feat(profile): various ubuntu based improvements.

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -65,11 +65,13 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
+  /usr/share/gdm/greeter/applications/{,**} r,
   /usr/share/thumbnailers/{,**} r,
 
   owner @{desktop_cache_dirs}/dconf/user r,
   owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
   owner @{desktop_config_dirs}/dconf/user r,
+  owner @{desktop_share_dirs}/applications/{,**} r,
   owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
 
   owner @{HOME}/ r,

apparmor.d/groups/freedesktop/xkbcomp

@@ -17,6 +17,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
 
   unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
   unix (send,receive) type=stream addr=none peer=(label=xwayland),
+  unix (send,receive) type=stream addr=none peer=(label=kwin_wayland),
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/evolution-alarm-notify

@@ -37,6 +37,8 @@ profile evolution-alarm-notify @{exec_path} {
 
   /etc/timezone r,
 
+  owner @{user_share_dirs}/evolution/datetime-formats.ini r,
+
   include if exists <local/evolution-alarm-notify>
 }
 

apparmor.d/groups/gnome/gnome-system-monitor

@@ -36,6 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{bin}/sed    rix,
   @{bin}/tr     rix,
 
+  /usr/share/byobu/desktop/{,**} r,
   /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
 
   / r,

apparmor.d/groups/gnome/mutter-x11-frames

@@ -29,7 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
   /usr/share/gdm/greeter-dconf-defaults r,
 
   owner @{GDM_HOME}/greeter-dconf-defaults r,
-  owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rw,
+  owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl,
   owner @{gdm_config_dirs}/dconf/user r,
 
   @{sys}/devices/@{pci}/boot_vga r,

apparmor.d/groups/gnome/nautilus

@@ -72,7 +72,9 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   @{bin}/file-roller         rPx,
   @{bin}/firejail           rPUx,
   @{bin}/net                rPUx,
-  @{bin}/tracker3           rPUx,
+
+  @{bin}/* r,
+  @{lib}/@{multiarch}/glib-2.0/gio-launch-desktop m,
 
   @{open_path}               rPx -> child-open,
 

apparmor.d/groups/gnome/ptyxis

@@ -13,6 +13,10 @@ profile ptyxis @{exec_path} {
   include <abstractions/common/gnome>
   include <abstractions/consoles>
 
+  unix type=stream peer=(label=ptyxis-agent),
+
+  #aa:dbus own bus=session name=org.gnome.Ptyxis
+
   @{exec_path} mr,
 
   @{lib}/ptyxis-agent          Px,
@@ -25,11 +29,12 @@ profile ptyxis @{exec_path} {
 
   owner @{user_config_dirs}/org.gnome.Ptyxis/ rw,
   owner @{user_config_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_config_dirs}/org.gnome.Ptyxis/**,
+  owner @{user_config_dirs}/ubuntu-xdg-terminals.list r,
 
   owner @{user_share_dirs}/org.gnome.Ptyxis/ rw,
   owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**,
 
-  owner /tmp/#@{int} w,
+  owner /tmp/#@{int} rw,
 
   /dev/ptmx rw,
 

apparmor.d/groups/gnome/ptyxis-agent

@@ -25,7 +25,9 @@ profile ptyxis-agent @{exec_path} {
   @{bin}/podman       Px,
   @{bin}/systemd-run  Cx -> shell,
 
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  owner @{user_share_dirs}/containers/ w,
+  owner @{user_share_dirs}/containers/storage/ w,
+  owner @{user_share_dirs}/containers/storage/overlay-containers/ w,
 
   @{PROC}/@{pid}/cmdline r,
 
@@ -37,9 +39,13 @@ profile ptyxis-agent @{exec_path} {
 
     signal send,
 
+    unix bind type=stream addr=@@{udbus}/bus/systemd-run/,
+
     @{bin}/systemd-run mr,
     @{bin}/@{shells}   Ux,
 
+    owner @{run}/user/@{uid}/systemd/private rw,
+
     include if exists <local/ptyxis-agent_shell>
   }
 

apparmor.d/groups/snap/snap

@@ -52,11 +52,14 @@ profile snap @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
+  @{sh_path} mr,
   @{bin}/mount rix,
   @{bin}/getent rix,
 
   @{bin}/gpg{,2}          rCx -> gpg,
   @{bin}/systemctl        rCx -> systemctl,
+  @{bin}/systemd-run      rCx -> run, # Start snap from the cli
+  @{bin}/xdg-settings     rCx -> xdg-settings,
 
