feat(profile): general update.

apparmor.d/groups/_full/default-sudo

@@ -11,8 +11,6 @@ profile default-sudo @{exec_path} {
   include <abstractions/app/sudo>
 
   capability chown,
-  capability dac_override,
-  capability dac_read_search,
   capability mknod,
   capability sys_ptrace,
 
@@ -21,7 +19,6 @@ profile default-sudo @{exec_path} {
 
   ptrace (read),
 
-  @{bin}/sudo     mr,
   @{bin}/su       mr,
 
   @{bin}/**       Px,
@@ -31,20 +28,13 @@ profile default-sudo @{exec_path} {
         /var/db/sudo/lectured/ r,
         /var/lib/extrausers/shadow r,
         /var/lib/sudo/lectured/ r,
-        /var/lib/sudo/ts/ rw,
-        /var/lib/sudo/ts/* rwk,
-        /var/log/sudo.log wk,
   owner /var/db/sudo/lectured/@{uid} rw,
   owner /var/lib/sudo/lectured/* rw,
 
   owner @{HOME}/.sudo_as_admin_successful rw,
 
-        @{run}/ r,
+  @{run}/ r,
-        @{run}/faillock/{,*} rwk,
+  @{run}/systemd/sessions/* r,
-        @{run}/systemd/sessions/* r,
-  owner @{run}/sudo/ rw,
-  owner @{run}/sudo/ts/ rw,
-  owner @{run}/sudo/ts/* rwk,
 
   include if exists <local/default-sudo>
 }

apparmor.d/groups/apps/signal-desktop

@@ -17,13 +17,10 @@ profile signal-desktop @{exec_path} {
   include <abstractions/audio-client>
   include <abstractions/common/chromium>
   include <abstractions/consoles>
+  include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
+  include <abstractions/graphics>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl-intel>
   include <abstractions/user-download-strict>
 
   # Needed?
@@ -60,11 +57,6 @@ profile signal-desktop @{exec_path} {
 
   @{run}/systemd/inhibit/*.ref rw,
 
-  @{sys}/devices/@{pci}/{irq,vendor,device} r,
-  @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-  @{sys}/devices/virtual/tty/tty@{int}/active r,
-  @{sys}/fs/cgroup/** r,
-
         @{PROC}/ r,
         @{PROC}/@{pids}/stat r,
         @{PROC}/sys/fs/inotify/max_user_watches r,

apparmor.d/groups/browsers/firefox-crashreporter

@@ -34,12 +34,12 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
   @{bin}/mv rix,
 
   owner "@{config_dirs}/firefox/Crash Reports/{,**}" rw,
-  owner @{config_dirs}/*.*/crashes/{,**} rw,
+  owner @{config_dirs}/firefox/*.*/crashes/{,**} rw,
-  owner @{config_dirs}/*.*/crashes/events/@{uuid} rw,
+  owner @{config_dirs}/firefox/*.*/crashes/events/@{uuid} rw,
-  owner @{config_dirs}/*.*/extensions/*.xpi r,
+  owner @{config_dirs}/firefox/*.*/extensions/*.xpi r,
-  owner @{config_dirs}/*.*/minidumps/{,**} rw,
+  owner @{config_dirs}/firefox/*.*/minidumps/{,**} rw,
-  owner @{config_dirs}/*.*/minidumps//@{uuid}.{dmp,extra} r,
+  owner @{config_dirs}/firefox/*.*/minidumps//@{uuid}.{dmp,extra} r,
-  owner @{config_dirs}/*.*/storage/default/* r,
+  owner @{config_dirs}/firefox/*.*/storage/default/* r,
 
   owner @{cache_dirs}/firefox/*.*/** r,
 

apparmor.d/groups/bus/dbus-system

@@ -23,12 +23,15 @@ profile dbus-system flags=(attach_disconnected) {
   capability net_admin,
   capability setgid,
   capability setuid,
+  capability sys_ptrace,
   capability sys_resource,
 
   network netlink raw,
   network bluetooth stream,
   network bluetooth seqpacket,
 
+  ptrace (read) peer=@{systemd},
+
   dbus bus=system,
 
   @{exec_path} mrix,
@@ -59,6 +62,9 @@ profile dbus-system flags=(attach_disconnected) {
   @{sys}/module/apparmor/parameters/enabled r,
 
