Merge branch 'roddhjav:main' into main

2024-07-16 07:22:22 +02:00 · 2024-07-16 07:22:22 +02:00 · 2dd6cb6cbe
commit 2dd6cb6cbe
parent d60c619929 cb30dcc4bc
77 changed files with 443 additions and 83 deletions
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@ -41,6 +41,7 @@
  / r,
  /etc/machine-id r,
        /var/db/sudo/lectured/ r,
  owner /var/lib/sudo/ts/ rw,   
  owner /var/lib/sudo/ts/@{uid} rwk,
  owner /var/log/sudo.log wk,
--- a/apparmor.d/abstractions/common/systemd
+++ b/apparmor.d/abstractions/common/systemd
@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
-  ptrace (read) peer=@{p_systemd},
+  ptrace read peer=@{p_systemd},
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@ -13,6 +13,8 @@
       member=Introspect 
       peer=(name=:*, label=gnome-shell),
  /usr/share/icu/@{int}.@{int}/*.dat r,
  /usr/{local/,}share/ r,
  /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
  /usr/{local/,}share/gvfs/remote-volume-monitors/{,*}  r,
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@ -70,11 +70,8 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{MOUNTS}/** rwl,
  owner @{HOME}/{,**} rwlk,
  owner @{run}/user/@{uid}/{,**} rw,
  owner @{user_config_dirs}/** rwkl,
  owner @{user_share_dirs}/** rwkl,
  owner @{tmp}/{,**} rwk,
-
+  owner @{run}/user/@{uid}/{,**} rwlk,
  owner @{run}/user/@{uid}/{,**} rw,
  @{run}/motd.dynamic.new rw,
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@ -30,6 +30,9 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{bin}/curl rix,
  @{bin}/mv   rix,
  @{lib_dirs}/minidump-analyzer rPx,
  @{bin}/mv rix,
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@ -42,6 +42,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
  @{sh_path}             rix,
  @{lib}/{,ibus/}ibus-*  rPUx,
  @{lib}/ibus-*/ibus-*   rPUx,
  /usr/share/ibus/{,**} r,
  /usr/share/ibus-table/{,**} r,
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@ -71,7 +71,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
    # @{sys}/module/{drm,nvidia}/initstate r,
    @{sys}/module/compression r,
-    deny  @{HOME}/.steam/** r,
+    deny @{HOME}/.steam/** r,
    include if exists <local/child-modprobe-nvidia_kmod>
  }
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -25,6 +25,7 @@ profile crontab @{exec_path} {
  @{bin}/vim.*           rCx -> editor,
  /etc/cron.{allow,deny} r,
  /etc/pam.d/* r,
        /var/spool/cron/ r,
        /var/spool/cron/crontabs/ rw,
@ -32,19 +33,18 @@ profile crontab @{exec_path} {
  owner @{tmp}/crontab.*/{,crontab} rw,
  profile editor {
    include <abstractions/base>
    include <abstractions/app/editor>
    capability fsetid,
    /etc/cron.{allow,deny} r,
          /tmp/ r,
    owner @{tmp}/crontab.*/crontab rw,
-    # file_inherit
+    include if exists <local/crontab_editor>
    /etc/cron.{allow,deny} r,
  }
  include if exists <local/crontab>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -84,6 +84,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/devices/virtual/dmi/id/board_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
        @{PROC}/ r,
        @{PROC}/*/ r,
        @{PROC}/1/cgroup r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -72,6 +72,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/ r,
  owner @{HOME}/*/{,**} rw,
  owner @{MOUNTS}/ r,
  owner @{tmp}/.goutputstream-@{rand6} rw,
  owner @{tmp}/@{rand6} rw,
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@ -42,7 +42,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  / r,
  owner /.flatpak-info r,
-  owner @{HOME}/** r,
+  owner @{HOME}/ r,
  owner @{HOME}/*/{,**} rw,
  owner @{MOUNTS}/ r,
  owner @{user_share_dirs}/flatpak/db/documents r,
  owner @{user_share_dirs}/Trash/files/** r,
@ -54,8 +56,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
-          /dev/fuse rw,
+        /dev/fuse rw,
-    owner /dev/tty@{int} rw,
+  owner /dev/tty@{int} rw,
  profile fusermount {
    include <abstractions/base>
--- a/apparmor.d/groups/freedesktop/xdg-user-dir
+++ b/apparmor.d/groups/freedesktop/xdg-user-dir
@ -9,11 +9,12 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-user-dir
 profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  @{exec_path} mr,
-  @{sh_path}                    rix,
+  @{sh_path}  rix,
-  @{bin}/env                    rix,
+  @{bin}/env  rix,
  owner @{user_config_dirs}/user-dirs.dirs r,
--- a/apparmor.d/groups/freedesktop/xhost
+++ b/apparmor.d/groups/freedesktop/xhost
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/xhost
-profile xhost @{exec_path} {
+profile xhost @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/X-strict>
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  capability sys_tty_config,
  network netlink raw,
  network unix stream,
  signal (receive) set=term peer=gdm,
  signal (send) set=(hup term) peer=gdm-session,
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -3,6 +3,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # TODO: Rethink this profile:
