Merge branch 'roddhjav:main' into main

2023-11-15 10:16:37 +00:00 · 2023-11-15 10:16:37 +00:00 · 3226ccb879
commit 3226ccb879
parent cf7703131b 58b577385e
73 changed files with 511 additions and 362 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -108,6 +108,11 @@ ubuntu:
    paths:
      - $PKGDEST/*.deb

+whonix:
+  extends: debian
+  variables:
+    DISTRIBUTION: whonix
+
 opensuse:
  stage: build
  image: registry.gitlab.com/roddhjav/builders/opensuse
@ -146,15 +151,15 @@ preprocess-debian:
    - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null

 preprocess-ubuntu:
-  stage: preprocess
+  extends: preprocess-debian
  image: ubuntu
  dependencies:
    - ubuntu
-  script:
-    - apt-get update -q
-    - apt-get install -y apparmor apparmor-profiles
-    - dpkg --install $PKGDEST/*
-    - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
+
+preprocess-whonix:
+  extends: preprocess-debian
+  dependencies:
+    - whonix

 preprocess-opensuse:
  stage: preprocess
--- a/README.md
+++ b/README.md
@ -34,13 +34,13 @@ most Linux based applications and processes.
    * Ubuntu 22.04
    * Debian 12
    * OpenSUSE Tumbleweed
- Support all major desktop environments:
+- Support major desktop environments:
    * Currently only Gnome
 - Fully tested (Work in progress)


-> This project is originaly based on the work from [Morfikov][upstream] and aims
-> to extend it to more Linux distributions and desktop environements.
+> This project is originally based on the work from [Morfikov][upstream] and aims
+> to extend it to more Linux distributions and desktop environments.

 ## Concepts

@ -63,9 +63,12 @@ bubblewrap, toolbox...).
 This is fundamentally different from how AppArmor is usually used on Linux servers
 as it is common to only confine the applications that face the internet and/or the users.

-**Presentation**
+**Presentations**

- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))
+Building large set of AppArmor profiles:
+
+- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
+- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))*

 ## Installation

--- a/apparmor.d/abstractions/chromium
+++ b/apparmor.d/abstractions/chromium
@ -56,6 +56,7 @@
  network netlink raw,

  @{lib_dirs}/{,**} r,
+  @{lib_dirs}/*.so* mr,
  @{lib_dirs}/chrome_crashpad_handler  rPx,
  @{lib_dirs}/chrome-sandbox           rPx,

--- a/apparmor.d/abstractions/chromium-common
+++ b/apparmor.d/abstractions/chromium-common
@ -3,6 +3,9 @@
 # Copyright (C) 2022-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+# This abstraction is for chromium based application. Chromium based browsers
+# need to use abstractions/chromium instead.
+
  abi <abi/3.0>,

  # The following rules are needed only when the kernel.unprivileged_userns_clone option is set
--- a/apparmor.d/abstractions/flatpak-snap
+++ b/apparmor.d/abstractions/flatpak-snap
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018 Nibaldo Gonzalez <nibgonz@gmail.com>
-#               2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2021 Mikhail Morfikov
 # SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@ -23,6 +23,8 @@
  /var/lib/extrausers/passwd r,

  @{run}/nscd/db* r,
+  @{run}/resolvconf/resolv.conf r,
+  @{run}/systemd/resolve/resolv.conf r,
  @{run}/systemd/resolve/stub-resolv.conf r,

  # NSS records from systemd-userdbd.service
--- a/apparmor.d/abstractions/totem
+++ b/apparmor.d/abstractions/totem
@ -1,7 +1,8 @@
-# vim:syntax=apparmor
-# Author: Jamie Strandboge <jamie@canonical.com>
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) Jamie Strandboge <jamie@canonical.com>
+# SPDX-License-Identifier: GPL-2.0-only

-# Description: Limit executable access and reasonable read access. A look at
+# Limit executable access and reasonable read access. A look at
 # the gconf schema files for totem-video-thumbnailer reveals at least the
 # following files:
 #  3gpp, ac3, acm, aiff, amr-wb, ape, asf, asx, au, avi, basic, divx, dv, flac,
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@ -2,8 +2,8 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-# Give read access on all defined user directories. It should only be used if
-# access to ALL folders is required.
+# This abstraction gives read access on all defined user directories. It should
+# only be used if access to **ALL** folders is required.

  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
--- a/apparmor.d/groups/_full/init
+++ b/apparmor.d/groups/_full/init
@ -1,15 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Full system policy profile.
-
-# /sbin/init (PID 1) is a link to /usr/lib/systemd/systemd
-
-# Only use this profile with a fully configured system. Otherwise it **WILL**
-# break your computer.
-# See https://apparmor.pujol.io/development/structure/#full-system-policy
-# for more information.
-
-# Distributions and other programs can add rules in the usr/init.d directory
-
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -2,137 +2,13 @@
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-# This is not /sbin/init (PID 1) but systemd --user
+# Main profile for full system policy.
+
+# Profile for systemd (PID 1), it does not specify an attachment path because
+# it is direclty used by systemd.

 # Only use this profile with a fully configured system. Otherwise it **WILL**
-# break your computer.
-# See https://apparmor.pujol.io/development/structure/#full-system-policy
-# for more information.
+# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.

