From 30618828097267ced9833cdf16de350eac1b05b1 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 24 Aug 2025 22:04:07 +0200
Subject: [PATCH] feat(profile): update dbus rules for Ubuntu.

---
 apparmor.d/groups/freedesktop/dconf           |  1 +
 apparmor.d/groups/freedesktop/pipewire-pulse  |  3 +++
 .../polkit-kde-authentication-agent           |  2 ++
 apparmor.d/groups/freedesktop/wireplumber     |  5 +++++
 .../groups/freedesktop/xdg-desktop-portal     |  2 ++
 .../groups/freedesktop/xdg-document-portal    |  3 ++-
 .../gnome/evolution-addressbook-factory       |  5 +++++
 apparmor.d/groups/gnome/gjs-console           |  2 ++
 apparmor.d/groups/gnome/gnome-calendar        |  2 +-
 apparmor.d/groups/gnome/gnome-characters      |  2 +-
 apparmor.d/groups/gnome/gnome-control-center  |  5 ++---
 .../groups/gnome/gnome-extension-gsconnect    |  2 ++
 apparmor.d/groups/gnome/gnome-shell           |  4 ++--
 apparmor.d/groups/gnome/gnome-software        | 11 ++++++++++
 apparmor.d/groups/gnome/gnome-system-monitor  |  4 ++++
 apparmor.d/groups/gnome/gsd-media-keys        | 14 +++++--------
 apparmor.d/groups/gnome/gsd-power             |  1 +
 .../groups/gnome/gsd-print-notifications      | 20 ++++++++++++++++++-
 apparmor.d/groups/gnome/gsd-xsettings         | 12 ++++++++++-
 apparmor.d/groups/gnome/loupe                 |  2 ++
 apparmor.d/groups/gnome/nautilus              |  8 +++++++-
 apparmor.d/groups/gnome/papers                |  1 +
 apparmor.d/groups/gnome/ptyxis                |  1 +
 apparmor.d/groups/gnome/ptyxis-agent          |  5 ++++-
 apparmor.d/groups/network/wg-quick            |  1 +
 apparmor.d/groups/polkit/polkit-agent-helper  |  4 ++--
 apparmor.d/groups/systemd/resolvectl          |  7 +++++++
 .../groups/ubuntu/software-properties-gtk     |  6 +++++-
 apparmor.d/groups/ubuntu/update-notifier      |  1 +
 apparmor.d/profiles-a-f/alacarte              |  3 +++
 apparmor.d/profiles-a-f/element-desktop       |  1 +
 apparmor.d/profiles-g-l/libreoffice           |  2 ++
 apparmor.d/profiles-m-r/pinentry-gnome3       |  4 +++-
 apparmor.d/profiles-s-z/spotify               | 11 ++++++++++
 apparmor.d/profiles-s-z/superproductivity     | 11 +++++++++-
 35 files changed, 142 insertions(+), 26 deletions(-)

diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf
index be4972f04..20b453df4 100644
--- a/apparmor.d/groups/freedesktop/dconf
+++ b/apparmor.d/groups/freedesktop/dconf
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/dconf
 profile dconf @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus-session>
   include <abstractions/dconf-write>
 
   capability sys_nice,
diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse
index fddbe02f7..e6e6e59c5 100644
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@@ -13,12 +13,15 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
   include <abstractions/audio-client>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.RealtimeKit1>
   include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
 
   ptrace read,
 
+  #aa:dbus own bus=session name=org.pulseaudio.Server
+
   @{exec_path} mr,
 
   @{bin}/pactl rix,
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index 8a08f02d0..5e7a75a8d 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -11,8 +11,10 @@ include <tunables/global>
 @{exec_path} += @{lib}/polkit-kde-authentication-agent-[0-9]
 profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
   include <abstractions/consoles>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
diff --git a/apparmor.d/groups/freedesktop/wireplumber b/apparmor.d/groups/freedesktop/wireplumber
index 80c3135f5..7aff8bdd2 100644
--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@@ -32,6 +32,11 @@ profile wireplumber @{exec_path} {
        member=Introspect
        peer=(name=:*, label=gnome-shell),
 
