Merge branch 'roddhjav:main' into main

2023-11-15 10:16:37 +00:00 · 2023-11-15 10:16:37 +00:00 · 3226ccb879
commit 3226ccb879
parent cf7703131b 58b577385e
73 changed files with 511 additions and 362 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -108,6 +108,11 @@ ubuntu:
    paths:
      - $PKGDEST/*.deb
 whonix:
  extends: debian
  variables:
    DISTRIBUTION: whonix
 opensuse:
  stage: build
  image: registry.gitlab.com/roddhjav/builders/opensuse
@ -146,15 +151,15 @@ preprocess-debian:
    - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 preprocess-ubuntu:
-  stage: preprocess
+  extends: preprocess-debian
  image: ubuntu
  dependencies:
    - ubuntu
-  script:
+
-    - apt-get update -q
+preprocess-whonix:
-    - apt-get install -y apparmor apparmor-profiles
+  extends: preprocess-debian
-    - dpkg --install $PKGDEST/*
+  dependencies:
-    - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
+    - whonix
 preprocess-opensuse:
  stage: preprocess
--- a/README.md
+++ b/README.md
@ -34,13 +34,13 @@ most Linux based applications and processes.
    * Ubuntu 22.04
    * Debian 12
    * OpenSUSE Tumbleweed
- Support all major desktop environments:
+- Support major desktop environments:
    * Currently only Gnome
 - Fully tested (Work in progress)
-> This project is originaly based on the work from [Morfikov][upstream] and aims
+> This project is originally based on the work from [Morfikov][upstream] and aims
-> to extend it to more Linux distributions and desktop environements.
+> to extend it to more Linux distributions and desktop environments.
 ## Concepts
@ -63,9 +63,12 @@ bubblewrap, toolbox...).
 This is fundamentally different from how AppArmor is usually used on Linux servers
 as it is common to only confine the applications that face the internet and/or the users.
-**Presentation**
+**Presentations**
- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))
+Building large set of AppArmor profiles:
 - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
 - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))*
 ## Installation
--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@ -56,6 +56,7 @@
  network netlink raw,
  @{lib_dirs}/{,**} r,
  @{lib_dirs}/*.so* mr,
  @{lib_dirs}/chrome_crashpad_handler  rPx,
  @{lib_dirs}/chrome-sandbox           rPx,
--- a/apparmor.d/abstractions/chromium-common
+++ b/apparmor.d/abstractions/chromium-common
@ -3,6 +3,9 @@
 # Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # This abstraction is for chromium based application. Chromium based browsers
 # need to use abstractions/chromium instead.
  abi <abi/3.0>,
  # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
--- a/apparmor.d/abstractions/flatpak-snap
+++ b/apparmor.d/abstractions/flatpak-snap
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018 Nibaldo Gonzalez <nibgonz@gmail.com>
-#               2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2021 Mikhail Morfikov
 # SPDX-License-Identifier: GPL-2.0-only
  abi <abi/3.0>,
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@ -23,6 +23,8 @@
  /var/lib/extrausers/passwd r,
  @{run}/nscd/db* r,
  @{run}/resolvconf/resolv.conf r,
  @{run}/systemd/resolve/resolv.conf r,
  @{run}/systemd/resolve/stub-resolv.conf r,
  # NSS records from systemd-userdbd.service
--- a/apparmor.d/abstractions/totem
+++ b/apparmor.d/abstractions/totem
@ -1,7 +1,8 @@
-# vim:syntax=apparmor
+# apparmor.d - Full set of apparmor profiles
-# Author: Jamie Strandboge <jamie@canonical.com>
+# Copyright (C) Jamie Strandboge <jamie@canonical.com>
 # SPDX-License-Identifier: GPL-2.0-only
-# Description: Limit executable access and reasonable read access. A look at
+# Limit executable access and reasonable read access. A look at
 # the gconf schema files for totem-video-thumbnailer reveals at least the
 # following files:
 #  3gpp, ac3, acm, aiff, amr-wb, ape, asf, asx, au, avi, basic, divx, dv, flac,
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@ -2,8 +2,8 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
-# Give read access on all defined user directories. It should only be used if
+# This abstraction gives read access on all defined user directories. It should
-# access to ALL folders is required.
+# only be used if access to **ALL** folders is required.
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
--- a/apparmor.d/groups/_full/init
+++ b/apparmor.d/groups/_full/init
@ -1,15 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Full system policy profile.
 # /sbin/init (PID 1) is a link to /usr/lib/systemd/systemd
 # Only use this profile with a fully configured system. Otherwise it **WILL**
 # break your computer.
 # See https://apparmor.pujol.io/development/structure/#full-system-policy
 # for more information.
 # Distributions and other programs can add rules in the usr/init.d directory
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -2,137 +2,13 @@
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
-# This is not /sbin/init (PID 1) but systemd --user
+# Main profile for full system policy.
 # Profile for systemd (PID 1), it does not specify an attachment path because
 # it is direclty used by systemd.
 # Only use this profile with a fully configured system. Otherwise it **WILL**
-# break your computer.
+# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
 # See https://apparmor.pujol.io/development/structure/#full-system-policy
 # for more information.
 # Distributions and other programs can add rules in the usr/systemd.d directory
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd
 profile systemd @{lib}/systemd/systemd flags=(complain) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  network netlink raw,
  ptrace (read),
  signal (send) set=(term, cont, kill),
  @{exec_path} mr,
  @{bin}/{,ba,da}sh  rix,
  @{bin}/systemctl   rCx -> systemctl,
  @{lib}/systemd/user-environment-generators/*  rPx,
  @{lib}/systemd/user-environment-generators/*  rPx,
  @{lib}/systemd/user-generators/*              rPx,
  # Server
  @{lib}/openssh/agent-launch rPx,
  # Dbus
  @{bin}/dbus-daemon                           rPx,
  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
  # Desktop
  @{bin}/xdg-user-dirs-update rPx,
  @{lib}/xdg-desktop-portal*   rPx,
  @{lib}/xdg-document-portal   rPx,
  @{lib}/xdg-permission-store  rPx,
  # Audio
  @{bin}/pipewire        rux, # FIXME: no new privs
  @{bin}/pipewire-pulse  rux, # FIXME: no new privs
  @{bin}/pulseaudio      rux, # FIXME: no new privs
  @{bin}/wireplumber     rux, # FIXME: no new privs
  # Gnome
  @{bin}/gjs                            rPx,
  @{bin}/gnome-keyring-daemon           rPx,
  @{bin}/gnome-shell                    rPx,
  @{bin}/gsettings                      rPx,
  @{lib}/{,dconf/}dconf-service         rPx,
  @{lib}/dconf/dconf-service            rPx,
  @{lib}/evolution-addressbook-factory  rPx,
  @{lib}/evolution-calendar-factory     rPx,
  @{lib}/evolution-source-registry      rPx,
  @{lib}/gnome-session-binary           rPx,
  @{lib}/gnome-session-ctl              rPx,
  @{lib}/gnome-terminal-server          rPx,
  @{lib}/goa-*                          rPx,
  @{lib}/gsd-*                          rPx,
  @{lib}/gvfs-*                         rPx,
  @{lib}/gvfs/gvfs-*                    rPx,
  @{lib}/gvfs/gvfsd*                    rPx,
  @{lib}/gvfsd*                         rPx,
  @{lib}/tracker-extract-*              rPx,
  @{lib}/tracker-miner-*                rPx,
  # Ubuntu
  @{bin}/snap                          rPx,
  /etc/systemd/user.conf r,
  /etc/systemd/user.conf.d/{,**} r,
  /etc/systemd/user/{,**} r,
  /usr/ r,
  owner @{user_config_dirs}/systemd/user/{,**} r,
  owner @{run}/user/@{uid}/{,*/,*} rw,
  owner @{run}/user/@{uid}/*/* rw,
  owner @{run}/user/@{uid}/systemd/{,**} rw,
  @{run}/mount/utab r,
  @{run}/systemd/notify w,
  @{run}/udev/data/* r,
  @{run}/udev/tags/systemd/ r,
        @{sys}/devices/**/uevent r,
        @{sys}/devices/virtual/dmi/id/product_name r,
        @{sys}/devices/virtual/dmi/id/sys_vendor r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
        @{sys}/module/apparmor/parameters/enabled r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/comm r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/swaps r,
        @{PROC}/sys/fs/nr_open r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/kernel/pid_max r,
        @{PROC}/sys/kernel/threads-max r,
  owner @{PROC}/@{pids}/attr/apparmor/exec w,
  owner @{PROC}/@{pids}/fd/ r,
  owner @{PROC}/@{pids}/mountinfo r,
  owner @{PROC}/@{pids}/oom_score_adj rw,
  profile systemctl {
    include <abstractions/base>
    @{bin}/systemctl mr,
          @{PROC}/cmdline r,
          @{PROC}/sys/kernel/osrelease r,
    owner @{PROC}/@{pids}/status r,
    include if exists <usr/systemd_systemctl.d>
    include if exists <local/systemd_systemctl>
  }
  include if exists <usr/systemd.d>
  include if exists <local/systemd>
 }
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -0,0 +1,138 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Profile for 'systemd --user' (not PID 1), it does not specify an attachment 
 # path because it is intended to be used only via "Px -> systemd-user" exec 
 # transitions from the systemd profile.
 # Only use this profile with a fully configured system. Otherwise it **WILL**
 # break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
 # Distributions and other programs can add rules in the usr/systemd-user.d directory
 abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd
 profile systemd-user flags=(complain) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  network netlink raw,
  ptrace (read),
  signal (send) set=(term, cont, kill),
  @{exec_path} mr,
  @{bin}/{,ba,da}sh  rix,
  @{bin}/systemctl   rCx -> systemctl,
  @{lib}/systemd/user-environment-generators/*  rPx,
  @{lib}/systemd/user-environment-generators/*  rPx,
  @{lib}/systemd/user-generators/*              rPx,
  # Server
  @{lib}/openssh/agent-launch rPx,
  # Dbus
  @{bin}/dbus-daemon                           rPx,
  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
  # Desktop
  @{bin}/xdg-user-dirs-update rPx,
  @{lib}/xdg-desktop-portal*   rPx,
  @{lib}/xdg-document-portal   rPx,
  @{lib}/xdg-permission-store  rPx,
  # Audio
  @{bin}/pipewire        rux, # FIXME: no new privs
  @{bin}/pipewire-pulse  rux, # FIXME: no new privs
  @{bin}/pulseaudio      rux, # FIXME: no new privs
  @{bin}/wireplumber     rux, # FIXME: no new privs
  # Gnome
  @{bin}/gjs                            rPx,
  @{bin}/gnome-keyring-daemon           rPx,
  @{bin}/gnome-shell                    rPx,
  @{bin}/gsettings                      rPx,
  @{lib}/{,dconf/}dconf-service         rPx,
  @{lib}/dconf/dconf-service            rPx,
  @{lib}/evolution-addressbook-factory  rPx,
  @{lib}/evolution-calendar-factory     rPx,
  @{lib}/evolution-source-registry      rPx,
  @{lib}/gnome-session-binary           rPx,
  @{lib}/gnome-session-ctl              rPx,
  @{lib}/gnome-terminal-server          rPx,
  @{lib}/goa-*                          rPx,
  @{lib}/gsd-*                          rPx,
  @{lib}/gvfs-*                         rPx,
  @{lib}/gvfs/gvfs-*                    rPx,
  @{lib}/gvfs/gvfsd*                    rPx,
  @{lib}/gvfsd*                         rPx,
  @{lib}/tracker-extract-*              rPx,
  @{lib}/tracker-miner-*                rPx,
  # Ubuntu
  @{bin}/snap                          rPx,
  /etc/systemd/user.conf r,
  /etc/systemd/user.conf.d/{,**} r,