 # Distributions and other programs can add rules in the usr/systemd.d directory

-abi <abi/3.0>,
- 
-include <tunables/global>
- 
-@{exec_path} = @{lib}/systemd/systemd
-profile systemd @{lib}/systemd/systemd flags=(complain) {
-  include <abstractions/base>
-  include <abstractions/dbus-session-strict>
-  include <abstractions/dbus-strict>
-  include <abstractions/nameservice-strict>
-
-  network netlink raw,
-
-  ptrace (read),
-
-  signal (send) set=(term, cont, kill),
-
-  @{exec_path} mr,
-
-  @{bin}/{,ba,da}sh  rix,
-  @{bin}/systemctl   rCx -> systemctl,
-
-  @{lib}/systemd/user-environment-generators/*  rPx,
-  @{lib}/systemd/user-environment-generators/*  rPx,
-  @{lib}/systemd/user-generators/*              rPx,
-
-  # Server
-  @{lib}/openssh/agent-launch rPx,
-
-  # Dbus
-  @{bin}/dbus-daemon                           rPx,
-  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
-
-  # Desktop
-  @{bin}/xdg-user-dirs-update rPx,
-  @{lib}/xdg-desktop-portal*   rPx,
-  @{lib}/xdg-document-portal   rPx,
-  @{lib}/xdg-permission-store  rPx,
-
-  # Audio
-  @{bin}/pipewire        rux, # FIXME: no new privs
-  @{bin}/pipewire-pulse  rux, # FIXME: no new privs
-  @{bin}/pulseaudio      rux, # FIXME: no new privs
-  @{bin}/wireplumber     rux, # FIXME: no new privs
-
-  # Gnome
-  @{bin}/gjs                            rPx,
-  @{bin}/gnome-keyring-daemon           rPx,
-  @{bin}/gnome-shell                    rPx,
-  @{bin}/gsettings                      rPx,
-  @{lib}/{,dconf/}dconf-service         rPx,
-  @{lib}/dconf/dconf-service            rPx,
-  @{lib}/evolution-addressbook-factory  rPx,
-  @{lib}/evolution-calendar-factory     rPx,
-  @{lib}/evolution-source-registry      rPx,
-  @{lib}/gnome-session-binary           rPx,
-  @{lib}/gnome-session-ctl              rPx,
-  @{lib}/gnome-terminal-server          rPx,
-  @{lib}/goa-*                          rPx,
-  @{lib}/gsd-*                          rPx,
-  @{lib}/gvfs-*                         rPx,
-  @{lib}/gvfs/gvfs-*                    rPx,
-  @{lib}/gvfs/gvfsd*                    rPx,
-  @{lib}/gvfsd*                         rPx,
-  @{lib}/tracker-extract-*              rPx,
-  @{lib}/tracker-miner-*                rPx,
-
-  # Ubuntu
-  @{bin}/snap                          rPx,
-
-  /etc/systemd/user.conf r,
-  /etc/systemd/user.conf.d/{,**} r,
-  /etc/systemd/user/{,**} r,
-
-  /usr/ r,
-
-  owner @{user_config_dirs}/systemd/user/{,**} r,
-
-  owner @{run}/user/@{uid}/{,*/,*} rw,
-  owner @{run}/user/@{uid}/*/* rw,
-  owner @{run}/user/@{uid}/systemd/{,**} rw,
-
-  @{run}/mount/utab r,
-  @{run}/systemd/notify w,
-  @{run}/udev/data/* r,
-  @{run}/udev/tags/systemd/ r,
-
-        @{sys}/devices/**/uevent r,
-        @{sys}/devices/virtual/dmi/id/product_name r,
-        @{sys}/devices/virtual/dmi/id/sys_vendor r,
-        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
-        @{sys}/module/apparmor/parameters/enabled r,
-  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
-
-        @{PROC}/@{pids}/cgroup r,
-        @{PROC}/@{pids}/comm r,
-        @{PROC}/@{pids}/stat r,
-        @{PROC}/1/cgroup r,
-        @{PROC}/cmdline r,
-        @{PROC}/swaps r,
-        @{PROC}/sys/fs/nr_open r,
-        @{PROC}/sys/kernel/osrelease r,
-        @{PROC}/sys/kernel/pid_max r,
-        @{PROC}/sys/kernel/threads-max r,
-  owner @{PROC}/@{pids}/attr/apparmor/exec w,
-  owner @{PROC}/@{pids}/fd/ r,
-  owner @{PROC}/@{pids}/mountinfo r,
-  owner @{PROC}/@{pids}/oom_score_adj rw,
-
-  profile systemctl {
-    include <abstractions/base>
-
-    @{bin}/systemctl mr,
-
-          @{PROC}/cmdline r,
-          @{PROC}/sys/kernel/osrelease r,
-    owner @{PROC}/@{pids}/status r,
-
-    include if exists <usr/systemd_systemctl.d>
-    include if exists <local/systemd_systemctl>
-  }
-
-  include if exists <usr/systemd.d>
-  include if exists <local/systemd>
-}
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -0,0 +1,138 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Profile for 'systemd --user' (not PID 1), it does not specify an attachment 
+# path because it is intended to be used only via "Px -> systemd-user" exec 
+# transitions from the systemd profile.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer. See https://apparmor.pujol.io/development/structure/#full-system-policy.
+
+# Distributions and other programs can add rules in the usr/systemd-user.d directory
+
+abi <abi/3.0>,
+ 
+include <tunables/global>
+
+@{exec_path} = @{lib}/systemd/systemd
+profile systemd-user flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
+
+  network netlink raw,
+
+  ptrace (read),
+
+  signal (send) set=(term, cont, kill),
+
+  @{exec_path} mr,
+
+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/systemctl   rCx -> systemctl,
+
+  @{lib}/systemd/user-environment-generators/*  rPx,
+  @{lib}/systemd/user-environment-generators/*  rPx,
+  @{lib}/systemd/user-generators/*              rPx,
+
+  # Server
+  @{lib}/openssh/agent-launch rPx,
+
+  # Dbus
+  @{bin}/dbus-daemon                           rPx,
+  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
+
+  # Desktop
+  @{bin}/xdg-user-dirs-update rPx,
+  @{lib}/xdg-desktop-portal*   rPx,
+  @{lib}/xdg-document-portal   rPx,
+  @{lib}/xdg-permission-store  rPx,
+
+  # Audio
+  @{bin}/pipewire        rux, # FIXME: no new privs
+  @{bin}/pipewire-pulse  rux, # FIXME: no new privs
+  @{bin}/pulseaudio      rux, # FIXME: no new privs
+  @{bin}/wireplumber     rux, # FIXME: no new privs
+
+  # Gnome
+  @{bin}/gjs                            rPx,
+  @{bin}/gnome-keyring-daemon           rPx,
+  @{bin}/gnome-shell                    rPx,
+  @{bin}/gsettings                      rPx,
+  @{lib}/{,dconf/}dconf-service         rPx,
+  @{lib}/dconf/dconf-service            rPx,
+  @{lib}/evolution-addressbook-factory  rPx,
+  @{lib}/evolution-calendar-factory     rPx,
+  @{lib}/evolution-source-registry      rPx,
+  @{lib}/gnome-session-binary           rPx,
+  @{lib}/gnome-session-ctl              rPx,
+  @{lib}/gnome-terminal-server          rPx,
+  @{lib}/goa-*                          rPx,
+  @{lib}/gsd-*                          rPx,
+  @{lib}/gvfs-*                         rPx,
+  @{lib}/gvfs/gvfs-*                    rPx,
+  @{lib}/gvfs/gvfsd*                    rPx,
+  @{lib}/gvfsd*                         rPx,
+  @{lib}/tracker-extract-*              rPx,
+  @{lib}/tracker-miner-*                rPx,
+
+  # Ubuntu
+  @{bin}/snap                          rPx,
+
+  /etc/systemd/user.conf r,
+  /etc/systemd/user.conf.d/{,**} r,
+  /etc/systemd/user/{,**} r,
+
+  /usr/ r,
+
+  owner @{user_config_dirs}/systemd/user/{,**} r,
+
+  owner @{run}/user/@{uid}/{,*/,*} rw,
+  owner @{run}/user/@{uid}/*/* rw,
+  owner @{run}/user/@{uid}/systemd/{,**} rw,
+
+  @{run}/mount/utab r,
+  @{run}/systemd/notify w,
+  @{run}/udev/data/* r,
+  @{run}/udev/tags/systemd/ r,
+
+        @{sys}/devices/**/uevent r,
+        @{sys}/devices/virtual/dmi/id/product_name r,
+        @{sys}/devices/virtual/dmi/id/sys_vendor r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
+        @{sys}/module/apparmor/parameters/enabled r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
+
+        @{PROC}/@{pids}/cgroup r,
+        @{PROC}/@{pids}/comm r,
+        @{PROC}/@{pids}/stat r,
+        @{PROC}/1/cgroup r,
+        @{PROC}/cmdline r,
+        @{PROC}/swaps r,
+        @{PROC}/sys/fs/nr_open r,
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/sys/kernel/pid_max r,
+        @{PROC}/sys/kernel/threads-max r,
+  owner @{PROC}/@{pids}/attr/apparmor/exec w,
+  owner @{PROC}/@{pids}/fd/ r,
+  owner @{PROC}/@{pids}/mountinfo r,
+  owner @{PROC}/@{pids}/oom_score_adj rw,
+
+  profile systemctl {
+    include <abstractions/base>
+
+    @{bin}/systemctl mr,
+
+          @{PROC}/cmdline r,
+          @{PROC}/sys/kernel/osrelease r,
+    owner @{PROC}/@{pids}/status r,
+
+    include if exists <usr/systemd_systemctl.d>
+    include if exists <local/systemd_systemctl>
+  }
+
+  include if exists <usr/systemd-user.d>
+  include if exists <local/systemd-user>
+}
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@ -70,7 +70,6 @@ profile apt-methods-http @{exec_path} {
  owner /tmp/apt-changelog-*/*.changelog rw,

