Merge branch 'roddhjav:main' into main

apparmor.d/abstractions/app/sudo

@@ -41,6 +41,7 @@
   / r,
   /etc/machine-id r,
 
+        /var/db/sudo/lectured/ r,
   owner /var/lib/sudo/ts/ rw,   
   owner /var/lib/sudo/ts/@{uid} rwk,
   owner /var/log/sudo.log wk,

apparmor.d/abstractions/common/systemd

@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  ptrace (read) peer=@{p_systemd},
+  ptrace read peer=@{p_systemd},
 
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
   @{sys}/fs/cgroup/system.slice/@{profile_name}.service/memory.pressure rw,

apparmor.d/abstractions/gnome-strict

@@ -13,6 +13,8 @@
        member=Introspect 
        peer=(name=:*, label=gnome-shell),
 
+  /usr/share/icu/@{int}.@{int}/*.dat r,
+
   /usr/{local/,}share/ r,
   /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
   /usr/{local/,}share/gvfs/remote-volume-monitors/{,*}  r,

apparmor.d/groups/_full/default

@@ -70,11 +70,8 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{MOUNTS}/** rwl,
   owner @{HOME}/{,**} rwlk,
   owner @{run}/user/@{uid}/{,**} rw,
-  owner @{user_config_dirs}/** rwkl,
-  owner @{user_share_dirs}/** rwkl,
   owner @{tmp}/{,**} rwk,
-
-  owner @{run}/user/@{uid}/{,**} rw,
+  owner @{run}/user/@{uid}/{,**} rwlk,
 
   @{run}/motd.dynamic.new rw,
 

apparmor.d/groups/browsers/firefox-crashreporter

@@ -30,6 +30,9 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  @{bin}/curl rix,
+  @{bin}/mv   rix,
+
   @{lib_dirs}/minidump-analyzer rPx,
 
   @{bin}/mv rix,

apparmor.d/groups/bus/ibus-daemon

@@ -42,6 +42,7 @@ profile ibus-daemon @{exec_path} flags=(attach_disconnected) {
 
   @{sh_path}             rix,
   @{lib}/{,ibus/}ibus-*  rPUx,
+  @{lib}/ibus-*/ibus-*   rPUx,
 
   /usr/share/ibus/{,**} r,
   /usr/share/ibus-table/{,**} r,

apparmor.d/groups/children/child-modprobe-nvidia

@@ -71,7 +71,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
     # @{sys}/module/{drm,nvidia}/initstate r,
     @{sys}/module/compression r,
 
-    deny  @{HOME}/.steam/** r,
+    deny @{HOME}/.steam/** r,
 
     include if exists <local/child-modprobe-nvidia_kmod>
   }

apparmor.d/groups/cron/crontab

@@ -25,6 +25,7 @@ profile crontab @{exec_path} {
   @{bin}/vim.*           rCx -> editor,
 
   /etc/cron.{allow,deny} r,
+  /etc/pam.d/* r,
 
         /var/spool/cron/ r,
         /var/spool/cron/crontabs/ rw,
@@ -32,19 +33,18 @@ profile crontab @{exec_path} {
 
   owner @{tmp}/crontab.*/{,crontab} rw,
 
-
   profile editor {
     include <abstractions/base>
     include <abstractions/app/editor>
 
     capability fsetid,
 
+    /etc/cron.{allow,deny} r,
+
           /tmp/ r,
     owner @{tmp}/crontab.*/crontab rw,
 
-    # file_inherit
-    /etc/cron.{allow,deny} r,
-
+    include if exists <local/crontab_editor>
   }
 
   include if exists <local/crontab>

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -84,6 +84,11 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 
   owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
 
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
         @{PROC}/ r,
         @{PROC}/*/ r,
         @{PROC}/1/cgroup r,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -72,6 +72,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/ r,
   owner @{HOME}/*/{,**} rw,
+  owner @{MOUNTS}/ r,
 
   owner @{tmp}/.goutputstream-@{rand6} rw,
   owner @{tmp}/@{rand6} rw,

apparmor.d/groups/freedesktop/xdg-document-portal

@@ -42,7 +42,9 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
   / r,
   owner /.flatpak-info r,
 
-  owner @{HOME}/** r,
+  owner @{HOME}/ r,
+  owner @{HOME}/*/{,**} rw,
+  owner @{MOUNTS}/ r,
 
   owner @{user_share_dirs}/flatpak/db/documents r,
   owner @{user_share_dirs}/Trash/files/** r,
@@ -54,8 +56,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/fd/ r,
 