  /etc/systemd/user/{,**} r,
  /usr/ r,
  owner @{user_config_dirs}/systemd/user/{,**} r,
  owner @{run}/user/@{uid}/{,*/,*} rw,
  owner @{run}/user/@{uid}/*/* rw,
  owner @{run}/user/@{uid}/systemd/{,**} rw,
  @{run}/mount/utab r,
  @{run}/systemd/notify w,
  @{run}/udev/data/* r,
  @{run}/udev/tags/systemd/ r,
        @{sys}/devices/**/uevent r,
        @{sys}/devices/virtual/dmi/id/product_name r,
        @{sys}/devices/virtual/dmi/id/sys_vendor r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
        @{sys}/module/apparmor/parameters/enabled r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/comm r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/1/cgroup r,
        @{PROC}/cmdline r,
        @{PROC}/swaps r,
        @{PROC}/sys/fs/nr_open r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/kernel/pid_max r,
        @{PROC}/sys/kernel/threads-max r,
  owner @{PROC}/@{pids}/attr/apparmor/exec w,
  owner @{PROC}/@{pids}/fd/ r,
  owner @{PROC}/@{pids}/mountinfo r,
  owner @{PROC}/@{pids}/oom_score_adj rw,
  profile systemctl {
    include <abstractions/base>
    @{bin}/systemctl mr,
          @{PROC}/cmdline r,
          @{PROC}/sys/kernel/osrelease r,
    owner @{PROC}/@{pids}/status r,
    include if exists <usr/systemd_systemctl.d>
    include if exists <local/systemd_systemctl>
  }
  include if exists <usr/systemd-user.d>
  include if exists <local/systemd-user>
 }
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@ -70,7 +70,6 @@ profile apt-methods-http @{exec_path} {
  owner /tmp/apt-changelog-*/*.changelog rw,
  @{run}/ubuntu-advantage/aptnews.json rw,
  @{run}/resolvconf/resolv.conf r,
  @{PROC}/1/cgroup r,
  @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/apt/apt-methods-mirror
+++ b/apparmor.d/groups/apt/apt-methods-mirror
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -10,6 +11,7 @@ include <tunables/global>
 profile apt-methods-mirror @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
  # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -114,7 +114,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /var/log/apt/{term,history}.log w,
  /var/log/apt/eipp.log.xz w,
        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
  owner @{run}/unattended-upgrades.lock rwk,
  owner @{run}/unattended-upgrades.pid rw,
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -14,6 +14,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dbus-accessibility>
  include <abstractions/dbus-session>
  include <abstractions/dbus>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  capability audit_write,
@ -41,7 +42,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  @{bin}/ r,
  @{bin}/[a-z0-9]*                                                       rPUx,
-  @{lib}/{,at-spi2{,-core}/}at-spi2-registryd                             rPx,
+  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher                           rix, # See #74, #80 & #235
  @{lib}/@{multiarch}/tumbler-1/tumblerd                                 rPUx,
  @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd                            rPx,
  @{lib}/*                                                               rPUx,
@ -64,11 +65,16 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  /etc/dbus-1/{,**} r,
  /usr/share/dbus-1/{,**} r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/defaults/**.conf r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  # Extra rules for GDM 
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.local/share/icc/ r,
  /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  # Extra rules for Flatpak
  @{system_share_dirs}/dbus-1/{,**} r,
@ -87,6 +93,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/users/@{uid} r,
  owner @{run}/user/@{uid}/dbus-1/ rw,
  owner @{run}/user/@{uid}/dbus-1/services/ rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/systemd/notify w,
  @{sys}/kernel/security/apparmor/.access rw,
@ -94,6 +101,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  @{sys}/module/apparmor/parameters/enabled r,
        @{PROC}/@{pids}/attr/apparmor/current r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/mounts r,
        @{PROC}/@{pids}/oom_score_adj rw,
--- a/apparmor.d/groups/children/child-dpkg
+++ b/apparmor.d/groups/children/child-dpkg
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Note: This profile does not specify an attachment path because it is
@ -12,7 +13,7 @@ abi <abi/3.0>,
 include <tunables/global>
-# Do not attach to @{bin}/dpkg by default
+@{exec_path} = @{bin}/dpkg
 profile child-dpkg {
  include <abstractions/base>
  include <abstractions/consoles>
@ -21,7 +22,7 @@ profile child-dpkg {
  capability dac_read_search,
  capability setgid,
-  @{bin}/dpkg mr,
+  @{exec_path} mr,
  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
--- a/apparmor.d/groups/children/child-dpkg-divert
+++ b/apparmor.d/groups/children/child-dpkg-divert
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Note: This profile does not specify an attachment path because it is
@ -12,11 +13,11 @@ abi <abi/3.0>,
 include <tunables/global>
-# Do not attach to @{bin}/dpkg-divert by default
+@{exec_path} = @{bin}/dpkg-divert
 profile child-dpkg-divert {
  include <abstractions/base>
-  @{bin}/dpkg-divert mr,
+  @{exec_path} mr,
  /var/lib/dpkg/arch r,
  /var/lib/dpkg/status r,
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -16,7 +16,8 @@ abi <abi/3.0>,
 include <tunables/global>
-# App allowed to open
+@{exec_path}  = @{bin}/exo-open @{bin}/xdg-open 
@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
 profile child-open {
  include <abstractions/base>
  include <abstractions/dri-enumerate>
@ -24,10 +25,7 @@ profile child-open {
  include <abstractions/vulkan>
  include <abstractions/xdg-open>
-  @{bin}/exo-open                                     mr,
+  @{exec_path} mrix,
  @{bin}/xdg-open                                     mr,
  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  mrix,
  @{lib}/gio-launch-desktop                           mrix,
  @{bin}/{,ba,da}sh        rix,
  @{bin}/{,m,g}awk         rix,
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@ -13,7 +13,7 @@ abi <abi/3.0>,
 include <tunables/global>