         @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/environ r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/osrelease r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/oom_score_adj rw,

apparmor.d/groups/freedesktop/dconf-editor

@@ -22,8 +22,5 @@ profile dconf-editor @{exec_path} {
   owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
   owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-@{rand6} rw,
 
-  owner @{HOME}/.Xauthority r,
-  owner /dev/tty@{int} rw,
-
   include if exists <local/dconf-editor>
 }

apparmor.d/groups/freedesktop/update-desktop-database

@@ -28,7 +28,6 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
   /var/lib/snapd/desktop/applications/mimeinfo.cache w,
 
   owner @{user_share_dirs}/.mimeinfo.cache.* rw,
-  owner @{user_share_dirs}/{,**/} r,
   owner @{user_share_dirs}/**.desktop r,
   owner @{user_share_dirs}/applications/.mimeinfo.cache.* rw,
   owner @{user_share_dirs}/applications/mimeinfo.cache w,
@@ -37,6 +36,7 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {
   # Inherit silencer
   deny network inet6 stream,
   deny network inet stream,
+  deny network netlink raw,
 
   include if exists <local/update-desktop-database>
 }

apparmor.d/groups/freedesktop/xdg-settings

@@ -59,10 +59,9 @@ profile xdg-settings @{exec_path} {
     @{bin}/dbus-send     mr,
     @{bin}/dbus-daemon  rPx,
 
-    # for dbus-launch
     owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
 
-    @{HOME}/.Xauthority r,
+    include if exists <local/xdg-settings_dbus>
   }
 
   include if exists <local/xdg-settings>

apparmor.d/groups/gnome/epiphany-search-provider

@@ -11,13 +11,11 @@ profile epiphany-search-provider @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
   include <abstractions/enchant>
-  include <abstractions/fonts>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
-  include <abstractions/X-strict>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/groups/gnome/gdm

@@ -21,6 +21,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   capability kill,
   capability net_admin,
   capability sys_nice,
+  capability sys_tty_config,
 
   network netlink raw,
 
@@ -32,6 +33,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   signal (send) set=(term) peer=gdm-session-worker,
   signal (send) set=(term) peer=gdm-session,
   signal (send) set=(term) peer=gnome-session-binary,
+  signal (send) set=(term) peer=jackdbus,
   signal (send) set=(term) peer=tracker-miner,
   signal (send) set=(term) peer=xdg-*,
   signal (send) set=(term) peer=xorg,
@@ -52,10 +54,12 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{sh_path}                       rix,
+  @{bin}/chvt                      rix,
   @{bin}/pidof                     rPx,
   @{bin}/plymouth                  rPx,
   @{bin}/prime-switch             rPUx,
   @{bin}/sleep                     rix,
+  @{bin}/systemd-cat               rPx,
   @{lib}/{,gdm/}gdm-session-worker rPx,
   /etc/gdm{3,}/PrimeOff/Default    rix,
 
@@ -70,7 +74,10 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   /etc/sysconfig/displaymanager r,
   /etc/sysconfig/windowmanager r,
 
-  /var/{lib,log}/gdm{3,}/ rw,
+  /var/lib/gdm{3,}/ rw,
+  /var/lib/gdm{3,}/block-initial-setup rw,
+
+  /var/log/gdm{3,}/ rw,
 
   owner @{GDM_HOME}/block-initial-setup rw,
 
@@ -81,6 +88,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   owner @{run}/gdm{3,}.pid rw,
   owner @{run}/gdm{3,}/ rw,
   owner @{run}/gdm{3,}/custom.conf r,
+  owner @{run}/gdm{3,}/dbus/ w,
+  owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
   owner @{run}/gdm{3,}/gdm.pid rw,
 
   @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
@@ -92,6 +101,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/**/uevent r,
   @{sys}/devices/@{pci}/boot_vga r,
   @{sys}/devices/virtual/tty/tty@{int}/active r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cgroup.events r,
 
         @{PROC}/@{pid}/cgroup r,
         @{PROC}/1/environ r,

apparmor.d/groups/gnome/gdm-session

@@ -52,7 +52,7 @@ profile gdm-session @{exec_path} {
 
   owner @{gdm_cache_dirs}/gdm/ rw,
   owner @{gdm_cache_dirs}/gdm/Xauthority rw,
-  owner @{gdm_config_dirs}/.config/dconf/user r,
+  owner @{gdm_config_dirs}/dconf/user r,
   owner @{GDM_HOME}/greeter-dconf-defaults r,
 
   owner @{run}/gdm{3,}/custom.conf r,

apparmor.d/groups/gnome/gdm-session-worker

@@ -69,6 +69,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   /usr/share/wayland-sessions/*.desktop r,
   /usr/share/xsessions/gnome-xorg.desktop r,
 