-          /dev/fuse rw,
-    owner /dev/tty@{int} rw,
+        /dev/fuse rw,
+  owner /dev/tty@{int} rw,
 
   profile fusermount {
     include <abstractions/base>

apparmor.d/groups/freedesktop/xdg-user-dir

@@ -9,11 +9,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/xdg-user-dir
 profile xdg-user-dir @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
-  @{sh_path}                    rix,
-  @{bin}/env                    rix,
+  @{sh_path}  rix,
+  @{bin}/env  rix,
 
   owner @{user_config_dirs}/user-dirs.dirs r,
 

apparmor.d/groups/freedesktop/xhost

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/xhost
-profile xhost @{exec_path} {
+profile xhost @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
   include <abstractions/X-strict>

apparmor.d/groups/gnome/gdm-session-worker

@@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   capability sys_tty_config,
 
   network netlink raw,
+  network unix stream,
 
   signal (receive) set=term peer=gdm,
   signal (send) set=(hup term) peer=gdm-session,

apparmor.d/groups/gnome/gio-launch-desktop

@@ -3,6 +3,11 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# TODO: Rethink this profile:
+# - Access to gio from a profile is handled by child-open-*
+# - Direct access should only be needed is some special context and it should not
+#   require access to that much resources.
+
 abi <abi/3.0>,
 
 include <tunables/global>

apparmor.d/groups/gnome/gnome-shell

@@ -218,6 +218,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   /.flatpak-info r,
   /etc/fstab r,
   /etc/timezone r,
+  /etc/tpm2-tss/*.json r,
   /etc/udev/hwdb.bin r,
   /etc/xdg/menus/gnome-applications.menu r,
 
@@ -249,10 +250,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   owner @{HOME}/.face r,
   owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
-  owner @{HOME}/.var/app/**/ r,
+  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
   owner @{HOME}/.var/app/**.{png,jpg,svg} r,
+  owner @{HOME}/.var/app/**/ r,
   owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
-  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,
 
   owner @{user_games_dirs}/**.{png,jpg,svg} r,
   owner @{user_music_dirs}/**.{png,jpg,svg} r,
@@ -282,6 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_cache_dirs}/vlc/**/*.jpg r,
 
         @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
+  owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
   owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
   owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
   owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

apparmor.d/groups/gnome/gsd-color

@@ -21,6 +21,8 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
   include <abstractions/gnome-strict>
   include <abstractions/nameservice-strict>
 
+  network inet stream,
+
   signal (receive) set=(term, hup) peer=gdm*,
 
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color

apparmor.d/groups/gnome/gsd-keyboard

@@ -21,6 +21,8 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   include <abstractions/gnome-strict>
   include <abstractions/nameservice-strict>
 
+  network inet stream,
+
   signal (receive) set=(term, hup) peer=gdm*,
 
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Keyboard

apparmor.d/groups/gnome/gsd-media-keys

@@ -27,6 +27,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 
   signal (receive) set=(term, hup) peer=gdm*,
 
+  network inet stream,
   network netlink raw,
 
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys

apparmor.d/groups/gnome/gsd-power

@@ -30,6 +30,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include <abstractions/gnome-strict>
   include <abstractions/nameservice-strict>
 
+  network inet stream,
   network netlink raw,
 
   signal (receive) set=(term, hup) peer=gdm*,

apparmor.d/groups/gnome/gsd-smartcard

@@ -31,13 +31,17 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
   /etc/{,opensc/}opensc.conf r,
-
-  owner @{GDM_HOME}/greeter-dconf-defaults r,
-  owner @{gdm_config_dirs}/dconf/user r,
+  /etc/tpm2-tss/* rk,
 
   /var/tmp/ r,
   /tmp/ r,
 
+  owner @{GDM_HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
+  owner @{GDM_HOME}/greeter-dconf-defaults r,
+  owner @{gdm_config_dirs}/dconf/user r,
+
+  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk,
+
   owner /dev/tty@{int} rw,
 
   include if exists <local/gsd-smartcard>

apparmor.d/groups/gnome/session-migration

@@ -21,6 +21,8 @@ profile session-migration @{exec_path} {
   owner @{gdm_share_dirs}/session_migration-* rw,
   owner @{user_share_dirs}/session_migration-* rw,
 
+  /dev/tty@{int} rw,
+
   include if exists <local/session-migration>
 }
 

apparmor.d/groups/gpg/gpg

@@ -44,9 +44,9 @@ profile gpg @{exec_path} {
   owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,
 
   #aa:only pacman
-  owner /etc/pacman.d/gnupg/gpg.conf r,
-  owner /etc/pacman.d/gnupg/pubring.gpg r,
-  owner /etc/pacman.d/gnupg/trustdb.gpg r,
+  /etc/pacman.d/gnupg/gpg.conf r,
+  /etc/pacman.d/gnupg/pubring.gpg r,
+  /etc/pacman.d/gnupg/trustdb.gpg r,
 
   owner /var/lib/*/gnupg/ rw,
   owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,

apparmor.d/groups/hyprland/hyprctl

@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprctl
+profile hyprctl @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  include if exists <local/hyprctl>
+}
+
+# vim:syntax=apparmor
+

apparmor.d/groups/hyprland/hyprlock

@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprlock
+profile hyprlock @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/authentication>
+  include <abstractions/fonts>
+  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
+
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /etc/security/faillock.conf r,
+  /etc/shells r,
+
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,
+  owner @{user_pictures_dirs}/** r,
+
+  owner @{user_config_dirs}/hypr/hyprlock.conf r,
+
+  owner @{run}/faillock/@{user} rwk,
+
+  owner /dev/tty@{int} rw,
+
+  include if exists <local/hyprlock>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/hyprland/hyprpaper