-# Do not attach to @{bin}/pager by default
+@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more 
 profile child-pager {
  include <abstractions/base>
  include <abstractions/consoles>
@ -24,9 +24,7 @@ profile child-pager {
  signal (receive) set=(stop, cont, term, kill),
  @{bin}/       r,
-  @{bin}/pager mr,
+  @{exec_path} mr,
  @{bin}/less  mr,
  @{bin}/more  mr,
  @{system_share_dirs}/terminfo/{,**} r,
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@ -13,7 +13,7 @@ abi <abi/3.0>,
 include <tunables/global>
-# Do not attach to @{bin}/systemctl by default
+@{exec_path} = @{bin}/systemctl
 profile child-systemctl flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
@ -33,7 +33,7 @@ profile child-systemctl flags=(attach_disconnected) {
       interface=org.freedesktop.systemd[0-9].Manager
       member=GetUnitFileState,
-  @{bin}/systemctl mr,
+  @{exec_path} mr,
  /etc/machine-id r,
  /etc/systemd/user/{,**} rwl,
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2022 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -10,52 +10,55 @@ include <tunables/global>
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
 profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-accessibility>
  include <abstractions/dbus-session>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/X-strict>
-  signal (receive) set=(term hup kill) peer=dbus-daemon,
+  network inet stream, # TODO: local only
  signal (receive) set=(term hup kill) peer=gdm*,
  signal (receive) set=(term hup kill) peer=gnome-session-binary,
  signal (send)    set=(term hup kill) peer=dbus-daemon,
  unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),
  network inet  stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  signal (receive) set=(term hup kill) peer=dbus-daemon,
  signal (receive) set=(term hup kill) peer=gdm*,
  signal (receive) set=(term hup kill) peer=gnome-session-binary,
  @{exec_path} mr,
  @{bin}/dbus-daemon         rPx,
  @{bin}/dbus-broker-launch rPUx,
  @{bin}/dbus-daemon         rix,
  @{lib}/at-spi2-registryd   rPx,
-  /usr/share/gdm/greeter-dconf-defaults r,
+  /usr/share/dbus-1/accessibility-services/ r,
  /usr/share/dbus-1/accessibility-services/org.a11y.atspi.Registry.service r,
  /usr/share/dconf/profile/gdm r,
  /usr/share/defaults/at-spi2/accessibility.conf r,
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,
  owner /tmp/runtime-*/xauth_@{rand6} r,
  owner /tmp/xauth_@{rand6} r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/xauth_@{rand6} r,
  /var/lib/lightdm/.Xauthority r,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
-
+  /var/lib/lightdm/.Xauthority r,
  /var/log/lightdm/seat[0-9]*-greeter.log w,
  @{run}/systemd/users/@{uid} r,
  @{sys}/kernel/security/apparmor/.access rw,
  @{sys}/kernel/security/apparmor/features/dbus/mask r,
  @{sys}/module/apparmor/parameters/enabled r,
        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/oom_score_adj r,
        @{PROC}/@{pids}/mounts r,
        @{PROC}/1/cgroup r,
  owner @{PROC}/@{pid}/attr/apparmor/current r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/1/cgroup r,
-  owner /dev/tty@{int} rw,  # file_inherit
+  owner /dev/tty@{int} rw,
  include if exists <local/at-spi-bus-launcher>
 }
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -10,14 +10,18 @@ include <tunables/global>
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd
 profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-session>
-  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-accessibility>
  include <abstractions/nameservice-strict>
  include <abstractions/X-strict>
  signal (receive) set=(term hup)      peer=gdm*,
  signal (receive) set=(term hup kill) peer=dbus-daemon,
-  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
+  dbus bind bus=accessibility name=org.a11y.atspi.Registry,
  dbus (send, receive) bus=accessibility path=/org/a11y/atspi/registry
       interface=org.a11y.atspi.Registry,
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
@ -53,16 +57,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
       member=Embed
       peer=(name=:*), # all peer's labels
  dbus send    bus=accessibility path=/org/a11y/atspi/registry
       interface=org.a11y.atspi.Registry
       member=EventListenerDeregistered
       peer=(name=org.freedesktop.DBus), # all peer's labels
  dbus receive bus=accessibility path=/org/a11y/atspi/registry
       interface=org.a11y.atspi.Registry
       member=GetRegisteredEvents
       peer=(name=:*), # all peer's labels
  dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
       interface=org.a11y.atspi.DeviceEventController
       member={GetKeystrokeListeners,GetDeviceEventListeners}
@ -78,22 +72,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
       member=Introspect
       peer=(name=:*, label=gnome-shell),
  dbus bind bus=accessibility
       name=org.a11y.atspi.Registry,
  @{exec_path} mr,
  /var/lib/lightdm/.Xauthority r,
  owner @{HOME}/.Xauthority r,
  owner @{HOME}/.xsession-errors w,
  owner /tmp/runtime-*/xauth_@{rand6} r,
  owner /tmp/xauth_@{rand6} r,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/xauth_@{rand6} r,
  owner /dev/tty@{int} rw,
  include if exists <local/at-spi2-registryd>
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@ -24,27 +24,32 @@ profile gdm-xsession @{exec_path} {
  @{bin}/gettext         rix,
  @{bin}/gettext.sh      r,
  @{bin}/gnome-session   rix,
  @{bin}/gsettings       rPx,
  @{bin}/id              rix,
  @{bin}/locale          rix,
  @{bin}/locale-check    rix,
  @{bin}/mktemp          rix,
  @{bin}/run-parts       rix,
  @{bin}/sed             rix,
  @{bin}/ssh-agent       rix,
  @{bin}/tail            rix,
  @{bin}/tr              rix,
  @{bin}/truncate        rix,
  @{bin}/tty             rix,
  @{bin}/which{,.debianutils}  rix,
  @{bin}/zsh             rix,
  @{etc_ro}/X11/xdm/Xsession                        rPx,
  @{bin}/dbus-update-activation-environment    rCx -> dbus,
  @{bin}/dpkg-query                            rpx,
  @{bin}/flatpak                               rPUx,
  @{bin}/gpgconf                               rPx,
  @{bin}/gsettings                             rPx,
  @{bin}/im-launch                             rPx,