  @{run}/ubuntu-advantage/aptnews.json rw,
-  @{run}/resolvconf/resolv.conf r,

  @{PROC}/1/cgroup r,
  @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/apt/apt-methods-mirror
+++ b/apparmor.d/groups/apt/apt-methods-mirror
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -10,6 +11,7 @@ include <tunables/global>
 profile apt-methods-mirror @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>

  # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
  # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -114,7 +114,6 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /var/log/apt/{term,history}.log w,
  /var/log/apt/eipp.log.xz w,

-        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
  owner @{run}/unattended-upgrades.lock rwk,
  owner @{run}/unattended-upgrades.pid rw,
--- a/apparmor.d/groups/bus/dbus-daemon
+++ b/apparmor.d/groups/bus/dbus-daemon
@ -14,6 +14,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dbus-accessibility>
  include <abstractions/dbus-session>
  include <abstractions/dbus>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

  capability audit_write,
@ -41,7 +42,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  @{bin}/ r,

  @{bin}/[a-z0-9]*                                                       rPUx,
-  @{lib}/{,at-spi2{,-core}/}at-spi2-registryd                             rPx,
+  @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher                           rix, # See #74, #80 & #235
  @{lib}/@{multiarch}/tumbler-1/tumblerd                                 rPUx,
  @{lib}/@{multiarch}/xfce[0-9]/xfconf/xfconfd                            rPx,
  @{lib}/*                                                               rPUx,
@ -64,11 +65,16 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  /etc/dbus-1/{,**} r,

  /usr/share/dbus-1/{,**} r,
+  /usr/share/dconf/profile/gdm r,
  /usr/share/defaults/**.conf r,
+  /usr/share/gdm/greeter-dconf-defaults r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Extra rules for GDM 
+  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/.local/share/icc/ r,
  /var/lib/gdm{3,}/.local/share/icc/edid-*.icc r,
+  /var/lib/gdm{3,}/greeter-dconf-defaults r,

  # Extra rules for Flatpak
  @{system_share_dirs}/dbus-1/{,**} r,
@ -87,6 +93,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
        @{run}/systemd/users/@{uid} r,
  owner @{run}/user/@{uid}/dbus-1/ rw,
  owner @{run}/user/@{uid}/dbus-1/services/ rw,
+  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/systemd/notify w,

  @{sys}/kernel/security/apparmor/.access rw,
@ -94,6 +101,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
  @{sys}/module/apparmor/parameters/enabled r,

        @{PROC}/@{pids}/attr/apparmor/current r,
+        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/mounts r,
        @{PROC}/@{pids}/oom_score_adj rw,
--- a/apparmor.d/groups/children/child-dpkg
+++ b/apparmor.d/groups/children/child-dpkg
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 # Note: This profile does not specify an attachment path because it is
@ -12,7 +13,7 @@ abi <abi/3.0>,

 include <tunables/global>

-# Do not attach to @{bin}/dpkg by default
+@{exec_path} = @{bin}/dpkg
 profile child-dpkg {
  include <abstractions/base>
  include <abstractions/consoles>
@ -21,7 +22,7 @@ profile child-dpkg {
  capability dac_read_search,
  capability setgid,

-  @{bin}/dpkg mr,
+  @{exec_path} mr,

  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
--- a/apparmor.d/groups/children/child-dpkg-divert
+++ b/apparmor.d/groups/children/child-dpkg-divert
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 # Note: This profile does not specify an attachment path because it is
@ -12,11 +13,11 @@ abi <abi/3.0>,

 include <tunables/global>

-# Do not attach to @{bin}/dpkg-divert by default
+@{exec_path} = @{bin}/dpkg-divert
 profile child-dpkg-divert {
  include <abstractions/base>

-  @{bin}/dpkg-divert mr,
+  @{exec_path} mr,

  /var/lib/dpkg/arch r,
  /var/lib/dpkg/status r,
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@ -16,7 +16,8 @@ abi <abi/3.0>,

 include <tunables/global>

-# App allowed to open
+@{exec_path}  = @{bin}/exo-open @{bin}/xdg-open 
+@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop
 profile child-open {
  include <abstractions/base>
  include <abstractions/dri-enumerate>
@ -24,10 +25,7 @@ profile child-open {
  include <abstractions/vulkan>
  include <abstractions/xdg-open>

-  @{bin}/exo-open                                     mr,
-  @{bin}/xdg-open                                     mr,
-  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop  mrix,
-  @{lib}/gio-launch-desktop                           mrix,
+  @{exec_path} mrix,

  @{bin}/{,ba,da}sh        rix,
  @{bin}/{,m,g}awk         rix,
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@ -13,7 +13,7 @@ abi <abi/3.0>,

 include <tunables/global>

-# Do not attach to @{bin}/pager by default
+@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more 
 profile child-pager {
  include <abstractions/base>
  include <abstractions/consoles>
@ -24,9 +24,7 @@ profile child-pager {
  signal (receive) set=(stop, cont, term, kill),

  @{bin}/       r,
-  @{bin}/pager mr,
-  @{bin}/less  mr,
-  @{bin}/more  mr,
+  @{exec_path} mr,

  @{system_share_dirs}/terminfo/{,**} r,

--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@ -13,7 +13,7 @@ abi <abi/3.0>,

 include <tunables/global>

-# Do not attach to @{bin}/systemctl by default
+@{exec_path} = @{bin}/systemctl
 profile child-systemctl flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
@ -33,7 +33,7 @@ profile child-systemctl flags=(attach_disconnected) {
       interface=org.freedesktop.systemd[0-9].Manager
       member=GetUnitFileState,

-  @{bin}/systemctl mr,
+  @{exec_path} mr,

  /etc/machine-id r,
  /etc/systemd/user/{,**} rwl,
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2022 Mikhail Morfikov
-# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -10,52 +10,55 @@ include <tunables/global>
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
 profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-accessibility>
  include <abstractions/dbus-session>
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
+  include <abstractions/X-strict>