+  dbus receive bus=system path=/midi{,server@{int}}
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=@{busname}, label="@{p_bluetoothd}"),
+
   @{exec_path} mr,
 
   /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 35c81f0bc..89acacd34 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -52,6 +52,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 
   #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor
 
+  #aa:dbus talk bus=session name=org.freedesktop.FileManager1 label=nautilus
+  #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome
   #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal
 
   dbus receive bus=session
diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal
index d2db2612e..84c0fce42 100644
--- a/apparmor.d/groups/freedesktop/xdg-document-portal
+++ b/apparmor.d/groups/freedesktop/xdg-document-portal
@@ -30,7 +30,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) {
 
   unix (send receive) type=stream peer=(label=xdg-document-portal//fusermount),
 
-  #aa:dbus own bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents
+  #aa:dbus own bus=session name=org.freedesktop.portal.{Documents,FileTransfer} path=/org/freedesktop/portal/documents
+  #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable
diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory
index 98c94c79e..c9a9d72c9 100644
--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@@ -55,6 +55,11 @@ profile evolution-addressbook-factory @{exec_path} {
        member=Introspect
        peer=(name=@{busname}, label=gnome-shell),
 
+  dbus receive bus=session path=/org/gnome/evolution/dataserver/**
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=obexd),
+
   @{exec_path} mr,
   @{exec_path}-subprocess rix,
 
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index 0cfd4c420..6d6d6ea85 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -17,8 +17,10 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.gnome.Shell.Introspect>
+  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/consoles>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar
index 235c0ce9e..7d6d5246d 100644
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@@ -23,7 +23,6 @@ profile gnome-calendar @{exec_path} {
   network netlink raw,
 
   #aa:dbus own bus=session name=org.gnome.Calendar
-  #aa-dbus own bus=session name=org.gnome.Calendar.SearchProvider interface+=org.gnome.Shell.SearchProvider2
 
   #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
   #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
@@ -32,6 +31,7 @@ profile gnome-calendar @{exec_path} {
   #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry
   #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
   #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
+  #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell
   #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
 
   dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index 9af2b7d5f..7ce936e52 100644
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -11,13 +11,13 @@ profile gnome-characters @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/bus/org.gnome.Shell.SearchProvider2>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/common/gnome>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/nameservice-strict>
 
   #aa:dbus own bus=session name=org.gnome.Characters
-  #aa-dbus talk bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 41b62df09..1c35a8ec1 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -14,6 +14,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.Avahi>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/cups-client>
@@ -42,9 +43,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
   #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
   #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
-  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
-  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power
-  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill
+  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*"
   #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
 
   #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect
index 8887ce797..3f57b3035 100644
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@@ -17,6 +17,8 @@ profile gnome-extension-gsconnect @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.FileManager1>
+  include <abstractions/bus/org.freedesktop.hostname1>
   include <abstractions/bus/org.freedesktop.login1.Session>
   include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/bus/org.gtk.Notifications>
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 0f91b7283..b7706ccf4 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -25,7 +25,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
   include <abstractions/bus/org.freedesktop.locale1>
   include <abstractions/bus/org.freedesktop.login1.Session>
-  include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/bus/org.freedesktop.Notifications>
   include <abstractions/bus/org.freedesktop.PackageKit>
   include <abstractions/bus/org.freedesktop.PolicyKit1>
@@ -87,7 +86,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
   #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
   #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
-  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
+  #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
+  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}"
   #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 
   #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software
index 7e817f490..71141595b 100644
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@@ -9,6 +9,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/gnome-software
 profile gnome-software @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.Accounts>
+  include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/org.gnome.Shell.SearchProvider2>
+  include <abstractions/bus/org.gtk.Notifications>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/common/gnome>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/nameservice-strict>
@@ -24,6 +30,11 @@ profile gnome-software @{exec_path} {
   mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
   umount /var/tmp/flatpak-cache-*/*/,
 
