Merge branch 'master' into ubuntu2204_3

2022-08-28 22:43:46 +00:00 · 2022-08-28 22:43:46 +00:00 · 00d3eb5efd
commit 00d3eb5efd
parent 9e0a402e28 0238adaaf1
132 changed files with 1914 additions and 363 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -42,6 +42,7 @@ tests:
  stage: test
  image: golang
  script:
    - echo '#!/usr/bin/env bash\nexit 0' > /usr/bin/journalctl
    - go test ./cmd/aa-log -v -cover
--- a/.golangci.yaml
+++ b/.golangci.yaml
@ -0,0 +1,5 @@
 ---
 linters-settings:
  staticcheck:
    checks: ["all", "-SA1019" ]
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -1,8 +1,8 @@
 # Contributing
-You want to contribute to `apparmor.d`, **thank a lot for this.** You will find
+You want to contribute to `apparmor.d`, **thank a lot for this.** Feedbacks, 
-in this page all the useful information needed to contribute.
+contributors, pull requests are all very welcome. You will find in this page all
-
+the useful information needed to contribute.
 ## How to contribute?
@ -31,7 +31,7 @@ you'll see a Compare & pull request button, fill and submit the pull request.
 ## Projects rules
- 
+
 A few rules:
 1. As these are mandatory access control policies only what it explicitly required
   should be authorized. Meaning, you should not allow everything (or a large area)
@ -75,7 +75,26 @@ profile foo @{exec_path} {
 ## Profile Guidelines
-> This profile guideline is still evloving, feel free to propose improvment
+**A common structure**
 AppArmor profiles can be written without any specific guidelines. However, when 
 you work with over 1200 profiles, you need a common structure among all the profiles. 
 The logic behind it is that if a rule is present in a profile, it should only be
 in one place, making profile review easier. 
 For example, if a program needs to run executables binary. The rules allowing it
 can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It
 is therefore easy to ensure some profile features such as: 
 * A profile has access to a given resource 
 * A profile enforces a strict [write xor execute] (W^X) policy. 
 It also improves compatibilities and makes personalization easier thanks to the use of more variables 
 **Guidelines**
 > **Note**: This profile guideline is still evolving, feel free to propose improvment
 > as long as it does not vary too much from the existing rules.
 In order to ensure a common structure across the profiles, all new profile should
 try to follow the guideline presented here.
@ -87,18 +106,20 @@ The rules in the profile should be sorted as follow:
 - mount
 - remount
 - umount
 - pivot_root
 - ptrace
 - signal
 - unix
 - dbus (send, receive) send receice 
- @{exec_path} mr,
+- @{exec_path} mr, the entry point of the profile
 - The binaries and library required: `/{usr/,}bin/`, `/{usr/,}lib/`, `/opt/`...
  It is the only place where you can have `mr`, `rix`, `rPx`, `rUx`, `rPUX` rules.
 - The shared resources: `/usr/share`...
 - The system configuration: `/etc`...
 - The system data: `/var`...
 - The user data: `owner @{HOME}/`...
 - The user configuration, cache and in general all dotfiles
- Temporary data: `/tmp/`, `@{run}/`...
+- Temporary and runtime data: `/tmp/`, `@{run}/`, `/dev/shm/`...
 - Sys files: `@{sys}/`...
 - Proc files: `@{PROC}/`... 
 - Dev files: `/dev/`...
@ -120,10 +141,10 @@ The rules in the profile should be sorted as follow:
 The included tool `aa-log` can be useful to explore the apparmor log 
-## Abstraction
+## Abstractions
 This project and the apparmor profile official project provide a large selection
-of abstraction to be included in profiles. They should be used.
+of abstractions to be included in profiles. They should be used.
 For instance, instead of writting:
 ```sh
@ -142,44 +163,61 @@ include <abstractions/user-download-strict>
 * `@{PROC}=/proc/`
 * `@{run}=/run/ /var/run/`
 * `@{sys}=/sys/`
-* The Home directory: `@{HOME}`
+* The home root: `@{HOMEDIRS}=/home/`
 * The home directories: `@{HOME}=@{HOMEDIRS}/*/ /root/`
 * Process id(s): `@{pid}`, `@{pids}`
 * User id: `@{uid}`
 * Thread id: `@{tid}`
 * Classic XDG user directories: 
-    - Desktop: `@{XDG_DESKTOP_DIR}="Desktop"`
+  - Desktop: `@{XDG_DESKTOP_DIR}="Desktop"`
-    - Download: `@{XDG_DOWNLOAD_DIR}="Downloads"`
+  - Download: `@{XDG_DOWNLOAD_DIR}="Downloads"`
-    - Templates: `@{XDG_TEMPLATES_DIR}="Templates"`
+  - Templates: `@{XDG_TEMPLATES_DIR}="Templates"`
-    - Public: `@{XDG_PUBLICSHARE_DIR}="Public"`
+  - Public: `@{XDG_PUBLICSHARE_DIR}="Public"`
-    - Documents: `@{XDG_DOCUMENTS_DIR}="Documents"`
+  - Documents: `@{XDG_DOCUMENTS_DIR}="Documents"`
-    - Music: `@{XDG_MUSIC_DIR}="Music"`
+  - Music: `@{XDG_MUSIC_DIR}="Music"`
-    - Pictures: `@{XDG_PICTURES_DIR}="Pictures"`
+  - Pictures: `@{XDG_PICTURES_DIR}="Pictures"`
-    - Videos: `@{XDG_VIDEOS_DIR}="Videos"`
+  - Videos: `@{XDG_VIDEOS_DIR}="Videos"`
 **Additional variables available with this project:**
-* Common mountpoints: `@{MOUNTS}=/media/ @{run}/media /mnt`
+* Mountpoints root: `@{MOUNTDIRS}=/media/ @{run}/media/ /mnt/`
 * Common mountpoints: `@{MOUNTS}=@{MOUNTDIRS}/*/`
 * Universally unique identifier: `@{uuid}=[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*-[0-9a-f]*`
 * Hexadecimal: `@{hex}=[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f]`
 * Extended XDG user directories: 
-    - Projects: `@{XDG_PROJECTS_DIR}="Projects"`
+  - Books: `@{XDG_BOOKS_DIR}="Books"`
-    - Books: `@{XDG_BOOKS_DIR}="Books"`
+  - Projects: `@{XDG_PROJECTS_DIR}="Projects"`
-    - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"`
+  - Screenshots: `@{XDG_SCREENSHOTS_DIR}="@{XDG_PICTURES_DIR}/Screenshots"`
-    - Sync: `@{XDG_SYNC_DIR}="Sync"`
+  - Sync: `@{XDG_SYNC_DIR}="Sync"`
-    - Vm: `@{XDG_VM_DIR}=".vm"`
+  - Torrents: `@{XDG_TORRENTS_DIR}="Torrents"`
-    - SSH: `@{XDG_SSH_DIR}=".ssh"`
+  - Vm: `@{XDG_VM_DIR}=".vm"`
-    - GPG: `@{XDG_GPG_DIR}=".gnupg"`
+  - Wallpapers: `@{XDG_WALLPAPERS_DIR}="@{XDG_PICTURES_DIR}/Wallpapers"`
-    - Cache:` @{XDG_CACHE_HOME}=".cache"`
+* Extended XDG dotfiles:
-    - Config: `@{XDG_CONFIG_HOME}=".config"`
+  - SSH: `@{XDG_SSH_DIR}=".ssh"`
-    - Data: `@{XDG_DATA_HOME}=".local/share"`
+  - GPG: `@{XDG_GPG_DIR}=".gnupg"`
-    - Bin: `@{XDG_BIN_HOME}=".local/bin"`
+  - Cache:` @{XDG_CACHE_HOME}=".cache"`
-    - Lib: `@{XDG_LIB_HOME}=".local/lib"`
+  - Config: `@{XDG_CONFIG_HOME}=".config"`
  - Data: `@{XDG_DATA_HOME}=".local/share"`
  - Bin: `@{XDG_BIN_HOME}=".local/bin"`
  - Lib: `@{XDG_LIB_HOME}=".local/lib"`
 * Full path of the user configuration directories
-    - Cache: `@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_HOME}`
+  - Cache: `@{user_cache_dirs}=@{HOME}/@{XDG_CACHE_HOME}`
-    - Config: `@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_HOME}`
+  - Config: `@{user_config_dirs}=@{HOME}/@{XDG_CONFIG_HOME}`
-    - Bin: `@{user_bin_dirs}=@{HOME}/@{XDG_BIN_HOME}`
+  - Bin: `@{user_bin_dirs}=@{HOME}/@{XDG_BIN_HOME}`
-    - Lib: `@{user_lib_dirs}=@{HOME}/@{XDG_LIB_HOME}`
+  - Lib: `@{user_lib_dirs}=@{HOME}/@{XDG_LIB_HOME}`
-* Other full path user directories
+* Full path user directories
-    - Sync: `@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}`
+  - Books: `@{user_books_dirs}=@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}`
  - Documents: `@{user_documents_dirs}=@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}`
  - Download: `@{user_download_dirs}=@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}`
  - Music: `@{user_music_dirs}=@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}`
  - Pictures: `@{user_pictures_dirs}=@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}`
  - Projects: `@{user_projects_dirs}=@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}`
  - Public: `@{user_publicshare_dirs}=@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}`
  - Sync: `@{user_sync_dirs}=@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}`
  - Templates: `@{user_templates_dirs}=@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}`
  - Torrents: `@{user_torrents_dirs}=@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}`
  - Videos: `@{user_videos_dirs}=@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}`
  - Vm: `@{user_vm_dirs}=@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}`
 ## Additional documentation
@ -187,3 +225,4 @@ include <abstractions/user-download-strict>
 * https://presentations.nordisch.org/apparmor/#/
 [git]: https://help.github.com/articles/set-up-git/
 [write xor execute]: https://en.wikipedia.org/wiki/W%5EX
--- a/README.md
+++ b/README.md
@ -6,8 +6,8 @@
 **Full set of AppArmor profiles**
-> Warning: This project is still in early development.