+  # Add user; set password on first login
+  /etc/.pwd.lock wk,
+  /etc/nshadow rw,
+  /etc/shadow w,
+
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*.conf} r,
   /etc/default/locale r,
@@ -93,30 +98,28 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   owner @{run}/systemd/seats/seat@{int} r,
   owner @{run}/user/@{uid}/keyring/control rw,
 
+        @{run}/gdm{3,}/custom.conf r,
+  owner @{run}/gdm{3,}/dbus/ w,
+  owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
+
   @{run}/cockpit/active.motd r,
   @{run}/faillock/[a-zA-z0-9]* rwk,
-  @{run}/gdm{3,}/custom.conf r,
   @{run}/motd.d/{,*} r,
   @{run}/systemd/sessions/* r,
   @{run}/systemd/sessions/*.ref rw,
   @{run}/systemd/users/@{uid} r,
   @{run}/utmp rwk,
 
+        @{PROC}/@{pids}/cgroup r,
+        @{PROC}/1/limits r,
+        @{PROC}/keys r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid rw,
   owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,
   owner @{PROC}/@{pid}/uid_map r,
-        @{PROC}/@{pids}/cgroup r,
-        @{PROC}/1/limits r,
-        @{PROC}/keys r,
 
   /dev/tty rw,
   /dev/tty@{int} rw,
 
-  # Add user; set password on first login
-  /etc/.pwd.lock wk,
-  /etc/nshadow rw,
-  /etc/shadow w,
-
   include if exists <local/gdm-session-worker>
 }

apparmor.d/groups/gnome/gkbd-keyboard-display

@@ -9,12 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/gkbd-keyboard-display
 profile gkbd-keyboard-display @{exec_path} {
   include <abstractions/base>
-  include <abstractions/fonts>
+  include <abstractions/gnome-strict>
   include <abstractions/dconf-write>
 
   @{exec_path} mr,
 
-  /usr/share/X11/{,**} r,
-
   include if exists <local/gkbd-keyboard-display>
 }

apparmor.d/groups/gnome/gnome-control-center

@@ -60,6 +60,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /usr/share/language-tools/language2locale      rix,
   /usr/share/language-tools/language-options    rPUx,
 
+  @{open_path}                                   rPx -> child-open-browsers,
+
   /opt/**/share/icons/{,**} r,
   /snap/*/@{int}/**.png r,
   /usr/share/backgrounds/{,**} r,
@@ -99,6 +101,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
   owner @{user_cache_dirs}/thumbnails/{,**} rw,
 
+  owner @{user_config_dirs}/background rw,
   owner @{user_config_dirs}/gnome-control-center/{,**} rw,
   owner @{user_config_dirs}/ibus/bus/ r,
   owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,

apparmor.d/groups/gnome/gnome-desktop-thumbnailers

@@ -17,6 +17,7 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) {
   @{bin}/bwrap mr,
   @{bin}/*-thumbnailer rix,
 
+  /usr/share/ladspa/rdf/{,**} r,
   /usr/share/poppler/{,**} r,
 
   owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw,

apparmor.d/groups/gnome/gnome-session-binary

@@ -76,7 +76,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   @{etc_ro}/xdg/autostart/{,*.desktop} r,
 
   owner @{gdm_cache_dirs}/gdm/Xauthority r,
-  owner @{gdm_cache_dirs}/mesa_shader_cache/index rw,
   owner @{gdm_config_dirs}/dconf/user rw,
   owner @{gdm_config_dirs}/gnome-session/ rw,
   owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,
@@ -140,7 +139,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
     @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher          rPx,
     @{lib}/{,gnome-shell/}gnome-shell-overrides-migration.sh rPx,
     @{lib}/@{multiarch}/xapps/sn-watcher/xapp-sn-watcher  rPUx,
-    @{lib}/baloo_file                                      rPx,
     @{lib}/caribou/caribou                                rPUx,
     @{lib}/deja-dup/deja-dup-monitor                       rPx,
     @{lib}/gsd-disk-utility-notify                         rPx,
@@ -149,6 +147,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
     @{thunderbird_path}                                    rPx,
     /usr/share/libpam-kwallet-common/pam_kwallet_init     rPUx,
 