+  #aa:dbus own bus=session name=org.freedesktop.PackageKit
+  #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application
+
+  #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}"
+
   @{exec_path} mr,
 
   @{bin}/baobab              rPUx,
diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor
index a3d039dea..a99d566c0 100644
--- a/apparmor.d/groups/gnome/gnome-system-monitor
+++ b/apparmor.d/groups/gnome/gnome-system-monitor
@@ -9,6 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/gnome-system-monitor
 profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
+  include <abstractions/bus/org.gtk.vfs.Daemon>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/common/gnome>
   include <abstractions/nameservice-strict>
 
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index 6cae2d49b..7f02d8bf4 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -9,7 +9,6 @@ include <tunables/global>
 @{exec_path} = @{lib}/gsd-media-keys
 profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/audio-client>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
@@ -21,6 +20,8 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
   include <abstractions/bus/org.gnome.SessionManager>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/bus/org.mpris.MediaPlayer2.Player>
+  include <abstractions/consoles>
   include <abstractions/dconf-write>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/gnome-strict>
@@ -38,7 +39,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member=PowerOff
-       peer=(name=:*, label="@{p_systemd_logind}"),
+       peer=(name=@{busname}, label="@{p_systemd_logind}"),
 
   dbus send bus=session path=/
        interface=org.freedesktop.DBus
@@ -48,17 +49,12 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   dbus send bus=session path=/org/gnome/SettingsDaemon/Power
        interface=org.freedesktop.DBus.Properties
        member=GetAll
-       peer=(name=:*, label=gsd-power),
+       peer=(name=@{busname}, label=gsd-power),
 
   dbus receive bus=session path=/org/gnome/SettingsDaemon/Power
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged
-       peer=(name=:*, label=gsd-power),
-
-  dbus send bus=session path=/org/mpris/MediaPlayer2
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=:*),
+       peer=(name=@{busname}, label=gsd-power),
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 2fa0b0b1f..379f7b814 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.hostname1>
   include <abstractions/bus/org.freedesktop.login1.Session>
   include <abstractions/bus/org.freedesktop.login1>
+  include <abstractions/bus/org.freedesktop.Notifications>
   include <abstractions/bus/org.freedesktop.systemd1>
   include <abstractions/bus/org.freedesktop.UPower.PowerProfiles>
   include <abstractions/bus/org.freedesktop.UPower>
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index af5ff2f05..59123f485 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 
   dbus receive bus=system path=/org/cups/cupsd/Notifier
        interface=org.cups.cupsd.Notifier
-       member=ServerStarted
+       member={ServerStarted,PrinterDeleted,PrinterStopped}
        peer=(name=@{busname}, label=cups-notifier-dbus),
 
   dbus receive bus=session
@@ -38,6 +38,24 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
        member=Introspect
        peer=(name=@{busname}, label=gnome-shell),
 
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=RecordBrowserNew
+       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+  dbus send bus=system path=/Client@{int}/RecordBrowser@{int}
+       interface=org.freedesktop.Avahi.RecordBrowser
+       member=Free
+       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+
+  dbus receive bus=system path=/Client@{int}/RecordBrowser@{int}
+       interface=org.freedesktop.Avahi.RecordBrowser
+       member={CacheExhausted,ItemNew}
+       peer=(name=@{busname}, label=avahi-daemon),
+  dbus receive bus=system path=/Client4/RecordBrowser3
+       interface=org.freedesktop.Avahi.RecordBrowser
+       member=ItemNew
+       peer=(name=@{busname}, label=avahi-daemon),
+
   @{exec_path} mr,
   @{lib}/gsd-printer rPx,
 
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index abf30bc40..2e21750b9 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -36,10 +36,20 @@ profile gsd-xsettings @{exec_path} {
 
   #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell
 
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=GetId
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+
+  dbus receive bus=system path=/org/freedesktop/Accounts
+       interface=org.freedesktop.Accounts
+       member=UserAdded
+       peer=(name=@{busname}, label="@{p_accounts_daemon}"),
+
   dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
        interface=org.freedesktop.Accounts.User
        member=SetInputSources
-       peer=(name=:*, label="@{p_accounts_daemon}"),
+       peer=(name=@{busname}, label="@{p_accounts_daemon}"),
 