+> **Warning**: This project is still in early development. Help is very welcome
-
+> see [`CONTRIBUTING.md`](CONTRIBUTING.md) 
 ## Description 
--- a/apparmor.d/abstractions/disks-write
+++ b/apparmor.d/abstractions/disks-write
@ -8,6 +8,8 @@
  # The /sys/ entries probably should be tightened
  /dev/ r,
  /dev/block/ r,
  /dev/disk/{,*/} r,
  # Regular disk/partition devices
  /dev/{s,v}d[a-z]* rwk,
--- a/apparmor.d/abstractions/lightdm
+++ b/apparmor.d/abstractions/lightdm
@ -46,15 +46,15 @@
  /opt/ r,
  /opt/** rmixk,
  @{PROC}/ r,
-  @{PROC}/* rm,
+  @{PROC}/* mr,
  @{PROC}/[0-9]*/net/ r,
  @{PROC}/[0-9]*/net/dev r,
-  @{PROC}/asound rm,
+  @{PROC}/asound mr,
-  @{PROC}/asound/** rm,
+  @{PROC}/asound/** mr,
-  @{PROC}/ati rm,
+  @{PROC}/ati mr,
-  @{PROC}/ati/** rm,
+  @{PROC}/ati/** mr,
  @{PROC}/sys/vm/overcommit_memory r,
-  owner @{PROC}/** rm,
+  owner @{PROC}/** mr,
  # needed for gnome-keyring-daemon
  @{PROC}/*/status r,
  # needed for bamfdaemon and utilities such as ps and killall
@ -62,7 +62,7 @@
  /sbin/ r,
  /sbin/** rmixk,
  /sys/ r,
-  /sys/** rm,
+  /sys/** mr,
  # needed for confined trusted helpers, such as dbus-daemon
  /sys/kernel/security/apparmor/.access rw,
  /tmp/ rw,
--- a/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
+++ b/apparmor.d/groups/apps/usr.lib.libreoffice.program.soffice.bin
@ -218,9 +218,9 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
  profile gpg {
    #include <abstractions/base>
-   /usr/bin/gpgconf rm,
+   /usr/bin/gpgconf mr,
-   /usr/bin/gpg rm,
+   /usr/bin/gpg mr,
-   /usr/bin/gpgsm rm,
+   /usr/bin/gpgsm mr,
    owner @{HOME}/@{XDG_GPG_DIR}/* r,
    owner @{HOME}/@{XDG_GPG_DIR}/random_seed rk,
@ -232,7 +232,7 @@ profile libreoffice-soffice /usr/lib/libreoffice/program/soffice.bin flags=(comp
  owner @{user_config_dirs}/kdeglobals r,
  /usr/lib/libreoffice/program/lo_kde5filepicker rPUx,
  /usr/share/qt5/translations/* r,
-  /usr/lib/*/qt5/plugins/** rm,
+  /usr/lib/*/qt5/plugins/** mr,
  /usr/share/plasma/look-and-feel/**/contents/defaults r,
  # TODO: remove when rules are available in abstractions/kde
--- a/apparmor.d/groups/apps/vlc
+++ b/apparmor.d/groups/apps/vlc
@ -287,4 +287,4 @@ profile vlc @{exec_path} {
  }
  include if exists <local/vlc>
-}
+}
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@ -28,6 +28,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  capability setgid,
  capability setuid,
  capability sys_nice,
  capability sys_ptrace,
  signal (send) peer=apt-methods-*,
@ -46,7 +47,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
       member=Inhibit
       peer=(name=org.freedesktop.login[0-9]),
-  dbus send bus=system path=/org/freedesktop/DBus
+  dbus send bus=system path=/org/freedesktop/DBus{,/Bus}
       interface=org.freedesktop.DBus{,.Introspectable}
       member={RequestName,GetConnectionUnixProcessID,Introspect}
       peer=(name=org.freedesktop.DBus),
@ -101,6 +102,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook             rPx,
  /{usr/,}lib/update-notifier/update-motd-updates-available  rPx,
  /usr/share/command-not-found/cnf-update-db                 rPx,
  /usr/share/language-tools/language-options                 rPx,
  # For editing the sources.list file
  /{usr/,}bin/sensible-editor rCx -> editor,
@ -110,6 +112,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/sensible-pager  rCx -> pager,
  /usr/share/xml/iso-codes/{,**} r,
  /usr/share/language-selector/data/pkg_depends r,
  /etc/apt/sources.list rwk,
  /etc/machine-id r,
--- a/apparmor.d/groups/apt/apt-methods-gpgv
+++ b/apparmor.d/groups/apt/apt-methods-gpgv
@ -82,6 +82,8 @@ profile apt-methods-gpgv @{exec_path} {
  # Local keyring storage
  /etc/apt/keyrings/ r,
  /etc/apt/keyrings/*.{gpg,asc} r,
  /usr/share/keyrings/ r,
  /usr/share/keyrings/*.{gpg,asc} r,
  # Extrepo keyring storage
  /var/lib/extrepo/keys/*.{gpg,asc} r,
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -76,6 +76,7 @@ profile dpkg @{exec_path} {
  owner /tmp/apt-dpkg-install-*/ r,
  /var/log/dpkg.log w,
  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
  @{run}/systemd/userdb/ r,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -49,7 +49,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  dbus receive bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
-       member={CheckPermissions,StateChanged},
+       member={CheckPermissions,StateChanged,DeviceAdded,DeviceRemoved},
  @{exec_path} mr,
@ -80,6 +80,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/debian_version r,
  /etc/dpkg/origins/{debian,ubuntu,} r,
  /etc/issue{.net,} r,
  /etc/legal r,
  /etc/lsb-release r,
  /etc/profile.d/* r,
  /etc/update-motd.d/* r,
  /etc/update-manager/{,**} r,
  /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
--- a/apparmor.d/groups/avahi/avahi-autoipd
+++ b/apparmor.d/groups/avahi/avahi-autoipd
@ -0,0 +1,27 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/avahi-autoipd
 profile avahi-autoipd @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  signal receive set=(kill,term),
  @{exec_path} mr,
  /etc/avahi/avahi-autoipd.action rix,
  include if exists <local/avahi-autoipd>
 }
--- a/apparmor.d/groups/avahi/avahi-browse
+++ b/apparmor.d/groups/avahi/avahi-browse
@ -0,0 +1,32 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-browse /{usr/,}bin/avahi-browse-domains
 profile avahi-browse @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  dbus send bus=system path=/
      interface=org.freedesktop.DBus.Peer
      member=Ping,
  dbus send bus=system path=/
      interface=org.freedesktop.Avahi.Server
      member={GetAPIVersion,GetState,ServiceTypeBrowserNew,ServiceBrowserNew},
  dbus receive bus=system path=/Client[0-9]/ServiceTypeBrowser[0-9]
      interface=org.freedesktop.Avahi.ServiceTypeBrowser
      member={ItemNew,CacheExhausted,AllForNow},
  @{exec_path} mr,
  /{usr/,}lib/@{multiarch}/avahi/service-types.db rwk,
  include if exists <local/avahi-browse>
 }
--- a/apparmor.d/groups/avahi/avahi-daemon
+++ b/apparmor.d/groups/avahi/avahi-daemon
@ -0,0 +1,23 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-daemon
 profile avahi-daemon @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  network inet dgram,
  network inet6 dgram,
  @{exec_path} mr,
  /etc/avahi/** r,
  include if exists <local/avahi-daemon>
 }
--- a/apparmor.d/groups/avahi/avahi-publish
+++ b/apparmor.d/groups/avahi/avahi-publish
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-publish /{usr/,}bin/avahi-publish-address /{usr/,}bin/avahi-publish-service
 profile avahi-publish @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/avahi-publish>
 }
--- a/apparmor.d/groups/avahi/avahi-resolve
+++ b/apparmor.d/groups/avahi/avahi-resolve
@ -0,0 +1,34 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-resolve /{usr/,}bin/avahi-resolve-address /{usr/,}bin/avahi-resolve-host-name
 profile avahi-resolve @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  dbus send bus=system path=/
      interface=org.freedesktop.DBus.Peer
      member=Ping,
  dbus send bus=system path=/
      interface=org.freedesktop.Avahi.Server
      member={GetAPIVersion,GetState,AddressResolverNew},
  dbus send bus=system path=/Client[0-9]/AddressResolver[0-9]
      interface=org.freedesktop.Avahi.AddressResolver
      member={Free,HostNameResolverNew,},
  dbus receive bus=system path=/Client[0-9]/AddressResolver[0-9]
      interface=org.freedesktop.Avahi.AddressResolver
      member={Failure,Found},
  @{exec_path} mr,
  include if exists <local/avahi-resolve>
 }
--- a/apparmor.d/groups/avahi/avahi-set-host-name
+++ b/apparmor.d/groups/avahi/avahi-set-host-name
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/avahi-set-host-name
 profile avahi-set-host-name @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/avahi-set-host-name>
 }
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@ -32,6 +32,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  ptrace (read) peer=browserpass,
  ptrace (read) peer=chrome-gnome-shell,
  ptrace (read) peer=gnome-browser-connector-host,
  ptrace (read) peer=keepassxc-proxy,
  ptrace (read) peer=lsb_release,
  ptrace (read) peer=xdg-settings,