-  signal (receive) set=(term hup kill) peer=dbus-daemon,
-  signal (receive) set=(term hup kill) peer=gdm*,
-  signal (receive) set=(term hup kill) peer=gnome-session-binary,
-  signal (send)    set=(term hup kill) peer=dbus-daemon,
-
-  unix (send, receive, connect) type=stream peer=(addr=@/tmp/.X11-unix/*, label=xorg),
-
-  network inet  stream,
+  network inet stream, # TODO: local only
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

+  signal (receive) set=(term hup kill) peer=dbus-daemon,
+  signal (receive) set=(term hup kill) peer=gdm*,
+  signal (receive) set=(term hup kill) peer=gnome-session-binary,
+
  @{exec_path} mr,

-  @{bin}/dbus-daemon         rPx,
  @{bin}/dbus-broker-launch rPUx,
+  @{bin}/dbus-daemon         rix,
+  @{lib}/at-spi2-registryd   rPx,

-  /usr/share/gdm/greeter-dconf-defaults r,
+  /usr/share/dbus-1/accessibility-services/ r,
+  /usr/share/dbus-1/accessibility-services/org.a11y.atspi.Registry.service r,
  /usr/share/dconf/profile/gdm r,
+  /usr/share/defaults/at-spi2/accessibility.conf r,
+  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{HOME}/.Xauthority r,
-  owner @{HOME}/.xsession-errors w,
-
-  owner /tmp/runtime-*/xauth_@{rand6} r,
-  owner /tmp/xauth_@{rand6} r,
-
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/xauth_@{rand6} r,
-
-  /var/lib/lightdm/.Xauthority r,
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,
-
+  /var/lib/lightdm/.Xauthority r,
  /var/log/lightdm/seat[0-9]*-greeter.log w,

+  @{run}/systemd/users/@{uid} r,
+
+  @{sys}/kernel/security/apparmor/.access rw,
+  @{sys}/kernel/security/apparmor/features/dbus/mask r,
+  @{sys}/module/apparmor/parameters/enabled r,
+
+        @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/oom_score_adj r,
+        @{PROC}/@{pids}/mounts r,
+        @{PROC}/1/cgroup r,
+  owner @{PROC}/@{pid}/attr/apparmor/current r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
-        @{PROC}/1/cgroup r,

-  owner /dev/tty@{int} rw,  # file_inherit
+  owner /dev/tty@{int} rw,

  include if exists <local/at-spi-bus-launcher>
 }
--- a/apparmor.d/groups/freedesktop/at-spi2-registryd
+++ b/apparmor.d/groups/freedesktop/at-spi2-registryd
@ -10,14 +10,18 @@ include <tunables/global>
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd
 profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/dbus-session-strict>
-  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-session>
+  include <abstractions/dbus-accessibility>
  include <abstractions/nameservice-strict>
+  include <abstractions/X-strict>

  signal (receive) set=(term hup)      peer=gdm*,
  signal (receive) set=(term hup kill) peer=dbus-daemon,

-  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
+  dbus bind bus=accessibility name=org.a11y.atspi.Registry,
+
+  dbus (send, receive) bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry,

  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
@ -53,16 +57,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
       member=Embed
       peer=(name=:*), # all peer's labels

-  dbus send    bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=EventListenerDeregistered
-       peer=(name=org.freedesktop.DBus), # all peer's labels
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=:*), # all peer's labels
-
  dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
       interface=org.a11y.atspi.DeviceEventController
       member={GetKeystrokeListeners,GetDeviceEventListeners}
@ -78,22 +72,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) {
       member=Introspect
       peer=(name=:*, label=gnome-shell),

-  dbus bind bus=accessibility
-       name=org.a11y.atspi.Registry,
-
  @{exec_path} mr,

-  /var/lib/lightdm/.Xauthority r,
-
-  owner @{HOME}/.Xauthority r,
-  owner @{HOME}/.xsession-errors w,
-
-  owner /tmp/runtime-*/xauth_@{rand6} r,
-  owner /tmp/xauth_@{rand6} r,
-
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/xauth_@{rand6} r,
-
  owner /dev/tty@{int} rw,

  include if exists <local/at-spi2-registryd>
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@ -24,27 +24,32 @@ profile gdm-xsession @{exec_path} {
  @{bin}/gettext         rix,
  @{bin}/gettext.sh      r,
  @{bin}/gnome-session   rix,
-  @{bin}/gsettings       rPx,
  @{bin}/id              rix,
  @{bin}/locale          rix,
  @{bin}/locale-check    rix,
  @{bin}/mktemp          rix,
+  @{bin}/run-parts       rix,
  @{bin}/sed             rix,
+  @{bin}/ssh-agent       rix,
+  @{bin}/tail            rix,
  @{bin}/tr              rix,
  @{bin}/truncate        rix,
  @{bin}/tty             rix,
+  @{bin}/which{,.debianutils}  rix,
  @{bin}/zsh             rix,

-  @{etc_ro}/X11/xdm/Xsession                        rPx,
  @{bin}/dbus-update-activation-environment    rCx -> dbus,
+  @{bin}/dpkg-query                            rpx,
  @{bin}/flatpak                               rPUx,
+  @{bin}/gpgconf                               rPx,
+  @{bin}/gsettings                             rPx,
+  @{bin}/im-launch                             rPx,
  @{bin}/systemctl                             rPx -> child-systemctl,
  @{bin}/xbrlapi                               rPx,
  @{bin}/xhost                                 rPx,
-  @{bin}/im-launch                             rPx,
-  @{bin}/gpgconf                               rPx,
+  @{bin}/xrdb                                  rPx,
+  @{etc_ro}/X11/xdm/Xsession                   rPx,
  @{lib}/gnome-session-binary                  rPx,
-  @{bin}/dpkg-query                            rpx,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/im-config/data/{,*} r,
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@ -13,6 +13,7 @@ profile gnome-disk-image-mounter @{exec_path} {
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
+  include <abstractions/X-strict>

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/gnome-extension-manager
+++ b/apparmor.d/groups/gnome/gnome-extension-manager
@ -40,6 +40,7 @@ profile gnome-extension-manager @{exec_path} {
  /usr/share/X11/xkb/{,**} r,

        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+  owner @{PROC}/@{pid}/cmdline r,

  # Silencer
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@ -60,6 +60,7 @@ profile gvfsd-fuse @{exec_path} {

    /dev/fuse rw,

+    include if exists <local/gvfsd-fuse_fusermount>
  }

  include if exists <local/gvfsd-fuse>
--- a/apparmor.d/groups/kde/dolphin
+++ b/apparmor.d/groups/kde/dolphin
@ -10,6 +10,7 @@ include <tunables/global>
 profile dolphin @{exec_path} {
  include <abstractions/base>
  include <abstractions/deny-sensitive-home>
+  include <abstractions/devices-usb>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@ -52,6 +52,8 @@ profile kconf_update @{exec_path} {
  owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/dolphinrc.lock rwk,
  owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+  owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**,
+  owner @{user_config_dirs}/kactivitymanagerd-statsrc rw,
  owner @{user_config_dirs}/kateschemarc.lock rwk,
  owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kcminputrc.lock rwk,
@ -83,9 +85,8 @@ profile kconf_update @{exec_path} {
  owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kxkbrc.lock rwk,
  owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/plasmashellrc r,
-  owner @{user_config_dirs}/kactivitymanagerd-statsrc rw,
  owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw,
+  owner @{user_config_dirs}/plasmashellrc r,
  owner @{user_config_dirs}/sed@{rand6} rw,
  owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw,