   @{exec_path} mr,
   @{sh_path} mr,
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index d89d4d6f9..398b2b679 100644
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -12,6 +12,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index fc9b923d8..17bdc5f13 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -31,9 +31,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   unix type=stream peer=(label=gnome-shell),
 
   #aa:dbus own bus=session name=org.freedesktop.FileManager1
-  #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}"
+  #aa:dbus own bus=session name=org.gnome.Nautilus interface+=org.gtk.{Application,Actions}
   #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2
 
+  #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*"
   #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center
   #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
   #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell
@@ -49,6 +50,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
        member=Print
        peer=(name=@{busname}, label=nautilus),
 
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=ListActivatableNames
diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers
index 6f5a137a3..9a22e3de8 100644
--- a/apparmor.d/groups/gnome/papers
+++ b/apparmor.d/groups/gnome/papers
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/papers
 profile papers @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/common/gnome>
   include <abstractions/ssl_certs>
   include <abstractions/user-download-strict>
diff --git a/apparmor.d/groups/gnome/ptyxis b/apparmor.d/groups/gnome/ptyxis
index a6f7e5b63..a0a57d516 100644
--- a/apparmor.d/groups/gnome/ptyxis
+++ b/apparmor.d/groups/gnome/ptyxis
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/ptyxis
 profile ptyxis @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/common/gnome>
   include <abstractions/consoles>
 
diff --git a/apparmor.d/groups/gnome/ptyxis-agent b/apparmor.d/groups/gnome/ptyxis-agent
index ce60a26c3..7a05b2254 100644
--- a/apparmor.d/groups/gnome/ptyxis-agent
+++ b/apparmor.d/groups/gnome/ptyxis-agent
@@ -9,9 +9,12 @@ include <tunables/global>
 @{exec_path} = @{lib}/ptyxis-agent
 profile ptyxis-agent @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/consoles>
-  include <abstractions/nameservice-strict>
   include <abstractions/dconf-write>
+  include <abstractions/gsettings>
+  include <abstractions/nameservice-strict>
 
   signal send set=hup peer=unconfined,
 
diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick
index c89a12a47..33de68147 100644
--- a/apparmor.d/groups/network/wg-quick
+++ b/apparmor.d/groups/network/wg-quick
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/wg-quick
 profile wg-quick @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus-system>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
diff --git a/apparmor.d/groups/polkit/polkit-agent-helper b/apparmor.d/groups/polkit/polkit-agent-helper
index 5799ced5b..f761ecf29 100644
--- a/apparmor.d/groups/polkit/polkit-agent-helper
+++ b/apparmor.d/groups/polkit/polkit-agent-helper
@@ -35,12 +35,12 @@ profile polkit-agent-helper @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.DBus.Properties
        member=GetAll
-       peer=(name=:*, label="@{p_polkitd}"),
+       peer=(name=@{busname}, label="@{p_polkitd}"),
 
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
        member=AuthenticationAgentResponse2
-       peer=(name=:*, label="@{p_polkitd}"),
+       peer=(name=@{busname}, label="@{p_polkitd}"),
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl
index 58f2d88f8..3013d8ae6 100644
--- a/apparmor.d/groups/systemd/resolvectl
+++ b/apparmor.d/groups/systemd/resolvectl
@@ -21,8 +21,15 @@ profile resolvectl @{exec_path} flags=(attach_disconnected) {
 