@ -49,6 +50,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mrix,
  /{usr/,}bin/chrome-gnome-shell                rPx,
  /{usr/,}bin/gnome-browser-connector-host      rPx,
  /{usr/,}lib/chromium/chrome-sandbox           rPx,
  /{usr/,}lib/chromium/chrome_crashpad_handler  rPx,
--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -9,8 +10,9 @@ include <tunables/global>
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
 profile fc-cache @{exec_path} {
  include <abstractions/base>
-  include <abstractions/fonts>
+  include <abstractions/consoles>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  @{exec_path} mr,
@ -19,6 +21,8 @@ profile fc-cache @{exec_path} {
  /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
  /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,
  /var/tmp/mkinitramfs_*/{**,} rwl,
  # Silencer
  deny network inet6 stream,
  deny network inet stream,
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -33,7 +33,6 @@ profile pipewire @{exec_path} {
  /usr/share/pipewire/pipewire.conf r,
  /etc/machine-id r,
  /etc/pipewire/client.conf r,
  /etc/pipewire/pipewire-pulse.conf.d/{,*} r,
  /etc/pipewire/pipewire.conf r,
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@ -11,6 +11,7 @@ include <tunables/global>
 profile pipewire-media-session @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
@ -44,11 +45,11 @@ profile pipewire-media-session @{exec_path} {
  owner @{HOME}/.local/state/ rw,
  owner @{HOME}/.local/state/pipewire/{,**} rw,
  owner @{user_config_dirs}/pipewire/ rw,
  owner @{user_config_dirs}/pipewire/** rw,
  owner @{user_config_dirs}/pulse/ rw,
  owner @{run}/user/@{uid}/bus rw,
  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
  @{run}/udev/data/+sound:card[0-9]* r, # For sound
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@ -29,13 +29,15 @@ profile polkit-agent-helper @{exec_path} {
  signal (receive) set=(term, kill) peer=gnome-shell,
  signal (receive) set=(term, kill) peer=pkexec,
-  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+  dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
       interface=org.freedesktop.DBus.Properties
-       member=GetAll,
+       member=GetAll
       peer=(name=:*),
-  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+  dbus (send) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
       interface=org.freedesktop.PolicyKit[0-9].Authority
-       member=AuthenticationAgentResponse2,
+       member=AuthenticationAgentResponse2
       peer=(name=:*),
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -23,13 +23,14 @@ profile polkitd @{exec_path} {
  ptrace (read),
  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
-       interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*},
+       interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members
-  dbus send bus=system path=/org/freedesktop/DBus
+  dbus (send) bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
-       member={GetConnectionUnixUser,GetConnectionUnixProcessID,RequestName},
+       member={GetConnectionUnixProcessID,GetConnectionUnixUser,RequestName}
       peer=(name=org.freedesktop.DBus),
-  dbus bind bus=system 
+  dbus (bind) bus=system
       name=org.freedesktop.PolicyKit[0-9],
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -127,6 +127,13 @@ profile pulseaudio @{exec_path} {
     member=Get
     peer=(name=/org/freedesktop/hostname[0-9]),
  dbus (send)
     bus=system
     path=/org.freedesktop.hostname[0-9]
     interface=org.freedesktop.DBus.Prope
     member=Get
     peer=(name=/org/freedesktop/hostname[0-9]),
  @{exec_path} mrix,
  /{usr/,}@{libexec}/pulse/gsettings-helper mrix,
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/xdg-document-portal
 profile xdg-document-portal @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  ptrace (read) peer=xdg-desktop-portal,
@ -23,7 +24,6 @@ profile xdg-document-portal @{exec_path} {
  owner @{user_share_dirs}/flatpak/db/documents r,
  owner @{run}/user/@{uid}/bus rw,
  owner @{run}/user/@{uid}/doc/ rw,
  owner @{PROC}/@{pid}/fd/ r,
@ -36,7 +36,7 @@ profile xdg-document-portal @{exec_path} {
  profile flatpak {
    include <abstractions/base>
-    /{usr/,}bin/flatpak rm,
+    /{usr/,}bin/flatpak mr,
    / r,
    /etc/flatpak/remotes.d/{,*} r,
--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@ -11,6 +11,7 @@ profile gdm-wayland-session @{exec_path} {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
@ -53,7 +54,6 @@ profile gdm-wayland-session @{exec_path} {
  /etc/default/im-config r,
  /etc/gdm{3,}/custom.conf r,
  /etc/machine-id r,
  /etc/shells r,
  /etc/X11/xinit/xinputrc r,
  /etc/X11/Xsession.d/*im-config_launch r,
@ -61,8 +61,7 @@ profile gdm-wayland-session @{exec_path} {
  /usr/share/gdm/gdm.schemas r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  owner @{run}/user/@{uid}/bus rw,
+  @{run}/gdm/custom.conf r,
        @{run}/gdm/custom.conf r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid r,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -46,16 +46,17 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/gstreamer-1.0/ rw,
  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
        @{run}/user/@{uid}/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
  @{sys}/devices/system/cpu/possible r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  /dev/ r,
  /dev/tty rw,
--- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice
+++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice
@ -24,6 +24,8 @@ profile gnome-characters-backgroudservice @{exec_path} {
  /etc/gtk-3.0/settings.ini r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -34,6 +34,9 @@ profile gnome-extension-ding @{exec_path} {
       interface=org.freedesktop.DBus.Properties
       member=GetAll,
  dbus bind bus=session
       name=com.rastersoft.ding,
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh            rix,
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@ -9,6 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-extensions-app
 profile gnome-extensions-app @{exec_path} {
  include <abstractions/base>
  # include <abstractions/vulkan>
  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/opencl>
  @{exec_path} mr,
@ -16,6 +24,15 @@ profile gnome-extensions-app @{exec_path} {
  /{usr/,}bin/gjs-console rix,
  /usr/share/terminfo/x/xterm-256color r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/gnome-shell/org.gnome.Extensions* r,
  /usr/share/X11/xkb/{,**} r,
  @{sys}/devices/system/cpu/possible r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pids}/task/@{tid}/stat r,
  /dev/tty rw,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -10,6 +10,7 @@ include <tunables/global>
 profile gnome-terminal-server @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -34,8 +35,6 @@ profile gnome-terminal-server @{exec_path} {
  /etc/shells r,
  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/bus rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -10,6 +10,7 @@ include <tunables/global>
 profile nautilus @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/gnome>
@ -21,6 +22,20 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus.Properties
       member=GetAll,
  dbus (send, receive) bus=session path=/org/gnome/Nautilus{,/*}
       interface={org.freedesktop.DBus.{Properties,Introspectable},org.gtk.Actions},
  dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor
       interface=org.gtk.Private.RemoteVolumeMonitor
       member={IsSupported,List}
       peer=(name=:*),
  dbus bind bus=session
       name=org.gnome.Nautilus,
  dbus bind bus=session
       name=org.freedesktop.FileManager1,
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh rix,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/tracker-extract-3
 profile tracker-extract @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/disks-read>
  include <abstractions/fonts>
@ -51,8 +52,7 @@ profile tracker-extract @{exec_path} {
  owner /tmp/tracker-extract-3-files.*/{,*} rw,
-  owner @{run}/user/@{uid}/bus rw,
+  @{run}/blkid/blkid.tab r,
        @{run}/blkid/blkid.tab r,
  @{run}/udev/data/c235:* r,
  @{run}/udev/data/c236:* r,