  @{bin}/systemctl                             rPx -> child-systemctl,
  @{bin}/xbrlapi                               rPx,
  @{bin}/xhost                                 rPx,
-  @{bin}/im-launch                             rPx,
+  @{bin}/xrdb                                  rPx,
-  @{bin}/gpgconf                               rPx,
+  @{etc_ro}/X11/xdm/Xsession                   rPx,
  @{lib}/gnome-session-binary                  rPx,
  @{bin}/dpkg-query                            rpx,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/im-config/data/{,*} r,
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@ -13,6 +13,7 @@ profile gnome-disk-image-mounter @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/X-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@ -40,6 +40,7 @@ profile gnome-extension-manager @{exec_path} {
  /usr/share/X11/xkb/{,**} r,
        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
  owner @{PROC}/@{pid}/cmdline r,
  # Silencer
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@ -60,6 +60,7 @@ profile gvfsd-fuse @{exec_path} {
    /dev/fuse rw,
    include if exists <local/gvfsd-fuse_fusermount>
  }
  include if exists <local/gvfsd-fuse>
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@ -10,6 +10,7 @@ include <tunables/global>
 profile dolphin @{exec_path} {
  include <abstractions/base>
  include <abstractions/deny-sensitive-home>
  include <abstractions/devices-usb>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@ -52,6 +52,8 @@ profile kconf_update @{exec_path} {
  owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/dolphinrc.lock rwk,
  owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**,
  owner @{user_config_dirs}/kactivitymanagerd-statsrc rw,
  owner @{user_config_dirs}/kateschemarc.lock rwk,
  owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kcminputrc.lock rwk,
@ -83,9 +85,8 @@ profile kconf_update @{exec_path} {
  owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kxkbrc.lock rwk,
  owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/plasmashellrc r,
  owner @{user_config_dirs}/kactivitymanagerd-statsrc rw,
  owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw,
  owner @{user_config_dirs}/plasmashellrc r,
  owner @{user_config_dirs}/sed@{rand6} rw,
  owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw,
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@ -50,10 +50,15 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
  @{PROC}/sys/kernel/core_pattern r,
  @{PROC}/sys/kernel/random/boot_id r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
-  @{sys}/bus/ r,
+  @{sys}/class/i2c-dev/ r,
  @{sys}/class/usbmisc/ r,
  @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
  @{sys}/devices/i2c-[0-9]*/name r,
  @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
  @{sys}/devices/platform/*/i2c-[0-9]*/name r,
  /dev/tty rw,
  /dev/rfkill r,
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@ -74,28 +74,29 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
  owner @{user_cache_dirs}/ r,
  owner @{user_cache_dirs}/#@{int} rw,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
  owner @{user_share_dirs}/kscreen/* r,
  owner @{user_cache_dirs}/ksycoca5_* r,
  owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
  owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rw,
  owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},
-  owner @{user_cache_dirs}/plasma-svgelements r,
+  owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
  owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
  owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
  owner @{user_cache_dirs}/plasma_theme_default_v*.kcache rw,
  owner @{user_cache_dirs}/plasma-svgelements r,
  owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
  owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
  owner @{user_share_dirs}/kscreen/* r,
  owner @{user_config_dirs}/#@{int} rwl,
  owner @{user_config_dirs}/kcminputrc r,
  owner @{user_config_dirs}/kdedefaults/* r,
  owner @{user_config_dirs}/kdeglobals r,
  owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
  owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kscreenlockerrc r,
  owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwinrc.lock rwk,
  owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwinrulesrc r,
  owner @{user_config_dirs}/kxkbrc r,
  owner @{user_config_dirs}/menus/{,applications-merged/} r,
  owner @{user_config_dirs}/session/* r, 
  @{run}/systemd/inhibit/*.ref rw,
--- a/apparmor.d/groups/kde/plasma-browser-integration-host
+++ b/apparmor.d/groups/kde/plasma-browser-integration-host
@ -11,11 +11,12 @@ profile plasma-browser-integration-host @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
  include <abstractions/nameservice-strict>
  capability sys_ptrace,
--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -38,7 +38,7 @@ profile aurpublish @{exec_path} {
  @{bin}/mv          rix,
  @{bin}/nproc       rix,
  @{bin}/rm          rix,
-  @{bin}/sha512sum   rix,
+  @{bin}/sha*sum     rix,
  @{bin}/tput        rix,
  @{bin}/wc          rix,
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -93,7 +93,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
        @{run}/motd.d/{,*} r,
        @{run}/motd.dynamic rw,
        @{run}/motd.dynamic.new rw,
        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/notify w,
        @{run}/systemd/sessions/*.ref rw,
  owner @{run}/sshd{,.init}.pid wl,
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@ -9,11 +9,10 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-binfmt
 profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/systemd-common>
  capability net_admin,
  ptrace (read) peer=unconfined,
  @{exec_path} mr,
  @{bin}/* r,
@ -23,12 +22,8 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
  @{run}/binfmt.d/{,*.conf} r,
  /usr/lib/binfmt.d/{,*.conf} r,
        @{PROC}/1/environ r,
        @{PROC}/cmdline r,
  @{PROC}/sys/fs/binfmt_misc/register w,
  @{PROC}/sys/fs/binfmt_misc/status w,
        @{PROC}/sys/kernel/osrelease r,
  owner @{PROC}/@{pid}/stat r,
  /dev/tty@{int} rw,
  /dev/pts/@{int} rw,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -14,8 +14,11 @@ profile systemd-journald @{exec_path} {