   signal send set=cont peer=child-pager,
 
+  unix bind type=stream addr=@@{udbus}/bus/resolvconf/system,
+
   #aa:dbus talk bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
+
   #aa:dbus talk bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
+  dbus send bus=system path=/org/freedesktop/network1
+       interface=org.freedesktop.network1.Manager
+       member=SetLinkDNSEx
+       peer=(name=org.freedesktop.network1),
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk
index bb31d8867..15a49066c 100644
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@@ -9,19 +9,23 @@ include <tunables/global>
 @{exec_path} = @{bin}/software-properties-gtk
 profile software-properties-gtk @{exec_path} {
   include <abstractions/base>
-  include <abstractions/common/apt>
+  include <abstractions/audio-client>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/common/apt>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 
   #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties
+
   #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon
+  #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties path=/ label=software-properties-dbus
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier
index 9754aa231..8e9cddd54 100644
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@@ -14,6 +14,7 @@ profile update-notifier @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.Notifications>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/bus/org.kde.StatusNotifierWatcher>
   include <abstractions/common/apt>
diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte
index 700c6d517..b4cfb56e6 100644
--- a/apparmor.d/profiles-a-f/alacarte
+++ b/apparmor.d/profiles-a-f/alacarte
@@ -9,6 +9,9 @@ include <tunables/global>
 @{exec_path} = @{bin}/alacarte
 profile alacarte @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.a11y>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/python>
diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop
index 7891b67e1..ec7ee9c65 100644
--- a/apparmor.d/profiles-a-f/element-desktop
+++ b/apparmor.d/profiles-a-f/element-desktop
@@ -17,6 +17,7 @@ profile element-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
   include <abstractions/bus-session>
+  include <abstractions/bus/com.canonical.Unity.LauncherEntry>
   include <abstractions/bus/org.freedesktop.ScreenSaver>
   include <abstractions/bus/org.kde.StatusNotifierWatcher>
   include <abstractions/common/electron>
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index 4bed50f13..0a9e6dfc2 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@@ -18,6 +18,8 @@ profile libreoffice @{exec_path} {
   include <abstractions/bus/org.freedesktop.Avahi>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
+  include <abstractions/bus/org.gtk.vfs.Daemon>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/cups-client>
   include <abstractions/dconf-write>
diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3
index a955a9c6d..f4a61b07b 100644
--- a/apparmor.d/profiles-m-r/pinentry-gnome3
+++ b/apparmor.d/profiles-m-r/pinentry-gnome3
@@ -10,9 +10,11 @@ include <tunables/global>
 profile pinentry-gnome3 @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
+  include <abstractions/bus/org.gnome.keyring.internal.Prompter>
+  include <abstractions/bus/org.gnome.ScreenSaver>
   include <abstractions/consoles>
 
-  signal (receive) set=(int) peer=gpg-agent,
+  signal receive set=int,
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index 0eb5eab43..f245e4312 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -21,10 +21,13 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-session>
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.Notifications>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.freedesktop.ScreenSaver>
   include <abstractions/bus/org.freedesktop.secrets>
+  include <abstractions/bus/org.gnome.SettingsDaemon.MediaKeys>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/bus/org.kde.StatusNotifierWatcher>
+  include <abstractions/bus/org.mpris.MediaPlayer2.Player>
   include <abstractions/bus/session/org.freedesktop.systemd1>
   include <abstractions/common/electron>
   include <abstractions/devices-usb-read>
@@ -36,8 +39,16 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
 
   #aa:dbus own bus=session name=org.mpris.MediaPlayer2.spotify
+
   #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
   #aa:dbus talk bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal
+  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys
+
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Secret
+       member=RetrieveSecret
+       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
+
 
   @{exec_path} mrix,
 
diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity
index c49a96621..73a86672f 100644
--- a/apparmor.d/profiles-s-z/superproductivity
+++ b/apparmor.d/profiles-s-z/superproductivity
@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{name} = super{p,P}roductivity
+@{name} = super{p,P}roductivity Super?Productivity
 @{domain} = org.chromium.Chromium
 @{lib_dirs} = /opt/@{name}
 @{config_dirs} = @{user_config_dirs}/@{name}
@@ -16,7 +16,16 @@ include <tunables/global>
 profile superproductivity @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
+  include <abstractions/bus/com.canonical.dbusmenu>
+  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.Notifications>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
+  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/bus/org.kde.StatusNotifierItem>
   include <abstractions/common/electron>
 
   network inet stream,