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2017-2021 Mikhail Morfikov
+# Copyright (C) 2017-2022 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -11,22 +11,25 @@ include <tunables/global>
 profile gpg @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/user-download-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/user-download-strict>
  include <abstractions/user-read>
  capability dac_read_search,
  network netlink raw,
  @{exec_path} mrix,
  /{usr/,}bin/gpgconf           rPx,
  /{usr/,}bin/gpg-connect-agent rPx,
  /{usr/,}bin/gpg-agent         rPx,
  /{usr/,}bin/dirmngr           rPx,
  /{usr/,}bin/gpg-agent         rPx,
  /{usr/,}bin/gpg-connect-agent rPx,
  /{usr/,}bin/gpgconf           rPx,
  /{usr/,}bin/gpgsm             rPx,
  /{usr/,}lib/gnupg/scdaemon    rPx,
-  # GPG config files
+  /etc/inputrc r,
-  owner @{HOME}/ r,
+
  owner @{HOME}/@{XDG_GPG_DIR}/ rw,
  owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -39,54 +42,9 @@ profile gpg @{exec_path} {
  owner /var/lib/*/.gnupg/ rw,
  owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
  # For flatpak
  owner /tmp/ostree-gpg-*/ r,
  owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
  # For ToR Browser
  owner @{user_share_dirs}/torbrowser/gnupg_homedir/ r,
  owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**,
  # For spamassassin
  owner /var/lib/spamassassin/sa-update-keys/** rwkl -> /var/lib/spamassassin/sa-update-keys/**,
  # For lintian
  owner /tmp/temp-lintian-lab-*/**/debian/upstream/signing-key.asc r,
  owner /tmp/lintian-pool-*/**/debian/upstream/signing-key.asc r,
  owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid} rw,
  owner /tmp/*/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
  owner /tmp/*/trustdb.gpg rw,
  owner /tmp/*/trustdb.gpg.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
  owner /tmp/*/pubring.kbx rw,
  owner /tmp/*/pubring.kbx.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
  owner /tmp/*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x[0-9a-f]*.*.@{pid},
  owner /tmp/*.gpg rw,
  owner /tmp/*.gpg~ w,
  owner /tmp/*.gpg.tmp rw,
  owner /tmp/*.gpg.lock rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
  owner /tmp/.#lk0x[0-9a-f]*.*.@{pid} rw,
  owner /tmp/.#lk0x[0-9a-f]*.*.@{pid}x rwl -> /tmp/.#lk0x[0-9a-f]*.*.@{pid},
  owner @{run}/user/@{uid}/gnupg/d.*/ rw,
  # APT upstream/user keyrings
  /usr/share/keyrings/*.{gpg,asc} r,
  /etc/apt/keyrings/*.{gpg,asc} r,
  # APT repositories
  /var/lib/apt/lists/*_InRelease r,
  # Verify files
  owner @{HOME}/** r,
  owner @{MOUNTS}/** r,
  owner @{PROC}/@{pid}/task/@{tid}/stat rw,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/fd/ r,
-
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-  /etc/inputrc r,
+  owner @{PROC}/@{pid}/task/@{tid}/stat rw,
  # file_inherit
  /tmp/#[0-9]*[0-9] rw,
  include if exists <local/gpg>
 }
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@ -12,6 +12,8 @@ profile gpgconf @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  capability dac_read_search,
  @{exec_path} mrix,
  /{usr/,}bin/gpg-connect-agent rPx,
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@ -11,6 +11,8 @@ profile gpgsm @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  capability dac_read_search,
  @{exec_path} mr,
  deny /usr/bin/.gnupg/ w,
--- a/apparmor.d/groups/grub/grub-bios-setup
+++ b/apparmor.d/groups/grub/grub-bios-setup
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-bios-setup
 profile grub-bios-setup @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-bios-setup>
 }
--- a/apparmor.d/groups/grub/grub-editenv
+++ b/apparmor.d/groups/grub/grub-editenv
@ -0,0 +1,20 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-editenv
 profile grub-editenv @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  /boot/grub/grubenv rw,
  include if exists <local/grub-editenv>
 }
--- a/apparmor.d/groups/grub/grub-file
+++ b/apparmor.d/groups/grub/grub-file
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-file
 profile grub-file @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-file>
 }
--- a/apparmor.d/groups/grub/grub-fstest
+++ b/apparmor.d/groups/grub/grub-fstest
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-fstest
 profile grub-fstest @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-fstest>
 }
--- a/apparmor.d/groups/grub/grub-glue-efi
+++ b/apparmor.d/groups/grub/grub-glue-efi
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-glue-efi
 profile grub-glue-efi @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-glue-efi>
 }
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-install
 profile grub-install @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-install>
 }
--- a/apparmor.d/groups/grub/grub-kbdcomp
+++ b/apparmor.d/groups/grub/grub-kbdcomp
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-kbdcomp
 profile grub-kbdcomp @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-kbdcomp>
 }
--- a/apparmor.d/groups/grub/grub-macbless
+++ b/apparmor.d/groups/grub/grub-macbless
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-macbless
 profile grub-macbless @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-macbless>
 }
--- a/apparmor.d/groups/grub/grub-menulst2cfg
+++ b/apparmor.d/groups/grub/grub-menulst2cfg
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-menulst2cfg
 profile grub-menulst2cfg @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-menulst2cfg>
 }
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@ -0,0 +1,78 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-mkconfig
 profile grub-mkconfig @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
  @{exec_path}                     mr,
  /etc/grub.d/{**,}                rix,
  /{usr/,}bin/{m,g,}awk            rix,
  /{usr/,}bin/basename             rix,
  /{usr/,}bin/cat                  rix,
  /{usr/,}bin/chmod                rix,
  /{usr/,}bin/cut                  rix,
  /{usr/,}bin/date                 rix,
  /{usr/,}bin/dirname              rix,
  /{usr/,}bin/dpkg                 rPx,
  /{usr/,}bin/find                 rix,
  /{usr/,}bin/findmnt              rPx,
  /{usr/,}bin/gettext              rix,
  /{usr/,}bin/{e,f,}grep           rix,
  /{usr/,}bin/lsb_release          rPx -> lsb_release,
  /{usr/,}bin/grub-mkrelpath       rPx,
  /{usr/,}bin/grub-script-check    rPx,
  /{usr/,}bin/head                 rix,
  /{usr/,}bin/id                   rPx,
  /{usr/,}bin/ls                   rix,
  /{usr/,}bin/mktemp               rix,
  /{usr/,}bin/mount                rPx,
  /{usr/,}bin/mountpoint           rix,
  /{usr/,}bin/paste                rix,
  /{usr/,}bin/readlink             rix,
  /{usr/,}bin/rm                   rix,
  /{usr/,}bin/rmdir                rix,
  /{usr/,}bin/sed                  rix,
  /{usr/,}bin/{,ba,da}sh           rix,
  /{usr/,}bin/sort                 rix,
  /{usr/,}bin/stat                 rix,
  /{usr/,}bin/tail                 rix,
  /{usr/,}bin/tr                   rix,
  /{usr/,}bin/umount               rPx,
  /{usr/,}bin/uname                rix,
  /{usr/,}bin/which{.debianutils,} rix,
  /{usr/,}{s,}bin/dmsetup          rPUx,
  /{usr/,}{s,}bin/grub-probe       rPx,
  /{usr/,}{local/,}{s,}bin/zfs     rPx,
  /{usr/,}{local/,}{s,}bin/zpool   rPx,
  /boot/{**,} r,
  /boot/grub/{**,} rw,
  /etc/default/grub r,
  /etc/default/grub.d/{*,} r,
  /usr/share/grub/{**,} r,
  /.zfs/snapshot/*/etc/{machine-id,} r,
  /.zfs/snapshot/*/{usr/,}lib/os-release r,
  / r,
  owner /tmp/** rw,
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/@{pids}/mounts r,
  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
  include if exists <local/grub-mkconfig>
 }
--- a/apparmor.d/groups/grub/grub-mkdevicemap
+++ b/apparmor.d/groups/grub/grub-mkdevicemap
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-mkdevicemap
 profile grub-mkdevicemap @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-mkdevicemap>
 }
--- a/apparmor.d/groups/grub/grub-mkfont
+++ b/apparmor.d/groups/grub/grub-mkfont
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkfont
 profile grub-mkfont @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-mkfont>
 }
--- a/apparmor.d/groups/grub/grub-mkimage