  include <abstractions/systemd-common>
  capability audit_control,
  capability audit_read,
  capability chown,
  capability dac_override,
  capability dac_read_search,
-  capability kill,
+  capability fowner,
  capability setgid,
  capability setuid,
  capability sys_admin,
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@ -12,6 +12,11 @@ profile ubuntu-report @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  @{exec_path} mr,
  @{bin}/dpkg  rPx -> child-dpkg,
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@ -47,6 +47,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
  @{sys}/fs/cgroup/{,**} rw,
  @{sys}/fs/cgroup/kubepods/{,**} rw,
  @{sys}/kernel/mm/hugepages/ r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@ -36,7 +36,7 @@ profile aa-notify @{exec_path} {
  owner @{HOME}/.inputrc r,
  owner @{HOME}/.terminfo/@{int}/dumb r,
-  owner /tmp/_@{c}@{rand6} rw,
+  owner /tmp/*@{rand6} rw,
  owner /tmp/apparmor-bugreport-*.txt rw,
  @{PROC}/ r,
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@ -33,7 +33,6 @@ profile agetty @{exec_path} {
  /etc/os-release r,
  /usr/etc/login.defs r,
        @{run}/resolvconf/resolv.conf r,
  owner @{run}/agetty.reload rw,
        /dev/tty@{int}   rw,
--- a/apparmor.d/profiles-a-f/auditctl
+++ b/apparmor.d/profiles-a-f/auditctl
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/auditctl
-profile auditctl @{exec_path} {
+profile auditctl @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  capability audit_control,
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@ -7,19 +7,20 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/augenrules
-profile augenrules @{exec_path} {
+profile augenrules @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  @{exec_path} mr,
  @{bin}/{,ba,da}sh  rix,
  @{bin}/{,e,f}grep  rix,
  @{bin}/{,g,m}awk   rix,
  @{bin}/auditctl    rPx,
  @{bin}/cat         rix,
  @{bin}/chmod       rix,
  @{bin}/cmp         rix,
  @{bin}/cp          rix,
  @{bin}/{,g,m}awk rix,
  @{bin}/{,e,f}grep rix,
  @{bin}/ls          rix,
  @{bin}/mktemp      rix,
  @{bin}/rm          rix,
--- a/apparmor.d/profiles-a-f/cctk
+++ b/apparmor.d/profiles-a-f/cctk
@ -12,6 +12,7 @@ profile cctk @{exec_path} {
  include <abstractions/consoles>
  capability mknod,
  capability sys_admin,
  capability sys_rawio,
  @{exec_path} mr,
@ -19,6 +20,8 @@ profile cctk @{exec_path} {
  @{lib}/ r,
  /opt/dell/dcc/*.so* mr,
  /opt/dell/srvadmin/{,**} r,
  /opt/dell/srvadmin/lib64/*.so* rm,
  /opt/dell/srvadmin/var/lib/openmanage/.ipc/* rwk,
  @{sys}/firmware/dmi/tables/DMI r,
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@ -57,8 +57,6 @@ profile etckeeper @{exec_path} {
  owner @{HOME}/.netrc r,
  owner @{user_config_dirs}/git/{,*} rw,
  @{run}/resolvconf/resolv.conf r,
  owner /tmp/etckeeper-git* rw,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-a-f/exim4
+++ b/apparmor.d/profiles-a-f/exim4
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -10,9 +11,19 @@ include <tunables/global>
 profile exim4 @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability net_admin,
  capability net_bind_service,
  capability setgid,
  capability setuid,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
@ -21,59 +32,26 @@ profile exim4 @{exec_path} {
  @{exec_path} mrix,
  # To bind to port 25/tcp
  capability net_bind_service,
  # To remove the following error:
  #  exim4[]: exim: setgroups() failed: Operation not permitted
  capability setgid,
  # To remove the following error:
  #  exim4[]: unable to set gid=110 or uid=105 (euid=0): calling tls_validate_require_cipher
  capability setuid,
  # To remove the following error:
  # exim4[]: Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=0 egid=110
  capability dac_read_search,
  capability dac_override,
  # To remove the following error:
  #  exim.c:774: chown(/var/spool/exim4//msglog//1kqH5Z-000RUf-UR, 105:110) failed (Operation not
  #  permitted). Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391
  capability chown,
  # To remove the following error:
  #  Couldn't chmod message log /var/spool/exim4//msglog//1kqH6c-000S7r-Ni: Operation not permitted
  capability fowner,
  # Needed?
  audit deny capability net_admin,
  /var/lib/exim4/config.autogenerated{,.tmp} r,
  /etc/email-addresses r,
  /etc/aliases r,
  /var/lib/exim4/config.autogenerated{,.tmp} r,
  /var/lib/dpkg/status r,
  /var/log/cron-apt/lastfullmessage r,
  /var/log/exim4/ w,
  /var/log/exim4/mainlog w,
  /var/log/exim4/paniclog w,
  /var/log/exim4/rejectlog w,
  /var/spool/exim4/ r,
  /var/spool/exim4/** rwk,
  owner /var/mail/* rwkl -> /var/mail/*,
  /tmp/#@{int} rw,
        @{run}/exim4/ r,
  owner @{run}/exim4/exim.pid rw,
        @{run}/resolvconf/resolv.conf r,
  owner @{run}/dbus/system_bus_socket rw,
  # file_inherit
  /tmp/#@{int} rw,
  /var/lib/dpkg/status r,
  /var/log/cron-apt/lastfullmessage r,
  include if exists <local/exim4>
 }
--- a/apparmor.d/profiles-a-f/fail2ban-server
+++ b/apparmor.d/profiles-a-f/fail2ban-server
@ -35,7 +35,6 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) {
  @{run}/fail2ban/fail2ban.pid rw,
  @{run}/fail2ban/fail2ban.sock rw,
  @{run}/resolvconf/resolv.conf r,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@ -13,6 +13,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>
  capability net_admin,
  capability sys_nice,
  network netlink raw,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -21,6 +21,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  capability dac_read_search,
  capability linux_immutable,
  capability mknod,
  capability net_admin,
  capability sys_admin,
  capability sys_nice,
  capability sys_rawio,
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@ -21,9 +21,9 @@ profile gsettings @{exec_path} {
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
  /dev/tty@{int} rw,
  owner @{run}/user/@{uid}/bus rw,
  /dev/tty@{int} rw,
  include if exists <local/gsettings>
 }
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@ -20,8 +20,6 @@ profile hostname @{exec_path} {
  @{exec_path} mr,
  @{run}/resolvconf/resolv.conf r,
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  include if exists <local/hostname>