+    #aa:exec baloo
     #aa:exec evolution-alarm-notify
     @{lib}/kdeconnectd rPUx,
     @{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx,

apparmor.d/groups/gnome/gnome-shell

@@ -87,6 +87,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   # Talk with gnome-shell
 
+  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
   #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 
   #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
@@ -109,15 +110,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
        member={RegisterWithCapabilities,Unregister}
        peer=(name=:*, label=NetworkManager),
 
-  dbus send bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member=DeleteDevice
-       peer=(name=:*, label=colord),
-  dbus receive bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member=ProfileAdded
-       peer=(name=:*, label=colord),
-
   dbus receive bus=system path=/org/freedesktop/login1/seat/seat@{int}
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged
@@ -252,11 +244,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{gdm_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw,
   owner @{gdm_cache_dirs}/ibus/dbus-@{rand8} rw,
   owner @{gdm_cache_dirs}/libgweather/ r,
-  owner @{gdm_cache_dirs}/mesa_shader_cache/ rw,
-  owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/ rw,
-  owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex} rw,
-  owner @{gdm_cache_dirs}/mesa_shader_cache/@{h}@{h}/@{hex}.tmp rwk,
-  owner @{gdm_cache_dirs}/mesa_shader_cache/index rw,
   owner @{gdm_config_dirs}/dconf/user r,
   owner @{gdm_config_dirs}/ibus/ rw,
   owner @{gdm_config_dirs}/ibus/bus/ rw,
@@ -314,7 +301,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
         /tmp/.X@{int}-lock rw,
         /tmp/dbus-@{rand8} rw,
-  owner /tmp/[0-9A-Z]*.shell-extension.zip rw,
+  owner /tmp/@{rand6}.shell-extension.zip rw,
   owner /tmp/gdkpixbuf-xpm-tmp.@{rand6} rw,
 
   @{run}/systemd/users/@{uid} r,

apparmor.d/groups/gnome/kgx

@@ -11,13 +11,9 @@ profile kgx @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/dconf-write>
-  include <abstractions/dri-common>
-  include <abstractions/dri-enumerate>
   include <abstractions/gnome-strict>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/nvidia>
-  include <abstractions/vulkan>
 
   capability sys_ptrace,
 

apparmor.d/groups/gnome/loupe

@@ -13,7 +13,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
-  include <abstractions/user-read>
+  include <abstractions/trash-strict>
 
   signal (send) set=(kill) peer=loupe//bwrap,
 
@@ -23,6 +23,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
 
   /usr/share/glycin-loaders/{,**} r,
 
+  / r,
+
   @{sys}/fs/cgroup/user.slice/cpu.max r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,

apparmor.d/groups/gnome/org.gnome.NautilusPreviewer

@@ -27,9 +27,9 @@ profile org.gnome.NautilusPreviewer @{exec_path} {
 
   @{open_path}         rPx -> child-open,
 
+  /usr/share/ladspa/rdf/{,**} r,
   /usr/share/poppler/{,**} r,
   /usr/share/sushi/org.gnome.NautilusPreviewer.*.gresource r,
-  /usr/share/ladspa/rdf/{,**} r,
 
   /etc/machine-id r,
 

apparmor.d/groups/gnome/tracker-miner

@@ -31,11 +31,23 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.Files
   #aa:dbus own bus=session name=org.freedesktop.Tracker3.Miner.RSS
 
+  dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=:*, label=nautilus),
+  dbus receive bus=session path=/org/freedesktop/Tracker3/Endpoint
+       interface=org.freedesktop.Tracker3.Endpoint
+       member=Query
+       peer=(name=:*, label=nautilus),
+
   @{exec_path} mr,
 
+  @{lib}/tracker-extract-3 rix,
+
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
   /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
+  /usr/share/ladspa/rdf/{,**} r,
   /usr/share/tracker3-miners/{,**} r,
   /usr/share/tracker3/{,**} r,
 

apparmor.d/groups/gpg/gpg

@@ -54,6 +54,7 @@ profile gpg @{exec_path} {
   owner /var/tmp/zypp.@{rand6}/ rw,
   owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,
 