--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@ -50,10 +50,15 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
  @{PROC}/sys/kernel/core_pattern r,
  @{PROC}/sys/kernel/random/boot_id r,

+  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
-  @{sys}/bus/ r,
+  @{sys}/class/i2c-dev/ r,
+  @{sys}/class/usbmisc/ r,
  @{sys}/devices/@{pci}/drm/card@{int}/*/status r,
+  @{sys}/devices/i2c-[0-9]*/name r,
+  @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/name r,
+  @{sys}/devices/platform/*/i2c-[0-9]*/name r,

  /dev/tty rw,
  /dev/rfkill r,
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@ -74,28 +74,29 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
  owner @{user_cache_dirs}/ r,
  owner @{user_cache_dirs}/#@{int} rw,
  owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_share_dirs}/kscreen/* r,
  owner @{user_cache_dirs}/ksycoca5_* r,
-  owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
  owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc rw,
  owner @{user_cache_dirs}/kwin/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/kwin/qmlcache/#@{int},
-  owner @{user_cache_dirs}/plasma-svgelements r,
-  owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
-  owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
+  owner @{user_cache_dirs}/kwin/qmlcache/#@{int} rw,
  owner @{user_cache_dirs}/plasma_theme_default_v*.kcache rw,
+  owner @{user_cache_dirs}/plasma-svgelements r,
+  owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rwl -> @{user_cache_dirs}/#@{int},
+  owner @{user_cache_dirs}/plasma-svgelements.lock rwk,
+  owner @{user_share_dirs}/kscreen/* r,

  owner @{user_config_dirs}/#@{int} rwl,
  owner @{user_config_dirs}/kcminputrc r,
  owner @{user_config_dirs}/kdedefaults/* r,
  owner @{user_config_dirs}/kdeglobals r,
-  owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
+  owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kscreenlockerrc r,
-  owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwinrc.lock rwk,
+  owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
  owner @{user_config_dirs}/kwinrulesrc r,
  owner @{user_config_dirs}/kxkbrc r,
  owner @{user_config_dirs}/menus/{,applications-merged/} r,
+  owner @{user_config_dirs}/session/* r, 

  @{run}/systemd/inhibit/*.ref rw,

--- a/apparmor.d/groups/kde/plasma-browser-integration-host
+++ b/apparmor.d/groups/kde/plasma-browser-integration-host
@ -11,11 +11,12 @@ profile plasma-browser-integration-host @{exec_path} {
  include <abstractions/base>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
+  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/vulkan>
-  include <abstractions/nameservice-strict>

  capability sys_ptrace,

--- a/apparmor.d/groups/pacman/aurpublish
+++ b/apparmor.d/groups/pacman/aurpublish
@ -38,7 +38,7 @@ profile aurpublish @{exec_path} {
  @{bin}/mv          rix,
  @{bin}/nproc       rix,
  @{bin}/rm          rix,
-  @{bin}/sha512sum   rix,
+  @{bin}/sha*sum     rix,
  @{bin}/tput        rix,
  @{bin}/wc          rix,

--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@ -93,7 +93,6 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
        @{run}/motd.d/{,*} r,
        @{run}/motd.dynamic rw,
        @{run}/motd.dynamic.new rw,
-        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/notify w,
        @{run}/systemd/sessions/*.ref rw,
  owner @{run}/sshd{,.init}.pid wl,
--- a/apparmor.d/groups/systemd/systemd-binfmt
+++ b/apparmor.d/groups/systemd/systemd-binfmt
@ -9,11 +9,10 @@ include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd-binfmt
 profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/systemd-common>

  capability net_admin,

-  ptrace (read) peer=unconfined,
-
  @{exec_path} mr,

  @{bin}/* r,
@ -23,12 +22,8 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
  @{run}/binfmt.d/{,*.conf} r,
  /usr/lib/binfmt.d/{,*.conf} r,

-        @{PROC}/1/environ r,
-        @{PROC}/cmdline r,
  @{PROC}/sys/fs/binfmt_misc/register w,
  @{PROC}/sys/fs/binfmt_misc/status w,
-        @{PROC}/sys/kernel/osrelease r,
-  owner @{PROC}/@{pid}/stat r,

  /dev/tty@{int} rw,
  /dev/pts/@{int} rw,
--- a/apparmor.d/groups/systemd/systemd-journald
+++ b/apparmor.d/groups/systemd/systemd-journald
@ -14,8 +14,11 @@ profile systemd-journald @{exec_path} {
  include <abstractions/systemd-common>

  capability audit_control,
+  capability audit_read,
+  capability chown,
+  capability dac_override,
  capability dac_read_search,
-  capability kill,
+  capability fowner,
  capability setgid,
  capability setuid,
  capability sys_admin,
--- a/apparmor.d/groups/ubuntu/ubuntu-report
+++ b/apparmor.d/groups/ubuntu/ubuntu-report
@ -12,6 +12,11 @@ profile ubuntu-report @{exec_path} {
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

+  network inet stream,
+  network inet6 stream,
+  network inet dgram,
+  network inet6 dgram,
+
  @{exec_path} mr,

  @{bin}/dpkg  rPx -> child-dpkg,
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@ -47,6 +47,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {

  @{sys}/fs/cgroup/{,**} rw,
  @{sys}/fs/cgroup/kubepods/{,**} rw,
+  @{sys}/kernel/mm/hugepages/ r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

  @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@ -36,7 +36,7 @@ profile aa-notify @{exec_path} {
  owner @{HOME}/.inputrc r,
  owner @{HOME}/.terminfo/@{int}/dumb r,

-  owner /tmp/_@{c}@{rand6} rw,
+  owner /tmp/*@{rand6} rw,
  owner /tmp/apparmor-bugreport-*.txt rw,

  @{PROC}/ r,
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@ -33,7 +33,6 @@ profile agetty @{exec_path} {
  /etc/os-release r,
  /usr/etc/login.defs r,

-        @{run}/resolvconf/resolv.conf r,
  owner @{run}/agetty.reload rw,

        /dev/tty@{int}   rw,
--- a/apparmor.d/profiles-a-f/auditctl
+++ b/apparmor.d/profiles-a-f/auditctl
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/auditctl
-profile auditctl @{exec_path} {
+profile auditctl @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>

  capability audit_control,
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@ -7,19 +7,20 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = @{bin}/augenrules
-profile augenrules @{exec_path} {
+profile augenrules @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  @{exec_path} mr,