--- a/apparmor.d/profiles-g-l/im-launch
+++ b/apparmor.d/profiles-g-l/im-launch
@ -13,14 +13,16 @@ profile im-launch @{exec_path} {
  @{exec_path} mr,
  @{bin}/{,ba,da}sh            rix,
  @{bin}/gnome-session rix,
  @{bin}/env         rix,
  @{bin}/locale      rix,
  @{bin}/gettext{,.sh} rix,
  @{bin}/true        rix,
  @{bin}/sed         rix,
  @{bin}/dpkg-query            rpx,
  @{bin}/env                   rix,
  @{bin}/gettext{,.sh}         rix,
  @{bin}/gnome-session         rix,
  @{bin}/gsettings             rPx,
  @{bin}/locale                rix,
  @{bin}/sed                   rix,
  @{bin}/true                  rix,
  @{bin}/uim-toolbar-gtk3     rPUx,
  @{lib}/gnome-session-binary  rPx,
  /usr/share/im-config/{,**} r,
@ -30,7 +32,6 @@ profile im-launch @{exec_path} {
  owner @{HOME}/.xinputrc r,
  # file inherit
  owner /dev/tty@{int} rw,
  include if exists <local/im-launch>
--- a/apparmor.d/profiles-g-l/install-info
+++ b/apparmor.d/profiles-g-l/install-info
@ -20,6 +20,7 @@ profile install-info @{exec_path} {
  /usr/share/info/{,**} r,
  /usr/share/info/dir rw,
  /usr/share/info/dir-@{rand6} rw,
  /dev/tty rw,
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@ -16,6 +16,10 @@ profile irqbalance @{exec_path} {
  @{exec_path} mr,
  /etc/default/irqbalance r,
  / r,
  @{run}/irqbalance/irqbalance[0-9]*.sock w,
  @{sys}/bus/pci/devices/ r,
--- a/apparmor.d/profiles-m-r/mkswap
+++ b/apparmor.d/profiles-m-r/mkswap
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -13,11 +14,12 @@ profile mkswap @{exec_path} {
  @{exec_path} mr,
  owner @{PROC}/@{pid}/mounts r,
        @{PROC}/swaps r,
  # SWAP file common locations
  owner /swapfile rw,
  owner /swap/swapfile rw,
        @{PROC}/swaps r,
  owner @{PROC}/@{pid}/mounts r,
  include if exists <local/mkswap>
 }
--- a/apparmor.d/profiles-m-r/nullmailer-send
+++ b/apparmor.d/profiles-m-r/nullmailer-send
@ -21,7 +21,5 @@ profile nullmailer-send @{exec_path} {
  /var/spool/nullmailer/{,**} rw,
  @{run}/resolvconf/resolv.conf r,
  include if exists <local/nullmailer-send>
 }
--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@ -65,6 +65,8 @@ profile s3fs @{exec_path} {
    @{PROC}/@{pids}/mounts r,
    /dev/fuse rw,
    include if exists <local/s3fs_fusermount>
  }
  include if exists <local/s3fs>
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -73,6 +73,7 @@ profile sudo @{exec_path} {
        /var/lib/sudo/ts/ rw,
        /var/lib/sudo/ts/* rwk,
        /var/log/sudo.log wk,
  owner /var/db/sudo/lectured/@{uid} rw,
  owner /var/lib/sudo/lectured/* rw,
  owner @{HOME}/.sudo_as_admin_successful rw,
@ -80,7 +81,6 @@ profile sudo @{exec_path} {
        @{run}/ r,
        @{run}/faillock/{,*} rwk,
        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/sessions/* r,
  owner @{run}/sudo/ rw,
  owner @{run}/sudo/ts/ rw,
--- a/debian/apparmor.d.hide
+++ b/debian/apparmor.d.hide
@ -3,8 +3,6 @@
 # SPDX-License-Identifier: GPL-2.0-only
 /etc/apparmor.d/usr.bin.firefox
 /etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
 /etc/apparmor.d/usr.sbin.cups-browsed
 /etc/apparmor.d/usr.sbin.cupsd
 /etc/apparmor.d/usr.sbin.libvirtd
 /etc/apparmor.d/usr.sbin.rsyslogd
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -1,6 +1,7 @@
 # Common profile flags definition for all distributions
 # One profile by line using the format: '<profile> <flags>'
 aa-load complain
 acpid attach_disconnected,complain
 agetty complain
 akonadi_akonotes_resource complain
@ -143,6 +144,7 @@ gsd-media-keys attach_disconnected,complain
 gsd-print-notifications attach_disconnected,complain
 gsd-printer attach_disconnected,complain
 gsettings complain
 gvfs-udisks2-volume-monitor attach_disconnected,complain
 gvfsd-dav complain
 hostnamectl complain
 ibus-engine-table complain
@ -213,6 +215,7 @@ nvidia-persistenced complain
 os-prober attach_disconnected,complain
 packagekitd attach_disconnected,complain
 pass-import complain
 passim complain
 passimd attach_disconnected,complain
 pidof complain
 pinentry complain
@ -326,6 +329,7 @@ virtnetworkd complain,attach_disconnected
 virtnodedevd attach_disconnected,complain
 virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
 vlc complain
 wg complain
 wg-quick complain
 xdg-dbus-proxy attach_disconnected,complain
--- a/dists/ignore/arch.ignore
+++ b/dists/ignore/arch.ignore
@ -4,3 +4,6 @@ apparmor.d/groups/apt
 # Ubuntu specific definition 
 apparmor.d/groups/ubuntu
 # OpenSUSE specific definition
 apparmor.d/groups/suse
--- a/dists/ignore/debian.ignore
+++ b/dists/ignore/debian.ignore
@ -5,5 +5,10 @@ root/usr/share/libalpm
 # Ubuntu specific definition 
 apparmor.d/groups/ubuntu
 # OpenSUSE specific definition
 apparmor.d/groups/suse
 # Profiles provided by they own package
 chronyd
 libvirt
 virt-aa-helper
--- a/dists/ignore/ubuntu.ignore
+++ b/dists/ignore/ubuntu.ignore
@ -3,5 +3,10 @@ apparmor.d/groups/pacman
 root/etc/xdg/autostart/apparmor-notify.desktop
 root/usr/share/libalpm
 # OpenSUSE specific definition
 apparmor.d/groups/suse
 # Profiles provided by they own package
 chronyd
 libvirt
 virt-aa-helper
--- a/dists/ignore/whonix.ignore
+++ b/dists/ignore/whonix.ignore
@ -0,0 +1,18 @@
 # Archlinux specific definition
 apparmor.d/groups/pacman
 root/usr/share/libalpm
 # OpenSUSE specific definition
 apparmor.d/groups/suse
 # Whonix does not have them
 apparmor.d/groups/akonadi
 apparmor.d/groups/browsers
 apparmor.d/groups/gnome
 apparmor.d/groups/kde
 apparmor.d/groups/pacman
 apparmor.d/groups/ubuntu
 apparmor.d/groups/virt
 # Profiles provided by they own package
 chronyd
--- a/docs/index.md
+++ b/docs/index.md
@ -37,6 +37,10 @@ See the [Concepts](concepts.md)' page for more detail on the architecture.
    * Currently only :material-gnome: Gnome
 - Fully tested (Work in progress)
-**Presentation**
+**Presentations**
 Building large set of AppArmor profiles:
 - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
 - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))*
 - [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@ -173,11 +173,10 @@ func SetFlags() error {
 	return nil
 }
-// Set AppArmor for full system policy
+// Set AppArmor for (experimental) full system policy.