 # - Access to gio from a profile is handled by child-open-*
 # - Direct access should only be needed is some special context and it should not
 #   require access to that much resources.
 abi <abi/3.0>,
 include <tunables/global>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -218,6 +218,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /.flatpak-info r,
  /etc/fstab r,
  /etc/timezone r,
  /etc/tpm2-tss/*.json r,
  /etc/udev/hwdb.bin r,
  /etc/xdg/menus/gnome-applications.menu r,
@ -249,10 +250,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{HOME}/.face r,
  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
-  owner @{HOME}/.var/app/**/ r,
+  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
  owner @{HOME}/.var/app/**/ r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
-  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,
  owner @{user_games_dirs}/**.{png,jpg,svg} r,
  owner @{user_music_dirs}/**.{png,jpg,svg} r,
@ -282,6 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_cache_dirs}/vlc/**/*.jpg r,
        @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -21,6 +21,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
  network inet stream,
  signal (receive) set=(term, hup) peer=gdm*,
  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@ -21,6 +21,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
  network inet stream,
  signal (receive) set=(term, hup) peer=gdm*,
  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Keyboard
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -27,6 +27,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  signal (receive) set=(term, hup) peer=gdm*,
  network inet stream,
  network netlink raw,
  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -30,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
  network inet stream,
  network netlink raw,
  signal (receive) set=(term, hup) peer=gdm*,
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@ -31,13 +31,17 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /etc/{,opensc/}opensc.conf r,
-
+  /etc/tpm2-tss/* rk,
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_config_dirs}/dconf/user r,
  /var/tmp/ r,
  /tmp/ r,
  owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
  owner /dev/tty@{int} rw,
  include if exists <local/gsd-smartcard>
--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@ -21,6 +21,8 @@ profile session-migration @{exec_path} {
  owner @{gdm_share_dirs}/session_migration-* rw,
  owner @{user_share_dirs}/session_migration-* rw,
  /dev/tty@{int} rw,
  include if exists <local/session-migration>
 }
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -44,9 +44,9 @@ profile gpg @{exec_path} {
  owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,
  #aa:only pacman
-  owner /etc/pacman.d/gnupg/gpg.conf r,
+  /etc/pacman.d/gnupg/gpg.conf r,
-  owner /etc/pacman.d/gnupg/pubring.gpg r,
+  /etc/pacman.d/gnupg/pubring.gpg r,
-  owner /etc/pacman.d/gnupg/trustdb.gpg r,
+  /etc/pacman.d/gnupg/trustdb.gpg r,
  owner /var/lib/*/gnupg/ rw,
  owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
--- a/apparmor.d/groups/hyprland/hyprctl
+++ b/apparmor.d/groups/hyprland/hyprctl
@ -0,0 +1,20 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/hyprctl
 profile hyprctl @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  @{exec_path} mr,
  include if exists <local/hyprctl>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/hyprland/hyprlock
+++ b/apparmor.d/groups/hyprland/hyprlock
@ -0,0 +1,36 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/hyprlock
 profile hyprlock @{exec_path} {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/fonts>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  network netlink raw,
  @{exec_path} mr,
  /etc/security/faillock.conf r,
  /etc/shells r,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,
  owner @{user_pictures_dirs}/** r,
  owner @{user_config_dirs}/hypr/hyprlock.conf r,
  owner @{run}/faillock/@{user} rwk,
  owner /dev/tty@{int} rw,