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprpaper
+profile hyprpaper @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  /usr/share/icons/** r,
+
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/** r,
+
+  owner @{user_config_dirs}/hypr/hyprpaper.conf r,
+
+  owner @{run}/user/@{uid}/ r,
+  owner @{run}/user/@{uid}/.hyprpaper* rw,
+  owner @{run}/user/@{uid}/hypr/*/.hyprpaper.sock w,
+  owner @{run}/user/@{uid}/hyprpaper.lock rw,
+
+  include if exists <local/hyprpaper>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/hyprland/hyprpicker

@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprpicker
+profile hyprpicker @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+  @{bin}/wl-copy Px,
+
+  /usr/share/icons/** r,
+
+  owner @{run}/user/@{uid}/.hyprpicker* rw,
+
+  include if exists <local/hyprpicker>
+}
+
+# vim:syntax=apparmor
+

apparmor.d/groups/hyprland/hyprpm

@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/hyprpm
+profile hyprpm @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
+  include <abstractions/user-tmp>
+
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 stream,
+
+  @{exec_path} mr,
+
+  @{bin}/** rix,
+  @{lib}/gcc/** rix,
+  @{lib}/git-core/** rix,
+
+  /usr/include/** r,
+  /usr/share/git-core/** r,
+  /usr/share/pkgconfig/** r,
+
+  owner @{HOME}/.gitconfig r,
+
+  owner @{user_share_dirs}/hyprpm/{,**} rw,
+
+  /tmp/hyprpm/** rw,
+
+  include if exists <local/hyprpm>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/network/dhcpcd

@@ -39,20 +39,12 @@ profile dhcpcd @{exec_path} flags=(attach_disconnected) {
   @{bin}/sed                      rix,
   @{lib}/dhcpcd/dhcpcd-run-hooks  rix,
 
-  /var/lib/dhcpcd/*.lease{,6} rw,
-  /var/lib/dhcpcd/secret rw,
-
   /etc/dhcpcd.conf r,
   /etc/resolv.conf rw,
 
-  @{run}/dhcpcd/{.pid,pid} rwk,
-  @{run}/dhcpcd/{.sock,sock} w,
-  @{run}/dhcpcd/*.pid wk,
-  @{run}/dhcpcd/*.sock w,
-  @{run}/dhcpcd/hook-state/ rw,
-  @{run}/dhcpcd/hook-state/resolv.conf.*.{dhcp,link} rw,
-  @{run}/dhcpcd/hook-state/resolv.conf/ rw,
-  @{run}/dhcpcd/unpriv.sock w,
+  /var/lib/dhcpcd/** rw,
+
+  @{run}/dhcpcd/** rwk,
 
   @{run}/udev/data/n@{int} r,
 

apparmor.d/groups/pacman/aurpublish

@@ -29,7 +29,7 @@ profile aurpublish @{exec_path} {
   @{bin}/date        rix,
   @{bin}/gettext     rix,
   @{bin}/git         rPx,
-  @{bin}/gpg{,2}     rPx,
+  @{bin}/gpg{,2}     rCx -> gpg,
   @{bin}/grep        rix,
   @{bin}/makepkg     rix,
   @{bin}/mkdir       rix,
@@ -48,10 +48,9 @@ profile aurpublish @{exec_path} {
   /etc/makepkg.conf.d/{,**} r,
 
   owner @{user_build_dirs}/**/ w,
-  owner @{user_projects_dirs}/**/ r,
+  owner @{user_projects_dirs}/** r,
   owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
   owner @{user_projects_dirs}/**/.SRCINFO rw,
-  owner @{user_projects_dirs}/**/PKGBUILD r,
 
   owner @{user_cache_dirs}/makepkg/src/* rw,
   owner @{user_config_dirs}/pacman/makepkg.conf r,
@@ -62,6 +61,22 @@ profile aurpublish @{exec_path} {
 
   /dev/tty rw,
 
+  profile gpg {
+    include <abstractions/base>
+
+    @{bin}/gpg{,2} mr,
+    @{bin}/gpgconf mr,
+
+    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+    owner @{user_cache_dirs}/makepkg/src/*.asc r,
+
+    owner @{tmp}/tmp.@{rand10} rw,
+
+    include if exists <local/aurpublish_gpg>
+  }
+
   include if exists <local/aurpublish>
 }
 

apparmor.d/groups/systemd/systemd-cryptsetup

@@ -12,6 +12,7 @@ profile systemd-cryptsetup @{exec_path} {
   include <abstractions/common/systemd>
   include <abstractions/disks-write>
 