   @{lib_dirs}/**          mr,
   @{lib_dirs}/snapd/snap-confine     rPx,
@@ -98,7 +101,7 @@ profile snap @{exec_path} flags=(attach_disconnected) {
         @{PROC}/sys/kernel/random/uuid r,
         @{PROC}/sys/kernel/seccomp/actions_avail r,
         @{PROC}/version r,
-  owner @{PROC}/@{pid}/attr/apparmor/current r,
+        @{PROC}/@{pid}/attr/apparmor/current r,
   owner @{PROC}/@{pid}/mounts r,
 
   /dev/tty@{int} rw,
@@ -125,6 +128,49 @@ profile snap @{exec_path} flags=(attach_disconnected) {
     include if exists <local/snap_gpg>
   }
 
+  profile xdg-settings {
+    include <abstractions/base>
+    include <abstractions/desktop-files>
+
+    @{bin}/xdg-settings mr,
+
+    @{sh_path}       r,
+    @{bin}/{,e}grep  rix,
+    @{bin}/basename  rix,
+    @{bin}/cat        ix,
+    @{bin}/cut       rix,
+    @{bin}/head       ix,
+    @{bin}/mkdir      ix,
+    @{bin}/mktemp     ix,
+    @{bin}/mv         ix,
+    @{bin}/readlink   ix,
+    @{bin}/realpath  rix,
+    @{bin}/rm         ix,
+    @{bin}/sed        ix,
+    @{bin}/sleep      ix,
+    @{bin}/sort       ix,
+    @{bin}/touch      ix,
+    @{bin}/tr         ix,
+    @{bin}/uname      ix,
+    @{bin}/wc         ix,
+
+    @{bin}/xdg-mime   Px,
+
+    include if exists <local/snap_xdg-settings>
+  }
+
+  profile run {
+    include <abstractions/base>
+
+    unix bind type=stream addr=@@{udbus}/bus/systemd-run/,
+
+    @{bin}/systemd-run mr,
+
+    owner @{run}/user/@{uid}/systemd/private rw,
+
+    include if exists <local/snap_run>
+  }
+
   profile systemctl {
     include <abstractions/base>
     include <abstractions/app/systemctl>

apparmor.d/groups/snap/snap-update-ns

@@ -61,6 +61,7 @@ profile snap-update-ns @{exec_path} {
 
   @{sys}/fs/cgroup/{,**/} r,
   @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.scope/cgroup.freeze rw,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw,
 
   @{PROC}/@{pids}/cgroup r,

apparmor.d/groups/ssh/ssh

@@ -45,8 +45,8 @@ profile ssh @{exec_path} {
 
   audit owner @{tmp}/ssh-*/{,agent.@{int}} rwkl,
 
-  owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
-  owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} wl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
+  owner @{run}/user/@{uid}/gvfsd-sftp/@{hex} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
+  owner @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand} rwl -> @{run}/user/@{uid}/gvfsd-sftp/@{hex}.@{rand},
   owner @{run}/user/@{uid}/keyring/ssh rw,
 
   @{sys}/ r,

apparmor.d/groups/systemd/systemd-coredump

@@ -37,6 +37,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
   /opt/** r,
   /usr/share/*/** r,
   @{user_lib_dirs}/** r,
+  /snap/*/@{int}/opt/** r,
+  /snap/*/@{int}/usr/** r,
 
   /etc/systemd/coredump.conf r,
   /etc/systemd/coredump.conf.d/{,**} r,
@@ -45,6 +47,8 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
 
   /var/lib/systemd/coredump/{,**} rwl,
 
+  owner @{run}/user/@{uid}/snap.*/.org.chromium.Chromium.@{rand6} r,
+
   @{att}/@{run}/systemd/coredump rw,
   @{run}/systemd/coredump rw,
 

apparmor.d/groups/systemd/systemd-udevd

@@ -35,6 +35,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
   network inet6 dgram,
   network netlink raw,
 
+  unix type=stream addr=@@{udbus}/bus/udevadm/,
+
   @{exec_path} mrix,
 
   @{sh_path}                               rix,

apparmor.d/groups/ubuntu/apport

@@ -43,6 +43,11 @@ profile apport @{exec_path} flags=(attach_disconnected) {
   /var/lib/dpkg/info/ r,
   /var/lib/dpkg/info/*.list r,
   /var/lib/dpkg/info/*.md5sums r,
+  /var/lib/dpkg/diversions r,
+  /var/lib/dpkg/triggers/* r,
+  /var/lib/dpkg/updates/ r,
+
+  /var/lib/systemd/coredump/*.zst r,
 