  include if exists <local/hyprlock>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/hyprland/hyprpaper
+++ b/apparmor.d/groups/hyprland/hyprpaper
@ -0,0 +1,30 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/hyprpaper
 profile hyprpaper @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  @{exec_path} mr,
  /usr/share/icons/** r,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,
  owner @{user_config_dirs}/hypr/hyprpaper.conf r,
  owner @{run}/user/@{uid}/ r,
  owner @{run}/user/@{uid}/.hyprpaper* rw,
  owner @{run}/user/@{uid}/hypr/*/.hyprpaper.sock w,
  owner @{run}/user/@{uid}/hyprpaper.lock rw,
  include if exists <local/hyprpaper>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/hyprland/hyprpicker
+++ b/apparmor.d/groups/hyprland/hyprpicker
@ -0,0 +1,24 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/hyprpicker
 profile hyprpicker @{exec_path} {
  include <abstractions/base>
  @{exec_path} mr,
  @{bin}/wl-copy Px,
  /usr/share/icons/** r,
  owner @{run}/user/@{uid}/.hyprpicker* rw,
  include if exists <local/hyprpicker>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/hyprland/hyprpm
+++ b/apparmor.d/groups/hyprland/hyprpm
@ -0,0 +1,40 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/hyprpm
 profile hyprpm @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/user-tmp>
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  @{exec_path} mr,
  @{bin}/** rix,
  @{lib}/gcc/** rix,
  @{lib}/git-core/** rix,
  /usr/include/** r,
  /usr/share/git-core/** r,
  /usr/share/pkgconfig/** r,
  owner @{HOME}/.gitconfig r,
  owner @{user_share_dirs}/hyprpm/{,**} rw,
  /tmp/hyprpm/** rw,
  include if exists <local/hyprpm>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/network/dhcpcd
+++ b/apparmor.d/groups/network/dhcpcd
@ -39,20 +39,12 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
  @{bin}/sed                      rix,
  @{lib}/dhcpcd/dhcpcd-run-hooks  rix,
  /var/lib/dhcpcd/*.lease{,6} rw,
  /var/lib/dhcpcd/secret rw,
  /etc/dhcpcd.conf r,
  /etc/resolv.conf rw,
-  @{run}/dhcpcd/{.pid,pid} rwk,
+  /var/lib/dhcpcd/** rw,
-  @{run}/dhcpcd/{.sock,sock} w,
+
-  @{run}/dhcpcd/*.pid wk,
+  @{run}/dhcpcd/** rwk,
  @{run}/dhcpcd/*.sock w,
  @{run}/dhcpcd/hook-state/ rw,
  @{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw,
  @{run}/dhcpcd/hook-state/resolv.conf/ rw,
  @{run}/dhcpcd/unpriv.sock w,
  @{run}/udev/data/n@{int} r,
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -29,7 +29,7 @@ profile aurpublish @{exec_path} {
  @{bin}/date        rix,
  @{bin}/gettext     rix,
  @{bin}/git         rPx,
-  @{bin}/gpg{,2}     rPx,
+  @{bin}/gpg{,2}     rCx -> gpg,
  @{bin}/grep        rix,
  @{bin}/makepkg     rix,
  @{bin}/mkdir       rix,
@ -48,10 +48,9 @@ profile aurpublish @{exec_path} {
  /etc/makepkg.conf.d/{,**} r,
  owner @{user_build_dirs}/**/ w,
-  owner @{user_projects_dirs}/**/ r,
+  owner @{user_projects_dirs}/** r,
  owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
  owner @{user_projects_dirs}/**/.SRCINFO rw,
  owner @{user_projects_dirs}/**/PKGBUILD r,
  owner @{user_cache_dirs}/makepkg/src/* rw,
  owner @{user_config_dirs}/pacman/makepkg.conf r,
@ -62,6 +61,22 @@ profile aurpublish @{exec_path} {
  /dev/tty rw,
  profile gpg {
    include <abstractions/base>
    @{bin}/gpg{,2} mr,
    @{bin}/gpgconf mr,
    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
    owner @{user_cache_dirs}/makepkg/src/*.asc r,
    owner @{tmp}/tmp.@{rand10} rw,
    include if exists <local/aurpublish_gpg>
  }
  include if exists <local/aurpublish>
 }
--- a/apparmor.d/groups/systemd/systemd-cryptsetup
+++ b/apparmor.d/groups/systemd/systemd-cryptsetup
@ -12,6 +12,7 @@ profile systemd-cryptsetup @{exec_path} {
  include <abstractions/common/systemd>
  include <abstractions/disks-write>
  capability dac_read_search,
  capability ipc_lock,
  capability net_admin,
  capability sys_admin,
--- a/apparmor.d/groups/systemd/systemd-generator-fstab
+++ b/apparmor.d/groups/systemd/systemd-generator-fstab