+  #aa:exclude ubuntu
   owner /tmp/ostree-gpg-*/ r,
   owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 

apparmor.d/groups/kde/konsole

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/konsole
-profile konsole @{exec_path} flags=(attach_disconnected) {
+profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/audio-client>
   include <abstractions/bus-accessibility>

apparmor.d/groups/pacman/pacman-hook-dkms

@@ -16,10 +16,10 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{bin}/bash rix,
+  @{sh_path}    rix,
-  @{bin}/dkms rPx,
+  @{bin}/dkms   rPx,
-  @{bin}/kmod rPx,
+  @{bin}/kmod   rPx,
-  @{bin}/nproc rix,
+  @{bin}/nproc  rix,
 
   /usr/src/ r,
   /usr/src/**.conf r,

apparmor.d/groups/ssh/sshd

@@ -83,8 +83,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   @{etc_ro}/ssh/sshd_config.d/{,*} r,
   /etc/ssh/ssh_host_* r,
 
-  /var/lib/extrausers/shadow r,
-
   # For scp
   owner @{user_download_dirs}/{,**} rwl,
   owner @{user_sync_dirs}/{,**} rwl,

apparmor.d/groups/systemd/systemd-path

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/systemd-path
 profile systemd-path @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 

apparmor.d/groups/ubuntu/update-notifier

@@ -39,6 +39,10 @@ profile update-notifier @{exec_path} {
        member={AboutToShow,GetGroupProperties,GetLayout}
        peer=(name=:*, label=gnome-shell),
 
+  dbus send bus=session path=/org/ayatana/NotificationItem/*
+       interface=org.kde.StatusNotifierItem
+       peer=(name=org.freedesktop.DBus, label=gnome-shell),
+
   @{exec_path} mr,
 
   @{sh_path}                                     rix,

apparmor.d/profiles-a-f/boltd

@@ -19,15 +19,6 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
 
   #aa:dbus own bus=system name=org.freedesktop.bolt
 
-  dbus receive bus=system path=/org/freedesktop/bolt
-       interface=org.freedesktop.bolt1.Manager
-       member=ListDevices
-       peer=(name=:*, label=kded),
-
-  dbus (send,receive) bus=system path=/org/freedesktop/bolt{,/**}
-       interface=org.freedesktop.DBus.Properties
-       member=Get,
-
   @{exec_path} mr,
 
   /var/lib/boltd/{,**} rw,
@@ -42,14 +33,16 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
   @{sys}/bus/thunderbolt/devices/ r,
   @{sys}/bus/wmi/devices/ r,
   @{sys}/class/ r,
+  @{sys}/devices/@{pci}/@{uuid}/uevent r,
   @{sys}/devices/@{pci}/device r,
-  @{sys}/devices/@{pci}/domain@{int}/boot_acl rw,
+  @{sys}/devices/@{pci}/domain@{int}/ r,
   @{sys}/devices/@{pci}/domain@{int}/{security,uevent} r,
   @{sys}/devices/@{pci}/domain@{int}/**/ r,
   @{sys}/devices/@{pci}/domain@{int}/**/{authorized,generation} r,
-  @{sys}/devices/@{pci}/domain@{int}/**/{uevent,unique_id} r,
   @{sys}/devices/@{pci}/domain@{int}/**/{boot,rx_lanes,rx_speed,tx_lanes,tx_speed} r,
+  @{sys}/devices/@{pci}/domain@{int}/**/{uevent,unique_id} r,
   @{sys}/devices/@{pci}/domain@{int}/**/{vendor,device}_name r,
+  @{sys}/devices/@{pci}/domain@{int}/boot_acl rw,
   @{sys}/devices/@{pci}/domain@{int}/iommu_dma_protection r,
   @{sys}/devices/platform/**/uevent r,
   @{sys}/devices/platform/*/wmi_bus/wmi_bus-*/@{uuid}/force_power rw,

apparmor.d/profiles-a-f/dkms

@@ -24,46 +24,20 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{exec_path} rm,
 