+  capability dac_read_search,
   capability ipc_lock,
   capability net_admin,
   capability sys_admin,

apparmor.d/groups/systemd/systemd-generator-fstab

@@ -13,6 +13,7 @@ profile systemd-generator-fstab @{exec_path} {
 
   capability dac_override,
   capability dac_read_search,
+  capability mknod,
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-generator-user-autostart

@@ -16,6 +16,8 @@ profile systemd-generator-user-autostart @{exec_path} {
 
   @{exec_path} mr,
 
+  @{system_share_dirs}/applications/*.desktop r,
+
   @{etc_ro}/xdg/autostart/{,*.desktop} r,
 
   owner @{user_config_dirs}/autostart/{,*.desktop} r,

apparmor.d/groups/systemd/systemd-logind

@@ -63,6 +63,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   /var/lib/systemd/linger/ r,
 
   @{run}/.#nologin* rw,
+  @{run}/credentials/getty@tty@{int}.service/ r,
   @{run}/host/container-manager r,
   @{run}/nologin rw,
   @{run}/utmp rk,

apparmor.d/groups/systemd/systemd-machined

@@ -49,6 +49,9 @@ profile systemd-machined @{exec_path} {
   @{PROC}/pressure/io r,
   @{PROC}/pressure/memory r,
 
+  /dev/ptmx rw,
+  /dev/pts/@{int} rw,
+
   include if exists <local/systemd-machined>
 }
 

apparmor.d/groups/systemd/systemd-sleep-tlp

@@ -12,6 +12,7 @@ profile systemd-sleep-tlp @{exec_path} {
 
   @{exec_path} mr,
 
+  @{sh_path} rix,
   @{bin}/tlp rPUx,
 
   include if exists <local/systemd-sleep-tlp>

apparmor.d/groups/systemd/systemd-udevd

@@ -52,6 +52,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   @{bin}/more             rPx -> child-pager,
   @{bin}/multipath        rPx,
   @{bin}/nfsrahead        rix,
+  @{bin}/nvidia-modprobe  rPx -> child-modprobe-nvidia,
   @{bin}/pager            rPx -> child-pager,
   @{bin}/perl             rix,
   @{bin}/setfacl          rix,

apparmor.d/groups/ubuntu/apport-gtk

@@ -51,6 +51,7 @@ profile apport-gtk @{exec_path} {
   @{bin}/pkexec                 rPx, # TODO: rCx or something
   @{bin}/systemctl              rCx -> systemctl,
   @{bin}/systemd-detect-virt    rPx,
+  @{bin}/uname                  rix,
   @{bin}/which{,.debianutils}   rix,
   @{lib}/{,colord/}colord-sane  rPx,
   @{lib}/@{multiarch}/ld*.so*   rix,
@@ -60,8 +61,8 @@ profile apport-gtk @{exec_path} {
   /usr/share/apport/general-hooks/*.py r,
 
   /etc/apport/{,**} r,
-  /etc/cloud/cloud.cfg.d/{,**} r,
   /etc/bash_completion.d/apport_completion r,
+  /etc/cloud/{,**} r,
   /etc/cron.daily/apport r,
   /etc/default/apport r,
   /etc/gtk-3.0/settings.ini r,
@@ -69,13 +70,15 @@ profile apport-gtk @{exec_path} {
   /etc/logrotate.d/apport r,
   /etc/xdg/autostart/*.desktop r,
 
-  /var/crash/{,*.@{uid}.crash} rw,
   /var/lib/dpkg/info/ r,
   /var/lib/dpkg/info/*.list r,
   /var/lib/usbutils/*.ids r,
   /var/lib/dpkg/info/*.md5sums r,
   /var/log/installer/media-info r,
 
+        /var/crash/ rw,
+  owner /var/crash/*.@{uid}.{crash,upload} rw,
+
    @{run}/snapd.socket rw,
 
   /tmp/[a-z0-9]* rw,
@@ -104,6 +107,7 @@ profile apport-gtk @{exec_path} {
     @{bin}/* r,
 
     /usr/share/gcc/python/{,**/}__pycache__/{,**} rw,
+    /usr/share/gdb/python/{,**/}__pycache__/{,**} rw,
 
     /usr/share/gdb/{,**} r,
     /usr/share/glib-2.0/schemas/gschemas.compiled r,

apparmor.d/profiles-a-f/agetty

@@ -34,6 +34,7 @@ profile agetty @{exec_path} {
   /etc/os-release r,
   /usr/etc/login.defs r,
 