         /var/crash/ rw,
         /var/crash/*.@{uid}.crash rw,

apparmor.d/groups/ubuntu/software-properties-gtk

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/software-properties-gtk
-profile software-properties-gtk @{exec_path} {
+profile software-properties-gtk @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
   include <abstractions/bus-accessibility>
@@ -62,6 +62,10 @@ profile software-properties-gtk @{exec_path} {
   owner @{tmp}/tmp@{word8}/ rw,
   owner @{tmp}/tmp@{word8}/apt.conf rw,
 
+        /dev/shm/ r,
+  owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6},
+  owner /dev/shm/sem.mp-@{rand8} rw,
+
   owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
 
   @{sys}/devices/ r,
@@ -75,6 +79,7 @@ profile software-properties-gtk @{exec_path} {
   owner @{PROC}/@{pid}/environ r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/stat r,
 
   # Silencer
   deny @{user_share_dirs}/gvfs-metadata/* r,

apparmor.d/groups/ubuntu/ubuntu-advantage

@@ -52,6 +52,8 @@ profile ubuntu-advantage @{exec_path} {
 
   /etc/machine-id r,
 
+  owner @{user_cache_dirs}/ubuntu-pro/{,**} rw,
+
   owner @{tmp}/tmp[0-9a-z]*/apt.conf r,
   owner @{tmp}/[0-9a-z]*{,/} rw,
   owner @{tmp}/[0-9a-z]*/apt-helper-output rw,

apparmor.d/groups/utils/who

@@ -20,6 +20,8 @@ profile who @{exec_path} {
 
   @{run}/systemd/sessions/* r,
 
+  # file_inherit
+  deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   deny owner @{user_share_dirs}/zed/**/data.mdb rw,
 

apparmor.d/profiles-a-f/fwupdmgr

@@ -42,6 +42,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) {
   owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw,
   owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
 
+  owner /var/lib/fwupd/ w,
   owner /var/lib/fwupd/.cache/ w,
 
         @{user_cache_dirs}/dconf/user rw,

apparmor.d/profiles-m-r/mkinitramfs

@@ -174,6 +174,7 @@ profile mkinitramfs @{exec_path} {
     /usr/share/initramfs-tools/scripts/{,**/} r,
     /etc/initramfs-tools/scripts/{,**/} r,
 
+    owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/{,**/} r,
     owner /var/tmp/mkinitramfs_@{rand6}/{,**/} r,
 
     include if exists <local/mkinitramfs_find>
@@ -189,6 +190,12 @@ profile mkinitramfs @{exec_path} {
     owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/{,**/} r,
     owner /var/tmp/mkinitramfs_@{rand6}/usr/lib/modules/*/kernel/**/*.ko* r,
 
+    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/ r,
+    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/modules.* rw,
+    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/updates/{,**} r,
+    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/{,**/} r,
+    owner /tmp/tmp.@{rand10}/usr/lib/modules/*/kernel/**/*.ko* r,
+
     @{sys}/module/compression r,
 
     include if exists <local/mkinitramfs_kmod>

apparmor.d/profiles-m-r/motd

@@ -10,6 +10,7 @@ include <tunables/global>
 profile motd @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
 
   capability net_admin,
 

apparmor.d/profiles-m-r/on-ac-power

@@ -14,6 +14,7 @@ profile on-ac-power @{exec_path} {
   @{exec_path} r,
   @{sh_path}        rix,
 
+  @{bin}/{,e}grep   rix,
   @{bin}/{m,g,}awk  rix,
   @{bin}/cat        rix,
 

apparmor.d/profiles-s-z/swtpm_setup

@@ -21,9 +21,9 @@ profile swtpm_setup @{exec_path} {
   /var/log/swtpm/{,**} w,
   /var/lib/libvirt/swtpm/@{uuid}/tpm2/ r,
 
-  owner @{tmp}/swtpm_setup.certs.*/ w,
-  owner @{tmp}/swtpm_setup.certs.*/*.cert rw,
-  owner @{tmp}/.swtpm_setup.pidfile* rw,
+  owner @{tmp}/.swtpm_setup.pidfile.@{rand6} rw,
+  owner @{tmp}/swtpm_setup.certs.@{rand6}/ w,
+  owner @{tmp}/swtpm_setup.certs.@{rand6}/*.cert rw,
 
   include if exists <local/swtpm_setup>
 }