+++ b/apparmor.d/groups/grub/grub-mkimage
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkimage
 profile grub-mkimage @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-mkimage>
 }
--- a/apparmor.d/groups/grub/grub-mklayout
+++ b/apparmor.d/groups/grub/grub-mklayout
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mklayout
 profile grub-mklayout @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-mklayout>
 }
--- a/apparmor.d/groups/grub/grub-mknetdir
+++ b/apparmor.d/groups/grub/grub-mknetdir
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mknetdir
 profile grub-mknetdir @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-mknetdir>
 }
--- a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
+++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkpasswd-pbkdf2
 profile grub-mkpasswd-pbkdf2 @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-mkpasswd-pbkdf2>
 }
--- a/apparmor.d/groups/grub/grub-mkrelpath
+++ b/apparmor.d/groups/grub/grub-mkrelpath
@ -0,0 +1,20 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-mkrelpath
 profile grub-mkrelpath @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  /{usr/,}{local/,}{s,}bin/zpool rPx,
  @{PROC}/@{pids}/mountinfo r,
  include if exists <local/grub-mkrelpath>
 }
--- a/apparmor.d/groups/grub/grub-mkrescue
+++ b/apparmor.d/groups/grub/grub-mkrescue
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkrescue
 profile grub-mkrescue @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-mkrescue>
 }
--- a/apparmor.d/groups/grub/grub-mkstandalone
+++ b/apparmor.d/groups/grub/grub-mkstandalone
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mkstandalone
 profile grub-mkstandalone @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-mkstandalone>
 }
--- a/apparmor.d/groups/grub/grub-mount
+++ b/apparmor.d/groups/grub/grub-mount
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-mount
 profile grub-mount @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-mount>
 }
--- a/apparmor.d/groups/grub/grub-ntldr-img
+++ b/apparmor.d/groups/grub/grub-ntldr-img
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-ntldr-img
 profile grub-ntldr-img @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-ntldr-img>
 }
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@ -0,0 +1,28 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-probe
 profile grub-probe @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/disks-read>
  capability sys_admin,
  @{exec_path} mr,
  /{usr/,}bin/lsb_release        rPx -> lsb_release,
  /{usr/,}bin/udevadm            rPx,
  /{usr/,}{local/,}{s,}bin/zpool rPx,
  @{PROC}/@{pids}/mountinfo r,
  @{PROC}/devices r,
  /dev/mapper/control rw,
  include if exists <local/grub-probe>
 }
--- a/apparmor.d/groups/grub/grub-reboot
+++ b/apparmor.d/groups/grub/grub-reboot
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-reboot
 profile grub-reboot @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-reboot>
 }
--- a/apparmor.d/groups/grub/grub-render-label
+++ b/apparmor.d/groups/grub/grub-render-label
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-render-label
 profile grub-render-label @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-render-label>
 }
--- a/apparmor.d/groups/grub/grub-script-check
+++ b/apparmor.d/groups/grub/grub-script-check
@ -0,0 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-script-check
 profile grub-script-check @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  /boot/grub/grub.cfg{.new,} rw,
  include if exists <local/grub-script-check>
 }
--- a/apparmor.d/groups/grub/grub-set-default
+++ b/apparmor.d/groups/grub/grub-set-default
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/grub-set-default
 profile grub-set-default @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-set-default>
 }
--- a/apparmor.d/groups/grub/grub-syslinux2cfg
+++ b/apparmor.d/groups/grub/grub-syslinux2cfg
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/grub-syslinux2cfg
 profile grub-syslinux2cfg @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  include if exists <local/grub-syslinux2cfg>
 }
--- a/apparmor.d/groups/grub/update-grub
+++ b/apparmor.d/groups/grub/update-grub
@ -0,0 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/update-grub{2,}
 profile update-grub @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}{s,}bin/grub-mkconfig rPx,
  include if exists <local/update-grub>
 }
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd
 profile gvfsd @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  @{exec_path} mr,
@ -20,7 +21,6 @@ profile gvfsd @{exec_path} {
  /usr/share/gvfs/{,**} r,
  owner @{run}/user/@{uid}/bus rw,
  owner @{run}/user/@{uid}/gvfs/ rw,
  owner @{run}/user/@{uid}/gvfsd/ rw,
--- a/apparmor.d/groups/network/ModemManager
+++ b/apparmor.d/groups/network/ModemManager
@ -31,6 +31,10 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects,
  dbus receive bus=system path=/org/freedesktop/ModemManager[0-9]
       interface=org.freedesktop.DBus.Properties
       member=GetAll,
  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
       interface=org.freedesktop.PolicyKit[0-9].Authority
       member=Changed,
--- a/apparmor.d/groups/network/mullvad-gui
+++ b/apparmor.d/groups/network/mullvad-gui
@ -32,7 +32,7 @@ profile mullvad-gui @{exec_path} {
  @{exec_path} mrix,
-  "/opt/Mullvad VPN/*.so*" rm,
+  "/opt/Mullvad VPN/*.so*" mr,
  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/gsettings   rix,
@ -53,6 +53,7 @@ profile mullvad-gui @{exec_path} {
  @{sys}/bus/pci/devices/ r,
  @{sys}/devices/virtual/tty/tty[0-9]*/active r,
  @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r,
  @{sys}/devices/system/cpu/possible r,
        @{PROC}/ r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
--- a/apparmor.d/groups/network/nm-dispatcher
+++ b/apparmor.d/groups/network/nm-dispatcher
@ -8,7 +8,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/nm-dispatcher
@{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher
-profile nm-dispatcher @{exec_path} {
+profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
--- a/apparmor.d/groups/pacman/mkinitcpio
+++ b/apparmor.d/groups/pacman/mkinitcpio
@ -27,7 +27,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/cp                  rix,
  /{usr/,}bin/dd                  rix,
  /{usr/,}bin/find                rix,
-  /{usr/,}bin/findmnt             rix,
+  /{usr/,}bin/findmnt             rPx,
  /{usr/,}bin/fsck                rix,
  /{usr/,}bin/gawk                rix,
  /{usr/,}bin/grep                rix,
@ -77,10 +77,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
  # Can copy any program to the initframs
  /{usr/,}bin/ r,
-  /{usr/,}bin/[a-z0-9]* rm,
+  /{usr/,}bin/[a-z0-9]* mr,
-  /{usr/,}lib/plymouth/plymouthd-* rm,
+  /{usr/,}lib/plymouth/plymouthd-* mr,
-  /{usr/,}lib/systemd/systemd-* rm,
+  /{usr/,}lib/systemd/systemd-* mr,
-  /{usr/,}lib/udev/[a-z0-9]* rm,
+  /{usr/,}lib/udev/[a-z0-9]* mr,
  # Manage /boot
  / r,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -83,6 +83,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
  owner @{run}/sshd{,.init}.pid wl,
        @{run}/motd.d/{,*} r,
        @{run}/motd.dynamic rw,
        @{run}/motd.dynamic.new rw,
        @{run}/resolvconf/resolv.conf r,
--- a/apparmor.d/groups/systemd/child-systemctl
+++ b/apparmor.d/groups/systemd/child-systemctl
@ -27,7 +27,7 @@ profile child-systemctl flags=(attach_disconnected) {
  network inet stream,
  network inet6 stream,
-  dbus send bus=system path=/org/freedesktop/systemd[0-9]
+  dbus send bus=system path=/org/freedesktop/systemd[0-9]/Unit
       interface=org.freedesktop.systemd[0-9].Manager
       member=GetUnitFileState,
@ -35,6 +35,8 @@ profile child-systemctl flags=(attach_disconnected) {
  /etc/systemd/user/{,**} rwl,
  @{run}/systemd/private rw,
  owner @{PROC}/@{pid}/stat r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/1/environ r,
--- a/apparmor.d/groups/systemd/networkctl
+++ b/apparmor.d/groups/systemd/networkctl
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/networkctl
-profile networkctl @{exec_path} flags=(complain) {
+profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