+        @{run}/credentials/getty@tty@{int}.service/ r,
         @{run}/credentials/serial-getty@ttyS@{int}.service/ r,
   owner @{run}/agetty.reload rw,
 

apparmor.d/profiles-a-f/btrfs

@@ -25,6 +25,7 @@ profile btrfs @{exec_path} flags=(attach_disconnected) {
 
   / r,
   /boot/ r,
+  /home/ r,
   /.snapshots/ r,
   @{MOUNTS}/ r,
   @{MOUNTS}/ext2_saved/ rw,

apparmor.d/profiles-a-f/cmus

@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/cmus
+profile cmus @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/audio-client>
+
+  @{exec_path} mr,
+
+  /usr/share/cmus/{,**} r,
+  /usr/share/terminfo/{,**} r,
+
+  /etc/machine-id r,
+
+  owner @{user_music_dirs}/{,**} r,
+
+  owner @{user_config_dirs}/ r,
+  owner @{user_config_dirs}/cmus/{,**} rw,
+
+  owner @{run}/user/@{uid}/cmus-socket w,
+
+  /dev/shm/ r,
+
+  include if exists <local/cmus>
+}

apparmor.d/profiles-a-f/dino-im

@@ -11,10 +11,8 @@ include <tunables/global>
 profile dino-im @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>
+  include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
 
@@ -46,6 +44,7 @@ profile dino-im @{exec_path} {
     owner @{HOME}/.gnupg/ rw,
     owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**,
 
+    include if exists <local/dino-im_gpg>
   }
 
   include if exists <local/dino-im>

apparmor.d/profiles-a-f/dkms

@@ -104,7 +104,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 
     owner /boot/System.map-* r,
 
-    audit owner @{tmp}/tmp.* r,
+    owner @{tmp}/tmp.@{rand10} r,
 
     @{sys}/module/compression r,
 

apparmor.d/profiles-a-f/dunst

@@ -17,10 +17,13 @@ profile dunst @{exec_path} {
   @{exec_path} mr,
 
   /etc/xdg/dunst/dunstrc r,
+
   owner @{user_config_dirs}/dunst/dunstrc r,
 
   owner @{HOME}/.Xauthority r,
 
+  owner /dev/shm/dunst-@{rand6} rw,
+
   include if exists <local/dunst>
 }
 

apparmor.d/profiles-a-f/dunstify

@@ -13,6 +13,8 @@ profile dunstify @{exec_path} {
 
   @{exec_path} mr,
 
+  owner @{PROC}/@{pid}/cgroup r,
+
   # file_inherit
   owner /dev/tty@{int} rw,
 

apparmor.d/profiles-a-f/fractal

@@ -23,6 +23,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /usr/share/xml/iso-codes/{,**} r,
+
   owner @{tmp}/.@{rand6} rw, 
   owner @{tmp}/.goutputstream-@{rand6} rw,
   owner @{tmp}/@{rand6} rw,

apparmor.d/profiles-a-f/fwupd

@@ -142,7 +142,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
     owner /var/lib/fwupd/gnupg/ rw,
     owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
 
-    owner @{PROC}/@{pids}/fd/ r,
+    owner @{PROC}/@{pid}/fd/ r,
+    owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
     include if exists <local/fwupd_gpg>
   }

apparmor.d/profiles-g-l/git

@@ -24,7 +24,7 @@ profile git @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
-  signal (send) peer=aurpublish,
+  signal send peer=aurpublish,
 
   @{exec_path} mrix,
 

apparmor.d/profiles-g-l/id

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/id
-profile id @{exec_path} {
+profile id @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-g-l/issue-generator

@@ -26,6 +26,8 @@ profile issue-generator @{exec_path} {
   @{run}/issue.@{rand10} rw,
   @{run}/issue.d/{,**} r,
 
+  /dev/tty rw,
+
   include if exists <local/issue-generator>
 }
 

apparmor.d/profiles-g-l/keepassxc

@@ -74,6 +74,7 @@ profile keepassxc @{exec_path} {
   owner @{tmp}/keepassxc-*.socket rw,
   owner @{tmp}/keepassxc.lock rw,
   owner @{tmp}/keepassxc.socket rw,
+  owner @{tmp}/runtime-user/ w,
 
   owner @{run}/user/@{pid}/app/ w,
   owner @{run}/user/@{pid}/app/org.keepassxc.KeePassXC/{,**} rw,

apparmor.d/profiles-g-l/lspci

@@ -37,6 +37,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/@{pci}/** r,
   @{sys}/module/compression r,
 
+  @{PROC}/bus/pci/devices r,
   @{PROC}/cmdline r,
   @{PROC}/ioports r,
 

apparmor.d/profiles-m-r/nemo

@@ -10,15 +10,32 @@ include <tunables/global>
 @{exec_path} = @{bin}/nemo
 profile nemo @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dconf-write>
+  include <abstractions/deny-sensitive-home>
   include <abstractions/desktop>
   include <abstractions/nameservice-strict>
+  include <abstractions/trash-strict>
 
   network inet stream,
   network inet6 stream,
 
   @{exec_path} mr,
 
-#   @{lib}/@{multiarch}/nemo/** mrix,
+  /usr/share/nemo/** r,
+
+  # Full access to user's data
+  / r,
+  /*/ r,
+  @{bin}/ r,
+  @{lib}/ r,
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/** rw,
+  owner @{HOME}/{,**} rw,
+  owner @{run}/user/@{uid}/{,**} rw,
+  owner @{tmp}/{,**} rw,
+
+  @{run}/mount/utab r,
 