@ -13,6 +13,7 @@ profile systemd-generator-fstab @{exec_path} {
  capability dac_override,
  capability dac_read_search,
  capability mknod,
  @{exec_path} mr,
--- a/apparmor.d/groups/systemd/systemd-generator-user-autostart
+++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart
@ -16,6 +16,8 @@ profile systemd-generator-user-autostart @{exec_path} {
  @{exec_path} mr,
  @{system_share_dirs}/applications/*.desktop r,
  @{etc_ro}/xdg/autostart/{,*.desktop} r,
  owner @{user_config_dirs}/autostart/{,*.desktop} r,
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@ -63,6 +63,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
  /var/lib/systemd/linger/ r,
  @{run}/.#nologin* rw,
  @{run}/credentials/getty@tty@{int}.service/ r,
  @{run}/host/container-manager r,
  @{run}/nologin rw,
  @{run}/utmp rk,
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@ -49,6 +49,9 @@ profile systemd-machined @{exec_path} {
  @{PROC}/pressure/io r,
  @{PROC}/pressure/memory r,
  /dev/ptmx rw,
  /dev/pts/@{int} rw,
  include if exists <local/systemd-machined>
 }
--- a/apparmor.d/groups/systemd/systemd-sleep-tlp
+++ b/apparmor.d/groups/systemd/systemd-sleep-tlp
@ -12,6 +12,7 @@ profile systemd-sleep-tlp @{exec_path} {
  @{exec_path} mr,
  @{sh_path} rix,
  @{bin}/tlp rPUx,
  include if exists <local/systemd-sleep-tlp>
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -52,6 +52,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
  @{bin}/more             rPx -> child-pager,
  @{bin}/multipath        rPx,
  @{bin}/nfsrahead        rix,
  @{bin}/nvidia-modprobe  rPx -> child-modprobe-nvidia,
  @{bin}/pager            rPx -> child-pager,
  @{bin}/perl             rix,
  @{bin}/setfacl          rix,
--- a/apparmor.d/groups/ubuntu/apport-gtk
+++ b/apparmor.d/groups/ubuntu/apport-gtk
@ -51,6 +51,7 @@ profile apport-gtk @{exec_path} {
  @{bin}/pkexec                 rPx, # TODO: rCx or something
  @{bin}/systemctl              rCx -> systemctl,
  @{bin}/systemd-detect-virt    rPx,
  @{bin}/uname                  rix,
  @{bin}/which{,.debianutils}   rix,
  @{lib}/{,colord/}colord-sane  rPx,
  @{lib}/@{multiarch}/ld*.so*   rix,
@ -60,8 +61,8 @@ profile apport-gtk @{exec_path} {
  /usr/share/apport/general-hooks/*.py r,
  /etc/apport/{,**} r,
  /etc/cloud/cloud.cfg.d/{,**} r,
  /etc/bash_completion.d/apport_completion r,
  /etc/cloud/{,**} r,
  /etc/cron.daily/apport r,
  /etc/default/apport r,
  /etc/gtk-3.0/settings.ini r,
@ -69,13 +70,15 @@ profile apport-gtk @{exec_path} {
  /etc/logrotate.d/apport r,
  /etc/xdg/autostart/*.desktop r,
  /var/crash/{,*.@{uid}.crash} rw,
  /var/lib/dpkg/info/ r,
  /var/lib/dpkg/info/*.list r,
  /var/lib/usbutils/*.ids r,
  /var/lib/dpkg/info/*.md5sums r,
  /var/log/installer/media-info r,
        /var/crash/ rw,
  owner /var/crash/*.@{uid}.{crash,upload} rw,
   @{run}/snapd.socket rw,
  /tmp/[a-z0-9]* rw,
@ -104,6 +107,7 @@ profile apport-gtk @{exec_path} {
    @{bin}/* r,
    /usr/share/gcc/python/{,**/}__pycache__/{,**} rw,
    /usr/share/gdb/python/{,**/}__pycache__/{,**} rw,
    /usr/share/gdb/{,**} r,
    /usr/share/glib-2.0/schemas/gschemas.compiled r,
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@ -34,6 +34,7 @@ profile agetty @{exec_path} {
  /etc/os-release r,
  /usr/etc/login.defs r,
        @{run}/credentials/getty@tty@{int}.service/ r,
        @{run}/credentials/serial-getty@ttyS@{int}.service/ r,
  owner @{run}/agetty.reload rw,
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@ -25,6 +25,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
  / r,
  /boot/ r,
  /home/ r,
  /.snapshots/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/ext2_saved/ rw,
--- a/apparmor.d/profiles-a-f/cmus
+++ b/apparmor.d/profiles-a-f/cmus
@ -0,0 +1,31 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/cmus
 profile cmus @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
  @{exec_path} mr,
  /usr/share/cmus/{,**} r,
  /usr/share/terminfo/{,**} r,
  /etc/machine-id r,
  owner @{user_music_dirs}/{,**} r,
  owner @{user_config_dirs}/ r,
