-parts @{exec_path} { /var/lib/update-notifier/updates-available r, + @{run}/motd.d/{,*} r, + } profile kernel { From 7621dc99744ac0f4595df03f6473b86d95a5c7b6 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 13 Aug 2022 16:57:43 +0200 Subject: [PATCH 15/40] Fix typo's --- apparmor.d/groups/avahi/avahi-autoipd | 2 +- apparmor.d/profiles-a-f/boltd | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 4 ---- 3 files changed, 2 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index 2a68007c6..464d89290 100644 --- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -17,7 +17,7 @@ profile avahi-autoipd @{exec_path} flags=(complain) { network inet6 stream, network netlink raw, - signal receive set=kill,term, + signal receive set={kill,term}, @{exec_path} rm, /etc/avahi/avahi-autoipd.action rix, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 3939617a9..5a0123ffd 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -41,7 +41,7 @@ profile boltd @{exec_path} flags=(attach_disconnected) { owner @{run}/boltd/{,**} rw, - @{run}/systemd/notify + @{run}/systemd/notify rw, @{run}/systemd/journal/socket w, @{run}/udev/data/+thunderbolt:* r, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index e5f5e4724..54e3f66e3 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr 
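Review bot: In the boltd hunk the repaired rule grants `@{run}/systemd/notify rw,`, but sd_notify() only sends datagrams to that socket, so `@{run}/systemd/notify w,` is sufficient and matches the write-only form used for the journal socket on the next line. The rule previously had no permission set at all, so the typo fix is welcome; just tighten the mode while touching it. The `@{run}/motd.d/{,*} r,` additions to sshd and run-parts in commit 14 look fine as read-only rules.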
@@ -21,10 +21,6 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { signal (send), - -ALLOWED fwupdmgr dbus_method_call org.freedesktop.fwupd send bus=system path=/ interface=org.freedesktop.fwupd member=UpdateMetadata peer_label=unconfined - - network inet stream, network inet6 stream, network inet dgram, From 20f7e01ccc544a6a5ddc94a888852e926c4f06d3 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 13 Aug 2022 17:02:28 +0200 Subject: [PATCH 16/40] Brackets --- apparmor.d/groups/avahi/avahi-autoipd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index 464d89290..e1c676da9 100644 --- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -17,7 +17,7 @@ profile avahi-autoipd @{exec_path} flags=(complain) { network inet6 stream, network netlink raw, - signal receive set={kill,term}, + signal receive set=(kill,term), @{exec_path} rm, /etc/avahi/avahi-autoipd.action rix, From e62465b72f3b67a9de21b957ed887f3b4fc79548 Mon Sep 17 00:00:00 2001 From: Jeroen Date: Sat, 13 Aug 2022 20:53:14 +0200 Subject: [PATCH 17/40] Use multiarch for lib Co-authored-by: Alex --- apparmor.d/groups/avahi/avahi-browse | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index e46b439b1..f50c2d39c 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -26,7 +26,7 @@ profile avahi-browse @{exec_path} flags=(complain) { @{exec_path} rm, - /{usr/,}lib/x86_64-linux-gnu/avahi/service-types.db rwk, + /{usr/,}lib/@{multiarch}/avahi/service-types.db rwk, include if exists } From af0c622b35c03dfc40716a60ec075fc12b04376a Mon Sep 17 00:00:00 2001 
From: Jeroen Rijken Date: Sat, 13 Aug 2022 21:02:42 +0200 Subject: [PATCH 18/40] Replace rm with mr. --- apparmor.d/abstractions/lightdm | 14 ++++---- .../usr.lib.libreoffice.program.soffice.bin | 8 ++--- apparmor.d/groups/avahi/avahi-autoipd | 2 +- apparmor.d/groups/avahi/avahi-browse | 2 +- apparmor.d/groups/avahi/avahi-daemon | 2 +- apparmor.d/groups/avahi/avahi-publish | 2 +- apparmor.d/groups/avahi/avahi-resolve | 2 +- apparmor.d/groups/avahi/avahi-set-host-name | 2 +- .../groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/grub/grub-editenv | 2 +- apparmor.d/groups/grub/grub-file | 2 +- apparmor.d/groups/grub/grub-fstest | 2 +- apparmor.d/groups/grub/grub-glue-efi | 2 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-kbdcomp | 2 +- apparmor.d/groups/grub/grub-macbless | 2 +- apparmor.d/groups/grub/grub-menulst2cfg | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-mkdevicemap | 2 +- apparmor.d/groups/grub/grub-mkfont | 2 +- apparmor.d/groups/grub/grub-mkimage | 2 +- apparmor.d/groups/grub/grub-mklayout | 2 +- apparmor.d/groups/grub/grub-mknetdir | 2 +- apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 | 2 +- apparmor.d/groups/grub/grub-mkrelpath | 2 +- apparmor.d/groups/grub/grub-mkrescue | 2 +- apparmor.d/groups/grub/grub-mkstandalone | 2 +- apparmor.d/groups/grub/grub-mount | 2 +- apparmor.d/groups/grub/grub-ntldr-img | 2 +- apparmor.d/groups/grub/grub-probe | 2 +- apparmor.d/groups/grub/grub-reboot | 2 +- apparmor.d/groups/grub/grub-render-label | 2 +- apparmor.d/groups/grub/grub-script-check | 2 +- apparmor.d/groups/grub/grub-set-default | 2 +- apparmor.d/groups/grub/grub-syslinux2cfg | 2 +- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/pacman/mkinitcpio | 8 ++--- apparmor.d/groups/ubuntu/update-grub | 2 +- apparmor.d/profiles-a-f/anyremote | 2 +- apparmor.d/profiles-m-r/man | 32 +++++++++---------- apparmor.d/profiles-s-z/sanoid | 2 +- 
apparmor.d/profiles-s-z/syncoid | 2 +- apparmor.d/profiles-s-z/zpool | 2 +- .../profiles-s-z/zsys-system-autosnapshot | 2 +- 45 files changed, 72 insertions(+), 72 deletions(-) diff --git a/apparmor.d/abstractions/lightdm b/apparmor.d/abstractions/lightdm index e9fe5ec3d..984aea2f4 100644 --- a/apparmor.d/abstractions/lightdm +++ b/apparmor.d/abstractions/lightdm @@ -46,15 +46,15 @@ /opt/ r, /opt/** rmixk, @{PROC}/ r, - @{PROC}/* rm, + @{PROC}/* mr, @{PROC}/[0-9]*/net/ r, @{PROC}/[0-9]*/net/dev r, - @{PROC}/asound rm, - @{PROC}/asound/** rm, - @{PROC}/ati rm, - @{PROC}/ati/** rm, + @{PROC}/asound mr, + @{PROC}/asound/** mr, + @{PROC}/ati mr, + @{PROC}/ati/** mr, @{PROC}/sys/vm/overcommit_memory r, - owner @{PROC}/** rm, + owner @{PROC}/** mr, # needed for gnome-keyring-daemon @{PROC}/*/status r, # needed for bamfdaemon and utilities such as ps and killall @@ -62,7 +62,7 @@ /sbin/ r, /sbin/** rmixk, /sys/ r, - /sys/** rm, + /sys/** mr, # needed for confined trusted helpers, such as dbus-daemon /sys/kernel/security/apparmor/.access rw, /tmp/ rw, diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin index fe753558b..985c43558 100644 --- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin +++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin @@ -217,9 +217,9 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp profile gpg { #include - /usr/bin/gpgconf rm, - /usr/bin/gpg rm, - /usr/bin/gpgsm rm, + /usr/bin/gpgconf mr, + /usr/bin/gpg mr, + /usr/bin/gpgsm mr, owner @{HOME}/@{XDG_GPG_DIR}/* r, owner @{HOME}/@{XDG_GPG_DIR}/random_seed rk, 
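Review bot: The lightdm abstraction hunks end up with `@{PROC}/* mr,`, `owner @{PROC}/** mr,` and `/sys/** mr,`; the `m` bit permits mmap(PROT_EXEC) of the matched file, which a consumer of /proc or /sys should not normally need, so the rewrite is a good moment to ask whether plain `r` would do on these three paths. The commit itself only reorders the permission letters, which AppArmor treats as a set, so behaviour is unchanged; I would only narrow the mode if the audit log shows no `m` requests against these paths.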
@@ -231,7 +231,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp owner @{user_config_dirs}/kdeglobals r, /usr/lib/libreoffice/program/lo_kde5filepicker rPUx, /usr/share/qt5/translations/* r, - /usr/lib/*/qt5/plugins/** rm, + /usr/lib/*/qt5/plugins/** mr, /usr/share/plasma/look-and-feel/**/contents/defaults r, # TODO: remove when rules are available in abstractions/kde diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index e1c676da9..ddb4a1f5a 100644 --- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -19,7 +19,7 @@ profile avahi-autoipd @{exec_path} flags=(complain) { signal receive set=(kill,term), - @{exec_path} rm, + @{exec_path} mr, /etc/avahi/avahi-autoipd.action rix, include if exists diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index f50c2d39c..837961c3b 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -24,7 +24,7 @@ profile avahi-browse @{exec_path} flags=(complain) { interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,CacheExhausted,AllForNow}, - @{exec_path} rm, + @{exec_path} mr, /{usr/,}lib/@{multiarch}/avahi/service-types.db rwk, diff --git a/apparmor.d/groups/avahi/avahi-daemon b/apparmor.d/groups/avahi/avahi-daemon index 439377d13..5a972463e 100644 --- a/apparmor.d/groups/avahi/avahi-daemon +++ b/apparmor.d/groups/avahi/avahi-daemon @@ -14,7 +14,7 @@ profile avahi-daemon @{exec_path} flags=(complain) { network inet dgram, network inet6 dgram, - @{exec_path} rm, + @{exec_path} mr, /etc/avahi/** r, diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish index 16256223b..5895d6a8f 100644 --- a/apparmor.d/groups/avahi/avahi-publish +++ b/apparmor.d/groups/avahi/avahi-publish 
@@ -11,7 +11,7 @@ profile avahi-publish @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index b4dca2949..fe279ac7e 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -28,7 +28,7 @@ profile avahi-resolve @{exec_path} flags=(complain) { interface=org.freedesktop.Avahi.AddressResolver member={Failure,Found}, - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index f970b63ca..ead18ed2e 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -11,7 +11,7 @@ profile avahi-set-host-name @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index ca2b2c3ad..ade99e795 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -36,7 +36,7 @@ profile xdg-document-portal @{exec_path} { profile flatpak { include - /{usr/,}bin/flatpak rm, + /{usr/,}bin/flatpak mr, / r, /etc/flatpak/remotes.d/{,*} r, diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup index d6961bf9c..2abd381b8 100644 --- a/apparmor.d/groups/grub/grub-bios-setup +++ b/apparmor.d/groups/grub/grub-bios-setup @@ -11,7 +11,7 @@ profile grub-bios-setup @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv index 68dcf3fb0..042887e3d 100644 --- a/apparmor.d/groups/grub/grub-editenv +++ b/apparmor.d/groups/grub/grub-editenv 
@@ -11,7 +11,7 @@ profile grub-editenv @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, /boot/grub/grubenv rw, diff --git a/apparmor.d/groups/grub/grub-file b/apparmor.d/groups/grub/grub-file index 9ddea365b..ccf58d6c4 100644 --- a/apparmor.d/groups/grub/grub-file +++ b/apparmor.d/groups/grub/grub-file @@ -11,7 +11,7 @@ profile grub-file @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-fstest b/apparmor.d/groups/grub/grub-fstest index 6258b4e44..caf64ee2c 100644 --- a/apparmor.d/groups/grub/grub-fstest +++ b/apparmor.d/groups/grub/grub-fstest @@ -11,7 +11,7 @@ profile grub-fstest @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-glue-efi b/apparmor.d/groups/grub/grub-glue-efi index db59cefcd..aeb59a8df 100644 --- a/apparmor.d/groups/grub/grub-glue-efi +++ b/apparmor.d/groups/grub/grub-glue-efi @@ -11,7 +11,7 @@ profile grub-glue-efi @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install index 152ea426b..cca0605c2 100644 --- a/apparmor.d/groups/grub/grub-install +++ b/apparmor.d/groups/grub/grub-install @@ -11,7 +11,7 @@ profile grub-install @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-kbdcomp b/apparmor.d/groups/grub/grub-kbdcomp index 2760bd0a9..fce678809 100644 --- a/apparmor.d/groups/grub/grub-kbdcomp +++ b/apparmor.d/groups/grub/grub-kbdcomp @@ -11,7 +11,7 @@ profile grub-kbdcomp @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } 
diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless index 24e269233..49f08fd1e 100644 --- a/apparmor.d/groups/grub/grub-macbless +++ b/apparmor.d/groups/grub/grub-macbless @@ -11,7 +11,7 @@ profile grub-macbless @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-menulst2cfg b/apparmor.d/groups/grub/grub-menulst2cfg index 7a5f063fe..b2f5ca590 100644 --- a/apparmor.d/groups/grub/grub-menulst2cfg +++ b/apparmor.d/groups/grub/grub-menulst2cfg @@ -11,7 +11,7 @@ profile grub-menulst2cfg @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig index aeae916eb..3341b30c6 100644 --- a/apparmor.d/groups/grub/grub-mkconfig +++ b/apparmor.d/groups/grub/grub-mkconfig @@ -13,7 +13,7 @@ profile grub-mkconfig @{exec_path} flags=(complain) { capability dac_read_search, - @{exec_path} rm, + @{exec_path} mr, /etc/grub.d/{**,} rix, /{usr/,}bin/{m,g,}awk rix, /{usr/,}bin/basename rix, diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap index 835093bfd..306173901 100644 --- a/apparmor.d/groups/grub/grub-mkdevicemap +++ b/apparmor.d/groups/grub/grub-mkdevicemap @@ -11,7 +11,7 @@ profile grub-mkdevicemap @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-mkfont b/apparmor.d/groups/grub/grub-mkfont index fe5d5c4fa..a0ace1a2a 100644 --- a/apparmor.d/groups/grub/grub-mkfont +++ b/apparmor.d/groups/grub/grub-mkfont @@ -11,7 +11,7 @@ profile grub-mkfont @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-mkimage b/apparmor.d/groups/grub/grub-mkimage index bd4729cfb..2b6212a0a 100644 
--- a/apparmor.d/groups/grub/grub-mkimage +++ b/apparmor.d/groups/grub/grub-mkimage @@ -11,7 +11,7 @@ profile grub-mkimage @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-mklayout b/apparmor.d/groups/grub/grub-mklayout index d01086f59..b9a514b72 100644 --- a/apparmor.d/groups/grub/grub-mklayout +++ b/apparmor.d/groups/grub/grub-mklayout @@ -11,7 +11,7 @@ profile grub-mklayout @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-mknetdir b/apparmor.d/groups/grub/grub-mknetdir index ea85f204f..4f37e31a0 100644 --- a/apparmor.d/groups/grub/grub-mknetdir +++ b/apparmor.d/groups/grub/grub-mknetdir @@ -11,7 +11,7 @@ profile grub-mknetdir @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 index 33ccfa78e..ef9e5c6da 100644 --- a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 +++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 @@ -11,7 +11,7 @@ profile grub-mkpasswd-pbkdf2 @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath index 794313a3d..76e7c0a3f 100644 --- a/apparmor.d/groups/grub/grub-mkrelpath +++ b/apparmor.d/groups/grub/grub-mkrelpath @@ -11,7 +11,7 @@ profile grub-mkrelpath @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, /{usr/,}{local/,}{s,}bin/zpool rPx, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/grub/grub-mkrescue b/apparmor.d/groups/grub/grub-mkrescue index 252c1df4d..9948ac15f 100644 --- a/apparmor.d/groups/grub/grub-mkrescue +++ b/apparmor.d/groups/grub/grub-mkrescue 
@@ -11,7 +11,7 @@ profile grub-mkrescue @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-mkstandalone b/apparmor.d/groups/grub/grub-mkstandalone index b2be219c0..90e3a4c46 100644 --- a/apparmor.d/groups/grub/grub-mkstandalone +++ b/apparmor.d/groups/grub/grub-mkstandalone @@ -11,7 +11,7 @@ profile grub-mkstandalone @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount index 6ea7afefa..b855d7e45 100644 --- a/apparmor.d/groups/grub/grub-mount +++ b/apparmor.d/groups/grub/grub-mount @@ -11,7 +11,7 @@ profile grub-mount @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-ntldr-img b/apparmor.d/groups/grub/grub-ntldr-img index 766c505d1..6b8c10722 100644 --- a/apparmor.d/groups/grub/grub-ntldr-img +++ b/apparmor.d/groups/grub/grub-ntldr-img @@ -11,7 +11,7 @@ profile grub-ntldr-img @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe index 64ad23e21..416d25e1c 100644 --- a/apparmor.d/groups/grub/grub-probe +++ b/apparmor.d/groups/grub/grub-probe @@ -14,7 +14,7 @@ profile grub-probe @{exec_path} flags=(complain) { capability sys_admin, - @{exec_path} rm, + @{exec_path} mr, /{usr/,}bin/lsb_release rPx -> lsb_release, /{usr/,}bin/udevadm rPx, /{usr/,}{local/,}{s,}bin/zpool rPx, diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot index 229aea9a2..f16643fff 100644 --- a/apparmor.d/groups/grub/grub-reboot +++ b/apparmor.d/groups/grub/grub-reboot @@ -11,7 +11,7 @@ profile grub-reboot @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } 
diff --git a/apparmor.d/groups/grub/grub-render-label b/apparmor.d/groups/grub/grub-render-label index 3a0d5034b..8749c265c 100644 --- a/apparmor.d/groups/grub/grub-render-label +++ b/apparmor.d/groups/grub/grub-render-label @@ -11,7 +11,7 @@ profile grub-render-label @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check index a02d27fc2..643797e1a 100644 --- a/apparmor.d/groups/grub/grub-script-check +++ b/apparmor.d/groups/grub/grub-script-check @@ -11,7 +11,7 @@ profile grub-script-check @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, /boot/grub/grub.cfg{.new,} rw, diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default index 531beda94..fe8201d6c 100644 --- a/apparmor.d/groups/grub/grub-set-default +++ b/apparmor.d/groups/grub/grub-set-default @@ -11,7 +11,7 @@ profile grub-set-default @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/grub/grub-syslinux2cfg b/apparmor.d/groups/grub/grub-syslinux2cfg index bbbc94a7e..487e61680 100644 --- a/apparmor.d/groups/grub/grub-syslinux2cfg +++ b/apparmor.d/groups/grub/grub-syslinux2cfg @@ -11,7 +11,7 @@ profile grub-syslinux2cfg @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, include if exists } diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index a92254959..fb6d2b895 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -33,7 +33,7 @@ profile mullvad-gui @{exec_path} { @{exec_path} mrix, - "/opt/Mullvad VPN/*.so*" rm, + "/opt/Mullvad VPN/*.so*" mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/gsettings rix, 
diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 45758f40c..acb81dbc0 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -77,10 +77,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Can copy any program to the initframs /{usr/,}bin/ r, - /{usr/,}bin/[a-z0-9]* rm, - /{usr/,}lib/plymouth/plymouthd-* rm, - /{usr/,}lib/systemd/systemd-* rm, - /{usr/,}lib/udev/[a-z0-9]* rm, + /{usr/,}bin/[a-z0-9]* mr, + /{usr/,}lib/plymouth/plymouthd-* mr, + /{usr/,}lib/systemd/systemd-* mr, + /{usr/,}lib/udev/[a-z0-9]* mr, # Manage /boot / r, diff --git a/apparmor.d/groups/ubuntu/update-grub b/apparmor.d/groups/ubuntu/update-grub index e9d5d335c..a59d80b9c 100644 --- a/apparmor.d/groups/ubuntu/update-grub +++ b/apparmor.d/groups/ubuntu/update-grub @@ -11,7 +11,7 @@ profile update-grub @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}{s,}bin/grub-mkconfig rPx, diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote index 27e1945a7..76f648ede 100644 --- a/apparmor.d/profiles-a-f/anyremote +++ b/apparmor.d/profiles-a-f/anyremote @@ -18,7 +18,7 @@ profile anyremote @{exec_path} { network inet stream, network inet6 stream, - @{exec_path} rm, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man index e32ab8c76..392735390 100644 --- a/apparmor.d/profiles-m-r/man +++ b/apparmor.d/profiles-m-r/man 
@@ -58,14 +58,14 @@ profile man_groff { signal peer=man, - /{usr/,}bin/eqn rm, - /{usr/,}bin/grap rm, - /{usr/,}bin/pic rm, - /{usr/,}bin/preconv rm, - /{usr/,}bin/refer rm, - /{usr/,}bin/tbl rm, - /{usr/,}bin/troff rm, - /{usr/,}bin/vgrind rm, + /{usr/,}bin/eqn mr, + /{usr/,}bin/grap mr, + /{usr/,}bin/pic mr, + /{usr/,}bin/preconv mr, + /{usr/,}bin/refer mr, + /{usr/,}bin/tbl mr, + /{usr/,}bin/troff mr, + /{usr/,}bin/vgrind mr, /{usr/,}lib/groff/site-tmac/** r, /usr/share/groff/** r, @@ -83,14 +83,14 @@ profile man_filter { signal peer=man, - /{usr/,}bin/bzip2 rm, - /{usr/,}bin/gzip rm, - /{usr/,}bin/col rm, - /{usr/,}bin/compress rm, - /{usr/,}bin/iconv rm, - /{usr/,}bin/lzip.lzip rm, - /{usr/,}bin/tr rm, - /{usr/,}bin/xz rm, + /{usr/,}bin/bzip2 mr, + /{usr/,}bin/gzip mr, + /{usr/,}bin/col mr, + /{usr/,}bin/compress mr, + /{usr/,}bin/iconv mr, + /{usr/,}bin/lzip.lzip mr, + /{usr/,}bin/tr mr, + /{usr/,}bin/xz mr, # Manual pages can be more or less anywhere, especially with "man -l", and # there's no harm in allowing wide read access here since the worst it can diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index 8f4e7bbcf..8e5f2167f 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -11,7 +11,7 @@ profile sanoid @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/perl rix, /{usr/,}bin/ps rPx, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index 0ca3f8446..4cc4f0d97 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -12,7 +12,7 @@ profile syncoid @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, /{usr/,}bin/grep rix, /{usr/,}bin/mbuffer rix, /{usr/,}bin/perl rix, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 6d9c960b8..845d4c1f6 100644 --- a/apparmor.d/profiles-s-z/zpool 
+++ b/apparmor.d/profiles-s-z/zpool @@ -14,7 +14,7 @@ profile zpool @{exec_path} { capability sys_admin, - @{exec_path} rm, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}{local/,}lib/zfs-linux/zpool.d/* rix, diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot index 428777fb7..d4d227408 100644 --- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot +++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot @@ -11,7 +11,7 @@ profile zsys-system-autosnapshot @{exec_path} flags=(complain) { include include - @{exec_path} rm, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, /{usr/,}bin/cp rix, From 75a66e573ef31c24c99b9194dc63db3b90b46559 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sat, 13 Aug 2022 21:04:38 +0200 Subject: [PATCH 19/40] Use openssl abstraction --- apparmor.d/profiles-a-f/dkms | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 1bbba64bf..c4ad09191 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -107,12 +107,10 @@ profile dkms @{exec_path} flags=(attach_disconnected) { profile kmod { include include + include /{usr/,}bin/kmod mr, - /etc/depmod.d/{,ubuntu.conf} r, - /etc/ssl/openssl.cnf r, - @{PROC}/cmdline r, /{usr/,}lib/modules/*/modules.* rw, From 5c6bf4c91b4519188c96eb9a24f1cf58b528fc9d Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 14 Aug 2022 10:38:18 +0200 Subject: [PATCH 20/40] Remove duplicate consoles --- apparmor.d/groups/freedesktop/xdg-open | 1 - apparmor.d/groups/pacman/pacman-key | 1 - 2 files changed, 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 38346fb1f..a1030197b 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open 
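Review bot: The kmod subprofile hunk in commit 19 removes `/etc/depmod.d/{,ubuntu.conf} r,` and `@{PROC}/cmdline r,` together with `/etc/ssl/openssl.cnf r,`, but the commit message only speaks of the openssl abstraction, which accounts for the third rule and not the first two (the include target is stripped in this rendering, so I cannot see what it pulls in). Unless the added include is broader than `abstractions/openssl`, depmod's configuration and the kernel command line will be denied once dkms leaves complain mode; keep those two rules, or name the abstraction that now covers them in the message.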
@@ -10,7 +10,6 @@ include profile xdg-open @{exec_path} flags=(attach_disconnected) { include include - include include @{exec_path} r, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index c13fdf13a..7cc79722b 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -10,7 +10,6 @@ include profile pacman-key @{exec_path} { include include - include capability dac_read_search, capability mknod, From f5634b280303fbcce0d1ce415d6b945f525c22b3 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 14 Aug 2022 10:41:14 +0200 Subject: [PATCH 21/40] Move update-grub to grub --- apparmor.d/groups/{ubuntu => grub}/update-grub | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename apparmor.d/groups/{ubuntu => grub}/update-grub (100%) diff --git a/apparmor.d/groups/ubuntu/update-grub b/apparmor.d/groups/grub/update-grub similarity index 100% rename from apparmor.d/groups/ubuntu/update-grub rename to apparmor.d/groups/grub/update-grub From 3c634e8967da1b0bf39984cdbe7423ef3334d6cc Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 17 Aug 2022 17:27:06 +0200 Subject: [PATCH 22/40] Create sanoid under run --- apparmor.d/profiles-s-z/sanoid | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index 8e5f2167f..949c9ebe7 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -23,6 +23,7 @@ profile sanoid @{exec_path} flags=(complain) { /usr/share/sanoid/{**,} r, + @{run}/sanoid/ rw, @{run}/sanoid/sanoid_cacheupdate.lock rwk, @{run}/sanoid/sanoid_pruning.lock rwk, From e64011c4dece4cf1a003bd02569d25d9dfbc7564 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Fri, 19 Aug 2022 10:31:10 +0200 Subject: [PATCH 23/40] zed temp file --- apparmor.d/profiles-s-z/zed | 4 ++++ apparmor.d/profiles-s-z/zpool | 2 ++ 2 files changed, 6 insertions(+) 
diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index a37053b93..8994f68d6 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -22,9 +22,11 @@ profile zed @{exec_path} { /{usr/,}bin/expr rix, /{usr/,}bin/flock rix, /{usr/,}bin/grep rix, + /{usr/,}bin/hostname rix, /{usr/,}bin/ls rix, /{usr/,}bin/logger rix, /{usr/,}bin/mawk rix, + /{usr/,}bin/mktemp rix, /{usr/,}bin/rm rix, /{usr/,}bin/realpath rix, /{usr/,}bin/sort rix, @@ -39,6 +41,8 @@ profile zed @{exec_path} { @{run}/zed.state rwkl, @{run}/zfs-list.cache@* rw, + owner /tmp/tmp.* rw, + @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/[0-9]*/address r, diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 845d4c1f6..59a1e2692 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -26,6 +26,8 @@ profile zpool @{exec_path} { @{run}/blkid/blkid.tab.old rwl, @{run}/blkid/blkid.tab-* rwl, + /tmp/tmp.* rw, + @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/[0-9]*/address r, From c680dfe7db190ac1f3fc099a6ffb63e57892eaa7 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Fri, 19 Aug 2022 10:31:23 +0200 Subject: [PATCH 24/40] sort rules --- apparmor.d/groups/virt/k3s | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 38fef08b3..a370a5121 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s 
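Review bot: The zpool hunk adds `/tmp/tmp.* rw,` without `owner`, while the zed hunk in the same commit uses `owner /tmp/tmp.* rw,`; /tmp is shared and world-writable, so the unqualified rule lets the confined process open any other user's mktemp files, which is exactly the race surface the owner qualifier is meant to close. Use the same form in zpool: `owner /tmp/tmp.* rw,`. The new `mktemp rix` and `hostname rix` rules in zed are consistent with the temp-file use the message describes.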
@@ -110,16 +110,11 @@ profile k3s @{exec_path} { owner @{PROC}/@{pids}/oom_score_adj rw, owner @{PROC}/@{pids}/stat r, owner @{PROC}/@{pids}/uid_map r, - + @{PROC}/diskstats r, @{PROC}/loadavg r, @{PROC}/modules r, @{PROC}/sys/fs/pipe-max-size r, - @{PROC}/sys/net/core/somaxconn r, - @{PROC}/sys/net/ipv{4,6}/conf/all/* rw, - @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, - @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, - @{PROC}/sys/net/netfilter/* rw, @{PROC}/sys/kernel/keys/* r, @{PROC}/sys/kernel/panic rw, @{PROC}/sys/kernel/panic_on_oom rw, @@ -127,11 +122,16 @@ profile k3s @{exec_path} { @{PROC}/sys/kernel/pid_max r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/kernel/threads-max r, + @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/net/ipv{4,6}/conf/all/* rw, + @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, + @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, + @{PROC}/sys/net/netfilter/* rw, @{PROC}/sys/vm/overcommit_memory rw, @{PROC}/sys/vm/panic_on_oom r, @{sys}/class/net/ r, - + @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r, @{sys}/devices/system/edac/mc/ r, @{sys}/devices/system/cpu/ r, @@ -139,14 +139,15 @@ profile k3s @{exec_path} { @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, @{sys}/devices/system/cpu/present{,/} r, - - @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, - @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node[0-9]*/ r, @{sys}/devices/system/node/node[0-9]*/{cpumap,distance,meminfo} r, @{sys}/devices/system/node/node[0-9]*/hugepages/{,**} r, + + @{sys}/devices/virtual/block/*/** r, @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r, + @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r, @{sys}/fs/cgroup/{,*,*/} r, @{sys}/fs/cgroup/cgroup.subtree_control rw, 
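Review bot: The third hunk introduces a new permission, `@{sys}/devices/virtual/block/*/** r,`, inside a commit titled "sort rules" whose other changes only move existing lines; a rule that widens what k3s may read should land in its own commit, or at least be named in the message, so it can be reviewed on its own. The pattern `*/**` also does not match the per-device directory itself; the udisksd change later in this series ("Add missing brackets") corrects the same path to `*/{,**}`, so if k3s lists those directories the rule should read `@{sys}/devices/virtual/block/*/{,**} r,`. The k3s profile continues outside these hunks.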
From be2a66afff3607979857fe852f2c33971dfc5513 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Fri, 19 Aug 2022 10:31:57 +0200 Subject: [PATCH 25/40] read all block devices --- apparmor.d/profiles-s-z/udisksd | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 552227bc9..e5776e7b8 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -50,7 +50,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.PolicyKit[0-9].Authority member=CheckAuthorization, - dbus bind bus=system + dbus bind bus=system name=org.freedesktop.UDisks2, @{exec_path} mr, @@ -130,8 +130,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w, - @{sys}/devices/virtual/block/dm-[0-9]*/ w, - @{sys}/devices/virtual/block/dm-[0-9]*/** w, + @{sys}/devices/virtual/block/*/** r, @{sys}/devices/virtual/block/loop[0-9]*/uevent rw, # For powering off USB devices From d538d2a718b46ac2405a2f2338d5a4bdd16428f2 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Fri, 19 Aug 2022 11:55:39 +0200 Subject: [PATCH 26/40] Add write to block --- apparmor.d/profiles-s-z/udisksd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index e5776e7b8..d2224522f 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -130,7 +130,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w, - @{sys}/devices/virtual/block/*/** r, + @{sys}/devices/virtual/block/*/** rw, @{sys}/devices/virtual/block/loop[0-9]*/uevent rw, # For powering off USB devices From 35087ea4bb79524eda9fe10fb1ad8dbeafc22b7f Mon Sep 17 00:00:00 2001 
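Review bot: Changing `@{sys}/devices/virtual/block/*/** r,` to `rw` in the "Add write to block" hunk grants udisksd write access to every attribute under every virtual block device (loop, md, zram, dm-*), whereas before the preceding commit ("read all block devices") write was limited to `dm-[0-9]*`; neither commit message says which non-dm attributes needed writing. If write is only required for device-mapper, keep read broad and write narrow: `@{sys}/devices/virtual/block/*/{,**} r,` and `@{sys}/devices/virtual/block/dm-[0-9]*/{,**} w,`. The same rule is touched again in the next commit ("Add missing brackets"), which only adds the `{,**}` form; the three commits would read better squashed into one with the final rule and a one-line reason for the wider scope.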
From: Jeroen Rijken Date: Fri, 19 Aug 2022 11:58:52 +0200 Subject: [PATCH 27/40] Add missing brackets --- apparmor.d/profiles-s-z/udisksd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index d2224522f..fd5e41692 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -130,7 +130,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w, - @{sys}/devices/virtual/block/*/** rw, + @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop[0-9]*/uevent rw, # For powering off USB devices From af603fbc62efcfbd7d1cd116df101c59a0fe3100 Mon Sep 17 00:00:00 2001 
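Review bot: With `@{sys}/devices/virtual/block/*/{,**} rw,` in place, the context line that follows it, `@{sys}/devices/virtual/block/loop[0-9]*/uevent rw,`, is entirely covered by the new glob and no longer adds anything; either drop it or narrow the broad rule so the specific loop rule keeps its meaning. Leaving both invites a reader to assume the loop rule is the only write grant on virtual block devices, which is no longer true.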
From: Jeroen Rijken Date: Fri, 19 Aug 2022 20:05:15 +0200 Subject: [PATCH 28/40] Revert "tty and pts are part of abstractions/consoles" This reverts commit 51a33f3f5e536b3d5c45e434e76339db3495e9cd. --- .../groups/apps/usr.lib.libreoffice.program.soffice.bin | 3 ++- apparmor.d/groups/apt/apt-mark | 3 ++- apparmor.d/groups/bus/dbus-run-session | 4 +++- apparmor.d/groups/freedesktop/fc-cache | 1 - apparmor.d/groups/freedesktop/plymouth | 1 - apparmor.d/groups/freedesktop/xdg-mime | 2 +- apparmor.d/groups/freedesktop/xdg-open | 1 + apparmor.d/groups/freedesktop/xkbcomp | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/freedesktop/xwayland | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gdm-xsession | 1 + apparmor.d/groups/gnome/gjs-console | 2 +- apparmor.d/groups/gnome/gnome-extensions-app | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/network/nm-openvpn-service | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/pacman/archlinux-java | 2 +- apparmor.d/groups/pacman/paccache | 2 +- apparmor.d/groups/pacman/pacdiff | 2 +- apparmor.d/groups/pacman/pacman-hook-dconf | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 2 +- apparmor.d/groups/pacman/pacman-hook-dkms | 2 +- apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 +- apparmor.d/groups/pacman/pacman-hook-gio | 2 +- apparmor.d/groups/pacman/pacman-hook-gtk | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove | 2 +- apparmor.d/groups/pacman/pacman-hook-perl | 2 +- apparmor.d/groups/pacman/pacman-hook-systemd | 2 +- apparmor.d/groups/pacman/pacman-key | 1 + apparmor.d/groups/systemd/systemd-analyze | 4 +++- apparmor.d/groups/systemd/systemd-environment-d-generator | 2 +- apparmor.d/groups/systemd/systemd-sleep | 2 +- 
apparmor.d/groups/virt/k3s | 2 +- apparmor.d/profiles-a-f/acpid | 2 +- apparmor.d/profiles-a-f/apparmor.systemd | 2 +- apparmor.d/profiles-a-f/askpass | 2 +- apparmor.d/profiles-a-f/augenrules | 2 +- apparmor.d/profiles-a-f/aurpublish | 2 +- apparmor.d/profiles-a-f/blueman | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/firecfg | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-g-l/install-info | 3 ++- apparmor.d/profiles-m-r/mount-zfs | 3 ++- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 2 +- apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-m-r/pkttyagent | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- apparmor.d/profiles-s-z/start-pulseaudio-x11 | 2 +- apparmor.d/profiles-s-z/udisksctl | 2 +- apparmor.d/profiles-s-z/update-ca-trust | 2 +- apparmor.d/profiles-s-z/wl-copy | 2 +- apparmor.d/profiles-s-z/zpool | 2 +- apparmor.d/profiles-s-z/zsysd | 2 +- 59 files changed, 65 insertions(+), 56 deletions(-) diff --git a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin index 985c43558..e57eca1ad 100644 --- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin +++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin @@ -81,7 +81,6 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp #include #include - #include #include #include #include @@ -152,6 +151,8 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp /usr/bin/kgpg rix, /usr/bin/kleopatra rix, + /dev/tty rw, + /usr/lib{,32,64}/@{multiarch}/gstreamer???/gstreamer-???/gst-plugin-scanner rmPUx, owner @{user_cache_dirs}/gstreamer-???/** rw, unix peer=(addr=@/tmp/.ICE-unix/* label=unconfined), #Gstreamer doesn't work without this diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index 79e3285aa..5fd241299 100644 --- a/apparmor.d/groups/apt/apt-mark 
+++ b/apparmor.d/groups/apt/apt-mark @@ -10,7 +10,6 @@ include @{exec_path} = /{usr/,}bin/apt-mark profile apt-mark @{exec_path} { include - include include @{exec_path} mr, @@ -26,5 +25,7 @@ profile apt-mark @{exec_path} { /var/cache/apt/ r, /var/cache/apt/** rwk, + /dev/pts/[0-9]* rw, + include if exists } diff --git a/apparmor.d/groups/bus/dbus-run-session b/apparmor.d/groups/bus/dbus-run-session index 49d79c73c..4becf5e7e 100644 --- a/apparmor.d/groups/bus/dbus-run-session +++ b/apparmor.d/groups/bus/dbus-run-session @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/dbus-run-session profile dbus-run-session @{exec_path} { include - include include signal (receive) set=(term, kill, hup) peer=gdm*, @@ -32,6 +31,9 @@ profile dbus-run-session @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + # file_inherit + /dev/tty rw, + /dev/tty[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index f0fb0c235..9736bc759 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -10,7 +10,6 @@ include @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*} profile fc-cache @{exec_path} { include - include include include diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth index 059df5a33..674732276 100644 --- a/apparmor.d/groups/freedesktop/plymouth +++ b/apparmor.d/groups/freedesktop/plymouth @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/plymouth profile plymouth @{exec_path} { include - include unix (send, receive, connect) type=stream peer=(addr="@/org/freedesktop/plymouthd"), diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 1cf27d71f..bbc1eee60 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime 
@@ -10,7 +10,6 @@ include @{exec_path} = /{usr/,}bin/xdg-mime profile xdg-mime @{exec_path} flags=(attach_disconnected) { include - include include @{exec_path} r, @@ -48,6 +47,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/**/hwmon/hwmon[0-9]*/fan* r, /dev/dri/card[0-9]* rw, + /dev/tty rw, # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two # following root processes: diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index a1030197b..d6ddceae4 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -50,6 +50,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { # file_inherit /dev/dri/card[0-9]* rw, + /dev/tty rw, profile dbus { include diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 0d3882c77..5143346a0 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -10,7 +10,6 @@ include @{exec_path} = /{usr/,}bin/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include - include unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (send,receive) type=stream addr=none peer=(label=gnome-shell), @@ -33,6 +32,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner /tmp/server-[0-9]*.xkm rwk, /dev/dri/card[0-9]* rw, + /dev/tty rw, /dev/tty[0-9]* rw, deny /dev/input/event[0-9]* rw, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index d51cc9079..090e2ee81 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -13,7 +13,6 @@ include @{exec_path} += /{usr/,}lib/xorg/Xorg{,.wrap} profile xorg @{exec_path} flags=(attach_disconnected) { include - include include include include 
@@ -132,6 +131,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/input/event[0-9]* rw, /dev/shm/#[0-9]*[0-9] rw, /dev/shm/shmfd-* rw, + /dev/tty rw, /dev/tty[0-9]* rw, /dev/vga_arbiter rw, # Graphic card modules diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 429f076d2..701a0de2c 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/Xwayland profile xwayland @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -42,6 +41,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/comm r, /dev/tty[0-9]* rw, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 6604d1173..548b699f8 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -9,7 +9,6 @@ include @{exec_path} = @{libexec}/gdm-session-worker profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -88,6 +87,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{PROC}/1/limits r, @{PROC}/keys r, + /dev/tty rw, /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index 553ad6afd..5f3e7745d 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -43,6 +43,7 @@ profile gdm-xsession @{exec_path} { /{usr/,}bin/dbus-update-activation-environment mr, # file_inherit + /dev/tty rw, /dev/tty[0-9]* rw, owner @{HOME}/.xsession-errors w, } diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 642a0fed6..fe4e1f9d0 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console 
@@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -59,6 +58,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/stat r, /dev/ r, + /dev/tty rw, /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index d0ee1f704..d4f5d0bc5 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/gnome-extensions-app profile gnome-extensions-app @{exec_path} { include - include @{exec_path} mr, @@ -18,6 +17,7 @@ profile gnome-extensions-app @{exec_path} { /usr/share/terminfo/x/xterm-256color r, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 146050702..6362ac80b 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,7 +9,6 @@ include @{exec_path} = @{libexec}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -142,6 +141,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cgroup r, @{PROC}/cmdline r, + /dev/tty rw, /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index 249349070..2192ebaef 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -9,7 +9,6 @@ include @{exec_path} = @{libexec}/gsd-xsettings profile gsd-xsettings @{exec_path} { include - include include include include 
@@ -71,6 +70,7 @@ profile gsd-xsettings @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + /dev/tty rw, /dev/tty[0-9]* rw, profile run-parts { diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index d0364baf1..c612512d1 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/nautilus profile nautilus @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -62,6 +61,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/net/wireless r, + /dev/tty rw, /dev/dri/card[0-9]* rw, include if exists diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index fb6d2b895..793734605 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -9,7 +9,6 @@ include @{exec_path} = "/opt/Mullvad VPN/mullvad-gui" profile mullvad-gui @{exec_path} { include - include include include include @@ -70,6 +69,7 @@ profile mullvad-gui @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index 8d1e0a4c3..3676d6434 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}lib/nm-openvpn-service profile nm-openvpn-service @{exec_path} { include - include include capability kill, @@ -28,6 +27,7 @@ profile nm-openvpn-service @{exec_path} { @{run}/NetworkManager/nm-openvpn-@{uuid} rw, /dev/net/tun rw, + /dev/tty rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index 54a9e3644..06ccb7d60 100644 --- a/apparmor.d/groups/network/wg-quick 
+++ b/apparmor.d/groups/network/wg-quick @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/wg-quick profile wg-quick @{exec_path} { include - include capability net_admin, @@ -40,6 +39,7 @@ profile wg-quick @{exec_path} { @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w, + /dev/tty rw, # Force the use as root deny /{usr/,}bin/sudo x, diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 6a433d46c..06802b1f5 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/archlinux-java profile archlinux-java @{exec_path} { include - include capability dac_read_search, @@ -26,6 +25,7 @@ profile archlinux-java @{exec_path} { /{usr/,}lib/jvm/default w, /{usr/,}lib/jvm/default-runtime w, + /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index d592fffda..2dd92c43d 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/paccache profile paccache @{exec_path} { include - include include capability dac_read_search, @@ -36,6 +35,7 @@ profile paccache @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index dd32a2441..2ab106458 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/pacdiff profile pacdiff @{exec_path} flags=(attach_disconnected) { include - include capability dac_read_search, capability mknod, @@ -37,6 +36,7 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { /usr/{,**} r, /var/{,**} r, + /dev/tty rw, # Inherit Silencer deny /apparmor/.null rw, 
diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index 431f84fb1..a4f0d2fa8 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/dconf-update profile pacman-hook-dconf @{exec_path} { include - include capability dac_read_search, @@ -21,6 +20,7 @@ profile pacman-hook-dconf @{exec_path} { /etc/dconf/db/{,**} rw, + /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index bab25a9ce..bee1028f9 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod +++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/depmod profile pacman-hook-depmod @{exec_path} { include - include capability dac_read_search, @@ -24,6 +23,7 @@ profile pacman-hook-depmod @{exec_path} { /usr/lib/modules/*/{,**} rw, + /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index 4ef5907a7..4bc084b5a 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/dkms profile pacman-hook-dkms @{exec_path} { include - include capability dac_read_search, capability mknod, @@ -28,6 +27,7 @@ profile pacman-hook-dkms @{exec_path} { /etc/dkms/{,*} r, + /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index ae89d40e4..38166f030 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig 
@@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/40-fontconfig-config profile pacman-hook-fontconfig @{exec_path} { include - include capability dac_read_search, @@ -22,6 +21,7 @@ profile pacman-hook-fontconfig @{exec_path} { /etc/fonts/conf.d/* rwl, /usr/share/fontconfig/conf.default/* r, + /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index d61c49b0a..b748c39c6 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/gio-querymodules profile pacman-hook-gio @{exec_path} { include - include capability dac_read_search, @@ -24,6 +23,7 @@ profile pacman-hook-gio @{exec_path} { /usr/lib/gio/modules/ rw, + /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index 7b5fe2e8c..e110ded46 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/gtk-update-icon-cache profile pacman-hook-gtk @{exec_path} { include - include capability dac_read_search, @@ -24,6 +23,7 @@ profile pacman-hook-gtk @{exec_path} { /usr/share/icons/{,**} rw, + /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install index ac186b9fa..f18699b94 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-install @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-install profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) { include - include capability dac_read_search, capability mknod, 
@@ -33,6 +32,7 @@ profile pacman-hook-mkinitcpio-install @{exec_path} flags=(attach_disconnected) / r, owner /boot/vmlinuz-* rw, + /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index b425fc93a..2280c2746 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/mkinitcpio-remove profile pacman-hook-mkinitcpio-remove @{exec_path} { include - include capability dac_read_search, capability mknod, @@ -29,6 +28,7 @@ profile pacman-hook-mkinitcpio-remove @{exec_path} { /boot/initramfs-*.img rw, /boot/initramfs-*-fallback.img rw, + /dev/tty rw, # Inherit Silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 99f936a4f..b18a60058 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/detect-old-perl-modules.sh profile pacman-hook-perl @{exec_path} { include - include capability dac_read_search, capability mknod, @@ -24,6 +23,7 @@ profile pacman-hook-perl @{exec_path} { /{usr/,}lib/perl[0-9]*/{,**} r, + /dev/tty rw, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 6a4de3359..b41e0a522 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/libalpm/scripts/systemd-hook profile pacman-hook-systemd @{exec_path} { include - include capability dac_read_search, @@ -30,6 +29,7 @@ profile pacman-hook-systemd @{exec_path} { /usr/ rw, + /dev/tty rw, # Inherit silencer deny network inet6 stream, 
diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 7cc79722b..3f427b9a3 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -35,6 +35,7 @@ profile pacman-key @{exec_path} { /etc/pacman.d/gnupg/gpg.conf r, + /dev/tty rw, profile gpg { include diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index a59ecdd31..1f0613070 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -10,7 +10,6 @@ include @{exec_path} = /{usr/,}bin/systemd-analyze profile systemd-analyze @{exec_path} { include - include include include @@ -74,5 +73,8 @@ profile systemd-analyze @{exec_path} { owner @{PROC}/@{pid}/comm r, @{PROC}/swaps r, + /dev/tty rw, + /dev/pts/1 rw, + include if exists } diff --git a/apparmor.d/groups/systemd/systemd-environment-d-generator b/apparmor.d/groups/systemd/systemd-environment-d-generator index 6b3ef2f9e..e007b6dcb 100644 --- a/apparmor.d/groups/systemd/systemd-environment-d-generator +++ b/apparmor.d/groups/systemd/systemd-environment-d-generator @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}lib/systemd/user-environment-generators/* profile systemd-environment-d-generator @{exec_path} { include - include include include @@ -25,6 +24,7 @@ profile systemd-environment-d-generator @{exec_path} { owner @{user_config_dirs}/environment.d/{,*.conf} r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index fb8fab895..f23379653 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}lib/systemd/systemd-sleep profile systemd-sleep @{exec_path} { include - include include include 
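Review bot: `/dev/pts/1 rw,` in the systemd-analyze hunk hard-codes one pseudo-terminal number, so the rule only matches when the tool happens to run on pts/1 and produces a denial on any other terminal. The other profiles in this revert that need a pty (apt-mark, k3s, mount-zfs, zpool, zsysd) use the glob form; use `/dev/pts/[0-9]* rw,` here as well. The `/dev/tty rw,` line added in the same hunk matches the rest of the series and needs no change.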
@@ -30,6 +29,7 @@ profile systemd-sleep @{exec_path} { @{PROC}/driver/nvidia/suspend w, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index a370a5121..1a5e667e3 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}{local/,}bin/k3s profile k3s @{exec_path} { include - include include include include @@ -168,6 +167,7 @@ profile k3s @{exec_path} { @{sys}/module/apparmor/parameters/enabled r, /dev/kmsg r, + /dev/pts/[0-9]* rw, include if exists } diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid index 486c40a99..8074ef09b 100644 --- a/apparmor.d/profiles-a-f/acpid +++ b/apparmor.d/profiles-a-f/acpid @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}{s,}bin/acpid profile acpid @{exec_path} flags=(attach_disconnected) { include - include include capability dac_read_search, @@ -34,6 +33,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/loginuid r, /dev/input/{,**} r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd index d3ef9890a..a40c42491 100644 --- a/apparmor.d/profiles-a-f/apparmor.systemd +++ b/apparmor.d/profiles-a-f/apparmor.systemd @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}lib/apparmor/apparmor.systemd profile apparmor.systemd @{exec_path} flags=(complain) { include - include include capability mac_admin, @@ -42,6 +41,7 @@ profile apparmor.systemd @{exec_path} flags=(complain) { @{PROC}/filesystems r, @{PROC}/mounts r, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/askpass b/apparmor.d/profiles-a-f/askpass index da82ec52c..67938a929 100644 --- a/apparmor.d/profiles-a-f/askpass +++ b/apparmor.d/profiles-a-f/askpass 
@@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}lib/code/extensions/git/dist/askpass.sh profile askpass @{exec_path} { include - include network inet dgram, network inet6 dgram, @@ -26,6 +25,7 @@ profile askpass @{exec_path} { owner /tmp/tmp.* rw, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules index 211a5e0dc..f7356dd02 100644 --- a/apparmor.d/profiles-a-f/augenrules +++ b/apparmor.d/profiles-a-f/augenrules @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/augenrules profile augenrules @{exec_path} { include - include include @{exec_path} mr, @@ -20,6 +19,7 @@ profile augenrules @{exec_path} { owner /tmp/aurules.* rw, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/aurpublish b/apparmor.d/profiles-a-f/aurpublish index 978f97bae..879199f59 100644 --- a/apparmor.d/profiles-a-f/aurpublish +++ b/apparmor.d/profiles-a-f/aurpublish @@ -9,7 +9,6 @@ include @{exec_path} = /usr/share/aurpublish/*.hook profile aurpublish @{exec_path} { include - include signal (receive) peer=git, @@ -26,6 +25,7 @@ profile aurpublish @{exec_path} { owner @{user_projects_dirs}/**/.SRCINFO rw, owner @{user_projects_dirs}/**/PKGBUILD r, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 609b75536..362666f71 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman @@ -10,7 +10,6 @@ include @{exec_path} = /{usr/,}bin/blueman-* profile blueman @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -68,6 +67,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { /dev/dri/card[0-9]* rw, /dev/rfkill r, /dev/shm/ r, + /dev/tty rw, profile open { include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 7768dffe8..0190d4190 100644 
--- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/evince /{usr/,}lib/evinced profile evince @{exec_path} { include - include include include include @@ -41,6 +40,7 @@ profile evince @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index 359095a95..55963c466 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/firecfg profile firecfg @{exec_path} flags=(attach_disconnected) { include - include include capability dac_read_search, @@ -35,6 +34,7 @@ profile firecfg @{exec_path} flags=(attach_disconnected) { @{user_share_dirs}/applications/ r, @{user_share_dirs}/applications/*.desktop rw, + /dev/tty rw, deny /apparmor/.null rw, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 54e3f66e3..5d5c558e5 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -10,7 +10,6 @@ include @{exec_path} = /{usr/,}bin/fwupdmgr profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { include - include include include include @@ -66,6 +65,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { owner @{PROC}/@{pid}/fd/ r, + /dev/tty rw, profile dbus { include diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index f54441c11..a541546cb 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/install-info profile install-info @{exec_path} { include - include capability dac_read_search, @@ -21,6 +20,8 @@ profile install-info @{exec_path} { /usr/share/info/{,**} r, /usr/share/info/dir rw, + /dev/tty rw, + # Inherit silencer deny network inet6 stream, deny network inet stream, 
diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs index 723a7480e..b13322333 100644 --- a/apparmor.d/profiles-m-r/mount-zfs +++ b/apparmor.d/profiles-m-r/mount-zfs @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}{s,}bin/mount.zfs profile mount-zfs @{exec_path} flags=(complain) { include - include include capability dac_read_search, @@ -17,6 +16,8 @@ profile mount-zfs @{exec_path} flags=(complain) { @{exec_path} mr, + /dev/pts/[0-9]* rw, + @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/*/ r, diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index d4df0d2b8..17a723e04 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}lib/needrestart/iucode-scan-versions profile needrestart-iucode-scan-versions @{exec_path} { include - include @{exec_path} mr, @@ -30,6 +29,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { @{sys}/devices/system/cpu/cpu[0-9]*/microcode/processor_flags r, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 366584a88..b701b02b9 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/pass profile pass @{exec_path} { include - include include @{exec_path} mr, @@ -66,6 +65,7 @@ profile pass @{exec_path} { @{PROC}/sys/kernel/osrelease r, @{PROC}/uptime r, + /dev/tty rw, profile editor { include diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index 148e25e54..fb894967e 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -10,7 +10,6 @@ include @{exec_path} = /{usr/,}bin/pkttyagent profile pkttyagent @{exec_path} { include - include include include 
@@ -40,6 +39,7 @@ profile pkttyagent @{exec_path} { owner @{PROC}/@{pids}/stat r, + /dev/tty rw, include if exists } diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 37efaadaf..d5b5fdb8c 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}sbin/resolvconf profile resolvconf @{exec_path} { include - include include @{exec_path} mr, @@ -34,6 +33,7 @@ profile resolvconf @{exec_path} { owner @{run}/resolvconf/{,**} rw, owner @{run}/resolvconf/run-lock wk, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11 index c14b8fa5f..de71e9f49 100644 --- a/apparmor.d/profiles-s-z/start-pulseaudio-x11 +++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11 @@ -9,13 +9,13 @@ include @{exec_path} = /{usr/,}bin/start-pulseaudio-x11 profile start-pulseaudio-x11 @{exec_path} { include - include @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/pactl rPx, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl index cacf0d1b6..58fca3ce9 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl @@ -10,7 +10,6 @@ include @{exec_path} = /{usr/,}bin/udisksctl profile udisksctl @{exec_path} { include - include @{exec_path} mr, @@ -20,6 +19,7 @@ profile udisksctl @{exec_path} { /{usr/,}bin/less rPx -> child-pager, /{usr/,}bin/more rPx -> child-pager, + /dev/tty rw, include if exists } diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index f80670561..caa578b86 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust 
@@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/update-ca-trust profile update-ca-trust @{exec_path} { include - include include capability dac_read_search, @@ -31,6 +30,7 @@ profile update-ca-trust @{exec_path} { /etc/ssl/certs/{,*} rw, /etc/ssl/certs/java/cacerts{,.*} w, + /dev/tty rw, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index 0a07cf860..880d3dc17 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}bin/wl-{copy,paste} profile wl-copy @{exec_path} { include - include @{exec_path} mr, @@ -20,6 +19,7 @@ profile wl-copy @{exec_path} { owner /tmp/wl-copy-buffer-*/{,**} rw, + /dev/tty rw, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 59a1e2692..f1ae419f4 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}{local/,}{s,}bin/zpool profile zpool @{exec_path} { include - include include capability sys_admin, @@ -35,6 +34,7 @@ profile zpool @{exec_path} { @{PROC}/@{pids}/mounts r, @{PROC}/sys/kernel/spl/hostid r, + /dev/pts/[0-9]* rw, /dev/zfs rw, include if exists diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index a0141ae1a..d8a6c4514 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -9,7 +9,6 @@ include @{exec_path} = /{usr/,}{s,}bin/zsysd /{usr/,}{s,}bin/zsysctl profile zsysd @{exec_path} flags=(complain) { include - include include include @@ -43,6 +42,7 @@ profile zsysd @{exec_path} flags=(complain) { @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /dev/pts/[0-9]* rw, /dev/zfs rw, include if exists From 4d8439bea2c866e3edeeec8fe9f82733ca4b49d8 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 19 Aug 2022 20:56:53 +0100 Subject: [PATCH 29/40] ci: ensure journalctl exit a valid output. --- .gitlab-ci.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7291de6a2..4c4c5d095 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -42,6 +42,7 @@ tests: stage: test image: golang script: + - echo '#!/usr/bin/env bash\nexit 0' > /usr/bin/journalctl - go test ./cmd/aa-log -v -cover From 802cfb3278ea737e3eefbcb4a110c5fcb1fddf4f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Aug 2022 20:59:40 +0100 Subject: [PATCH 30/40] ci: add/update missing tests files. --- tests/audit.log | 6 ++++++ tests/systemd.log | 12 ++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 tests/systemd.log diff --git a/tests/audit.log b/tests/audit.log index 4f05b1cb8..1d236b7e6 100644 --- a/tests/audit.log +++ b/tests/audit.log 
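Review bot: The added `echo '#!/usr/bin/env bash\nexit 0' > /usr/bin/journalctl` very likely does not produce the two-line stub it is meant to: bash's builtin `echo` does not expand `\n` without `-e`, so under bash the file holds a single line `#!/usr/bin/env bash\nexit 0` (dash's `echo` would expand it, so the outcome depends on which shell the runner uses for the job script). The stub is also never marked executable, so a PATH lookup for `journalctl` by the test binary would not find a runnable program. Both are covered by `- printf '#!/usr/bin/env bash\nexit 0\n' > /usr/bin/journalctl` followed by `- chmod +x /usr/bin/journalctl`. Shadowing the system journalctl is harmless in the throwaway CI container, but a short `# stub journalctl so the aa-log tests see an empty journal` above the line would save the next reader a search.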
@@ -26,3 +26,9 @@ type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="open" pro
 type=AVC msg=audit(1111111111.111:1111): apparmor="DENIED" operation="open" profile="chrome-gnome-shell" name="/home/user/.netrc" pid=9119 comm="chrome-gnome-sh" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000FSUID="user" OUID="user"
 type=BPF msg=audit(1111111111.111:1111): prog-id=26 op=LOAD
 type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="exec" info="no new privs" error=-1 profile="man" name="/usr/bin/preconv" pid=60755 comm="man" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0 target="man_groff"FSUID="user" OUID="root"
+type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" name=":1.3" mask="receive" label="dbus-daemon" peer_pid=1667 peer_label="power-profiles-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
+type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="file_perm" parent=16001 profile=666F6F20626172 name="/home/foo/.bash_history" pid=17011 comm="bash" requested_mask="rw" denied_mask="rw" fsuid=0 ouid=1000
+type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" mask="send" name="org.freedesktop.DBus" pid=1667 label="power-profiles-daemon" peer_label="dbus-daemon" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
+type=USER_AVC msg=audit(1111111111.111:1111): pid=1648 uid=102 auid=4294967295 ses=4294967295 subj=? msg='apparmor="ALLOWED" operation="dbus_method_call" bus="system" path="/org/freedesktop/DBus" interface="org.freedesktop.DBus" member="AddMatch" name=":1.4" mask="receive" label="dbus-daemon" peer_pid=1 peer_label="unconfined" exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
+type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="bind" profile="gnome-shell" pid=2027 comm="gnome-shell" family="unix" sock_type="stream" protocol=0 requested_mask="bind" denied_mask="bind" addr="@/tmp/.X11-unix/X1"
+type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="file_perm" profile="gnome-session-binary" pid=1995 comm="gnome-session-b" family="unix" sock_type="stream" protocol=0 requested_mask="send receive" denied_mask="send receive" addr="@/tmp/.ICE-unix/1995" peer_addr=none peer="gnome-shell"
diff --git a/tests/systemd.log b/tests/systemd.log
new file mode 100644
index 000000000..7d2efccf7
--- /dev/null
+++ b/tests/systemd.log
@@ -0,0 +1,12 @@ +{"_EXE":"/usr/bin/dbus-daemon","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_IDENTIFIER":"dbus-daemon","__REALTIME_TIMESTAMP":"1660508874368560","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","SYSLOG_FACILITY":"1","_SOURCE_REALTIME_TIMESTAMP":"1660508874363660","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:54 ","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1/unit/dev_2dloop10_2edevice\" interface=\"org.freedesktop.DBus.Introspectable\" member=\"Introspect\" mask=\"send\" name=\":1.1\" pid=2336 label=\"gnome-shell\" peer_pid=1969 peer_label=\"unconfined\"","_TRANSPORT":"syslog","SYSLOG_PID":"2134","_SYSTEMD_UNIT":"user@1000.service","_COMM":"dbus-daemon","__MONOTONIC_TIMESTAMP":"4450642","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_USER_UNIT":"dbus.service","_UID":"1000","_PID":"2134","PRIORITY":"5","_GID":"1000","_HOSTNAME":"ubuntu","_SYSTEMD_SLICE":"user-1000.slice","_AUDIT_LOGINUID":"1000","SYSLOG_RAW":"<13>Aug 14 21:27:54 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1/unit/dev_2dloop10_2edevice\" interface=\"org.freedesktop.DBus.Introspectable\" member=\"Introspect\" mask=\"send\" name=\":1.1\" pid=2336 label=\"gnome-shell\" peer_pid=1969 peer_label=\"unconfined\"\n","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_AUDIT_SESSION":"2","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=5fb1;b=b08dfa6083e7567a1921a715000001fb;m=43e952;t=5e639599a6630;x=83188ca2cb9a0a03","_SYSTEMD_USER_SLICE":"app.slice","_CAP_EFFECTIVE":"0"} +{"_PID":"2134","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" 
path=\"/org/freedesktop/systemd1/unit/gnome_2dsession_2dwayland_40ubuntu_2etarget\" interface=\"org.freedesktop.DBus.Introspectable\" member=\"Introspect\" mask=\"send\" name=\":1.1\" pid=2336 label=\"gnome-shell\" peer_pid=1969 peer_label=\"unconfined\"","SYSLOG_IDENTIFIER":"dbus-daemon","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=5fb2;b=b08dfa6083e7567a1921a715000001fb;m=43e98d;t=5e639599a666b;x=c9cd50322836b032","SYSLOG_PID":"2134","_SYSTEMD_USER_SLICE":"app.slice","_SYSTEMD_UNIT":"user@1000.service","_AUDIT_LOGINUID":"1000","__MONOTONIC_TIMESTAMP":"4450701","__REALTIME_TIMESTAMP":"1660508874368619","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:54 ","SYSLOG_RAW":"<13>Aug 14 21:27:54 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1/unit/gnome_2dsession_2dwayland_40ubuntu_2etarget\" interface=\"org.freedesktop.DBus.Introspectable\" member=\"Introspect\" mask=\"send\" name=\":1.1\" pid=2336 label=\"gnome-shell\" peer_pid=1969 peer_label=\"unconfined\"\n","PRIORITY":"5","SYSLOG_FACILITY":"1","_TRANSPORT":"syslog","_CAP_EFFECTIVE":"0","_GID":"1000","_SOURCE_REALTIME_TIMESTAMP":"1660508874363712","_EXE":"/usr/bin/dbus-daemon","_UID":"1000","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_SYSTEMD_SLICE":"user-1000.slice","_HOSTNAME":"ubuntu","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_AUDIT_SESSION":"2","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_USER_UNIT":"dbus.service","_COMM":"dbus-daemon"} 
+{"_SYSTEMD_USER_SLICE":"app.slice","_CAP_EFFECTIVE":"0","__MONOTONIC_TIMESTAMP":"15127876","SYSLOG_IDENTIFIER":"dbus-daemon","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","SYSLOG_RAW":"<13>Aug 14 21:28:05 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"RemoveMatch\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2786 label=\"nautilus\" peer_label=\"dbus-daemon\"\n","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=65a6;b=b08dfa6083e7567a1921a715000001fb;m=e6d544;t=5e6395a3d5222;x=bb43e5245930ae54","_PID":"2134","__REALTIME_TIMESTAMP":"1660508885045794","_HOSTNAME":"ubuntu","SYSLOG_PID":"2134","SYSLOG_FACILITY":"1","_SYSTEMD_USER_UNIT":"dbus.service","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_TRANSPORT":"syslog","SYSLOG_TIMESTAMP":"Aug 14 21:28:05 ","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_COMM":"dbus-daemon","_AUDIT_LOGINUID":"1000","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_SYSTEMD_SLICE":"user-1000.slice","_SOURCE_REALTIME_TIMESTAMP":"1660508885045724","_UID":"1000","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_GID":"1000","_SYSTEMD_UNIT":"user@1000.service","_EXE":"/usr/bin/dbus-daemon","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"RemoveMatch\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2786 label=\"nautilus\" peer_label=\"dbus-daemon\"","PRIORITY":"5","_AUDIT_SESSION":"2"} +{"_SOURCE_REALTIME_TIMESTAMP":"1660508875210386","_TRANSPORT":"syslog","_SYSTEMD_USER_UNIT":"dbus.service","SYSLOG_PID":"2134","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation 
--syslog-only","SYSLOG_IDENTIFIER":"dbus-daemon","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=6467;b=b08dfa6083e7567a1921a715000001fb;m=50c1d8;t=5e63959a73eb6;x=3e2f0ec03be78562","PRIORITY":"5","__REALTIME_TIMESTAMP":"1660508875210422","_EXE":"/usr/bin/dbus-daemon","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_USER_SLICE":"app.slice","SYSLOG_RAW":"<13>Aug 14 21:27:55 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gnome/Nautilus\" interface=\"org.gtk.Actions\" member=\"DescribeAll\" name=\":1.98\" mask=\"receive\" pid=2786 label=\"nautilus\" peer_pid=3211 peer_label=\"nautilus\"\n","_GID":"1000","_HOSTNAME":"ubuntu","_AUDIT_SESSION":"2","_CAP_EFFECTIVE":"0","_SYSTEMD_SLICE":"user-1000.slice","__MONOTONIC_TIMESTAMP":"5292504","SYSLOG_TIMESTAMP":"Aug 14 21:27:55 ","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gnome/Nautilus\" interface=\"org.gtk.Actions\" member=\"DescribeAll\" name=\":1.98\" mask=\"receive\" pid=2786 label=\"nautilus\" peer_pid=3211 peer_label=\"nautilus\"","_UID":"1000","SYSLOG_FACILITY":"1","_SYSTEMD_UNIT":"user@1000.service","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_PID":"2134","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_COMM":"dbus-daemon","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_AUDIT_LOGINUID":"1000"} +{"_CAP_EFFECTIVE":"0","_AUDIT_SESSION":"2","__REALTIME_TIMESTAMP":"1660508875210574","_SYSTEMD_USER_SLICE":"app.slice","_AUDIT_LOGINUID":"1000","SYSLOG_RAW":"<13>Aug 14 21:27:55 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gtk/Settings\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.84\" pid=3024 label=\"gnome-extension-ding\" peer_pid=2999 
peer_label=\"gsd-xsettings\"\n","_GID":"1000","PRIORITY":"5","_SOURCE_REALTIME_TIMESTAMP":"1660508875210536","SYSLOG_IDENTIFIER":"dbus-daemon","SYSLOG_PID":"2134","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:55 ","_COMM":"dbus-daemon","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_SYSTEMD_UNIT":"user@1000.service","_TRANSPORT":"syslog","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_FACILITY":"1","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gtk/Settings\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.84\" pid=3024 label=\"gnome-extension-ding\" peer_pid=2999 peer_label=\"gsd-xsettings\"","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=6468;b=b08dfa6083e7567a1921a715000001fb;m=50c270;t=5e63959a73f4e;x=893876022610c36e","_SYSTEMD_OWNER_UID":"1000","__MONOTONIC_TIMESTAMP":"5292656","_SYSTEMD_USER_UNIT":"dbus.service","_PID":"2134","_EXE":"/usr/bin/dbus-daemon","_HOSTNAME":"ubuntu","_UID":"1000","_SYSTEMD_SLICE":"user-1000.slice","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service"} +{"_COMM":"dbus-daemon","SYSLOG_PID":"2134","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","__REALTIME_TIMESTAMP":"1660508875210632","SYSLOG_FACILITY":"1","_EXE":"/usr/bin/dbus-daemon","SYSLOG_IDENTIFIER":"dbus-daemon","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gtk/Settings\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" name=\":1.88\" mask=\"receive\" pid=2999 label=\"gsd-xsettings\" peer_pid=3024 
peer_label=\"gnome-extension-ding\"","_UID":"1000","__MONOTONIC_TIMESTAMP":"5292714","_TRANSPORT":"syslog","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:55 ","_PID":"2134","PRIORITY":"5","SYSLOG_RAW":"<13>Aug 14 21:27:55 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gtk/Settings\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" name=\":1.88\" mask=\"receive\" pid=2999 label=\"gsd-xsettings\" peer_pid=3024 peer_label=\"gnome-extension-ding\"\n","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_SYSTEMD_OWNER_UID":"1000","_GID":"1000","_SYSTEMD_UNIT":"user@1000.service","_SYSTEMD_USER_UNIT":"dbus.service","_AUDIT_LOGINUID":"1000","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=6469;b=b08dfa6083e7567a1921a715000001fb;m=50c2aa;t=5e63959a73f88;x=5c93993eebd934c","_SYSTEMD_SLICE":"user-1000.slice","_SYSTEMD_USER_SLICE":"app.slice","_AUDIT_SESSION":"2","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_HOSTNAME":"ubuntu","_CAP_EFFECTIVE":"0","_SOURCE_REALTIME_TIMESTAMP":"1660508875210544"} +{"_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_UID":"1000","_AUDIT_SESSION":"2","_SOURCE_REALTIME_TIMESTAMP":"1660508873116974","SYSLOG_IDENTIFIER":"dbus-daemon","_COMM":"dbus-daemon","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"UpdateActivationEnvironment\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2175 label=\"gnome-session-binary\" peer_label=\"dbus-daemon\"\n","_SYSTEMD_USER_UNIT":"dbus.service","_HOSTNAME":"ubuntu","_CAP_EFFECTIVE":"0","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation 
--syslog-only","_AUDIT_LOGINUID":"1000","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_TRANSPORT":"syslog","__REALTIME_TIMESTAMP":"1660508873116986","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","__MONOTONIC_TIMESTAMP":"3199068","_PID":"2134","_SYSTEMD_OWNER_UID":"1000","_SYSTEMD_USER_SLICE":"app.slice","SYSLOG_PID":"2134","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=559d;b=b08dfa6083e7567a1921a715000001fb;m=30d05c;t=5e63959874d3a;x=b24fce16294858e3","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_EXE":"/usr/bin/dbus-daemon","_SYSTEMD_UNIT":"user@1000.service","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","_SYSTEMD_SLICE":"user-1000.slice","SYSLOG_FACILITY":"1","_GID":"1000","PRIORITY":"5","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"UpdateActivationEnvironment\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2175 label=\"gnome-session-binary\" peer_label=\"dbus-daemon\""} +{"_AUDIT_SESSION":"2","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1\" interface=\"org.freedesktop.systemd1.Manager\" member=\"SetEnvironment\" mask=\"send\" name=\"org.freedesktop.systemd1\" pid=2289 label=\"gnome-session-binary\" peer_pid=1969 peer_label=\"unconfined\"","_PID":"2134","_GID":"1000","_TRANSPORT":"syslog","_CAP_EFFECTIVE":"0","_SYSTEMD_SLICE":"user-1000.slice","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","SYSLOG_FACILITY":"1","_SYSTEMD_UNIT":"user@1000.service","_SELINUX_CONTEXT":"dbus-daemon 
(complain)\n","_SYSTEMD_USER_UNIT":"dbus.service","_AUDIT_LOGINUID":"1000","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","__REALTIME_TIMESTAMP":"1660508873179343","SYSLOG_PID":"2134","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=55dd;b=b08dfa6083e7567a1921a715000001fb;m=31c3f1;t=5e639598840cf;x=669640969915bdb7","_SOURCE_REALTIME_TIMESTAMP":"1660508873179332","_EXE":"/usr/bin/dbus-daemon","_SYSTEMD_OWNER_UID":"1000","PRIORITY":"5","_HOSTNAME":"ubuntu","_SYSTEMD_USER_SLICE":"app.slice","_COMM":"dbus-daemon","_UID":"1000","__MONOTONIC_TIMESTAMP":"3261425","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/systemd1\" interface=\"org.freedesktop.systemd1.Manager\" member=\"SetEnvironment\" mask=\"send\" name=\"org.freedesktop.systemd1\" pid=2289 label=\"gnome-session-binary\" peer_pid=1969 peer_label=\"unconfined\"\n","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_IDENTIFIER":"dbus-daemon"} +{"_SYSTEMD_SLICE":"user-1000.slice","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/a11y/bus\" interface=\"org.a11y.Bus\" member=\"GetAddress\" mask=\"send\" name=\"org.a11y.Bus\" pid=2807 label=\"at-spi2-registryd\" peer_pid=2321 peer_label=\"at-spi-bus-launcher\"\n","_SYSTEMD_OWNER_UID":"1000","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation 
--syslog-only","_GID":"1000","_SYSTEMD_USER_UNIT":"dbus.service","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=58c7;b=b08dfa6083e7567a1921a715000001fb;m=3d1a91;t=5e6395993976f;x=7672612d85202a41","SYSLOG_FACILITY":"1","_COMM":"dbus-daemon","__MONOTONIC_TIMESTAMP":"4004497","_CAP_EFFECTIVE":"0","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_TRANSPORT":"syslog","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_HOSTNAME":"ubuntu","_AUDIT_LOGINUID":"1000","_UID":"1000","_SYSTEMD_UNIT":"user@1000.service","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/a11y/bus\" interface=\"org.a11y.Bus\" member=\"GetAddress\" mask=\"send\" name=\"org.a11y.Bus\" pid=2807 label=\"at-spi2-registryd\" peer_pid=2321 peer_label=\"at-spi-bus-launcher\"","_SOURCE_REALTIME_TIMESTAMP":"1660508873922402","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","__REALTIME_TIMESTAMP":"1660508873922415","PRIORITY":"5","SYSLOG_PID":"2134","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","_AUDIT_SESSION":"2","_SYSTEMD_USER_SLICE":"app.slice","_EXE":"/usr/bin/dbus-daemon","_PID":"2134","SYSLOG_IDENTIFIER":"dbus-daemon","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 "} +{"_SYSTEMD_UNIT":"user@1000.service","_SYSTEMD_USER_UNIT":"dbus.service","_EXE":"/usr/bin/dbus-daemon","_SELINUX_CONTEXT":"dbus-daemon (complain)\n","SYSLOG_FACILITY":"1","SYSLOG_IDENTIFIER":"dbus-daemon","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_SYSTEMD_SLICE":"user-1000.slice","_PID":"2134","_GID":"1000","_TRANSPORT":"syslog","_AUDIT_SESSION":"2","_COMM":"dbus-daemon","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gnome/SessionManager\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.29\" pid=2807 label=\"at-spi2-registryd\" peer_pid=2289 
peer_label=\"gnome-session-binary\"\n","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","__REALTIME_TIMESTAMP":"1660508873925953","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=58dc;b=b08dfa6083e7567a1921a715000001fb;m=3d2863;t=5e6395993a541;x=40d5952488f76012","_HOSTNAME":"ubuntu","PRIORITY":"5","_SYSTEMD_OWNER_UID":"1000","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/gnome/SessionManager\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.29\" pid=2807 label=\"at-spi2-registryd\" peer_pid=2289 peer_label=\"gnome-session-binary\"","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_SOURCE_REALTIME_TIMESTAMP":"1660508873925692","_CAP_EFFECTIVE":"0","_SYSTEMD_USER_SLICE":"app.slice","__MONOTONIC_TIMESTAMP":"4008035","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","SYSLOG_PID":"2134","_AUDIT_LOGINUID":"1000","_UID":"1000"} +{"_PID":"2134","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"RequestName\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2808 label=\"gjs-console\" peer_label=\"dbus-daemon\"","_EXE":"/usr/bin/dbus-daemon","_CAP_EFFECTIVE":"0","_TRANSPORT":"syslog","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","__MONOTONIC_TIMESTAMP":"4075041","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","_SYSTEMD_USER_SLICE":"app.slice","SYSLOG_FACILITY":"1","SYSLOG_PID":"2134","_SYSTEMD_UNIT":"user@1000.service","_SYSTEMD_SLICE":"user-1000.slice","_AUDIT_LOGINUID":"1000","_SELINUX_CONTEXT":"dbus-daemon 
(complain)\n","_AUDIT_SESSION":"2","_SYSTEMD_USER_UNIT":"dbus.service","SYSLOG_IDENTIFIER":"dbus-daemon","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=59fa;b=b08dfa6083e7567a1921a715000001fb;m=3e2e21;t=5e6395994aaff;x=7943c0d544e18263","PRIORITY":"5","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/DBus\" interface=\"org.freedesktop.DBus\" member=\"RequestName\" mask=\"send\" name=\"org.freedesktop.DBus\" pid=2808 label=\"gjs-console\" peer_label=\"dbus-daemon\"\n","_SOURCE_REALTIME_TIMESTAMP":"1660508873992950","_GID":"1000","_HOSTNAME":"ubuntu","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","__REALTIME_TIMESTAMP":"1660508873992959","_UID":"1000","_SYSTEMD_OWNER_UID":"1000","_COMM":"dbus-daemon","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0"} +{"_SYSTEMD_USER_SLICE":"app.slice","SYSLOG_RAW":"<13>Aug 14 21:27:53 dbus-daemon[2134]: apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/Notifications\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.37\" pid=2808 label=\"gjs-console\" peer_pid=2336 peer_label=\"gnome-shell\"\n","_SELINUX_CONTEXT":"dbus-daemon 
(complain)\n","_SYSTEMD_INVOCATION_ID":"a2df70e9ec4d4a02a84b116cef31a4c0","_SYSTEMD_UNIT":"user@1000.service","_PID":"2134","_TRANSPORT":"syslog","_SYSTEMD_SLICE":"user-1000.slice","__CURSOR":"s=b08dfa6083e7567a1921a715000001fb;i=5a22;b=b08dfa6083e7567a1921a715000001fb;m=3e3cf0;t=5e6395994b9ce;x=530c8e8f82a22c96","_CAP_EFFECTIVE":"0","SYSLOG_FACILITY":"1","_SYSTEMD_CGROUP":"/user.slice/user-1000.slice/user@1000.service/app.slice/dbus.service","_SOURCE_REALTIME_TIMESTAMP":"1660508873996745","_AUDIT_LOGINUID":"1000","SYSLOG_PID":"2134","_UID":"1000","__MONOTONIC_TIMESTAMP":"4078832","__REALTIME_TIMESTAMP":"1660508873996750","_GID":"1000","_SYSTEMD_USER_UNIT":"dbus.service","SYSLOG_IDENTIFIER":"dbus-daemon","_CMDLINE":"/usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only","PRIORITY":"5","_HOSTNAME":"ubuntu","_SYSTEMD_OWNER_UID":"1000","_BOOT_ID":"b08dfa6083e7567a1921a715000001fb","_COMM":"dbus-daemon","SYSLOG_TIMESTAMP":"Aug 14 21:27:53 ","_EXE":"/usr/bin/dbus-daemon","_MACHINE_ID":"b08dfa6083e7567a1921a715000001fb","MESSAGE":"apparmor=\"ALLOWED\" operation=\"dbus_method_call\" bus=\"session\" path=\"/org/freedesktop/Notifications\" interface=\"org.freedesktop.DBus.Properties\" member=\"GetAll\" mask=\"send\" name=\":1.37\" pid=2808 label=\"gjs-console\" peer_pid=2336 peer_label=\"gnome-shell\"","_AUDIT_SESSION":"2"} From e6c91fdfd777f3b0ab5ac63e77f04d1de3bf8d31 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 19 Aug 2022 21:10:10 +0100 Subject: [PATCH 31/40] feat(profiles): general update. --- apparmor.d/abstractions/disks-write | 2 + apparmor.d/groups/apt/apt | 5 +- apparmor.d/groups/browsers/chromium-chromium | 2 + apparmor.d/groups/freedesktop/fc-cache | 3 +- apparmor.d/groups/gnome/gjs-console | 7 +- apparmor.d/groups/gnome/gnome-extensions-app | 17 +++ apparmor.d/groups/network/mullvad-gui | 1 + apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/systemd/child-systemctl | 2 +- apparmor.d/groups/systemd/systemd-analyze | 19 +-- apparmor.d/groups/systemd/systemd-hwdb | 1 + .../groups/ubuntu/notify-reboot-required | 1 + .../groups/ubuntu/software-properties-gtk | 1 + apparmor.d/groups/ubuntu/update-notifier | 2 + apparmor.d/profiles-g-l/glib-compile-schemas | 2 + apparmor.d/profiles-g-l/install-info | 1 + apparmor.d/profiles-g-l/language-validate | 11 +- apparmor.d/profiles-m-r/rsyslogd | 27 ++--- apparmor.d/profiles-m-r/rtkit-daemon | 2 +- apparmor.d/profiles-s-z/snap | 6 +- apparmor.d/profiles-s-z/snapd | 27 +++-- apparmor.d/profiles-s-z/steam | 19 ++- apparmor.d/profiles-s-z/steam-game | 3 + apparmor.d/profiles-s-z/steam-gameoverlayui | 9 +- apparmor.d/profiles-s-z/udisksd | 111 ++++++++---------- apparmor.d/profiles-s-z/wpa-supplicant | 2 +- 26 files changed, 163 insertions(+), 122 deletions(-) diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index fd5c7b734..f6adf946d 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -8,6 +8,8 @@ # The /sys/ entries probably should be tightened /dev/ r, + /dev/block/ r, + /dev/disk/{,*/} r, # Regular disk/partition devices /dev/{s,v}d[a-z]* rwk, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index b7ee1e980..867c76795 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt 
@@ -28,6 +28,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { capability setgid, capability setuid, capability sys_nice, + capability sys_ptrace, signal (send) peer=apt-methods-*, @@ -46,7 +47,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { member=Inhibit peer=(name=org.freedesktop.login[0-9]), - dbus send bus=system path=/org/freedesktop/DBus + dbus send bus=system path=/org/freedesktop/DBus{,/Bus} interface=org.freedesktop.DBus{,.Introspectable} member={RequestName,GetConnectionUnixProcessID,Introspect} peer=(name=org.freedesktop.DBus), @@ -101,6 +102,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook rPx, /{usr/,}lib/update-notifier/update-motd-updates-available rPx, /usr/share/command-not-found/cnf-update-db rPx, + /usr/share/language-tools/language-options rPx, # For editing the sources.list file /{usr/,}bin/sensible-editor rCx -> editor, @@ -110,6 +112,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/sensible-pager rCx -> pager, /usr/share/xml/iso-codes/{,**} r, + /usr/share/language-selector/data/pkg_depends r, /etc/apt/sources.list rwk, /etc/machine-id r, diff --git a/apparmor.d/groups/browsers/chromium-chromium b/apparmor.d/groups/browsers/chromium-chromium index f1cfd87dd..b6bf4ff65 100644 --- a/apparmor.d/groups/browsers/chromium-chromium +++ b/apparmor.d/groups/browsers/chromium-chromium @@ -32,6 +32,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=browserpass, ptrace (read) peer=chrome-gnome-shell, + ptrace (read) peer=gnome-browser-connector-host, ptrace (read) peer=keepassxc-proxy, ptrace (read) peer=lsb_release, ptrace (read) peer=xdg-settings, 
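Review bot: `capability sys_ptrace,` is added to the apt profile with no comment recording which operation needed it, and among the hunks visible here it is the broadest new permission: CAP_SYS_PTRACE is what the kernel consults before letting a process read another process's protected `/proc/<pid>/` entries, so a reader of this profile cannot tell whether the trigger was a one-off denial or a standing need. Please put the observed denial above the rule, e.g. `# sys_ptrace: needed for <operation from the audit log — record it here>`, so the grant can be revisited. The same request applies, less critically, to the widened `path=/org/freedesktop/DBus{,/Bus}` / `interface=org.freedesktop.DBus{,.Introspectable}` rule in the second hunk, which now also admits the Introspectable interface on the `/Bus` object.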
@@ -49,6 +50,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, /{usr/,}bin/chrome-gnome-shell rPx, + /{usr/,}bin/gnome-browser-connector-host rPx, /{usr/,}lib/chromium/chrome-sandbox rPx, /{usr/,}lib/chromium/chrome_crashpad_handler rPx, diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache index 9736bc759..1bfe02a61 100644 --- a/apparmor.d/groups/freedesktop/fc-cache +++ b/apparmor.d/groups/freedesktop/fc-cache @@ -10,8 +10,9 @@ include @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*} profile fc-cache @{exec_path} { include - include + include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index fe4e1f9d0..fc30ca94d 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -46,16 +46,17 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, - owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/user/@{uid}/wayland-cursor-shared-* rw, + owner @{run}/user/@{uid}/gdm/Xauthority r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{sys}/devices/system/cpu/possible r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/ r, /dev/tty rw, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index d4f5d0bc5..944782d40 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app 
@@ -9,6 +9,14 @@ include @{exec_path} = /{usr/,}bin/gnome-extensions-app profile gnome-extensions-app @{exec_path} { include + # include + include + include + include + include + include + include + include @{exec_path} mr, @@ -16,6 +24,15 @@ profile gnome-extensions-app @{exec_path} { /{usr/,}bin/gjs-console rix, /usr/share/terminfo/x/xterm-256color r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, + /usr/share/gnome-shell/org.gnome.Extensions* r, + /usr/share/X11/xkb/{,**} r, + + @{sys}/devices/system/cpu/possible r, + + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pids}/stat r, + owner @{PROC}/@{pids}/task/@{tid}/stat r, /dev/tty rw, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 793734605..cce44eee5 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -53,6 +53,7 @@ profile mullvad-gui @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/virtual/tty/tty[0-9]*/active r, @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r, + @{sys}/devices/system/cpu/possible r, @{PROC}/ r, @{PROC}/sys/fs/inotify/max_user_watches r, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 11dfdf161..15f077331 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -8,7 +8,7 @@ include @{exec_path} = /{usr/,}lib/nm-dispatcher @{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher -profile nm-dispatcher @{exec_path} { +profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/systemd/child-systemctl b/apparmor.d/groups/systemd/child-systemctl index d4c6def1e..99f2dee8c 100644 --- a/apparmor.d/groups/systemd/child-systemctl +++ b/apparmor.d/groups/systemd/child-systemctl 
@@ -27,7 +27,7 @@ profile child-systemctl flags=(attach_disconnected) { network inet stream, network inet6 stream, - dbus send bus=system path=/org/freedesktop/systemd[0-9] + dbus send bus=system path=/org/freedesktop/systemd[0-9]/Unit interface=org.freedesktop.systemd[0-9].Manager member=GetUnitFileState, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 1f0613070..2a4179786 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze @@ -10,12 +10,18 @@ include @{exec_path} = /{usr/,}bin/systemd-analyze profile systemd-analyze @{exec_path} { include + include include include capability sys_resource, capability net_admin, + network inet dgram, + network netlink raw, + + signal (send) peer=child-pager, + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member=GetAll, @@ -28,12 +34,8 @@ profile systemd-analyze @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, - signal (send) peer=child-pager, - - network inet dgram, - network netlink raw, - @{exec_path} mr, + /{usr/,}lib/systemd/system-environment-generators/* rix, /{usr/,}bin/pager rPx -> child-pager, @@ -68,13 +70,12 @@ profile systemd-analyze @{exec_path} { @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r, @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/comm r, @{PROC}/swaps r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/mountinfo r, /dev/tty rw, - /dev/pts/1 rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 51f4ff123..6c3a80cf7 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb 
@@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/systemd-hwdb profile systemd-hwdb @{exec_path} flags=(attach_disconnected) { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required index 0ef30e5f2..1fc19b408 100644 --- a/apparmor.d/groups/ubuntu/notify-reboot-required +++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/update-notifier/notify-reboot-required profile notify-reboot-required @{exec_path} { include + include @{exec_path} mr, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index f5e7e6d94..69d34c76c 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -67,6 +67,7 @@ profile software-properties-gtk @{exec_path} { @{sys}/devices/**/modalias r, @{PROC}/@{pids}/mountinfo r, + @{PROC}/asound/cards r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index dbf9eba3c..63dec833f 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -38,6 +38,8 @@ profile update-notifier @{exec_path} { /usr/share/apport/apport-checkreports rPx, /usr/share/apport/apport-gtk rPx, + /{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw, + /usr/share/applications/{,**} r, /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas index 3af156984..c812c59c2 100644 --- a/apparmor.d/profiles-g-l/glib-compile-schemas +++ b/apparmor.d/profiles-g-l/glib-compile-schemas 
@@ -19,5 +19,7 @@ profile glib-compile-schemas @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled.[A-Z0-9]* rw, /usr/share/glib-2.0/schemas/gschemas.compiled rw, + /usr/share/gnome-shell/extensions/*/schemas/org.gnome.shell.extensions.*.gschema.xml r, + include if exists } diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info index a541546cb..997a523eb 100644 --- a/apparmor.d/profiles-g-l/install-info +++ b/apparmor.d/profiles-g-l/install-info @@ -9,6 +9,7 @@ include @{exec_path} = /{usr/,}bin/install-info profile install-info @{exec_path} { include + include capability dac_read_search, diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate index 3c878be31..1737430b5 100644 --- a/apparmor.d/profiles-g-l/language-validate +++ b/apparmor.d/profiles-g-l/language-validate @@ -6,18 +6,17 @@ abi , include -@{exec_path} = /usr/share/language-tools/language-validate +@{exec_path} = /usr/share/language-tools/language-{options,validate} profile language-validate @{exec_path} { include capability setgid, - @{exec_path} mr, + @{exec_path} mrix, - /{usr/,}bin/{,ba,da}sh rix, - /{usr/,}bin/grep rix, - /{usr/,}bin/locale rix, - /usr/share/language-tools/language-options rix, + /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/grep rix, + /{usr/,}bin/locale rix, /usr/share/locale-langpack/{,*} r, /usr/share/language-tools/{,*} r, diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd index 10fc5bd92..d586dbaca 100644 --- a/apparmor.d/profiles-m-r/rsyslogd +++ b/apparmor.d/profiles-m-r/rsyslogd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -20,35 +21,31 @@ profile rsyslogd @{exec_path} { capability net_admin, # For remote logs capability setgid, # For downgrading privileges capability setuid, + capability sys_nice, capability syslog, - + @{exec_path} mr, /{usr/,}lib/@{multiarch}/rsyslog/*.so mr, - # rsyslog configuration /etc/rsyslog.conf r, /etc/rsyslog.d/{,**} r, - /var/spool/rsyslog/ r, - /var/spool/rsyslog/** rw, - owner @{run}/rsyslogd.pid{,.tmp} rwk, - owner @{run}/systemd/journal/syslog w, - @{run}/systemd/notify rw, - - # log files and devices - /var/log/** rw, - @{PROC}/kmsg r, - - # a cert for gtls module /etc/CA/*.crt r, /etc/CA/*.key r, + /var/log/** rw, + /var/spool/rsyslog/ r, + /var/spool/rsyslog/** rw, + + @{run}/systemd/notify rw, + owner @{run}/rsyslogd.pid{,.tmp} rwk, + owner @{run}/systemd/journal/syslog w, + @{PROC}/1/environ r, @{PROC}/cmdline r, + @{PROC}/kmsg r, @{PROC}/sys/kernel/osrelease r, - @{run}/systemd/notify w, - include if exists } diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon index 82302316e..71e444334 100644 --- a/apparmor.d/profiles-m-r/rtkit-daemon +++ b/apparmor.d/profiles-m-r/rtkit-daemon @@ -9,7 +9,7 @@ include @{exec_path} = @{libexec}/rtkit-daemon -profile rtkit-daemon @{exec_path} { +profile rtkit-daemon @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 38567f5c1..5aaf88e65 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -16,9 +16,9 @@ profile snap @{exec_path} { @{exec_path} mrix, /snap/{,**} rw, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-confine rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snapd r, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd r, /etc/fstab r, 
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index ef2ce90e4..cfa8d3710 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -18,8 +18,11 @@ profile snapd @{exec_path} { include capability audit_write, + capability chown, capability dac_override, capability dac_read_search, + capability fowner, + capability fsetid, capability net_admin, capability setgid, capability setuid, @@ -56,6 +59,7 @@ profile snapd @{exec_path} { /{usr/,}bin/cp rix, /{usr/,}bin/gzip rix, /{usr/,}bin/mount rix, + /{usr/,}bin/snap rPx, /{usr/,}bin/sync rix, /{usr/,}bin/systemctl rix, /{usr/,}bin/systemd-detect-virt rPx, @@ -65,15 +69,15 @@ profile snapd @{exec_path} { /{usr/,}bin/unsquashfs rix, /{usr/,}bin/update-desktop-database rPx, - /snap/snapd/[0-9]*/lib/@{multiarch}/** mr, - /snap/snapd/[0-9]*/lib/@{multiarch}/ld-*.so rix, - /snap/snapd/[0-9]*/usr/bin/snap rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-discard-ns rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-seccomp rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snap-update-ns rPx, - /snap/snapd/[0-9]*/usr/lib/snapd/snapd rix, - /snap/snapd/[0-9]*/usr/bin/fc-cache-* rPx -> fc-cache, - /snap/snapd/[0-9]*/usr/bin/xdelta3 rix, # TODO: rPx ? + /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/** mr, + /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/ld-*.so rix, + /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx, + /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix, + /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* rPx -> fc-cache, + /{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ? /usr/share/bash-completion/completions/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} r, 
@@ -104,6 +108,7 @@ profile snapd @{exec_path} { /tmp/syscheck-squashfs-[0-9]* rw, /tmp/read-file[0-9]*/{,**} rw, + /home/ r, @{HOME}/ r, @{HOME}/snap/{,**} rw, @@ -114,8 +119,8 @@ profile snapd @{exec_path} { owner @{run}/user/{,@{uid}/} r, owner @{run}/user/snap.*/{,**} rw, - @{run}/snapd-snap.socket rw, - @{run}/snapd.socket rw, + @{run}/snapd*.socket rw, + @{run}/snapd/{,**} rw, @{run}/snapd/lock/*.lock rwk, @{run}/systemd/notify rw, @{run}/systemd/private rw, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index dd688cfbb..13e39571d 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -37,12 +37,16 @@ profile steam @{exec_path} { signal (send) peer=steam-game, signal (read), + unix (receive) type=stream, + @{exec_path} mrix, /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/*sum rix, /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, /{usr/,}bin/cmp rix, + /{usr/,}bin/cp rix, /{usr/,}bin/cut rix, /{usr/,}bin/dirname rix, /{usr/,}bin/gawk rix, @@ -53,18 +57,23 @@ profile steam @{exec_path} { /{usr/,}bin/ldd rix, /{usr/,}bin/ln rix, /{usr/,}bin/lspci rPx, + /{usr/,}bin/mkdir rix, + /{usr/,}bin/mv rix, /{usr/,}bin/readlink rix, /{usr/,}bin/realpath rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, /{usr/,}bin/steam-runtime-urlopen rix, /{usr/,}bin/tail rix, + /{usr/,}bin/tar rix, + /{usr/,}bin/touch rix, /{usr/,}bin/tr rix, /{usr/,}bin/uname rix, /{usr/,}bin/which rix, /{usr/,}bin/xdg-icon-resource rPx, - - /{usr/,}lib{32,64}/ld-linux.so* rix, + /{usr/,}bin/xz rix, + /{usr/,}bin/zenity rix, + /{usr/,}lib{32,64}/ld-linux.so* rix, @{user_share_dirs}/Steam/config/widevine/linux-x64/libwidevinecdm.so mr, @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier/*entry-point rpx, 
@@ -116,6 +125,7 @@ profile steam @{exec_path} { owner @{user_share_dirs}/icons/hicolor/**/apps/steam*.png rw, owner @{user_share_dirs}/Steam/ rw, owner @{user_share_dirs}/Steam/** rwkl -> @{user_share_dirs}/Steam/**, + owner @{user_share_dirs}/vulkan/implicit_layer.d/steam*.json rwk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, @@ -125,6 +135,7 @@ profile steam @{exec_path} { owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, + owner /tmp/dumps/ rw, owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw, owner /tmp/sh-thd.* rw, owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw, @@ -162,6 +173,7 @@ profile steam @{exec_path} { @{sys}/power/suspend_stats/success rk, @{PROC}/ r, + @{PROC}/@{pids}/comm rk, @{PROC}/@{pids}/net/route r, @{PROC}/@{pids}/stat r, @{PROC}/sys/fs/inotify/max_user_watches r, @@ -170,7 +182,6 @@ profile steam @{exec_path} { @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/sys/user/max_user_namespaces r, @{PROC}/version r, - owner @{PROC}/@{pid}/comm rk, owner @{PROC}/@{pid}/autogroup rw, owner @{PROC}/@{pid}/cmdline rk, owner @{PROC}/@{pid}/fd/ r, @@ -184,5 +195,7 @@ profile steam @{exec_path} { /dev/input/ r, /dev/tty rw, + audit deny /**.steam_exec_test.sh rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 807b79594..9a7f939cf 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game @@ -36,6 +36,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, + capability dac_read_search, capability setpcap, capability sys_admin, capability sys_ptrace, 
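Review bot: The `@@ -162,6 +173,7 @@` and `@@ -170,7 +182,6 @@` hunks together replace `owner @{PROC}/@{pid}/comm rk,` with `@{PROC}/@{pids}/comm rk,`, which drops the `owner` qualifier and widens read (and lock) access from steam's own process to the command name of every process on the system. If steam only needs the names of its own helper processes, `owner @{PROC}/@{pids}/comm rk,` keeps the widening to processes of the same user, which is the pattern the rest of this block follows (`owner @{PROC}/@{pid}/cmdline rk,`). The enclosing profile block begins outside the hunk.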
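Review bot: `capability dac_override,` and `capability dac_read_search,` are added to steam-game without a comment saying which file access needed them; since this profile confines third-party game binaries, bypassing discretionary permission checks is a notable grant and should be justified next to the rule. A trailing comment in the style rsyslogd uses in this series (`capability net_admin, # For remote logs`) is enough, e.g. `capability dac_override, # TODO(review): record the denied path that required this`. The enclosing profile block begins and ends outside the hunk.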
@@ -159,6 +161,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner /dev/shm/mono.* rw, owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/wine-*-fsync rw, owner /tmp/.wine-@{uid}/server-*/* rwk, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index 35598b9db..c59845280 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -9,8 +9,9 @@ include @{exec_path} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui profile steam-gameoverlayui @{exec_path} { include - include + include include + include network inet stream, network inet6 stream, @@ -34,15 +35,19 @@ profile steam-gameoverlayui @{exec_path} { owner @{user_share_dirs}/gvfs-metadata/{,*} r, owner @{user_share_dirs}/Steam/{,**} r, owner @{user_share_dirs}/Steam/config/DialogConfigOverlay*.vdf rw, - owner @{user_share_dirs}/Steam/public/url_list.txt rk, + owner @{user_share_dirs}/Steam/public/* rk, + owner @{user_share_dirs}/Steam/resource/{,**} rk, + owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner /dev/shm/u@{uid}-Shm_[0-9a-f]* rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-* rwk, + owner /dev/shm/ValveIPCSHM_@{uid} rw, owner /tmp/gameoverlayui.log* rw, owner /tmp/steam_chrome_overlay_uid@{uid}_spid@{pids} rw, + owner /tmp/miles_image_* mrw, @{sys}/ r, @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index fd5e41692..c89a78e60 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd 
@@ -27,6 +27,28 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { network netlink raw, + # Allow mounting of removable devices + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, + + # Allow mounting of loop devices (ISO files) + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, + + # Allow mounting of cdrom + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/, + mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/, + + # Allow mounting od sd cards + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, + mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, + + # Allow unmounting + umount @{MOUNTS}/, + umount @{MOUNTS}/*/, + umount /media/cdrom[0-9]/, + dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.{DBus*,UDisks2*}, 
@@ -71,85 +93,46 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/systemctl rPx -> child-systemctl, /{usr/,}bin/systemd-escape rPx, - # Allow mounting of removable devices - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/dm-[0-9]* -> @{MOUNTS}/*/, - # Allow mounting of loop devices (ISO files) - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/, - # Allow mounting of cdrom - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/, - mount fstype={iso9660,udf,ntfs3} /dev/sr[0-9]* -> /media/cdrom[0-9]/, - # Allow mounting od sd cards - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9] -> @{MOUNTS}/*/, - mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/, - # Allow unmounting - umount @{MOUNTS}/, - umount @{MOUNTS}/*/, - umount /media/cdrom[0-9]/, + /etc/udisks2/{,**} r, + /etc/libblockdev/{,**} r, + /etc/fstab r, + /etc/crypttab r, + + /var/lib/udisks2/ r, + /var/lib/udisks2/mounted-fs{,*} rw, # Be able to create/delete dirs for removable media @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, - /media/cdrom[0-9]/ rw, - # Udisks2 config files - /etc/udisks2/ r, - /etc/udisks2/udisks2.conf r, - - /etc/libblockdev/conf.d/ r, - /etc/libblockdev/conf.d/[0-9][0-9]-default.cfg r, - - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/cmdline r, - @{PROC}/devices r, - @{PROC}/swaps r, - - # To be able to initialize device-mapper disk devices - /dev/mapper/ r, - /dev/mapper/control rw, - - # The special /dev/loop-control file can be used to create and destroy loop devices or to find - # the first available loop device. 
- /dev/loop-control rw, - - # To check whether the x-udisks-auth option was used to specify that additional authorization is - # required to mount/unlock a device - /etc/fstab r, - /etc/crypttab r, - - # To be able to operate on encryted devices + @{run}/ r, + @{run}/mount/utab{,.*} rw, + @{run}/mount/utab.lock rwk, + @{run}/udisks2/{,**} rw, + @{run}/systemd/seats/seat[0-9]* r, + @{run}/systemd/inhibit/[0-9]*.ref rw, @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, - @{sys}/fs/ r, @{sys}/bus/ r, @{sys}/class/ r, - + @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw, @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}uevent w, + @{sys}/devices/virtual/bdi/**/read_ahead_kb r, @{sys}/devices/virtual/block/*/{,**} rw, @{sys}/devices/virtual/block/loop[0-9]*/uevent rw, + @{sys}/fs/ r, - # For powering off USB devices - @{sys}/devices/pci[0-9]*/**/{ata,usb,mmc}[0-9]/{,**/}remove rw, + @{PROC}/cmdline r, + @{PROC}/devices r, + @{PROC}/swaps r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, - @{sys}/devices/virtual/bdi/**/read_ahead_kb r, - - @{run}/ r, - - # Info on mounted devices - @{run}/mount/utab{,.*} rw, - @{run}/mount/utab.lock rwk, - /var/lib/udisks2/ r, - /var/lib/udisks2/mounted-fs{,*} rw, - - @{run}/udisks2/{,**} rw, - - @{run}/systemd/seats/seat[0-9]* r, - @{run}/systemd/inhibit/[0-9]*.ref rw, + /dev/loop-control rw, + /dev/mapper/ r, + /dev/mapper/control rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index 93e75bf29..32472fb93 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/wpa_supplicant -profile wpa-supplicant @{exec_path} { +profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { include include include From 79860f207d61c2f5ece76692be9237dac9af9e83 Mon Sep 17 00:00:00 2001 
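Review bot: The hunk drops `/media/cdrom[0-9]/ rw,` from under `# Be able to create/delete dirs for removable media`, while the `mount ... -> /media/cdrom[0-9]/,` and `umount /media/cdrom[0-9]/,` rules moved into the earlier hunk still target that directory. If udisksd creates or removes the optical-media mountpoint itself, mounting a CD will now be denied at the mkdir step rather than at the mount; either keep `/media/cdrom[0-9]/ rw,` next to `@{MOUNTS}/*/ rw,` or comment that the directory is expected to pre-exist. The enclosing profile block begins outside the hunk.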
From: Alexandre Pujol Date: Fri, 19 Aug 2022 21:26:17 +0100 Subject: [PATCH 32/40] feat(profiles): initial support for dockerd. --- apparmor.d/groups/virt/dockerd | 100 +++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 apparmor.d/groups/virt/dockerd diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd new file mode 100644 index 000000000..3c9284d46 --- /dev/null +++ b/apparmor.d/groups/virt/dockerd 
@@ -0,0 +1,100 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/dockerd +profile dockerd @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability chown, + capability dac_override, + capability dac_read_search, + capability fowner, + capability fsetid, + capability mknod, + capability net_admin, + capability sys_admin, + capability sys_chroot, + capability kill, + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + mount options=(rw, bind) -> /run/docker/netns/*, + mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/, + mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/, + mount options=(rw, rprivate) -> /.pivot_root[0-9]*/, + mount options=(rw, rslave) -> /, + umount /.pivot_root[0-9]*/, + umount /run/docker/netns/*, + umount /var/lib/docker/overlay*/**/, + + pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/, + pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/, + + ptrace (read) peer=unconfined, + + signal (send) set=kill peer=docker-*, + signal (send) set=term peer=containerd, + + @{exec_path} mrix, + + /{usr/,}{s,}bin/apparmor_parser rPx, + /{usr/,}{s,}bin/runc rUx, + /{usr/,}{s,}bin/xtables-nft-multi rix, + /{usr/,}bin/containerd rPx, + /{usr/,}bin/docker-init rix, + /{usr/,}bin/kmod rPx, + /{usr/,}bin/ps rPx, + /{usr/,}bin/unpigz rix, + + # Docker needs full access of its containers. + # TODO: should be in a sub profile started with pivot_root, not supported yet. 
+ /{,**} rw, + deny /boot/{,**} rw, + deny /dev/{,**} rw, + deny /media/{,**} rw, + deny /mnt/{,**} rw, + + owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw, + owner /var/lib/docker/{,**} rwk, + owner /var/lib/docker/tmp/qemu-check[0-9]*/check rix, + + @{sys}/fs/cgroup/cgroup.controllers r, + @{sys}/fs/cgroup/cpuset.cpus.effective r, + @{sys}/fs/cgroup/cpuset.mems.effective r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + @{sys}/kernel/security/apparmor/profiles r, + @{sys}/module/apparmor/parameters/enabled r, + + @{PROC}/1/cgroup r, + @{PROC}/1/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/keys/root_maxkeys r, + @{PROC}/sys/kernel/osrelease r, + @{PROC}/sys/kernel/threads-max r, + @{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r, + @{PROC}/sys/net/core/somaxconn r, + @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw, + @{PROC}/sys/net/ipv{4,6}/conf/docker[0-9]*/accept_ra rw, + @{PROC}/sys/net/ipv{4,6}/ip_forward rw, + @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + owner @{PROC}/@{pids}/attr/current r, + owner @{PROC}/@{pids}/cgroup r, + owner @{PROC}/@{pids}/fd/ r, + owner @{PROC}/@{pids}/mountinfo r, + owner @{PROC}/@{pids}/net/ip_tables_names r, + owner @{PROC}/@{pids}/uid_map r, + + include if exists +} \ No newline at end of file From 7752493e739fc7462b02f4797fd18e003f7e3f62 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 19 Aug 2022 21:27:32 +0100 Subject: [PATCH 33/40] ci: temporarily disable not working in CI. --- cmd/aa-log/main_test.go | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/cmd/aa-log/main_test.go b/cmd/aa-log/main_test.go index 7e6dd0aa2..c33c5f5a9 100644 --- a/cmd/aa-log/main_test.go +++ b/cmd/aa-log/main_test.go 
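Review bot: `owner /var/lib/docker/tmp/qemu-check[0-9]*/check rix,` executes a file that the same profile lets dockerd write through `owner /var/lib/docker/{,**} rwk,`, so this block breaks the write-xor-execute property the project's guidelines rely on; a comment such as `# W^X exception: dockerd writes and runs this probe — TODO confirm` would at least make the exception visible. The existing TODO only covers `/{,**} rw,`; `/{usr/,}{s,}bin/runc rUx,` (container runtime left unconfined), `ptrace (read) peer=unconfined,` and `capability sys_admin,` carry no justification and deserve the same one-line why-comments, presumably tied to container setup. The hunk also ends with `\ No newline at end of file`, which the other profiles in this series avoid.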
@@ -244,12 +244,12 @@ func Test_getJournalctlDbusSessionLogs(t *testing.T) { }, }, }, - { - name: "journalctl", - useFile: false, - path: "", - want: AppArmorLogs{}, - }, + // { + // name: "journalctl", + // useFile: false, + // path: "", + // want: AppArmorLogs{}, + // }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { From e1e7d611edb05df6dd342381347d16c7f7551e5e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Aug 2022 13:45:42 +0100 Subject: [PATCH 34/40] fix(profiles): ensure pinentry can start. See #66. --- apparmor.d/profiles-m-r/pinentry | 1 + apparmor.d/profiles-m-r/pinentry-curses | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry index 7b817df47..4c904ce09 100644 --- a/apparmor.d/profiles-m-r/pinentry +++ b/apparmor.d/profiles-m-r/pinentry @@ -14,6 +14,7 @@ profile pinentry @{exec_path} { @{exec_path} mr, /{usr/,}bin/pinentry-* rPx, + /{usr/,}bin/{,ba,da}sh rix, /etc/pinentry/preexec r, diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index 6cd6a660d..ba6390b17 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -13,7 +13,7 @@ profile pinentry-curses @{exec_path} { @{exec_path} mr, - /{usr/,}bin/bash rix, + /{usr/,}bin/{,ba,da}sh rix, /usr/share/terminfo/x/xterm-256color r, From ef08e11aa6a03912ba40a9b7657774baca0db372 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Aug 2022 13:46:45 +0100 Subject: [PATCH 35/40] fix(aa-log): ensure compatibility with Debian. --- cmd/aa-log/main.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 9059b298c..bf89402dd 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -12,6 +12,7 @@ import ( "flag" "fmt" "io" + "io/ioutil" "os" "os/exec" "path/filepath" 
@@ -100,7 +101,7 @@ func getJournalctlDbusSessionLogs(file io.Reader, useFile bool) (io.Reader, erro var value string if useFile { - content, err := io.ReadAll(file) + content, err := ioutil.ReadAll(file) if err != nil { return nil, err } From e69851bf3586a662fa19f6065ebafc4649eda498 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Aug 2022 14:35:28 +0100 Subject: [PATCH 36/40] ci: ignore SA1019 to support compatibility with Debian. --- .golangci.yaml | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .golangci.yaml diff --git a/.golangci.yaml b/.golangci.yaml new file mode 100644 index 000000000..7718ccda2 --- /dev/null +++ b/.golangci.yaml @@ -0,0 +1,5 @@ +--- + +linters-settings: + staticcheck: + checks: ["all", "-SA1019" ] From e6e0ef90677cfe33ad2114f9ca507df38805e6b1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 20 Aug 2022 15:06:20 +0100 Subject: [PATCH 37/40] doc: update profiles guideline. --- CONTRIBUTING.md | 113 ++++++++++++++++++++++++++++++++---------------- README.md | 4 +- 2 files changed, 78 insertions(+), 39 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c65cda9f3..e00b0fb8a 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -1,8 +1,8 @@ # Contributing -You want to contribute to `apparmor.d`, **thank a lot for this.** You will find -in this page all the useful information needed to contribute. - +You want to contribute to `apparmor.d`, **thank a lot for this.** Feedbacks, +contributors, pull requests are all very welcome. You will find in this page all +the useful information needed to contribute. ## How to contribute? @@ -31,7 +31,7 @@ you'll see a Compare & pull request button, fill and submit the pull request. ## Projects rules - + A few rules: 1. As these are mandatory access control policies only what it explicitly required should be authorized. Meaning, you should not allow everything (or a large area) 
@@ -75,7 +75,26 @@ profile foo @{exec_path} { ## Profile Guidelines -> This profile guideline is still evloving, feel free to propose improvment +**A common structure** + +AppArmor profiles can be written without any specific guidelines. However, when +you work with over 1200 profiles, you need a common structure among all the profiles. + +The logic behind it is that if a rule is present in a profile, it should only be +in one place, making profile review easier. + +For example, if a program needs to run executables binary. The rules allowing it +can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It +is therefore easy to ensure some profile features such as: +* A profile has access to a given resource +* A profile enforces a strict [write xor execute] (W^X) policy. + +It also improves compatibilities and makes personalization easier thanks to the use of more variables + +**Guidelines** + +> **Note**: This profile guideline is still evolving, feel free to propose improvment +> as long as it does not vary too much from the existing rules. In order to ensure a common structure across the profiles, all new profile should try to follow the guideline presented here. 
@@ -87,18 +106,20 @@ The rules in the profile should be sorted as follow: - mount - remount - umount +- pivot_root - ptrace - signal - unix - dbus (send, receive) send receice -- @{exec_path} mr, +- @{exec_path} mr, the entry point of the profile - The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`... + It is the only place where you can have `mr`, `rix`, `rPx`, `rUx`, `rPUX` rules. - The shared resources: `/usr/share`... - The system configuration: `/etc`... - The system data: `/var`... - The user data: `owner @{HOME}/`... - The user configuration, cache and in general all dotfiles -- Temporary data: `/tmp/`, `@{run}/`... +- Temporary and runtime data: `/tmp/`, `@{run}/`, `/dev/shm/`... - Sys files: `@{sys}/`... - Proc files: `@{PROC}/`... - Dev files: `/dev/`... @@ -120,10 +141,10 @@ The rules in the profile should be sorted as follow: The included tool `aa-log` can be useful to explore the apparmor log -## Abstraction +## Abstractions This project and the apparmor profile official project provide a large selection -of abstraction to be included in profiles. They should be used. +of abstractions to be included in profiles. They should be used. For instance, instead of writting: ```sh 
@@ -142,44 +163,61 @@ include * `@{PROC}=/proc/` * `@{run}=/run/ /var/run/` * `@{sys}=/sys/` -* The Home directory: `@{HOME}` +* The home root: `@{HOMEDIRS}=/home/` +* The home directories: `@{HOME}=@{HOMEDIRS}/*/ /root/` * Process id(s): `@{pid}`, `@{pids}` * User id: `@{uid}` * Thread id: `@{tid}` * Classic XDG user directories: - - Desktop: `@{XDG_DESKTOP_DIR}="Desktop"` - - Download: `@{XDG_DOWNLOAD_DIR}="Downloads"` - - Templates: `@{XDG_TEMPLATES_DIR}="Templates"` - - Public: `@{XDG_PUBLICSHARE_DIR}="Public"` - - Documents: `@{XDG_DOCUMENTS_DIR}="Documents"` - - Music: `@{XDG_MUSIC_DIR}="Music"` - - Pictures: `@{XDG_PICTURES_DIR}="Pictures"` - - Videos: `@{XDG_VIDEOS_DIR}="Videos"` + - Desktop: `@{XDG_DESKTOP_DIR}="Desktop"` + - Download: `@{XDG_DOWNLOAD_DIR}="Downloads"` + - Templates: `@{XDG_TEMPLATES_DIR}="Templates"` + - Public: `@{XDG_PUBLICSHARE_DIR}="Public"` + - Documents: `@{XDG_DOCUMENTS_DIR}="Documents"` + - Music: `@{XDG_MUSIC_DIR}="Music"` + - Pictures: `@{XDG_PICTURES_DIR}="Pictures"` + - Videos: `@{XDG_VIDEOS_DIR}="Videos"` **Additional variables available with this project:** -* Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt` +* Mountpoints root: `@{MOUNTDIRS}=/media/ @{run}/media/ /mnt/` +* Common mountpoints: `@{MOUNTS}=@{MOUNTDIRS}/*/` * Universally unique identifier: `@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*` +* Hexadecimal: `@{hex}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]` * Extended XDG user directories: - - Projects: `@{XDG_PROJECTS_DIR}="Projects"` - - Books: `@{XDG_BOOKS_DIR}="Books"` - - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"` - - Sync: `@{XDG_SYNC_DIR}="Sync"` - - Vm: `@{XDG_VM_DIR}=".vm"` - - SSH: `@{XDG_SSH_DIR}=".ssh"` - - GPG: `@{XDG_GPG_DIR}=".gnupg"` - - Cache:` @{XDG_CACHE_HOME}=".cache"` - - Config: `@{XDG_CONFIG_HOME}=".config"` - - Data: `@{XDG_DATA_HOME}=".local/share"` - - Bin: `@{XDG_BIN_HOME}=".local/bin"` - - Lib: 
`@{XDG_LIB_HOME}=".local/lib"` + - Books: `@{XDG_BOOKS_DIR}="Books"` + - Projects: `@{XDG_PROJECTS_DIR}="Projects"` + - Screenshots: `@{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots"` + - Sync: `@{XDG_SYNC_DIR}="Sync"` + - Torrents: `@{XDG_TORRENTS_DIR}="Torrents"` + - Vm: `@{XDG_VM_DIR}=".vm"` + - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"` +* Extended XDG dotfiles: + - SSH: `@{XDG_SSH_DIR}=".ssh"` + - GPG: `@{XDG_GPG_DIR}=".gnupg"` + - Cache:` @{XDG_CACHE_HOME}=".cache"` + - Config: `@{XDG_CONFIG_HOME}=".config"` + - Data: `@{XDG_DATA_HOME}=".local/share"` + - Bin: `@{XDG_BIN_HOME}=".local/bin"` + - Lib: `@{XDG_LIB_HOME}=".local/lib"` * Full path of the user configuration directories - - Cache: `@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_HOME}` - - Config: `@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_HOME}` - - Bin: `@{user_bin_dirs}=@{HOME}/@{XDG_BIN_HOME}` - - Lib: `@{user_lib_dirs}=@{HOME}/@{XDG_LIB_HOME}` -* Other full path user directories - - Sync: `@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` + - Cache: `@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_HOME}` + - Config: `@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_HOME}` + - Bin: `@{user_bin_dirs}=@{HOME}/@{XDG_BIN_HOME}` + - Lib: `@{user_lib_dirs}=@{HOME}/@{XDG_LIB_HOME}` +* Full path user directories + - Books: `@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` + - Documents: `@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` + - Download: `@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` + - Music: `@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` + - Pictures: `@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}` + - Projects: `@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` + - Public: `@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}` + - Sync: 
`@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` + - Templates: `@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` + - Torrents: `@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` + - Videos: `@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` + - Vm: `@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` ## Additional documentation @@ -187,3 +225,4 @@ include * https://presentations.nordisch.org/apparmor/#/ [git]: https://help.github.com/articles/set-up-git/ +[write xor execute]: https://en.wikipedia.org/wiki/W%5EX diff --git a/README.md b/README.md index 51f6a2768..ab38c6555 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,8 @@ **Full set of AppArmor profiles** -> Warning: This project is still in early development. - +> **Warning**: This project is still in early development. Help is very welcome +> see [`CONTRIBUTING.md`](CONTRIBUTING.md) ## Description From 9d4956df0da61ae82939883e84920a9cdd28c985 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 21 Aug 2022 20:16:29 +0100 Subject: [PATCH 38/40] feat(profiles): general update. --- apparmor.d/groups/freedesktop/pipewire | 1 - .../groups/freedesktop/pipewire-media-session | 3 +- .../groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/gnome/gdm-wayland-session | 5 +- .../gnome/gnome-characters-backgroudservice | 2 + apparmor.d/groups/gnome/gnome-extension-ding | 3 + apparmor.d/groups/gnome/gnome-terminal-server | 3 +- apparmor.d/groups/gnome/nautilus | 15 +++++ apparmor.d/groups/gnome/tracker-extract | 4 +- apparmor.d/groups/gpg/gpg | 66 ++++--------------- apparmor.d/groups/gvfs/gvfsd | 2 +- apparmor.d/groups/systemd/networkctl | 13 ++-- apparmor.d/groups/systemd/systemd-hostnamed | 10 ++- apparmor.d/groups/systemd/systemd-networkd | 59 ++++++++++++----- .../systemd/systemd-networkd-wait-online | 4 ++ apparmor.d/groups/ubuntu/apport-gtk | 21 ++++-- .../groups/ubuntu/software-properties-gtk | 8 +++ apparmor.d/groups/virt/libvirtd | 3 +- apparmor.d/profiles-m-r/run-parts | 8 ++- apparmor.d/profiles-s-z/snapd | 8 +-- apparmor.d/profiles-s-z/steam | 2 +- apparmor.d/profiles-s-z/steam-game | 3 + cmd/aa-log/main.go | 6 +- 23 files changed, 147 insertions(+), 104 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index 09d3cb55b..46c7cd733 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -33,7 +33,6 @@ profile pipewire @{exec_path} { /usr/share/pipewire/pipewire.conf r, - /etc/machine-id r, /etc/pipewire/client.conf r, /etc/pipewire/pipewire-pulse.conf.d/{,*} r, /etc/pipewire/pipewire.conf r, diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session index eca96bdf1..4e49fe8a7 100644 --- a/apparmor.d/groups/freedesktop/pipewire-media-session +++ b/apparmor.d/groups/freedesktop/pipewire-media-session 
@@ -11,6 +11,7 @@ include profile pipewire-media-session @{exec_path} { include include + include include include include @@ -44,11 +45,11 @@ profile pipewire-media-session @{exec_path} { owner @{HOME}/.local/state/ rw, owner @{HOME}/.local/state/pipewire/{,**} rw, + owner @{user_config_dirs}/pipewire/ rw, owner @{user_config_dirs}/pipewire/** rw, owner @{user_config_dirs}/pulse/ rw, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/pipewire-[0-9]* rw, @{run}/udev/data/+sound:card[0-9]* r, # For sound diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index ade99e795..3a0453645 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/xdg-document-portal profile xdg-document-portal @{exec_path} { include + include ptrace (read) peer=xdg-desktop-portal, @@ -23,7 +24,6 @@ profile xdg-document-portal @{exec_path} { owner @{user_share_dirs}/flatpak/db/documents r, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/doc/ rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 1805b7631..dbcca15d8 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} { include include include + include include include include @@ -53,7 +54,6 @@ profile gdm-wayland-session @{exec_path} { /etc/default/im-config r, /etc/gdm{3,}/custom.conf r, - /etc/machine-id r, /etc/shells r, /etc/X11/xinit/xinputrc r, /etc/X11/Xsession.d/*im-config_launch r, 
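Review bot: The `owner @{run}/user/@{uid}/bus rw,` rule removed from pipewire-media-session is only equivalent if the `include` added at the top of the profile is the abstraction that grants the session-bus socket; the abstraction name is not visible in this rendering, so the hunk alone cannot confirm it. If the include is something else, the service loses its D-Bus session socket and the denial only shows up at runtime. The same pattern — bus socket removed against an unnamed include — appears in xdg-document-portal, gdm-wayland-session, gnome-terminal-server (which additionally drops `@{run}/user/@{uid}/at-spi/bus rw,`), tracker-extract and gvfsd, so a quick `aa-log` pass on a desktop session after applying the set would settle it for all of them.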
@@ -61,8 +61,7 @@ profile gdm-wayland-session @{exec_path} { /usr/share/gdm/gdm.schemas r, /usr/share/glib-2.0/schemas/gschemas.compiled r, - owner @{run}/user/@{uid}/bus rw, - @{run}/gdm/custom.conf r, + @{run}/gdm/custom.conf r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 8735c2fe3..648e83f58 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -24,6 +24,8 @@ profile gnome-characters-backgroudservice @{exec_path} { /etc/gtk-3.0/settings.ini r, + owner @{run}/user/@{uid}/wayland-[0-9]* rw, + owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 07a34d14a..3db55197d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -34,6 +34,9 @@ profile gnome-extension-ding @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus bind bus=session + name=com.rastersoft.ding, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index 9054d9f4f..20ca500e2 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -10,6 +10,7 @@ include profile gnome-terminal-server @{exec_path} { include include + include include include include @@ -34,8 +35,6 @@ profile gnome-terminal-server @{exec_path} { /etc/shells r, - owner @{run}/user/@{uid}/at-spi/bus rw, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gdm/Xauthority r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, 
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index c612512d1..93c4e7280 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -10,6 +10,7 @@ include profile nautilus @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -21,6 +22,20 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*} + interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions}, + + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor + interface=org.gtk.Private.RemoteVolumeMonitor + member={IsSupported,List} + peer=(name=:*), + + dbus bind bus=session + name=org.gnome.Nautilus, + + dbus bind bus=session + name=org.freedesktop.FileManager1, + @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index f3fa89e54..99799a9c4 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -9,6 +9,7 @@ include @{exec_path} = @{libexec}/tracker-extract-3 profile tracker-extract @{exec_path} { include + include include include include @@ -51,8 +52,7 @@ profile tracker-extract @{exec_path} { owner /tmp/tracker-extract-3-files.*/{,*} rw, - owner @{run}/user/@{uid}/bus rw, - @{run}/blkid/blkid.tab r, + @{run}/blkid/blkid.tab r, @{run}/udev/data/c235:* r, @{run}/udev/data/c236:* r, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 025963f03..5195c203e 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2017-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2017-2022 Mikhail Morfikov +# Copyright (C) 2021-2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
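Review bot: The new `dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*} interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions},` rule carries neither `member=` nor `peer=`, so besides accepting calls on its own object path it also lets nautilus send Properties/Introspectable/Actions calls to any connection at that path, which is wider than a service owning the path needs. Splitting it keeps the intent explicit: `dbus receive bus=session path=/org/gnome/Nautilus{,/*} interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions} peer=(name=:*),` for incoming calls, and a send rule only if the log shows nautilus calling out on that path (signals it emits typically log with the bus daemon as peer, not `:*`). The RemoteVolumeMonitor rule just below is already scoped the right way and is a good template.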
@@ -11,8 +11,9 @@ include profile gpg @{exec_path} { include include - include include + include + include capability dac_read_search, @@ -20,15 +21,15 @@ profile gpg @{exec_path} { @{exec_path} mrix, - /{usr/,}bin/gpgconf rPx, - /{usr/,}bin/gpg-connect-agent rPx, - /{usr/,}bin/gpg-agent rPx, /{usr/,}bin/dirmngr rPx, + /{usr/,}bin/gpg-agent rPx, + /{usr/,}bin/gpg-connect-agent rPx, + /{usr/,}bin/gpgconf rPx, /{usr/,}bin/gpgsm rPx, /{usr/,}lib/gnupg/scdaemon rPx, - # GPG config files - owner @{HOME}/ r, + /etc/inputrc r, + owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, 
@@ -41,54 +42,9 @@ profile gpg @{exec_path} { owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, - # For flatpak - owner /tmp/ostree-gpg-*/ r, - owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**, - - # For ToR Browser - owner @{user_share_dirs}/torbrowser/gnupg_homedir/ r, - owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, - - # For spamassassin - owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**, - - # For lintian - owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r, - owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/trustdb.gpg rw, - owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/pubring.kbx rw, - owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/*.gpg rw, - owner /tmp/*.gpg~ w, - owner /tmp/*.gpg.tmp rw, - owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw, - owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid}, - owner @{run}/user/@{uid}/gnupg/d.*/ rw, - - # APT upstream/user keyrings - /usr/share/keyrings/*.{gpg,asc} r, - /etc/apt/keyrings/*.{gpg,asc} r, - - # APT repositories - /var/lib/apt/lists/*_InRelease r, - - # Verify files - owner @{HOME}/** r, - owner @{MOUNTS}/** r, - - owner @{PROC}/@{pid}/task/@{tid}/stat rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/fd/ r, - - /etc/inputrc r, - - # file_inherit - /tmp/#[0-9]*[0-9] rw, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat rw, include if exists } 
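Review bot: Removing `owner @{HOME}/** r,` and `owner @{MOUNTS}/** r,` (the former "Verify files" block) changes what gpg can sign or verify, not only where the rules live: unless the two `include` lines added earlier in this file section bring equivalent access back, `gpg --verify` on a file outside `~/.gnupg` is now denied. The abstraction names are not visible in this rendering, so I cannot tell whether this is an intentional tightening or a relocation; a one-line comment where the block used to be, e.g. `# user files to sign/verify are granted by the included abstraction`, would make that clear to the next reviewer. The same question applies to the dropped `/tmp/#[0-9]*[0-9] rw,` file_inherit rule and the APT keyring reads, and the `include if exists` that closes the profile is the right place for site-specific additions if some of these were only needed on particular hosts.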
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 701adf2b9..18f55c822 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -11,6 +11,7 @@ include @{exec_path} += @{libexec}/gvfsd profile gvfsd @{exec_path} { include + include @{exec_path} mr, @@ -20,7 +21,6 @@ profile gvfsd @{exec_path} { /usr/share/gvfs/{,**} r, - owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/gvfs/ rw, owner @{run}/user/@{uid}/gvfsd/ rw, diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 698fd2f3c..40fcb4c8f 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}bin/networkctl -profile networkctl @{exec_path} flags=(complain) { +profile networkctl @{exec_path} flags=(attach_disconnected,complain) { include include @@ -39,9 +39,6 @@ profile networkctl @{exec_path} flags=(complain) { /var/lib/dbus/machine-id r, /etc/machine-id r, - @{run}/systemd/netif/links/[0-9]* r, - @{run}/systemd/netif/state r, - # To be able to read logs @{run}/log/ r, /{run,var}/log/journal/ r, @@ -50,12 +47,16 @@ profile networkctl @{exec_path} flags=(complain) { /{run,var}/log/journal/[0-9a-f]*/system.journal* r, /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r, + @{run}/systemd/netif/links/[0-9]* r, + @{run}/systemd/netif/state r, + @{run}/systemd/notify w, + @{sys}/devices/**/net/**/uevent r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/stat r, @{PROC}/filesystems r, @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 8cc0dc4f6..4a3f945fc 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed 
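Review bot: The added `@{run}/systemd/notify w,` grants networkctl write access to systemd's notification socket, which is normally used only by services started as `Type=notify`; for a one-shot CLI tool that is unusual and worth confirming against the audit entry that prompted it before the profile leaves `complain`. If it is genuinely needed, a trailing comment such as `@{run}/systemd/notify w, # sd_notify(3)` stops the next reviewer from questioning it again. The new `attach_disconnected` flag in the profile header of the first hunk is likewise unexplained and is usually a sign of a namespaced or disconnected path seen in the log, which a comment could name.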
@@ -17,11 +17,17 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) { dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus - member={RequestName,ReleaseName}, + member={RequestName,ReleaseName,GetConnectionUnixUser} + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=CheckAuthorization + peer=(name=org.freedesktop.PolicyKit1), dbus receive bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.DBus.Properties - member={Get,GetAll}, + member={Get,GetAll,SetHostname}, dbus bind bus=system name=org.freedesktop.hostname[0-9], diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 38d22fea5..4b9646942 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
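Review bot: `member={Get,GetAll,SetHostname}` puts SetHostname on the `org.freedesktop.DBus.Properties` interface, but SetHostname is a method of `org.freedesktop.hostname1` — the systemd-networkd profile later in this same patch sends it with `interface=org.freedesktop.hostname1`, so this receive rule will not match that call and the denial remains. It should be its own rule, `dbus receive bus=system path=/org/freedesktop/hostname[0-9] interface=org.freedesktop.hostname1 member=SetHostname,`, with the Properties rule back to `member={Get,GetAll}`; a `peer=` condition can be added once the expected callers are known. The added CheckAuthorization send to PolicyKit1 is the right companion for that method.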
@@ -7,40 +8,68 @@ abi , include @{exec_path} = /{usr/,}lib/systemd/systemd-networkd -profile systemd-networkd @{exec_path} flags=(complain) { +profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) { include + include include capability net_admin, capability net_raw, capability net_bind_service, + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network netlink raw, + network packet dgram, + network packet raw, + + dbus send bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member=RequestName + peer=(name=org.freedesktop.DBus), + + dbus send bus=system path=/org/freedesktop/hostname[0-9] + interface=org.freedesktop.hostname1 + member=SetHostname + peer=(name=org.freedesktop.hostname1), + + dbus receive bus=system path=/org/freedesktop/network[0-9] + interface=org.freedesktop.DBus.Properties + member=Get, + + dbus bind bus=system + name=org.freedesktop.network1, + @{exec_path} mr, + /var/lib/dbus/machine-id r, + /etc/machine-id r, + /etc/systemd/networkd.conf r, /etc/systemd/network/ r, /etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r, + /etc/networkd-dispatcher/carrier.d/{,*} r, + + @{run}/systemd/network/ r, + @{run}/systemd/network/*.network r, + owner @{run}/systemd/netif/.#state rw, + owner @{run}/systemd/netif/.#state* rw, + owner @{run}/systemd/netif/leases/.#* rw, + owner @{run}/systemd/netif/leases/[0-9]* rw, owner @{run}/systemd/netif/links/.#* rw, owner @{run}/systemd/netif/links/[0-9]* rw, - owner @{run}/systemd/netif/leases/[0-9]* rw, - owner @{run}/systemd/netif/leases/.#* rw, - owner @{run}/systemd/netif/.#state* rw, - owner @{run}/systemd/netif/.#state rw, owner @{run}/systemd/netif/state rw, - # To be able to configure network interfaces - @{PROC}/sys/net/ipv{4,6}/** rw, - - @{sys}/devices/virtual/dmi/id/product_name r, - @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, - - @{sys}/devices/**/net/** r, - @{run}/udev/data/n[0-9]* r, - 
/var/lib/dbus/machine-id r, - /etc/machine-id r, + @{sys}/devices/**/net/** r, + @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + + @{PROC}/sys/net/ipv{4,6}/** rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 4f1f4c6c2..7dc88b71c 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -11,6 +11,10 @@ profile systemd-networkd-wait-online @{exec_path} flags=(complain) { include include + capability net_admin, + + network netlink raw, + @{exec_path} mr, @{run}/systemd/netif/links/[0-9]* r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 4cb03377b..97c3a1f4c 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -17,9 +17,15 @@ profile apport-gtk @{exec_path} { include include include + include capability sys_ptrace, + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + @{exec_path} mr, /{usr/,}{s,}bin/killall5 rix, @@ -50,21 +56,22 @@ profile apport-gtk @{exec_path} { /usr/share/themes/{,**} r, /usr/share/X11/xkb/{,**} r, - /etc/apport/blacklist.d/apport r, - /etc/apport/blacklist.d/README.blacklist r, - /etc/apport/crashdb.conf r, + /etc/apport/{,**} r, /etc/bash_completion.d/apport_completion r, /etc/cron.daily/apport r, /etc/default/apport r, /etc/init.d/apport r, /etc/logrotate.d/apport r, /etc/xdg/autostart/*.desktop r, + /etc/gtk-3.0/settings.ini r, - /var/crash/{,*.@{uid}.crash} r, + /var/crash/{,*.@{uid}.crash} rw, /var/lib/dpkg/info/ r, + /var/lib/dpkg/info/*.list r, /var/lib/dpkg/info/*.md5sums r, /var/log/installer/media-info r, + @{run}/snapd.socket rw, owner @{run}/user/@{uid}/wayland-[0-9] rw, /tmp/[a-z0-9]* rw, 
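Review bot: `/etc/networkd-dispatcher/carrier.d/{,*} r,` in the systemd-networkd hunk reads hook scripts that belong to networkd-dispatcher, a separate daemon; as far as I know systemd-networkd never runs those hooks itself, so this line looks like a denial attributed to the wrong profile rather than something networkd needs, and it would sit better in the dispatcher's profile. If it stays, a comment giving the observed reason is needed, since the rest of the block (`@{run}/systemd/network/`, the `netif/` state and lease files) is clearly networkd's own. The profile keeps the `complain` flag, so nothing breaks yet either way; the hunk starts in the previous physical line.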
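Review bot: `capability net_admin,` added to systemd-networkd-wait-online is more than a link-state watcher should need: dumping and subscribing to rtnetlink link events (the `network netlink raw,` also added here) works without CAP_NET_ADMIN, which the kernel requires for netlink changes rather than reads. It is worth checking which operation the audit entry behind it actually names before a read-only helper keeps a capability that allows reconfiguring interfaces; if it is genuinely required, a comment on the line stating the call that needs it would help.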
@@ -83,8 +90,9 @@ profile apport-gtk @{exec_path} { profile gdb { include - include + include include + include /{usr/,}bin/gdb mr, @@ -92,6 +100,9 @@ profile apport-gtk @{exec_path} { /{usr/,}{s,}bin/* r, /usr/share/gdb/{,**} r, + /usr/share/themes/{,**} r, + /usr/share/gnome-shell/{,**} r, + /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/gdb/{,**} r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 69d34c76c..26838b924 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -14,7 +14,9 @@ profile software-properties-gtk @{exec_path} { include include include + include include + include dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager} interface=org.freedesktop.DBus.Introspectable @@ -51,10 +53,13 @@ profile software-properties-gtk @{exec_path} { /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, + /etc/apport/blacklist.d/{,*} r, + /etc/default/apport r, /etc/gtk-3.0/settings.ini r, /etc/machine-id r, /etc/update-manager/release-upgrades r, + /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/snapd/desktop/icons/ r, owner @{run}/user/@{uid}/wayland-[0-9]* rw, @@ -68,6 +73,9 @@ profile software-properties-gtk @{exec_path} { @{PROC}/@{pids}/mountinfo r, @{PROC}/asound/cards r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 8134925c9..4a3f57beb 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
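Review bot: The three new `owner @{PROC}/@{pid}/{cgroup,cmdline,environ} r,` lines in software-properties-gtk, together with `/var/crash/*software-properties-gtk.@{uid}.crash rw,` and the `/etc/apport/` reads added earlier in the section, all look like the apport Python exception hook writing a crash report, but nothing in the profile says so. A short comment above each group, e.g. `# apport python hook: crash report for uncaught exceptions`, would explain why a package-settings GUI writes under `/var/crash/`. This is inferred from the file names only; adjust if the denials came from elsewhere.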
@@ -103,7 +103,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /{usr/,}{s,}bin/dmidecode rPx, /{usr/,}{s,}bin/dnsmasq rPx, /{usr/,}{s,}bin/virtiofsd rux, # TODO: WIP - /{usr/,}{s,}bin/virtlogd rPX, + /{usr/,}{s,}bin/virtlogd rPx, /{usr/,}bin/lvm rUx, /{usr/,}bin/mdevctl rPx, /{usr/,}bin/swtpm rPx, @@ -155,6 +155,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+dmi:id r, @{run}/udev/data/+drm:* r, + @{run}/udev/data/+hid:* r, @{run}/udev/data/+input* r, # for mouse, keyboard, touchpad @{run}/udev/data/+leds:* r, @{run}/udev/data/+pci* r, diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 7b2694f35..de6c971e7 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -119,11 +119,13 @@ profile run-parts @{exec_path} { include /{usr/,}bin/{,ba,da}sh rix, + /{usr/,}bin/{e,}grep rix, /{usr/,}bin/cat rix, /{usr/,}bin/cut rix, /{usr/,}bin/find rix, - /{usr/,}bin/grep rix, + /{usr/,}bin/head rix, /{usr/,}bin/id rix, + /{usr/,}bin/sort rix, /{usr/,}bin/tr rix, /{usr/,}bin/uname rix, @@ -133,13 +135,17 @@ profile run-parts @{exec_path} { /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix, / r, + /etc/default/motd-news r, /etc/lsb-release r, /etc/update-motd.d/[0-9]*-[a-z]* r, + /var/cache/motd-news r, /var/lib/update-notifier/updates-available r, @{run}/motd.d/{,*} r, + @{PROC}/@{pids}/mounts r, + } profile kernel { diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index cfa8d3710..f16c2042b 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd 
@@ -69,15 +69,15 @@ profile snapd @{exec_path} { /{usr/,}bin/unsquashfs rix, /{usr/,}bin/update-desktop-database rPx, + /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr, + /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, + /{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ? /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/** mr, /{snap/snapd/[0-9]*/,}{usr/,}lib/@{multiarch}/ld-*.so rix, - /{snap/snapd/[0-9]*/,}{usr/,}bin/snap rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-discard-ns rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-update-ns rPx, /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snapd rix, - /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* rPx -> fc-cache, - /{snap/snapd/[0-9]*/,}{usr/,}bin/xdelta3 rix, # TODO: rPx ? /usr/share/bash-completion/completions/{,**} r, /usr/share/dbus-1/{system,session}.d/{,snapd*} r, @@ -133,7 +133,6 @@ profile snapd @{exec_path} { @{sys}/kernel/security/apparmor/features/ r, @{sys}/kernel/security/apparmor/profiles r, - owner @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/stat r, @{PROC}/cgroups r, @@ -141,6 +140,7 @@ profile snapd @{exec_path} { @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/seccomp/actions_avail r, @{PROC}/version r, + owner @{PROC}/@{pids}/mountinfo r, /dev/loop-control rw, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 13e39571d..524c33381 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -32,7 +32,7 @@ profile steam @{exec_path} { network inet6 stream, network netlink raw, - ptrace (read) peer=steam-*, + ptrace (read), signal (send) peer=steam-game, signal (read), diff --git a/apparmor.d/profiles-s-z/steam-game b/apparmor.d/profiles-s-z/steam-game index 9a7f939cf..65b78b491 100644 --- a/apparmor.d/profiles-s-z/steam-game +++ b/apparmor.d/profiles-s-z/steam-game 
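Review bot: Changing fc-cache from `rPx -> fc-cache` to `/{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache-* mr,` means snapd no longer transitions into the confined `fc-cache` profile; read together with the `ld-*.so rix` line a few rules below, the binary appears to be started through the snap's own dynamic loader and therefore runs with snapd's full permissions. If that is the intended mechanism, say so on the line, e.g. `mr, # started via the snap's ld.so (ld-*.so rix), so it inherits this profile`, otherwise the loss of the dedicated fc-cache profile goes unnoticed. The `xdelta3 rix, # TODO: rPx ?` line carries the same question and was only moved, not resolved.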
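Review bot: `ptrace (read),` with no `peer=` replaces `ptrace (read) peer=steam-*,` and lets the steam profile read the process state of any confined process rather than only its own children, a broader grant than the denial that presumably motivated it. If the audit log names the peer that was refused, listing it next to the existing pattern — `ptrace (read) peer={steam-*,<label from the log>},` — keeps the rule scoped; if the unrestricted form is really needed, it should at least carry a comment saying why.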
@@ -91,6 +91,8 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { @{steamruntime}/pressure-vessel/lib{,exec}/** mrix, @{steamruntime}/run rix, + @{user_share_dirs}/Steam/bin/ r, + @{user_share_dirs}/Steam/bin/* mr, @{user_share_dirs}/Steam/legacycompat/ r, @{user_share_dirs}/Steam/legacycompat/** mr, @{user_share_dirs}/Steam/linux{32,64}/ r, @@ -139,6 +141,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/Steam/ r, owner @{user_share_dirs}/Steam/* r, owner @{user_share_dirs}/Steam/*log* rw, + owner @{user_share_dirs}/Steam/shader_cache_temp*/fozpipelinesv*/{,**} rw, owner @{user_share_dirs}/Steam/steamapps/ r, owner @{user_share_dirs}/Steam/steamapps/common/ r, owner @{user_share_dirs}/Steam/steamapps/common/*/ r, diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index bf89402dd..05d0e8654 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -22,9 +22,9 @@ import ( // Command line options var ( - dbus bool - help bool - path string + dbus bool + help bool + path string ) // LogFile is the default path to the file to query From 43a366cca330fd5b8ba2129885158079c2b06ac7 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 21 Aug 2022 21:23:05 +0000 Subject: [PATCH 39/40] Update polkitd --- apparmor.d/groups/freedesktop/polkitd | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd index d153b6bab..b88b613ca 100644 --- a/apparmor.d/groups/freedesktop/polkitd +++ b/apparmor.d/groups/freedesktop/polkitd 
@@ -22,29 +22,14 @@ profile polkitd @{exec_path} { ptrace (read), + dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* + interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members + dbus (send) bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName} peer=(name=org.freedesktop.DBus), - dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]{,/**} - interface=org.freedesktop.PolicyKit[0-9]{,.**} - peer=(name="{org.freedesktop.DBus,:*}"), # all members - - dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*), - - dbus (send) bus=system path=/org/gnome/PolicyKit[0-9]/AuthenticationAgent - interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent - peer=(name=:*), # all members - - dbus (receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority - interface=org.freedesktop.PolicyKit[0-9].Authority - member={EnumerateActions,CheckAuthorization,CancelCheckAuthorization,RegisterAuthenticationAgent,UnregisterAuthenticationAgent,AuthenticationAgentResponse2} - peer=(name=:*), - dbus (bind) bus=system name=org.freedesktop.PolicyKit[0-9], From bea1aab15ac4b1150a52b5b3f2d4564879c0af24 Mon Sep 17 00:00:00 2001 From: nobodysu Date: Sun, 21 Aug 2022 21:24:20 +0000 Subject: [PATCH 40/40] Update pkexec --- apparmor.d/profiles-m-r/pkexec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 02fef93e0..9136dc223 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
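Review bot: The consolidated `dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/* interface=... # all members` rule does not cover the removed `dbus (send) bus=system path=/org/gnome/PolicyKit[0-9]/AuthenticationAgent interface=org.freedesktop.PolicyKit[0-9].AuthenticationAgent peer=(name=:*),`: authentication agents register their own object path (the GNOME agent lives under `/org/gnome/`), so polkitd's BeginAuthentication calls to the agent now fall outside the new path glob and will be denied unless another rule in the profile grants them. Keep the agent send rule next to the new one, or widen it to the agents expected on the target desktops, e.g. `path=/org/{gnome,kde}/PolicyKit[0-9]/AuthenticationAgent`. The new rule also drops every `peer=` constraint, which is arguably fine on the receive side for the system authority, but deserves a comment stating that polkitd accepts calls from any connection by design.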
@@ -52,10 +52,10 @@ profile pkexec @{exec_path} flags=(complain) {
 @{exec_path} mr,
 # Apps to be run via pkexec
- /{usr/,}{s,}bin/* rPUx,
- @{libexec}/gvfs/gvfsd-admin rPUx, #(#FIXME#)
- @{libexec}/polkit-agent-helper-[0-9] rPx,
- @{libexec}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+ /{usr/,}{s,}bin/* rPUx,
+ /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#)
+ /{usr/,}lib/polkit-agent-helper-[0-9] rPx,
+ /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
 /{usr/,}lib/update-notifier/package-system-locked rPx,
 /usr/share/apport/apport-gtk rPx,
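Review bot: Replacing `@{libexec}/...` with `/{usr/,}lib/...` for gvfsd-admin and the two polkit-agent-helper paths fits the Ubuntu 22.04 layout but drops the `@{libexec}` spelling the old lines relied on, so on a distribution where the helper lives under the `@{libexec}` expansion rather than `/usr/lib/` the `rPx` transition no longer matches and the exec is denied instead of confined. Keeping both forms side by side (the old `@{libexec}` lines plus the new `/{usr/,}lib/` ones) costs four lines and avoids a distro-specific regression. The unconditional `/{usr/,}{s,}bin/* rPUx,` line is unchanged and remains the main least-privilege concern in this profile.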