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/profiles-m-r/nft

@@ -20,9 +20,9 @@ profile nft @{exec_path} {
 
   @{exec_path} mr,
 
-  owner /etc/iproute2/** r,
-
-  owner /etc/nftables/**.nft r,
+  /etc/iproute2/** r,
+  /etc/nftables.conf r,
+  /etc/nftables/{,**} r,
 
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,

apparmor.d/profiles-m-r/ouch

@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 valoq <valoq@mailbox.org>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/ouch
+profile ouch @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/user-read-strict>
+  include <abstractions/user-write-strict>
+
+  @{exec_path} mr,
+
+  owner @{HOME}/.tmp@{rand6}/{,**} rw,
+
+  @{sys}/fs/cgroup/user.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
+
+  owner @{PROC}/@{pid}/cgroup r,
+
+  include if exists <local/ouch>
+}

apparmor.d/profiles-m-r/pkexec

@@ -35,13 +35,10 @@ profile pkexec @{exec_path} {
 
   @{exec_path} mr,
 
-  # Apps to be run via pkexec
-  @{bin}/*            rPUx,
-  @{lib}/{,gvfs/}gvfsd-admin    rPx,
-  @{lib}/cc-remote-login-helper rPx,
-  @{lib}/update-notifier/package-system-locked  rPx,
-  /usr/share/apport/apport-gtk rPx,
-  #aa:exec polkit-agent-helper
+  @{bin}/*       PUx,
+  @{lib}/**      PUx,
+  /opt/*/**      PUx,
+  /usr/share/**  PUx,
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*} r,

apparmor.d/profiles-m-r/run-parts

@@ -14,7 +14,9 @@ profile run-parts @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
-  @{exec_path} mr,
+  capability mknod,
+
+  @{exec_path} mrix,
   
   @{sh_path}         rix,
   @{bin}/anacron     rix,
@@ -29,6 +31,7 @@ profile run-parts @{exec_path} {
   /etc/ r,
   /etc/anacrontab                                      r,
   /etc/conf.d/snapper{,**}                             r,
+  /etc/default/*                                       r,
   /etc/snapper/configs/root                            r,
 
   # Crontab
@@ -42,7 +45,6 @@ profile run-parts @{exec_path} {
   /etc/cron.{hourly,daily,weekly,monthly}/aptitude             rPx,
   /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils        rPUx,
   /etc/cron.{hourly,daily,weekly,monthly}/checksecurity       rPUx,
-  /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime     rPx,
   /etc/cron.{hourly,daily,weekly,monthly}/debsums              rPx,
   /etc/cron.{hourly,daily,weekly,monthly}/debtags              rPx,
   /etc/cron.{hourly,daily,weekly,monthly}/dlocate              rPx,
@@ -55,6 +57,7 @@ profile run-parts @{exec_path} {
   /etc/cron.{hourly,daily,weekly,monthly}/passwd              rPUx,
   /etc/cron.{hourly,daily,weekly,monthly}/plocate              rPx,
   /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest   rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/snapper             rPUx,
   /etc/cron.{hourly,daily,weekly,monthly}/spamassassin        rPUx,
   /etc/cron.{hourly,daily,weekly,monthly}/sysstat              rPx,
   /etc/cron.{hourly,daily,weekly,monthly}/tor                 rPUx,
@@ -134,10 +137,14 @@ profile run-parts @{exec_path} {
 
   /usr/share/landscape/landscape-sysinfo.wrapper rPUx,
 
+  /root/ r,
+
+  /var/spool/anacron/cron.daily k,
+
   owner @{tmp}/#@{int} rw,
-  owner @{tmp}/$anacron* rw,
+  owner @{tmp}/$anacron@{rand6} rw,
   owner @{tmp}/file@{rand6} rw,
-  
+
   owner @{sys}/class/power_supply/            r,
 
   /dev/tty@{int} rw,

apparmor.d/profiles-s-z/snapd

@@ -40,6 +40,7 @@ profile snapd @{exec_path} {
   network inet dgram,
   network inet6 dgram,
   network netlink raw,
+  network unix stream,
 
   mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/,
   umount /tmp/syscheck-mountpoint-@{int}/,

apparmor.d/profiles-s-z/spice-vdagent

@@ -41,6 +41,9 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 
   @{run}/spice-vdagentd/spice-vdagent-sock rw,
 