@ -39,9 +39,6 @@ profile networkctl @{exec_path} flags=(complain) {
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
  @{run}/systemd/netif/links/[0-9]* r,
  @{run}/systemd/netif/state r,
  # To be able to read logs
  @{run}/log/ r,
  /{run,var}/log/journal/ r,
@ -50,12 +47,16 @@ profile networkctl @{exec_path} flags=(complain) {
  /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
  /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* r,
  @{run}/systemd/netif/links/[0-9]* r,
  @{run}/systemd/netif/state r,
  @{run}/systemd/notify w,
  @{sys}/devices/**/net/**/uevent r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/stat r,
        @{PROC}/filesystems r,
        @{PROC}/sys/kernel/random/boot_id r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/stat r,
  include if exists <local/networkctl>
 }
--- a/apparmor.d/groups/systemd/systemd-analyze
+++ b/apparmor.d/groups/systemd/systemd-analyze
@ -10,17 +10,32 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-analyze
 profile systemd-analyze @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  include <abstractions/systemd-common>
  capability sys_resource,
  capability net_admin,
  signal (send) peer=child-pager,
  network inet dgram,
  network netlink raw,
  signal (send) peer=child-pager,
  dbus send bus=system path=/org/freedesktop/systemd1
      interface=org.freedesktop.DBus.Properties
      member=GetAll,
  dbus send bus=system path=/org/freedesktop/systemd1
      interface=org.freedesktop.systemd1.Manager
      member=ListUnits,
  dbus send bus=system path=/org/freedesktop/systemd1/unit/*
      interface=org.freedesktop.DBus.Properties
      member=GetAll,
  @{exec_path} mr,
  /{usr/,}lib/systemd/system-environment-generators/* rix,
  /{usr/,}bin/pager     rPx -> child-pager,
@ -37,7 +52,10 @@ profile systemd-analyze @{exec_path} {
  owner /tmp/systemd-temporary-*/ rw,
  @{run}/systemd/generator/ r,
  @{run}/systemd/private rw,
  @{run}/systemd/system/ r,
  @{run}/systemd/transient/ r,
  @{run}/systemd/userdb/io.systemd.DynamicUser w,
  @{run}/udev/data/* r,
  @{run}/udev/tags/systemd/ r,
@ -52,13 +70,12 @@ profile systemd-analyze @{exec_path} {
  @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/comm r,
        @{PROC}/swaps r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/comm r,
  owner @{PROC}/@{pid}/mountinfo r,
  /dev/tty rw,
  /dev/pts/1 rw,
  include if exists <local/systemd-analyze>
 }
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@ -17,11 +17,17 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
-       member={RequestName,ReleaseName},
+       member={RequestName,ReleaseName,GetConnectionUnixUser}
       peer=(name=org.freedesktop.DBus),
  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=CheckAuthorization
       peer=(name=org.freedesktop.PolicyKit1),
  dbus receive bus=system path=/org/freedesktop/hostname[0-9]
       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll},
+       member={Get,GetAll,SetHostname},
  dbus bind bus=system 
       name=org.freedesktop.hostname[0-9],
--- a/apparmor.d/groups/systemd/systemd-hwdb
+++ b/apparmor.d/groups/systemd/systemd-hwdb
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/systemd-hwdb
 profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -7,40 +8,68 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/systemd/systemd-networkd
-profile systemd-networkd @{exec_path} flags=(complain) {
+profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/systemd-common>
  capability net_admin,
  capability net_raw,
  capability net_bind_service,
  network inet dgram,
  network inet6 dgram,
  network inet raw,
  network inet6 raw,
  network netlink raw,
  network packet dgram,
  network packet raw,
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=RequestName
       peer=(name=org.freedesktop.DBus),
  dbus send bus=system path=/org/freedesktop/hostname[0-9]
       interface=org.freedesktop.hostname1
       member=SetHostname
       peer=(name=org.freedesktop.hostname1),
  dbus receive bus=system path=/org/freedesktop/network[0-9]
       interface=org.freedesktop.DBus.Properties
       member=Get,
  dbus bind bus=system
       name=org.freedesktop.network1,
  @{exec_path} mr,
  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
  /etc/systemd/networkd.conf r,
  /etc/systemd/network/ r,
  /etc/systemd/network/[0-9][0-9]-*.{netdev,network,link} r,
  /etc/networkd-dispatcher/carrier.d/{,*} r,
        @{run}/systemd/network/ r,
        @{run}/systemd/network/*.network r,
  owner @{run}/systemd/netif/.#state rw,
  owner @{run}/systemd/netif/.#state* rw,
  owner @{run}/systemd/netif/leases/.#* rw,
  owner @{run}/systemd/netif/leases/[0-9]* rw,
  owner @{run}/systemd/netif/links/.#* rw,
  owner @{run}/systemd/netif/links/[0-9]* rw,
  owner @{run}/systemd/netif/leases/[0-9]* rw,
  owner @{run}/systemd/netif/leases/.#* rw,
  owner @{run}/systemd/netif/.#state* rw,
  owner @{run}/systemd/netif/.#state rw,
  owner @{run}/systemd/netif/state rw,
  # To be able to configure network interfaces
        @{PROC}/sys/net/ipv{4,6}/** rw,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  @{sys}/devices/**/net/** r,
  @{run}/udev/data/n[0-9]* r,
-  /var/lib/dbus/machine-id r,
+  @{sys}/devices/**/net/** r,
-  /etc/machine-id r,
+  @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{PROC}/sys/net/ipv{4,6}/** rw,
  include if exists <local/systemd-networkd>
 }
--- a/apparmor.d/groups/systemd/systemd-networkd-wait-online
+++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online
@ -11,6 +11,10 @@ profile systemd-networkd-wait-online @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/systemd-common>
  capability net_admin,
  network netlink raw,
  @{exec_path} mr,
  @{run}/systemd/netif/links/[0-9]* r,
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -17,9 +17,15 @@ profile apport-gtk @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  capability sys_ptrace,
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  @{exec_path} mr,
  /{usr/,}{s,}bin/killall5          rix,
@ -50,21 +56,22 @@ profile apport-gtk @{exec_path} {
  /usr/share/themes/{,**} r,
  /usr/share/X11/xkb/{,**} r,
-  /etc/apport/blacklist.d/apport r,
+  /etc/apport/{,**} r,
  /etc/apport/blacklist.d/README.blacklist r,
  /etc/apport/crashdb.conf r,
  /etc/bash_completion.d/apport_completion r,
  /etc/cron.daily/apport r,
  /etc/default/apport r,
  /etc/init.d/apport r,
  /etc/logrotate.d/apport r,
  /etc/xdg/autostart/*.desktop r,
  /etc/gtk-3.0/settings.ini r,
-  /var/crash/{,*.@{uid}.crash} r,
+  /var/crash/{,*.@{uid}.crash} rw,
  /var/lib/dpkg/info/ r,
  /var/lib/dpkg/info/*.list r,
  /var/lib/dpkg/info/*.md5sums r,
  /var/log/installer/media-info r,
        @{run}/snapd.socket rw,
  owner @{run}/user/@{uid}/wayland-[0-9] rw,
  /tmp/[a-z0-9]* rw,
@ -83,8 +90,9 @@ profile apport-gtk @{exec_path} {
  profile gdb {
    include <abstractions/base>
-    include <abstractions/python>
+    include <abstractions/dconf>
    include <abstractions/fonts>
    include <abstractions/python>
    /{usr/,}bin/gdb mr,
@ -92,6 +100,9 @@ profile apport-gtk @{exec_path} {
    /{usr/,}{s,}bin/* r,
    /usr/share/gdb/{,**} r,
    /usr/share/themes/{,**} r,
    /usr/share/gnome-shell/{,**} r,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
    /etc/gdb/{,**} r,
--- a/apparmor.d/groups/ubuntu/notify-reboot-required
+++ b/apparmor.d/groups/ubuntu/notify-reboot-required
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/update-notifier/notify-reboot-required
 profile notify-reboot-required @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@ -14,7 +14,9 @@ profile software-properties-gtk @{exec_path} {
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
  dbus send bus=system path=/{,com/canonical/UbuntuAdvantage/Manager}
      interface=org.freedesktop.DBus.Introspectable
@ -51,10 +53,13 @@ profile software-properties-gtk @{exec_path} {
  /usr/share/X11/xkb/{,**} r,
  /usr/share/xml/iso-codes/{,**} r,
  /etc/apport/blacklist.d/{,*} r,
  /etc/default/apport r,
  /etc/gtk-3.0/settings.ini r,
  /etc/machine-id r,
  /etc/update-manager/release-upgrades r,
  /var/crash/*software-properties-gtk.@{uid}.crash rw,