  owner @{user_config_dirs}/cmus/{,**} rw,
  owner @{run}/user/@{uid}/cmus-socket w,
  /dev/shm/ r,
  include if exists <local/cmus>
 }
--- a/apparmor.d/profiles-a-f/dino-im
+++ b/apparmor.d/profiles-a-f/dino-im
@ -11,10 +11,8 @@ include <tunables/global>
 profile dino-im @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
@ -46,6 +44,7 @@ profile dino-im @{exec_path} {
    owner @{HOME}/.gnupg/ rw,
    owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
    include if exists <local/dino-im_gpg>
  }
  include if exists <local/dino-im>
--- a/apparmor.d/profiles-a-f/dkms
+++ b/apparmor.d/profiles-a-f/dkms
@ -104,7 +104,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
    owner /boot/System.map-* r,
-    audit owner @{tmp}/tmp.* r,
+    owner @{tmp}/tmp.@{rand10} r,
    @{sys}/module/compression r,
--- a/apparmor.d/profiles-a-f/dunst
+++ b/apparmor.d/profiles-a-f/dunst
@ -17,10 +17,13 @@ profile dunst @{exec_path} {
  @{exec_path} mr,
  /etc/xdg/dunst/dunstrc r,
  owner @{user_config_dirs}/dunst/dunstrc r,
  owner @{HOME}/.Xauthority r,
  owner /dev/shm/dunst-@{rand6} rw,
  include if exists <local/dunst>
 }
--- a/apparmor.d/profiles-a-f/dunstify
+++ b/apparmor.d/profiles-a-f/dunstify
@ -13,6 +13,8 @@ profile dunstify @{exec_path} {
  @{exec_path} mr,
  owner @{PROC}/@{pid}/cgroup r,
  # file_inherit
  owner /dev/tty@{int} rw,
--- a/apparmor.d/profiles-a-f/fractal
+++ b/apparmor.d/profiles-a-f/fractal
@ -23,6 +23,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /usr/share/xml/iso-codes/{,**} r,
  owner @{tmp}/.@{rand6} rw, 
  owner @{tmp}/.goutputstream-@{rand6} rw,
  owner @{tmp}/@{rand6} rw,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -142,7 +142,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
    owner /var/lib/fwupd/gnupg/ rw,
    owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
-    owner @{PROC}/@{pids}/fd/ r,
+    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,
    include if exists <local/fwupd_gpg>
  }
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@ -24,7 +24,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,
  network netlink raw,
-  signal (send) peer=aurpublish,
+  signal send peer=aurpublish,
  @{exec_path} mrix,
--- a/apparmor.d/profiles-g-l/id
+++ b/apparmor.d/profiles-g-l/id
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/id
-profile id @{exec_path} {
+profile id @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@ -26,6 +26,8 @@ profile issue-generator @{exec_path} {
  @{run}/issue.@{rand10} rw,
  @{run}/issue.d/{,**} r,
  /dev/tty rw,
  include if exists <local/issue-generator>
 }
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@ -74,6 +74,7 @@ profile keepassxc @{exec_path} {
  owner @{tmp}/keepassxc-*.socket rw,
  owner @{tmp}/keepassxc.lock rw,
  owner @{tmp}/keepassxc.socket rw,
  owner @{tmp}/runtime-user/ w,
  owner @{run}/user/@{pid}/app/ w,
  owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@ -37,6 +37,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/@{pci}/** r,
  @{sys}/module/compression r,
  @{PROC}/bus/pci/devices r,
  @{PROC}/cmdline r,
  @{PROC}/ioports r,
--- a/apparmor.d/profiles-m-r/nemo
+++ b/apparmor.d/profiles-m-r/nemo
@ -10,15 +10,32 @@ include <tunables/global>
@{exec_path} = @{bin}/nemo
 profile nemo @{exec_path} {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
  include <abstractions/trash-strict>
  network inet stream,
  network inet6 stream,
  @{exec_path} mr,
-#   @{lib}/@{multiarch}/nemo/** mrix,
+  /usr/share/nemo/** r,
  # Full access to user's data
  / r,
  /*/ r,
  @{bin}/ r,
  @{lib}/ r,
  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/** rw,
  owner @{HOME}/{,**} rw,
  owner @{run}/user/@{uid}/{,**} rw,
  owner @{tmp}/{,**} rw,
  @{run}/mount/utab r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
@ -20,9 +20,9 @@ profile nft @{exec_path} {
  @{exec_path} mr,
-  owner /etc/iproute2/** r,
+  /etc/iproute2/** r,
-
+  /etc/nftables.conf r,
-  owner /etc/nftables/**.nft r,
+  /etc/nftables/{,**} r,