   @{sh_path}        rix,
-  @{bin}/{,e,f}grep rix,
+  @{coreutils_path} rix,
-  @{bin}/{,g,m}awk  rix,
   @{bin}/as         rix,
-  @{bin}/cat        rix,
-  @{bin}/cp         rix,
-  @{bin}/cut        rix,
-  @{bin}/date       rix,
-  @{bin}/diff       rix,
-  @{bin}/echo       rix,
-  @{bin}/find       rix,
   @{bin}/gcc        rix,
   @{bin}/getconf    rix,
-  @{bin}/head       rix,
-  @{bin}/id         rPx,
   @{bin}/kmod       rCx -> kmod,
   @{bin}/ld         rix,
-  @{bin}/ln         rix,
-  @{bin}/ls         rix,
   @{bin}/lsb_release rPx -> lsb_release,
   @{bin}/make       rix,
-  @{bin}/mkdir      rix,
-  @{bin}/mktemp     rix,
-  @{bin}/mv         rix,
-  @{bin}/nproc      rix,
   @{bin}/objcopy    rix,
   @{bin}/pahole     rix,
-  @{bin}/pwd        rix,
   @{bin}/readelf    rix,
-  @{bin}/readlink   rix,
+  @{bin}/rpm       rPUx,
-  @{bin}/rm         rix,
-  @{bin}/rmdir      rix,
-  @{bin}/sed        rix,
-  @{bin}/sleep      rix,
-  @{bin}/sort       rix,
   @{bin}/strip      rix,
-  @{bin}/uname      rix,
-  @{bin}/uniq       rix,
   @{bin}/update-secureboot-policy rPUx,
-  @{bin}/wc         rix,
-  @{bin}/xargs      rix,
   @{bin}/zstd       rix,
 
   @{lib}/gcc/@{multiarch}/@{int}*/*            rix,
@@ -84,11 +58,17 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{lib}/modules/*/updates/dkms/{,*,*/,**.ko.xz,**.ko.zst} rw,
   @{lib}/modules/*/kernel/drivers/{,*,*/,**.ko.xz,**.ko.zst} rw,
 
+  /etc/lsb-release r,
+  /etc/dkms/{,**} r,
+
+  /var/ r,
+  /var/lib/ r,
+
   /var/lib/dkms/ r,
   /var/lib/dkms/** rw,
 
-  /etc/lsb-release r,
+  /var/lib/rpm/ r,
-  /etc/dkms/{,**} r,
+  /var/lib/rpm/** rw,
 
   # For building module in /usr/src/ subdirs
   /usr/include/**.h r,

apparmor.d/profiles-a-f/engrampa

@@ -16,30 +16,12 @@ profile engrampa @{exec_path} {
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
   include <abstractions/ibus>
   include <abstractions/nameservice-strict>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download-strict>
-  include <abstractions/X-strict>
-
-  dbus send bus=session path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member=GetId
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
-
-  dbus receive bus=session path=/org/gtk/Application/anonymous
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*),
-
-  dbus receive bus=session path=/org/gtk/Application/anonymous{,/window/@{int}}
-       interface=org.gtk.Actions
-       member=DescribeAll
-       peer=(name=:*),
 
   @{exec_path} mr,
 

apparmor.d/profiles-g-l/glib-compile-schemas

@@ -17,10 +17,15 @@ profile glib-compile-schemas @{exec_path} {
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/{,*} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled.[A-Z0-9]* rw,
+  /usr/share/glib-2.0/schemas/gschemas.compiled.@{rand6} rw,
   /usr/share/glib-2.0/schemas/gschemas.compiled rw,
 
   /usr/share/gnome-shell/extensions/*/schemas/org.gnome.shell.extensions.*.gschema.xml r,
 
+  owner @{user_share_dirs}/gnome-shell/extension-updates/*/schemas/ r,
+  owner @{user_share_dirs}/gnome-shell/extension-updates/*/schemas/gschemas.compiled rw,
+  owner @{user_share_dirs}/gnome-shell/extension-updates/*/schemas/gschemas.compiled.@{rand6} rw,
+  owner @{user_share_dirs}/gnome-shell/extension-updates/*/schemas/org.gnome.shell.extensions.*.gschema.xml r,
+
   include if exists <local/glib-compile-schemas>
 }

apparmor.d/profiles-g-l/jackdbus

@@ -7,11 +7,19 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/jackdbus
-profile jackdbus @{exec_path} {
+profile jackdbus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus-session>
+
+  signal (receive) set=(term) peer=gdm,
+
+  #aa:dbus own bus=session name=org.jackaudio.service
 