+  @{bin}/{,ba,da}sh  rix,
+  @{bin}/{,e,f}grep  rix,
+  @{bin}/{,g,m}awk   rix,
  @{bin}/auditctl    rPx,
  @{bin}/cat         rix,
  @{bin}/chmod       rix,
  @{bin}/cmp         rix,
  @{bin}/cp          rix,
-  @{bin}/{,g,m}awk rix,
-  @{bin}/{,e,f}grep rix,
  @{bin}/ls          rix,
  @{bin}/mktemp      rix,
  @{bin}/rm          rix,
--- a/apparmor.d/profiles-a-f/cctk
+++ b/apparmor.d/profiles-a-f/cctk
@ -12,6 +12,7 @@ profile cctk @{exec_path} {
  include <abstractions/consoles>

  capability mknod,
+  capability sys_admin,
  capability sys_rawio,

  @{exec_path} mr,
@ -19,6 +20,8 @@ profile cctk @{exec_path} {
  @{lib}/ r,
  /opt/dell/dcc/*.so* mr,
  /opt/dell/srvadmin/{,**} r,
+  /opt/dell/srvadmin/lib64/*.so* rm,
+  /opt/dell/srvadmin/var/lib/openmanage/.ipc/* rwk,

  @{sys}/firmware/dmi/tables/DMI r,
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
--- a/apparmor.d/profiles-a-f/etckeeper
+++ b/apparmor.d/profiles-a-f/etckeeper
@ -57,8 +57,6 @@ profile etckeeper @{exec_path} {
  owner @{HOME}/.netrc r,
  owner @{user_config_dirs}/git/{,*} rw,

-  @{run}/resolvconf/resolv.conf r,
-
  owner /tmp/etckeeper-git* rw,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-a-f/exim4
+++ b/apparmor.d/profiles-a-f/exim4
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -10,9 +11,19 @@ include <tunables/global>
 profile exim4 @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability net_admin,
+  capability net_bind_service,
+  capability setgid,
+  capability setuid,
+
  network inet dgram,
  network inet6 dgram,
  network inet stream,
@ -21,59 +32,26 @@ profile exim4 @{exec_path} {

  @{exec_path} mrix,

-  # To bind to port 25/tcp
-  capability net_bind_service,
-
-  # To remove the following error:
-  #  exim4[]: exim: setgroups() failed: Operation not permitted
-  capability setgid,
-
-  # To remove the following error:
-  #  exim4[]: unable to set gid=110 or uid=105 (euid=0): calling tls_validate_require_cipher
-  capability setuid,
-
-  # To remove the following error:
-  # exim4[]: Cannot open main log file "/var/log/exim4/mainlog": Permission denied: euid=0 egid=110
-  capability dac_read_search,
-  capability dac_override,
-
-  # To remove the following error:
-  #  exim.c:774: chown(/var/spool/exim4//msglog//1kqH5Z-000RUf-UR, 105:110) failed (Operation not
-  #  permitted). Please contact the authors and refer to https://bugs.exim.org/show_bug.cgi?id=2391
-  capability chown,
-
-  # To remove the following error:
-  #  Couldn't chmod message log /var/spool/exim4//msglog//1kqH6c-000S7r-Ni: Operation not permitted
-  capability fowner,
-
-  # Needed?
-  audit deny capability net_admin,
-
-  /var/lib/exim4/config.autogenerated{,.tmp} r,
-
  /etc/email-addresses r,
  /etc/aliases r,

+  /var/lib/exim4/config.autogenerated{,.tmp} r,
+
+  /var/lib/dpkg/status r,
+  /var/log/cron-apt/lastfullmessage r,
  /var/log/exim4/ w,
  /var/log/exim4/mainlog w,
  /var/log/exim4/paniclog w,
  /var/log/exim4/rejectlog w,
-
  /var/spool/exim4/ r,
  /var/spool/exim4/** rwk,

  owner /var/mail/* rwkl -> /var/mail/*,

+  /tmp/#@{int} rw,
+
        @{run}/exim4/ r,
  owner @{run}/exim4/exim.pid rw,

-        @{run}/resolvconf/resolv.conf r,
-  owner @{run}/dbus/system_bus_socket rw,
-
-  # file_inherit
-  /tmp/#@{int} rw,
-  /var/lib/dpkg/status r,
-  /var/log/cron-apt/lastfullmessage r,
-
  include if exists <local/exim4>
 }
--- a/apparmor.d/profiles-a-f/fail2ban-server
+++ b/apparmor.d/profiles-a-f/fail2ban-server
@ -35,7 +35,6 @@ profile fail2ban-server @{exec_path} flags=(attach_disconnected) {

  @{run}/fail2ban/fail2ban.pid rw,
  @{run}/fail2ban/fail2ban.sock rw,
-  @{run}/resolvconf/resolv.conf r,

  owner @{PROC}/@{pid}/fd/ r,

--- a/apparmor.d/profiles-a-f/fprintd
+++ b/apparmor.d/profiles-a-f/fprintd
@ -13,6 +13,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) {
  include <abstractions/devices-usb>
  include <abstractions/nameservice-strict>

+  capability net_admin,
  capability sys_nice,

  network netlink raw,
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@ -21,6 +21,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
  capability dac_read_search,
  capability linux_immutable,
  capability mknod,
+  capability net_admin,
  capability sys_admin,
  capability sys_nice,
  capability sys_rawio,
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@ -21,9 +21,9 @@ profile gsettings @{exec_path} {
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

-  /dev/tty@{int} rw,
-
  owner @{run}/user/@{uid}/bus rw,

+  /dev/tty@{int} rw,
+
  include if exists <local/gsettings>
 }
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@ -20,8 +20,6 @@ profile hostname @{exec_path} {

  @{exec_path} mr,

-  @{run}/resolvconf/resolv.conf r,
-
  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include if exists <local/hostname>
--- a/apparmor.d/profiles-g-l/im-launch
+++ b/apparmor.d/profiles-g-l/im-launch
@ -13,14 +13,16 @@ profile im-launch @{exec_path} {
  @{exec_path} mr,

  @{bin}/{,ba,da}sh            rix,
-  @{bin}/gnome-session rix,
-  @{bin}/env         rix,
-  @{bin}/locale      rix,
-  @{bin}/gettext{,.sh} rix,
-  @{bin}/true        rix,
-  @{bin}/sed         rix,
  @{bin}/dpkg-query            rpx,
+  @{bin}/env                   rix,
+  @{bin}/gettext{,.sh}         rix,
+  @{bin}/gnome-session         rix,
+  @{bin}/gsettings             rPx,
+  @{bin}/locale                rix,
+  @{bin}/sed                   rix,
+  @{bin}/true                  rix,
  @{bin}/uim-toolbar-gtk3     rPUx,
+  @{lib}/gnome-session-binary  rPx,

  /usr/share/im-config/{,**} r,

@ -30,7 +32,6 @@ profile im-launch @{exec_path} {

  owner @{HOME}/.xinputrc r,

-  # file inherit
  owner /dev/tty@{int} rw,

  include if exists <local/im-launch>
--- a/apparmor.d/profiles-g-l/install-info
+++ b/apparmor.d/profiles-g-l/install-info
@ -20,6 +20,7 @@ profile install-info @{exec_path} {

  /usr/share/info/{,**} r,
  /usr/share/info/dir rw,
+  /usr/share/info/dir-@{rand6} rw,

  /dev/tty rw,

--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@ -16,6 +16,10 @@ profile irqbalance @{exec_path} {

  @{exec_path} mr,

+  /etc/default/irqbalance r,
+
+  / r,
+
  @{run}/irqbalance/irqbalance[0-9]*.sock w,

