feat(profile): general update.

apparmor.d/groups/_full/default

@@ -34,7 +34,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   network netlink dgram,
   network netlink raw,
 
-  signal (receive) set=(hup),
+  signal receive set=hup,
 
   @{bin}/bwrap           rPx -> bwrap,
   @{bin}/pipewire-pulse  rPx -> systemd//&pipewire-pulse,

apparmor.d/groups/browsers/chrome

@@ -14,7 +14,7 @@ include <tunables/global>
 @{cache_dirs} = @{user_cache_dirs}/google-@{name}
 
 @{exec_path} = @{lib_dirs}/@{name}
-profile chrome @{exec_path} {
+profile chrome @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app/chromium>
 

apparmor.d/groups/browsers/chromium

@@ -14,7 +14,7 @@ include <tunables/global>
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 
 @{exec_path} = @{lib_dirs}/@{name}
-profile chromium @{exec_path} {
+profile chromium @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app/chromium>
 

apparmor.d/groups/browsers/chromium-wrapper

@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/chromium
-profile chromium-wrapper @{exec_path} {
+profile chromium-wrapper @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/freedesktop.org>
   include <abstractions/mesa>

apparmor.d/groups/browsers/epiphany

@@ -38,12 +38,15 @@ profile epiphany @{exec_path} flags=(attach_disconnected) {
   @{bin}/xdg-dbus-proxy  rix,
   @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix,
 
+  /usr/share/enchant*/{,**} r,
+
   owner /bindfile@{rand6} rw,
   owner @{att}/.flatpak-info r,
 
   owner @{user_config_dirs}/glib-2.0/ w,
   owner @{user_config_dirs}/glib-2.0/settings/ w,
 
+  owner @{tmp}/ContentRuleList@{rand6} rw,
   owner @{tmp}/epiphany-*-@{rand6}/{,**} rw,
   owner @{tmp}/Serialized@{rand9} rw,
   owner @{tmp}/WebKit-Media-@{rand6} rw,

apparmor.d/groups/children/child-modprobe-nvidia

@@ -19,6 +19,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/nvidia-modprobe
 profile child-modprobe-nvidia flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/attached/consoles>
   include <abstractions/consoles>
 
   capability chown,

apparmor.d/groups/freedesktop/update-desktop-database

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/update-desktop-database
 profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/attached/consoles>
   include <abstractions/consoles>
   include <abstractions/freedesktop.org>
 

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -48,6 +48,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 
   owner @{desktop_cache_dirs}/dconf/user r,
   owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
+  owner @{desktop_config_dirs}/dconf/user r,
   owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
 
   owner @{HOME}/ r,

apparmor.d/groups/freedesktop/xdg-document-portal

@@ -57,7 +57,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/fd/ r,
 
-        /dev/fuse rw,
+  /dev/fuse rw,
 
   profile fusermount flags=(attach_disconnected) {
     include <abstractions/base>

apparmor.d/groups/freedesktop/xdg-open

@@ -35,6 +35,8 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
   @{bin}/xdg-mime             Px,
   @{open_path}                Px -> child-open-any,
 
+  @{PROC}/version r,
+
   profile bus {
     include <abstractions/base>
     include <abstractions/app/bus>

apparmor.d/groups/freedesktop/xkbcomp

@@ -11,6 +11,7 @@ include <tunables/global>
 profile xkbcomp @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/attached/consoles>
+  include <abstractions/consoles>
   include <abstractions/mesa>
   include <abstractions/X-strict>
 
@@ -29,6 +30,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/xorg/Xorg.@{int}.log w,
 
         /var/lib/{gdm{3,},sddm}/.local/share/xorg/Xorg.@{int}.log w,
+        /var/log/Xorg.@{int}.log w,
   owner /var/log/lightdm/x-@{int}.log w,
 
   owner @{run}/user/@{uid}/server-@{int}.xkm rwk,
@@ -38,9 +40,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
   /dev/dri/card@{int} rw,
   /dev/fb@{int} rw,
   /dev/tty rw,
-
-  deny /dev/input/event@{int} rw,
-  deny /var/log/Xorg.@{int}.log w,
+  /dev/input/event@{int} rw,
 
   include if exists <local/xkbcomp>
 }

apparmor.d/groups/freedesktop/xorg

@@ -134,6 +134,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   /dev/shm/shmfd-* rw,
   /dev/tty rw,
   /dev/tty@{int} rw,
+  /dev/udmabuf rw,
   /dev/vga_arbiter rw,  # Graphic card modules
 
   profile pkexec {

apparmor.d/groups/pacman/makepkg

@@ -10,6 +10,12 @@ include <tunables/global>
 profile makepkg @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+  include <abstractions/perl>
+  include <abstractions/python>
+  include <abstractions/shells>
+  include <abstractions/ssl_certs>
+  include <abstractions/wutmp>
 
   network inet stream,
   network inet6 stream,

apparmor.d/groups/pacman/pacman-hook-systemd

@@ -15,13 +15,14 @@ profile pacman-hook-systemd @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/bash  rix,
+  @{sh_path}   rix,
   @{bin}/touch rix,
 
   @{bin}/journalctl             rPx,
   @{bin}/systemctl              rCx -> systemctl,
   @{bin}/systemd-detect-virt    rPx,
   @{bin}/systemd-hwdb           rPx,
+  @{bin}/systemd-notify         rPx,
   @{bin}/systemd-sysusers       rPx,
   @{bin}/systemd-tmpfiles       rPx,
   @{bin}/udevadm                rPx,

apparmor.d/groups/pacman/yay

@@ -55,6 +55,10 @@ profile yay @{exec_path} {
 
     /usr/share/git{,-core}/{,**} r,
 
+    owner @{user_build_dirs}/**/.git/** r,
+    owner @{user_pkg_dirs}/**/.git/** r,
+    owner @{user_projects_dirs}/**/.git/** r,
+
     owner @{HOME}/.gitconfig r,
     owner @{user_cache_dirs}/yay/ rw,
     owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**,

apparmor.d/groups/systemd/systemd-journald

@@ -61,7 +61,7 @@ profile systemd-journald @{exec_path} {
   @{run}/udev/data/+usb:*       r,
   @{run}/udev/data/+virtio:*    r,
   @{run}/udev/data/b254:@{int} r,         # for /dev/zram*
-  @{run}/udev/data/b259:@{int} r,
+  @{run}/udev/data/b259:@{int} r,         # Block Extended Major
   @{run}/udev/data/c1:@{int}    r,        # For RAM disk
   @{run}/udev/data/c4:@{int} r,           # For TTY devices
   @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features

apparmor.d/groups/systemd/systemd-resolved

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-3.0-only
+# SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/4.0>,
 

apparmor.d/groups/virt/dockerd

@@ -45,15 +45,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   mount options=(rw rslave)                                 -> /,
 
   remount /tmp/containerd-mount@{int10}/,
-  remount /var/lib/docker/tmp/buildkit-mount@{int10}/,
+  remount /var/lib/docker/**/,
 
   umount /.pivot_root@{int}/,
   umount /run/docker/netns/*,
   umount /tmp/containerd-mount@{int}/,
-  umount /var/lib/docker/buildkit/**/,
-  umount /var/lib/docker/rootfs/**/,
-  umount /var/lib/docker/overlay*/**/,
-  umount /var/lib/docker/tmp/buildkit-mount@{int}/,
+  umount /var/lib/docker/**/,
 
   pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/               /var/lib/docker/overlay2/**/,
   pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/,