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
   owner @{PROC}/@{pids}/task/@{tid}/comm rw,
 
   owner /dev/tty@{int} rw,

apparmor.d/profiles-s-z/steam-gameoverlayui

@@ -18,6 +18,7 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
   include <abstractions/desktop>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/graphics>
 
   network inet stream,

apparmor.d/profiles-s-z/strawberry

@@ -8,10 +8,11 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/strawberry
-profile strawberry @{exec_path} {
+profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/audio-client>
   include <abstractions/consoles>
+  include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-read>

apparmor.d/profiles-s-z/sudo

@@ -35,6 +35,8 @@ profile sudo @{exec_path} flags=(attach_disconnected) {
   /opt/*/**                         PUx,
   /snap/snapd/@{int}@{bin}/snap    rPUx,
 
+  /etc/default/locale r,
+
         /var/db/sudo/lectured/ r,
   owner /var/db/sudo/lectured/@{uid} rw,
   owner /var/lib/extrausers/shadow r,

apparmor.d/profiles-s-z/totem

@@ -35,6 +35,9 @@ profile totem @{exec_path} flags=(attach_disconnected) {
   /usr/share/grilo-plugins/{,**} r,
   /usr/share/thumbnailers/{,**} r,
 
+  owner @{HOME}/ r,
+  owner @{MOUNTS}/ r,
+
   owner @{user_music_dirs}/{,**} rw,
   owner @{user_pictures_dirs}/{,**} rw,
   owner @{user_torrents_dirs}/{,**} rw,
@@ -50,6 +53,8 @@ profile totem @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=**/ r,
   owner @{run}/user/@{uid}/gvfs/smb-share:server=*,share=** r,
 
+  @{run}/mount/utab r,
+
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/task/@{tid}/comm w,
 

apparmor.d/profiles-s-z/udisksd

@@ -118,12 +118,13 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/bus/ r,
   @{sys}/bus/pci/slots/ r,
+  @{sys}/bus/pci/slots/@{int}/address r,
   @{sys}/class/ r,
   @{sys}/class/nvme-subsystem/ r,
   @{sys}/class/nvme/ r,
-  @{sys}/devices/@{pci}/uevent r,
   @{sys}/devices/@{pci}/{ata,usb,mmc,virtio}[0-9]/{,**/}uevent w,
   @{sys}/devices/@{pci}/{ata,usb,mmc}[0-9]/{,**/}remove rw,
+  @{sys}/devices/@{pci}/uevent r,
   @{sys}/devices/virtual/bdi/**/read_ahead_kb r,
   @{sys}/devices/virtual/block/*/{,**} rw,
   @{sys}/devices/virtual/block/loop@{int}/uevent rw,

apparmor.d/profiles-s-z/update-ca-trust

@@ -26,7 +26,7 @@ profile update-ca-trust @{exec_path} {
 
   /etc/ca-certificates/extracted/** rw,
   /etc/ssl/certs/{,*} rw,
-  /etc/ssl/certs/java/cacerts{,.*} w,
+  /etc/ssl/certs/java/** rw,
 
   /dev/tty rw,
 

apparmor.d/profiles-s-z/usbguard-daemon

@@ -24,8 +24,8 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /etc/usbguard/{,**} r,
   /etc/usbguard/*.conf rw,
-  /etc/usbguard/IPCAccessControl.d/{,*} r,
 
   owner @{run}/usbguard.pid rwk,
 

apparmor.d/profiles-s-z/virt-manager

@@ -84,8 +84,12 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/devices/**/hwmon/**/{,name,temp*,fan*} r,
   @{sys}/devices/virtual/drm/ttm/uevent r,
+  @{sys}/fs/cgroup/user.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
 
         @{PROC}/@{pids}/net/route r,
+  owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/profiles-s-z/vlc

@@ -41,6 +41,7 @@ profile vlc @{exec_path} {
 
   @{exec_path} mrix,
 
+  @{open_path}           rPx -> child-open-help,
   @{bin}/xdg-screensaver rPx,
 
   /usr/share/vlc/{,**} r,
@@ -48,6 +49,8 @@ profile vlc @{exec_path} {
   /etc/fstab r,
 
   owner @{HOME}/ r,
+  owner @{MOUNTS}/ r,
+
   owner @{user_music_dirs}/{,**} rw,
   owner @{user_pictures_dirs}/{,**} rw,
   owner @{user_torrents_dirs}/{,**} rw,

apparmor.d/profiles-s-z/waybar

@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/waybar
+profile waybar @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/dconf-write>
+  include <abstractions/desktop>
+  include <abstractions/nameservice-strict>
+
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  @{bin}/** rPUx,
+  @{user_bin_dirs}/** rPUx,
+
+  owner @{user_config_dirs}/waybar/{,**} r,
+
+  owner /dev/tty@{int} rw,
+
+  include if exists <local/waybar>
+}
+
+# vim:syntax=apparmor

apparmor.d/profiles-s-z/wmctrl

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/wmctrl
 profile wmctrl @{exec_path} {
   include <abstractions/base>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 

apparmor.d/profiles-s-z/xsel

@@ -11,6 +11,7 @@ include <tunables/global>
 profile xsel @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
@@ -18,9 +19,6 @@ profile xsel @{exec_path} {
   owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/xsel.log rw,
 