  @{sys}/bus/pci/devices/ r,
--- a/apparmor.d/profiles-m-r/mkswap
+++ b/apparmor.d/profiles-m-r/mkswap
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -13,11 +14,12 @@ profile mkswap @{exec_path} {

  @{exec_path} mr,

-  owner @{PROC}/@{pid}/mounts r,
-        @{PROC}/swaps r,
-
  # SWAP file common locations
  owner /swapfile rw,
+  owner /swap/swapfile rw,
+
+        @{PROC}/swaps r,
+  owner @{PROC}/@{pid}/mounts r,

  include if exists <local/mkswap>
 }
--- a/apparmor.d/profiles-m-r/nullmailer-send
+++ b/apparmor.d/profiles-m-r/nullmailer-send
@ -21,7 +21,5 @@ profile nullmailer-send @{exec_path} {

  /var/spool/nullmailer/{,**} rw,

-  @{run}/resolvconf/resolv.conf r,
-
  include if exists <local/nullmailer-send>
 }
--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@ -65,6 +65,8 @@ profile s3fs @{exec_path} {
    @{PROC}/@{pids}/mounts r,

    /dev/fuse rw,
+
+    include if exists <local/s3fs_fusermount>
  }

  include if exists <local/s3fs>
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@ -73,6 +73,7 @@ profile sudo @{exec_path} {
        /var/lib/sudo/ts/ rw,
        /var/lib/sudo/ts/* rwk,
        /var/log/sudo.log wk,
+  owner /var/db/sudo/lectured/@{uid} rw,
  owner /var/lib/sudo/lectured/* rw,

  owner @{HOME}/.sudo_as_admin_successful rw,
@ -80,7 +81,6 @@ profile sudo @{exec_path} {

        @{run}/ r,
        @{run}/faillock/{,*} rwk,
-        @{run}/resolvconf/resolv.conf r,
        @{run}/systemd/sessions/* r,
  owner @{run}/sudo/ rw,
  owner @{run}/sudo/ts/ rw,
--- a/debian/apparmor.d.hide
+++ b/debian/apparmor.d.hide
@ -3,8 +3,6 @@
 # SPDX-License-Identifier: GPL-2.0-only

 /etc/apparmor.d/usr.bin.firefox
-/etc/apparmor.d/usr.lib.libvirt.virt-aa-helper
 /etc/apparmor.d/usr.sbin.cups-browsed
 /etc/apparmor.d/usr.sbin.cupsd
-/etc/apparmor.d/usr.sbin.libvirtd
 /etc/apparmor.d/usr.sbin.rsyslogd
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -1,6 +1,7 @@
 # Common profile flags definition for all distributions
 # One profile by line using the format: '<profile> <flags>'

+aa-load complain
 acpid attach_disconnected,complain
 agetty complain
 akonadi_akonotes_resource complain
@ -143,6 +144,7 @@ gsd-media-keys attach_disconnected,complain
 gsd-print-notifications attach_disconnected,complain
 gsd-printer attach_disconnected,complain
 gsettings complain
+gvfs-udisks2-volume-monitor attach_disconnected,complain
 gvfsd-dav complain
 hostnamectl complain
 ibus-engine-table complain
@ -213,6 +215,7 @@ nvidia-persistenced complain
 os-prober attach_disconnected,complain
 packagekitd attach_disconnected,complain
 pass-import complain
+passim complain
 passimd attach_disconnected,complain
 pidof complain
 pinentry complain
@ -326,6 +329,7 @@ virtnetworkd complain,attach_disconnected
 virtnodedevd attach_disconnected,complain
 virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
+vlc complain
 wg complain
 wg-quick complain
 xdg-dbus-proxy attach_disconnected,complain
--- a/dists/ignore/arch.ignore
+++ b/dists/ignore/arch.ignore
@ -4,3 +4,6 @@ apparmor.d/groups/apt

 # Ubuntu specific definition 
 apparmor.d/groups/ubuntu
+
+# OpenSUSE specific definition
+apparmor.d/groups/suse
--- a/dists/ignore/debian.ignore
+++ b/dists/ignore/debian.ignore
@ -5,5 +5,10 @@ root/usr/share/libalpm
 # Ubuntu specific definition 
 apparmor.d/groups/ubuntu

+# OpenSUSE specific definition
+apparmor.d/groups/suse
+
 # Profiles provided by they own package
 chronyd
+libvirt
+virt-aa-helper
--- a/dists/ignore/ubuntu.ignore
+++ b/dists/ignore/ubuntu.ignore
@ -3,5 +3,10 @@ apparmor.d/groups/pacman
 root/etc/xdg/autostart/apparmor-notify.desktop
 root/usr/share/libalpm

+# OpenSUSE specific definition
+apparmor.d/groups/suse
+
 # Profiles provided by they own package
 chronyd
+libvirt
+virt-aa-helper
--- a/dists/ignore/whonix.ignore
+++ b/dists/ignore/whonix.ignore
@ -0,0 +1,18 @@
+# Archlinux specific definition
+apparmor.d/groups/pacman
+root/usr/share/libalpm
+
+# OpenSUSE specific definition
+apparmor.d/groups/suse
+
+# Whonix does not have them
+apparmor.d/groups/akonadi
+apparmor.d/groups/browsers
+apparmor.d/groups/gnome
+apparmor.d/groups/kde
+apparmor.d/groups/pacman
+apparmor.d/groups/ubuntu
+apparmor.d/groups/virt
+
+# Profiles provided by they own package
+chronyd
--- a/docs/index.md
+++ b/docs/index.md
@ -37,6 +37,10 @@ See the [Concepts](concepts.md)' page for more detail on the architecture.
    * Currently only :material-gnome: Gnome
 - Fully tested (Work in progress)

-**Presentation**
+**Presentations**
+
+Building large set of AppArmor profiles:
+
+- [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
+- [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/))*

- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))
--- a/pkg/prebuild/prepare.go
+++ b/pkg/prebuild/prepare.go
@ -173,11 +173,10 @@ func SetFlags() error {
 	return nil
 }

-// Set AppArmor for full system policy
-// See https://gitlab.com/apparmor/apparmor/-/wikis/FullSystemPolicy
-// https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads
+// Set AppArmor for (experimental) full system policy.
+// See https://apparmor.pujol.io/development/structure/#full-system-policy
 func SetFullSystemPolicy() error {
-	for _, name := range []string{"init", "systemd"} {
+	for _, name := range []string{"systemd", "systemd-user"} {
 		err := paths.New("apparmor.d/groups/_full/" + name).CopyTo(RootApparmord.Join(name))
 		if err != nil {
 			return err
--- a/tests/boxes.yml
+++ b/tests/boxes.yml
@ -32,6 +32,12 @@ boxes:
    ram: '6144'
    cpu: '6'