  /var/lib/snapd/desktop/icons/ r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
@ -67,6 +72,10 @@ profile software-properties-gtk @{exec_path} {
  @{sys}/devices/**/modalias r,
        @{PROC}/@{pids}/mountinfo r,
        @{PROC}/asound/cards r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/environ r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -38,6 +38,8 @@ profile update-notifier @{exec_path} {
  /usr/share/apport/apport-checkreports               rPx,
  /usr/share/apport/apport-gtk                        rPx,
  /{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw,
  /usr/share/applications/{,**} r,
  /usr/share/dpkg/cputable r,
  /usr/share/dpkg/tupletable r,
--- a/apparmor.d/groups/virt/cni-calico
+++ b/apparmor.d/groups/virt/cni-calico
@ -6,7 +6,7 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /opt/cni/bin/calico
+@{exec_path} = /{usr/,}lib/cni/calico /opt/cni/bin/calico
 profile cni-calico @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
--- a/apparmor.d/groups/virt/cni-flannel
+++ b/apparmor.d/groups/virt/cni-flannel
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/flannel /opt/cni/bin/flannel
 profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){
  include <abstractions/base>
  @{exec_path} mr,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  include if exists <local/cni-flannel>
 }
--- a/apparmor.d/groups/virt/cni-host-local
+++ b/apparmor.d/groups/virt/cni-host-local
@ -0,0 +1,18 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}lib/cni/host-local /opt/cni/bin/host-local
 profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){
  include <abstractions/base>
  @{exec_path} mr,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  include if exists <local/cni-host-local>
 }
--- a/apparmor.d/groups/virt/cni-xtables-nft
+++ b/apparmor.d/groups/virt/cni-xtables-nft
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}{s,}bin/xtables-nft-multi
 profile cni-xtables-nft {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>
    capability net_admin,
@ -30,6 +31,4 @@ profile cni-xtables-nft {
    /etc/nftables.conf rw,
    @{PROC}/@{pids}/net/ip_tables_names r,
    /dev/pts/[0-9]* rw,
 }
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -20,7 +20,9 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  capability dac_override,
  capability fsetid,
  capability fowner,
  capability mknod,
  capability net_admin,
  capability setfcap,
  capability sys_admin,
  network inet dgram,
@ -36,6 +38,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  umount @{run}/containerd/io.containerd.grpc.v1.cri/sandboxes/[0-9a-f]*/shm/,
  umount /var/lib/containerd/tmpmounts/containerd-mount[0-9]*/,
  umount /tmp/ctd-volume[0-9]*/,
  umount @{run}/netns/cni-@{uuid},
  signal (receive) set=term peer={dockerd,k3s},
@ -84,7 +87,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  owner /var/tmp/** rwkl,
  owner /tmp/** rwkl,
        /tmp/cri-containerd.apparmor.d[0-9]* rwl,
-        /tmp/ctd-volume[0-9]*/ rw,
+        /tmp/ctd-volume[0-9]*/{data,} rw,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/profiles r,
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -0,0 +1,100 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/dockerd
 profile dockerd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  capability chown, 
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability mknod,
  capability net_admin,
  capability sys_admin,
  capability sys_chroot,
  capability kill,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  mount options=(rw, bind) -> /run/docker/netns/*,
  mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
  mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
  mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
  mount options=(rw, rslave) -> /,
  umount /.pivot_root[0-9]*/,
  umount /run/docker/netns/*,
  umount /var/lib/docker/overlay*/**/,
  pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/,
  pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/,
  ptrace (read) peer=unconfined,
  signal (send) set=kill peer=docker-*,
  signal (send) set=term peer=containerd,
  @{exec_path} mrix,
  /{usr/,}{s,}bin/apparmor_parser     rPx,
  /{usr/,}{s,}bin/runc                rUx,
  /{usr/,}{s,}bin/xtables-nft-multi   rix,
  /{usr/,}bin/containerd              rPx,
  /{usr/,}bin/docker-init             rix,
  /{usr/,}bin/kmod                    rPx,
  /{usr/,}bin/ps                      rPx,
  /{usr/,}bin/unpigz                  rix,
  # Docker needs full access of its containers.
  # TODO: should be in a sub profile started with pivot_root, not supported yet.
  /{,**} rw,
  deny /boot/{,**} rw,
  deny /dev/{,**} rw,
  deny /media/{,**} rw,
  deny /mnt/{,**} rw,
  owner /{usr/,}lib/docker/overlay2/*/work/{,**} rw,
  owner /var/lib/docker/{,**} rwk,
  owner /var/lib/docker/tmp/qemu-check[0-9]*/check rix,
  @{sys}/fs/cgroup/cgroup.controllers r,
  @{sys}/fs/cgroup/cpuset.cpus.effective r,
  @{sys}/fs/cgroup/cpuset.mems.effective r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/profiles r,
  @{sys}/module/apparmor/parameters/enabled r,
        @{PROC}/1/cgroup r,
        @{PROC}/1/environ r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/keys/root_maxkeys r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/kernel/threads-max r,
        @{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r,
        @{PROC}/sys/net/core/somaxconn r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw,
        @{PROC}/sys/net/ipv{4,6}/conf/docker[0-9]*/accept_ra rw,
        @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
        @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r,
  owner @{PROC}/@{pids}/attr/current r,
  owner @{PROC}/@{pids}/cgroup r,
  owner @{PROC}/@{pids}/fd/ r,
  owner @{PROC}/@{pids}/mountinfo r,
  owner @{PROC}/@{pids}/net/ip_tables_names r,
  owner @{PROC}/@{pids}/uid_map r,
  include if exists <local/dockerd>
 }
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@ -26,7 +26,7 @@ profile k3s @{exec_path} {
  capability sys_resource,
  ptrace peer=@{profile_name},
-  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,kubernetes-pause,mount,unconfined},
+  ptrace (read) peer={cri-containerd.apparmor.d,cni-xtables-nft,ip,kubernetes-pause,mount,unconfined},
  # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
  # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
@ -109,16 +109,11 @@ profile k3s @{exec_path} {
  owner @{PROC}/@{pids}/oom_score_adj rw,
  owner @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pids}/uid_map r,
-  
+
        @{PROC}/diskstats r,
        @{PROC}/loadavg r,
        @{PROC}/modules r,
        @{PROC}/sys/fs/pipe-max-size r,
        @{PROC}/sys/net/core/somaxconn r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/* rw,
        @{PROC}/sys/net/ipv{4,6}/conf/default/* rw,
        @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
        @{PROC}/sys/net/netfilter/* rw,
        @{PROC}/sys/kernel/keys/* r,
        @{PROC}/sys/kernel/panic rw,
        @{PROC}/sys/kernel/panic_on_oom rw,
@ -126,11 +121,16 @@ profile k3s @{exec_path} {
        @{PROC}/sys/kernel/pid_max r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/kernel/threads-max r,
        @{PROC}/sys/net/core/somaxconn r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/* rw,
        @{PROC}/sys/net/ipv{4,6}/conf/default/* rw,
        @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
        @{PROC}/sys/net/netfilter/* rw,
        @{PROC}/sys/vm/overcommit_memory rw,
        @{PROC}/sys/vm/panic_on_oom r,
  @{sys}/class/net/ r,
-  
+
  @{sys}/devices/pci[0-9]*/**/net/*/{address,mtu,speed} r,
  @{sys}/devices/system/edac/mc/ r,
  @{sys}/devices/system/cpu/ r,
@ -138,14 +138,15 @@ profile k3s @{exec_path} {
  @{sys}/devices/system/cpu/cpu[0-9]*/topology/{,**} r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
  @{sys}/devices/system/cpu/present{,/} r,
  @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
  @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node[0-9]*/ r,
  @{sys}/devices/system/node/node[0-9]*/{cpumap,distance,meminfo} r,
  @{sys}/devices/system/node/node[0-9]*/hugepages/{,**} r,