-  owner @{HOME}/.Xauthority r,
-  owner @{tmp}/xauth-@{int}-_[0-9] r,
-
   # file_inherit
   owner /dev/tty@{int} rw,
   owner @{HOME}/.xsession-errors w,

apparmor.d/tunables/multiarch.d/paths

@@ -31,7 +31,7 @@
 @{emails_path} = @{thunderbird_path} @{bin}/@{emails_names}
 
 # Open
-@{open_path}  = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio
+@{open_path}  = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open
 @{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop
 @{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop
 

apparmor.d/tunables/multiarch.d/system

@@ -55,8 +55,8 @@
 @{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}
 
 # Username & group valid characters
-@{u}=[a-z0-9_]
-@{user}=[a-z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
+@{u}=[a-zA-Z0-9_]
+@{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}
 @{group}=@{user}
 
 # Shortcut for PCI device

dists/flags/main.flags

@@ -173,6 +173,11 @@ gsettings complain
 gvfsd-dav complain
 gvfsd-wsdd complain
 hostnamectl complain
+hyprctl complain
+hyprlock complain
+hyprpaper attach_disconnected,complain
+hyprpicker complain
+hyprpm complain
 ibus-engine-table complain
 ibus-memconf attach_disconnected,complain
 im-launch complain
@@ -306,6 +311,7 @@ steam-launch attach_disconnected,complain
 steam-launcher attach_disconnected,complain
 steam-runtime attach_disconnected,complain
 steamerrorreporter attach_disconnected,complain
+strawberry attach_disconnected,mediate_deleted,complain
 sulogin complain
 switcherooctl complain
 swtpm complain
@@ -352,6 +358,7 @@ systemd-portabled complain
 systemd-remount-fs complain
 systemd-resolve complain
 systemd-shutdown complain
+systemd-sleep-tlp complain
 systemd-socket-proxyd complain
 systemd-udevd attach_disconnected,complain
 systemd-user-sessions complain
@@ -374,6 +381,7 @@ virtnetworkd complain,attach_disconnected
 virtnodedevd attach_disconnected,complain
 virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
+waybar attach_disconnected,complain
 wg complain
 wg-quick complain
 wsdd complain

dists/ignore/main.ignore

@@ -14,6 +14,7 @@ code-wrapper
 man
 
 # Work in progress profiles
+dunst
 plasma-discover
 steam
 steam-fossilize

pkg/prebuild/builder/core_test.go

@@ -228,14 +228,8 @@ func TestBuilder_Apply(t *testing.T) {
 
 				include if exists <local/foo>
 			  }`,
-			want: `
-			  profile foo /usr/bin/foo {
-			    include <abstractions/base>
-
-			    /usr/bin/foo mr,
-
-				include if exists <local/foo>
-			  }`,
+			want:    "",
+			wantErr: true,
 		},
 	}
 	for _, tt := range tests {

pkg/prebuild/builder/userspace.go

@@ -5,6 +5,7 @@
 package builder
 
 import (
+	"fmt"
 	"regexp"
 	"strings"
 
@@ -12,8 +13,10 @@ import (
 	"github.com/roddhjav/apparmor.d/pkg/prebuild/cfg"
 )
 
+const tokATTACHMENT = "@{exec_path}"
+
 var (
-	regAttachments = regexp.MustCompile(`(profile .* @{exec_path})`)
+	regAttachments = regexp.MustCompile(`(profile .* ` + tokATTACHMENT + `)`)
 )
 
 type Userspace struct {
@@ -41,13 +44,18 @@ func (b Userspace) Apply(opt *Option, profile string) (string, error) {
 	if _, err := f.Parse(profile); err != nil {
 		return "", err
 	}
+	if len(f.GetDefaultProfile().Attachments) > 0 &&
+		f.GetDefaultProfile().Attachments[0] != tokATTACHMENT {
+		return "", fmt.Errorf("missing '%s' attachment", tokATTACHMENT)
+	}
 	if err := f.Resolve(); err != nil {
 		return "", err
 	}
-	att := f.GetDefaultProfile().GetAttachments()
+
 	matches := regAttachments.FindAllString(profile, -1)
 	if len(matches) > 0 {
-		strheader := strings.Replace(matches[0], "@{exec_path}", att, -1)
+		att := f.GetDefaultProfile().GetAttachments()
+		strheader := strings.Replace(matches[0], tokATTACHMENT, att, -1)
 		return regAttachments.ReplaceAllLiteralString(profile, strheader), nil
 	}
 	return profile, nil