+  - name: debian-gnome
+    box: aa-debian-gnome
+    uefi: true
+    ram: '6144'
+    cpu: '6'
+
  - name: opensuse-kde
    box: aa-opensuse-kde
    uefi: true
--- a/tests/packer/builds.pkr.hcl
+++ b/tests/packer/builds.pkr.hcl
@ -7,6 +7,7 @@ build {
    "source.qemu.archlinux-gnome",
    "source.qemu.archlinux-kde",
    "source.qemu.debian-server",
+    "source.qemu.debian-gnome",
    "source.qemu.opensuse-kde",
    "source.qemu.ubuntu-desktop",
    "source.qemu.ubuntu-server",
@ -31,7 +32,7 @@ build {
  }

  provisioner "file" {
-    only        = ["qemu.debian-server", "qemu.ubuntu-server", "qemu.ubuntu-desktop"]
+    only        = ["qemu.debian-server", "qemu.debian-gnome", "qemu.ubuntu-server", "qemu.ubuntu-desktop"]
    destination = "/tmp/src/"
    sources     = ["${path.cwd}/../apparmor.d_${var.version}-1_amd64.deb"]
  }
--- a/tests/packer/debian.pkr.hcl
+++ b/tests/packer/debian.pkr.hcl
@ -37,3 +37,39 @@ source "qemu" "debian-server" {
    )
  }
 }
+
+source "qemu" "debian-gnome" {
+  disk_image         = true
+  iso_url            = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2"
+  iso_checksum       = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS"
+  iso_target_path    = "${var.iso_dir}/debian-cloudimg-amd64.img"
+  cpus               = 4
+  memory             = 2048
+  disk_size          = var.disk_size
+  accelerator        = "kvm"
+  headless           = true
+  ssh_username       = var.username
+  ssh_password       = var.password
+  ssh_port           = 22
+  ssh_wait_timeout   = "1000s"
+  disk_compression   = true
+  disk_detect_zeroes = "unmap"
+  disk_discard       = "unmap"
+  output_directory   = "${var.output}/"
+  vm_name            = "${var.prefix}${source.name}.qcow2"
+  boot_wait          = "10s"
+  firmware           = var.firmware
+  shutdown_command   = "echo ${var.password} | sudo -S /sbin/shutdown -hP now"
+  cd_label           = "cidata"
+  cd_content = {
+    "meta-data" = ""
+    "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml",
+      {
+        username = "${var.username}"
+        password = "${var.password}"
+        ssh_key  = file("${var.ssh_publickey}")
+        hostname = "${var.prefix}${source.name}"
+      }
+    )
+  }
+}
--- a/tests/packer/init/archlinux-gnome.user-data.yml
+++ b/tests/packer/init/archlinux-gnome.user-data.yml
@ -59,8 +59,6 @@ runcmd:
  # Regenerate grub.cfg
  - [ grub-mkconfig, -o, /boot/grub/grub.cfg ]

-  # Enable firewall
-
  # Enable core services
  - [ systemctl, enable, apparmor ]
  - [ systemctl, enable, auditd ]
--- a/tests/packer/init/archlinux-kde.user-data.yml
+++ b/tests/packer/init/archlinux-kde.user-data.yml
@ -61,8 +61,6 @@ runcmd:
  # Regenerate grub.cfg
  - [ grub-mkconfig, -o, /boot/grub/grub.cfg ]

-  # Enable firewall
-
  # Enable core services
  - [ systemctl, enable, apparmor ]
  - [ systemctl, enable, auditd ]
--- a/tests/packer/init/debian-gnome.user-data.yml
+++ b/tests/packer/init/debian-gnome.user-data.yml
@ -0,0 +1,56 @@
+#cloud-config
+
+hostname: ${hostname}
+locale: en_IE
+keyboard:
+  layout: ie
+
+ssh_pwauth: true
+users:
+  - name: ${username}
+    plain_text_passwd: ${password}
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - ${ssh_key}
+    lock_passwd: false
+    sudo: ALL=(ALL) NOPASSWD:ALL
+
+package_update: true
+package_upgrade: true
+package_reboot_if_required: false
+packages:
+  - apparmor-profiles
+  - auditd
+  - build-essential
+  - config-package-dev
+  - debhelper
+  - devscripts
+  - htop
+  - qemu-guest-agent
+  - rsync
+  - vim
+  - task-gnome-desktop
+
+runcmd:
+  - apt-get update -y
+  - apt-get install -y -t bookworm-backports golang-go
+
+write_files:
+
+  - path: /etc/apt/sources.list
+    append: true
+    content: deb http://deb.debian.org/debian bookworm-backports main contrib non-free
+
+  # Network configuration
+  - path: /etc/systemd/network/20-wired.network
+    owner: 'root:root'
+    permissions: '0644'
+    content: |
+      [Match]
+      Name=en*
+
+      [Network]
+      DHCP=yes
+
+      [DHCPv4]
+      RouteMetric=10
--- a/tests/packer/init/debian-server.user-data.yml
+++ b/tests/packer/init/debian-server.user-data.yml
@ -20,6 +20,7 @@ package_upgrade: true
 package_reboot_if_required: false
 packages:
  - apparmor-profiles
+  - auditd
  - build-essential
  - config-package-dev
  - debhelper
--- a/tests/packer/init/ubuntu-desktop.user-data.yml
+++ b/tests/packer/init/ubuntu-desktop.user-data.yml
@ -43,30 +43,37 @@ snap:

 runcmd:

-  # Let NetworkManager handle network
-  - rm /etc/netplan/*
-  - >-
-    printf "network:\n  version: 2\n  renderer: NetworkManager" > /etc/netplan/01-network-manager.yaml
-
  # Remove default filesystem and related tools not used with the suggested
  # storage layout. These may yet be required if different partitioning schemes
  # are used.
-  - apt-get -y remove btrfs-progs cryptsetup* lvm2 xfsprogs
+  - apt-get -y purge btrfs-progs cryptsetup* lvm2 xfsprogs

  # Remove other packages present by default in Ubuntu Server but not
  # normally present in Ubuntu Desktop.
  - >-
-    apt-get -y remove
-      ubuntu-server ubuntu-server-minimal
+    apt-get -y purge
+      ubuntu-server ubuntu-server-minimal netplan.io cloud-init
      binutils byobu curl dmeventd finalrd gawk
      kpartx mdadm ncurses-term needrestart open-iscsi
      sg3-utils ssh-import-id sssd thin-provisioning-tools tmux
      sosreport screen open-vm-tools motd-news-config lxd-agent-loader
      landscape-common fonts-ubuntu-console ethtool

-  # Keep cloud-init, as it performs some of the installation on first boot.
-  - apt-get -y install cloud-init
-
  # Finally, remove things only installed as dependencies of other things
  # we have already removed.
  - apt-get -y autoremove
+
+write_files:
+
+  - path: /etc/systemd/network/20-wired.network
+    owner: 'root:root'
+    permissions: '0644'
+    content: |
+      [Match]
+      Name=en*
+
+      [Network]
+      DHCP=yes
+
+      [DHCPv4]
+      RouteMetric=10
--- a/tests/packer/init/ubuntu-server.user-data.yml
+++ b/tests/packer/init/ubuntu-server.user-data.yml
@ -20,6 +20,7 @@ package_upgrade: true
 package_reboot_if_required: false
 packages:
  - apparmor-profiles
+  - auditd
  - build-essential
  - config-package-dev
  - debhelper