   @{exec_path} mr,
 
+  owner @{DESKTOP_HOME}/.log/ w,
+  owner @{DESKTOP_HOME}/.log/jack/{,**} rw,
+
   owner @{HOME}/.log/ w,
   owner @{HOME}/.log/jack/{,**} rw,
 

apparmor.d/profiles-g-l/locale-gen

@@ -32,6 +32,8 @@ profile locale-gen @{exec_path} {
 
   /etc/locale.gen r,
 
+  /var/lib/locales/supported.d/{,**} r,
+
   # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,

apparmor.d/profiles-m-r/pkexec

@@ -49,6 +49,7 @@ profile pkexec @{exec_path} {
   /etc/default/locale r,
   /etc/shells r,
 
+        @{PROC}/@{pid}/fdinfo/@{int} r,
         @{PROC}/@{pids}/stat r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid r,

apparmor.d/profiles-s-z/YACReader

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/YACReader
 profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/graphics>
@@ -36,11 +37,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_share_dirs}/YACReader/YACReader/ rw,
   owner @{user_share_dirs}/YACReader/YACReader/** rwlk,
 
-  owner @{user_config_dirs}/pulse/client.conf r,
-  owner @{user_config_dirs}/pulse/cookie rk,
-
-  owner @{run}/user/@{uid}/pulse/ r,
-
   /dev/shm/ r,
 
   owner @{PROC}/@{pid}/cmdline r,

apparmor.d/profiles-s-z/spice-vdagent

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/spice-vdagent
 profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/audio-client>
   include <abstractions/audio-server>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>

apparmor.d/profiles-s-z/umount

@@ -46,8 +46,7 @@ profile umount @{exec_path} {
   owner @{PROC}/@{pid}/mountinfo r,
 
   owner @{run}/mount/ rw,
-  owner @{run}/mount/utab.lock wk,
+  owner @{run}/mount/utab{,.*} rwk,
-        @{run}/mount/utab{,.*} rw,
 
   include if exists <local/umount>
 }

apparmor.d/profiles-s-z/update-cracklib

@@ -11,6 +11,8 @@ profile update-cracklib @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
+  capability dac_read_search,
+
   @{exec_path} mr,
 
   @{sh_path}                  rix,

apparmor.d/profiles-s-z/vlc

@@ -85,8 +85,6 @@ profile vlc @{exec_path} {
 
   @{bin}/xdg-screensaver rPx,
 
-  /usr/share/hwdata/pnp.ids r,
-  /usr/share/qt5ct/** r,
   /usr/share/vlc/{,**} r,
 
   /etc/fstab r,

apparmor.d/profiles-s-z/vlc-cache-gen

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/vlc/vlc-cache-gen
 profile vlc-cache-gen @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 

apparmor.d/profiles-s-z/wireshark

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2002-2005 Novell/SUSE
-#               2018-2021 Mikhail Morfikov
+# Copyright (C) 2018-2021 Mikhail Morfikov
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
@@ -8,60 +8,47 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-# pcap pcapng
-@{wireshark_ext} = [pP][cC][aA][pP]{,[nN][gG]}
-
 @{exec_path} = @{bin}/wireshark
 profile wireshark @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/consoles>
-  include <abstractions/dri-enumerate>
+  include <abstractions/desktop>
-  include <abstractions/fontconfig-cache-read>
+  include <abstractions/graphics>
-  include <abstractions/fonts>
+  include <abstractions/nameservice-strict>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
-  include <abstractions/mesa>
-  include <abstractions/nameservice>
-  include <abstractions/nvidia>
-  include <abstractions/private-files-strict>
-  include <abstractions/qt5-compose-cache-write>
-  include <abstractions/qt5-settings-write>
   include <abstractions/user-download-strict>
-  include <abstractions/X>
+  include <abstractions/user-read>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
 
   signal (send) peer=dumpcap,
 
   @{exec_path} mr,
 
   @{bin}/dumpcap          rPx,
-  @{bin}/xdg-open         rCx -> open,
+  @{open_path}            rPx -> child-open-browsers,
 
-  # For reading pcaps
-        / r,
-        /tmp/ r,
-        /home/ r,
-  owner @{HOME}/ r,
-  owner @{HOME}/**/ r,
-        @{MOUNTS}/ r,
-  owner @{MOUNTS}/**/ r,
-  owner /{tmp,home,media}/**.@{wireshark_ext}{,.gz} rw,
-
-  # Wireshark files
-  /usr/share/wireshark/** r,
   @{lib}/@{multiarch}/wireshark/extcap/* rix,
   @{lib}/@{multiarch}/wireshark/plugins/*/{codecs,epan,wiretap}/*.so mr,
-  /etc/wireshark/init.lua r,
 