  @{PROC}/1/environ r,
  @{PROC}/cmdline r,
--- a/apparmor.d/profiles-m-r/ouch
+++ b/apparmor.d/profiles-m-r/ouch
@ -0,0 +1,26 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 valoq <valoq@mailbox.org>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/ouch
 profile ouch @{exec_path} {
  include <abstractions/base>
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>
  @{exec_path} mr,
  owner @{HOME}/.tmp@{rand6}/{,**} rw,
  @{sys}/fs/cgroup/user.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
  owner @{PROC}/@{pid}/cgroup r,
  include if exists <local/ouch>
 }
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@ -35,13 +35,10 @@ profile pkexec @{exec_path} {
  @{exec_path} mr,
-  # Apps to be run via pkexec
+  @{bin}/*       PUx,
-  @{bin}/*            rPUx,
+  @{lib}/**      PUx,
-  @{lib}/{,gvfs/}gvfsd-admin    rPx,
+  /opt/*/**      PUx,
-  @{lib}/cc-remote-login-helper rPx,
+  /usr/share/**  PUx,
  @{lib}/update-notifier/package-system-locked  rPx,
  /usr/share/apport/apport-gtk rPx,
  #aa:exec polkit-agent-helper
  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*} r,
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -14,7 +14,9 @@ profile run-parts @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
-  @{exec_path} mr,
+  capability mknod,
  @{exec_path} mrix,
  @{sh_path}         rix,
  @{bin}/anacron     rix,
@ -29,6 +31,7 @@ profile run-parts @{exec_path} {
  /etc/ r,
  /etc/anacrontab                                      r,
  /etc/conf.d/snapper{,**}                             r,
  /etc/default/*                                       r,
  /etc/snapper/configs/root                            r,
  # Crontab
@ -42,7 +45,6 @@ profile run-parts @{exec_path} {
  /etc/cron.{hourly,daily,weekly,monthly}/aptitude             rPx,
  /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils        rPUx,
  /etc/cron.{hourly,daily,weekly,monthly}/checksecurity       rPUx,
  /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime     rPx,
  /etc/cron.{hourly,daily,weekly,monthly}/debsums              rPx,
  /etc/cron.{hourly,daily,weekly,monthly}/debtags              rPx,
  /etc/cron.{hourly,daily,weekly,monthly}/dlocate              rPx,
@ -55,6 +57,7 @@ profile run-parts @{exec_path} {
  /etc/cron.{hourly,daily,weekly,monthly}/passwd              rPUx,
  /etc/cron.{hourly,daily,weekly,monthly}/plocate              rPx,
  /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest   rPx,
  /etc/cron.{hourly,daily,weekly,monthly}/snapper             rPUx,
  /etc/cron.{hourly,daily,weekly,monthly}/spamassassin        rPUx,
  /etc/cron.{hourly,daily,weekly,monthly}/sysstat              rPx,
  /etc/cron.{hourly,daily,weekly,monthly}/tor                 rPUx,
@ -134,10 +137,14 @@ profile run-parts @{exec_path} {
  /usr/share/landscape/landscape-sysinfo.wrapper rPUx,
  /root/ r,
  /var/spool/anacron/cron.daily k,
  owner @{tmp}/#@{int} rw,
-  owner @{tmp}/$anacron* rw,
+  owner @{tmp}/$anacron@{rand6} rw,
  owner @{tmp}/file@{rand6} rw,
-  
+
  owner @{sys}/class/power_supply/            r,
  /dev/tty@{int} rw,
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -40,6 +40,7 @@ profile snapd @{exec_path} {
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  network unix stream,
  mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/,
  umount /tmp/syscheck-mountpoint-@{int}/,
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -41,6 +41,9 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
  @{run}/spice-vdagentd/spice-vdagent-sock rw,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  owner @{PROC}/@{pids}/task/@{tid}/comm rw,
  owner /dev/tty@{int} rw,
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@ -18,6 +18,7 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/graphics>
  network inet stream,
--- a/apparmor.d/profiles-s-z/strawberry
+++ b/apparmor.d/profiles-s-z/strawberry
@ -8,10 +8,11 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/strawberry
-profile strawberry @{exec_path} {
+profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/fontconfig-cache-read>
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -35,6 +35,8 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
  /opt/*/**                         PUx,
  /snap/snapd/@{int}@{bin}/snap    rPUx,
  /etc/default/locale r,
        /var/db/sudo/lectured/ r,
  owner /var/db/sudo/lectured/@{uid} rw,
  owner /var/lib/extrausers/shadow r,
--- a/apparmor.d/profiles-s-z/totem
+++ b/apparmor.d/profiles-s-z/totem
@ -35,6 +35,9 @@ profile totem @{exec_path} flags=(attach_disconnected) {
  /usr/share/grilo-plugins/{,**} r,
  /usr/share/thumbnailers/{,**} r,
  owner @{HOME}/ r,
  owner @{MOUNTS}/ r,
  owner @{user_music_dirs}/{,**} rw,
  owner @{user_pictures_dirs}/{,**} rw,
  owner @{user_torrents_dirs}/{,**} rw,
@ -50,6 +53,8 @@ profile totem @{exec_path} flags=(attach_disconnected) {
  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
  owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
  @{run}/mount/utab r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/task/@{tid}/comm w,
--- a/apparmor.d/profiles-s-z/udisksd
+++ b/apparmor.d/profiles-s-z/udisksd
@ -118,12 +118,13 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  @{sys}/bus/ r,
  @{sys}/bus/pci/slots/ r,
  @{sys}/bus/pci/slots/@{int}/address r,
  @{sys}/class/ r,
  @{sys}/class/nvme-subsystem/ r,
  @{sys}/class/nvme/ r,
  @{sys}/devices/@{pci}/uevent r,
  @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
  @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
  @{sys}/devices/@{pci}/uevent r,
  @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
  @{sys}/devices/virtual/block/*/{,**} rw,
  @{sys}/devices/virtual/block/loop@{int}/uevent rw,
--- a/apparmor.d/profiles-s-z/update-ca-trust
+++ b/apparmor.d/profiles-s-z/update-ca-trust
@ -26,7 +26,7 @@ profile update-ca-trust @{exec_path} {
  /etc/ca-certificates/extracted/** rw,
  /etc/ssl/certs/{,*} rw,
-  /etc/ssl/certs/java/cacerts{,.*} w,
+  /etc/ssl/certs/java/** rw,
  /dev/tty rw,
--- a/apparmor.d/profiles-s-z/usbguard-daemon
+++ b/apparmor.d/profiles-s-z/usbguard-daemon
@ -24,8 +24,8 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /etc/usbguard/{,**} r,
  /etc/usbguard/*.conf rw,
  /etc/usbguard/IPCAccessControl.d/{,*} r,
  owner @{run}/usbguard.pid rwk,
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@ -84,8 +84,12 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
  @{sys}/devices/virtual/drm/ttm/uevent r,
  @{sys}/fs/cgroup/user.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
        @{PROC}/@{pids}/net/route r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@ -41,6 +41,7 @@ profile vlc @{exec_path} {
  @{exec_path} mrix,
  @{open_path}           rPx -> child-open-help,
  @{bin}/xdg-screensaver rPx,
  /usr/share/vlc/{,**} r,
@ -48,6 +49,8 @@ profile vlc @{exec_path} {
  /etc/fstab r,
  owner @{HOME}/ r,
  owner @{MOUNTS}/ r,
  owner @{user_music_dirs}/{,**} rw,
  owner @{user_pictures_dirs}/{,**} rw,
  owner @{user_torrents_dirs}/{,**} rw,
--- a/apparmor.d/profiles-s-z/waybar
+++ b/apparmor.d/profiles-s-z/waybar
@ -0,0 +1,33 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/waybar
 profile waybar @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/nameservice-strict>
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  @{exec_path} mr,
  @{bin}/** rPUx,
  @{user_bin_dirs}/** rPUx,
  owner @{user_config_dirs}/waybar/{,**} r,
  owner /dev/tty@{int} rw,
  include if exists <local/waybar>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/wmctrl
+++ b/apparmor.d/profiles-s-z/wmctrl
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = @{bin}/wmctrl
 profile wmctrl @{exec_path} {
  include <abstractions/base>
  include <abstractions/X-strict>
  @{exec_path} mr,
--- a/apparmor.d/profiles-s-z/xsel
+++ b/apparmor.d/profiles-s-z/xsel
@ -11,6 +11,7 @@ include <tunables/global>
 profile xsel @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/X-strict>
  @{exec_path} mr,
@ -18,9 +19,6 @@ profile xsel @{exec_path} {