-// See https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy
+// See https://apparmor.pujol.io/development/structure/#full-system-policy
 // https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads
 func SetFullSystemPolicy() error {
-	for _, name := range []string{"init", "systemd"} {
+	for _, name := range []string{"systemd", "systemd-user"} {
 		err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join(name))
 		if err != nil {
 			return err
--- a/tests/boxes.yml
+++ b/tests/boxes.yml
@ -32,6 +32,12 @@ boxes:
    ram: '6144'
    cpu: '6'
  - name: debian-gnome
    box: aa-debian-gnome
    uefi: true
    ram: '6144'
    cpu: '6'
  - name: opensuse-kde
    box: aa-opensuse-kde
    uefi: true
--- a/tests/packer/builds.pkr.hcl
+++ b/tests/packer/builds.pkr.hcl
@ -7,6 +7,7 @@ build {
    "source.qemu.archlinux-gnome",
    "source.qemu.archlinux-kde",
    "source.qemu.debian-server",
    "source.qemu.debian-gnome",
    "source.qemu.opensuse-kde",
    "source.qemu.ubuntu-desktop",
    "source.qemu.ubuntu-server",
@ -31,7 +32,7 @@ build {
  }
  provisioner "file" {
-    only        = ["qemu.debian-server", "qemu.ubuntu-server", "qemu.ubuntu-desktop"]
+    only        = ["qemu.debian-server", "qemu.debian-gnome", "qemu.ubuntu-server", "qemu.ubuntu-desktop"]
    destination = "/tmp/src/"
    sources     = ["${path.cwd}/../apparmor.d_${var.version}-1_amd64.deb"]
  }
--- a/tests/packer/debian.pkr.hcl
+++ b/tests/packer/debian.pkr.hcl
@ -37,3 +37,39 @@ source "qemu" "debian-server" {
    )
  }
 }
 source "qemu" "debian-gnome" {
  disk_image         = true
  iso_url            = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2"
  iso_checksum       = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS"
  iso_target_path    = "${var.iso_dir}/debian-cloudimg-amd64.img"
  cpus               = 4
  memory             = 2048
  disk_size          = var.disk_size
  accelerator        = "kvm"
  headless           = true
  ssh_username       = var.username
  ssh_password       = var.password
  ssh_port           = 22
  ssh_wait_timeout   = "1000s"
  disk_compression   = true
  disk_detect_zeroes = "unmap"
  disk_discard       = "unmap"
  output_directory   = "${var.output}/"
  vm_name            = "${var.prefix}${source.name}.qcow2"
  boot_wait          = "10s"
  firmware           = var.firmware
  shutdown_command   = "echo ${var.password} | sudo -S /sbin/shutdown -hP now"
  cd_label           = "cidata"
  cd_content = {
    "meta-data" = ""
    "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml",
      {
        username = "${var.username}"
        password = "${var.password}"
        ssh_key  = file("${var.ssh_publickey}")
        hostname = "${var.prefix}${source.name}"
      }
    )
  }
 }
--- a/tests/packer/init/archlinux-gnome.user-data.yml
+++ b/tests/packer/init/archlinux-gnome.user-data.yml
@ -59,8 +59,6 @@ runcmd:
  # Regenerate grub.cfg
  - [ grub-mkconfig, -o, /boot/grub/grub.cfg ]
  # Enable firewall
  # Enable core services
  - [ systemctl, enable, apparmor ]
  - [ systemctl, enable, auditd ]
--- a/tests/packer/init/archlinux-kde.user-data.yml
+++ b/tests/packer/init/archlinux-kde.user-data.yml
@ -61,8 +61,6 @@ runcmd:
  # Regenerate grub.cfg
  - [ grub-mkconfig, -o, /boot/grub/grub.cfg ]
  # Enable firewall
  # Enable core services
  - [ systemctl, enable, apparmor ]
  - [ systemctl, enable, auditd ]
--- a/tests/packer/init/debian-gnome.user-data.yml
+++ b/tests/packer/init/debian-gnome.user-data.yml
@ -0,0 +1,56 @@
 #cloud-config
 hostname: ${hostname}
 locale: en_IE
 keyboard:
  layout: ie
 ssh_pwauth: true
 users:
  - name: ${username}
    plain_text_passwd: ${password}
    shell: /bin/bash
    ssh_authorized_keys:
      - ${ssh_key}
    lock_passwd: false
    sudo: ALL=(ALL) NOPASSWD:ALL
 package_update: true
 package_upgrade: true
 package_reboot_if_required: false
 packages:
  - apparmor-profiles
  - auditd
  - build-essential
  - config-package-dev
  - debhelper
  - devscripts
  - htop
  - qemu-guest-agent
  - rsync
  - vim
  - task-gnome-desktop
 runcmd:
  - apt-get update -y
  - apt-get install -y -t bookworm-backports golang-go
 write_files:
  - path: /etc/apt/sources.list
    append: true
    content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free
  # Network configuration
  - path: /etc/systemd/network/20-wired.network
    owner: 'root:root'
    permissions: '0644'
    content: |
      [Match]
      Name=en*
      [Network]
      DHCP=yes
      [DHCPv4]
      RouteMetric=10
--- a/tests/packer/init/debian-server.user-data.yml
+++ b/tests/packer/init/debian-server.user-data.yml
@ -20,6 +20,7 @@ package_upgrade: true
 package_reboot_if_required: false
 packages:
  - apparmor-profiles
  - auditd
  - build-essential
  - config-package-dev
  - debhelper
--- a/tests/packer/init/ubuntu-desktop.user-data.yml
+++ b/tests/packer/init/ubuntu-desktop.user-data.yml
@ -43,30 +43,37 @@ snap:
 runcmd:
  # Let NetworkManager handle network
  - rm /etc/netplan/*
  - >-
    printf "network:\n  version: 2\n  renderer: NetworkManager" > /etc/netplan/01-network-manager.yaml
  # Remove default filesystem and related tools not used with the suggested
  # storage layout. These may yet be required if different partitioning schemes
  # are used.
-  - apt-get -y remove btrfs-progs cryptsetup* lvm2 xfsprogs
+  - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs
  # Remove other packages present by default in Ubuntu Server but not
  # normally present in Ubuntu Desktop.
  - >-
-    apt-get -y remove
+    apt-get -y purge
-      ubuntu-server ubuntu-server-minimal
+      ubuntu-server ubuntu-server-minimal netplan.io cloud-init
      binutils byobu curl dmeventd finalrd gawk
      kpartx mdadm ncurses-term needrestart open-iscsi
      sg3-utils ssh-import-id sssd thin-provisioning-tools tmux
      sosreport screen open-vm-tools motd-news-config lxd-agent-loader
      landscape-common fonts-ubuntu-console ethtool
  # Keep cloud-init, as it performs some of the installation on first boot.
  - apt-get -y install cloud-init
  # Finally, remove things only installed as dependencies of other things
  # we have already removed.
  - apt-get -y autoremove
 write_files:
  - path: /etc/systemd/network/20-wired.network
    owner: 'root:root'
    permissions: '0644'
    content: |
      [Match]
      Name=en*
      [Network]
      DHCP=yes
      [DHCPv4]
      RouteMetric=10
--- a/tests/packer/init/ubuntu-server.user-data.yml
+++ b/tests/packer/init/ubuntu-server.user-data.yml
@ -20,6 +20,7 @@ package_upgrade: true
 package_reboot_if_required: false
 packages:
  - apparmor-profiles
  - auditd
  - build-essential
  - config-package-dev
  - debhelper