  @{sys}/devices/virtual/block/*/** r,
  @{sys}/devices/virtual/dmi/id/* r,
  @{sys}/devices/virtual/net/cali[0-9a-f]*/{address,mtu,speed} r,
  @{sys}/devices/virtual/net/vxlan.calico/{address,mtu,speed} r,
  @{sys}/fs/cgroup/{,*,*/} r,
  @{sys}/fs/cgroup/cgroup.subtree_control rw,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -103,7 +103,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  /{usr/,}{s,}bin/dmidecode                            rPx,
  /{usr/,}{s,}bin/dnsmasq                              rPx,
  /{usr/,}{s,}bin/virtiofsd                            rux, # TODO: WIP
-  /{usr/,}{s,}bin/virtlogd                             rPX,
+  /{usr/,}{s,}bin/virtlogd                             rPx,
  /{usr/,}bin/lvm                                      rUx,
  /{usr/,}bin/mdevctl                                  rPx,
  /{usr/,}bin/swtpm                                    rPx,
@ -155,6 +155,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/+bluetooth:* r,
  @{run}/udev/data/+dmi:id r,
  @{run}/udev/data/+drm:* r,
  @{run}/udev/data/+hid:* r,
  @{run}/udev/data/+input* r,       # for mouse, keyboard, touchpad
  @{run}/udev/data/+leds:* r,
  @{run}/udev/data/+pci* r,
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@ -13,9 +13,30 @@ profile aa-log @{exec_path} {
  @{exec_path} mr,
  /{usr/,}bin/journalctl rCx -> journalctl,
  /var/log/audit/* r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  profile journalctl {
    include <abstractions/base>
    include <abstractions/consoles>
    /{usr/,}bin/journalctl mr,
    /var/lib/dbus/machine-id r,
    /etc/machine-id r,
    /{run,var}/log/journal/ r,
    /{run,var}/log/journal/[0-9a-f]*/ r,
    /{run,var}/log/journal/[0-9a-f]*/user-@{uid}*.journal* r,
    /{run,var}/log/journal/[0-9a-f]*/user-@{uid}.journal r,
    @{PROC}/sys/kernel/random/boot_id r,
    @{PROC}/sys/kernel/cap_last_cap r,
  }
  include if exists <local/aa-log>
 }
--- a/apparmor.d/profiles-a-f/anyremote
+++ b/apparmor.d/profiles-a-f/anyremote
@ -18,7 +18,7 @@ profile anyremote @{exec_path} {
  network inet stream,
  network inet6 stream,
-  @{exec_path} rm,
+  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/cat        rix,
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@ -16,12 +16,32 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
  network netlink raw,
  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
      interface=org.freedesktop.DBus.Properties
      member=GetAll,
  dbus send bus=system path=/org/freedesktop/DBus
      interface=org.freedesktop.DBus
      member=RequestName,
  dbus receive bus=system path=/org/freedesktop/bolt
      interface=org.freedesktop.DBus.Properties
      member=GetAll,
  dbus receive bus=system path=/org/freedesktop/bolt
      interface=org.freedesktop.bolt1.Manager
      member=ListDevices,
  dbus bind bus=system 
      name=org.freedesktop.bolt,
  @{exec_path} mr,
  /var/lib/boltd/{,**} rw,
  owner @{run}/boltd/{,**} rw,
  @{run}/systemd/notify rw,
  @{run}/systemd/journal/socket w,
  @{run}/udev/data/+thunderbolt:* r,
@ -37,7 +57,8 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/**/{vendor,device}_name r,
  @{sys}/devices/pci[0-9]*/**/domain[0-9]*/iommu_dma_protection r,
  @{sys}/devices/platform/**/uevent r,
  @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
  include if exists <local/boltd>
-}
+}
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -11,6 +12,7 @@ include <tunables/global>
 profile dkms @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  capability dac_read_search,
@ -37,7 +39,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/rmdir      rix,
  /{usr/,}bin/find       rix,
  /{usr/,}bin/{,e}grep   rix,
-  /{usr/,}bin/gawk       rix,
+  /{usr/,}bin/{,g,m}awk  rix,
  /{usr/,}bin/cp         rix,
  /{usr/,}bin/date       rix,
  /{usr/,}bin/ln         rix,
@ -62,6 +64,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  /{usr/,}lib/linux-kbuild-*/tools/objtool/objtool rix,
  /{usr/,}lib/modules/*/build/tools/objtool/objtool rix,
  /var/lib/dkms/**/dkms.postbuild rix,
  / r,
  /{usr/,}lib/modules/*/updates/ rw,
  /{usr/,}lib/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw,
@ -103,6 +107,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
  profile kmod {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/openssl>
    /{usr/,}bin/kmod mr,
--- a/apparmor.d/profiles-a-f/dkms-autoinstaller
+++ b/apparmor.d/profiles-a-f/dkms-autoinstaller
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -13,15 +14,13 @@ profile dkms-autoinstaller @{exec_path} {
  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,
-
+  /{usr/,}{s,}bin/dkms   rPx,
  /{usr/,}bin/readlink   rix,
  /{usr/,}bin/tput       rix,
  /{usr/,}bin/echo       rix,
-
+  /{usr/,}bin/plymouth   rix,
-  /{usr/,}{s,}bin/dkms      rPx,
+  /{usr/,}bin/readlink   rix,
  /{usr/,}bin/run-parts  rCx -> run-parts,
  /{usr/,}bin/systemctl  rPx -> child-systemctl,
  /{usr/,}bin/tput       rix,
  # For shell pwd
  / r,
--- a/apparmor.d/profiles-a-f/findmnt
+++ b/apparmor.d/profiles-a-f/findmnt
@ -0,0 +1,22 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/findmnt
 profile findmnt @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  @{exec_path} mr,
  /etc/fstab r,
  /etc/mtab r,
  @{PROC}/@{pids}/mountinfo r,
  include if exists <local/findmnt>
 }
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@ -16,6 +16,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
  include <abstractions/openssl>
  include <abstractions/ssl_certs>
  capability sys_nice,
  signal (send),
  network inet stream,
@ -24,6 +26,26 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
  network inet6 dgram,
  network netlink raw,
  dbus send bus=system path=/
      interface=org.freedesktop.DBus.Properties
      member=GetAll,
  dbus send bus=system path=/
      interface=org.freedesktop.fwupd
      member={GetDevices,GetPlugins,GetRemotes,SetFeatureFlags,SetHints,UpdateMetadata},
  dbus send bus=system path=/org/freedesktop/systemd[0-9]
      interface=org.freedesktop.DBus.Properties
      member=GetAll,
  dbus send bus=system path=/org/freedesktop/systemd[0-9]
      interface=org.freedesktop.systemd[0-9].Manager
      member={GetDefaultTarget,GetUnit},
  dbus receive bus=system path=/
      interface=org.freedesktop.fwupd
      member=Changed,
  @{exec_path} mr,
  /{usr/,}bin/dbus-launch  rCx -> dbus,
@ -37,6 +59,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
  owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
  owner @{user_cache_dirs}/ rw,
        @{user_cache_dirs}/dconf/user rw,
  owner @{user_cache_dirs}/fwupd/ rw,
  owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
--- a/apparmor.d/profiles-g-l/glib-compile-schemas
+++ b/apparmor.d/profiles-g-l/glib-compile-schemas
@ -19,5 +19,7 @@ profile glib-compile-schemas @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled.[A-Z0-9]* rw,
  /usr/share/glib-2.0/schemas/gschemas.compiled rw,
  /usr/share/gnome-shell/extensions/*/schemas/org.gnome.shell.extensions.*.gschema.xml r,
  include if exists <local/glib-compile-schemas>
 }
--- a/apparmor.d/profiles-g-l/install-info
+++ b/apparmor.d/profiles-g-l/install-info
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/install-info
 profile install-info @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
--- a/apparmor.d/profiles-g-l/language-validate
+++ b/apparmor.d/profiles-g-l/language-validate
@ -6,18 +6,17 @@ abi <abi/3.0>,
 include <tunables/global>
-@{exec_path} = /usr/share/language-tools/language-validate
+@{exec_path} = /usr/share/language-tools/language-{options,validate}
 profile language-validate @{exec_path} {
  include <abstractions/base>
  capability setgid,
-  @{exec_path} mr,
+  @{exec_path} mrix,
-  /{usr/,}bin/{,ba,da}sh                      rix,
+  /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/grep                            rix,
+  /{usr/,}bin/grep        rix,
-  /{usr/,}bin/locale                          rix,
+  /{usr/,}bin/locale      rix,
  /usr/share/language-tools/language-options  rix,
  /usr/share/locale-langpack/{,*} r,
  /usr/share/language-tools/{,*} r,
--- a/Show more
+++ b/Show more