  owner @{user_cache_dirs}/ rw,
  owner @{user_cache_dirs}/xsel.log rw,
  owner @{HOME}/.Xauthority r,
  owner @{tmp}/xauth-@{int}-_[0-9] r,
  # file_inherit
  owner /dev/tty@{int} rw,
  owner @{HOME}/.xsession-errors w,
--- a/apparmor.d/tunables/multiarch.d/paths
+++ b/apparmor.d/tunables/multiarch.d/paths
@ -31,7 +31,7 @@
@{emails_path} = @{thunderbird_path} @{bin}/@{emails_names}
 # Open
-@{open_path}  = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio
+@{open_path}  = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open
@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
--- a/apparmor.d/tunables/multiarch.d/system
+++ b/apparmor.d/tunables/multiarch.d/system
@ -55,8 +55,8 @@
@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
 # Username & group valid characters
-@{u}=[a-z0-9_]
+@{u}=[a-zA-Z0-9_]
-@{user}=[a-z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
+@{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
@{group}=@{user}
 # Shortcut for PCI device
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -173,6 +173,11 @@ gsettings complain
 gvfsd-dav complain
 gvfsd-wsdd complain
 hostnamectl complain
 hyprctl complain
 hyprlock complain
 hyprpaper attach_disconnected,complain
 hyprpicker complain
 hyprpm complain
 ibus-engine-table complain
 ibus-memconf attach_disconnected,complain
 im-launch complain
@ -306,6 +311,7 @@ steam-launch attach_disconnected,complain
 steam-launcher attach_disconnected,complain
 steam-runtime attach_disconnected,complain
 steamerrorreporter attach_disconnected,complain
 strawberry attach_disconnected,mediate_deleted,complain
 sulogin complain
 switcherooctl complain
 swtpm complain
@ -352,6 +358,7 @@ systemd-portabled complain
 systemd-remount-fs complain
 systemd-resolve complain
 systemd-shutdown complain
 systemd-sleep-tlp complain
 systemd-socket-proxyd complain
 systemd-udevd attach_disconnected,complain
 systemd-user-sessions complain
@ -374,6 +381,7 @@ virtnetworkd complain,attach_disconnected
 virtnodedevd attach_disconnected,complain
 virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
 waybar attach_disconnected,complain
 wg complain
 wg-quick complain
 wsdd complain
--- a/dists/ignore/main.ignore
+++ b/dists/ignore/main.ignore
@ -14,6 +14,7 @@ code-wrapper
 man
 # Work in progress profiles
 dunst
 plasma-discover
 steam
 steam-fossilize
--- a/pkg/prebuild/builder/core_test.go
+++ b/pkg/prebuild/builder/core_test.go
@ -228,14 +228,8 @@ func TestBuilder_Apply(t *testing.T) {
 				include if exists <local/foo>
 			  }`,
-			want: `
+			want:    "",
-			  profile foo /usr/bin/foo {
+			wantErr: true,
 			    include <abstractions/base>
 			    /usr/bin/foo mr,
 				include if exists <local/foo>
 			  }`,
 		},
 	}
 	for _, tt := range tests {
--- a/pkg/prebuild/builder/userspace.go
+++ b/pkg/prebuild/builder/userspace.go
@ -5,6 +5,7 @@
 package builder
 import (
 	"fmt"
 	"regexp"
 	"strings"
@ -12,8 +13,10 @@ import (
 	"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 )
 const tokATTACHMENT = "@{exec_path}"
 var (
-	regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
+	regAttachments = regexp.MustCompile(`(profile .* ` + tokATTACHMENT + `)`)
 )
 type Userspace struct {
@ -41,13 +44,18 @@ func (b Userspace) Apply(opt *Option, profile string) (string, error) {
 	if _, err := f.Parse(profile); err != nil {
 		return "", err
 	}
 	if len(f.GetDefaultProfile().Attachments) > 0 &&
 		f.GetDefaultProfile().Attachments[0] != tokATTACHMENT {
 		return "", fmt.Errorf("missing '%s' attachment", tokATTACHMENT)
 	}
 	if err := f.Resolve(); err != nil {
 		return "", err
 	}
-	att := f.GetDefaultProfile().GetAttachments()
+
 	matches := regAttachments.FindAllString(profile, -1)
 	if len(matches) > 0 {
-		strheader := strings.Replace(matches[0], "@{exec_path}", att, -1)
+		att := f.GetDefaultProfile().GetAttachments()
 		strheader := strings.Replace(matches[0], tokATTACHMENT, att, -1)
 		return regAttachments.ReplaceAllLiteralString(profile, strheader), nil
 	}
 	return profile, nil