-  # Wireshark home files
+  /usr/share/GeoIP/{,**} r,
+  /usr/share/wireshark/** r,
+
+  /etc/wireshark/init.lua r,
+  /etc/fstab r,
+
+  # For reading pcaps
+  owner @{user_projects_dirs}/{,**} r,
+
   owner @{HOME}/.wireshark/{,**} rw,
   owner @{user_config_dirs}/wireshark/{,**} rw,
 
-  # To configure Qt5 settings (theme, font, icons, etc.) under DE/WM without Qt integration
+  owner /tmp/wireshark_extcap_ciscodump_@{int}_* rw,
-  owner @{user_config_dirs}/qt5ct/{,**} r,
-  /usr/share/qt5ct/** r,
-  /usr/share/qt5/translations/*.qm r,
 
   deny       @{PROC}/sys/kernel/random/boot_id r,
   deny owner @{PROC}/@{pid}/cmdline r,
@@ -71,46 +58,8 @@ profile wireshark @{exec_path} {
              @{PROC}/@{pid}/mountinfo r,
              @{PROC}/@{pid}/mounts r,
 
-  /etc/fstab r,
+  owner /dev/shm/#@{int} rw,
-
-  /usr/share/hwdata/pnp.ids r,
-
-  /usr/share/GeoIP/{,**} r,
-
-  /dev/shm/#@{int} rw,
-
-  owner /tmp/wireshark_extcap_ciscodump_@{int}_* rw,
-
-  # Allowed apps to open
-  @{lib}/firefox/firefox rPUx,
-
-  # file_inherit
   owner /dev/tty@{int} rw,
 
-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    @{bin}/xdg-open mr,
-
-    @{sh_path}             rix,
-    @{bin}/{m,g,}awk       rix,
-    @{bin}/readlink        rix,
-    @{bin}/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-    @{lib}/firefox/firefox rPUx,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-    include if exists <local/wireshark_open>
-  }
-
   include if exists <local/wireshark>
 }

apparmor.d/tunables/multiarch.d/paths

@@ -49,9 +49,9 @@
 @{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
 
 # Coreutils programs that should not have dedicated profile
-@{coreutils}  = {,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown
+@{coreutils}  = {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown
-@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname du echo env expand
+@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname diff du echo env expand
-@{coreutils} += expr factor false find fmt fold gawk grep head hostid id install join link
+@{coreutils} += expr factor false find fmt fold gawk {,e,f}grep head hostid id install join link
 @{coreutils} += ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt
 @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir
 @{coreutils} += runcon sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep

dists/flags/main.flags

@@ -84,9 +84,9 @@ cups-notifier-mailto complain
 cups-notifier-rss complain
 cups-pk-helper-mechanism complain
 cupsd attach_disconnected,complain
-dbus-broker attach_disconnected,complain
+dbus-accessibility attach_disconnected,complain
-dbus-broker-launch attach_disconnected,complain
+dbus-session attach_disconnected,complain
-dbus-daemon attach_disconnected,complain
+dbus-system attach_disconnected,complain
 DiscoverNotifier complain
 dkms attach_disconnected,complain
 docker-proxy complain
@@ -200,7 +200,7 @@ kio_http_cache_cleaner complain
 kiod complain
 kioworker complain
 kmod attach_disconnected,complain
-konsole attach_disconnected,complain
+konsole attach_disconnected,mediate_deleted,complain
 kscreen_backend_launcher complain
 kscreen_osd_service complain
 ksmserver attach_disconnected,mediate_deleted,complain
@@ -213,7 +213,6 @@ landscape-sysinfo.wrapper complain
 language-validate attach_disconnected,complain
 last complain
 lastlog complain
-ldconfig.service complain
 libvirt-dbus complain
 libvirtd attach_disconnected,complain
 lightdm attach_disconnected,complain
@@ -330,7 +329,6 @@ systemd-generator-run attach_disconnected,complain
 systemd-generator-system-update attach_disconnected,complain
 systemd-generator-user-autostart complain
 systemd-generator-user-environment complain
-systemd-generator-user-environment-flatpak complain
 systemd-generator-veritysetup attach_disconnected,complain
 systemd-homed attach_disconnected,complain
 systemd-homework complain