From a8509af857da9b2a8ad68d35433333f255db3bac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Jul 2024 15:07:20 +0200 Subject: [PATCH 001/315] build: update overwrite list from upstream fix #427 --- dists/overwrite | 1 + 1 file changed, 1 insertion(+) diff --git a/dists/overwrite b/dists/overwrite index bea6d574b..bbeb46bea 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -5,6 +5,7 @@ brave chrome +chromium element-desktop epiphany firefox From 28d5ea034e9f8b15897407c62799b3a68aeef52e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 Jul 2024 15:15:26 +0200 Subject: [PATCH 002/315] feat(profile): merge transmission gui profiles. Fix conflicting file naming with upstream. fix #429 --- .../{transmission-gtk => transmission} | 9 +-- apparmor.d/profiles-s-z/transmission-qt | 56 ------------------- dists/flags/main.flags | 1 + dists/overwrite | 1 + 4 files changed, 7 insertions(+), 60 deletions(-) rename apparmor.d/profiles-s-z/{transmission-gtk => transmission} (88%) delete mode 100644 apparmor.d/profiles-s-z/transmission-qt diff --git a/apparmor.d/profiles-s-z/transmission-gtk b/apparmor.d/profiles-s-z/transmission similarity index 88% rename from apparmor.d/profiles-s-z/transmission-gtk rename to apparmor.d/profiles-s-z/transmission index 40586fa03..07aca1890 100644 --- a/apparmor.d/profiles-s-z/transmission-gtk +++ b/apparmor.d/profiles-s-z/transmission @@ -6,8 +6,8 @@ abi , include -@{exec_path} = @{bin}/transmission-gtk -profile transmission-gtk @{exec_path} { +@{exec_path} = @{bin}/transmission-{gtk,qt} +profile transmission @{exec_path} { include include include @@ -33,10 +33,11 @@ profile transmission-gtk @{exec_path} { owner @{user_config_dirs}/transmission/ rw, owner @{user_config_dirs}/transmission/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/transmission/ rw, owner @{user_cache_dirs}/transmission/** rwk, + owner @{tmp}/tr_session_id_* rwk, + @{run}/mount/utab r, @{PROC}/@{pid}/net/route r, 
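Review bot: The merged profile now also confines `transmission-qt`, but the only rules this hunk carries over from the deleted transmission-qt profile are `owner @{tmp}/tr_session_id_* rwk,` and `@{run}/mount/utab r,`; the removed profile also had `@{PROC}/sys/kernel/random/uuid r,`, `/usr/share/hwdata/pnp.ids r,`, `owner @{PROC}/@{pid}/mountinfo r,`, `owner @{PROC}/@{pid}/mounts r,` and `deny owner @{PROC}/@{pid}/cmdline r,`, none of which appear in the new side. Unless those already exist in the unchanged part of the former transmission-gtk profile, the Qt build will hit new denials (only logged, since `transmission complain` is added to main.flags in the same commit). The includes pulled in by the two old profiles were stripped from this copy, so whether the Qt-specific abstractions were merged cannot be checked here either. Dropping `owner @{user_cache_dirs}/ rw,` is a tightening and looks intentional. The profile block continues outside the hunk.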
@@ -48,7 +49,7 @@ profile transmission-gtk @{exec_path} { deny @{user_share_dirs}/gvfs-metadata/* r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/transmission-qt b/apparmor.d/profiles-s-z/transmission-qt deleted file mode 100644 index bbfe5bff4..000000000 --- a/apparmor.d/profiles-s-z/transmission-qt +++ /dev/null @@ -1,56 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/transmission-qt -profile transmission-qt @{exec_path} { - include - include - include - include - include - include - include - include - include - include - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink dgram, - network netlink raw, - - @{exec_path} mr, - - # Torrent files - owner @{user_torrents_dirs}/ r, - owner @{user_torrents_dirs}/** rw, - - owner @{user_config_dirs}/transmission/ rw, - owner @{user_config_dirs}/transmission/** rwk, - - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/transmission/ rw, - owner @{user_cache_dirs}/transmission/** rwk, - - owner @{tmp}/tr_session_id_* rwk, - - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pid}/net/route r, - @{PROC}/sys/kernel/random/uuid r, - - /usr/share/hwdata/pnp.ids r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 57862b8ce..940b7b0b1 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -368,6 +368,7 @@ systemd-userwork attach_disconnected,complain systemsettings complain totem attach_disconnected,complain tracker-writeback complain +transmission complain udev-dmi-memory-id complain udisksctl complain udisksd attach_disconnected,complain 
diff --git a/dists/overwrite b/dists/overwrite index bbeb46bea..ec35b79cd 100644 --- a/dists/overwrite +++ b/dists/overwrite @@ -19,5 +19,6 @@ plasmashell slirp4netns systemd-coredump thunderbird +transmission unix-chkpwd virtiofsd From 7d9ae262c95539593e286823b009499acb3ca8e5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 2 Aug 2024 14:54:32 +0200 Subject: [PATCH 003/315] fix: borg profile mounting issues. fix 431 --- apparmor.d/profiles-a-f/borg | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 107330419..6a8eff043 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -21,6 +21,9 @@ profile borg @{exec_path} { network inet6 dgram, network netlink raw, + mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/, + mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/, + @{exec_path} r, @{bin}/ r, @@ -107,6 +110,9 @@ profile borg @{exec_path} { /etc/fuse.conf r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + @{PROC}/@{pids}/mounts r, /dev/fuse rw, From ad60ee11ad6c43d32ef0396e340ec4e446288d69 Mon Sep 17 00:00:00 2001 From: valoq Date: Mon, 5 Aug 2024 09:31:02 +0200 Subject: [PATCH 004/315] minor improvements --- apparmor.d/profiles-s-z/zathura | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura index b055fe31b..d45ad5f1e 100644 --- a/apparmor.d/profiles-s-z/zathura +++ b/apparmor.d/profiles-s-z/zathura @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/zathura +@{exec_path} = @{bin}/zathura{,-sandbox} profile zathura @{exec_path} { include include @@ -18,11 +18,13 @@ profile zathura @{exec_path} { @{exec_path} mr, /usr/share/file/{,**} r, + /usr/share/poppler/{,**} r, /etc/xdg/{,**} r, /etc/zathurarc r, owner @{user_config_dirs}/zathura/** r, + owner @{user_share_dirs}/zathura/ r, owner @{user_share_dirs}/zathura/** rwk, owner @{tmp}/gtkprint* rw, 
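Review bot: The first new mount rule, `mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/,`, lets borg mount its FUSE filesystem directly over the mounts root rather than only over a subdirectory (`@{MOUNTS}/*/`), which would shadow every other mount point beneath it. If `borg mount` is only ever given a dedicated directory as target, the `@{MOUNTS}/` rule can be dropped; otherwise a one-line comment stating why the root itself must be a valid target would help the next reader, e.g. `# borg mount may target @{MOUNTS}/ directly: <reason: TODO>`. The `ro nosuid nodev` option set is a good restriction to keep. The profile block continues outside both hunks.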
From da27a6b27e774807554f2230c54ef9dcd79546b0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 Aug 2024 17:46:46 +0100 Subject: [PATCH 005/315] fix: mpv needs access to /dev/snd files for the alsa audio backend to work fix #433 --- apparmor.d/profiles-m-r/mpv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 1629176dd..88a5078aa 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/mpv profile mpv @{exec_path} { include - include + include include include include From e3e6c2f5b60675dd85125495f295d29c0aefae6c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 Aug 2024 17:51:23 +0100 Subject: [PATCH 006/315] feat(profile): add NTS support for chronyd. fix #438 --- apparmor.d/profiles-a-f/chronyd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 5aa5c5ed2..490afddb2 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -12,6 +12,8 @@ include profile chronyd @{exec_path} flags=(attach_disconnected) { include include + include + include capability chown, capability dac_override, From fc1ae32e4e0e5aa54edd9a3aeb0008df8be6eafa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 Aug 2024 17:54:34 +0100 Subject: [PATCH 007/315] fix(profile): virtlogd: support for user libvirtd. fix #436 --- apparmor.d/groups/virt/virtlogd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 1a3ecb06b..b06ad67f1 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd 
@@ -24,6 +24,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/libvirt/qemu/log/{,**} rw, owner @{run}/user/@{uid}/common/system.token rw, + owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd* w, From 14fae89fddc4280298ec949a6b7b73cf3d2c3c52 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 Aug 2024 17:59:24 +0100 Subject: [PATCH 008/315] fix(profile): modprobed-db access to config files. fix #435 --- apparmor.d/profiles-m-r/modprobed-db | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db index 29125f192..3798332ea 100644 --- a/apparmor.d/profiles-m-r/modprobed-db +++ b/apparmor.d/profiles-m-r/modprobed-db @@ -28,9 +28,10 @@ profile modprobed-db @{exec_path} { @{bin}/uniq rix, @{bin}/wc rix, + /usr/share/modprobed-db/** r, /usr/share/terminfo/** r, - owner @{user_config_dirs}/modprobed-db.conf r, + owner @{user_config_dirs}/modprobed-db.conf rw, owner @{user_config_dirs}/modprobed.db rw, owner @{tmp}/.inmem rw, From 93313422bdc71324a8a886c4cabab33bfe32a7cd Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 20 Aug 2024 18:49:52 +0100 Subject: [PATCH 009/315] feat(profile): update kde profiles on openSUSE Tumbleweed. See #424 --- apparmor.d/abstractions/app/firefox | 1 + apparmor.d/groups/akonadi/akonadi_control | 2 ++ apparmor.d/groups/browsers/firefox | 10 ++++---- .../groups/browsers/firefox-kmozillahelper | 2 +- apparmor.d/groups/bus/dbus-accessibility | 8 +++++++ apparmor.d/groups/bus/dbus-system | 1 + apparmor.d/groups/cron/cron | 5 ++-- .../groups/display-manager/xdm-xsession | 5 +++- .../polkit-kde-authentication-agent | 2 ++ apparmor.d/groups/freedesktop/pulseaudio | 2 ++ apparmor.d/groups/gpg/gpg-connect-agent | 1 + apparmor.d/groups/kde/DiscoverNotifier | 3 +++ apparmor.d/groups/kde/gmenudbusmenuproxy | 2 ++ apparmor.d/groups/kde/kalendarac | 4 +++- apparmor.d/groups/kde/kde-powerdevil | 3 ++- apparmor.d/groups/kde/kded | 7 +++--- apparmor.d/groups/kde/kglobalacceld | 3 +++ apparmor.d/groups/kde/kiod | 1 + apparmor.d/groups/kde/konsole | 9 +++++++- apparmor.d/groups/kde/kscreenlocker_greet | 1 + apparmor.d/groups/kde/ksmserver | 7 ++++++ apparmor.d/groups/kde/kwalletd | 2 ++ apparmor.d/groups/kde/plasma_waitforname | 1 + apparmor.d/groups/kde/plasmashell | 7 +++++- apparmor.d/groups/kde/sddm-greeter | 2 ++ apparmor.d/groups/kde/startplasma | 1 + apparmor.d/groups/kde/xembedsniproxy | 2 ++ apparmor.d/profiles-a-f/amixer | 2 +- apparmor.d/profiles-a-f/dmesg | 2 +- apparmor.d/profiles-g-l/git | 11 +++++---- apparmor.d/profiles-g-l/issue-generator | 1 + apparmor.d/profiles-m-r/pinentry-qt | 23 +++---------------- apparmor.d/tunables/home.d/apparmor.d | 2 +- apparmor.d/tunables/multiarch.d/system | 1 + 34 files changed, 93 insertions(+), 43 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 9de4359e1..7895db4e9 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox 
@@ -104,6 +104,7 @@ owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, @{run}/mount/utab r, diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control index f52c3e14f..f21b968d2 100644 --- a/apparmor.d/groups/akonadi/akonadi_control +++ b/apparmor.d/groups/akonadi/akonadi_control @@ -31,6 +31,8 @@ profile akonadi_control @{exec_path} { owner @{user_share_dirs}/akonadi/{,**} rwl, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 41ce67746..6d50db9dc 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -57,14 +57,14 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{tmp}/@{rand6}.tmp r, owner @{tmp}/@{rand8}.txt w, owner @{tmp}/* w, # file downloads (to anywhere) - owner @{tmp}/Mozilla@{uuid}-cachePurge-??????????????? rwk, + owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk, owner @{tmp}/mozilla* rw, owner @{tmp}/mozilla*/ rw, owner @{tmp}/mozilla*/* rwk, - owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk, - owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k, - owner @{tmp}/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw, - owner @{tmp}/Mozillato-be-removed-cachePurge-??????????????? rwk, + owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk, + owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k, + owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, + owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk, # Silencer deny @{lib_dirs}/** w, 
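Review bot: `owner @{run}/user/@{uid}/iceauth_@{rand6} r,` is added verbatim here and again in akonadi_control, polkit-kde-authentication-agent, pulseaudio, DiscoverNotifier, gmenudbusmenuproxy, kalendarac, konsole, kwalletd, plasmashell and xembedsniproxy, with ksmserver getting the matching create/link rules. Eleven copies of the same line invite drift the next time the path changes; since this is the ICE authority file and sits next to the `xauth_@{rand6}` rules several of these profiles already carry, it belongs in whichever shared abstraction already grants X authority access (I cannot see the abstraction names in this copy, so confirm which one). If a shared abstraction is not an option, at least a comment on one of the copies, `# ICE authority cookie for the X session`, would record why so many unrelated daemons read it.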
diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index d23d94bb8..b4202ed0d 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -10,8 +10,8 @@ include profile firefox-kmozillahelper @{exec_path} { include include - include include + include include include include diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index dc4ded9cd..1c5f8cd30 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -16,6 +16,12 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include include + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + signal (receive) set=(term hup kill) peer=dbus-session, signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, @@ -50,6 +56,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.Xauthority r, + owner @{tmp}/xauth_@{rand6} r, + @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index f001c27b7..e63d51eaa 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -66,6 +66,7 @@ profile dbus-system flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/environ r, @{PROC}/@{pid}/mounts r, + @{PROC}/@{pid}/oom_score_adj r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index a1a04dfa3..3636138c0 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron 
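Review bot: The dbus-accessibility hunk grants `network inet dgram`, `network inet stream`, `network inet6 dgram`, `network inet6 stream` and `network netlink raw` to the accessibility bus daemon with no comment saying which denial triggered it. A session bus normally only talks over unix sockets, so giving it the ability to open arbitrary IPv4/IPv6 connections is a real widening of what a compromised a11y bus could do; if the observed denial came from a single family (e.g. only `netlink raw`, or only a resolver lookup), the block should be narrowed to that. Please add a comment above the block such as `# <distro>: needed for <observed denial: TODO>` so the grant can be revisited. The profile block continues outside the hunk.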
@@ -57,9 +57,10 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - owner @{PROC}/@{pid}/uid_map r, - owner @{PROC}/@{pid}/loginuid rw, + @{PROC}/@{pid}/fd/ r, @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid rw, + owner @{PROC}/@{pid}/uid_map r, /dev/tty rw, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 6278d2ac7..522d4ad58 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -18,9 +18,9 @@ profile xdm-xsession @{exec_path} { @{shells_path} rix, - @{bin}/checkproc rix, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/checkproc rix, @{bin}/dirname rix, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, @@ -28,8 +28,10 @@ profile xdm-xsession @{exec_path} { @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, + @{bin}/realpath rix @{bin}/sed rix, @{bin}/ssh-agent rix, + @{bin}/tput rix @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, @@ -56,6 +58,7 @@ profile xdm-xsession @{exec_path} { /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/mc/mc.sh r, + /usr/share/terminfo/{,**} r, @{etc_ro}/X11/xdm/scripts/{,*} r, @{etc_ro}/X11/xim r, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 7754ee09f..f8a9700f5 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -46,6 +46,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, # owner /tmp/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/shm/#@{int} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 0bb878ab6..5fc356133 100644 
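Review bot: In the xdm-xsession hunk at `@@ -28,8 +28,10 @@`, the two added lines `@{bin}/realpath rix` and `@{bin}/tput rix` are missing the trailing comma that every neighbouring rule has, so the profile will fail to parse. They should read `@{bin}/realpath rix,` and `@{bin}/tput rix,`. The profile block continues outside the hunk.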
--- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -84,12 +84,14 @@ profile pulseaudio @{exec_path} { owner @{desktop_config_dirs}/pulse/{,**} rw, owner @{desktop_config_dirs}/pulse/cookie k, + owner @{HOME}/.pulse/{,**} rw, owner @{user_config_dirs}/ w, owner @{user_config_dirs}/pulse/{,**} rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, owner @{run}/user/@{uid}/ rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/** rwk, owner @{run}/user/@{uid}/systemd/notify rw, diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index ae8f90ed5..1e257cfc0 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -20,6 +20,7 @@ profile gpg-connect-agent @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + owner @{run}/user/@{uid}/gnupg/ w, owner @{run}/user/@{uid}/gnupg/d.*/ rw, owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid} rw, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index db870bd82..227f4e062 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -40,6 +40,7 @@ profile DiscoverNotifier @{exec_path} { /var/lib/flatpak/{,**} r, /var/cache/swcatalog/cache/ w, + /var/cache/swcatalog/xml/{,**} r, owner @{user_cache_dirs}/appstream/ r, owner @{user_cache_dirs}/appstream/** rw, @@ -58,6 +59,8 @@ profile DiscoverNotifier @{exec_path} { owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw, owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/tty r, profile gpg { diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index c1a63931e..d1e48f849 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy 
@@ -25,6 +25,8 @@ profile gmenudbusmenuproxy @{exec_path} { owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + include if exists } diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index daf880cf9..471812c7c 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -9,7 +9,7 @@ include @{exec_path} = @{bin}/kalendarac profile kalendarac @{exec_path} { include - include + include include include include @@ -36,6 +36,8 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 960747c21..09ebb0d7c 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -36,6 +36,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{HOME}/ r, + owner @{user_cache_dirs}/ddcutil/* r, owner @{user_cache_dirs}/kcrash-metadata/{,*} rw, owner @{user_config_dirs}/#@{int} rw, @@ -63,7 +64,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/ r, @{sys}/devices/i2c-@{int}/name r, @{sys}/devices/platform/**/i2c-@{int}/**/name r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index e0cc7f5b3..422fc103c 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
@@ -59,7 +59,7 @@ profile kded @{exec_path} { @{bin}/xsettingsd rPx, @{lib}/drkonqi rPx, - #aa:exec utempter + @{lib}/{,@{multiarch}/}utempter/utempter rPx, #aa:exec kconf_update /usr/share/color-schemes/{,**} r, @@ -123,8 +123,7 @@ profile kded @{exec_path} { owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/networkmanagement.notifyrc r, - owner @{user_config_dirs}/plasma-nm r, - owner @{user_config_dirs}/plasma-welcomerc r, + owner @{user_config_dirs}/plasma* r, owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, @@ -151,6 +150,8 @@ profile kded @{exec_path} { owner @{tmp}/kded6.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/plasma-csd-generator.@{rand6}/{,**} rw, + @{sys}/class/leds/ r, + @{PROC}/ r, @{PROC}/@{pids}/cmdline/ r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 1995838c1..f71f9734c 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -19,6 +19,7 @@ profile kglobalacceld @{exec_path} { /etc/machine-id r, /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, owner @{user_cache_dirs}/ksycoca{5,6}_* rw, @@ -29,6 +30,8 @@ profile kglobalacceld @{exec_path} { owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, + @{PROC}/sys/kernel/random/boot_id r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index 7462d6c5b..5b6c7184a 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -13,6 +13,7 @@ profile kiod @{exec_path} { include include include + include network netlink raw, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 054731148..3151156a7 100644 --- a/apparmor.d/groups/kde/konsole 
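Review bot: The kded hunk replaces the `#aa:exec utempter` directive with a hand-written `@{lib}/{,@{multiarch}/}utempter/utempter rPx,`, and the konsole hunk in the same commit does the same. The directive presumably derives the exec rule from the utempter profile's own `@{exec_path}`, so hard-coding the path in two callers means a future change to that profile no longer propagates; if the directive was dropped because the generated path did not match on openSUSE, the better fix is to extend `@{exec_path}` in the utempter profile and keep the directive. If there is a reason the directive cannot be used here, a comment on the line, `# explicit path: #aa:exec does not resolve on <distro: TODO>`, would stop someone from reverting it. The profile block continues outside the hunk.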
+++ b/apparmor.d/groups/kde/konsole @@ -26,7 +26,9 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/@{shells} rUx, @{browsers_path} rPx, - #aa:exec utempter + @{lib}/libheif/ r, + @{lib}/libheif/** mr, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, /usr/share/color-schemes/{,**} r, /usr/share/kf6/{,**} r, @@ -47,12 +49,15 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/kbookmarkrc r, + owner @{user_config_dirs}/konsole.notifyrc r, owner @{user_config_dirs}/konsolerc{,*} rwlk, owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/konsolesshconfig.lock rwk, owner @{user_config_dirs}/kservicemenurc r, owner @{user_config_dirs}/menus/{,**} r, + owner @{user_config_dirs}/session/** rwlk, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/konsole/ rw, @@ -62,6 +67,8 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 1884414a9..bd1666a06 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/plasmarc r, + owner @{user_config_dirs}/plasmashellrc r, # If one is blocked, the others are probed. deny owner @{HOME}/#@{int} mrw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index b7e1858da..858bc4b9a 100644 
--- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -52,6 +52,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/ksmserverrc rw, owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, @@ -62,6 +63,12 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/kservices{5,6}/ r, owner @{user_share_dirs}/kservices{5,6}/ServiceMenus/ r, + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} wl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/iceauth_@{rand6}-c w, + owner @{run}/user/@{uid}/iceauth_@{rand6}-l wl -> @{run}/user/@{uid}/iceauth_@{rand6}-c, + owner @{run}/user/@{uid}/iceauth_@{rand6}-n rw, + owner @{tmp}/@{rand6} rw, @{run}/systemd/inhibit/[0-9]*.ref rw, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 5005dde31..2b2545b33 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -43,6 +43,8 @@ profile kwalletd @{exec_path} { owner @{tmp}/kwalletd5.* rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index c987a4759..432c49ac3 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -10,6 +10,7 @@ include profile plasma_waitforname @{exec_path} { include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 9a21b9dff..fe79dccd7 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
@@ -178,6 +178,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/kdesud_:@{int} w, owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @@ -187,9 +188,13 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{sys}/devices/platform/** r, @{sys}/devices/@{pci}/name r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{sys}/devices/virtual/thermal/**/{name,type} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{PROC}/ r, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index f249d911e..dba650f2c 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -49,6 +49,8 @@ profile sddm-greeter @{exec_path} { owner @{SDDM_HOME}/#@{int} mrw, owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**, + owner @{HOME}/.face.icon r, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e575f3bb2..149df7695 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -22,6 +22,7 @@ profile startplasma @{exec_path} { @{bin}/env rix, @{bin}/grep rix, @{bin}/kapplymousetheme rPUx, + @{bin}/kdeinit5_shutdown rPUx, @{bin}/ksplashqml rPUx, @{bin}/plasma_session rPx, @{bin}/xrdb rPx, 
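Review bot: In the sddm-greeter hunk, `owner @{HOME}/.face.icon r,` is unlikely to match: the surrounding rules use `@{SDDM_HOME}` and `@{sddm_cache_dirs}` for the greeter's own files, which suggests the process runs as the sddm user, while `@{HOME}/.face.icon` is the avatar in each login user's home and is owned by that user, so the `owner` qualifier will reject it. If the intent is to show user avatars on the login screen the rule should be `@{HOME}/.face.icon r,` without `owner`; if the greeter really does run as the user, please confirm that in a comment. The profile block continues outside the hunk.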
diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index a4474a64a..57e32b960 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -20,6 +20,8 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer index ea2842a74..8a625b547 100644 --- a/apparmor.d/profiles-a-f/amixer +++ b/apparmor.d/profiles-a-f/amixer @@ -10,7 +10,7 @@ include @{exec_path} = @{bin}/amixer profile amixer @{exec_path} { include - include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 6dcd5cbb8..819cd234e 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -24,7 +24,7 @@ profile dmesg @{exec_path} { /usr/share/terminfo/** r, - owner @{PROC}/sys/kernel/pid_max r, + @{PROC}/sys/kernel/pid_max r, /dev/kmsg r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index ba37f7bcc..2c0eb2fac 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -43,6 +43,7 @@ profile git @{exec_path} flags=(attach_disconnected) { # These are needed for "git submodule update" @{sh_path} rix, @{bin}/{,e}grep rix, + @{bin}/alts rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/date rix, @@ -78,6 +79,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/vim.* rCx -> editor, /usr/share/git{,-core}/{,**} r, + /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, /etc/gitconfig r, 
@@ -139,14 +141,15 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/ssh mr, - /etc/ssh/ssh_config.d/{,*} r, - /etc/ssh/ssh_config r, + @{etc_ro}/ssh/ssh_config.d/{,*} r, + @{etc_ro}/ssh/ssh_config r, owner @{HOME}/@{XDG_SSH_DIR}/* r, - owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, owner @{HOME}/@{XDG_SSH_DIR}/known_hosts.old rwl, + owner @{HOME}/@{XDG_SSH_DIR}/known_hosts{,.*} rw, + owner @{HOME}/@{XDG_SSH_DIR}/ssh_control_* rwl, - owner @{tmp}/git@*:@{int} rwl -> /tmp/git@*:@{int}.*, + owner @{tmp}/git@*:@{int} rwl -> @{tmp}/git@*:@{int}.*, owner @{tmp}/ssh-*/agent.@{int} rw, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 00600b72b..57de7cab8 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -21,6 +21,7 @@ profile issue-generator @{exec_path} { @{bin}/sort rix, /etc/issue.d/{,**} r, + /etc/sysconfig/issue-generator r, @{run}/issue r, @{run}/issue.@{rand10} rw, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 947350b8a..1763bd96f 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt 
@@ -10,40 +10,23 @@ include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include - include include - include - include - include - include + include + include include include - include - include - include @{exec_path} mr, - /usr/share/hwdata/pnp.ids r, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /var/lib/dbus/machine-id r, /etc/machine-id r, - /etc/xdg/kdeglobals r, - /etc/xdg/kwinrc r, + /var/lib/dbus/machine-id r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwinrc r, - owner @{tmp}/xauth_@{rand6} r, owner /dev/shm/#@{int} rw, - @{sys}/devices/system/node/ r, - @{sys}/devices/system/node/node@{int}/meminfo r, - owner @{PROC}/@{pid}/cmdline r, include if exists diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c23a8d956..110c562e2 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -39,7 +39,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}=".local/bin" +@{XDG_BIN_DIR}="bin" ".bin" ".local/bin" @{XDG_LIB_DIR}=".local/lib" # Full path of the user configuration directories diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index f2e7c2563..1b4206dad 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -35,6 +35,7 @@ @{hex8}=@{hex4}@{hex4} @{hex9}=@{hex8}@{h} @{hex10}=@{hex8}@{hex2} +@{hex15}=@{hex8}@{hex4}@{hex2}@{h} @{hex16}=@{hex8}@{hex8} @{hex32}=@{hex16}@{hex16} @{hex38}=@{hex32}@{hex6} From 4f4e37387787d45c484a897c04bda405bed9f693 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 20 Aug 2024 19:07:56 +0100 Subject: [PATCH 010/315] chore: make go vet happy. --- cmd/aa/main.go | 4 ++-- cmd/prebuild/main.go | 2 +- pkg/logging/logging.go | 12 ++++++------ pkg/logging/logging_test.go | 22 +++++++++++----------- tests/cmd/main.go | 2 +- tests/integration/scenario.go | 4 ++-- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 8fa7cce66..ec64e8cfd 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -199,7 +199,7 @@ func main() { case format: files, err = pathsFromArgs() if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } err = aaFormat(files) case tree: @@ -207,6 +207,6 @@ func main() { } if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index c39d4cbbd..d909cc818 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -91,6 +91,6 @@ func main() { os.Exit(0) } if err := aaPrebuild(); err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/pkg/logging/logging.go b/pkg/logging/logging.go index e6c91ac93..7f5af2e08 100644 --- a/pkg/logging/logging.go +++ b/pkg/logging/logging.go @@ -37,7 +37,7 @@ func Print(msg string, a ...interface{}) int { // Println prints a formatted message. Arguments are handled in the manner of fmt.Println. func Println(msg string) int { - n, _ := fmt.Fprintf(os.Stdout, msg+"\n") + n, _ := fmt.Fprintf(os.Stdout, "%s\n", msg) return n } @@ -48,7 +48,7 @@ func Bulletf(msg string, a ...interface{}) string { // Bullet prints a formatted bullet point string func Bullet(msg string, a ...interface{}) int { - return Print(Bulletf(msg, a...)) + return Print("%s", Bulletf(msg, a...)) } // Stepf returns a formatted step string 
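Review bot: `logging.Fatal("%s", err.Error())` satisfies go vet but converts the error to a string by hand; `logging.Fatal("%v", err)` does the same with less noise and matches the `logging.Error("%v", cmdErr)` form that tests/integration/scenario.go already uses in the last hunk of this patch. The same pattern appears in the @@ -207 hunk of this file, in cmd/prebuild/main.go and in tests/cmd/main.go. The enclosing `main` starts above the hunk and continues past it.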
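Review bot: `fmt.Fprintf(os.Stdout, "%s\n", msg)` in `Println` is the vet-clean form, but since the doc comment promises fmt.Println semantics, `n, _ := fmt.Fprintln(os.Stdout, msg)` says the same thing without a format string at all. The discarded write error predates this change and is left as is.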
@@ -58,7 +58,7 @@ func Stepf(msg string, a ...interface{}) string { // Step prints a step title func Step(msg string, a ...interface{}) int { - return Print(Stepf(msg, a...)) + return Print("%s", Stepf(msg, a...)) } // Successf returns a formatted success string @@ -68,7 +68,7 @@ func Successf(msg string, a ...interface{}) string { // Success prints a formatted success message to stdout func Success(msg string, a ...interface{}) int { - return Print(Successf(msg, a...)) + return Print("%s", Successf(msg, a...)) } // Warningf returns a formatted warning string @@ -78,12 +78,12 @@ func Warningf(msg string, a ...interface{}) string { // Warning prints a formatted warning message to stdout func Warning(msg string, a ...interface{}) int { - return Print(Warningf(msg, a...)) + return Print("%s", Warningf(msg, a...)) } // Fatalf returns a formatted error message func Error(msg string, a ...interface{}) int { - return Print(fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) + return Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))) } // Fatalf returns a formatted error message diff --git a/pkg/logging/logging_test.go b/pkg/logging/logging_test.go index ebfe48afd..eb912595e 100644 --- a/pkg/logging/logging_test.go +++ b/pkg/logging/logging_test.go @@ -10,7 +10,7 @@ func TestPrint(t *testing.T) { msg := "Print message" wantN := 13 - gotN := Print(msg) + gotN := Print("%s", msg) if gotN != wantN { t.Errorf("Print() = %v, want %v", gotN, wantN) } @@ -28,7 +28,7 @@ func TestPrintln(t *testing.T) { func TestBulletf(t *testing.T) { msg := "Bullet message" want := "\033[1m ⋅ \033[0mBullet message\n" - if got := Bulletf(msg); got != want { + if got := Bulletf("%s", msg); got != want { t.Errorf("Bulletf() = %v, want %v", got, want) } } 
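Review bot: The doc comment above `Error` still reads `// Fatalf returns a formatted error message`, which names the wrong function and the wrong behaviour (Error prints and returns the byte count from Print); `// Error prints a formatted error message to stdout` would match the Warning comment two lines above it. The new body also formats twice: `Print("%s", fmt.Sprintf("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...)))` can be `Print("%s%s%s\n", Indent, errorText, fmt.Sprintf(msg, a...))`, since Print is itself printf-style and the inner Sprintf result is passed as an argument rather than re-interpreted. The same `// Fatalf returns` comment also sits on the real Fatalf just below the hunk, so only the copy above Error is wrong.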
@@ -36,7 +36,7 @@ func TestBulletf(t *testing.T) { func TestBullet(t *testing.T) { msg := "Bullet message" wantN := 28 - gotN := Bullet(msg) + gotN := Bullet("%s", msg) if gotN != wantN { t.Errorf("Bullet() = %v, want %v", gotN, wantN) } @@ -45,7 +45,7 @@ func TestBullet(t *testing.T) { func TestStepf(t *testing.T) { msg := "Step message" want := "\033[1;32mStep message\033[0m\n" - if got := Stepf(msg); got != want { + if got := Stepf("%s", msg); got != want { t.Errorf("Stepf() = %v, want %v", got, want) } } @@ -53,7 +53,7 @@ func TestStepf(t *testing.T) { func TestStep(t *testing.T) { msg := "Step message" wantN := 24 - gotN := Step(msg) + gotN := Step("%s", msg) if gotN != wantN { t.Errorf("Step() = %v, want %v", gotN, wantN) } @@ -62,7 +62,7 @@ func TestStep(t *testing.T) { func TestSuccessf(t *testing.T) { msg := "Success message" want := "\033[1;32m ✓ \033[0mSuccess message\n" - if got := Successf(msg); got != want { + if got := Successf("%s", msg); got != want { t.Errorf("Successf() = %v, want %v", got, want) } } @@ -70,7 +70,7 @@ func TestSuccessf(t *testing.T) { func TestSuccess(t *testing.T) { msg := "Success message" wantN := 32 - gotN := Success(msg) + gotN := Success("%s", msg) if gotN != wantN { t.Errorf("Success() = %v, want %v", gotN, wantN) } @@ -79,7 +79,7 @@ func TestSuccess(t *testing.T) { func TestWarningf(t *testing.T) { msg := "Warning message" want := "\033[1;33m ‼ \033[0mWarning message\n" - if got := Warningf(msg); got != want { + if got := Warningf("%s", msg); got != want { t.Errorf("Warningf() = %v, want %v", got, want) } } @@ -87,7 +87,7 @@ func TestWarningf(t *testing.T) { func TestWarning(t *testing.T) { msg := "Warning message" wantN := 32 - gotN := Warning(msg) + gotN := Warning("%s", msg) if gotN != wantN { t.Errorf("Warning() = %v, want %v", gotN, wantN) } 
@@ -96,7 +96,7 @@ func TestWarning(t *testing.T) { func TestError(t *testing.T) { msg := "Error message" wantN := 30 - gotN := Error(msg) + gotN := Error("%s", msg) if gotN != wantN { t.Errorf("Error() = %v, want %v", gotN, wantN) } @@ -105,7 +105,7 @@ func TestError(t *testing.T) { func TestFatalf(t *testing.T) { msg := "Error message" want := "\033[1;31m ✗ Error: \033[0mError message\n" - if got := Fatalf(msg); got != want { + if got := Fatalf("%s", msg); got != want { t.Errorf("Fatalf() = %v, want %v", got, want) } } diff --git a/tests/cmd/main.go b/tests/cmd/main.go index de1d27561..057994f86 100644 --- a/tests/cmd/main.go +++ b/tests/cmd/main.go @@ -197,6 +197,6 @@ func main() { os.Exit(1) } if err != nil { - logging.Fatal(err.Error()) + logging.Fatal("%s", err.Error()) } } diff --git a/tests/integration/scenario.go b/tests/integration/scenario.go index 53758fb42..94e9a728f 100644 --- a/tests/integration/scenario.go +++ b/tests/integration/scenario.go @@ -102,13 +102,13 @@ func (t *Test) Run(dryRun bool) (ran int, nb int, err error) { if !strings.Contains(cmd, "{{") { nb++ if dryRun { - logging.Bullet(cmd) + logging.Bullet("%s", cmd) } else { cmdErr := t.run(cmd, strings.Join(test.Stdin, "\n")) if cmdErr != nil { logging.Error("%v", cmdErr) } else { - logging.Success(cmd) + logging.Success("%s", cmd) } } } From dc8cc1eb09be90abf3559ddb94a70d34a4545248 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 Aug 2024 19:09:19 +0100 Subject: [PATCH 011/315] fix: compilation issue. --- apparmor.d/groups/display-manager/xdm-xsession | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 522d4ad58..6d6bcddff 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession 
@@ -28,7 +28,7 @@ profile xdm-xsession @{exec_path} { @{bin}/locale rix, @{bin}/manpath rix, @{bin}/readlink rix, - @{bin}/realpath rix + @{bin}/realpath rix, @{bin}/sed rix, @{bin}/ssh-agent rix, @{bin}/tput rix From fb6e718b9872aa0e258cc76afd8ecad67b867f52 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 Aug 2024 19:29:43 +0100 Subject: [PATCH 012/315] feat(profile): gdm-session-worker: initial support for fscrypt. fix #430 --- apparmor.d/groups/gnome/gdm-session-worker | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index c5b220145..92744652b 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -77,6 +77,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, /etc/default/locale r, + /etc/fscrypt.conf r, /etc/gdm{3,}/custom.conf r, /etc/gdm{3,}/daemon.conf r, /etc/locale.conf r, @@ -93,7 +94,14 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { /var/lib/wtmpdb/ r, /var/lib/wtmpdb/* rwk, + /.fscrypt/policies/ r, + /.fscrypt/protectors/ r, + owner /.fscrypt/protectors/@{hex16} r, + + /home/ r, owner @{HOME}/.pam_environment r, + owner @{HOME}/policies/@{hex32} r, + owner @{HOME}/protectors/@{hex16}.link r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, @@ -106,12 +114,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { @{run}/cockpit/active.motd r, @{run}/faillock/@{user} rwk, + @{run}/fscrypt/ rw, + @{run}/fscrypt/@{uid}.count rwk, @{run}/motd.d/{,*} r, @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, + @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pids}/cgroup r, @{PROC}/1/limits r, @{PROC}/keys r, From e74fade49a07d45534f7bc127cee1607c18cbb65 Mon Sep 17 00:00:00 2001 
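Review bot: `owner @{HOME}/policies/@{hex32} r,` and `owner @{HOME}/protectors/@{hex16}.link r,` presumably target fscrypt's per-mount metadata on a `/home` mount, i.e. `/home/.fscrypt/policies/...`, and only reach it because the `*` component of `@{HOME}` (if it expands to `@{HOMEDIRS}/*/` as in the upstream tunables) also matches the hidden `.fscrypt` directory. Written that way the rules also grant read on a `policies/` and `protectors/` directory under every real user home, and they no longer mirror the explicit `/.fscrypt/policies/ r,` lines added a few rules above. `/home/.fscrypt/policies/@{hex32} r,` and `/home/.fscrypt/protectors/@{hex16}.link r,` (plus the two directory listings) would say exactly what is meant; if `@{HOME}` was chosen because home is not always under `/home`, a comment saying so would help. The gdm-session-worker profile starts and ends outside the hunk.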
From: Alexandre Pujol Date: Tue, 20 Aug 2024 19:54:54 +0100 Subject: [PATCH 013/315] fix: compilation issue 2/2 revert adding `bin` to XDG_BIN_DIR due to undetected conflicting x modifiers. See #424 --- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/tunables/home.d/apparmor.d | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 6d6bcddff..962a97c3b 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -31,7 +31,7 @@ profile xdm-xsession @{exec_path} { @{bin}/realpath rix, @{bin}/sed rix, @{bin}/ssh-agent rix, - @{bin}/tput rix + @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rix, diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index 110c562e2..c23a8d956 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -39,7 +39,7 @@ @{XDG_CONFIG_DIR}=".config" @{XDG_DATA_DIR}=".local/share" @{XDG_STATE_DIR}=".local/state" -@{XDG_BIN_DIR}="bin" ".bin" ".local/bin" +@{XDG_BIN_DIR}=".local/bin" @{XDG_LIB_DIR}=".local/lib" # Full path of the user configuration directories From f14ed2f024a52eccf073cb44e741cee4bc5e3864 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 Aug 2024 20:13:00 +0100 Subject: [PATCH 014/315] feat(profile): rewrite the dino profile. see #426 --- apparmor.d/profiles-a-f/{dino-im => dino} | 39 +++++++++++------------ dists/flags/main.flags | 1 + 2 files changed, 20 insertions(+), 20 deletions(-) rename apparmor.d/profiles-a-f/{dino-im => dino} (51%) diff --git a/apparmor.d/profiles-a-f/dino-im b/apparmor.d/profiles-a-f/dino similarity index 51% rename from apparmor.d/profiles-a-f/dino-im rename to apparmor.d/profiles-a-f/dino index 07fba44a5..f7d057f8d 100644 --- a/apparmor.d/profiles-a-f/dino-im +++ b/apparmor.d/profiles-a-f/dino 
@@ -7,13 +7,16 @@ abi , include -@{exec_path} = @{bin}/dino-im -profile dino-im @{exec_path} { +@{exec_path} = @{bin}/dino{,-im} +profile dino @{exec_path} flags=(attach_disconnected) { include + include include include include + include include + include include network inet dgram, @@ -24,30 +27,26 @@ profile dino-im @{exec_path} { @{exec_path} mr, - # Needed for GPG/PGP support - @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgconf rCx -> gpg, - @{bin}/gpgsm rCx -> gpg, + # Not in a subprofile because of no new privs + @{bin}/gpg{,2} rix, + @{bin}/gpgconf rix, + @{bin}/gpgsm rix, + @{lib}/gnupg/keyboxd rix, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, owner @{user_share_dirs}/dino/ rw, owner @{user_share_dirs}/dino/** rwk, + owner @{run}/user/@{uid}/gnupg/ rw, + owner @{run}/user/@{uid}/gnupg/S.keyboxd rw, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, - profile gpg { - include - - @{bin}/gpg{,2} mr, - @{bin}/gpgconf mr, - @{bin}/gpgsm mr, - - owner @{HOME}/.gnupg/ rw, - owner @{HOME}/.gnupg/** rwkl -> @{HOME}/.gnupg/**, - - include if exists - } - - include if exists + include if exists } # vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 940b7b0b1..bb995d3b2 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -87,6 +87,7 @@ cups-notifier-rss complain cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain +dino attach_disconnected,complain DiscoverNotifier complain dkms attach_disconnected,complain dockerd attach_disconnected,complain From 788d86593930d16bb2979f3598fb13cc2af14df5 Mon Sep 17 00:00:00 2001 
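Review bot: Switching gpg, gpgconf, gpgsm and keyboxd from `rCx -> gpg` to `rix` means they now run with dino's own permissions, and the keyring access that used to be confined to the child profile is now granted to dino itself via `owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**`, so a network-facing chat client holds write and lock rights over its user's private keyring. The comment `# Not in a subprofile because of no new privs` explains the mechanism but not the trade-off; extending it to `# Not in a subprofile because of no new privs: dino itself gets keyring rw` documents what was accepted. It is also worth checking the audit log for whether the full `rwkl` is needed on the whole tree or only on a few files. The dino profile starts above the hunk.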
From: Alexandre Pujol Date: Tue, 20 Aug 2024 20:56:58 +0100 Subject: [PATCH 015/315] feat(profile): general update. --- apparmor.d/abstractions/app/firefox | 5 +++-- apparmor.d/abstractions/audio-client | 2 +- apparmor.d/abstractions/audio-server | 4 ---- apparmor.d/groups/browsers/firefox-glxtest | 4 ++++ apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 1 + apparmor.d/groups/gnome/gnome-clocks | 3 +++ apparmor.d/groups/gnome/gnome-software | 5 +++++ apparmor.d/groups/gnome/gnome-system-monitor | 2 ++ apparmor.d/groups/gnome/gnome-tweaks | 2 ++ apparmor.d/groups/gnome/gsd-datetime | 1 + apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/gnome/tracker-miner | 2 ++ apparmor.d/groups/gvfs/gvfsd-mtp | 2 +- apparmor.d/groups/gvfs/gvfsd-recent | 2 +- apparmor.d/groups/pacman/pacman | 3 +++ apparmor.d/groups/virt/libvirtd | 1 + apparmor.d/groups/virt/virtnodedevd | 1 + apparmor.d/groups/xfce/xfce-sensors | 2 +- apparmor.d/profiles-a-f/engrampa | 3 +-- apparmor.d/profiles-a-f/firewalld | 5 ++--- apparmor.d/profiles-a-f/flatpak-app | 1 + apparmor.d/profiles-g-l/htop | 2 +- apparmor.d/profiles-m-r/monitorix | 2 +- apparmor.d/profiles-m-r/mullvad-setup | 2 ++ apparmor.d/profiles-m-r/qnapi | 1 - apparmor.d/profiles-s-z/YACReaderLibrary | 9 +++++++++ apparmor.d/profiles-s-z/sanoid | 2 -- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/steam-game-proton | 1 + apparmor.d/profiles-s-z/steam-gameoverlayui | 3 ++- apparmor.d/profiles-s-z/syncoid | 2 -- apparmor.d/profiles-s-z/system-config-printer | 2 -- apparmor.d/profiles-s-z/waybar | 3 ++- apparmor.d/tunables/multiarch.d/system | 1 + 34 files changed, 57 insertions(+), 27 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 7895db4e9..f1443a936 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox 
@@ -69,11 +69,12 @@ /usr/share/webext/{,**} r, /usr/share/xul-ext/kwallet5/* r, + /etc/{,opensc/}opensc.conf r, /etc/@{name}/{,**} r, /etc/fstab r, + /etc/lsb-release r, /etc/mailcap r, /etc/mime.types r, - /etc/{,opensc/}opensc.conf r, /etc/sysconfig/proxy r, /etc/xdg/* r, /etc/xul-ext/kwallet5.js r, @@ -96,7 +97,7 @@ owner @{tmp}/firefox/* rwk, owner @{tmp}/Temp-@{uuid}/ rw, owner @{tmp}/Temp-@{uuid}/* rwk, - owner @{tmp}/tmp-???.xpi rw, + owner @{tmp}/tmp-*.xpi rw, owner @{tmp}/tmpaddon r, owner @{tmp}/tmpaddon-@{int} r, diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index ca4a8e16c..ceacbae9c 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -5,7 +5,7 @@ # Most programs do not need access to audio devices, audio-client only includes # configuration files to be used by client applications. - /usr/share/alsa/** r, + /usr/share/alsa/{,**} r, /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, /usr/share/pipewire/client.conf r, diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index 619ba1111..ef69d2d54 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server @@ -7,10 +7,6 @@ include - /usr/share/alsa/{,**} r, - - /etc/alsa/conf.d/{,**} r, - @{run}/udev/data/+sound:card@{int} r, # for sound card @{sys}/class/ r, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index f2526292b..995f94f8f 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -9,6 +9,7 @@ include @{name} = firefox{,.sh,-esr,-bin} @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ +@{cache_dirs} = @{user_cache_dirs}/mozilla/ @{exec_path} = @{lib_dirs}/glxtest profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { 
@@ -19,6 +20,9 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{cache_dirs}/firefox/*/startupCache/scriptCache-* r, + owner @{cache_dirs}/firefox/*/startupCache/startupCache* r, + owner @{config_dirs}/firefox/*/.parentlock rw, owner @{tmp}/@{name}/.parentlock rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 89135381c..588d4d393 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -71,6 +71,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, owner @{HOME}/ r, + owner @{HOME}/* r, owner @{HOME}/*/{,**} rw, owner @{MOUNTS}/ r, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index fbb3942f7..5ebd08e5a 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -14,8 +14,11 @@ profile gnome-clocks @{exec_path} { include include include + include include + network netlink raw, + #aa:dbus own bus=session name=org.gnome.clocks @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index b1a0bd8ac..2ebff5ddf 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
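Review bot: `network netlink raw,` is added to gnome-clocks without a comment, and the same bare rule appears in the gnome-tweaks hunk further down this patch. If it is GLib's network monitor opening a netlink route socket to watch connectivity, a tag such as `# for GNetworkMonitor` on both lines would record that; if the denial came from something else, the rule covers raw netlink sockets of any protocol and deserves a closer look. The gnome-clocks profile starts above the hunk.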
@@ -83,6 +83,11 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/ r, owner @{user_share_dirs}/flatpak/.changed w, + owner @{user_share_dirs}/flatpak/{app,runtime}/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/ r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r, + owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/gnome-software/{,**} rw, diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 126140401..8e79bd015 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -38,6 +38,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{run}/user/@{uid}/doc/ rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index 84f37da76..01518446b 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -16,6 +16,8 @@ profile gnome-tweaks @{exec_path} { include include + network netlink raw, + @{exec_path} mr, @{bin}/ r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index d25b4cdcc..d125cd13d 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -34,6 +34,7 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/geocode-glib/* r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, owner /dev/tty@{int} rw, 
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index ee2de80ce..6b2544a84 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -47,6 +47,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm w, owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/media@{int} r, diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index b037db499..a49f28b47 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -65,7 +65,9 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{gdm_share_dirs}/applications/ r, + owner /var/tmp/etilqs_@{hex15} rw, owner /var/tmp/etilqs_@{hex16} rw, + owner @{tmp}/etilqs_@{hex15} rw, owner @{tmp}/etilqs_@{hex16} rw, # Allow to search user files diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp index d8ea92d1f..a5a4c8ce2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-mtp +++ b/apparmor.d/groups/gvfs/gvfsd-mtp @@ -21,7 +21,7 @@ profile gvfsd-mtp @{exec_path} { @{exec_path} mr, - owner @{HOME}/{,**} rw, + owner @{HOME}/{,**} rw, # FIXME: ? owner @{MOUNTS}/{,**} rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index ab2ea4677..9509d3184 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -36,7 +36,7 @@ profile gvfsd-recent @{exec_path} { @{exec_path} mr, # Full access to user's data - owner @{HOME}/{,**} rw, + owner @{HOME}/{,**} rw, # FIXME: ? owner @{MOUNTS}/{,**} rw, owner @{HOME}/.zshenv r, 
diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 1f3d9ad8b..ab08d1f18 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -118,6 +118,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/** rwlk -> /var/**, # Read packages files + @{user_pkg_dirs}/ r, @{user_pkg_dirs}/**/ r, @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, @@ -193,6 +194,8 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability dac_read_search, capability sys_resource, + signal send set=cont peer=child-pager, + @{bin}/pager rPx -> child-pager, @{bin}/less rPx -> child-pager, @{bin}/more rPx -> child-pager, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 376749d9e..3fbbfc51f 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -131,6 +131,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { /usr/share/edk2*/{,**} rk, /usr/share/hwdata/* r, + /usr/share/iproute2/{,**} r, /usr/share/libvirt/{,**} r, /usr/share/mime/mime.cache r, /usr/share/misc/pci.ids r, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 50b8e4889..a39c04504 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -62,6 +62,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c21:@{int} r, # Generic SCSI access @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c81:@{int} r, # For video4linux + @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors index c2eb97c30..ae72f8dbc 100644 --- a/apparmor.d/groups/xfce/xfce-sensors +++ b/apparmor.d/groups/xfce/xfce-sensors 
@@ -16,7 +16,7 @@ profile xfce-sensors @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 78fa87937..86077c89b 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -75,8 +75,7 @@ profile engrampa @{exec_path} { owner @{user_share_dirs}/ r, - /tmp/ r, - owner @{tmp}/** rw, + /tmp/ r, @{run}/mount/utab r, diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index d32790f0b..e450c78cd 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -44,9 +44,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) { /usr/local/lib/python3.@{int}/dist-packages/ r, - /usr/share/libalternatives/ r, - /usr/share/libalternatives/ebtables*/{,*} r, - /usr/share/libalternatives/ip{,4,6}tables*/{,*} r, + /usr/share/iproute2/{,**} r, + /usr/share/libalternatives/{,**} r, /etc/firewalld/{,**} rw, /etc/iproute2/group r, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 83be5477c..87e9b443d 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -89,6 +89,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/flatpak/app/** rw, owner @{run}/flatpak/doc/** rw, owner @{run}/ld-so-cache-dir/* rw, + owner @{run}/user/ r, owner @{run}/user/@{uid}/*.kioworker.socket r, owner @{run}/user/@{uid}/#@{int} rwl, diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index d06991025..7e8faecfa 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop 
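Review bot: `owner @{run}/user/ r,` will not match on a stock system, because `/run/user/` itself is created root-owned (systemd-logind / tmpfiles) while the confined app runs as the user, so the `owner` qualifier makes the rule dead and the original denial persists. The neighbouring `@{run}/user/@{uid}/...` rules legitimately use `owner` because those entries belong to the user; the directory listing should be `@{run}/user/ r,`. The flatpak-app profile starts and ends outside the hunk.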
@@ -89,7 +89,7 @@ profile htop @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/i2c-adapter/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/{name,temp*} r, @{sys}/devices/**/hwmon@{int}/**/ r, diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix index cb220a7b6..38cbecd71 100644 --- a/apparmor.d/profiles-m-r/monitorix +++ b/apparmor.d/profiles-m-r/monitorix @@ -95,7 +95,7 @@ profile monitorix @{exec_path} { @{PROC}/@{pids}/io r, @{sys}/class/i2c-adapter/ r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/class/hwmon/ r, @{sys}/devices/**/thermal*/{,**} r, @{sys}/devices/**/hwmon*/{,**} r, diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup index db29113ce..46e10927b 100644 --- a/apparmor.d/profiles-m-r/mullvad-setup +++ b/apparmor.d/profiles-m-r/mullvad-setup @@ -9,9 +9,11 @@ include @{exec_path} = /opt/Mullvad*/resources/mullvad-setup profile mullvad-setup @{exec_path} { include + include @{exec_path} mr, + @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/cgroup r, # File Inherit diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index 911519459..e72a6a5c6 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -55,7 +55,6 @@ profile qnapi @{exec_path} { /tmp/ r, owner @{tmp}/@{hex}.* rw, - owner @{tmp}/** rw, owner @{tmp}/#@{int} rw, owner @{tmp}/QNapi-*-rc wl -> /tmp/#@{int}, owner @{tmp}/QNapi-*-rc.lock rwk, diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 418167345..5d773292d 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary 
@@ -14,11 +14,16 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted include include include + include include + include + network inet dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink dgram, + network netlink raw, @{exec_path} mr, @@ -31,6 +36,7 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{user_books_dirs}/{,**} r, owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk, + owner @{user_books_dirs}/**/None rw, owner @{user_cache_dirs}/YACReader/ rw, owner @{user_cache_dirs}/YACReader/YACReaderLibrary/ rw, @@ -43,7 +49,10 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted owner @{tmp}/@{uuid} w, + @{run}/mount/utab r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, include if exists } diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index aadad6860..755efba9b 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -27,8 +27,6 @@ profile sanoid @{exec_path} flags=(complain) { @{run}/sanoid/sanoid_cacheupdate.lock rwk, @{run}/sanoid/sanoid_pruning.lock rwk, - owner @{tmp}/** rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index 5eececb0b..18e4c135f 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -27,7 +27,7 @@ profile sensors-detect @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/class/i2c-adapter/ r, @{sys}/devices/@{pci}/{class,vendor,device} r, - @{sys}/devices/@{pci}/i2c-@{int}/name r, + @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, @{sys}/devices/@{pci}/modalias r, @{sys}/devices/virtual/dmi/id/board_{version,vendor,name} r, @{sys}/devices/virtual/dmi/id/chassis_type r, diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index 49a668996..95eec5abc 100644 
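Review bot: `owner @{user_books_dirs}/**/None rw,` reads like a rule written around an application bug (a path built from an unset value that stringifies as `None`) rather than a real file, and without a comment the next maintainer will either delete it or wonder what it protects. A tag such as `# upstream bug: path built from an unset value` would keep the intent; if the file is genuine, say what it is instead. The `network inet dgram`, `inet6 dgram` and `netlink raw` additions in the @@ -14 hunk are likewise uncommented. The YACReaderLibrary profile starts and ends outside the hunk.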
--- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -29,6 +29,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { network unix stream, signal receive peer=steam, + unix, @{exec_path} mr, @{bin}/bwrap mrix, diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index 077e6cf8b..d6680ac61 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -23,7 +23,8 @@ profile steam-gameoverlayui @{exec_path} flags=(attach_disconnected) { network inet stream, network inet6 stream, - network unix stream, + + unix, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid index c90665cdf..ba3e774e6 100644 --- a/apparmor.d/profiles-s-z/syncoid +++ b/apparmor.d/profiles-s-z/syncoid @@ -25,8 +25,6 @@ profile syncoid @{exec_path} flags=(complain) { /etc/mbuffer.rc r, - owner @{tmp}/** rw, - @{PROC}/@{pids}/maps r, include if exists diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index ab36047f2..f929adcae 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -46,8 +46,6 @@ profile system-config-printer @{exec_path} flags=(complain) { @{run}/cups/cups.sock rw, owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, - owner @{tmp}/* rw, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index d5116b043..e6cd61581 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -9,7 +9,8 @@ include @{exec_path} = @{bin}/waybar profile waybar @{exec_path} flags=(attach_disconnected) { include - include + include + include include include include 
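Review bot: Bare `unix,` grants every unix-socket operation on every address, including abstract sockets, which is far wider than the `network unix stream,` it is added next to here and replaces outright in the steam-gameoverlayui hunk just below. If the denial was for talking to the steam client, a scoped rule along the lines of `unix (send, receive, connect) peer=(label=steam),` would keep the functionality while still mediating other sockets; at minimum a comment naming the peer that needed it would help. The steam-game-proton profile starts above the hunk.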
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 1b4206dad..aaebe5ed1 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -48,6 +48,7 @@ @{rand8}=@{rand4}@{rand4} @{rand9}=@{rand8}@{c} @{rand10}=@{rand8}@{rand2} +@{rand15}=@{rand8}@{rand4}@{rand2}@{c} @{rand16}=@{rand8}@{rand8} @{rand32}=@{rand16}@{rand16} @{rand64}=@{rand64}@{rand64} From 50831a2fc88e0943eb6ebfb210589716d80592af Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 20 Aug 2024 21:06:34 +0100 Subject: [PATCH 016/315] feat(abs): split steam-game abstraction to game and steam-game abstractions. --- apparmor.d/abstractions/common/game | 112 ++++++++++++++++++++++ apparmor.d/abstractions/common/steam-game | 94 +----------------- docs/development/abstractions.md | 9 ++ 3 files changed, 122 insertions(+), 93 deletions(-) create mode 100644 apparmor.d/abstractions/common/game diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game new file mode 100644 index 000000000..a3619b164 --- /dev/null +++ b/apparmor.d/abstractions/common/game 
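Review bot: The context line `@{rand64}=@{rand64}@{rand64}` three lines below the added `@{rand15}` defines the variable in terms of itself, which cannot expand and breaks the doubling pattern of the entries above it; it presumably should read `@{rand64}=@{rand32}@{rand32}`, mirroring `@{rand32}=@{rand16}@{rand16}`. The new `@{rand15}=@{rand8}@{rand4}@{rand2}@{c}` itself is consistent with the `@{hex15}` added earlier in the series.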
@@ -0,0 +1,112 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Core set of resources for any games on Linux. Runtimes such as sandboxing, +# wine, proton, game launchers should use this abstraction. + +# This abstraction use the following tunables: +# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories +# (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") +# - @{user_games_dirs} for user specific game directories (eg: steam storage dir) + + include + include + include + include + include + include + include + + @{bin}/uname rix, + @{bin}/xdg-settings rPx, + @{browsers_path} rPx, + + @{bin}/env r, + + @{lib}/ r, + / r, + /home/ r, + /usr/ r, + /usr/local/ r, + /usr/local/lib/ r, + + /etc/machine-id r, + /var/lib/dbus/machine-id r, + + owner @{HOME}/ r, + + owner @{user_games_dirs}/ r, + owner @{user_games_dirs}/*/ r, + owner @{user_games_dirs}/*/{,**} rwkl, + + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + + @{tmp}/ r, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, + owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, + owner @{tmp}/#@{int} rw, + owner @{tmp}/CASESENSITIVETEST@{hex32} rw, + owner @{tmp}/crashes/ rw, + owner @{tmp}/crashes/** rwk, + owner @{tmp}/miles_image_@{rand6} mrw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + + owner /dev/shm/mono.@{int} rw, + owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, + + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/input/ r, + @{sys}/devices/ r, + @{sys}/devices/@{pci}/boot_vga r, + @{sys}/devices/@{pci}/net/*/carrier r, + 
@{sys}/devices/**/input@{int}/ r, + @{sys}/devices/**/input@{int}/**/{vendor,product} r, + @{sys}/devices/**/input@{int}/capabilities/* r, + @{sys}/devices/**/input/input@{int}/ r, + @{sys}/devices/**/uevent r, + @{sys}/devices/system/ r, + @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, + @{sys}/devices/system/cpu/cpu@{int}/ r, + @{sys}/devices/virtual/dmi/id/* r, + @{sys}/devices/virtual/net/*/carrier r, + @{sys}/kernel/ r, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, + + @{PROC}/uptime r, + @{PROC}/version r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/pagemap r, + owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, + + /dev/ r, + /dev/hidraw@{int} rw, + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/tty rw, + /dev/uinput rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index c6a7aff75..4bd211f27 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game 
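Review bot: `/dev/uinput rw,` and `/dev/hidraw@{int} rw,` near the end of the new abstraction give every profile that includes `common/game` write access to virtual-input and raw HID devices, and the header describes the abstraction as a core set for any game runtime; a one-line comment on those rules naming the controller use case they serve would let later readers judge whether a given runtime actually needs them, or they could stay in the profiles that do. The rules were moved verbatim from steam-game (see the following hunks), so what is new is the wider audience rather than the rules themselves. The header comment also reads better as `# This abstraction uses the following tunables:`.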
@@ -2,45 +2,13 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - include - include - include - include - include - include - include - - @{bin}/uname rix, - @{bin}/xdg-settings rPx, - @{browsers_path} rPx, - - @{bin}/env r, + include @{lib_dirs}/ r, - @{lib}/ r, - / r, - /home/ r, - /usr/ r, - /usr/local/ r, - /usr/local/lib/ r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{HOME}/ r, owner @{HOME}/.steam/steam.pid r, owner @{HOME}/.steam/steam.pipe r, - owner @{user_games_dirs}/ r, - owner @{user_games_dirs}/*/ r, - owner @{user_games_dirs}/*/{,**} rwkl, - - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{app_dirs}/ r, owner @{app_dirs}/[^S]*/** rwlk, # No access to "SteamLinuxRuntime_sniper" @@ -56,19 +24,6 @@ owner @{share_dirs}/steamapps/appmanifest_* rw, owner @{share_dirs}/steamapps/shadercache/{,**} rwk, - @{tmp}/ r, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, - owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, - owner @{tmp}/#@{int} rw, - owner @{tmp}/CASESENSITIVETEST@{hex32} rw, - owner @{tmp}/crashes/ rw, - owner @{tmp}/crashes/** rwk, - owner @{tmp}/miles_image_@{rand6} mrw, - owner @{tmp}/runtime-info.txt.@{rand6} rw, - owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, - - owner /dev/shm/mono.@{int} rw, - owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, 
@@ -76,53 +31,6 @@ owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner /dev/shm/ValveIPCSHM_@{uid} rw, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - - @{sys}/ r, - @{sys}/bus/ r, - @{sys}/class/ r, - @{sys}/class/hidraw/ r, - @{sys}/class/input/ r, - @{sys}/devices/ r, - @{sys}/devices/@{pci}/boot_vga r, - @{sys}/devices/@{pci}/net/*/carrier r, - @{sys}/devices/**/input@{int}/ r, - @{sys}/devices/**/input@{int}/**/{vendor,product} r, - @{sys}/devices/**/input@{int}/capabilities/* r, - @{sys}/devices/**/input/input@{int}/ r, - @{sys}/devices/**/uevent r, - @{sys}/devices/system/ r, - @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r, - @{sys}/devices/system/cpu/cpu@{int}/ r, - @{sys}/devices/virtual/dmi/id/* r, - @{sys}/devices/virtual/net/*/carrier r, - @{sys}/kernel/ r, - - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - - @{PROC}/uptime r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/pagemap r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - - /dev/ r, - /dev/hidraw@{int} rw, - /dev/input/ r, - /dev/input/event@{int} rw, - /dev/tty rw, - /dev/uinput rw, - include if exists # vim:syntax=apparmor diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 82c7f4b04..1e075e66c 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md 
@@ -122,6 +122,15 @@ A minimal set of rules for all electron based UI applications. It works as a *fu @{cache_dirs} = @{user_cache_dirs}/@{name} ``` +### **`common/game`** + +Core set of resources for any games on Linux. Runtimes such as sandboxing, wine, proton, game launchers should use this abstraction. + +This abstraction uses the following tunables: + +- `@{XDG_GAMESSTUDIO_DIR}` for game studio and game engines specific directories (Default: `@{XDG_GAMESSTUDIO_DIR}="unity3d"`) +- `@{user_games_dirs}` for user specific game directories (e.g.: steam storage dir) + ### **`common/systemd`** Common set of rules for internal systemd suite. From 03639c56bc879a71988123ba3dfa76699eb9edc9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 21 Aug 2024 10:01:36 +0100 Subject: [PATCH 017/315] fix(profile): add graphics to dino. See #426 --- apparmor.d/profiles-a-f/dino | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/dino b/apparmor.d/profiles-a-f/dino index f7d057f8d..dad921850 100644 --- a/apparmor.d/profiles-a-f/dino +++ b/apparmor.d/profiles-a-f/dino @@ -14,6 +14,7 @@ profile dino @{exec_path} flags=(attach_disconnected) { include include include + include include include include From 006ed3f681783dda476ede44101ed4bf39db96ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 21 Aug 2024 10:10:28 +0100 Subject: [PATCH 018/315] fix(profile): fscrypt works on a specific homedir. fix #430 --- apparmor.d/groups/gnome/gdm-session-worker | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 92744652b..f50e30311 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker 
@@ -99,9 +99,11 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner /.fscrypt/protectors/@{hex16} r, /home/ r, + /home/.fscrypt/policies/ r, + owner /home/.fscrypt/policies/@{hex32} r, + owner /home/.fscrypt/protectors/@{hex16}.link r, + owner @{HOME}/.pam_environment r, - owner @{HOME}/policies/@{hex32} r, - owner @{HOME}/protectors/@{hex16}.link r, @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, From 6b822d01341568d3648ae1bc2b35523efd317392 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 21 Aug 2024 10:26:12 +0100 Subject: [PATCH 019/315] feat(profile): add veracrypt. --- apparmor.d/profiles-s-z/veracrypt | 96 +++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 97 insertions(+) create mode 100644 apparmor.d/profiles-s-z/veracrypt diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt new file mode 100644 index 000000000..148d28957 --- /dev/null +++ b/apparmor.d/profiles-s-z/veracrypt 
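Review bot: The new rules grant the `/home/.fscrypt/policies/` directory and the files under it, but there is no matching directory rule for `/home/.fscrypt/protectors/`, only for the `@{hex16}.link` file inside it, so listing that directory would still be denied; adding `/home/.fscrypt/protectors/ r,` next to the policies line keeps the two halves symmetric. The `/home/` prefix is literal, so this only covers fscrypt metadata when the home filesystem is mounted at `/home`, which appears to be what the commit message intends. The gdm-session-worker profile block continues outside the hunk.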
@@ -0,0 +1,96 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/veracrypt +profile veracrypt @{exec_path} { + include + include + include + include + include + include + include + include + + capability chown, + capability dac_read_search, + capability fsetid, + capability sys_admin, + capability sys_ptrace, + + mount fstype=fuse.veracrypt options=(rw nodev nosuid) veracrypt -> /tmp/.veracrypt_*/, + + @{exec_path} mrix, + + @{sh_path} rix, + @{open_path} rPx -> child-open-help, + @{bin}/dmsetup rPx, + @{bin}/grep rix, + @{bin}/kmod rix, + @{bin}/ldconfig rix, + @{bin}/losetup rCx -> losetup, + @{bin}/mount rPx, + @{bin}/sudo rix, + @{bin}/umount rCx -> umount, + @{bin}/wc rix, + @{file_explorers_path} rPx, + + /home/ r, + + # Mount points + @{MOUNTS}/ rw, + @{MOUNTS}/*/ rw, + + owner @{HOME}/ r, + owner @{HOME}/.VeraCrypt-lock-@{user} rwk, + + owner @{user_config_dirs}/VeraCrypt/ rw, + owner @{user_config_dirs}/VeraCrypt/** rwk, + + /tmp/.veracrypt_*/ rw, + /tmp/.veracrypt_*/** rwk, + + @{sys}/module/compression r, + @{sys}/module/dm_mod/initstate r, + + @{PROC}/partitions r, + owner @{PROC}/@{pid}/mounts r, + + /dev/fuse rw, + /dev/tty rw, + + profile umount { + include + + capability sys_admin, + + umount /tmp/.veracrypt_*/, + umount @{MOUNTS}/{,*/}, + + @{bin}/umount mr, + + owner @{run}/mount/utab r, + + include if exists + } + + profile losetup { + include + include + + capability sys_rawio, + + @{bin}/losetup mr, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index bb995d3b2..f37e7f991 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
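Review bot: In the `umount` child profile, `umount @{MOUNTS}/{,*/},` lets the confined umount detach any volume under `@{MOUNTS}`, not only the mounts this profile can create through its `mount fstype=fuse.veracrypt ... -> /tmp/.veracrypt_*/` rule, and the parent's `@{MOUNTS}/*/ rw,` likewise carries no `owner` qualifier; if that reach is needed for VeraCrypt volumes mounted under `@{MOUNTS}`, a comment on those lines saying so would help, since the profile ships in complain mode and the reason is easy to lose later. `capability sys_ptrace,` and `@{bin}/sudo rix,` also have no explanation in the file; a short comment on each naming the code path that triggers them would make future tightening possible. The mount and tmp rules use a literal `/tmp/` while the other profiles on this page use `@{tmp}`; worth confirming that is intentional.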
@@ -377,6 +377,7 @@ update-grub complain update-secureboot-policy complain userdbctl complain utempter attach_disconnected,complain +veracrypt complain virt-manager attach_disconnected,complain virtinterfaced attach_disconnected,complain virtiofsd complain,attach_disconnected From c25b76c2334f22d764d62f4d08b9492e9dafbf90 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 21 Aug 2024 11:55:04 +0200 Subject: [PATCH 020/315] allow read access to atool config files --- apparmor.d/profiles-a-f/atool | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 947245d2a..5568b9e15 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -38,6 +38,7 @@ profile atool @{exec_path} { @{bin}/lzma rix, @{bin}/lzop rix, @{bin}/lzop rix, + @{lib}/p7zip/7z rix, @{bin}/rar rix, @{bin}/tar rix, @{bin}/unace rix, @@ -47,6 +48,9 @@ profile atool @{exec_path} { @{bin}/xz rix, @{bin}/zip rix, + /etc/atool.conf r, + owner @{HOME}/.atoolrc r, + include if exists } From f4330796c454bea5dd0a1c7289d4d4ff9914318c Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 21 Aug 2024 12:34:14 +0200 Subject: [PATCH 021/315] add write permissions to remove metadata --- apparmor.d/profiles-a-f/exiftool | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/exiftool b/apparmor.d/profiles-a-f/exiftool index 23aac34d4..9db5d83ea 100644 --- a/apparmor.d/profiles-a-f/exiftool +++ b/apparmor.d/profiles-a-f/exiftool @@ -11,6 +11,7 @@ profile exiftool @{exec_path} { include include include + include @{exec_path} mr, From 909d3062b570e8183f6661aa419975ab8e11a5fb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 22 Aug 2024 17:43:00 +0100 Subject: [PATCH 022/315] feat(profile): ssh: add sshd-session fix #442 --- apparmor.d/groups/ssh/sshd | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 1410d090f..3746c4261 100644 --- a/apparmor.d/groups/ssh/sshd 
+++ b/apparmor.d/groups/ssh/sshd @@ -67,6 +67,7 @@ profile sshd @{exec_path} flags=(attach_disconnected) { @{bin}/nologin rPx, @{bin}/passwd rPx, @{lib}/openssh/sftp-server rPx, + @{lib}/ssh/sshd-session rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, From 96d774a9ebae3fe61623029389d763e0c73aa362 Mon Sep 17 00:00:00 2001 From: odomingao Date: Sun, 25 Aug 2024 07:28:12 -0300 Subject: [PATCH 023/315] Update systemd-journald apparmor="DENIED" operation="open" class="file" profile="systemd-journald" name="/run/udev/data/+mdio_bus:r8169-0-300:00" comm="systemd-journal" requested_mask="r" denied_mask="r" fsuid=0 ouid=0 FSUID="root" OUID="root" --- apparmor.d/groups/systemd/systemd-journald | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 29191a95d..3d1fdfa6d 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -50,6 +50,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+mdio_bus:* r, @{run}/udev/data/+pci:* r, @{run}/udev/data/+platform:* r, @{run}/udev/data/+scsi:* r, From 1655a9f5ab0956142d78a8795d491a9e836d1ad9 Mon Sep 17 00:00:00 2001 
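Review bot: `@{lib}/ssh/sshd-session rix,` uses a different directory from the sibling `@{lib}/openssh/sftp-server rPx,` in the same hunk; OpenSSH installs sshd-session in the same libexec directory as sftp-server, which is `openssh/` on Debian-derived systems, so `@{lib}/{ssh,openssh}/sshd-session rix,` would cover both layouts. Using `rix` keeps the per-connection sshd-session process under the full sshd profile, which is the safe default here; a dedicated profile could be tighter but is out of scope for this fix. The sshd profile block continues outside the hunk.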
From: Alexandre Pujol Date: Wed, 28 Aug 2024 18:30:39 +0100 Subject: [PATCH 024/315] feat(profile): more kde integration. fix #442 --- apparmor.d/abstractions/bash-strict | 1 + .../groups/akonadi/akonadi_birthdays_resource | 1 + .../groups/akonadi/akonadi_maildir_resource | 2 + .../akonadi/akonadi_unifiedmailbox_agent | 1 + .../groups/browsers/firefox-kmozillahelper | 5 ++ .../groups/display-manager/xdm-xsession | 5 +- apparmor.d/groups/freedesktop/pulseaudio | 2 + apparmor.d/groups/kde/kaccess | 3 ++ apparmor.d/groups/kde/kde-powerdevil | 3 +- apparmor.d/groups/kde/kded | 15 ++++-- apparmor.d/groups/kde/konsole | 5 ++ apparmor.d/groups/kde/ksmserver | 4 +- apparmor.d/groups/kde/kwin_x11 | 2 +- apparmor.d/groups/kde/okular | 54 ++++++++++++++++++- apparmor.d/groups/kde/plasmashell | 3 ++ apparmor.d/groups/kde/sddm-greeter | 2 +- apparmor.d/groups/network/nm-dispatcher | 5 +- apparmor.d/groups/systemd/systemd-udevd | 7 +-- apparmor.d/profiles-a-f/btrfs | 16 +++--- apparmor.d/profiles-g-l/issue-generator | 1 + apparmor.d/profiles-m-r/pass | 8 +-- apparmor.d/profiles-m-r/pinentry-qt | 1 + apparmor.d/profiles-s-z/su | 2 + apparmor.d/profiles-s-z/xauth | 1 + apparmor.d/profiles-s-z/xclip | 3 +- 25 files changed, 120 insertions(+), 32 deletions(-) diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index eb4f65230..832f2add6 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -24,6 +24,7 @@ owner @{HOME}/.alias r, owner @{HOME}/.bash_aliases r, + owner @{HOME}/.bash_complete r, owner @{HOME}/.bash_history rw, owner @{HOME}/.bash_profile r, owner @{HOME}/.bashrc r, diff --git a/apparmor.d/groups/akonadi/akonadi_birthdays_resource b/apparmor.d/groups/akonadi/akonadi_birthdays_resource index 14b354b7e..70ff765b3 100644 --- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource +++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource 
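Review bot: `owner @{HOME}/.bash_complete r,` looks like it may be a typo: bash-completion sources `~/.bash_completion` from the user's home, and no bash dotfile named `.bash_complete` appears among the surrounding rules. If the denial that motivated this came from a local file of that name, a comment saying so would stop the next reader from "fixing" it; otherwise the rule should read `owner @{HOME}/.bash_completion r,`. The bash-strict abstraction continues outside the hunk.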
@@ -19,6 +19,7 @@ profile akonadi_birthdays_resource @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_config_dirs}/akonadi_birthdays_resourcerc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource index a534c7aad..7340d58a2 100644 --- a/apparmor.d/groups/akonadi/akonadi_maildir_resource +++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource @@ -17,6 +17,8 @@ profile akonadi_maildir_resource @{exec_path} { /usr/share/akonadi/plugins/serializer/{,*.desktop} r, + owner @{user_mail_dirs}/{,**} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r, diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent index 94c63a06b..d8af9fa47 100644 --- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent +++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent @@ -17,6 +17,7 @@ profile akonadi_unifiedmailbox_agent @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, + owner "@{user_config_dirs}/Unknown Organization/akonadi_unifiedmailbox_agent.conf_changes.dat" r, # see https://bugs.kde.org/show_bug.cgi?id=452565 owner @{user_config_dirs}/akonadi_unifiedmailbox_agentrc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index b4202ed0d..cac83b364 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper 
@@ -47,6 +47,11 @@ profile firefox-kmozillahelper @{exec_path} { owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + + owner @{user_share_dirs}/kservices5/ r, + owner @{user_share_dirs}/kservices5/searchproviders/ r, owner @{run}/user/@{uid}/kmozillahelper@{rand6}.@{int}.kioworker.socket wl, owner @{run}/user/@{uid}/xauth_@{rand6} rl, diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession index 962a97c3b..346f0e5b1 100644 --- a/apparmor.d/groups/display-manager/xdm-xsession +++ b/apparmor.d/groups/display-manager/xdm-xsession @@ -22,6 +22,7 @@ profile xdm-xsession @{exec_path} { @{bin}/cat rix, @{bin}/checkproc rix, @{bin}/dirname rix, + @{bin}/fortune rPUx, @{bin}/gpg-agent rPx, @{bin}/gpg-connect-agent rPx, @{bin}/grep rix, @@ -36,6 +37,7 @@ profile xdm-xsession @{exec_path} { @{bin}/tty rix, @{bin}/uname rix, @{bin}/whoami rix, + @{bin}/xmodmap rPUx, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/flatpak rPx, @@ -53,7 +55,7 @@ profile xdm-xsession @{exec_path} { @{etc_ro}/X11/xdm/sys.xsession rix, @{etc_ro}/X11/xinit/xinitrc.d/50-systemd-user.sh rix, @{etc_ro}/X11/xinit/xinitrc.d/xdg-user-dirs.sh rix, - @{HOME}/.xinitrc rPix, + @{HOME}/.xinitrc rPix, # TODO: rCx @{lib}/xinit/xinitrc rix, /usr/share/glib-2.0/schemas/gschemas.compiled r, @@ -73,6 +75,7 @@ profile xdm-xsession @{exec_path} { /etc/sysconfig/* r, owner @{HOME}/ r, + owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, owner @{user_share_dirs}/sddm/xorg-session.log rw, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 5fc356133..029d7d4ad 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio 
@@ -78,6 +78,8 @@ profile pulseaudio @{exec_path} { /etc/pulse/{,**} r, + / r, + owner @{desktop_cache_dirs}/gstreamer-1.0/ rw, owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw, owner @{desktop_config_dirs}/dconf/user r, diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index fb6a01c8a..7d6e4867e 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kaccess profile kaccess @{exec_path} { include + include include include include @@ -19,6 +20,8 @@ profile kaccess @{exec_path} { /usr/share/icons/{,**} r, + /etc/machine-id r, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/breezerc r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 09ebb0d7c..64371caaa 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -57,14 +57,15 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/class/i2c-dev/ r, @{sys}/class/usbmisc/ r, @{sys}/devices/ r, + @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/**/dev r, @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, @{sys}/devices/@{pci}/drm/card@{int}/*/enabled r, @{sys}/devices/@{pci}/drm/card@{int}/*/status r, - @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, @{sys}/devices/@{pci}/i2c-@{int}/{,**/}name r, + @{sys}/devices/@{pci}/i2c-@{int}/**/dev r, @{sys}/devices/**/ r, @{sys}/devices/i2c-@{int}/name r, @{sys}/devices/platform/**/i2c-@{int}/**/name r, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 422fc103c..64fa472bb 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
@@ -12,10 +12,10 @@ profile kded @{exec_path} { include include include + include include include - include - include + include include include include @@ -31,7 +31,8 @@ profile kded @{exec_path} { ptrace (read), - signal (send) set=hup peer=xsettingsd, + signal send set=hup peer=xsettingsd, + signal send set=term peer=kioworker, #aa:dbus own bus=system name=com.redhat.NewPrinterNotification #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager @@ -54,6 +55,7 @@ profile kded @{exec_path} { @{bin}/plasma-welcome rPUx, @{bin}/python3.@{int} rix, @{bin}/setxkbmap rix, + @{bin}/xmodmap rPUx, @{bin}/xrdb rPx, @{bin}/xsetroot rPx, @{bin}/xsettingsd rPx, @@ -73,6 +75,7 @@ profile kded @{exec_path} { /etc/fstab r, /etc/xdg/accept-languages.codes r, + /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, /etc/xdg/kde* r, /etc/xdg/kioslaverc r, @@ -83,6 +86,7 @@ profile kded @{exec_path} { / r, + owner @{HOME}/ r, owner @{HOME}/.gtkrc-2.0 rw, @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, @@ -94,6 +98,7 @@ profile kded @{exec_path} { @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/bluedevilglobalrc.lock rwk, owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/breezerc r, 
@@ -125,20 +130,22 @@ profile kded @{exec_path} { owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/plasma* r, owner @{user_config_dirs}/touchpadrc r, + owner @{user_config_dirs}/trashrc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, - owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/icc/{,edid-*} r, owner @{user_share_dirs}/kcookiejar/#@{int} rw, owner @{user_share_dirs}/kcookiejar/cookies.lock rwk, + owner @{user_share_dirs}/kcookiejar/cookies{,.@{rand6}} rwkl -> @{user_share_dirs}/kcookiejar/#@{int}, owner @{user_share_dirs}/kded{5,6}/{,**} rw, owner @{user_share_dirs}/kscreen/{,**} rwl, owner @{user_share_dirs}/kservices{5,6}/{,**} r, owner @{user_share_dirs}/ktp/cache.db rwk, owner @{user_share_dirs}/remoteview/ r, owner @{user_share_dirs}/services5/{,**} r, + owner @{user_share_dirs}/user-places.xbel r, @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 3151156a7..359297e42 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -64,6 +64,11 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/konsole/** rwlk, owner @{user_share_dirs}/kxmlgui5/konsole/{,**} r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/konsolestaterc rw, + owner @{user_state_dirs}/konsolestaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/konsolestaterc.lock rwk, + owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 858bc4b9a..edfc3adea 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver 
@@ -16,11 +16,11 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include - signal (send) set=(usr1,term) peer=kscreenlocker-greet, + signal send set=(usr1,term) peer=kscreenlocker_greet, ptrace (read) peer=kbuildsycoca5, - unix (send, receive) type=stream peer=(label="kscreenlocker-greet",addr=none), + unix (send, receive) type=stream peer=(label="kscreenlocker_greet",addr=none), @{exec_path} mr, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index a52a22330..8ee46455e 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -50,7 +50,7 @@ profile kwin_x11 @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/kwinoutputconfig.json r, + owner @{user_config_dirs}/kwinoutputconfig.json rw, owner @{user_config_dirs}/kwinrc.lock rwk, owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl, owner @{user_config_dirs}/kwinrulesrc r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index d732ee0f7..775491bdd 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular 
@@ -11,27 +11,47 @@ include profile okular @{exec_path} { include include + include include + include include include + include include include include + network netlink raw, + + signal send set=term peer=kioworker, + @{exec_path} mr, @{bin}/ps2pdf rPUx, @{bin}/gpg{,2} rCx -> gpg, - @{bin}/gpgcon rCx -> gpg, + @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, @{open_path} rPx -> child-open, + #aa:exec kioworker /usr/share/color-schemes/{,**} r, /usr/share/okular/{,**} r, /usr/share/poppler/{,**} r, + /etc/fstab r, + /etc/xdg/baloofilerc r, + /etc/xdg/dolphinrc r, + /etc/xdg/menus/ r, + /etc/xdg/menus/applications-merged/ r, + + / r, + @{MOUNTS}/ r, + + owner @{user_cache_dirs}/ksycoca{5,6}_* r, + owner @{user_cache_dirs}/okular/{,**} rw, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/okularpartrc rw, owner @{user_config_dirs}/okularpartrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, 
@@ -39,22 +59,52 @@ profile okular @{exec_path} { owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, + owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/dolphinrc r, + owner @{user_config_dirs}/okular-generator-popplerrc r, + owner @{user_config_dirs}/KDE/*.conf r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/kservicemenurc r, + owner @{user_config_dirs}/kwalletrc r, + owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/trashrc r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, owner @{user_share_dirs}/okular/ rw, owner @{user_share_dirs}/okular/** rwlk -> @{user_share_dirs}/okular/**, + owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl -> @{user_share_dirs}/#@{int}, + owner @{user_share_dirs}/recently-used.xbel.lock rk, + owner @{user_share_dirs}/user-places.xbel r, - owner @{user_cache_dirs}/okular/{,**} rw, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/okularstaterc rw, + owner @{user_state_dirs}/okularstaterc.@{rand6} rwl -> @{user_state_dirs}/#@{int}, + owner @{user_state_dirs}/okularstaterc.lock rwk, owner @{tmp}/#@{int} rw, + owner @{tmp}/okular.@{rand6} rwl -> /tmp/#@{int}, owner @{tmp}/okular_@{rand6}.ps rwl -> /tmp/#@{int}, + owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment, + + owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, + + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, profile gpg { include + include @{bin}/gpg{,2} mr, @{bin}/gpgcon mr, @{bin}/gpgsm mr, + owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, + owner @{run}/user/@{uid}/ r, owner 
@{run}/user/@{uid}/gnupg/ r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index fe79dccd7..06a816026 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -90,6 +90,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /var/lib/AccountsService/icons/* r, + @{MOUNTS}/ r, + @{HOME}/ r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, @@ -197,6 +199,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{PROC}/ r, + @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/diskstats r, @{PROC}/loadavg r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index dba650f2c..4872716fc 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -49,7 +49,7 @@ profile sddm-greeter @{exec_path} { owner @{SDDM_HOME}/#@{int} mrw, owner @{sddm_cache_dirs}/** mrwkl -> @{sddm_cache_dirs}/**, - owner @{HOME}/.face.icon r, + @{HOME}/.face.icon r, owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 9e2904a54..1a82fdbf5 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -31,20 +31,21 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{sh_path} rix, - @{bin}/python3.@{int} rix, @{bin}/basename rix, @{bin}/cat rix, - @{bin}/chronyc rPUx, @{bin}/chown rix, + @{bin}/chronyc rPUx, @{bin}/date rix, @{bin}/gawk rix, @{bin}/grep rix, @{bin}/id rix, @{bin}/invoke-rc.d rCx -> invoke-rc, + @{bin}/logger rix, @{bin}/mkdir rix, @{bin}/mktemp rix, @{bin}/netconfig rPUx, @{bin}/nmcli rix, + @{bin}/python3.@{int} rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/run-parts rCx -> run-parts, 
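Review bot: The `gpg` child profile still carries `@{bin}/gpgcon mr,` even though the parent rule in this same commit was corrected to `@{bin}/gpgconf rCx -> gpg`, so the binary the transition now lands on is not allowed to be mapped in the child and gpgconf will keep being denied under the fixed rule. Change the child line to `@{bin}/gpgconf mr,` to match; the old `gpgcon` spelling matches no real program. The child profile's closing brace and any further rules are outside this hunk.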
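Review bot: Dropping `owner` from `@{HOME}/.face.icon r` is only correct because the greeter runs as the sddm account while each avatar belongs to the user it depicts, and that reasoning is not recorded anywhere near the rule, so a later tightening pass is likely to reintroduce `owner` and silently break avatars again. Add a comment above the rule, e.g. `# Runs as the sddm user, so every account's avatar must be readable without owner`. The widening stays limited to that single filename under the directories `@{HOME}` expands to.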
diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 8b1351997..fa096a35d 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -89,15 +89,16 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { /etc/systemd/network/ r, /etc/systemd/network/@{int2}-*.link r, - @{run}/udev/ rw, - @{run}/udev/** rwk, - @{run}/credentials/systemd-udev-load-credentials.service/ r, + @{run}/modprobe.d/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, @{run}/systemd/seats/seat@{int} r, + @{run}/udev/ rw, + @{run}/udev/** rwk, + @{sys}/** rw, @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs index 45e50da9c..41e6fff57 100644 --- a/apparmor.d/profiles-a-f/btrfs +++ b/apparmor.d/profiles-a-f/btrfs @@ -24,9 +24,15 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { /var/lib/btrfs/scrub.status.@{uuid}{,_tmp} rwk, / r, - /boot/ r, - /home/ r, /.snapshots/ r, + /boot/ r, + /boot/**/ r, + /home/ r, + /opt/ r, + /root/ r, + /srv/ r, + /usr/local/ r, + /var/ r, @{MOUNTS}/ r, @{MOUNTS}/ext2_saved/ rw, @{MOUNTS}/ext2_saved/image rw, @@ -44,10 +50,8 @@ profile btrfs @{exec_path} flags=(attach_disconnected) { @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab, @{run}/snapper-tools-*/ r, @{run}/snapper-tools-@{rand6}/@/.snapshots/@{int}/snapshot r, - - @{sys}/fs/btrfs/@{uuid}/exclusive_operation r, - @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/fsid r, - @{sys}/fs/btrfs/@{uuid}/devinfo/@{int}/scrub_speed_max r, + + @{sys}/fs/btrfs/@{uuid}/** r, @{PROC}/partitions r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index 57de7cab8..60f5f22ee 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator 
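Review bot: `@{run}/modprobe.d/ r,` grants only the directory listing; if this denial came from udevd's built-in kmod support, libkmod goes on to read the `*.conf` files inside that directory, and the follow-up denial is presently masked by the profile's `complain` flag. Pair it with `@{run}/modprobe.d/*.conf r,` in the same way `/etc/systemd/network/ r,` is paired with its `@{int2}-*.link r` rule above, or confirm from the audit log that only the listing was requested and say so in a comment.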
@@ -13,6 +13,7 @@ profile issue-generator @{exec_path} { @{exec_path} mr, + @{sh_path} r, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cmp rix, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 7c4f697e0..5bd851921 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -74,16 +74,10 @@ profile pass @{exec_path} { profile pkill { include - - capability sys_ptrace, - - ptrace read, + include @{bin}/pkill mr, - @{PROC}/@{pid}/cgroup r, - @{PROC}/tty/drivers r, - include if exists } diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 1763bd96f..93dc4aded 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/pinentry-qt profile pinentry-qt @{exec_path} { include + include include include include diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su index 237d5ed02..d292cab8b 100644 --- a/apparmor.d/profiles-s-z/su +++ b/apparmor.d/profiles-s-z/su @@ -28,6 +28,8 @@ profile su @{exec_path} { @{etc_ro}/default/su r, + @{HOME}/.xauth@{rand6} rw, + include if exists } diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index f051fdc0c..ad57f8615 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xauth profile xauth @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index 378e8cae3..9f82aff64 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip @@ -10,14 +10,13 @@ include @{exec_path} = @{bin}/xclip profile xclip @{exec_path} { include + include include network unix stream, @{exec_path} mr, - deny /dev/tty rw, - include if exists } From f9169bc40b2d04d4a12172e2e21c2f6247d91064 Mon Sep 17 00:00:00 2001 
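Review bot: `@{HOME}/.xauth@{rand6} rw,` in the su profile carries no `owner` qualifier, so su, running as root, may create or overwrite a `.xauth*` file in any home directory rather than only the target user's. If the file is created by pam_xauth after it switches its fsuid to the target user — which is how it normally writes the cookie into that user's home — `owner @{HOME}/.xauth@{rand6} rw,` is sufficient and matches how the other per-user files in this series are written; check the audit entry's fsuid before keeping the wider form. A comment naming pam_xauth as the reason would also help, since the rule is otherwise unexplained.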
From: Alexandre Pujol Date: Wed, 28 Aug 2024 18:43:34 +0100 Subject: [PATCH 025/315] feat(profile): use the kde-globals-write abstaction when needed. --- apparmor.d/groups/browsers/firefox-kmozillahelper | 3 +-- apparmor.d/groups/freedesktop/xdg-desktop-portal-kde | 3 +-- apparmor.d/groups/kde/kconf_update | 4 +--- apparmor.d/groups/kde/kded | 4 +--- apparmor.d/groups/kde/startplasma | 6 ++---- 5 files changed, 6 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index cac83b364..d7162578b 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -11,6 +11,7 @@ profile firefox-kmozillahelper @{exec_path} { include include include + include include include include @@ -42,8 +43,6 @@ profile firefox-kmozillahelper @{exec_path} { owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kdeglobals.@{rand6} rwl, owner @{user_config_dirs}/kmozillahelperrc r, owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl, owner @{user_config_dirs}/kwinrc r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index a5329097b..3b6fa1112 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -11,6 +11,7 @@ include profile xdg-desktop-portal-kde @{exec_path} { include include + include include include 
@@ -30,10 +31,8 @@ profile xdg-desktop-portal-kde @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/autostart/org.kde.*.desktop r, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/kdeglobals{,.*} rwlk, owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk, owner @{run}/user/@{uid}/xdg-desktop-portal-kde@{rand6}.*.socket rw, diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index bcab6d31b..5d0914b52 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -13,6 +13,7 @@ profile kconf_update @{exec_path} { include include include + include include include include @@ -45,7 +46,6 @@ profile kconf_update @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akregatorrc.lock rwk, owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, @@ -58,8 +58,6 @@ profile kconf_update @{exec_path} { owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kconf_updaterc.lock rwk, owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/khotkeysrc.lock rwk, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index 64fa472bb..5620d7dee 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -18,6 +18,7 @@ profile kded @{exec_path} { include include include + include include include include 
@@ -97,7 +98,6 @@ profile kded @{exec_path} { @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/bluedevilglobalrc.lock rwk, owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, @@ -112,8 +112,6 @@ profile kded @{exec_path} { owner @{user_config_dirs}/kded{5,6}rc.lock rwk, owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl, owner @{user_config_dirs}/kdedefaults/{,**} r, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl, owner @{user_config_dirs}/khotkeysrc.lock rwk, owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 149df7695..81b1a1243 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -10,8 +10,9 @@ include profile startplasma @{exec_path} { include include - include include + include + include signal (receive) set=(hup) peer=@{p_systemd}, signal (receive) set=(term) peer=sddm, @@ -50,13 +51,10 @@ profile startplasma @{exec_path} { owner @{user_cache_dirs}/kcrash-metadata/ rw, owner @{user_cache_dirs}/plasma-svgelements rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/gtkrc{,*} rwlk, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ rw, owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**, - owner @{user_config_dirs}/kdeglobals.lock rwk, - owner @{user_config_dirs}/kdeglobals{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/ksplashrc r, owner @{user_config_dirs}/kwinkdeglobalsrc.lock rwk, owner @{user_config_dirs}/menus/{,**} r, 
From c13aa711da3546053de4644c3a50fc51f20bb2c1 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Aug 2024 18:46:35 +0100 Subject: [PATCH 026/315] feat(abs): add user bin to the app launch abs. --- apparmor.d/abstractions/app-launcher-user | 3 +++ apparmor.d/groups/kde/ksmserver | 2 -- apparmor.d/profiles-s-z/waybar | 1 - 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 5e7c50824..edf96b05a 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -21,6 +21,9 @@ /usr/ r, /usr/local/bin/ r, + @{user_bin_dirs}/ r, + @{user_bin_dirs}/** PUx, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index edfc3adea..5f6c9ceb6 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -31,8 +31,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:exec drkonqi #aa:exec kscreenlocker_greet - @{user_bin_dirs}/** rPUx, - /usr/share/color-schemes/{,**} r, /usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/kservices{5,6}/{,**} r, diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index e6cd61581..250a6a731 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -10,7 +10,6 @@ include profile waybar @{exec_path} flags=(attach_disconnected) { include include - include include include include From ec7715aaf3e35cd307f94129bec7fbb43215cc05 Mon Sep 17 00:00:00 2001 
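Review bot: `@{user_bin_dirs}/** PUx,` lets every profile that includes this abstraction execute any file in the user's writable bin directories, falling back to unconfined whenever no matching profile exists, and the abstraction carries no comment saying so; the rule was previously scoped to ksmserver alone. Add a note above it such as `# User bin dirs are user-writable: anything there without its own profile runs unconfined (PUx), so only launchers should include this abstraction`. The ksmserver rule it replaces was written `rPUx`; dropping the `r` here is a deliberate style shift that deserves a word in the commit message, since other rules in this series (nm-dispatcher) still use the `r`-prefixed form.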
From: Alexandre Pujol Date: Wed, 28 Aug 2024 18:52:55 +0100 Subject: [PATCH 027/315] feat(profile): general update. --- apparmor.d/groups/gnome/gnome-music | 1 + apparmor.d/groups/gnome/gnome-session | 3 ++- apparmor.d/groups/gnome/gnome-software | 3 +++ .../groups/gnome/org.gnome.NautilusPreviewer | 3 +++ apparmor.d/groups/gnome/tracker-miner | 2 ++ apparmor.d/groups/kde/kreadconfig | 7 +---- apparmor.d/groups/virt/cockpit-bridge | 16 ++++++++--- apparmor.d/profiles-a-f/element-desktop | 3 ++- apparmor.d/profiles-g-l/keepassxc | 2 ++ apparmor.d/profiles-m-r/pinentry-kwallet | 27 ++++++------------- apparmor.d/profiles-m-r/qt5ct | 2 -- apparmor.d/profiles-s-z/YACReaderLibrary | 3 +-- apparmor.d/profiles-s-z/steam-launch | 3 +++ apparmor.d/profiles-s-z/thunderbird-vaapitest | 2 +- apparmor.d/profiles-s-z/waybar | 1 + apparmor.d/profiles-s-z/whereis | 2 +- 16 files changed, 44 insertions(+), 36 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index be07256ae..69273720e 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -48,6 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, + owner /var/tmp/etilqs_@{hex15} rw, owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index e349d85c1..171a93338 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -17,8 +17,8 @@ profile gnome-session @{exec_path} { @{shells_path} rix, @{bin}/cat rix, - @{bin}/gettext.sh r, @{bin}/gettext rix, + @{bin}/gettext.sh r, @{bin}/grep rix, @{bin}/head rix, @{bin}/id rix, 
@@ -28,6 +28,7 @@ profile gnome-session @{exec_path} { @{bin}/readlink rix, @{bin}/realpath rix, @{bin}/sed rix, + @{bin}/tput rix, @{bin}/tr rix, @{bin}/tty rix, @{bin}/uname rPx, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 2ebff5ddf..f5652135a 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -109,9 +109,12 @@ profile gnome-software @{exec_path} { owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/sessions/@{int} r, + @{run}/systemd/users/@{uid} r, @{sys}/module/nvidia/version r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pids}/mounts r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index 6b2544a84..cc08462e8 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -39,9 +39,11 @@ profile org.gnome.NautilusPreviewer @{exec_path} { @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, + @{PROC}/devices r, @{PROC}/@{pid}/cgroup r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cmdline r, @@ -51,6 +53,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/media@{int} r, + /dev/nvidia-uvm rw, include if exists } diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index a49f28b47..9ebdd9fe8 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner 
@@ -87,8 +87,10 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/cmdline r, @{PROC}/sys/fs/fanotify/max_user_marks r, @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/vm/mmap_min_addr r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, /dev/video@{int} rw, diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig index fc14b9536..33cf23a9b 100644 --- a/apparmor.d/groups/kde/kreadconfig +++ b/apparmor.d/groups/kde/kreadconfig @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/kreadconfig5 profile kreadconfig @{exec_path} { include + include capability dac_read_search, @@ -16,14 +17,8 @@ profile kreadconfig @{exec_path} { @{exec_path} mr, - /usr/share/icu/@{int}.@{int}/*.dat r, - - /etc/xdg/kdeglobals r, /etc/xdg/kioslaverc r, - owner @{user_config_dirs}/kdedefaults/kdeglobals r, - owner @{user_config_dirs}/kdeglobals r, - include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index c4337d77a..0a6ae6246 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -35,9 +35,18 @@ profile cockpit-bridge @{exec_path} { @{exec_path} mr, - @{bin}/journalctl rPx, - @{lib}/cockpit/cockpit-pcp rPx, - @{lib}/cockpit/cockpit-ssh rPx, + @{bin}/cat ix, + @{bin}/date ix, + @{bin}/findmnt Px, + @{bin}/journalctl Px, + @{bin}/python3.@{int} ix, + @{bin}/ssh-agent Px, + @{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix? + @{lib}/cockpit/cockpit-pcp Px, + @{lib}/cockpit/cockpit-ssh Px, + + # The shell is not confined on purpose. + @{bin}/@{shells} Ux, /usr/share/cockpit/{,**} r, /usr/{,local/}share/ r, @@ -64,6 +73,7 @@ profile cockpit-bridge @{exec_path} { @{sys}/fs/cgroup/**/ r, @{sys}/fs/cgroup/**/cpu.{stat,weight} r, @{sys}/fs/cgroup/**/memory* r, + @{sys}/kernel/kexec_crash_size r, @{PROC}/ r, @{PROC}/@{pids}/cgroup r, 
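Review bot: `@{bin}/@{shells} Ux,` makes every login shell the bridge spawns (the web terminal) run unconfined, so anyone who can open a terminal session leaves this profile entirely; the inline comment records the intent but not the reason, nor why a child profile or `PUx` was rejected. Expand it to something like `# The web terminal must run the user's real login shell with its rc files; confining it here would only break user setups, so it is unconfined on purpose` (uppercase `Ux` also requests a secure exec that strips `LD_PRELOAD`-style variables, which is the right choice). The `@{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix?` line ships an undecided privilege transition and misspells "privileged"; `Px` into a dedicated sudo profile is the tightest of the three options and `rix` would hand the bridge's own rules to a setuid binary, so resolve the TODO rather than leave it in.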
diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index 1dd15b4b9..b3cd7e34b 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -31,7 +31,8 @@ profile element-desktop @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{open_path} rPx -> child-open-strict, + @{open_path} rPx -> child-open-strict, + @{bin}/xdg-settings rPx, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index f79a3464e..4315fb6e5 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -43,6 +43,8 @@ profile keepassxc @{exec_path} { /etc/fstab r, + @{bin}/ r, + owner @{HOME}/ r, owner @{HOME}/.mozilla/native-messaging-hosts/org.keepassxc.keepassxc_browser.json rw, owner @{HOME}/@{XDG_SSH_DIR}/ r, diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index 235c256a7..c9dc12ba1 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet 
@@ -11,42 +11,31 @@ include profile pinentry-kwallet @{exec_path} { include include - include + include signal (send) set=(term, kill) peer=gpg-agent, @{exec_path} mr, - @{bin}/pinentry-* rPx, - - @{bin}/kwalletcli_getpin rix, - @{bin}/kwalletcli rCx -> kwalletcli, - - # when wrong PIN is provided @{bin}/date rix, - - @{bin}/mksh rix, @{bin}/env rix, - - owner @{HOME}/.Xauthority r, - - /usr/share/hwdata/pnp.ids r, - + @{bin}/kwalletcli rCx -> kwalletcli, + @{bin}/kwalletcli_getpin rix, + @{bin}/mksh rix, + @{bin}/pinentry-* rPx, profile kwalletcli { include + include @{bin}/kwalletcli mr, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_config_dirs}/kwalletrc r, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, - owner @{HOME}/.Xauthority r, - - /usr/share/hwdata/pnp.ids r, + owner @{user_config_dirs}/kwalletrc r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index 43964d950..3052736b6 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -28,8 +28,6 @@ profile qt5ct @{exec_path} { owner @{user_config_dirs}/fontconfig/** rw, owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int}, - owner @{user_config_dirs}/kdeglobals r, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/icon-cache.kcache rw, diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary index 5d773292d..19bf0e9c2 100644 --- a/apparmor.d/profiles-s-z/YACReaderLibrary +++ b/apparmor.d/profiles-s-z/YACReaderLibrary 
@@ -34,9 +34,8 @@ profile YACReaderLibrary @{exec_path} flags=(attach_disconnected,mediate_deleted /etc/machine-id r, - owner @{user_books_dirs}/{,**} r, + owner @{user_books_dirs}/{,**} rw, owner @{user_books_dirs}/**/.yacreaderlibrary/{,**} rwk, - owner @{user_books_dirs}/**/None rw, owner @{user_cache_dirs}/YACReader/ rw, owner @{user_cache_dirs}/YACReader/YACReaderLibrary/ rw, diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/profiles-s-z/steam-launch index 877181b61..11c7b76b2 100644 --- a/apparmor.d/profiles-s-z/steam-launch +++ b/apparmor.d/profiles-s-z/steam-launch @@ -23,6 +23,7 @@ profile steam-launch @{exec_path} { @{exec_path} mr, @{sh_path} rix, + @{bin}/cmp rix, @{bin}/cp rix, @{bin}/dirname rix, @{bin}/env rix, @@ -33,6 +34,8 @@ profile steam-launch @{exec_path} { @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, + @{runtime_dirs}/@{arch}/steam-runtime-steam-remote rPUx, + /usr/ r, /usr/local/ r, diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index 85c1a08cb..a401173f1 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name}/ @{exec_path} = @{lib_dirs}/vaapitest -profile thunderbird-vaapitest @{exec_path} { +profile thunderbird-vaapitest @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index 250a6a731..8da427a64 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis index 330957a62..e7bc743a5 100644 --- a/apparmor.d/profiles-s-z/whereis +++ b/apparmor.d/profiles-s-z/whereis 
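Review bot: Widening `owner @{user_books_dirs}/{,**} r` to `rw` turns the entire comic collection into a write target, so a bug or exploit while parsing a malicious archive can modify or delete every book, whereas the removed `**/None rw` line only ever matched one stray filename. If the write is for library metadata, the existing `.yacreaderlibrary/{,**} rwk` rule already covers it; if the application genuinely writes next to the books (extracted covers, renames), list that path explicitly and keep the collection itself at `r`. A comment naming what gets written would make the intent reviewable.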
@@ -30,7 +30,7 @@ profile whereis @{exec_path} { /opt/cni/bin/ r, /opt/containerd/bin/ r, - /etc/ r, + @{etc_ro}/ r, /snap/bin/ r, /var/lib/flatpak/exports/bin/ r, From 72d8d144805aefa7a5d2e440266ff43f219337ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Aug 2024 18:53:31 +0100 Subject: [PATCH 028/315] feat(tunables): expand coreutils with findutils & diffutils. --- apparmor.d/tunables/multiarch.d/programs | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index f72e56921..e8c6b9022 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs 
@@ -15,15 +15,15 @@ # All interactive shells users may want to use @{shells} = sh zsh bash dash fish rbash ksh tcsh csh -# Coreutils programs that should not have dedicated profile +# Coreutils programs that should not have dedicated profile. Also includes findutils and diffutils. @{coreutils} = {,g,m}awk b2sum base32 base64 basename basenc cat chcon chgrp chmod chown -@{coreutils} += cksum comm cp csplit cut date dd df dir dircolors dirname diff du echo env expand +@{coreutils} += cksum cmp comm cp csplit cut date dd df dir dircolors dirname diff diff3 du echo env expand @{coreutils} += expr factor false find fmt fold {,e,f}grep head hostid id install join link -@{coreutils} += ln logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt +@{coreutils} += ln locate logname ls md5sum mkdir mkfifo mknod mktemp mv nice nl nohup nproc numfmt @{coreutils} += od paste pathchk pinky pr printenv printf ptx pwd readlink realpath rm rmdir -@{coreutils} += runcon sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep +@{coreutils} += runcon sdiff sed seq sha1sum sha224sum sha256sum sha384sum sha512sum shred shuf sleep @{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true -@{coreutils} += truncate tsort tty uname unexpand uniq unlink vdir wc who whoami xargs yes +@{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes # Browsers From 09aef5131eb9322b60a79976562c0c45e6822bbf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Aug 2024 18:59:51 +0100 Subject: [PATCH 029/315] fix(profile): gpg key generation. --- apparmor.d/groups/gpg/gpg | 2 ++ apparmor.d/groups/gpg/gpg-agent | 20 ++++++++++---------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index b549f1477..a4f2a11ea 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg 
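Review bot: `locate` and `updatedb` do not fit the list's own definition, "programs that should not have dedicated profile": `updatedb` walks the whole filesystem as root and is a natural candidate for its own profile, and on distributions where `locate` is setgid to read the database, an inherited (`ix`) execution from an arbitrary profile is either denied the database or quietly granted it by every profile that includes a `@{bin}/@{coreutils} rix` rule. If the set already ships a profile for either tool, listing them here lets such rules bypass it; otherwise a short comment explaining why they are treated as plain filters would stop the question recurring. `cmp`, `diff3` and `sdiff` are uncontroversial additions.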
@@ -28,6 +28,8 @@ profile gpg @{exec_path} { @{bin}/gpgsm rPx, @{lib}/{,gnupg/}scdaemon rPx, + /usr/share/terminfo/** r, + /etc/inputrc r, owner @{HOME}/@{XDG_GPG_DIR}/ rw, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index f7580a8aa..d97327969 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
@@ -24,37 +24,37 @@ profile gpg-agent @{exec_path} { /usr/share/gnupg/* r, owner @{HOME}/@{XDG_GPG_DIR}/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/gpg-agent.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, + owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw, owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/gpg-agent.conf r, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/*.conf r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{user_projects_dirs}/**/{.,}gnupg/ rw, - owner @{user_projects_dirs}/**/{.,}gnupg/gpg-agent.conf r, + owner @{user_projects_dirs}/**/{.,}gnupg/*.conf r, owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r, owner @{run}/user/@{uid}/gnupg/ rw, - owner @{run}/user/@{uid}/gnupg/gpg-agent.conf r, + owner @{run}/user/@{uid}/gnupg/*.conf r, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, - owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/sshcontrol r, owner 
@{user_tmp_dirs}/**/{.,}gnupg/ rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/gpg-agent.conf r, + owner @{user_tmp_dirs}/**/{.,}gnupg/*.conf r, owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key rw, + owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, From bb1c4e053724f7f3035ec4e377dc3df40ed891ba Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Aug 2024 19:19:21 +0100 Subject: [PATCH 030/315] feat(profile): modernise the crontab profile. fix #428 --- apparmor.d/abstractions/app/editor | 9 ++++++--- apparmor.d/groups/cron/crontab | 10 ++++++++-- apparmor.d/profiles-a-f/flatpak | 2 ++ apparmor.d/profiles-a-f/flatpak-app | 5 +++-- 4 files changed, 19 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index f0972f3e7..023696e31 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -1,16 +1,19 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only include + @{sh_path} rix, + @{bin}/nvim mrix, @{bin}/sensible-editor mr, @{bin}/vim{,.*} mrix, - @{sh_path} rix, @{bin}/which{,.debianutils} rix, - /usr/share/vim/{,**} r, + /usr/share/nvim/{,**} r, /usr/share/terminfo/** r, + /usr/share/vim/{,**} r, /etc/vimrc r, /etc/vim/{,**} r, @@ -19,11 +22,11 @@ owner @{HOME}/.viminf@{c}{,.tmp} rw, owner @{HOME}/.vimrc r, - # Vim swap file owner @{HOME}/ r, owner @{user_cache_dirs}/ r, owner @{user_cache_dirs}/vim/{,**} rw, owner @{user_config_dirs}/vim/{,**} r, + owner @{user_state_dirs}/nvim/{,**} rw, include if exists diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 3490199a1..82d3c543f 100644 
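Review bot: `@{bin}/nvim mrix` is added to the editor abstraction with `/usr/share/nvim/{,**} r` and the state directory, but nothing grants nvim its user configuration or data directories, whereas the existing vim rules do cover `@{user_config_dirs}/vim/{,**} r`; any user with an `init.lua` or plugins will see the editor start degraded under every profile that includes this abstraction. Add the parallel rules `owner @{user_config_dirs}/nvim/{,**} r,` and `owner @{user_share_dirs}/nvim/{,**} r,` if that scope is intended, or a comment stating that only a stock nvim is supported. Note that `ix` lets nvim's `:!` and Lua plugins run with the including profile's permissions, the same trade-off already made for vim.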
--- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -10,9 +10,12 @@ include @{exec_path} = @{bin}/crontab profile crontab @{exec_path} { include + include include include + capability dac_read_search, + capability net_admin, capability setgid, capability setuid, @@ -23,15 +26,17 @@ profile crontab @{exec_path} { # When editing the crontab file @{bin}/sensible-editor rCx -> editor, @{bin}/vim.* rCx -> editor, + @{bin}/nvim rCx -> editor, /etc/cron.{allow,deny} r, /etc/pam.d/* r, /var/spool/cron/ r, /var/spool/cron/crontabs/ rw, + /var/spool/cron/user r, owner /var/spool/cron/crontabs/* rw, - owner @{tmp}/crontab.*/{,crontab} rw, + owner @{tmp}/crontab.@{rand6}/{,crontab} rw, profile editor { include @@ -42,7 +47,8 @@ profile crontab @{exec_path} { /etc/cron.{allow,deny} r, /tmp/ r, - owner @{tmp}/crontab.*/crontab rw, + owner @{tmp}/crontab.@{rand6}/crontab rw, + owner @{tmp}/crontab.@{rand6} rw, include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 8722612d1..f61879407 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -35,6 +35,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain ptrace (read) peer=flatpak-app, + signal send peer=flatpak-app, + @{exec_path} mr, @{bin}/bwrap rPx -> flatpak-app, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 87e9b443d..58d4713bd 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -44,8 +44,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { ptrace (read), ptrace trace peer=flatpak-app, - signal (receive) set=(int term) peer=flatpak-portal, - signal (receive) set=(int) peer=flatpak-session-helper, + signal receive peer=flatpak, + signal receive set=(int term) peer=flatpak-portal, + signal receive set=(int) peer=flatpak-session-helper, @{bin}/** rmix, @{lib}/** rmix, 
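Review bot: `capability net_admin,` has no visible justification in a profile for a setuid crontab editor whose job is reading `/etc/cron.{allow,deny}` and writing spool files, and CAP_NET_ADMIN is a privilege a user-invoked program should not be able to exercise. Capability requests of this kind usually come from a library probing (socket buffer options, for example) and are better handled with `deny capability net_admin,`, as this series does with other unwanted permissions, unless a real need can be named in a comment next to the rule. `capability dac_read_search,` deserves a one-line reason too, e.g. which non-root-owned spool file or directory triggered it.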
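Review bot: `/var/spool/cron/user r,` looks like a literal username captured from a test machine rather than a rule: on cronie-based systems per-user crontabs live at `/var/spool/cron/<username>`, so this line only helps an account called "user" and leaves every other account denied. Express it as a pattern in the same shape as the Debian layout directly below it, e.g. `/var/spool/cron/* r,` (cronie's crontab runs setuid root, so check whether `owner` would still match before adding it), and say in a comment that the two spool layouts are cronie and Debian cron. The `@{tmp}/crontab.@{rand6}` tightening above it is a good change.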
From ce26fa103b49f33df7682be757b184254f159ae1 Mon Sep 17 00:00:00 2001 From: valoq Date: Wed, 28 Aug 2024 18:00:11 +0200 Subject: [PATCH 031/315] permit read access --- apparmor.d/profiles-a-f/atool | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool index 5568b9e15..a027f7a4f 100644 --- a/apparmor.d/profiles-a-f/atool +++ b/apparmor.d/profiles-a-f/atool @@ -11,6 +11,7 @@ profile atool @{exec_path} { include include include + include include @{exec_path} mr, From cecd0a6284c1fb220730eab813df5de86330d759 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Fri, 23 Aug 2024 22:53:56 +0800 Subject: [PATCH 032/315] initial support for ufw --- apparmor.d/profiles-s-z/sysctl | 2 ++ apparmor.d/profiles-s-z/ufw | 57 ++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 apparmor.d/profiles-s-z/ufw diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index 4e50430be..02964dd7d 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -30,6 +30,8 @@ profile sysctl @{exec_path} { deny network inet6 stream, deny network inet stream, + /etc/ufw/sysctl.conf r, # Add support for ufw + include if exists } diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw new file mode 100644 index 000000000..63352e655 --- /dev/null +++ b/apparmor.d/profiles-s-z/ufw 
@@ -0,0 +1,57 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/ufw
+profile ufw @{exec_path} {
+
+ include
+
+ capability dac_read_search,
+ capability net_admin,
+
+ network netlink raw,
+ network inet dgram,
+ network inet6 dgram,
+
+ @{exec_path} mr,
+
+ @{bin}/ r,
+ @{bin}/python3* ix,
+ @{bin}/cat ix,
+ @{bin}/xtables-nft-multi ix,
+
+ @{lib}/ufw/ufw-init ix,
+
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/net/ip_tables_names r,
+
+ owner @{bin}/env r,
+
+ /etc/ufw/{,**} rwk,
+
+ /etc/default/ufw r,
+
+ /run/ufw.lock wk,
+
+ /etc/gai.conf r,
+ /etc/nsswitch.conf r,
+ /etc/passwd r,
+ /etc/services r,
+
+ /var/tmp/* rw,
+ /tmp/* rw,
+
+ /dev/pts/[0-9]* rw,
+ /dev/tty rw,
+
+ include if exists
+
+}
+
+# vim:syntax=apparmor
From d5ee5c51cba17bea2647e068e90f610e820e6aff Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Sat, 24 Aug 2024 19:35:21 +0800 Subject: [PATCH 033/315] Tighten the permissions of ufw --- apparmor.d/profiles-s-z/ufw | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw
index 63352e655..add5865ef 100644
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/profiles-s-z/ufw
@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 EricLin
+# Copyright (C) 2024 EricLin
 # SPDX-License-Identifier: GPL-2.0-only
 abi ,
@@ -44,8 +44,10 @@ profile ufw @{exec_path} {
 /etc/passwd r,
 /etc/services r,
- /var/tmp/* rw,
- /tmp/* rw,
+ /var/tmp/@{rand8} rw,
+ /var/tmp/tmp* rw,
+ /tmp/@{rand8} rw,
+ /tmp/tmp* rw,
 /dev/pts/[0-9]* rw,
 /dev/tty rw,
From 7716c8a191a86a2c67c86ae861b8600db5e3de06 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Tue, 27 Aug 2024 21:00:20 +0800 Subject: [PATCH 034/315] Rewrite the profile for ufw --- apparmor.d/profiles-s-z/ufw | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-)
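Review bot: `@{lib}/ufw/ufw-init ix,` runs what is, as far as I know, a POSIX shell script inside ufw's own profile, yet no rule grants the shell interpreter, so unless the single (unnamed here) included abstraction covers it the launch of ufw-init will be denied on the interpreter open. The convention used by the other profiles in this series is to pair script execution with `@{sh_path} rix,`. On the same line of thought, `@{bin}/xtables-nft-multi ix,` only covers the nftables backend; hosts on the legacy backend resolve iptables to `xtables-legacy-multi`, so `@{bin}/xtables-{nft,legacy}-multi ix,` would be more portable. Both points are inferred from how ufw is packaged rather than from the hunk itself and should be confirmed against a denial log.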
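Review bot: The tightened `/tmp/tmp* rw,` and `/var/tmp/tmp* rw,` still carry no `owner` qualifier, and `tmp*` matches any name with that prefix in a world-writable directory, so a root-running ufw can be steered onto a file another local user pre-created there. Python's tempfile module, which ufw presumably relies on for these files, names them `tmp` followed by eight random characters, so `owner /tmp/tmp@{rand8} rw,` and `owner /var/tmp/tmp@{rand8} rw,` would be both exact and safer; the bare `/tmp/@{rand8} rw,` entries would benefit from `owner` as well. fs.protected_symlinks limits the practical exposure on most distributions, but the profile should not depend on a sysctl for that.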
diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw
index add5865ef..55437c180 100644
--- a/apparmor.d/profiles-s-z/ufw
+++ b/apparmor.d/profiles-s-z/ufw
@@ -8,8 +8,9 @@ include
 @{exec_path} = @{bin}/ufw
 profile ufw @{exec_path} {
- include
+ include
+ include
 capability dac_read_search,
 capability net_admin,
@@ -21,34 +22,28 @@ profile ufw @{exec_path} {
 @{exec_path} mr,
 @{bin}/ r,
- @{bin}/python3* ix,
+ @{bin}/env r,
+ @{bin}/python3.@{int} ix,
 @{bin}/cat ix,
 @{bin}/xtables-nft-multi ix,
 @{lib}/ufw/ufw-init ix,
- @{PROC}/@{pid}/stat r,
- @{PROC}/@{pid}/fd/ r,
- @{PROC}/@{pid}/net/ip_tables_names r,
-
- owner @{bin}/env r,
-
 /etc/ufw/{,**} rwk,
 /etc/default/ufw r,
- /run/ufw.lock wk,
-
- /etc/gai.conf r,
- /etc/nsswitch.conf r,
- /etc/passwd r,
- /etc/services r,
+ @{run}/ufw.lock rwk,
 /var/tmp/@{rand8} rw,
 /var/tmp/tmp* rw,
 /tmp/@{rand8} rw,
 /tmp/tmp* rw,
+ @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/@{pid}/net/ip_tables_names r,
 /dev/pts/[0-9]* rw,
 /dev/tty rw,
From 1f83ca358e22ee55ec2f7defe8dcfd6b4e815e62 Mon Sep 17 00:00:00 2001 From: EliasTheGrandMasterOfMistakes Date: Mon, 26 Aug 2024 17:22:55 -0300 Subject: [PATCH 035/315] gnome-shell: Integrate nm-openvpn-auth-dialog on gnome-shell VPNs that uses gnome authentication like ProtonVPN depends of gnome-shell acess nm-openvpn-auth-dialog Co-authored-by: Alexandre Pujol --- apparmor.d/groups/gnome/gnome-shell | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index 0e68c90a9..c76b81abe 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
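Review bot: In the second hunk `@{PROC}/@{pid}/stat r,` and `@{PROC}/@{pid}/fd/ r,` are moved but still not `owner`-qualified, so `@{pid}` lets ufw read the stat and fd listing of every process on the host rather than only its own; `owner @{PROC}/@{pid}/stat r,` and `owner @{PROC}/@{pid}/fd/ r,` is the form used elsewhere in this series (the xdg-desktop-portal-hyprland profile writes `owner @{PROC}/@{pid}/cmdline r,`). Likewise `/dev/pts/[0-9]* rw,` could use the project's `@{int}` variable, as `@{bin}/python3.@{int} ix,` in the same hunk already does. The enclosing profile continues outside the hunk.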
@@ -187,7 +187,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 @{sh_path} rCx -> shell,
 @{lib}/gio-launch-desktop rCx -> open,
 @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
-
+
+ # nm-openvpn-auth-dialog
+ @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,
+
 @{user_share_dirs}/gnome-shell/extensions/*/** rPUx,
 /usr/share/gnome-shell/extensions/*/** rPUx,
From 04898e20f96e94e014e8c9edae74831c12dfe8a0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 28 Aug 2024 19:48:01 +0100 Subject: [PATCH 036/315] fix: conflicting x modifiers. --- apparmor.d/groups/virt/cockpit-bridge | 1 - 1 file changed, 1 deletion(-)
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index 0a6ae6246..3da2c19ea 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@@ -9,7 +9,6 @@ include
 @{exec_path} = @{bin}/cockpit-bridge
 profile cockpit-bridge @{exec_path} {
 include
- include
 include
 include
 include
From a1eaf58427d7485227edba2aaaad99e318824ec8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 29 Aug 2024 19:05:37 +0100 Subject: [PATCH 037/315] feat(profile): minor update. --- apparmor.d/groups/cron/crontab | 2 ++ apparmor.d/groups/gpg/scdaemon | 1 + apparmor.d/profiles-m-r/pinentry | 1 + 3 files changed, 4 insertions(+)
diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab
index 82d3c543f..c5aaf5546 100644
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@@ -29,7 +29,9 @@ profile crontab @{exec_path} {
 @{bin}/nvim rCx -> editor,
 /etc/cron.{allow,deny} r,
+ /etc/environment r,
 /etc/pam.d/* r,
+ /etc/security/*.conf r,
 /var/spool/cron/ r,
 /var/spool/cron/crontabs/ rw,
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index eeb1a618e..92be0bdcc 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
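Review bot: `@{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx,` transitions into a profile named nm-openvpn-auth-dialog, and no such profile is added or referenced by this patch; if it is absent on a host the exec is refused outright, since `Px` has no fallback, which turns a working VPN password prompt into a hard failure. Either confirm that the project ships a profile by that name, or use `rPUx` as the two extension rules directly below do so that a missing profile degrades to unconfined rather than denial. The enclosing gnome-shell profile continues outside the hunk.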
@@ -20,6 +20,7 @@ profile scdaemon @{exec_path} {
 @{exec_path} mr,
 owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r,
+ owner @{HOME}/@{XDG_GPG_DIR}common.conf r,
 owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw,
 owner @{run}/user/@{uid}/gnupg/S.scdaemon rw,
diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry
index c30bc5def..c466f05aa 100644
--- a/apparmor.d/profiles-m-r/pinentry
+++ b/apparmor.d/profiles-m-r/pinentry
@@ -15,6 +15,7 @@ profile pinentry @{exec_path} {
 @{bin}/pinentry-* rPx,
 @{sh_path} rix,
+ @{bin}/ldd rix,
 /etc/pinentry/preexec r,
From 21bef5a0420f3c26d0680fcdbfcb023f38fde820 Mon Sep 17 00:00:00 2001 From: odomingao Date: Thu, 22 Aug 2024 11:17:07 -0300 Subject: [PATCH 038/315] Create xdg-desktop-portal-hyprland --- .../freedesktop/xdg-desktop-portal-hyprland | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland
new file mode 100644
index 000000000..460523d19
--- /dev/null
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland
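Review bot: The new rule `owner @{HOME}/@{XDG_GPG_DIR}common.conf r,` is missing the `/` between the directory variable and the file name, unlike `@{XDG_GPG_DIR}/scdaemon.conf` and `@{XDG_GPG_DIR}/reader_@{int}.status` on the lines around it; as written it matches a sibling of the GnuPG directory (something like `~/.gnupgcommon.conf`) while the intended `~/.gnupg/common.conf` stays denied. It should read `owner @{HOME}/@{XDG_GPG_DIR}/common.conf r,`.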
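Review bot: `@{bin}/ldd rix,` in the pinentry hunk comes without a comment saying which pinentry flavour or hook invokes ldd, and the `ix` keeps that dynamic-loader run inside pinentry's profile, so a later reader cannot tell whether this is expected behaviour or a workaround for a specific packaging. A one-line comment above the rule naming the caller and purpose, e.g. `# ldd: run by [caller] to [purpose]`, would let the grant be audited; if the caller is `/etc/pinentry/preexec`, which is read two lines below, saying so is enough. The enclosing profile continues outside the hunk.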
@@ -0,0 +1,40 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/xdg-desktop-portal-hyprland
+profile xdg-desktop-portal-hyprland @{exec_path} {
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+ include
+
+ @{exec_path} mr,
+
+ @{sh_path} ix,
+ @{bin}/hyprland-share-picker rix,
+ @{bin}/slurp rix,
+
+ owner /tmp/hypr/ rw,
+ owner /tmp/hypr/\#@{int} rwkl,
+ owner /tmp/hypr/hyprland-share-picker.conf* rwkl,
+
+ /sys/devices/virtual/dmi/id/bios_vendor r,
+ /sys/devices/virtual/dmi/id/board_vendor r,
+ /sys/devices/virtual/dmi/id/product_name r,
+ /sys/devices/virtual/dmi/id/sys_vendor r,
+
+ owner @{PROC}/@{pid}/cmdline r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 75fba4c6c77919cd688528d481b18a93411530ff Mon Sep 17 00:00:00 2001 From: odomingao Date: Thu, 22 Aug 2024 11:22:46 -0300 Subject: [PATCH 039/315] Update xdg-desktop-portal --- apparmor.d/groups/freedesktop/xdg-desktop-portal | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal
index 59ef5a734..702b0088d 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@@ -78,7 +78,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 /var/lib/gdm{,3}/greeter-dconf-defaults r,
- @{user_config_dirs}/kioslaverc r,
+ owner @{user_config_dirs}/xdg-desktop-portal/* r,
+ @{user_config_dirs}/kioslaverc r,
 owner @{tmp}/icon* rw,
From a224adc42e5582acc1bfbfe02b8962f1bb6a3a21 Mon Sep 17 00:00:00 2001 From: odomingao Date: Thu, 22 Aug 2024 21:37:26 -0300 Subject: [PATCH 040/315] Update xdg-desktop-portal-hyprland --- apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)
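Review bot: The new hyprland portal profile hard-codes `/tmp/hypr/` and `/sys/devices/virtual/dmi/id/...` while the other profiles in this series go through the project's path variables (the xdg-desktop-portal hunk on the same line writes `owner @{tmp}/icon* rw,`), so `owner @{tmp}/hypr/ rw,` and `@{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r,` would follow convention and keep working with a relocated tmp; whether `@{sys}` is defined in this project's tunables is not visible here and should be checked. Separately, `@{sh_path} ix,` lacks the read bit that the two exec rules below it (`rix`) and the pinentry hunk's `@{sh_path} rix,` carry, so the interpreter may be executable but not readable under this profile.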
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland
index 460523d19..73e8e734a 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland
@@ -9,11 +9,9 @@ include
 @{exec_path} = @{lib}/xdg-desktop-portal-hyprland
 profile xdg-desktop-portal-hyprland @{exec_path} {
 include
- include
 include
 include
 include
- include
 include
 include
@@ -21,6 +19,7 @@ profile xdg-desktop-portal-hyprland @{exec_path} {
 @{sh_path} ix,
 @{bin}/hyprland-share-picker rix,
+ @{bin}/sleep rix,
 @{bin}/slurp rix,
 owner /tmp/hypr/ rw,
From fe327207656467ff8ddac1b9ea2fac7f5cee9f77 Mon Sep 17 00:00:00 2001 From: Nishit Majithia Date: Fri, 30 Aug 2024 22:26:04 +0530 Subject: [PATCH 041/315] socat: add apparmor profile (#454) * socat: add apparmor profile Signed-off-by: Nishit Majithia * socat: update profile - Follow profile guideline - Change copyright texts - Update to use abi 3.0 - Use `ssl_certs` and `console` abstractions instead of explicit rules Signed-off-by: Nishit Majithia * socat: minor fix in the profile - Use @{bin} - Allow executable mapping and read for the binary Signed-off-by: Nishit Majithia --------- Signed-off-by: Nishit Majithia --- apparmor.d/groups/network/socat | 49 +++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 apparmor.d/groups/network/socat
diff --git a/apparmor.d/groups/network/socat b/apparmor.d/groups/network/socat
new file mode 100644
index 000000000..df5e874d1
--- /dev/null
+++ b/apparmor.d/groups/network/socat
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Nishit Majithia (nishitm)
+# SPDX-License-Identifier: GPL-2.0-only
+# vim: ft=apparmor
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/socat
+profile socat @{exec_path} {
+ include
+ include
+ include
+ include
+
+ capability dac_read_search,
+ capability dac_override,
+ capability net_raw,
+ capability net_admin,
+ capability sys_module,
+ capability sys_admin,
+ capability fsetid,
+ capability chown,
+ capability net_bind_service,
+ capability sys_resource,
+
+ # Allow creation of network sockets and `socat` uses dccp for some
+ # fuctionalities that is why it is necessary to allow whole `network`
+ network,
+
+ @{exec_path} mr,
+
+ # Enale /dev/ptmx access for testsuite
+ # /dev/ptmx rw,
+
+ # TUN/TAP device
+ /dev/net/tun rw,
+
+ # Process-specific access
+ @{PROC}/@{pid}/fdinfo/@{int} rw,
+ @{PROC}/@{pid}/stat r,
+
+ # For bi-directional communication between vms and host/hypervisor
+ /dev/vsock r,
+
+ # Site-specific additions and overrides. See local/README for details.
+ include if exists
+}
From fb29e8ba74aa9712b5b06c20e935a7f4cd208b8c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 30 Aug 2024 20:38:30 +0100 Subject: [PATCH 042/315] doc: general update. --- README.md | 16 +-- docs/development/dbus.md | 8 ++ docs/development/guidelines.md | 19 ++- docs/development/index.md | 2 +- docs/development/install.md | 47 ++++--- docs/development/structure.md | 41 ++---- docs/enforce.md | 68 ++++++---- docs/full-system-policy.md | 62 +++++---- docs/index.md | 19 +-- docs/install.md | 227 +++++++++++++++++++++------------ docs/report.md | 40 ++++-- docs/usage.md | 4 +- docs/variables.md | 13 +- mkdocs.yml | 7 +- 14 files changed, 350 insertions(+), 223 deletions(-)
diff --git a/README.md b/README.md
index ae9899b70..7aed183da 100644
--- a/README.md
+++ b/README.md
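Review bot: `capability sys_admin,`, `capability sys_module,` and `capability dac_override,` together with the unrestricted `network,` rule leave this profile only nominally confining a root socat, and the hunk documents only the `network,` line (dccp); sys_module in particular has no obvious use for a relay tool and may merely reflect a denial logged when a socket family's kernel module was auto-loaded, which is worth verifying before granting it. Each of these capabilities should carry a comment naming the socat feature or observed denial that requires it, e.g. `capability sys_admin, # needed for [socat option]`, and any without such a justification should be dropped until a denial is actually seen, since the `local/` include exists for site-specific additions. Also `@{PROC}/@{pid}/fdinfo/@{int} rw,` is not `owner`-qualified, so it covers every process's fdinfo; `owner @{PROC}/@{pid}/fdinfo/@{int} rw,` is the usual form. The comments also misspell "Enable" and "functionalities".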
@@ -27,15 +27,15 @@ - Target both desktops and servers - Support all distributions that support AppArmor: - * Arch Linux - * Ubuntu 22.04 - * Debian 12 - * OpenSUSE Tumbleweed + * [Arch Linux](https://apparmor.pujol.io/install#archlinux) + * [Ubuntu 24.04/22.04](https://apparmor.pujol.io/install#ubuntu) + * [Debian 12](https://apparmor.pujol.io/install#debian) + * [OpenSUSE Tumbleweed](https://apparmor.pujol.io/install#opensuse) - Support for all major desktop environments: - * Gnome - * KDE - * XFCE *(work in progress)* -- Fully tested (Work in progress) + * Gnome (GDM) + * KDE (SDDM) + * XFCE (Lightdm) *(work in progress)* +- Fully tested *(work in progress)* > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments. diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 98b46501c..c8efda0c5 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md @@ -26,6 +26,14 @@ Access to common dbus interfaces is done using the abstractions under **[`abstra For more access, simply use the [`aa:dbus talk`](#dbus-directive) directive. +There is a trade of between security and maintenance to make: + +- `aa:dbus talk` will generate less issue as it give full talk access +- `abstractions/bus/*` will provide more restriction, and possibly more issue. + +Ideally, these rules should be automatically generated from either the dbus interface documentation or the program call. + + ## Dbus Directive We use a special [directive](directives.md) to generate more advanced dbus access. The directive format is on purpose very similar to the AppArmor dbus rule. diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index b359576aa..3d83fea5f 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md 
@@ -78,7 +78,7 @@ The file block should be sorted as follows: The dbus block should be sorted as follows: - The system bus should be sorted *before* the session bus -- The bind rules should be sorted *after* the send & receive rules +- The bind rules should be sorted *after* send & receive rules For DBus, try to determine peer's label when possible. E.g.: ``` @@ -115,6 +115,23 @@ If there is no predictable label it can be omitted. /var/lib/dbus/machine-id r, ``` +#### :material-numeric-5-circle: Limit the use of `deny` + +: The use of `deny` should be limited to the minimum: + + - In MAC policies, we only allow access ([Rule :material-numeric-1-circle:](index.md#rule-mandatory-access-control "Mandatory Access Control")) + - `deny` rules are enforced even in complain mode, + - If it works on your machine does not mean it will work on others ([Rule :material-numeric-4-circle:](index.md#rule-distribution-and-devices-agnostic "Distribution and devices agnostic")). + +#### :material-numeric-6-circle: Comments + +: Ensure you only have useful comments. E.g.: + ``` + # Config files for foo + owner @{user_config_dirs}/foo/{,**} r, + ``` + Does not help, and if generalized it would add a lot of complexity to any profiles. + ## Additional recommended documentation diff --git a/docs/development/index.md b/docs/development/index.md index c12226a7a..c68745e26 100644 --- a/docs/development/index.md +++ b/docs/development/index.md @@ -70,7 +70,7 @@ If you're looking to contribute to `apparmor.d` you can get started by going to Here is the bare minimum for the program `foo`: ``` sh # apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023 You +# Copyright (C) 2024 You # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/docs/development/install.md b/docs/development/install.md index 74271c13c..6b1f47581 100644 --- a/docs/development/install.md +++ b/docs/development/install.md 
@@ -11,28 +11,39 @@ title: Installation See `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`. -**:material-docker: Docker** +=== ":material-arch: Archlinux" -For any system with docker installed you can simply build the package with: -```sh -make package dist= -``` -Then you can install the package with `dpkg`, `pacman` or `rpm`. + ```sh + make pkg + ``` -**:material-arch: Arch Linux** -```sh -make pkg -``` +=== ":material-ubuntu: Ubuntu" -**:material-ubuntu: Ubuntu & :material-debian: Debian** -```sh -make dpkg -``` + ```sh + make dpkg + ``` -**:simple-suse: openSUSE** -```sh -make rpm -``` +=== ":material-debian: Debian" + + ```sh + make dpkg + ``` + +=== ":simple-suse: openSUSE" + + ```sh + make rpm + ``` + +=== ":material-docker: Docker" + + For any system with docker installed you can simply build the package with: + + ```sh + make package dist= + ``` + + Then you can install the package with `dpkg`, `pacman` or `rpm`. ## Profile flags diff --git a/docs/development/structure.md b/docs/development/structure.md index 0035b6c90..c6b82e29f 100644 --- a/docs/development/structure.md +++ b/docs/development/structure.md @@ -9,7 +9,7 @@ Description of common structure found across various AppArmor profiles Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why. -These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theater. +These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theatre. It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule: ```sh 
@@ -76,20 +76,17 @@ You do not protect these programs. *Protect the usage you have of these programs [Toolbox]: https://containertoolbx.org/ +## Open Resources -## Abstractions +The standard way to allow opening resource in this project is to use one of the +child-open profile. Eg: `@{open_path} rPx -> child-open,` -This project and the apparmor-profiles official project provide a large selection of abstractions to be included in profiles. They should be used. +They are available in the [`children`][children] group. -For instance, to allow download directory access, instead of writing: -```sh -owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw, -``` - -You should write: -```sh -include -``` +* **`child-open`**: Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. +* **`child-open-browsers`**: This version of child-open only allow to open browsers. +* **`child-open-help`**: This version of child-open only allow to open browsers and help programs. +* **`child-open-strict`**: This version of child-open only allow to open browsers & folders. ## Children profiles 
@@ -104,31 +101,11 @@ Usually, a child profile is in the [`children`][children] group. They have the f Here is an overview of the current children profile: -1. **`child-open`**: To open resources. Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. - 2. **`child-pager`**: Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. 3. **`child-systemctl`**: Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you. -## Browsers - -Chromium based browsers share a similar structure. Therefore, they share the same abstraction: [`abstractions/chromium`][chromium] that includes most of the profile content. - -This abstraction requires the following variables defined in the profile header: -```sh -@{name} = chromium -@{domain} = org.chromium.Chromium -@{lib_dirs} = @{lib}/chromium -@{config_dirs} = @{user_config_dirs}/chromium -@{cache_dirs} = @{user_cache_dirs}/chromium -``` - -If your application requires chromium to run (like electron) use [`abstractions/chromium-common`][chromium-common] instead. - -[chromium]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium -[chromium-common]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/abstractions/chromium-common - ## Udev rules See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`. diff --git a/docs/enforce.md b/docs/enforce.md index 52241859e..692cbd1e3 100644 --- a/docs/enforce.md +++ b/docs/enforce.md 
@@ -4,37 +4,59 @@ title: Enforce Mode The default package configuration installs all profiles in *complain* mode. This is a safety measure to ensure you are not going to break your system on initial installation. Once you have tested it, and it works fine, you can easily switch to *enforce* mode. The profiles that are not considered stable are kept in complain mode, they can be tracked in the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. -!!! warning +!!! danger - - Please test in complain mode first and ensure your system boots! - - When reporting an issue, please ensure the affected profiles are in complain mode. + - You **must** test in complain mode first and ensure your system works as expected. + - You **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log) and [report](report.md) issues first. + - When reporting an issue, you **must** ensure the affected profiles are in complain mode. -#### :material-arch: Arch Linux +=== ":material-arch: Archlinux" -In `PKGBUILD`, replace `make` by `make enforce`: -```diff -- make DISTRIBUTION=arch -+ make enforce DISTRIBUTION=arch -``` + In the `PKGBUILD`, replace `make` by `make enforce`: -#### :material-ubuntu: Ubuntu & :material-debian: Debian + ```diff + - make DISTRIBUTION=arch + + make enforce DISTRIBUTION=arch + ``` -In `debian/rules`, add the following lines: + Then, build the package with: `make pkg` -```make -override_dh_auto_build: - make enforce -``` +=== ":material-ubuntu: Ubuntu" -#### :simple-suse: openSUSE + In `debian/rules`, add the following lines: -In `dists/apparmor.d.spec`, replace `%make_build` by `make enforce` -```diff -- %make_build -+ %make_build enforce -``` + ```make + override_dh_auto_build: + make enforce + ``` -#### Partial install + Then, build the package with: `make dpkg` -Use the `make enforce` command to build instead of `make` +=== ":material-debian: Debian" + + In `debian/rules`, add the following lines: + + ```make + 
override_dh_auto_build: + make enforce + ``` + + Then, build the package with: `make dpkg` + +=== ":simple-suse: openSUSE" + + In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build enforce` + + ```diff + - %make_build + + %make_build enforce + ``` + + Then, build the package with: `make rpm` + +=== ":material-home: Partial Install" + + Use the `make enforce` command to build instead of `make` + +[aur]: https://aur.archlinux.org/packages/apparmor.d-git diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index 2b9f57454..d37cf3071 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -31,7 +31,7 @@ Particularly: - In FSP mode, all sandbox managers **must** have a profile. Then user sandboxed applications (flatpak, snap, etc) will work as expected. -## Install +## Installation This feature is only enabled when the project is built with `make full`. [Early policy](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorInSystemd#early-policy-loads) load **must** also be enabled. Once `apparmor.d` has been installed in FSP mode, it is required to reboot to apply the changes. 
@@ -43,35 +43,53 @@ cache-loc /etc/apparmor/earlypolicy/ Optimize=compress-fast ``` -**:material-arch: Arch Linux** +=== ":material-arch: Archlinux" -In `PKGBUILD`, replace `make` by `make full`: -```diff -- make -+ make full -``` + In `PKGBUILD`, replace `make` by `make full`: -**:material-ubuntu: Ubuntu & :material-debian: Debian** + ```diff + - make + + make full + ``` -In `debian/rules`, add the following lines: + Then, build the package with: `make pkg` -```make -override_dh_auto_build: - make full -``` +=== ":material-ubuntu: Ubuntu" -**:simple-suse: openSUSE** + In `debian/rules`, add the following lines: -In `dists/apparmor.d.spec`, replace `%make_build` by `make full` -```diff -- %make_build -+ %make_build full -``` + ```make + override_dh_auto_build: + make full + ``` -**Partial install** + Then, build the package with: `make dpkg` -Use the `make full` command to build instead of `make` +=== ":material-debian: Debian" + + In `debian/rules`, add the following lines: + ```make + override_dh_auto_build: + make full + ``` + + Then, build the package with: `make dpkg` + +=== ":simple-suse: openSUSE" + + In `dists/apparmor.d.spec`, replace `%make_build` by `%make_build full` + + ```diff + - %make_build + + %make_build full + ``` + + Then, build the package with: `make rpm` + +=== ":material-home: Partial Install" + + Use the `make full` command to build instead of `make` ## Structure 
@@ -113,7 +131,7 @@ To work as intended, userland services started by `systemd --user` **should** ha !!! info - To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: + To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](development/structure.md#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: ``` @{lib}/foo rPx -> systemd//&foo, ``` diff --git a/docs/index.md b/docs/index.md index 3a9381ccd..b57bae7a3 100644 --- a/docs/index.md +++ b/docs/index.md @@ -2,13 +2,7 @@ title: AppArmor.d --- - + **Full set of AppArmor profiles** @@ -34,13 +28,14 @@ See the [Concepts](concepts.md)' page for more detail on the architecture. - Target both desktops and servers - Support for all distributions that support AppArmor: * [:material-arch: Arch Linux](install.md#archlinux) - * [:material-ubuntu: Ubuntu 22.04](install.md#ubuntu-debian) - * [:material-debian: Debian 12](install.md#ubuntu-debian) + * [:material-ubuntu: Ubuntu 24.04/22.04](install.md#ubuntu) + * [:material-debian: Debian 12](install.md#debian) * [:simple-suse: openSUSE Tumbleweed](install.md#opensuse) - Support for all major desktop environments: - - [x] :material-gnome: Gnome - - [ ] :simple-kde: KDE *(work in progress)* -- Fully tested (Work in progress) + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- Fully tested *(work in progress)* **Presentations** diff --git a/docs/install.md b/docs/install.md index c08072343..5afac9c77 100644 --- a/docs/install.md 
+++ b/docs/install.md @@ -2,15 +2,23 @@ title: Installation --- -!!! warning - - To prevent the risk of breaking your system, the default package configuration installs all profiles in complain mode. They can be enforced later. See the [Enforce Mode](enforce.md) page. - - After installation, you **must** regularly check AppArmor log with [`aa-log`](usage.md#apparmor-log). You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions). +## Setup !!! danger - Do **not** expect this project to work correctly if your Desktop Environment and Display Manager are not supported. Your Desktop Environment or Display Manager might not load, and that would be a feature. + Do **not** expect this project to work correctly on your desktop if your Desktop Environment (DE) and Display Manager (DM) are not supported. Your DE/DM might not load, and that would be a **feature**. + +Due to the development stage of this project, the default package configuration installs all profiles in **complain** mode. The recommended installation workflow is as-follow: + +1. [Install](#installation) *apparmor.d* in the (default) complain mode. +1. Configure [apparmor settings](configuration.md#apparmor) as well as your [personal directories](configuration.md#personal-directories). +1. Ensure you have reloaded the profiles in the kernel: `sudo systemctl restart apparmor.service`. +1. Reboot your system. +1. You **must** check for any AppArmor logs with [`aa-log`](usage.md#apparmor-log). +1. [Report](https://apparmor.pujol.io/report/) any raised logs. +1. Use the profiles in complain mode for a while (a week), regularly check for new AppArmor logs. +1. Only if there are no logs raised for your daily usage, install it in [enforce mode](enforce.md). + ## Requirements 
@@ -22,105 +30,156 @@ An `AppArmor` supported Linux distribution is required. The default profiles and The following desktop environments are supported: - - [x] :material-gnome: Gnome - - [x] :simple-kde: KDE - - [ ] :simple-xfce: XFCE *(work in progress)* + - [x] :material-gnome: Gnome (GDM) + - [x] :simple-kde: KDE (SDDM) + - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* **Build dependency** -* Go >= 1.18 - -## :material-arch: Arch Linux - -`apparmor.d-git` is available in the [Arch User Repository][aur]: -``` -yay -S apparmor.d-git # or your preferred AUR install method -``` - -Or without an AUR helper: -```sh -git clone https://aur.archlinux.org/apparmor.d-git.git -cd apparmor.d-git -makepkg -si -``` +* Go >= 1.21 -## :material-ubuntu: Ubuntu & :material-debian: Debian +## Installation -Build the package from sources: -```sh -sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git -git clone https://github.com/roddhjav/apparmor.d.git -cd apparmor.d -dpkg-buildpackage -b -d --no-sign -sudo dpkg -i ../apparmor.d_*.deb -``` +=== ":material-arch: Archlinux" -!!! tip + `apparmor.d-git` is available in the [Arch User Repository][aur]: - If you have `devscripts` installed, you can use the one liner: ```sh - make dpkg + yay -S apparmor.d-git # or your preferred AUR install method ``` -!!! note + Or without an AUR helper: - Debian user may need golang from the backports repository to build: ```sh - echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list - sudo apt update - sudo apt install -t bookworm-backports golang-go + git clone https://aur.archlinux.org/apparmor.d-git.git + cd apparmor.d-git + makepkg -si ``` -!!! warning +=== ":material-ubuntu: Ubuntu" - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. 
+ Build the package from sources: - If your distribution is based on Ubuntu or Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian` if is Debian based, or `DISTRIBUTION=ubuntu` if it is Ubuntu based. - -## :simple-suse: openSUSE - -openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS -```sh -zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo -zypper refresh -zypper install apparmor.d -``` - - -## Partial install - -For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. - -```sh -make -sudo make profile-names... -``` - -!!! warning - - Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) - - For instance, `sudo make pass` gives: ```sh - Warning: profile dependencies fallback to unconfined. - @{bin}/wl-{copy,paste} rPx, - @{bin}/xclip rPx, - @{bin}/python3.@{int} rPx -> pass-import, # pass-import - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' + sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git + git clone https://github.com/roddhjav/apparmor.d.git + cd apparmor.d + dpkg-buildpackage -b -d --no-sign + sudo dpkg -i ../apparmor.d_*.deb ``` - So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. + + !!! tip + + If you have `devscripts` installed, you can use the one liner: + + ```sh + make dpkg + ``` + + !!! 
warning + + **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + + If your distribution is based on Ubuntu, you may want to manually set the target distribution by exporting `DISTRIBUTION=ubuntu`. + +=== ":material-debian: Debian" + + Build the package from sources: + + ```sh + sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git + git clone https://github.com/roddhjav/apparmor.d.git + cd apparmor.d + dpkg-buildpackage -b -d --no-sign + sudo dpkg -i ../apparmor.d_*.deb + ``` + + !!! tip + + If you have `devscripts` installed, you can use the one liner: + + ```sh + make dpkg + ``` + + !!! note + + You may need golang from the backports repository to build: + + ```sh + echo 'deb http://deb.debian.org/debian bookworm-backports main contrib non-free' | sudo tee -a /etc/apt/sources.list + sudo apt update + sudo apt install -t bookworm-backports golang-go + ``` + + !!! warning + + **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + + If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. + +=== ":simple-suse: openSUSE" + + openSUSE users need to add [cboltz](https://en.opensuse.org/User:Cboltz) repo on OBS: + + ```sh + zypper addrepo https://download.opensuse.org/repositories/home:cboltz/openSUSE_Factory/home:cboltz.repo + zypper refresh + zypper install apparmor.d + ``` + +=== ":material-home: Partial" + + For test purposes, you can install specific profiles with the following commands. Abstractions, tunable, and most of the OS dependent post-processing is managed. + + ```sh + make + sudo make profile-names... + ``` + + !!! warning + + Partial installation is discouraged because profile dependencies are not fetched. To prevent some AppArmor issues, the dependencies are automatically switched to unconfined (`rPx` -> `rPUx`). 
The installation process warns on the missing profiles so that you can easily install them if desired. (PR is welcome see [#77](https://github.com/roddhjav/apparmor.d/issues/77)) + + For instance, `sudo make pass` gives: + ```sh + Warning: profile dependencies fallback to unconfined. + @{bin}/wl-{copy,paste} rPx, + @{bin}/xclip rPx, + @{bin}/python3.@{int} rPx -> pass-import, # pass-import + @{bin}/pager rPx -> child-pager, + @{bin}/less rPx -> child-pager, + @{bin}/more rPx -> child-pager, + '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' + ``` + So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. -## Uninstall +## Uninstallation -- :material-arch: Arch Linux `sudo pacman -R apparmor.d` -- :material-ubuntu: Ubuntu & :material-debian: Debian `sudo apt purge apparmor.d` -- :simple-suse: openSUSE `sudo zypper remove apparmor.d` +=== ":material-arch: Archlinux" + + ```sh + sudo pacman -R apparmor.d + ``` + +=== ":material-ubuntu: Ubuntu" + + ```sh + sudo apt purge apparmor.d + ``` + +=== ":material-debian: Debian" + + ```sh + sudo apt purge apparmor.d + ``` + +=== ":simple-suse: openSUSE" + + ```sh + sudo zypper remove apparmor.d + ``` [aur]: https://aur.archlinux.org/packages/apparmor.d-git -[repo]: https://repo.pujol.io/ -[keys]: https://repo.pujol.io/gpgkey diff --git a/docs/report.md b/docs/report.md index e13ac9e9f..e82d4e9e7 100644 --- a/docs/report.md +++ b/docs/report.md 
@@ -11,25 +11,39 @@ When creating [an issue on Github][newissue], please post a link to the [paste] aa-log -R ``` -If this command produce nothing, try: +??? question "No logs with `aa-log`?" + + If the log file is empty, check that Auditd is running: + + ```sh + sudo systemctl status auditd.service + ``` + + If Auditd is disabled aa-log will not have new results, you can enable Auditd with: + + ```sh + sudo systemctl enable auditd.service --now + ``` + +If this command produces nothing, use `-s` to provide all logs since boot time (provided that `journalctl` collected them): ```sh aa-log -s -R ``` -If the log file is empty, check that Auditd is running: +??? question "No logs with `aa-log -s`?" + + On certain distributions/configurations, AppArmor logs in journal could be taken over by *auditd* when it is installed. To overcome this, `systemd-journald-audit.socket` could be enabled: + + ```sh + sudo systemctl enable systemd-journald-audit.socket + ``` + +You can get older logs with: + ```sh -sudo systemctl status auditd.service +aa-log -R -f ``` - -If Auditd is disabled aa-log will not have new results, you can enable Auditd by doing the following command: -```sh -sudo systemctl enable auditd.service --now -``` - -You can get more logs with: - -1. `aa-log -R -s` that will provide all apparmor logs since boot time (if journalctl collect them) -2. `aa-log -R -f ` where `` is `1`, `2`, `3` and `4` (the rotated audit log file) +Where `` is `1`, `2`, `3` and `4` (the rotated audit log file). [newissue]: https://github.com/roddhjav/apparmor.d/issues/new [paste]: https://pastebin.com/ diff --git a/docs/usage.md b/docs/usage.md index 70eaaa292..9690733b1 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -76,9 +76,9 @@ ps (complain) user ps auxZ ## AppArmor Log -Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colorful way. +Ensure that `Auditd` is installed and running on your system in order to read AppArmor log from `/var/log/audit/audit.log`. Then you can see the log with the provided command `aa-log` allowing you to review AppArmor generated messages in a colourful way. -Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. +Other AppArmor userspace tools such as `aa-enforce`, `aa-complain`, and `aa-logprof` should work as expected. You can also configure [a desktop notification on denied actions](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions). ### Basic use diff --git a/docs/variables.md b/docs/variables.md index a70358263..b45df411f 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -26,9 +26,10 @@ title: Variables References | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | | Sync | `@{XDG_SYNC_DIR}` | `Sync` | | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | -| Vm | `@{XDG_VM_DIR}` | `.vm` -| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` +| Vm | `@{XDG_VM_DIR}` | `.vm` | +| Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | | Disk images | `@{XDG_IMG_DIR}` | `images` | +| Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | ### Dotfiles @@ -56,7 +57,7 @@ title: Variables References | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | -| Build | `@{user_build_dirs}` | `/tmp/` | +| Build | `@{user_build_dirs}` | `/tmp//build/` | | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | | Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` | 
@@ -80,9 +81,9 @@ title: Variables References | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` | | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | -| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` -| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` -| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | +| Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | +| Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | +| Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | ## System variables diff --git a/mkdocs.yml b/mkdocs.yml index d72fd86b7..67d8cc5a8 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -43,8 +43,10 @@ theme: - content.action.edit - content.code.annotate - content.code.copy + - content.tabs.link - content.tooltips - navigation.indexes + - navigation.instant - navigation.sections - navigation.tabs - navigation.top @@ -118,6 +120,9 @@ markdown_extensions: format: !!python/name:pymdownx.superfences.fence_code_format - pymdownx.tabbed: alternate_style: true + slugify: !!python/object/apply:pymdownx.slugs.slugify + kwds: + case: lower - pymdownx.tasklist: custom_checkbox: true @@ -130,13 +135,13 @@ nav: - install.md - configuration.md - usage.md + - report.md - Advanced: - variables.md - enforce.md - full-system-policy.md - Troubleshooting: - issues.md - - report.md - recovery.md - Development: - development/index.md From aa4f4de6dd0dbc5d46f095a988d3398bd326a743 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Sun, 1 Sep 2024 15:17:43 +0100
Subject: [PATCH 043/315] feat(abs): update mesa shader cache paths.
fix: #450 #451
---
 apparmor.d/abstractions/mesa.d/complete | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete
index 976b6cc47..85c647b43 100644
--- a/apparmor.d/abstractions/mesa.d/complete
+++ b/apparmor.d/abstractions/mesa.d/complete
@@ -13,4 +13,11 @@
 owner @{user_cache_dirs}/mesa_shader_cache/marker rw,
+ owner @{user_cache_dirs}/mesa_shader_cache_db/ w,
+ owner @{user_cache_dirs}/mesa_shader_cache_db/index rw,
+ owner @{user_cache_dirs}/mesa_shader_cache_db/marker rw,
+ owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw,
+ owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk,
+ owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk,
+
 # vim:syntax=apparmor
From 60e00f8c5352287face865d24fad584f8701b7ab Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 1 Sep 2024 15:22:05 +0100
Subject: [PATCH 044/315] fix(profile): zramctl doesn't show algorithm, data, compression, total, streams, mountpoint
fix #456
---
 apparmor.d/groups/systemd/zramctl | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/apparmor.d/groups/systemd/zramctl b/apparmor.d/groups/systemd/zramctl
index 0d1632924..289dc4f0f 100644
--- a/apparmor.d/groups/systemd/zramctl
+++ b/apparmor.d/groups/systemd/zramctl
@@ -14,7 +14,13 @@ profile zramctl @{exec_path} {
 @{exec_path} mr,
 @{sys}/devices/virtual/block/zram@{int}/ r,
+ @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r,
 @{sys}/devices/virtual/block/zram@{int}/disksize r,
+ @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r,
+ @{sys}/devices/virtual/block/zram@{int}/mm_stat r,
+
+ @{PROC}/swaps r,
+ owner @{PROC}/@{pid}/mounts r,
 /dev/ r,
 /dev/zram@{int} rw,
From 7e3c546e3dd311bb2a451a815a3d260c2cf2e906 Mon Sep 17 00:00:00 2001
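Review bot: The new directory rule `owner @{user_cache_dirs}/mesa_shader_cache_db/ w,` grants only write, while every other directory rule in the same hunk (`part@{int}/ rw`) and the existing `mesa_shader_cache/` entries grant `rw`; if Mesa opens or lists that directory the read side will be denied. The later hunk for the same file in PATCH 046 grants `owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw,`, which suggests `owner @{user_cache_dirs}/mesa_shader_cache_db/ rw,` is the intended rule here too. This is inferred from the neighbouring rules rather than from a denial, so confirm against an actual log before widening it.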
From: Alexandre Pujol
Date: Sun, 1 Sep 2024 15:25:43 +0100
Subject: [PATCH 045/315] fix(profile): xdg-mime mimetype path.
fix #455
---
 apparmor.d/groups/freedesktop/xdg-mime | 3 +++
 apparmor.d/profiles-m-r/mimetype | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime
index c279c41ad..1a217a2b6 100644
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@@ -35,6 +35,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 @{bin}/gio rPx,
 @{bin}/kbuildsycoca5 rPx,
 @{bin}/ktraderclient5 rPUx,
+ @{bin}/vendor_perl/mimetype rPx,
 @{bin}/mimetype rPx,
 @{bin}/xprop rPx,
@@ -47,6 +48,8 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 owner @{run}/user/@{uid}/ r,
+ owner /tmp/wl-copy-buffer-@{rand6}/stdin r,
+
 @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
 @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype
index da56703c3..d9e34f8b5 100644
--- a/apparmor.d/profiles-m-r/mimetype
+++ b/apparmor.d/profiles-m-r/mimetype
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{bin}/mimetype
+@{exec_path} = @{bin}/mimetype @{bin}/*_perl/mimetype
 profile mimetype @{exec_path} {
 include
 include
From 265e3928c118ca9341d9ecc4d2a2f71bede52be4 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 1 Sep 2024 20:13:51 +0100
Subject: [PATCH 046/315] feat(profile): mesa: mesa_shader_cache_db is often passed as fd.
---
 apparmor.d/abstractions/mesa.d/complete | 1 +
 apparmor.d/groups/browsers/chromium-wrapper | 1 +
 apparmor.d/groups/freedesktop/xkbcomp | 1 +
 apparmor.d/groups/gnome/gnome-shell | 1 +
 apparmor.d/profiles-s-z/terminator | 1 +
 5 files changed, 5 insertions(+)
diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete
index 85c647b43..0e437190f 100644
--- a/apparmor.d/abstractions/mesa.d/complete
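Review bot: The rule `owner /tmp/wl-copy-buffer-@{rand6}/stdin r,` in the second xdg-mime hunk hard-codes `/tmp` while the rest of the series uses the `@{tmp}` variable (for example `owner @{tmp}/chromiumargs.@{rand6} rw,` in the chromium-wrapper hunk of PATCH 047), so it will not match where `@{tmp}` resolves to a per-user directory; `owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r,` keeps it consistent with the set. Separately, the exec rule added in the first hunk permits only `@{bin}/vendor_perl/mimetype rPx,`, whereas the mimetype hunk in the same patch attaches the profile to `@{bin}/*_perl/mimetype`; if another `*_perl` layout exists, xdg-mime will be denied the exec even though the target profile would attach, so either widen this rule to the same glob or narrow the attachment to match.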
+++ b/apparmor.d/abstractions/mesa.d/complete
@@ -4,6 +4,7 @@
 # Extra Mesa rules for desktop environments
 owner @{desktop_cache_dirs}/ w,
+ owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache/ rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw,
 owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw,
diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper
index 0a5017727..4368d6b20 100644
--- a/apparmor.d/groups/browsers/chromium-wrapper
+++ b/apparmor.d/groups/browsers/chromium-wrapper
@@ -11,6 +11,7 @@ include
 profile chromium-wrapper @{exec_path} {
 include
 include
+ include
 @{exec_path} r,
diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp
index ef719d673..c055b9be2 100644
--- a/apparmor.d/groups/freedesktop/xkbcomp
+++ b/apparmor.d/groups/freedesktop/xkbcomp
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/xkbcomp
 profile xkbcomp @{exec_path} flags=(attach_disconnected) {
 include
+ include
 include
 unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index c76b81abe..d39c25b24 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -404,6 +404,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 profile open flags=(attach_disconnected,mediate_deleted,complain) {
 include
+ include
 network inet stream,
 network unix stream,
diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator
index 3f9ba6e25..3d6470dbc 100644
--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@@ -15,6 +15,7 @@ profile terminator @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
From b223e2eb8e9ba676c642a06833f577750cb0c496 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 1 Sep 2024 20:36:23 +0100
Subject: [PATCH 047/315] feat(profile): general update.
---
 apparmor.d/groups/browsers/chromium-wrapper | 3 --
 apparmor.d/groups/freedesktop/xdg-mime | 5 +--
 apparmor.d/groups/network/socat | 34 ++++++++----------
 apparmor.d/groups/ssh/ssh-agent | 5 +--
 apparmor.d/groups/systemd/systemd-hostnamed | 2 +-
 apparmor.d/groups/virt/cockpit-bridge | 39 ++++++++++++++++-----
 apparmor.d/groups/virt/cockpit-session | 5 +--
 apparmor.d/groups/virt/libvirtd | 8 ++---
 apparmor.d/groups/virt/qemu-bridge-helper | 35 ++++++++++++++++++
 apparmor.d/profiles-g-l/git | 3 --
 apparmor.d/profiles-s-z/smartd | 2 --
 apparmor.d/profiles-s-z/virt-manager | 8 ++---
 dists/flags/main.flags | 2 +-
 13 files changed, 98 insertions(+), 53 deletions(-)
 create mode 100644 apparmor.d/groups/virt/qemu-bridge-helper
diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper
index 4368d6b20..9300e46e7 100644
--- a/apparmor.d/groups/browsers/chromium-wrapper
+++ b/apparmor.d/groups/browsers/chromium-wrapper
@@ -40,11 +40,8 @@ profile chromium-wrapper @{exec_path} {
 owner @{HOME}/.xsession-errors w,
 owner @{tmp}/chromiumargs.@{rand6} rw,
- owner @{tmp}/tmp.*/ rw,
- owner @{tmp}/tmp.*/** rwk,
 owner /dev/tty@{int} rw,
- /dev/dri/card[0-9] rw,
 # Silencer
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime
index 1a217a2b6..28c1836c9 100644
--- a/apparmor.d/groups/freedesktop/xdg-mime
+++ b/apparmor.d/groups/freedesktop/xdg-mime
@@ -53,11 +53,11 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
 @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
+ @{PROC}/version r,
+
 /dev/dri/card@{int} rw,
 /dev/tty rw,
- @{PROC}/version r,
-
 # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two
 # following root processes:
 # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
@@ -82,6 +82,7 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 @{HOME}/.Xauthority r,
 owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w,
+ include if exists
 }
 include if exists
diff --git a/apparmor.d/groups/network/socat b/apparmor.d/groups/network/socat
index df5e874d1..8ffa2f9bf 100644
--- a/apparmor.d/groups/network/socat
+++ b/apparmor.d/groups/network/socat
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
 # Copyright (C) 2024 Nishit Majithia (nishitm)
 # SPDX-License-Identifier: GPL-2.0-only
-# vim: ft=apparmor
 abi ,
@@ -10,19 +10,19 @@ include
 @{exec_path} = @{bin}/socat
 profile socat @{exec_path} {
 include
+ include
 include
 include
- include
- capability dac_read_search,
- capability dac_override,
- capability net_raw,
- capability net_admin,
- capability sys_module,
- capability sys_admin,
- capability fsetid,
 capability chown,
+ capability dac_override,
+ capability dac_read_search,
+ capability fsetid,
+ capability net_admin,
 capability net_bind_service,
+ capability net_raw,
+ capability sys_admin,
+ capability sys_module,
 capability sys_resource,
 # Allow creation of network sockets and `socat` uses dccp for some
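Review bot: The socat `@@ -10,19 +10,19 @@` hunk only sorts the capability block, but the result still grants `capability sys_admin,`, `capability sys_module,`, `capability dac_override,` and `capability dac_read_search,` to a general-purpose relay that is routinely pointed at untrusted peers, and no line says which socat address type needs any of them; with the `/dev/net/tun rw,` rule in the next hunk this profile confines very little. Each broad capability should carry a justification so it can be pruned later, e.g. `capability sys_module, # TODO: which socat address needs this?`, or be dropped if it only ever came from complain-mode logs. In the xdg-mime `@@ -82,6 +82,7 @@` hunk the added `include if exists` sits inside a nested profile whose opening is outside the hunk; its target is stripped in this rendering, so confirm it points at the matching `local/` snippet rather than the parent's.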
@@ -31,19 +31,13 @@ profile socat @{exec_path} {
 @{exec_path} mr,
- # Enale /dev/ptmx access for testsuite
- # /dev/ptmx rw,
-
- # TUN/TAP device
- /dev/net/tun rw,
-
- # Process-specific access
 @{PROC}/@{pid}/fdinfo/@{int} rw,
- @{PROC}/@{pid}/stat r,
+ @{PROC}/@{pid}/stat r,
- # For bi-directional communication between vms and host/hypervisor
- /dev/vsock r,
+ /dev/net/tun rw,
+ /dev/vsock r, # For bi-directional communication between vms and host/hypervisor
- # Site-specific additions and overrides. See local/README for details.
 include if exists
 }
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent
index ec82ea1bc..d6dc90447 100644
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@@ -12,8 +12,8 @@ profile ssh-agent @{exec_path} {
 include
 include
- signal (receive) set=term peer=cockpit-bridge,
- signal (receive) set=term peer=gnome-keyring-daemon,
+ signal receive set=term peer=cockpit-bridge,
+ signal receive set=term peer=gnome-keyring-daemon,
 @{exec_path} mr,
@@ -34,6 +34,7 @@ profile ssh-agent @{exec_path} {
 owner @{run}/user/@{uid}/gcr/.ssh w,
 /dev/tty@{int} rw,
+ /dev/tty rw,
 include if exists
 }
diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed
index 39fcd9886..52e6f0894 100644
--- a/apparmor.d/groups/systemd/systemd-hostnamed
+++ b/apparmor.d/groups/systemd/systemd-hostnamed
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-hostnamed
-profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
+profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge
index 3da2c19ea..a2b773499 100644
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
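Review bot: The socat `@@ -31,19 +31,13 @@` rewrite keeps the why-comment for `/dev/vsock r,` as a trailing comment but drops the `# TUN/TAP device` explanation that used to sit above `/dev/net/tun rw,`, which is the rule most worth explaining in this profile; keep parity with `/dev/net/tun rw, # TUN/TAP device`. The retained context line `@{PROC}/@{pid}/fdinfo/@{int} rw,` grants write on entries that, as far as I know, procfs exposes read-only, so `r` alone would state the real need. The ssh-agent and systemd-hostnamed hunks are syntax normalisation and a whitespace fix and raise nothing.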
@@ -22,33 +22,44 @@ profile cockpit-bridge @{exec_path} {
 network inet stream,
 network inet6 dgram,
 network inet6 stream,
+ network netlink raw,
- ptrace (read),
+ ptrace read,
- signal (send) set=term peer=cockpit-pcp,
- signal (send) set=term peer=dbus-daemon,
- signal (send) set=term peer=journalctl,
- signal (send) set=term peer=ssh-agent,
- signal (send) set=term peer=sudo,
- signal (send) set=term peer=unconfined,
+ signal send set=term peer=cockpit-pcp,
+ signal send set=term peer=dbus-daemon,
+ signal send set=term peer=journalctl,
+ signal send set=term peer=ssh-agent,
+ signal send set=term peer=sudo,
+ signal send set=term peer=unconfined,
 @{exec_path} mr,
 @{bin}/cat ix,
 @{bin}/date ix,
+ @{bin}/find ix,
+ @{bin}/ip ix,
+ @{bin}/python3.@{int} ix,
+ @{bin}/test ix,
+
 @{bin}/findmnt Px,
 @{bin}/journalctl Px,
- @{bin}/python3.@{int} ix,
+ @{bin}/lastlog Px,
+ @{bin}/passwd Px,
 @{bin}/ssh-agent Px,
 @{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix?
+ @{bin}/udevadm Cx -> udevadm,
+ @{bin}/virt-install PUx, # TODO: rPx
 @{lib}/cockpit/cockpit-pcp Px,
 @{lib}/cockpit/cockpit-ssh Px,
+ @{bin}/virsh rPUx,
 # The shell is not confined on purpose.
 @{bin}/@{shells} Ux,
- /usr/share/cockpit/{,**} r,
 /usr/{,local/}share/ r,
+ /usr/share/cockpit/{,**} r,
+ /usr/share/iproute2/* r,
 /etc/cockpit/{,**} r,
 /etc/httpd/conf/mime.types r,
@@ -59,6 +70,8 @@ profile cockpit-bridge @{exec_path} {
 /etc/shadow r,
 /etc/shells r,
+ / r,
+
 owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
 owner @{user_share_dirs}/ r,
@@ -66,6 +79,7 @@ profile cockpit-bridge @{exec_path} {
 @{run}/utmp r,
 @{sys}/class/hwmon/ r,
+ @{sys}/class/net/ r,
 @{sys}/devices/**/hwmon@{int}/ r,
 @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
 @{sys}/fs/cgroup/ r,
@@ -89,6 +103,13 @@ profile cockpit-bridge @{exec_path} {
 /dev/ptmx rw,
+ profile udevadm {
+ include
+ include
+
+ include if exists
+ }
+
 include if exists
 }
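Review bot: The `udevadm` child profile added in the `@@ -89,6 +103,13 @@` hunk, targeted by `@{bin}/udevadm Cx -> udevadm,` in the first hunk, contains only include lines and no rule for the binary it confines; unless one of the includes (their targets are stripped in this rendering) grants it, the transition will fail for lack of an `@{bin}/udevadm mr,` rule, which every other profile in this series provides as `@{exec_path} mr,`. Add `@{bin}/udevadm mr,` to the child profile and take its sysfs and udev-database paths from a log rather than falling back to `ix`, which would inherit the parent's `/etc/shadow r` and `@{bin}/@{shells} Ux` rules. In the first hunk `@{bin}/virsh rPUx,` is added without the `# TODO: rPx` marker that `@{bin}/virt-install PUx,` carries, although both fall back to unconfined when no profile is loaded; mark it the same way so it is not forgotten. `@{bin}/python3.@{int} ix,` runs an interpreter under the full cockpit-bridge rule set, which deserves a comment naming the cockpit script it executes.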
diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session
index 74ddd9e70..fda673c6e 100644
--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@@ -36,11 +36,12 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 /etc/motd.d/ r,
 /etc/shells r,
+ @{run}/cockpit/active.motd r,
+ @{run}/cockpit/inactive.motd r,
 @{run}/faillock/@{user} rwk,
+ @{run}/motd.d/{,*} r,
 @{run}/systemd/sessions/*.ref rw,
 @{run}/utmp rwk,
- @{run}/motd.d/{,*} r,
- @{run}/cockpit/active.motd r,
 /var/log/btmp rw,
 /var/log/lastlog rw,
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 3fbbfc51f..a755c1672 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -68,6 +68,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 ptrace (read,trace) peer=@{profile_name},
 ptrace (read,trace) peer=dnsmasq,
+ ptrace (read,trace) peer=gnome-boxes,
 ptrace (read,trace) peer=libvirt-@{uuid},
 ptrace (read,trace) peer=libvirt-dbus,
 ptrace (read,trace) peer=unconfined,
@@ -93,15 +94,14 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 @{lib}/libvirt/libvirt_iohelper rix,
 @{lib}/libvirt/libvirt_parthelper rix,
+ @{lib}/{,qemu/}qemu-bridge-helper rPx,
+ @{lib}/{,qemu/}vhost-user-gpu rPUx,
+ @{lib}/{,qemu/}virtiofsd rux, # TODO: WIP
 @{lib}/udev/scsi_id rPUx,
 @{lib}/xen-*/bin/libxl-save-helper rPUx,
 @{lib}/xen-*/bin/pygrub rPUx,
 @{lib}/xen-common/bin/xen-toolstack rPUx,
 @{lib}/xen/bin/* rPUx,
- /{usr/,}{lib,lib64,lib/qemu,libexec}/vhost-user-gpu rPUx,
- /{usr/,}{lib,lib64,lib/qemu,libexec}/virtiofsd rux, # TODO: WIP
-
- /{usr/,}{lib,lib64,lib/qemu,libexec}/qemu-bridge-helper Cx -> qemu_bridge_helper,
 @{bin}/dmidecode rPx,
 @{bin}/dnsmasq rPx,
diff --git a/apparmor.d/groups/virt/qemu-bridge-helper b/apparmor.d/groups/virt/qemu-bridge-helper
new file mode 100644
index 000000000..a814dd265
--- /dev/null
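Review bot: The libvirtd `@@ -93,15 +94,14 @@` hunk narrows the helper paths from `/{usr/,}{lib,lib64,lib/qemu,libexec}/` to `@{lib}/{,qemu/}`; if `@{lib}` does not expand to the `lib64` and `libexec` variants, libvirtd will be denied exec of `qemu-bridge-helper`, `vhost-user-gpu` and `virtiofsd` on distributions that install them there, so confirm the variable covers every layout the old glob did. Moving `qemu-bridge-helper` from `Cx -> qemu_bridge_helper` to `rPx` is the right direction now that it has a standalone profile (which grants it `net_admin` and `/dev/net/tun`), and that profile's `@{exec_path}` uses the same `@{lib}/{,qemu/}` pattern, so the two stay aligned; a comment such as `@{lib}/{,qemu/}qemu-bridge-helper rPx, # privileged tap/bridge helper, keep confined` would record why this one is `rPx` while its neighbours are `rPUx`. The libvirtd `@@ -68,6 +68,7 @@` hunk adds a `ptrace (read,trace)` peer and the cockpit-session hunk only reorders and adds read rules; neither raises a point.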
+++ b/apparmor.d/groups/virt/qemu-bridge-helper
@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{lib}/{,qemu/}qemu-bridge-helper
+profile qemu-bridge-helper @{exec_path} {
+ include
+
+ capability net_admin,
+ capability setpcap,
+
+ network inet stream,
+
+ unix (send, receive) type=stream addr=none peer=(label=libvirtd),
+
+ signal receive set=term peer=libvirtd,
+
+ @{exec_path} mr,
+
+ /etc/qemu/bridge.conf r,
+
+ @{sys}/devices/system/node/ r,
+
+ owner @{PROC}/@{pids}/status r,
+
+ /dev/net/tun rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 2c0eb2fac..47450b8e6 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -92,9 +92,6 @@ profile git @{exec_path} flags=(attach_disconnected) {
 owner @{user_cache_dirs}/*/ rw,
 owner @{user_cache_dirs}/*/** rwkl -> @{user_cache_dirs}/*/**,
- owner @{tmp}/** rwkl -> /tmp/**,
- owner @{tmp}/**/bin/* rCx -> exec,
-
 owner @{HOME}/.gitconfig* rw,
 owner @{HOME}/.netrc r,
 owner @{user_config_dirs}/git/{,*} rw,
diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd
index bdac4d92f..9222fbbbd 100644
--- a/apparmor.d/profiles-s-z/smartd
+++ b/apparmor.d/profiles-s-z/smartd
@@ -39,8 +39,6 @@ profile smartd @{exec_path} {
 /var/lib/smartmontools/smartd.*.state{,~} rw,
 /var/lib/smartmontools/attrlog.*.csv rw,
- /tmp/tmp.* rw,
-
 @{run}/systemd/notify rw,
 @{sys}/class/scsi_host/ r,
diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager
index c1bd7fbde..fbfcaf7b9 100644
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
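Review bot: `/etc/qemu/bridge.conf r,` in the new qemu-bridge-helper profile is, as far as I know, the ACL that decides which bridges the helper may attach a tap to, which makes it the security-relevant rule in the file, yet it carries no comment; `/etc/qemu/bridge.conf r, # bridge ACL` would tell the next reader why the profile is worth keeping strict. The profile grants only `capability net_admin,`, `capability setpcap,` and `/dev/net/tun rw,`, which is a reasonable minimum for a tap-to-bridge helper, so the `qemu-bridge-helper complain` flag added in the main.flags hunk of this same patch should be revisited early — in complain mode none of this is enforced, and the helper is the privilege boundary between libvirtd and the host network. `owner @{PROC}/@{pids}/status r,` uses `@{pids}` where the rest of this series uses `@{pid}`; confirm it is a defined variable and not a typo. The git and smartd hunks are pure removals of `/tmp` rules and raise nothing.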
@@ -61,15 +61,15 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { /etc/fstab r, /etc/libnl/classid r, - owner @{HOME}/ r, - owner @{user_cache_dirs}/virt-manager/{,**} rw, + # System VM images + /var/lib/libvirt/images/{,**} rw, # For disk images @{MOUNTS}/ r, @{user_img_dirs}/{,**} r, - # System VM images - /var/lib/libvirt/images/{,**} rw, + owner @{HOME}/ r, + owner @{user_cache_dirs}/virt-manager/{,**} rw, # User VM images owner @{user_share_dirs}/ r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index f37e7f991..53782aa9c 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -279,6 +279,7 @@ plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted qdbus complain +qemu-bridge-helper complain realmd complain remmina complain run-parts complain @@ -369,7 +370,6 @@ systemd-userwork attach_disconnected,complain systemsettings complain totem attach_disconnected,complain tracker-writeback complain -transmission complain udev-dmi-memory-id complain udisksctl complain udisksd attach_disconnected,complain From 7c560e1e8f1990469f4df799df1a3ddd8c13c27e Mon Sep 17 00:00:00 2001 From: odomingao Date: Sun, 1 Sep 2024 18:01:19 -0300 Subject: [PATCH 048/315] Update chronyd (#458) apparmor="DENIED" operation="create" class="net" profile="chronyd" comm="chronyd" family="inet" sock_type="stream" protocol=0 requested_mask="create" denied_mask="create" --- apparmor.d/profiles-a-f/chronyd | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index 490afddb2..a7d265e29 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -29,6 +29,8 @@ profile chronyd @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, + network inet stream, + network inet6 stream, network netlink raw, @{exec_path} mr, 
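Review bot: The new `network inet stream,` and `network inet6 stream,` rules in the chronyd hunk carry no comment on why an NTP daemon needs TCP sockets; the denial pasted in the commit message shows only that a stream socket was created, not what it is for. If this is for NTS key establishment (chrony's NTS-KE runs over TCP), a comment like `network inet stream, # NTS-KE` next to the two rules would let a later reviewer distinguish it from an unexpected outbound connection. The enclosing profile block continues outside the hunk.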
From 52d2cd63b972f29579015370eab4de748a41fbdc Mon Sep 17 00:00:00 2001 From: odomingao Date: Sun, 1 Sep 2024 18:03:13 -0300 Subject: [PATCH 049/315] Create cemu (#459) --- apparmor.d/profiles-a-f/cemu | 51 ++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) create mode 100644 apparmor.d/profiles-a-f/cemu diff --git a/apparmor.d/profiles-a-f/cemu b/apparmor.d/profiles-a-f/cemu new file mode 100644 index 000000000..44d4098da --- /dev/null +++ b/apparmor.d/profiles-a-f/cemu @@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cemu +profile cemu @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /usr/share/Cemu/{,**} r, + + owner @{user_cache_dirs}/Cemu/{,**} rw, + owner @{user_config_dirs}/Cemu/{,**} rw, + owner @{user_share_dirs}/Cemu/{,**} rw, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/statm r, + + owner @{sys}/class/ r, + @{sys}/class/input/ r, + @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/abs r, + @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/ev r, + @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/key r, + @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/rel r, + + /dev/input/ r, + /dev/input/event@{int} rw, + /dev/input/js@{int} rw, + + include if exists +} + +# vim:syntax=apparmor From bf2025db09d3bf9a54b8ffbac641625bab0f4bd9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 1 Sep 2024 22:09:00 +0100 Subject: [PATCH 050/315] feat(profile): gpg: ensure compatibility with torbrowser profile from upstream. see #407 --- apparmor.d/groups/gpg/gpg | 4 ++++ 1 file changed, 4 insertions(+) 
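Review bot: `owner @{PROC}/@{pid}/fd r,` is missing the trailing slash: `/proc/<pid>/fd` is a directory, and the other profiles on this page spell it `owner @{PROC}/@{pid}/fd/ r,` (exo-open, update-manager), so the rule as written is unlikely to match a listing of that directory. `owner @{sys}/class/ r,` is inconsistent with the unqualified `@{sys}/class/input/ r,` on the next line; sysfs is root-owned, so `owner` turns the rule into a no-op for a normal user session and should probably be dropped. `/dev/input/event@{int} rw,` and `/dev/input/js@{int} rw,` expose every input device, keyboards included, to the emulator; a comment such as `# For gamepads/controllers` would record the intent behind that grant.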
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index a4f2a11ea..43cb9cadf 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -41,6 +41,10 @@ profile gpg @{exec_path} { owner @{user_projects_dirs}/**/gnupg/ rw, owner @{user_projects_dirs}/**/gnupg/** rwkl -> @{user_projects_dirs}/**/gnupg/**, + # TODO: For compatibility with torbrowser profile from upstream. + owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, + owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, + #aa:only apt owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, From 3c066ea0876bd18c3aed8bc86bd87bd799fa54b3 Mon Sep 17 00:00:00 2001 From: odomingao Date: Sun, 1 Sep 2024 22:22:42 -0300 Subject: [PATCH 051/315] Update waybar --- apparmor.d/profiles-s-z/waybar | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index 8da427a64..127945081 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/waybar profile waybar @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -21,11 +22,15 @@ profile waybar @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/** rPUx, - @{user_bin_dirs}/** rPUx, - owner @{user_config_dirs}/waybar/{,**} r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, + + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner /dev/tty@{int} rw, include if exists From 26641f585c0db421e06c0d4fb6c1d335db7924fa Mon Sep 17 00:00:00 2001 
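Review bot: `owner /dev/tty@{int} rw,` in the second waybar hunk has no comment explaining why a status bar needs read-write access to virtual terminals; if it came from a single audit event, check whether `r` or a narrower path suffices and record the reason inline, in the style of the `# for /dev/input/*` comments used elsewhere in the repo. The hunk also drops `@{bin}/** rPUx,` and `@{user_bin_dirs}/** rPUx,`, a welcome tightening that the commit message "Update waybar" does not mention; custom modules that exec scripts will now be denied, so the message or a comment should state that this is intentional. The profile block continues outside the hunk.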
From: Alexandre Pujol Date: Mon, 2 Sep 2024 14:14:16 +0100 Subject: [PATCH 052/315] feat(profile): add gnome-boxes see #457 --- apparmor.d/groups/gnome/gnome-boxes | 94 +++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 95 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-boxes diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes new file mode 100644 index 000000000..9d82ad369 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-boxes 
@@ -0,0 +1,94 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-boxes +profile gnome-boxes @{exec_path} { + include + include + include + include + include + include + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{open_path} rPx -> child-open, + + @{bin}/virtqemud rPUx, + @{bin}/virsh rCx -> virsh, + + /usr/share/osinfo/{,**} r, + /usr/share/gnome-boxes/{,**} r, + /usr/share/hwdata/*.ids r, + + /etc/qemu/bridge.conf r, + + @{MOUNTS}/ r, + owner @{HOME}/ r, + + # For disk images + owner @{user_img_dirs}/{,**} rw, + owner @{user_vm_dirs}/{,**} rw, + + owner @{user_cache_dirs}/gnome-boxes/ rw, + owner @{user_cache_dirs}/gnome-boxes/** rwk, + owner @{user_cache_dirs}/libvirt/qemu/log/*.log r, + + owner @{user_config_dirs}/gnome-boxes/ rw, + owner @{user_config_dirs}/gnome-boxes/** rwk, + + owner @{tmp}/.goutputstream-@{rand6} rw, + owner @{tmp}/*.iso-@{rand6} rw, + owner @{tmp}/*.svg-@{rand6} rw, + + owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + + @{run}/mount/utab r, + + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-dbus*org.gnome.Boxes.slice/*/memory.* r, + + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + + profile virsh { + include + include + + @{bin}/virsh mr, + @{bin}/pkttyagent r, + + owner @{run}/user/@{uid}/libvirt/ r, + owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, + + @{sys}/devices/system/node/ r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor 
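Review bot: In the `virsh` child profile, `@{bin}/pkttyagent r,` grants read only; if virsh launches pkttyagent for polkit authentication on a terminal that exec will be denied, and if the binary is merely probed the rule should say so, e.g. `@{bin}/pkttyagent r, # probed only, never executed`. `@{bin}/virtqemud rPUx,` falls back to unconfined when no virtqemud profile is loaded, which follows repo convention but is worth a conscious check for a program that also gets `owner @{user_img_dirs}/{,**} rw,` and `owner @{user_vm_dirs}/{,**} rw,`. A one-line comment on the `virsh` child explaining why it is confined separately from the main profile would help the next maintainer.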
diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 53782aa9c..e051078a6 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -125,6 +125,7 @@ gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain gmenudbusmenuproxy complain +gnome-boxes complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain From a93400280e22763d8901f26cfdd1eae982c3badc Mon Sep 17 00:00:00 2001 From: EricLin0509 <143688917+EricLin0509@users.noreply.github.com> Date: Wed, 4 Sep 2024 01:29:03 +0800 Subject: [PATCH 053/315] Add support for wemeet (#462) * initial support for wemeet * Some small fixes --- apparmor.d/profiles-s-z/wemeet | 63 ++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 apparmor.d/profiles-s-z/wemeet diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet new file mode 100644 index 000000000..e866b5e51 --- /dev/null +++ b/apparmor.d/profiles-s-z/wemeet 
@@ -0,0 +1,63 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/wemeet +@{exec_path} += /opt/wemeet/bin/wemeetapp +@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess +profile wemeet @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + include + include + + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/basename rix, + @{bin}/bwrap rix, + @{bin}/id rix, + @{bin}/mkdir rix, + /opt/wemeet/bin/** rix, + + /etc/machine-id r, + /var/cache/ w, + + owner @{user_share_dirs}/wemeetapp/ rw, + owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**, + + @{PROC}/ r, + @{PROC}/asound/ r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/wireless r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cmdline r, + + /dev/ r, + /dev/tty rw, + /dev/shm/ r, + /dev/pts/@{int} rw, + + include if exists + +} + +# vim:syntax=apparmor From 35dcde9d90e4f9cfe218163b61bbfc9ff3c34944 Mon Sep 17 00:00:00 2001 
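Review bot: `@{PROC}/@{pid}/stat r,` and `@{PROC}/@{pid}/statm r,` lack the `owner` qualifier that `owner @{PROC}/@{pid}/cmdline r,` in the same block and the cemu profile in this series use, so wemeet may read those entries for every process on the system; `owner @{PROC}/@{pid}/stat r,` and `owner @{PROC}/@{pid}/statm r,` keep it to the user's own processes. `/var/cache/ w,` grants write on a root-owned system directory and looks like it was lifted from an `mkdir -p` denial; if the application only probes the path, a `deny /var/cache/ w,` or an explanatory comment is preferable to a silent allow. Style: there is a stray blank line between `include if exists` and the closing `}`, unlike the other profiles in the series.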
From: Alexandre Pujol Date: Thu, 5 Sep 2024 14:05:35 +0100 Subject: [PATCH 054/315] feat(tunable): add the new version variable. --- apparmor.d/groups/gnome/gio-launch-desktop | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 6 +++--- apparmor.d/groups/gnome/gnome-shell | 8 ++++---- apparmor.d/groups/xfce/xfce-panel | 2 +- apparmor.d/profiles-a-f/exo-open | 4 ++-- apparmor.d/profiles-g-l/gsmartcontrol | 2 +- apparmor.d/profiles-g-l/gtk-youtube-viewer | 4 ++-- apparmor.d/profiles-g-l/jdownloader | 4 ++-- apparmor.d/profiles-m-r/orage | 2 +- apparmor.d/tunables/multiarch.d/paths | 2 +- apparmor.d/tunables/multiarch.d/system | 3 +++ docs/variables.md | 2 +- pkg/aa/apparmor.go | 3 +++ 13 files changed, 25 insertions(+), 19 deletions(-) diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 8e6d80f9e..639b7a144 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -14,7 +14,7 @@ include @{exec_path} = @{bin}/gio @{exec_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop -@{exec_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop +@{exec_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 962897ea8..2f00b527a 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -59,8 +59,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{lib}/gnome-session-check-accelerated-gles-helper rix, @{lib}/gnome-session-failed rix, - @{lib}/gio-launch-desktop rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, /usr/share/dconf/profile/gdm r, /usr/share/gdm/greeter-dconf-defaults r, @@ -112,7 +112,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{bin}/env rix, @{sh_path} r, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, @{lib}/** PUx, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index d39c25b24..256309abd 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -184,9 +184,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper - @{sh_path} rCx -> shell, - @{lib}/gio-launch-desktop rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{sh_path} rCx -> shell, + @{lib}/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, # nm-openvpn-auth-dialog @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @@ -409,7 +409,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { network inet stream, network unix stream, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{lib}/gio-launch-desktop mr, @{lib}/** PUx, diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 44c9be032..44f237f4b 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel 
@@ -20,7 +20,7 @@ profile xfce-panel @{exec_path} { @{bin}/exo-open rix, @{bin}/xfce4-mime-helper rix, @{lib}/{,@{multiarch}/}xfce4/panel/wrapper-2.0 rix, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rix, @{lib}/gio-launch-desktop rix, @{bin}/sudo rCx -> root, diff --git a/apparmor.d/profiles-a-f/exo-open b/apparmor.d/profiles-a-f/exo-open index 7d265e566..04d5f8b36 100644 --- a/apparmor.d/profiles-a-f/exo-open +++ b/apparmor.d/profiles-a-f/exo-open @@ -19,10 +19,10 @@ profile exo-open @{exec_path} { @{exec_path} mr, - @{lib}/@{multiarch}/xfce4/exo-[0-9]/exo-helper-[0-9] rPx, + @{lib}/@{multiarch}/xfce4/exo-@{version}/exo-helper-@{version} rPx, # It looks like gio-launch-desktop decides what app should be opened - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rPx, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index f6f6b300f..ec3dcff98 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -63,7 +63,7 @@ profile gsmartcontrol @{exec_path} { # The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as # root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and # hence this behavior should be blocked. - deny @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rx, + deny @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rx, profile dbus { diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 96b114461..9d2bc322e 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer 
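Review bot: In the gsmartcontrol hunk, replacing `glib-[0-9]*` with `glib-@{version}` narrows a `deny` rule, and narrowing a deny is a loosening rather than a tightening: any directory name the old glob matched but `@{int}{.@{int},}{.@{int},}{-@{rand},}` does not (a hypothetical `glib-2.0beta`, for instance) is no longer denied and falls through to whatever the rest of the profile allows. In practice GLib ships `glib-2.0`, so this is probably harmless, but it is the one rewrite in this commit that moves in the permissive direction and deserves a conscious check. The rationale comment above the deny rule is unchanged and still applies.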
@@ -40,8 +40,8 @@ profile gtk-youtube-viewer @{exec_path} { @{lib}/firefox/firefox rPx, - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{bin}/xdg-open rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, owner @{user_config_dirs}/youtube-viewer/{,*} rw, diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader index 424074da4..9dc2ed226 100644 --- a/apparmor.d/profiles-g-l/jdownloader +++ b/apparmor.d/profiles-g-l/jdownloader @@ -95,7 +95,7 @@ profile jdownloader @{exec_path} { # To open a web browser for CAPTCHA @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, profile open { @@ -103,7 +103,7 @@ profile jdownloader @{exec_path} { include @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{sh_path} rix, @{bin}/{m,g,}awk rix, diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index 571532b4f..39e960587 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -23,7 +23,7 @@ profile orage @{exec_path} { @{bin}/xdg-open rCx -> open, @{bin}/exo-open rCx -> open, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, owner @{user_config_dirs}/orage/ rw, owner @{user_config_dirs}/orage/* rw, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 69ca70ef7..a98f28ae6 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths 
@@ -33,7 +33,7 @@ # Open @{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open @{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop -@{open_path} += @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop +@{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop # File explorers @{file_explorers_path} = @{bin}/@{file_explorers_names} diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index aaebe5ed1..b2e1a3b0b 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -61,6 +61,9 @@ @{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},} @{group}=@{user} +# Semantic version +@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},} + # Shortcut for PCI device @{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} diff --git a/docs/variables.md b/docs/variables.md index b45df411f..6104e5033 100644 --- a/docs/variables.md +++ b/docs/variables.md 
@@ -135,5 +135,5 @@ title: Variables References | Shells path | `@{shells_path}` | `@{bin}/@{shells}` | | Coreutils programs that should not have dedicated profile | `@{coreutils}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L46) | | Coreutils paths | `@{coreutils_path}` | `@{bin}/@{coreutils}` | -| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop @{lib}/gio-launch-desktop` +| Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop @{lib}/gio-launch-desktop` | All browser paths | `@{*_path}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L11) diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index 75c009c86..ad3915983 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -33,6 +33,7 @@ func DefaultTunables() *AppArmorProfileFile { return &AppArmorProfileFile{ Preamble: Rules{ &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, + &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, &Variable{Name: "HOME", Values: []string{"/home/*"}, Define: true}, &Variable{Name: "int", Values: []string{"[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}"}, Define: true}, 
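Review bot: `DefaultTunables` is a hand-maintained copy of `apparmor.d/tunables/multiarch.d/system`; this hunk adds `c` and the next hunk adds `rand` alongside `version`, yet the tunables hunk in this commit adds only `version`, which suggests `c` and `rand` were presumably already defined there and the two tables had drifted apart. A unit test that parses the tunables file and asserts every `@{name}=...` it defines is present with the same value in `DefaultTunables()` would catch the next omission; failing that, a comment above the literal such as `// Keep in sync with apparmor.d/tunables/multiarch.d/system.` would at least point at the source of truth. `DefaultTunables` starts outside the hunk.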
@@ -40,11 +41,13 @@ func DefaultTunables() *AppArmorProfileFile { &Variable{Name: "lib", Values: []string{"/{,usr/}lib{,exec,32,64}"}, Define: true}, &Variable{Name: "MOUNTS", Values: []string{"/media/*/", "/run/media/*/*/", "/mnt/*/"}, Define: true}, &Variable{Name: "multiarch", Values: []string{"*-linux-gnu*"}, Define: true}, + &Variable{Name: "rand", Values: []string{"@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}"}, Define: true}, // Up to 10 characters &Variable{Name: "run", Values: []string{"/run/", "/var/run/"}, Define: true}, &Variable{Name: "uid", Values: []string{"{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}"}, Define: true}, &Variable{Name: "user_cache_dirs", Values: []string{"/home/*/.cache"}, Define: true}, &Variable{Name: "user_config_dirs", Values: []string{"/home/*/.config"}, Define: true}, &Variable{Name: "user_share_dirs", Values: []string{"/home/*/.local/share"}, Define: true}, + &Variable{Name: "version", Values: []string{"@{int}{.@{int},}{.@{int},}{-@{rand},}"}, Define: true}, }, } } From 4e17001ce2b2d4c27aadd45083c2fe48b284e855 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 5 Sep 2024 14:08:08 +0100 Subject: [PATCH 055/315] feat(tunable): add the new python_path & python_name variables. --- apparmor.d/tunables/multiarch.d/paths | 3 +++ apparmor.d/tunables/multiarch.d/programs | 3 +++ 2 files changed, 6 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index a98f28ae6..35bf0c58f 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths 
@@ -13,6 +13,9 @@ # Coreutils programs that should not have dedicated profile @{coreutils_path} = @{bin}/@{coreutils} +# Python interpreters +@{python_path} = @{bin}/@{python_name} + # Browsers @{brave_path} = @{brave_lib_dirs}/@{brave_name} @{chrome_path} = @{opera_lib_dirs}/@{chrome_name} diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index e8c6b9022..9c0c4d305 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -25,6 +25,9 @@ @{coreutils} += sort split stat stdbuf stty sum sync tac tail tee test timeout touch tr true @{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes +# Python interpreters +@{python_name} = python{,3,3.[0-9],3.1[0-9]} + # Browsers @{brave_name} = brave{,-beta,-dev,-bin} From 6b191d9ada6e267e0337322de52e7938944ee85c Mon Sep 17 00:00:00 2001 
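Review bot: `@{python_name} = python{,3,3.[0-9],3.1[0-9]}` hard-codes the minor-version digits and so stops matching at `python3.19` while also excluding `python2`; if `@{int}` is in scope for tunables (it is used throughout the profiles in this series), `@{python_name} = python{,3,3.@{int}}` expresses the same intent without the ceiling. If the two-digit form is deliberate, a comment saying so would stop the next person from "fixing" it. The `paths` hunk that defines `@{python_path} = @{bin}/@{python_name}` depends on this variable, so the two should stay in step.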
From: Alexandre Pujol Date: Thu, 5 Sep 2024 14:23:16 +0100 Subject: [PATCH 056/315] feat(profile): use @{int} on systemd/inhibit. --- apparmor.d/groups/apps/signal-desktop | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/bus/dbus-system | 2 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/gnome/gnome-music | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/ksmserver | 2 +- apparmor.d/groups/kde/kwin_wayland | 2 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/groups/virt/virtinterfaced | 2 +- apparmor.d/groups/virt/virtlogd | 2 +- apparmor.d/groups/virt/virtnetworkd | 2 +- apparmor.d/groups/virt/virtnodedevd | 2 +- apparmor.d/groups/virt/virtsecretd | 2 +- apparmor.d/groups/virt/virtstoraged | 2 +- apparmor.d/groups/xfce/xfce-power-manager | 2 +- apparmor.d/groups/xfce/xfce-screensaver | 2 +- apparmor.d/profiles-a-f/fprintd | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-m-r/mission-control | 2 +- apparmor.d/profiles-m-r/nvtop | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-s-z/udisksd | 2 +- 38 files changed, 38 insertions(+), 38 deletions(-) diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/groups/apps/signal-desktop index 6c8525f48..912d95760 100644 
--- a/apparmor.d/groups/apps/signal-desktop +++ b/apparmor.d/groups/apps/signal-desktop @@ -37,7 +37,7 @@ profile signal-desktop @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index dcc6303c8..38bd8f3eb 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -149,7 +149,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, profile editor flags=(complain) { include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index f5caa7b65..eaac10851 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -100,7 +100,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/log/apt/{term,history}.log w, /var/log/apt/eipp.log.xz w, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 65f8a30d2..bd963a006 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -25,7 +25,7 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { owner /var/log/unattended-upgrades/*.log* rw, owner @{run}/unattended-upgrades.lock rwk, - owner @{run}/systemd/inhibit/[0-9]*.ref rw, + owner @{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/mounts r, 
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index e63d51eaa..f532bb29b 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -53,7 +53,7 @@ profile dbus-system flags=(attach_disconnected) { @{user_share_dirs}/icc/ r, @{user_share_dirs}/icc/edid-@{hex32}.icc r, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/notify w, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{int} r, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index 92e6148b3..aa93e0267 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -40,7 +40,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c116:@{int} r, # for ALSA - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/hid/devices/ r, @{sys}/class/input/ r, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 69273720e..710393390 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -45,7 +45,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, owner /var/tmp/etilqs_@{hex15} rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 2f00b527a..e08ae61d3 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary 
@@ -84,7 +84,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/sessions/* r, @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 256309abd..6950304fc 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -307,7 +307,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/tags/seat/ r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index f5652135a..290aa4454 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -108,7 +108,7 @@ profile gnome-software @{exec_path} { owner /dev/shm/flatpak-com.*/ rw, owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 9a799d444..6ed820866 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -96,7 +96,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* 
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 2c21bc4fd..0f4b3cd3c 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -64,7 +64,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+leds:* r, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 64371caaa..a37fea7a0 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -46,7 +46,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** owner @{run}/user/@{uid}kcrash_@{int} rw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 5f6c9ceb6..f768cad0c 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -69,7 +69,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/@{rand6} rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, /dev/tty r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 7bed8beca..95abaa2a6 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland 
@@ -103,7 +103,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_share_dirs}/kscreen/* r, owner @{user_share_dirs}/kwin/scripts/{,**} r, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index fad5908b4..06e0c0fe5 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -34,7 +34,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n@{int} r, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/bus/usb/devices/ r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index e5e9b0785..f8612b4dc 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -122,7 +122,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @{run}/nscd/db* rwl, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 7533b107c..48534d676 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -32,7 +32,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, /dev/tty rw, 
diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 755cfe5ee..01b3e0bcd 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -18,7 +18,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 9a0a2c7d7..8db1923e5 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -96,7 +96,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, - @{run}/systemd/inhibit/[0-9]*{,.ref} rw, + @{run}/systemd/inhibit/@{int}{,.ref} rw, @{run}/systemd/journal/socket rw, @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 0ee70c39b..2811b16e3 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -70,7 +70,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - @{run}/systemd/inhibit/*.ref w, + @{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index a755c1672..4f8c76a81 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -157,7 +157,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{run}/libvirt/** rwk, @{run}/libvirtd.pid wk, @{run}/lock/LCK.._pts_@{int} rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/notify w, @{run}/utmp rk, 
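Review bot: The update-manager rule changes `@{run}/systemd/inhibit/*.ref w` to `@{run}/systemd/inhibit/@{int}.ref rw`, which grants read access the old rule did not, while every other hunk in this commit only narrows the glob to `@{int}`; the same silent widening appears in fprintd (`w` to `rw`) and nvtop (`r` to `rw`). If the extra access was observed in audit logs it deserves its own mention in the commit message or a trailing comment stating why read is required, so the next reviewer does not read it as a copy-paste of the common spelling; otherwise keep each profile's original access mode and change only the glob. The enclosing profile blocks start and end outside these hunks.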
diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced index 96d135912..ccda93f6b 100644 --- a/apparmor.d/groups/virt/virtinterfaced +++ b/apparmor.d/groups/virt/virtinterfaced @@ -20,7 +20,7 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) { @{lib}/gconv/gconv-modules rm, @{lib}/gconv/gconv-modules.d/{,*} r, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/interface/ rw, owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index b06ad67f1..0cb7202ee 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -30,7 +30,7 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { @{run}/libvirt/common/system.token rwk, @{run}/libvirt/virtlogd-sock rw, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/virtlogd.pid rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index a2c02368b..fa4e0a5d5 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -25,7 +25,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libvirt/dnsmasq/*.macs* rw, @{run}/libvirt/network/default.pid r, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp rk, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/network/{,**} rwk, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index a39c04504..38f84a8eb 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd 
@@ -33,7 +33,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { /etc/libvirt/virtnodedevd.conf r, /etc/mdevctl.d/{,**} r, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/nodedev/ rw, owner @{run}/libvirt/nodedev/driver.pid wk, diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd index cdded1152..f6c56ca10 100644 --- a/apparmor.d/groups/virt/virtsecretd +++ b/apparmor.d/groups/virt/virtsecretd @@ -20,7 +20,7 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libvirt/secrets/ rw, owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/secrets/ rw, owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 7c6f7207b..7130edfa6 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -55,7 +55,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { owner @{run}/libvirt/storage/{,**} rwk, owner @{run}/virtstoraged.pid rwk, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index d286280f0..f0654ac68 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -21,7 +21,7 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, include if exists } 
diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index e441b84b8..aaa5f7fa4 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -25,7 +25,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { /etc/xdg/menus/xfce4-screensavers.menu r, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index d856867a3..2c474b27b 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -28,7 +28,7 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { /var/lib/fprint/{,**} rw, @{run}/systemd/journal/socket rw, - @{run}/systemd/inhibit/*.ref w, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 474ab630b..afb8bc367 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -98,7 +98,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/* r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index 267fb9d1a..a6f1e5803 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -24,7 +24,7 @@ profile mission-control @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, include if exists } 
diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index 54c9c5959..a27a9d0f9 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -23,7 +23,7 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/nvtop/{,**} rw, - @{run}/systemd/inhibit/*.ref r, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index b61426196..7482cda65 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -93,7 +93,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner @{tmp}/packagekit* rw, - @{run}/systemd/inhibit/*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/systemd/users/@{uid} r, #aa:only opensuse diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index e764b69f8..30457cf04 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -59,7 +59,7 @@ profile psi @{exec_path} { owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index d9b1f7fd5..1427af278 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -59,7 +59,7 @@ profile psi-plus @{exec_path} { owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, 
diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 83561941c..76be97683 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -107,7 +107,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab{,.*} rwk, @{run}/udisks2/{,**} rw, @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/inhibit/[0-9]*.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, From fde8ee6ec65095ec90c91e08e7d118aedc456176 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 6 Sep 2024 21:32:39 +0100 Subject: [PATCH 057/315] fix(profile): generic app need access to /var/cache/tmp/ fix #465 --- apparmor.d/abstractions/common/app | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index dc598cfa1..2798b5082 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -61,6 +61,7 @@ owner @{user_share_dirs}/** rwkl, owner @{user_games_dirs}/{,**} rm, + owner /var/cache/tmp/** rwk, owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, From a1407243dd4f8f17a4d23acaa4cac21e77d6eb90 Mon Sep 17 00:00:00 2001 From: EricLin0509 <143688917+EricLin0509@users.noreply.github.com> Date: Sat, 7 Sep 2024 04:35:16 +0800 Subject: [PATCH 058/315] Update profile for ufw (#467) * Update profile for ufw * A small fix --- apparmor.d/profiles-s-z/ufw | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw index 55437c180..4340f12db 100644 --- a/apparmor.d/profiles-s-z/ufw +++ b/apparmor.d/profiles-s-z/ufw 
@@ -33,12 +33,12 @@ profile ufw @{exec_path} { /etc/default/ufw r, - @{run}/ufw.lock rwk, + owner @{run}/ufw.lock rwk, - /var/tmp/@{rand8} rw, - /var/tmp/tmp* rw, - /tmp/@{rand8} rw, - /tmp/tmp* rw, + owner /var/tmp/???????? rw, + owner /var/tmp/tmp???????? rw, + owner @{tmp}/???????? rw, + owner @{tmp}/tmp???????? rw, @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/fd/ r, From ac2f085d8cb686c2f8d76678fdd70dc6113e1d0b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 6 Sep 2024 21:40:17 +0100 Subject: [PATCH 059/315] feat(abs): add support for keyfile in dconf. fix #460 --- apparmor.d/abstractions/dconf-write | 1 + apparmor.d/abstractions/dconf.d/complete | 7 +++++++ 2 files changed, 8 insertions(+) create mode 100644 apparmor.d/abstractions/dconf.d/complete diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index f25e1c3e6..41145e512 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -20,6 +20,7 @@ /etc/dconf/** r, owner @{user_config_dirs}/dconf/user r, + owner @{user_config_dirs}/glib-2.0/settings/keyfile rw, owner @{run}/user/@{uid}/dconf/ rw, owner @{run}/user/@{uid}/dconf/user rw, diff --git a/apparmor.d/abstractions/dconf.d/complete b/apparmor.d/abstractions/dconf.d/complete new file mode 100644 index 000000000..108f6b8c7 --- /dev/null +++ b/apparmor.d/abstractions/dconf.d/complete @@ -0,0 +1,7 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + owner @{user_config_dirs}/glib-2.0/settings/keyfile r, + +# vim:syntax=apparmor From 512b42702b761552153e006c0cb80c47d37b0dba Mon Sep 17 00:00:00 2001 From: odomingao Date: Sun, 21 Jul 2024 11:23:32 -0300 Subject: [PATCH 060/315] add hyprland profile --- apparmor.d/groups/hyprland/hyprland | 70 +++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 apparmor.d/groups/hyprland/hyprland 
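Review bot: The replacement globs `????????` and `tmp????????` match any eight non-slash characters, so they are broader than the `@{rand8}` they replace, and nothing in the hunk says why the tunable was dropped (presumably Python's tempfile alphabet, which includes `_`, does not fit `@{rand8}` — worth confirming). A short comment above the block, e.g. `# python tempfile names: tmp + 8 chars, alphabet includes '_'`, would keep a later cleanup from reverting to `@{rand8}`. The added `owner` qualifiers are an improvement. The profile block continues outside the hunk.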
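Review bot: The new `owner @{user_config_dirs}/glib-2.0/settings/keyfile rw` rule in dconf-write covers only the final file; if GLib's keyfile backend writes atomically through a temporary sibling and a rename (its `g_file_set_contents` path does), a companion rule such as `owner @{user_config_dirs}/glib-2.0/settings/keyfile.@{rand6} rw,` would be needed as well — worth verifying against a denial log before merging. The read-only `r` in the new dconf.d/complete drop-in is consistent with a read abstraction, so only the write side needs checking.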
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland new file mode 100644 index 000000000..25ebbf28d --- /dev/null +++ b/apparmor.d/groups/hyprland/hyprland @@ -0,0 +1,70 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/Hyprland +profile hyprland @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + capability sys_ptrace, + + ptrace read, + + network netlink raw, + + signal send, + + @{exec_path} mr, + + @{bin}/** rPUx, + @{user_bin_dirs}/** rPUx, + owner @{user_share_dirs}/hyprpm/** mr, + + /usr/share/hyprland/{,*} r, + /usr/share/libinput/{,*} r, + + owner @{user_cache_dirs}/hyprland/** w, + owner @{user_config_dirs}/hypr/hyprland.conf r, + + @{run}/systemd/sessions/@{int} r, + @{run}/udev/data/+acpi:* r, + @{run}/udev/data/+dmi:id r, + @{run}/udev/data/+drm:card@{int}-* r, + @{run}/udev/data/+input:input@{int} r, + @{run}/udev/data/+pci:* r, + @{run}/udev/data/+platform:pcspkr r, + @{run}/udev/data/+sound:card@{int} r, + @{run}/udev/data/+usb:* r, + @{run}/udev/data/c13:@{int} r, + @{run}/udev/data/c189:@{int} r, + @{run}/udev/data/c226:@{int} r, + owner @{run}/user/@{uid}/hypr/{,**} rw, + owner @{run}/user/@{uid}/.hyprpaper_* rw, + owner @{run}/user/@{uid}/.hyprpicker_* rw, + owner /tmp/.X@{int}-lock w, + owner /dev/shm/@{uuid} rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + + @{sys}/bus/ r, + @{sys}/class/input/ r, + @{sys}/devices/@{pci}/oot_vga r, + @{sys}/devices/**/uevent r, + + owner @{PROC}/@{pid}/environ r, + + /dev/input/event@{int} rw, + /dev/tty r, + owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor + From fe3d32df1f92ece9c5ee25cb78442830e87a104e Mon Sep 17 00:00:00 2001 
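Review bot: `ptrace read,` and `signal send,` carry no `peer=` restriction (and `signal` no `set=`), so the compositor profile may read any process's state and deliver any signal to any peer on the system; the later edits of this profile in the series keep both rules unchanged. If the intended targets are the compositor's own client processes, narrow them, e.g. `signal send set=(term,kill) peer=<client-profile-placeholder>,` and `ptrace read peer=<client-profile-placeholder>,`, with the peer taken from audit logs rather than guessed. `capability sys_ptrace,` should then be kept only if a denial still shows it is needed for the narrowed rule.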
From: odomingao Date: Sun, 21 Jul 2024 16:10:46 -0300 Subject: [PATCH 061/315] Add access to gamescope --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 25ebbf28d..2a41650b9 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -45,6 +45,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:@{int} r, @{run}/udev/data/c189:@{int} r, @{run}/udev/data/c226:@{int} r, + owner @{run}/user/@{uid}/gamescope-* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, owner @{run}/user/@{uid}/.hyprpaper_* rw, owner @{run}/user/@{uid}/.hyprpicker_* rw, From c4482675ef503ab4301d50ef51696eaf3b75539b Mon Sep 17 00:00:00 2001 From: odomingao Date: Wed, 21 Aug 2024 09:10:01 -0300 Subject: [PATCH 062/315] Update hyprland --- apparmor.d/groups/hyprland/hyprland | 40 ++++++++++++++--------------- 1 file changed, 19 insertions(+), 21 deletions(-) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 2a41650b9..65759f682 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -9,9 +9,9 @@ include @{exec_path} = @{bin}/Hyprland profile hyprland @{exec_path} flags=(attach_disconnected) { include + include include include - include capability sys_ptrace, 
@@ -23,39 +23,37 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/** rPUx, @{user_bin_dirs}/** rPUx, owner @{user_share_dirs}/hyprpm/** mr, /usr/share/hyprland/{,*} r, /usr/share/libinput/{,*} r, - owner @{user_cache_dirs}/hyprland/** w, - owner @{user_config_dirs}/hypr/hyprland.conf r, + owner @{user_cache_dirs}/hyprland/{,**} rw, + owner @{user_config_dirs}/hypr/** r, - @{run}/systemd/sessions/@{int} r, - @{run}/udev/data/+acpi:* r, - @{run}/udev/data/+dmi:id r, - @{run}/udev/data/+drm:card@{int}-* r, - @{run}/udev/data/+input:input@{int} r, - @{run}/udev/data/+pci:* r, - @{run}/udev/data/+platform:pcspkr r, - @{run}/udev/data/+sound:card@{int} r, - @{run}/udev/data/+usb:* r, - @{run}/udev/data/c13:@{int} r, - @{run}/udev/data/c189:@{int} r, - @{run}/udev/data/c226:@{int} r, owner @{run}/user/@{uid}/gamescope-* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, - owner @{run}/user/@{uid}/.hyprpaper_* rw, - owner @{run}/user/@{uid}/.hyprpicker_* rw, - owner /tmp/.X@{int}-lock w, - owner /dev/shm/@{uuid} rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + @{run}/systemd/sessions/@{int} r, + + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+dmi:id r, # for motherboard info + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) 
+ @{run}/udev/data/+platform:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/udev/data/+usb* r, # for USB mouse and keyboard + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{sys}/bus/ r, @{sys}/class/input/ r, - @{sys}/devices/@{pci}/oot_vga r, + @{sys}/devices/@{pci}/boot_vga r, @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/environ r, From 2e048156acafec8248fada2a97d3a807131c1c07 Mon Sep 17 00:00:00 2001 From: odomingao Date: Wed, 21 Aug 2024 09:13:29 -0300 Subject: [PATCH 063/315] Update wayland abstraction --- apparmor.d/abstractions/wayland.d/complete | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index 245b9238d..ee2cc73c9 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete @@ -6,10 +6,15 @@ owner @{user_share_dirs}/sddm/wayland-session.log w, + owner @{run}/user/@{uid}/.hyprpaper_* rw, + owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/wayland-@{int}.lock rwk, owner @{run}/user/@{uid}/wayland-proxy-@{int} rw, + owner /tmp/.X@{int}-lock w, owner /dev/shm/sway* rw, owner /dev/shm/dunst-@{rand6} rw, + owner /dev/shm/@{uuid} rw, + owner /dev/shm/wlroots-@{rand6} rw, # vim:syntax=apparmor From fe86133f4986e000f17a4e68eb90d3446c3accd2 Mon Sep 17 00:00:00 2001 From: odomingao Date: Wed, 21 Aug 2024 09:48:59 -0300 Subject: [PATCH 064/315] Update wayland abstraction --- apparmor.d/abstractions/wayland.d/complete | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index ee2cc73c9..0054a51d0 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete 
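Review bot: Two udev rules are widened beyond what the replaced lines allowed without a justifying comment: `+platform:pcspkr` becomes `+platform:*`, and `+usb:*` becomes `+usb*`, which also matches any `+usb`-prefixed subsystem name rather than only `usb:` devices. Both are read-only device metadata, so the exposure is small, but every neighbouring rule in this block carries a purpose comment; give these two one as well, or restore `+usb:*` if the broader spelling was unintended. The `oot_vga` to `boot_vga` correction is welcome. The profile block starts before this hunk.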
@@ -12,6 +12,7 @@ owner @{run}/user/@{uid}/wayland-proxy-@{int} rw, owner /tmp/.X@{int}-lock w, + owner /dev/shm/grim-@{rand6} rw, owner /dev/shm/sway* rw, owner /dev/shm/dunst-@{rand6} rw, owner /dev/shm/@{uuid} rw, From edfa690e2b0f007f24c1bc6ddd716544fb73f6dc Mon Sep 17 00:00:00 2001 From: odomingao Date: Sat, 31 Aug 2024 13:49:27 -0300 Subject: [PATCH 065/315] Update hyprland --- apparmor.d/groups/hyprland/hyprland | 1 - 1 file changed, 1 deletion(-) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 65759f682..40ee83296 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -23,7 +23,6 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{user_bin_dirs}/** rPUx, owner @{user_share_dirs}/hyprpm/** mr, /usr/share/hyprland/{,*} r, From f91fc287111d62555c7f4789195548078ad40747 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 6 Sep 2024 21:47:24 +0100 Subject: [PATCH 066/315] chore: minor guideline cosmetic. --- apparmor.d/abstractions/wayland.d/complete | 7 ++----- apparmor.d/groups/hyprland/hyprland | 13 +++++++------ 2 files changed, 9 insertions(+), 11 deletions(-) diff --git a/apparmor.d/abstractions/wayland.d/complete b/apparmor.d/abstractions/wayland.d/complete index 0054a51d0..f0c712634 100644 --- a/apparmor.d/abstractions/wayland.d/complete +++ b/apparmor.d/abstractions/wayland.d/complete @@ -6,16 +6,13 @@ owner @{user_share_dirs}/sddm/wayland-session.log w, - owner @{run}/user/@{uid}/.hyprpaper_* rw, - owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/wayland-@{int}.lock rwk, owner @{run}/user/@{uid}/wayland-proxy-@{int} rw, - owner /tmp/.X@{int}-lock w, + owner /dev/shm/@{uuid} rw, + owner /dev/shm/dunst-@{rand6} rw, owner /dev/shm/grim-@{rand6} rw, owner /dev/shm/sway* rw, - owner /dev/shm/dunst-@{rand6} rw, - owner /dev/shm/@{uuid} rw, owner /dev/shm/wlroots-@{rand6} rw, # vim:syntax=apparmor 
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 40ee83296..5fa0ce84b 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -15,23 +15,24 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, - ptrace read, - network netlink raw, signal send, - @{exec_path} mr, + ptrace read, - owner @{user_share_dirs}/hyprpm/** mr, + @{exec_path} mr, /usr/share/hyprland/{,*} r, /usr/share/libinput/{,*} r, owner @{user_cache_dirs}/hyprland/{,**} rw, owner @{user_config_dirs}/hypr/** r, + owner @{user_share_dirs}/hyprpm/** mr, owner @{run}/user/@{uid}/gamescope-* rw, + owner @{run}/user/@{uid}/.hyprpaper_* rw, + owner @{run}/user/@{uid}/.hyprpicker_* rw, owner @{run}/user/@{uid}/hypr/{,**} rw, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @@ -57,8 +58,8 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/environ r, - /dev/input/event@{int} rw, - /dev/tty r, + /dev/input/event@{int} rw, + /dev/tty r, owner /dev/tty@{int} rw, include if exists From a8b1e4609542a23422bd0168a85f82bfb2464698 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 8 Sep 2024 12:21:56 +0100 Subject: [PATCH 067/315] feat(profile): add dmsetup fix #469 --- apparmor.d/profiles-a-f/dmsetup | 23 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 24 insertions(+) create mode 100644 apparmor.d/profiles-a-f/dmsetup diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup new file mode 100644 index 000000000..305e03573 --- /dev/null +++ b/apparmor.d/profiles-a-f/dmsetup 
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/dmsetup +profile dmsetup @{exec_path} { + include + include + + capability sys_admin, + + @{exec_path} mr, + + @{PROC}/devices r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e051078a6..d26b951f7 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -90,6 +90,7 @@ ddcutil complain dino attach_disconnected,complain DiscoverNotifier complain dkms attach_disconnected,complain +dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain From 98042620f6ca9fd558ba888186131fb3baf6cab6 Mon Sep 17 00:00:00 2001 From: odomingao Date: Sat, 7 Sep 2024 10:30:55 -0300 Subject: [PATCH 068/315] Update hyprlock --- apparmor.d/groups/hyprland/hyprlock | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index 86cc79570..9459018ef 100644 --- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -13,6 +13,7 @@ profile hyprlock @{exec_path} { include include include + include network netlink raw, From 7b04e288358b6d4ad6ce3b19a26e4fb4052f361a Mon Sep 17 00:00:00 2001 
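Review bot: `capability sys_admin,` is the one broad grant in the new dmsetup profile and has no comment; a one-liner such as `# device-mapper ioctls require CAP_SYS_ADMIN` (confirm against the denial that motivated it) lets a reviewer tell a required capability from a leftover. The included abstraction names are not legible in this rendering, so I cannot tell whether access to the device-mapper control node comes from an include or is still missing; the `dmsetup complain` entry added to main.flags means that gap would surface as audit entries rather than a denial, so check the logs before moving the profile to enforce.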
From: Alexandre Pujol Date: Sun, 8 Sep 2024 12:36:35 +0100 Subject: [PATCH 069/315] feat(profile): remove transparent_hugepage rule already included in base. --- apparmor.d/groups/network/mullvad-daemon | 1 - apparmor.d/groups/network/tailscale | 2 -- apparmor.d/groups/network/tailscaled | 1 - apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 -- apparmor.d/groups/ubuntu/ubuntu-report | 2 -- apparmor.d/groups/virt/cni-bandwidth | 2 -- apparmor.d/groups/virt/cni-bridge | 2 -- apparmor.d/groups/virt/cni-calico | 2 -- apparmor.d/groups/virt/cni-firewall | 2 -- apparmor.d/groups/virt/cni-flannel | 2 -- apparmor.d/groups/virt/cni-host-local | 2 -- apparmor.d/groups/virt/cni-loopback | 2 -- apparmor.d/groups/virt/cni-portmap | 2 -- apparmor.d/groups/virt/cni-tuning | 2 -- apparmor.d/groups/virt/containerd | 1 - apparmor.d/groups/virt/containerd-shim-runc-v2 | 1 - apparmor.d/groups/virt/docker-proxy | 2 -- apparmor.d/groups/virt/dockerd | 1 - apparmor.d/groups/virt/k3s | 1 - apparmor.d/profiles-a-f/aa-log | 2 -- apparmor.d/profiles-a-f/arduino-builder | 2 -- apparmor.d/profiles-a-f/browserpass | 2 -- apparmor.d/profiles-a-f/dnscrypt-proxy | 2 -- apparmor.d/profiles-g-l/hugo | 2 -- apparmor.d/profiles-s-z/sbctl | 2 -- apparmor.d/profiles-s-z/sing-box | 2 -- apparmor.d/profiles-s-z/snap | 1 - apparmor.d/profiles-s-z/snap-failure | 2 -- apparmor.d/profiles-s-z/snap-seccomp | 2 -- apparmor.d/profiles-s-z/snap-update-ns | 1 - apparmor.d/profiles-s-z/snapd | 1 - apparmor.d/profiles-s-z/snapd-aa-prompt-listener | 2 -- apparmor.d/profiles-s-z/snapd-apparmor | 2 -- apparmor.d/profiles-s-z/syncthing | 2 -- apparmor.d/profiles-s-z/zsysd | 2 -- 35 files changed, 61 deletions(-) diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index dcdb1738a..a57213481 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon 
@@ -55,7 +55,6 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, owner @{tmp}/@{uuid} rw, owner @{tmp}/talpid-openvpn-@{uuid} rw, diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 5c3b62211..37029973b 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -27,8 +27,6 @@ profile tailscale @{exec_path} { owner @{run}/tailscale/tailscaled.sock rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/ r, @{PROC}/@{pids}/stat r, @{PROC}/sys/net/core/somaxconn r, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 121697da6..dd3f253db 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -69,7 +69,6 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { owner @{run}/tailscale/{,**} rw, @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/ r, @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 54c116677..4ce754d65 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -21,8 +21,6 @@ profile apt-esm-json-hook @{exec_path} { /var/lib/ubuntu-advantage/{,**} r, /var/lib/ubuntu-advantage/apt-esm/{,**} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{run}/cloud-init/cloud-id-nocloud r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 5edc9ebd2..54e444532 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report 
@@ -23,8 +23,6 @@ profile ubuntu-report @{exec_path} { owner @{user_cache_dirs}/ubuntu-report/{,*} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 21914faf8..0159f603e 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -18,8 +18,6 @@ profile cni-bandwidth @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge index 37de32ae0..70347fe59 100644 --- a/apparmor.d/groups/virt/cni-bridge +++ b/apparmor.d/groups/virt/cni-bridge @@ -12,8 +12,6 @@ profile cni-bridge @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 7c39a7ad2..47d5590a2 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -41,8 +41,6 @@ profile cni-calico @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/{conf,neigh}/cali[0-9a-z]*/* rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall index 866b9dc96..028f5bd6f 100644 --- a/apparmor.d/groups/virt/cni-firewall +++ b/apparmor.d/groups/virt/cni-firewall @@ -12,8 +12,6 @@ profile cni-firewall @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel index 05929a64c..ac473fbcb 100644 --- a/apparmor.d/groups/virt/cni-flannel +++ b/apparmor.d/groups/virt/cni-flannel 
@@ -12,8 +12,6 @@ profile cni-flannel @{exec_path} flags=(complain,attach_disconnected){ @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local index bf555cfd8..50b8f315b 100644 --- a/apparmor.d/groups/virt/cni-host-local +++ b/apparmor.d/groups/virt/cni-host-local @@ -12,8 +12,6 @@ profile cni-host-local @{exec_path} flags=(complain,attach_disconnected){ @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index d05a303de..a7d24e306 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -22,8 +22,6 @@ profile cni-loopback @{exec_path} flags=(attach_disconnected) { @{run}/netns/ r, @{run}/netns/cni-@{uuid} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index db29f252c..bc4a00fa2 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -19,8 +19,6 @@ profile cni-portmap @{exec_path} { @{PROC}/sys/net/ipv{4,6}/conf/cali[0-9a-z]*/route_localnet rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning index ee7133b31..c0e3a3fd2 100644 --- a/apparmor.d/groups/virt/cni-tuning +++ b/apparmor.d/groups/virt/cni-tuning @@ -12,8 +12,6 @@ profile cni-tuning @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index f85a3571c..9ae6596ee 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd 
@@ -92,7 +92,6 @@ profile containerd @{exec_path} flags=(attach_disconnected) { owner /var/tmp/** rwkl, @{sys}/fs/cgroup/kubepods/** r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index c705c0cc8..428473f5d 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -49,7 +49,6 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/{,**} rw, @{sys}/fs/cgroup/kubepods/{,**} rw, @{sys}/kernel/mm/hugepages/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy index d549168ee..4bb1d9497 100644 --- a/apparmor.d/groups/virt/docker-proxy +++ b/apparmor.d/groups/virt/docker-proxy @@ -20,8 +20,6 @@ profile docker-proxy @{exec_path} { @{exec_path} mr, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/net/core/somaxconn r, include if exists diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index f552c5289..64bba083d 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -75,7 +75,6 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/profiles r, @{sys}/module/apparmor/parameters/enabled r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 5905d4895..e1cded61d 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s 
@@ -163,7 +163,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{,**/} r, @{sys}/kernel/mm/hugepages/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/mm/hugepages/hugepages-*/nr_hugepages r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index 6d1f690f6..74fbebcb1 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -27,8 +27,6 @@ profile aa-log @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/{,*} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/kernel/cap_last_cap r, /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder index 23f8628e5..d35004e35 100644 --- a/apparmor.d/profiles-a-f/arduino-builder +++ b/apparmor.d/profiles-a-f/arduino-builder @@ -39,8 +39,6 @@ profile arduino-builder @{exec_path} { owner @{HOME}/Arduino/{,**} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /tmp/ r, owner @{tmp}/cc* rw, owner @{tmp}/untitled[0-9]*.tmp/{,**} rw, diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass index cfc5d3b0b..f35e0c640 100644 --- a/apparmor.d/profiles-a-f/browserpass +++ b/apparmor.d/profiles-a-f/browserpass @@ -25,8 +25,6 @@ profile browserpass @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw, owner @{tmp}/mozilla-temp-@{int} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pid}/mountinfo r, # Inherit Silencer diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index 03d47e395..6727b8201 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy 
@@ -52,8 +52,6 @@ profile dnscrypt-proxy @{exec_path} { @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/core/somaxconn r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo index fcb585020..9cf73dc49 100644 --- a/apparmor.d/profiles-g-l/hugo +++ b/apparmor.d/profiles-g-l/hugo @@ -40,8 +40,6 @@ profile hugo @{exec_path} { owner @{tmp}/hugo_cache/{,**} rwkl, owner @{tmp}/go-codehost-@{int} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/sys/net/core/somaxconn r, include if exists diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 938ecb638..57d8fb5e6 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -30,8 +30,6 @@ profile sbctl @{exec_path} { @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /dev/pts/@{int} rw, # File Inherit diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box index eb9866b53..221da9617 100644 --- a/apparmor.d/profiles-s-z/sing-box +++ b/apparmor.d/profiles-s-z/sing-box @@ -31,8 +31,6 @@ profile sing-box @{exec_path} { owner @{user_share_dirs}/certmagic/** rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - include if exists } diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index f59fd9226..158744d0c 100644 --- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -70,7 +70,6 @@ profile snap @{exec_path} { @{run}/mount/utab r, @{run}/snapd.socket rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/features/{,**} r, @{PROC}/@{pids}/cgroup r, diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure index df8fe47fb..61372b169 100644 --- a/apparmor.d/profiles-s-z/snap-failure 
+++ b/apparmor.d/profiles-s-z/snap-failure @@ -19,8 +19,6 @@ profile snap-failure @{exec_path} { /var/lib/snapd/sequence/snapd.json r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/cmdline r, profile systemctl { diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index 0da410bca..4c34746ed 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -20,8 +20,6 @@ profile snap-seccomp @{exec_path} { /var/lib/snapd/seccomp/bpf/{,**} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - owner @{PROC}/@{pids}/mountinfo r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns index e9315f5c7..2092ab1c9 100644 --- a/apparmor.d/profiles-s-z/snap-update-ns +++ b/apparmor.d/profiles-s-z/snap-update-ns @@ -47,7 +47,6 @@ profile snap-update-ns @{exec_path} { @{sys}/fs/cgroup/{,**/} r, @{sys}/fs/cgroup/system.slice/snap.*.service/cgroup.freeze rw, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{PROC}/@{pids}/cgroup r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index fa5ef1956..672ae2f7b 100644 --- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -153,7 +153,6 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, @{sys}/kernel/kexec_loaded r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener index 3e3045b80..6cc8801aa 100644 --- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener 
+++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener @@ -16,8 +16,6 @@ profile snapd-aa-prompt-listener @{exec_path} { @{lib_dirs}/snapd/info r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/cmdline r, include if exists diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor index 22a9c5faa..edd266c20 100644 --- a/apparmor.d/profiles-s-z/snapd-apparmor +++ b/apparmor.d/profiles-s-z/snapd-apparmor @@ -22,8 +22,6 @@ profile snapd-apparmor @{exec_path} { /var/lib/snapd/apparmor/profiles/ r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/cmdline r, include if exists diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 50b04668b..b65a56145 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -36,8 +36,6 @@ profile syncthing @{exec_path} { /home/ r, @{user_sync_dirs}/{,**} rw, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - @{PROC}/@{pids}/net/route r, @{PROC}/sys/net/core/somaxconn r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index c325e216d..eabe2d62c 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -37,8 +37,6 @@ profile zsysd @{exec_path} flags=(complain) { @{PROC}/cmdline r, @{PROC}/sys/kernel/spl/hostid r, - @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, - /dev/pts/@{int} rw, /dev/zfs rw, From 54e013824e0599aea01fcdc57f5778931e4bc458 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 8 Sep 2024 12:38:54 +0100 Subject: [PATCH 070/315] feat(profile): update libreoffice. see #470 --- apparmor.d/profiles-g-l/libreoffice | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 2a7295f49..4b9812c55 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice 
@@ -15,6 +15,8 @@ profile libreoffice @{exec_path} { include include include + include + include include include include @@ -41,14 +43,14 @@ profile libreoffice @{exec_path} { @{open_path} rPx -> child-open-browsers, - @{bin}/gpgconf rPx, - @{bin}/gpgsm rPx, - @{bin}/gpg rPx, + @{bin}/gpg rPx, + @{bin}/gpgconf rPx, + @{bin}/gpgsm rPx, @{lib}/libreoffice/program/javaldx rix, @{lib}/libreoffice/program/oosplash rix, @{lib}/libreoffice/program/soffice.bin rix, - @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/bin/java rix, @{lib}/jvm/java*/lib/** rm, @{lib}/libreoffice/{,**} rm, @@ -70,6 +72,10 @@ profile libreoffice @{exec_path} { owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, + owner @{user_config_dirs}/kcminputrc r, + owner @{user_config_dirs}/kdedefaults/kcminputrc r, + + owner @{tmp}/ r, owner @{tmp}/@{rand6} rwk, owner @{tmp}/*.tmp/{,**} rwk, owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} w, From 4f310b88024e009e2f7dd719840c28661e202f63 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 8 Sep 2024 12:41:49 +0100 Subject: [PATCH 071/315] feat(profile): update dolphin. fix #470 --- apparmor.d/groups/kde/dolphin | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 89e5685d9..b76cff2a0 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -82,6 +82,8 @@ profile dolphin @{exec_path} { owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, owner @{user_cache_dirs}/ksplash/qmlcache/*.qmlc.@{rand6} rwl -> @{user_cache_dirs}/dolphin/qmlcache/#@{int}, + owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, + @{run}/mount/utab r, owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/#@{int} rw, From 2af1d06f183302037a10f62641b90ee644a65eaf Mon Sep 17 00:00:00 2001 
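Review bot: `owner @{tmp}/ r,` in the third libreoffice hunk (`@@ -70,6 +72,10 @@`) only takes effect when `@{tmp}` expands to a directory owned by the calling user; if it expands to the shared, root-owned `/tmp/`, the `owner` qualifier makes the rule dead for unprivileged users, and if it expands to a per-user private tmp it is a plain directory listing. The neighbouring `owner @{tmp}/@{rand6} rwk,` and `owner @{tmp}/*.tmp/{,**} rwk,` rules already cover the files themselves without a directory read, so it is worth confirming from the tunable which expansion applies and whether the listing is actually required. If it is, a one-line comment naming the LibreOffice path that enumerates the directory would stop the next reader from removing it as dead.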
From: Alexandre Pujol Date: Sun, 8 Sep 2024 13:25:49 +0100 Subject: [PATCH 072/315] feat(tunable): add @{editor_path} & @{pager_path}. --- apparmor.d/groups/_full/default | 4 +--- apparmor.d/groups/apt/apt | 8 +++----- apparmor.d/groups/apt/apt-listchanges | 6 +++--- apparmor.d/groups/apt/aptitude | 11 +++++------ apparmor.d/groups/apt/dpkg | 5 +---- apparmor.d/groups/apt/dpkg-query | 4 +--- apparmor.d/groups/apt/reportbug | 4 +--- apparmor.d/groups/cron/crontab | 6 +----- apparmor.d/groups/network/nmcli | 4 +--- apparmor.d/groups/pacman/pacman | 5 +---- apparmor.d/groups/systemd/bootctl | 4 +--- apparmor.d/groups/systemd/busctl | 4 +--- apparmor.d/groups/systemd/coredumpctl | 4 +--- apparmor.d/groups/systemd/journalctl | 4 +--- apparmor.d/groups/systemd/localectl | 4 +--- apparmor.d/groups/systemd/loginctl | 4 +--- apparmor.d/groups/systemd/networkctl | 4 +--- apparmor.d/groups/systemd/systemd-analyze | 4 +--- apparmor.d/groups/systemd/systemd-cgls | 4 +--- apparmor.d/groups/systemd/systemd-cgtop | 4 +--- apparmor.d/groups/systemd/systemd-dissect | 4 +--- apparmor.d/groups/systemd/systemd-mount | 4 +--- apparmor.d/groups/systemd/systemd-udevd | 4 +--- apparmor.d/groups/systemd/userdbctl | 4 +--- apparmor.d/profiles-a-f/dmesg | 4 +--- apparmor.d/profiles-g-l/git | 10 +++------- apparmor.d/profiles-g-l/gpo | 4 +--- apparmor.d/profiles-m-r/mutt | 13 +++---------- apparmor.d/profiles-m-r/pass | 7 ++----- apparmor.d/profiles-s-z/task | 5 +---- apparmor.d/profiles-s-z/udisksctl | 4 +--- apparmor.d/profiles-s-z/vipw-vigr | 4 +--- apparmor.d/tunables/multiarch.d/paths | 10 ++++++++-- apparmor.d/tunables/multiarch.d/programs | 9 +++++++++ docs/install.md | 4 +--- 35 files changed, 63 insertions(+), 124 deletions(-) diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index 733d227cb..b6689cb1d 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default 
@@ -45,9 +45,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{coreutils_path} rix, @{shells_path} rix, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, # @{open_path} rPx -> child-open, diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 38bd8f3eb..9907ae02f 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -99,11 +99,10 @@ profile apt @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language-options rPx, # For editing the sources.list file - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, + @{editor_path} rCx -> editor, # For changelogs - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, #aa:only whonix @{lib}/uwt/uwtwrapper rix, @@ -168,8 +167,7 @@ profile apt @{exec_path} flags=(attach_disconnected) { @{bin}/ r, @{sh_path} rix, - @{bin}/less rix, - @{bin}/sensible-pager mr, + @{pager_path} rmix, @{bin}/which{,.debianutils} rix, /root/ r, # For shell pwd diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index 8613f2280..fbabcd983 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -28,7 +28,7 @@ profile apt-listchanges @{exec_path} { # shared object file): ignored. @{bin}/dpkg-deb rpx, # - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, # Send results using email @{bin}/exim4 rPx, @@ -83,12 +83,11 @@ profile apt-listchanges @{exec_path} { capability dac_read_search, #capability sys_tty_config, - @{bin}/sensible-pager mr, + @{pager_path} mrix, @{bin}/ r, @{sh_path} rix, @{bin}/which{,.debianutils} rix, - @{bin}/less rix, owner @{HOME}/.less* rw, @@ -98,6 +97,7 @@ profile apt-listchanges @{exec_path} { /tmp/ r, owner @{tmp}/apt-listchanges-tmp*.txt r, + include if exists } include if exists 
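Review bot: The apt hunk at `@@ -168,8 +167,7 @@` spells the child-profile rule as `@{pager_path} rmix,` while the apt-listchanges hunk on the same line (`@@ -83,12 +83,11 @@`) writes the equivalent set as `@{pager_path} mrix,`, and the aptitude hunk that follows uses the `mrix` order too. Both mean the same to the parser, but one spelling across the new rules would keep grepping for pager rules reliable; `@{pager_path} mrix,` is the form the rest of the commit uses. The apt child profile header is outside the hunk, so the enclosing profile is inferred from the earlier `@{pager_path} rCx -> pager,` transition.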
diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 12bd0efb1..7b36e4abe 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -105,7 +105,7 @@ profile aptitude @{exec_path} flags=(complain) { owner @{user_cache_dirs}/aptitude/ rw, owner @{user_cache_dirs}/aptitude/metadata-download{,-journal} rw, owner @{user_cache_dirs}/aptitude/metadata-download rwk, - @{bin}/sensible-pager rCx -> pager, + @{pager_path} rCx -> pager, # For aptitude-run-state-bundle owner @{tmp}/aptitudebug.*/ r, @@ -171,20 +171,19 @@ profile aptitude @{exec_path} flags=(complain) { include include - @{bin}/ r, - @{bin}/sensible-pager mr, - @{sh_path} rix, + @{bin}/ r, + @{editor_path} mrix, + @{sh_path} rix, @{bin}/which{,.debianutils} rix, - @{bin}/less rix, owner @{HOME}/.less* rw, - owner @{tmp}/aptitude-*.@{pid}:*/aptitude-download-* rw, # For shell pwd /root/ r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index b8e577833..c22ba0ae5 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -34,10 +34,7 @@ profile dpkg @{exec_path} { @{lib}/needrestart/dpkg-status rPx, /usr/share/debian-security-support/check-support-status.hook rPx, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/diff rPx -> child-pager, + @{pager_path} rPx -> child-pager, # Package maintainer's scripts # Move it to a child profile once more transitions will be available diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index f8150cc37..9a5512c2c 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -16,9 +16,7 @@ profile dpkg-query @{exec_path} { @{sh_path} rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dpkg/** r, 
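Review bot: In the aptitude hunk at `@@ -171,20 +171,19 @@`, the line `@{editor_path} mrix,` appears to land in the child profile that the parent enters through `@{pager_path} rCx -> pager,` (the child header is outside the hunk, so this is inferred from that earlier transition). The removed lines `@{bin}/sensible-pager mr,` and `@{bin}/less rix,` were the only pager binaries granted there; after the change the child allows editors but no pager, so the transition would reach a profile that denies the very binary being executed. The rule should presumably read `@{pager_path} mrix,`, matching the apt and apt-listchanges children on the previous line.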
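Review bot: The dpkg hunk (`@@ -34,10 +34,7 @@`) drops `@{bin}/diff rPx -> child-pager,` together with the three pager lines, but `@{pager_names}` as defined later in this commit in `apparmor.d/tunables/multiarch.d/programs` is `sensible-pager pager less more` and does not include `diff`, so dpkg silently loses its transition for diff; the pacman hunk at `@@ -196,10 +196,7 @@` has the same drop. If diff output is still meant to go through child-pager, keep `@{bin}/diff rPx -> child-pager,` as its own line in both profiles rather than adding `diff` to `@{pager_names}`, since the latter would grant it to every profile that references the tunable. Either way the removal deserves a word in the commit message, as it is a behaviour change hidden inside a refactor.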
diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index e7b8e1d29..1571298af 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug @@ -47,10 +47,8 @@ profile reportbug @{exec_path} { @{bin}/dlocate rPx, @{bin}/dpkg rPx -> child-dpkg, @{bin}/dpkg-query rpx, - @{bin}/less rPx -> child-pager, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/systemctl rCx -> systemctl, @{lib}/firefox/firefox rPUx, # App allowed to open /usr/share/bug/* rPUx, diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index c5aaf5546..2743173f8 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -22,11 +22,7 @@ profile crontab @{exec_path} { @{exec_path} mr, @{sh_path} rix, - - # When editing the crontab file - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/nvim rCx -> editor, + @{editor_path} rCx -> editor, /etc/cron.{allow,deny} r, /etc/environment r, diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 2345d9d2c..6c9a13203 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -15,9 +15,7 @@ profile nmcli @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, owner @{HOME}/.nm-vpngate/*.ovpn r, owner @{HOME}/.cert/nm-openvpn/*.pem rw, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index ab08d1f18..6ab0802ba 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman 
@@ -196,10 +196,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { signal send set=cont peer=child-pager, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/diff rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 2bd8c4c78..4a5d4d832 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -22,9 +22,7 @@ profile bootctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /{boot,efi}/ r, /{boot,efi}/EFI/{,**} r, diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index baf89561d..64396608f 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -37,9 +37,7 @@ profile busctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/comm r, diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index 7c4149bee..b291c0493 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -22,9 +22,7 @@ profile coredumpctl @{exec_path} flags=(complain) { @{bin}/gdb rCx -> gdb, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 4b5f11810..79af65679 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl 
@@ -25,9 +25,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /var/lib/dbus/machine-id r, /etc/machine-id r, diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 46f67b325..3ab09cfca 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -15,9 +15,7 @@ profile localectl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /usr/share/kbd/keymaps/{,**} r, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 345957e3f..b5228f222 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -19,9 +19,7 @@ profile loginctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, include if exists } diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index 4c841e97d..ae188df5f 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -35,9 +35,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/udev/hwdb.bin r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index deb22cbc1..0c3b38d64 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze 
@@ -28,9 +28,7 @@ profile systemd-analyze @{exec_path} { @{lib}/systemd/system-environment-generators/* rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/man rPx, /usr/ r, diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index ed7254339..e58fec015 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -14,9 +14,7 @@ profile systemd-cgls @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop index 9ae69cd69..cd0f1e416 100644 --- a/apparmor.d/groups/systemd/systemd-cgtop +++ b/apparmor.d/groups/systemd/systemd-cgtop @@ -14,9 +14,7 @@ profile systemd-cgtop @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/fs/cgroup/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 991a787d2..cd3ba97ca 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -25,9 +25,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/fsck rPx, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, # Location of file system OS images @{user_build_dirs}/{,**} r, diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount index 4db3dcacf..a86bf152d 100644 --- a/apparmor.d/groups/systemd/systemd-mount +++ b/apparmor.d/groups/systemd/systemd-mount 
@@ -13,9 +13,7 @@ profile systemd-mount @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index fa096a35d..5c1709201 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -37,6 +37,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{sh_path} rix, @{coreutils_path} rix, + @{pager_path} rPx -> child-pager, @{bin}/*-print-pci-ids rix, @{bin}/alsactl rPUx, @{bin}/ddcutil rPx, @@ -44,16 +45,13 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { @{bin}/ethtool rix, @{bin}/issue-generator rPx, @{bin}/kmod rPx, - @{bin}/less rPx -> child-pager, @{bin}/logger rix, @{bin}/ls rix, @{bin}/lvm rPx, @{bin}/mknod rix, - @{bin}/more rPx -> child-pager, @{bin}/multipath rPx, @{bin}/nfsrahead rix, @{bin}/nvidia-modprobe rPx -> child-modprobe-nvidia, - @{bin}/pager rPx -> child-pager, @{bin}/perl rix, @{bin}/setfacl rix, @{bin}/sg_inq rix, diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 159d1442a..279560e99 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -16,9 +16,7 @@ profile userdbctl @{exec_path} { @{exec_path} mr, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/shadow r, /etc/gshadow r, diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index 819cd234e..f2d0c7665 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg 
@@ -18,9 +18,7 @@ profile dmesg @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - @{bin}/pager rPx -> child-pager, + @{pager_path} rPx -> child-pager, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 47450b8e6..8a2ffb797 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -62,9 +62,7 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/wc rix, @{bin}/whoami rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, @{bin}/man rPx, @{bin}/meld rPUx, @@ -74,10 +72,8 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/ssh rCx -> ssh, - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - + @{editor_path} rCx -> editor, + /usr/share/git{,-core}/{,**} r, /usr/share/libalternatives/{,**} r, /usr/share/terminfo/** r, diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo index 97c89a433..411d078bd 100644 --- a/apparmor.d/profiles-g-l/gpo +++ b/apparmor.d/profiles-g-l/gpo @@ -27,9 +27,7 @@ profile gpo @{exec_path} { @{bin}/ r, @{sh_path} rix, @{bin}/uname rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /etc/inputrc r, diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 1ed63e68e..9d01e2269 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt 
@@ -37,13 +37,8 @@ profile mutt @{exec_path} { @{bin}/w3m rCx -> html-renderer, @{bin}/lynx rCx -> html-renderer, - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/sensible-editor rCx -> editor, - - @{bin}/less rCx -> pager, - @{bin}/more rCx -> pager, - @{bin}/pager rCx -> pager, + @{editor_path} rCx -> editor, + @{pager_path} rCx -> pager, @{bin}/gpg{2,} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @@ -118,9 +113,7 @@ profile mutt @{exec_path} { include include - @{bin}/less mr, - @{bin}/more mr, - @{bin}/pager mr, + @{pager_path} mr, /usr/share/terminfo/** r, /usr/share/file/misc/magic.mgc r, diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 5bd851921..3796dfbc4 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -46,7 +46,7 @@ profile pass @{exec_path} { @{bin}/gpg{2,} rCx -> gpg, @{bin}/pkill rCx -> pkill, @{bin}/qdbus rCx -> qdbus, - @{bin}/vim{,.*} rCx -> editor, + @{editor_path} rCx -> editor, @{lib}/git{,-core}/git rCx -> git, @{bin}/wl-{copy,paste} rPx, @{bin}/xclip rPx, @@ -112,10 +112,7 @@ profile pass @{exec_path} { @{bin}/git* mrix, @{lib}/git{,-core}/git* mrix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, - + @{pager_path} rPx -> child-pager, @{bin}/gpg{2,} rPx -> pass//gpg, /usr/share/git{,-core}/{,**} r, diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task index bd7f276a8..87b9be2df 100644 --- a/apparmor.d/profiles-s-z/task +++ b/apparmor.d/profiles-s-z/task @@ -23,10 +23,7 @@ profile task @{exec_path} { @{exec_path} mr, @{sh_path} rix, - - @{bin}/vim rCx -> editor, - @{bin}/vim.* rCx -> editor, - @{bin}/sensible-editor rCx -> editor, + @{editor_path} rCx -> editor, /usr/share/{doc/,}task{warrior,}/** r, diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl index a05cede9c..63e8b7c79 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl 
@@ -15,9 +15,7 @@ profile udisksctl @{exec_path} { @{sh_path} rix, - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 835267c2d..5b42ab828 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -16,9 +16,7 @@ profile vipw-vigr @{exec_path} { @{exec_path} mr, @{sh_path} rix, - - @{bin}/sensible-editor rCx -> editor, - @{bin}/vim.* rCx -> editor, + @{editor_path} rCx -> editor, /etc/login.defs r, diff --git a/apparmor.d/tunables/multiarch.d/paths b/apparmor.d/tunables/multiarch.d/paths index 35bf0c58f..83aec3ce3 100644 --- a/apparmor.d/tunables/multiarch.d/paths +++ b/apparmor.d/tunables/multiarch.d/paths @@ -34,10 +34,16 @@ @{emails_path} = @{thunderbird_path} @{bin}/@{emails_names} # Open -@{open_path} = @{bin}/exo-open @{bin}/xdg-open @{bin}/gio @{bin}/kde-open -@{open_path} += @{bin}/gio-launch-desktop @{lib}/gio-launch-desktop +@{open_path} = @{bin}/@{open_names} +@{open_path} += @{lib}/gio-launch-desktop @{open_path} += @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop +# Editor +@{editor_path} = @{bin}/@{editor_names} + +# Pager +@{pager_path} = @{bin}/@{pager_names} + # File explorers @{file_explorers_path} = @{bin}/@{file_explorers_names} diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 9c0c4d305..8dd2f237c 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -28,6 +28,15 @@ # Python interpreters @{python_name} = python{,3,3.[0-9],3.1[0-9]} +# Open +@{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop + +# Editor +@{editor_names} = sensible-editor vim{,.*} nvim nano + +# Pager +@{pager_names} = sensible-pager pager less more + # Browsers @{brave_name} = brave{,-beta,-dev,-bin} 
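Review bot: In the vipw-vigr hunk, `@{editor_path} rCx -> editor` launches the editor as root on the shadow/passwd/group files, and the tunable adds `nvim` and `nano` to a set that previously held only `sensible-editor` and `vim.*`. Both vim (`:!cmd`) and nano (execute-command) can spawn a shell, so the `editor` child profile — outside this hunk — is where that must be denied; please confirm it does not grant `@{sh_path}` with `ix` before this goes to enforce. A one-line comment like `# editor child runs as root on shadow files; keep shell exec out of it` would record the intent.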
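Review bot: The new `@{editor_names}` and `@{pager_names}` lists in the programs hunk carry no note that every profile using `@{editor_path} rCx -> editor` or `@{pager_path} rPx -> child-pager` inherits additions made here, so a later `+= emacs` silently widens the editor child of git, mutt, pass, task and vipw-vigr at once. Suggest replacing `# Editor` with `# Editor: consumed via @{editor_path}; additions reach every profile's editor child` and likewise for `# Pager`. `vim{,.*}` also matches GUI builds such as vim.gtk3, which presumably need more than a terminal editor's rules — confirm that is intended.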
diff --git a/docs/install.md b/docs/install.md index 5afac9c77..5d84331ce 100644 --- a/docs/install.md +++ b/docs/install.md @@ -148,9 +148,7 @@ The following desktop environments are supported: @{bin}/wl-{copy,paste} rPx, @{bin}/xclip rPx, @{bin}/python3.@{int} rPx -> pass-import, # pass-import - @{bin}/pager rPx -> child-pager, - @{bin}/less rPx -> child-pager, - @{bin}/more rPx -> child-pager, + @{pager_path} rPx -> child-pager, '.build/apparmor.d/pass' -> '/etc/apparmor.d/pass' ``` So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. From d4e380ad46a7cb3c5f9b7d935bcd94b093124530 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 9 Sep 2024 19:40:42 +0100 Subject: [PATCH 073/315] feat(profile): update & enable profiles in the apps group. see #471 --- .../{groups/apps => profiles-a-f}/calibre | 58 ++++++++++--------- .../{groups/apps => profiles-a-f}/discord | 14 +++-- .../discord-chrome-sandbox | 0 .../{groups/apps => profiles-a-f}/dropbox | 5 +- .../{groups/apps => profiles-a-f}/filezilla | 26 ++++++--- .../{groups/apps => profiles-a-f}/freetube | 6 +- .../freetube-chrome-sandbox | 0 .../apps => profiles-s-z}/signal-desktop | 29 ++++++---- .../signal-desktop-chrome-sandbox | 4 +- .../apps => profiles-s-z}/telegram-desktop | 26 +++++---- dists/flags/main.flags | 12 ++++ dists/ignore/main.ignore | 5 -- 12 files changed, 115 insertions(+), 70 deletions(-) rename apparmor.d/{groups/apps => profiles-a-f}/calibre (67%) rename apparmor.d/{groups/apps => profiles-a-f}/discord (73%) rename apparmor.d/{groups/apps => profiles-a-f}/discord-chrome-sandbox (100%) rename apparmor.d/{groups/apps => profiles-a-f}/dropbox (91%) rename apparmor.d/{groups/apps => profiles-a-f}/filezilla (75%) rename apparmor.d/{groups/apps => profiles-a-f}/freetube (80%) rename apparmor.d/{groups/apps => profiles-a-f}/freetube-chrome-sandbox (100%) rename apparmor.d/{groups/apps => profiles-s-z}/signal-desktop (50%) rename apparmor.d/{groups/apps => profiles-s-z}/signal-desktop-chrome-sandbox (85%) rename apparmor.d/{groups/apps => profiles-s-z}/telegram-desktop (66%) diff --git a/apparmor.d/groups/apps/calibre b/apparmor.d/profiles-a-f/calibre similarity index 67% rename from apparmor.d/groups/apps/calibre rename to apparmor.d/profiles-a-f/calibre index f1b3e9050..d58a8d042 100644 --- a/apparmor.d/groups/apps/calibre +++ b/apparmor.d/profiles-a-f/calibre 
@@ -7,23 +7,22 @@ abi , include -@{exec_path} = @{bin}/calibre{,-parallel,-debug,-server,-smtp,-complete,-customize} -@{exec_path} += @{bin}/calibredb -@{exec_path} += @{bin}/ebook{-viewer,-edit,-device,-meta,-polish,-convert} +@{exec_path} = @{bin}/calibre{,-*} @{bin}/calibredb @{bin}/ebook{,-*} @{exec_path} += @{bin}/fetch-ebook-metadata -@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer -@{exec_path} += @{bin}/web2disk +@{exec_path} += @{bin}/lrs2lrf @{bin}/lrf2lrs @{bin}/lrfviewer @{bin}/web2disk profile calibre @{exec_path} { include include include include include - include + include + include include include include include + include include include include @@ -45,20 +44,19 @@ profile calibre @{exec_path} { unix (bind) type=stream addr="@calibre-*", @{exec_path} mrix, - @{bin}/python3.@{int} r, - @{bin}/ldconfig{,.real} rix, @{sh_path} rix, + @{python_path} rix, @{bin}/file rix, + @{bin}/ldconfig{,.real} rix, @{bin}/uname rix, - @{lib}/@{multiarch}/qt5/libexec/QtWebEngineProcess rix, + @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix, @{bin}/pdftoppm rPUx, # (#FIXME#) @{bin}/pdfinfo rPUx, @{bin}/pdftohtml rPUx, - @{bin}/xdg-open rPx -> child-open, - @{bin}/xdg-mime rPx, + @{open_path} rPx -> child-open, /usr/share/calibre/{,**} r, @@ -79,16 +77,11 @@ profile calibre @{exec_path} { owner @{user_config_dirs}/calibre/** rwk, owner @{user_share_dirs}/calibre-ebook.com/ rw, - owner @{user_share_dirs}/calibre-ebook.com/calibre/ rw, - owner @{user_share_dirs}/calibre-ebook.com/calibre/** rwk, + owner @{user_share_dirs}/calibre-ebook.com/** rwk, - owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/calibre/ rw, owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**, - owner @{user_cache_dirs}/gstreamer-@{int}/ rw, - owner @{user_cache_dirs}/gstreamer-@{int}/registry.*.bin{,.tmp@{rand6}} rw, - owner @{tmp}/calibre_*_tmp_*/{,**} rw, owner @{tmp}/calibre-*/{,**} rw, owner @{tmp}/@{int}-*/ rw, 
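Review bot: In the first calibre hunk, `@{exec_path} = @{bin}/calibre{,-*} @{bin}/calibredb @{bin}/ebook{,-*}` attaches this profile to any `@{bin}/calibre-*` or `@{bin}/ebook-*` binary rather than the enumerated tools it replaces, so an unrelated package shipping e.g. `ebook-foo` would run under calibre's fairly broad profile; a comment stating which binaries the glob is meant to cover would help the next reviewer. The second hunk also uses `@{open_path} rPx -> child-open` while discord, dropbox, freetube, signal-desktop and telegram-desktop in the same patch use `child-open-strict`; unless calibre needs the wider target, `@{open_path} rPx -> child-open-strict,` keeps the patch consistent.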
@@ -98,18 +91,31 @@ profile calibre @{exec_path} { @{sys}/devices/@{pci}/irq r, - @{PROC}/ r, - @{PROC}/@{pids}/net/route r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/vmstat r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, + @{PROC}/ r, + @{PROC}/@{pids}/net/route r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + @{PROC}/vmstat r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/stat{,m} r, owner @{PROC}/@{pid}/stat{,m} r, owner @{PROC}/@{pid}/comm r, - owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/stat{,m} r, + owner @{PROC}/@{pid}/comm r, + owner @{PROC}/@{pid}/task/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/status r, + owner @{PROC}/@{pid}/task/@{tid}/status r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny owner @{PROC}/@{pid}/cmdline r, + deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, + deny @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{PROC}/@{pid}/cmdline r, deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, diff --git a/apparmor.d/groups/apps/discord b/apparmor.d/profiles-a-f/discord similarity index 73% rename from apparmor.d/groups/apps/discord rename to apparmor.d/profiles-a-f/discord index 3c70844c1..fc2aadd1c 100644 --- a/apparmor.d/groups/apps/discord +++ b/apparmor.d/profiles-a-f/discord @@ -16,6 +16,9 @@ include profile discord @{exec_path} { include include + include + include + include include include include 
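Review bot: In the last calibre hunk, the new side both allows and denies the same paths: `+ owner @{PROC}/@{pid}/cmdline r,` and `+ owner @{PROC}/@{pid}/oom_{,score_}adj rw,` are added while `deny owner @{PROC}/@{pid}/cmdline r,` and `deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,` remain, and the `stat{,m}`, `comm` and `status` rules are now listed two or three times. An explicit deny overrides an allow in AppArmor, so the two new allow lines are dead and the access stays refused without being logged (deny rules are quiet); keep either the allow or the deny pair, not both. If the repetition is an artifact of how this page was rendered rather than of the commit, only the allow/deny conflict needs attention.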
@@ -28,23 +31,26 @@ profile discord @{exec_path} { @{exec_path} mrix, @{sh_path} rix, + @{bin}/lsb_release rPx -> lsb_release, @{lib_dirs}/chrome-sandbox rix, @{lib_dirs}/chrome_crashpad_handler rix, - @{open_path} rPx -> child-open-browsers, + @{open_path} rPx -> child-open-strict, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{user_videos_dirs}/{,**} rwl, + owner @{user_pictures_dirs}/{,**} rwl, owner @{tmp}/net-export/ rw, owner @{tmp}/discord.sock rw, owner "@{tmp}/Discord Crashes/" rw, - owner @{config_dirs}/*/modules/** rm, + audit owner @{config_dirs}/*/modules/** rm, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + owner @{PROC}/@{pid}/task/@{tid}/comm r, + include if exists } diff --git a/apparmor.d/groups/apps/discord-chrome-sandbox b/apparmor.d/profiles-a-f/discord-chrome-sandbox similarity index 100% rename from apparmor.d/groups/apps/discord-chrome-sandbox rename to apparmor.d/profiles-a-f/discord-chrome-sandbox diff --git a/apparmor.d/groups/apps/dropbox b/apparmor.d/profiles-a-f/dropbox similarity index 91% rename from apparmor.d/groups/apps/dropbox rename to apparmor.d/profiles-a-f/dropbox index ddb62bf60..8aa054238 100644 --- a/apparmor.d/groups/apps/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -15,6 +15,9 @@ include @{exec_path} = @{bin}/dropbox profile dropbox @{exec_path} { include + include + include + include include include include @@ -35,7 +38,7 @@ profile dropbox @{exec_path} { @{bin}/{,@{multiarch}-}gcc-[0-9]* rix, @{bin}/{,@{multiarch}-}objdump rix, - @{bin}/xdg-open rCx -> child-open, + @{open_path} rPx -> child-open-strict, @{bin}/lsb_release rPx -> lsb_release, owner @{HOME}/ r, diff --git a/apparmor.d/groups/apps/filezilla b/apparmor.d/profiles-a-f/filezilla similarity index 75% rename from apparmor.d/groups/apps/filezilla rename to apparmor.d/profiles-a-f/filezilla index 29654c955..2ec1a542f 100644 --- a/apparmor.d/groups/apps/filezilla +++ b/apparmor.d/profiles-a-f/filezilla 
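Review bot: In the discord hunk, `audit owner @{config_dirs}/*/modules/** rm` still allows executable mappings from a user-writable directory and only adds logging, so anything able to write `~/.config/discord/*/modules/` can load native code under this profile. That is presumably unavoidable because Discord fetches its native modules there at runtime, but the rule should say so: `# Discord downloads native (.node) modules into its config dir at runtime; audit because user-writable code is being mapped executable`. If some installs ship a read-only copy of those modules, a narrower rule for that path would be preferable.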
@@ -10,13 +10,23 @@ include @{exec_path} = @{bin}/filezilla profile filezilla @{exec_path} { include - include - include + include + include + include + include include - include - include + include + include + include include + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink dgram, + network netlink raw, + signal (send) set=(term, kill) peer=fzsftp, @{exec_path} mr, @@ -46,15 +56,15 @@ profile filezilla @{exec_path} { owner @{user_cache_dirs}/filezilla/ rw, owner @{user_cache_dirs}/filezilla/default_*.png rw, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - /tmp/ r, owner @{tmp}/fz[0-9]temp-@{int}/ rw, owner @{tmp}/fz[0-9]temp-@{int}/fz*-lockfile rwk, owner @{tmp}/fz[0-9]temp-@{int}/empty_file_* rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/groups/apps/freetube b/apparmor.d/profiles-a-f/freetube similarity index 80% rename from apparmor.d/groups/apps/freetube rename to apparmor.d/profiles-a-f/freetube index d59762cfd..a3d655d87 100644 --- a/apparmor.d/groups/apps/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -12,10 +12,12 @@ include @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{lib_dirs}/@{name} +@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile freetube @{exec_path} { include include + include + include include include include @@ -27,6 +29,8 @@ profile freetube @{exec_path} { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=org.mpris.MediaPlayer2.freetube path=/org/mpris/MediaPlayer2 + @{exec_path} mrix, @{open_path} rPx -> child-open-strict, 
diff --git a/apparmor.d/groups/apps/freetube-chrome-sandbox b/apparmor.d/profiles-a-f/freetube-chrome-sandbox similarity index 100% rename from apparmor.d/groups/apps/freetube-chrome-sandbox rename to apparmor.d/profiles-a-f/freetube-chrome-sandbox diff --git a/apparmor.d/groups/apps/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop similarity index 50% rename from apparmor.d/groups/apps/signal-desktop rename to apparmor.d/profiles-s-z/signal-desktop index 912d95760..e50d95764 100644 --- a/apparmor.d/groups/apps/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -8,14 +8,17 @@ abi , include @{name} = signal-desktop{,-beta} -@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}" -@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}" +@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} +@{config_dirs} = @{user_config_dirs}/Signal{,?Beta} @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} profile signal-desktop @{exec_path} { include include + include + include + include include include include 
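Review bot: In the signal-desktop header hunk, `/opt/Signal{,?Beta}` and `@{user_config_dirs}/Signal{,?Beta}` use `?` in place of the space that the removed `"/opt/Signal{, Beta}"` spelled out exactly; `?` matches any single character, so `/opt/Signal-Beta` or `Signal_Beta` now also attach to this profile and are read/writeable as config. The removed lines show quoting works, so if it was dropped only for readability a comment such as `# ? stands for the space in "Signal Beta"` should at least document the wildcard; the same change is repeated in the signal-desktop-chrome-sandbox hunk further down.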
@@ -28,24 +31,28 @@ profile signal-desktop @{exec_path} { @{exec_path} mrix, - @{bin}/getconf rix, - @{bin}/xdg-settings rPx, + @{bin}/basename rix, + @{bin}/getconf rix, + @{bin}/xdg-settings rix, + @{open_path} rPx -> child-open-strict, - @{lib_dirs}/chrome-sandbox rPx, + audit @{lib_dirs}/chrome-sandbox rPx, @{lib_dirs}/chrome_crashpad_handler rix, - /var/lib/dbus/machine-id r, - /etc/machine-id r, - @{run}/systemd/inhibit/@{int}.ref rw, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, @{PROC}/@{pid}/fd/ r, @{PROC}/vmstat r, + /dev/tty rw, + include if exists } diff --git a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox similarity index 85% rename from apparmor.d/groups/apps/signal-desktop-chrome-sandbox rename to apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox index 8a5083143..a5f4a7ef9 100644 --- a/apparmor.d/groups/apps/signal-desktop-chrome-sandbox +++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox @@ -7,8 +7,8 @@ abi , include -@{lib_dirs} = @{lib}/signal-desktop "/opt/Signal{, Beta}" -@{config_dirs} = "@{user_config_dirs}/Signal{, Beta}" +@{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} +@{config_dirs} = @{user_config_dirs}/Signal{,?Beta} @{exec_path} = @{lib_dirs}/chrome-sandbox profile signal-desktop-chrome-sandbox @{exec_path} { 
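Review bot: In the second signal-desktop hunk, `@{bin}/xdg-settings rix` replaces `rPx`, so xdg-settings now runs inside signal-desktop's own profile instead of its own. xdg-settings is a shell script that dispatches to desktop-specific helpers (xdg-mime, gio, kwriteconfig and the like), so whatever those helpers need will presumably have to be added to this profile, which is the opposite of what the separate transition gave; if the change only works around a missing profile, `@{bin}/xdg-settings rPx,` or `rCx -> xdg-settings` with a small child is the safer shape. The added `audit @{lib_dirs}/chrome-sandbox rPx` also deserves a comment saying why the sandbox exec is audited.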
diff --git a/apparmor.d/groups/apps/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop similarity index 66% rename from apparmor.d/groups/apps/telegram-desktop rename to apparmor.d/profiles-s-z/telegram-desktop index be043e150..416c97d72 100644 --- a/apparmor.d/groups/apps/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -11,14 +11,20 @@ include profile telegram-desktop @{exec_path} { include include - include + include + include + include include + include + include include include + include include include include include + include include network inet dgram, @@ -28,22 +34,18 @@ profile telegram-desktop @{exec_path} { network netlink dgram, network netlink raw, - @{exec_path} mrix, + @{exec_path} mr, - @{sh_path} rix, + @{sh_path} rix, + @{open_path} rPx -> child-open-strict, - @{open_path} rPx -> child-open, - - /usr/share/TelegramDesktop/{,**} r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, + owner @{user_share_dirs}/TelegramDesktop/ rw, + owner @{user_share_dirs}/TelegramDesktop/** rwlk -> @{user_share_dirs}/TelegramDesktop/**, owner @{user_config_dirs}/autostart/telegramdesktop.desktop rw, - owner @{tmp}/@{hex}-* rwk, - owner @{run}/user/@{uid}/@{hex}-* rwk, - owner /dev/shm/#@{int} rw, + owner @{tmp}/@{hex32}-?@{uuid}? rwk, + audit owner /dev/shm/#@{int} rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/dists/flags/main.flags b/dists/flags/main.flags index d26b951f7..401681743 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -47,6 +47,7 @@ avahi-set-host-name complain baloo complain baloorunner complain busctl complain +calibre complain cc-remote-login-helper complain cctk complain child-modprobe-nvidia attach_disconnected,complain 
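Review bot: In the second telegram-desktop hunk, `@{exec_path} mr` drops the `ix` that `@{exec_path} mrix` carried, so the binary can no longer execute itself under this profile. Telegram Desktop's in-app updater presumably restarts the application by re-executing the binary; if so that restart will now be denied, and `@{exec_path} mrix,` (or `rPx` to re-attach cleanly) should be kept — confirm with one update cycle. The new `owner @{tmp}/@{hex32}-?@{uuid}? rwk` would also benefit from a comment giving an example filename, since `?@{uuid}?` reads like a typo for braces.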
@@ -88,6 +89,8 @@ cups-pk-helper-mechanism complain cupsd attach_disconnected,complain ddcutil complain dino attach_disconnected,complain +discord complain +discord-chrome-sandbox complain DiscoverNotifier complain dkms attach_disconnected,complain dmsetup complain @@ -106,6 +109,7 @@ evolution-user-prompter complain fail2ban-client attach_disconnected,complain fail2ban-server attach_disconnected,complain fdisk complain +filezilla complain firewall-applet attach_disconnected,complain firewall-config complain firewalld attach_disconnected,complain @@ -119,6 +123,11 @@ flatpak-system-helper complain flatpak-validate-icon complain foliate attach_disconnected,complain fractal attach_disconnected,complain +freetube complain +freetube-chrome-sandbox complain +fstrim complain +freetube complain +freetube-chrome-sandbox complain fuse-overlayfs complain fusermount complain gdm-generate-config complain @@ -291,6 +300,8 @@ sddm attach_disconnected,mediate_deleted,complain sddm-greeter complain secure-time-sync attach_disconnected,complain sftp-server complain +signal-desktop attach_disconnected,complain +signal-desktop-chrome-sandbox complain sing-box complain slirp4netns attach_disconnected,complain snap complain @@ -370,6 +381,7 @@ systemd-udevd attach_disconnected,complain systemd-user-sessions complain systemd-userwork attach_disconnected,complain systemsettings complain +telegram-desktop complain totem attach_disconnected,complain tracker-writeback complain udev-dmi-memory-id complain diff --git a/dists/ignore/main.ignore b/dists/ignore/main.ignore index fe61aaf2f..917b117f1 100644 --- a/dists/ignore/main.ignore +++ b/dists/ignore/main.ignore @@ -5,11 +5,6 @@ # when built with 'make full' apparmor.d/groups/_full -# Apps that should be sandboxed -apparmor.d/groups/apps -code -code-wrapper - # Provided by other packages man From a99fbaa0beebe9b16e708de312034335ee73e6cb Mon Sep 17 00:00:00 2001 
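Review bot: In the main.flags hunk at `@@ -119,6 +123,11 @@`, `freetube complain` and `freetube-chrome-sandbox complain` are each inserted twice, with `fstrim complain` between the pairs, which also breaks the file's alphabetical order. Keep one copy of each, sorted: `freetube complain`, `freetube-chrome-sandbox complain`, `fstrim complain`. Whether the duplicates are harmless depends on how the build tool parses this file, which is not visible here.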
From: Alexandre Pujol Date: Mon, 9 Sep 2024 19:47:25 +0100 Subject: [PATCH 074/315] feat(profile): restic some well known path. --- apparmor.d/abstractions/common/chromium | 8 ++++---- apparmor.d/abstractions/common/electron | 2 +- apparmor.d/groups/apt/apt-cdrom | 12 ++++++------ apparmor.d/groups/freedesktop/cpupower | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/freedesktop/xrdb | 2 +- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/profiles-g-l/gtk-youtube-viewer | 2 +- 9 files changed, 17 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 2e98c515a..28effd768 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -26,10 +26,10 @@ /var/tmp/ r, owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw, - owner @{tmp}/scoped_dir*/ rw, - owner @{tmp}/scoped_dir*/SingletonCookie w, - owner @{tmp}/scoped_dir*/SingletonSocket w, - owner @{tmp}/scoped_dir*/SS w, + owner @{tmp}/scoped_dir@{rand6}/ rw, + owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w, + owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, + owner @{tmp}/scoped_dir@{rand6}/SS w, /dev/shm/ r, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 732129c26..5de098246 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -50,7 +50,7 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{user_share_dirs}/.org.chromium.Chromium.* rw, + owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw, 
diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index a2268648b..dc3f9c216 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -33,11 +33,11 @@ profile apt-cdrom @{exec_path} flags=(complain) { # @{run}/udev/data/* r, # For cd-roms - /media/cdrom[0-9]/ r, - /media/cdrom[0-9]/**/ r, - /media/cdrom[0-9]/.disk/info r, - /media/cdrom[0-9]/dists/**/binary-*/Packages{,.gz} r, - /media/cdrom[0-9]/dists/**/i18n/Translation-en{,.gz} r, + /media/cdrom@{int}/ r, + /media/cdrom@{int}/**/ r, + /media/cdrom@{int}/.disk/info r, + /media/cdrom@{int}/dists/**/binary-*/Packages{,.gz} r, + /media/cdrom@{int}/dists/**/i18n/Translation-en{,.gz} r, # For pendrives @{MOUNTS}/ r, @@ -63,7 +63,7 @@ profile apt-cdrom @{exec_path} flags=(complain) { /etc/fstab r, - /media/cdrom[0-9]/ r, + /media/cdrom@{int}/ r, include if exists } diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index 0b1d0ead3..58d4f0e84 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower @@ -32,7 +32,7 @@ profile cpupower @{exec_path} { @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_{min,max}_freq rw, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_setspeed rw, - @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state[0-9]/disable rw, + @{sys}/devices/system/cpu/cpu@{int}/cpuidle/state@{int}/disable rw, @{sys}/devices/system/cpu/cpu@{int}/topology/{physical_package_id,core_id} r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 378c81119..878b85004 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -125,7 +125,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{PROC}/ioports r, @{PROC}/mtrr rw, - /dev/fb[0-9] rw, + /dev/fb@{int} rw, /dev/input/event@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, 
diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 9bd897bee..638f6ebee 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -19,7 +19,7 @@ profile xrdb @{exec_path} { @{bin}/{,*-}cpp-[0-9]* rix, @{sh_path} rix, @{bin}/cpp rix, - @{lib}/gcc/@{multiarch}/@{int}*/cc1 rix, + @{lib}/gcc/@{multiarch}/@{version}/cc1 rix, @{lib}/llvm-[0-9]*/bin/clang rix, /usr/include/stdc-predef.h r, diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 48534d676..91cfaab0f 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -6,7 +6,7 @@ abi , include -@{name} = Mullvad*VPN +@{name} = Mullvad?VPN @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 6ab0802ba..c1bd7fa37 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -123,7 +123,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, owner /var/lib/pacman/{,**} rwl, - owner @{tmp}/alpm_*/{,**} rw, + owner @{tmp}/alpm_@{rand6}/{,**} rw, owner @{tmp}/checkup-db-@{int}/sync/{,*.db*} rw, owner @{tmp}/checkup-db-@{int}/db.lck rw, diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 9d2bc322e..5f2e4fde7 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -98,7 +98,7 @@ profile gtk-youtube-viewer @{exec_path} { include @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, @{sh_path} rix, @{bin}/{m,g,}awk rix, From c7181ecadf7c5ce96c32ce497c591795f5abf931 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 9 Sep 2024 19:57:49 +0100 Subject: [PATCH 075/315] feat(profile): general update. --- apparmor.d/abstractions/common/electron | 1 + apparmor.d/abstractions/common/game | 12 ++++-- apparmor.d/abstractions/qt5-shader-cache | 4 +- apparmor.d/groups/apt/apt-cdrom | 28 +++++++------- apparmor.d/groups/bus/dbus-session | 2 +- .../groups/children/child-modprobe-nvidia | 4 -- apparmor.d/groups/freedesktop/accounts-daemon | 19 +++++----- apparmor.d/groups/freedesktop/xdg-screensaver | 4 +- .../gnome/gnome-control-center-goa-helper | 17 +++++++-- apparmor.d/groups/gnome/gnome-weather | 2 + apparmor.d/groups/gnome/gsd-media-keys | 28 +------------- apparmor.d/groups/gpg/gpg | 37 +++++++++---------- apparmor.d/groups/pacman/arch-audit | 6 +-- apparmor.d/groups/pacman/pacman | 7 +--- apparmor.d/groups/ssh/ssh | 3 +- apparmor.d/groups/ssh/ssh-agent-launch | 2 +- apparmor.d/profiles-a-f/bluetoothd | 10 ----- apparmor.d/profiles-a-f/cemu | 12 +++--- apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-g-l/git | 10 +++-- apparmor.d/profiles-g-l/gitstatusd | 1 + apparmor.d/profiles-m-r/run-parts | 6 +++ apparmor.d/profiles-m-r/runuser | 23 +++--------- apparmor.d/profiles-s-z/speedtest | 7 ++-- .../spice-client-glib-usb-acl-helper | 4 +- apparmor.d/profiles-s-z/ss | 19 +++++----- apparmor.d/profiles-s-z/steam | 2 +- apparmor.d/profiles-s-z/steam-launch | 2 +- .../profiles-s-z/steam-runtime-steam-remote | 29 +++++++++++++++ apparmor.d/profiles-s-z/uname | 3 +- apparmor.d/profiles-s-z/vipw-vigr | 3 +- apparmor.d/profiles-s-z/who | 1 + 32 files changed, 152 insertions(+), 158 deletions(-) create mode 100644 apparmor.d/profiles-s-z/steam-runtime-steam-remote diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 5de098246..b39ccc853 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron 
@@ -61,6 +61,7 @@ owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w, owner @{tmp}/scoped_dir@{rand6}/SS w, + /dev/shm/ r, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @{sys}/devices/system/cpu/kernel_max r, diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index a3619b164..609bb521d 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -3,9 +3,9 @@ # SPDX-License-Identifier: GPL-2.0-only # Core set of resources for any games on Linux. Runtimes such as sandboxing, -# wine, proton, game launchers should use this abstraction. +# wine, proton, game launchers should use this abstraction. -# This abstraction use the following tunables: +# This abstraction uses the following tunables: # - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") # - @{user_games_dirs} for user specific game directories (eg: steam storage dir) @@ -38,7 +38,7 @@ owner @{user_games_dirs}/ r, owner @{user_games_dirs}/*/ r, - owner @{user_games_dirs}/*/{,**} rwkl, + owner @{user_games_dirs}/*/** rwlk, owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, @@ -50,11 +50,15 @@ owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw, owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk, owner @{tmp}/#@{int} rw, + owner @{tmp}/AsyncGPUReadbackPlugin_*.log w, owner @{tmp}/CASESENSITIVETEST@{hex32} rw, owner @{tmp}/crashes/ rw, owner @{tmp}/crashes/** rwk, owner @{tmp}/miles_image_@{rand6} mrw, - owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/runtime-info.txt.@{rand6} rw, + owner @{tmp}/tmp@{rand6}.tmp rw, + owner @{tmp}/tmp@{rand6}@{h}.tmp rw, + owner @{tmp}/tmp@{rand8}.tmp rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, owner /dev/shm/mono.@{int} rw, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index 4ac0f7f1d..e43ca64e1 100644 
--- a/apparmor.d/abstractions/qt5-shader-cache +++ b/apparmor.d/abstractions/qt5-shader-cache @@ -6,10 +6,10 @@ owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int}, + owner @{user_cache_dirs}/qtshadercache/@{hex} rwl, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/ rw, owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw, - owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int}, + owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex}* rwl, include if exists diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom index dc3f9c216..0f3bce398 100644 --- a/apparmor.d/groups/apt/apt-cdrom +++ b/apparmor.d/groups/apt/apt-cdrom @@ -18,19 +18,18 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{exec_path} mr, @{bin}/dpkg rPx -> child-dpkg, - @{bin}/mount rCx -> mount, @{bin}/umount rCx -> umount, /etc/fstab r, - # Are all of these needed? (#FIXME#) - @{sys}/bus/ r, - @{sys}/bus/*/devices/ r, - @{sys}/class/ r, - @{sys}/class/*/ r, - @{sys}/devices/**/uevent r, - # @{run}/udev/data/* r, + /etc/apt/sources.list{,.new} rw, + /etc/apt/sources.list~ w, + + /var/lib/apt/lists/** rw, + + /var/lib/apt/cdroms.list{,.new} rw, + /var/lib/apt/cdroms.list~ w, # For cd-roms /media/cdrom@{int}/ r, 
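Review bot: In the qt5-shader-cache hunk, `owner @{user_cache_dirs}/qtshadercache/@{hex} rwl,` drops the `-> @{user_cache_dirs}/qtshadercache/#@{int}` link target (and likewise for the little_endian variant), so the link permission is no longer tied to the `#N` temp entry the cache writes. As I read AppArmor's link semantics, a target-less `l` falls back to the subset check and permits a hard link from any file the profile can read, write and link, which is wider than this cache needs. If the targeted form was failing in practice (the `#@{int}` names look like O_TMPFILE entries linked via linkat, which the `->` form may not match), say so in a comment, e.g. `# no link target: the temp file is linked via linkat(AT_EMPTY_PATH) — TODO confirm`; otherwise keep the explicit target.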
@@ -46,16 +45,15 @@ profile apt-cdrom @{exec_path} flags=(complain) { @{MOUNTS}/dists/**/binary-*/Packages{,.gz} r, @{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r, - /var/lib/apt/lists/** rw, + # Are all of these needed? (#FIXME#) + @{sys}/bus/ r, + @{sys}/bus/*/devices/ r, + @{sys}/class/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/fd/ r, - /var/lib/apt/cdroms.list{,.new} rw, - /var/lib/apt/cdroms.list~ w, - - /etc/apt/sources.list{,.new} rw, - /etc/apt/sources.list~ w, - profile mount flags=(complain) { include diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index e5e382795..b06eaa510 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -64,7 +64,7 @@ profile dbus-session flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/.access rw, @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - + @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/attr/apparmor/current r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index fb91234b0..45b1ff120 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -62,13 +62,9 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { include capability mknod, - # capability sys_module, /etc/nvidia/{current,legacy*,tesla*}/*.conf r, - # @{sys}/module/ipmi_devintf/initstate r, - # @{sys}/module/ipmi_msghandler/initstate r, - # @{sys}/module/{drm,nvidia}/initstate r, @{sys}/module/compression r, deny @{HOME}/.steam/** r, diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon index 4f2e8b64c..1389b2ee6 100644 --- a/apparmor.d/groups/freedesktop/accounts-daemon +++ b/apparmor.d/groups/freedesktop/accounts-daemon 
@@ -21,7 +21,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { capability sys_nice, capability sys_ptrace, - ptrace (read) peer=unconfined, + ptrace read peer=unconfined, #aa:dbus own bus=system name=org.freedesktop.Accounts @@ -58,24 +58,23 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) { /etc/shells r, /etc/sysconfig/displaymanager r, + /var/log/wtmp r, + owner /var/lib/AccountsService/ r, owner /var/lib/AccountsService/** rw, @{HOME}/ r, owner @{HOME}/.pam_environment r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid rw, - @{PROC}/@{pids}/loginuid r, - @{PROC}/@{pids}/cmdline r, + owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, + + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pid}/loginuid r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, - - # wtmp.d ? - /var/log/wtmp r, - - owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/loginuid rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index cee9898b5..bca69b9b1 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -32,14 +32,14 @@ profile xdg-screensaver @{exec_path} { @{bin}/xset rPx, @{bin}/hostname rix, - /dev/dri/card@{int} rw, - owner @{HOME}/ r, owner @{HOME}/.Xauthority r, owner @{tmp}/xauth-@{int}-_[0-9] r, owner @{run}/user/@{uid}/ r, + /dev/dri/card@{int} rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index 72f5867a4..a210cbd18 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper 
@@ -39,7 +39,7 @@ profile gnome-control-center-goa-helper @{exec_path} { @{exec_path} mr, - @{bin}/bwrap rPUx, + @{bin}/bwrap rCx -> bwrap, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @@ -48,9 +48,11 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{user_config_dirs}/goa-1.0/accounts.conf r, - owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/ rw, + owner @{user_cache_dirs}/gnome-control-center-goa-helper/** rwl, - owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk, + owner @{user_share_dirs}/gnome-control-center-goa-helper/ rw, + owner @{user_share_dirs}/gnome-control-center-goa-helper/** rwk, owner @{user_share_dirs}/webkitgtk/{,**} rw, owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk, @@ -63,6 +65,15 @@ profile gnome-control-center-goa-helper @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, + profile bwrap flags=(attach_disconnected,complain) { + include + include + + @{bin}/bwrap mr, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index b2851601c..a49fe97bd 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -33,6 +33,8 @@ profile gnome-weather @{exec_path} { owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6ed820866..dc6e8aeb7 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys 
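Review bot: The new `bwrap` child in gnome-control-center-goa-helper contains only `@{bin}/bwrap mr,` and two includes, so nothing is recorded about what bwrap needs next — its mount and namespace setup and the exec of the sandboxed WebKit process — and the `complain` flag hides every resulting denial for now. Moving from `rPUx` (unconfined fallback) to `rCx -> bwrap` is the right direction, but the child is only useful once those rules are collected; a `# TODO: placeholder, kept in complain until the bwrap rules are collected from logs` line inside the child would record that state for whoever flips it to enforce. The `{,**}` splits into `/ rw` plus `/** rwl` in the same file are fine and consistent with the rest of the repository.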
@@ -31,38 +31,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { network netlink raw, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys + #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill + #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=PowerOff peer=(name=:*, label=systemd-logind), - dbus send bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - dbus send bus=session path=/org/gnome/Shell - interface=org.gnome.Shell - member={GrabAccelerators,UngrabAccelerators} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.freedesktop.DBus.Properties - member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/gnome/Shell - interface=org.gnome.Shell - member=AcceleratorActivated - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gsd-rfkill), - dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill - interface=org.freedesktop.DBus.Properties - member=PropertiesChanged - peer=(name=:*, label=gsd-rfkill), - dbus send bus=session path=/ interface=org.freedesktop.DBus member=ListNames diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index 43cb9cadf..a7aa93d2b 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg 
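Review bot: The two `#aa:dbus talk` directives replace rules that were pinned to specific members (`GetAll`, `GrabAccelerators`/`UngrabAccelerators`, `AcceleratorActivated`, `PropertiesChanged` toward gnome-shell; `GetAll` and `PropertiesChanged` toward gsd-rfkill); if the directive expands to send and receive on every interface and member of those names, gsd-media-keys gains more D-Bus surface than it had. That is a reasonable maintainability trade for two peers that are themselves confined, but it is not visible from the profile any more, so a one-line comment such as `# talk replaces member-scoped rules; both peers are confined profiles` next to the directives would preserve the reasoning. The rest of the profile continues outside the hunk.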
@@ -32,6 +32,23 @@ profile gpg @{exec_path} { /etc/inputrc r, + #aa:only pacman + /etc/pacman.d/gnupg/gpg.conf r, + /etc/pacman.d/gnupg/pubring.gpg r, + /etc/pacman.d/gnupg/trustdb.gpg r, + + #aa:only apt + owner /etc/apt/keyrings/ rw, + owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, + + owner /var/lib/*/{,.}gnupg/ rw, + owner /var/lib/*/{,.}gnupg/** rwkl -> /var/lib/*/{,.}gnupg/**, + + # TODO: Remove after zypper profile is created + #aa:only zypper + owner /var/tmp/zypp.@{rand6}/ rw, + owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, + owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -45,26 +62,6 @@ profile gpg @{exec_path} { owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**, - #aa:only apt - owner /etc/apt/keyrings/ rw, - owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, - - #aa:only pacman - /etc/pacman.d/gnupg/gpg.conf r, - /etc/pacman.d/gnupg/pubring.gpg r, - /etc/pacman.d/gnupg/trustdb.gpg r, - - owner /var/lib/*/gnupg/ rw, - owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**, - - owner /var/lib/*/.gnupg/ rw, - owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**, - - # TODO: Remove after zypper profile is created - #aa:only zypper - owner /var/tmp/zypp.@{rand6}/ rw, - owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**, - #aa:exclude ubuntu owner @{tmp}/ostree-gpg-@{rand6}/ r, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index 7ef09601c..ba4987a31 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit 
@@ -28,12 +28,12 @@ profile arch-audit @{exec_path} { /var/lib/pacman/local/{,**} r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/mountinfo r, - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/mountinfo r, + /dev/pts/@{int} rw, include if exists diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index c1bd7fa37..957e521f4 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -46,7 +46,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gpg{,2} rCx -> gpg, @{bin}/gpgconf rCx -> gpg, @{bin}/gpgsm rCx -> gpg, - + # Pacman hooks & install scripts @{sh_path} rix, @{coreutils_path} rix, @@ -64,7 +64,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gdk-pixbuf-query-loaders rPx, @{bin}/getent rix, @{bin}/gettext rix, - @{bin}/ghc-pkg{,-*} rPx, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{bin}/groupadd rPx, @@ -118,9 +117,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { /var/** rwlk -> /var/**, # Read packages files - @{user_pkg_dirs}/ r, - @{user_pkg_dirs}/**/ r, - @{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r, + @{user_pkg_dirs}/{,**} r, owner /var/lib/pacman/{,**} rwl, owner @{tmp}/alpm_@{rand6}/{,**} rw, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 1dac2be00..296074f5f 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -23,8 +23,7 @@ profile ssh @{exec_path} { @{exec_path} mrix, - @{bin}/{,b,d,rb}ash rix, - @{bin}/{c,k,tc,z}sh rix, + @{bin}/@{shells} rUx, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 66e05b5ec..a243069c0 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch 
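Review bot: `@{user_pkg_dirs}/{,**} r,` in pacman replaces three rules that were limited to directories and `*.pkg.tar.zst{,.sig}`, so pacman may now read any file under the user package directories rather than only archives and signatures. If the intent is just local package installs, `@{user_pkg_dirs}/{,**/} r,` together with the previous archive pattern keeps the earlier scope; if the widening is deliberate (other compression suffixes, say), a comment on the rule would make that clear. The `@{bin}/ghc-pkg{,-*} rPx,` removal in the same file is reintroduced as `rix` in a later commit on this page, so the transition type changes between the two without explanation.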
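Review bot: `@{bin}/@{shells} rUx,` in ssh leaves anything ssh runs through a shell unconfined — ProxyCommand, LocalCommand and Match exec are executed via the user's shell, and the config that sets them is user-writable — whereas the removed `rix` rules kept those helpers inside the ssh profile. If that is intended (the deleted code profile on this page documents the same choice with `# The shell is not confined on purpose.`), say so next to the rule; note also that the uppercase `Ux` scrubs the environment on the transition, which changes what a ProxyCommand sees compared with the old `ix`. The ssh-agent-launch change to `@{sh_path} rix,` on the same line keeps confinement and is fine.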
@@ -12,7 +12,7 @@ profile ssh-agent-launch @{exec_path} { @{exec_path} mr, - @{bin}/{,z,ba,da}sh rix, + @{sh_path} rix, @{bin}/dbus-update-activation-environment rCx -> dbus, @{bin}/getopt rix, @{bin}/grep rix, diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd index 75934102b..66cc35860 100644 --- a/apparmor.d/profiles-a-f/bluetoothd +++ b/apparmor.d/profiles-a-f/bluetoothd @@ -35,16 +35,6 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) { member=GetManagedObjects peer=(name=:*, label=pulseaudio), - dbus send bus=system path=/MediaEndpoint/{A2DPSink,A2DPSource}/* - interface=org.bluez.MediaEndpoint1 - member=Release - peer=(name=:*, label=pulseaudio), - - dbus send bus=system path=/Profile/{HFPAGProfile,HSPHSProfile} - interface=org.bluez.MediaEndpoint1 - member=Release - peer=(name=:*, label=pulseaudio), - dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved diff --git a/apparmor.d/profiles-a-f/cemu b/apparmor.d/profiles-a-f/cemu index 44d4098da..40920ebd0 100644 --- a/apparmor.d/profiles-a-f/cemu +++ b/apparmor.d/profiles-a-f/cemu @@ -29,18 +29,18 @@ profile cemu @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/Cemu/{,**} rw, owner @{user_share_dirs}/Cemu/{,**} rw, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/statm r, - - owner @{sys}/class/ r, + @{sys}/class/ r, @{sys}/class/input/ r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/abs r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/ev r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/key r, @{sys}/devices/@{pci}/usb@{int}/**/input@{int}/capabilities/rel r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/statm r, + /dev/input/ r, /dev/input/event@{int} rw, /dev/input/js@{int} rw, 
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 6d836c63d..4ebe8e464 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -41,7 +41,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/update-secureboot-policy rPUx, @{bin}/zstd rix, - @{lib}/gcc/@{multiarch}/@{int}*/* rix, + @{lib}/gcc/@{multiarch}/@{version}/* rix, @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 8a2ffb797..af7fbd4df 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -101,9 +101,11 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/git-commit-msg-.txt rw, # For android studio - deny @{user_share_dirs}/gvfs-metadata/* r, - deny /dev/shm/.org.chromium.Chromium* rw, deny owner @{code_config_dirs}/** rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, + deny /usr/share/nvidia/nvidia-application-profiles-* r, + deny /dev/shm/.org.chromium.Chromium* rw, profile gpg flags=(attach_disconnected) { include @@ -163,11 +165,11 @@ profile git @{exec_path} flags=(attach_disconnected) { profile editor flags=(attach_disconnected) { include include - + owner @{user_projects_dirs}/**/ r, owner @{user_projects_dirs}/**/.git/@{int} rw, owner @{user_projects_dirs}/**/.git/*MSG rw, - + # The git repository files owner @{user_build_dirs}/ r, owner @{user_build_dirs}/** rw, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index da5566f9f..5dbce6ae3 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd 
@@ -22,6 +22,7 @@ profile gitstatusd @{exec_path} { deny capability dac_read_search, deny capability dac_override, deny owner @{HOME}/.*-store/{,**} r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index b37172246..81c52aa1f 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -4,6 +4,12 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only +# TODO: Rewrite this profile. Most of the rule should be confined directly by the calling profile +# Possible confinement depending of profile architecture: +# - As rix, +# - As rCx -> run-parts, +# - As rPx -> foo-run-parts, + abi , include diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser index 97100f32a..5fc2d65c4 100644 --- a/apparmor.d/profiles-m-r/runuser +++ b/apparmor.d/profiles-m-r/runuser @@ -10,43 +10,30 @@ include @{exec_path} = @{bin}/runuser profile runuser @{exec_path} { include - include include + include include include - # To remove the following errors: - # runuser: cannot set user id: Operation not permitted capability setuid, - - # To remove the following errrors: - # runuser: cannot set groups: Operation not permitted capability setgid, - - # To write records to the kernel auditing log. capability audit_write, - - # Needed? (#FIXME#) capability sys_resource, network netlink raw, @{exec_path} mr, - # Shells to use - @{bin}/{,b,d,rb}ash rpux, - @{bin}/{c,k,tc,z}sh rpux, - - owner @{PROC}/@{pid}/loginuid r, - @{PROC}/1/limits r, + @{bin}/@{shells} rUx, @{etc_ro}/security/limits.d/ r, - /etc/default/runuser r, - # file_inherit owner @{tmp}/debian-security-support.postinst.*/output w, + @{PROC}/1/limits r, + owner @{PROC}/@{pid}/loginuid r, + include if exists } diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest index 511f32a96..0fe00bc24 100644 --- a/apparmor.d/profiles-s-z/speedtest 
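Review bot: The runuser rewrite removes the only statements of why `capability setuid`, `setgid` and `audit_write` are granted and drops the `# Needed? (#FIXME#)` question on `capability sys_resource` without resolving it, so the new block lists four capabilities with no rationale. `/etc/default/runuser r,` is also removed with no replacement; if runuser still reads that file (its ALWAYS_SET_PATH configuration on Debian, I believe), this will surface as a denial. The shells move from `rpux` to `@{bin}/@{shells} rUx,`, which gives up the profile-if-present attempt and additionally scrubs the environment; a single line such as `# Shells run unconfined on purpose; Ux also scrubs the environment` would document both decisions.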
+++ b/apparmor.d/profiles-s-z/speedtest @@ -12,6 +12,7 @@ profile speedtest @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -26,12 +27,10 @@ profile speedtest @{exec_path} { @{bin}/file rix, @{bin}/uname rix, - owner @{PROC}/@{pid}/fd/ r, - - /usr/local/lib/python*/dist-packages/ r, - /etc/magic r, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper index 1847c93d7..87afa46eb 100644 --- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper +++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper @@ -17,10 +17,8 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { @{exec_path} mr, - @{lib}/gconv/gconv-modules r, - - owner @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/cap_last_cap r, + owner @{PROC}/@{pid}/stat r, include if exists } diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss index 36f4c988d..7346ebd62 100644 --- a/apparmor.d/profiles-s-z/ss +++ b/apparmor.d/profiles-s-z/ss @@ -16,7 +16,7 @@ profile ss @{exec_path} { capability dac_read_search, capability sys_ptrace, - ptrace (read), # unconfined, TODO + ptrace read, network netlink raw, 
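Review bot: `ptrace read,` in ss is the unrestricted form (any peer), which is exactly what the deleted `# unconfined, TODO` marker flagged, and the rewrite drops the marker without narrowing the rule. Keep a why-comment so the open item is not lost, e.g. `ptrace read, # ss -p resolves sockets of any process, so no peer restriction`. The rule pairs with `capability sys_ptrace,` two lines up, which is kept.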
@@ -27,21 +27,20 @@ profile ss @{exec_path} { owner @{tmp}/*.ss rw, owner @{HOME}/*.ss rw, + @{sys}/fs/cgroup/{,**/} r, + @{PROC} r, - @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + @{PROC}/@{pids}/attr/current r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/net/sockstat r, - owner @{PROC}/@{pids}/net/snmp r, - owner @{PROC}/@{pids}/net/unix r, + @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, + owner @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pids}/net/raw r, + owner @{PROC}/@{pids}/net/snmp r, + owner @{PROC}/@{pids}/net/sockstat r, owner @{PROC}/@{pids}/net/tcp r, owner @{PROC}/@{pids}/net/udp r, - - # [e]xtended - owner @{PROC}/@{pids}/mounts r, - @{sys}/fs/cgroup/{,**/} r, + owner @{PROC}/@{pids}/net/unix r, include if exists } diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 82deb0d65..d8e0a50c5 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -54,7 +54,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { ptrace read, ptrace trace peer=steam, - signal send peer=steam-game, + signal send peer=steam-game-{native,proton}, signal send peer=steam-launcher, signal send peer=steam//journalctl, signal send peer=steam//web, diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/profiles-s-z/steam-launch index 11c7b76b2..b1d820d86 100644 --- a/apparmor.d/profiles-s-z/steam-launch +++ b/apparmor.d/profiles-s-z/steam-launch @@ -34,7 +34,7 @@ profile steam-launch @{exec_path} { @{lib}/steam/bin_steam.sh rix, @{share_dirs}/steam.sh rPx, - @{runtime_dirs}/@{arch}/steam-runtime-steam-remote rPUx, + @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote rPx, /usr/ r, /usr/local/ r, diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote new file mode 100644 index 000000000..4f256ef2d --- /dev/null +++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote 
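Review bot: The added `@{PROC} r,` has no trailing slash, and AppArmor matches directories only with one, so this rule grants read on a non-directory path named /proc rather than letting ss list the directory; if the purpose is to let ss enumerate processes, it should read `@{PROC}/ r,`. The reorder also drops the `# [e]xtended` comment that explained why `owner @{PROC}/@{pids}/mounts r,` and `@{sys}/fs/cgroup/{,**/} r,` are present; keeping it on the cgroup line preserves that context.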
@@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{arch} = amd64 i386 +@{runtime} = SteamLinuxRuntime_sniper +@{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation +@{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} +@{runtime_dirs} = @{lib_dirs}/steam-runtime{,-sniper} +@{app_dirs} = @{share_dirs}/steamapps/common/ + +@{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote +profile steam-runtime-steam-remote @{exec_path} flags=(complain) { + include + + @{exec_path} mr, + + @{runtime_dirs}/** rm, + + owner @{HOME}/.steam/steam.pipe rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 4dd41a7bf..31508b640 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -17,7 +17,8 @@ profile uname @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, deny network, - deny @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 5b42ab828..3705f0bab 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -35,7 +35,6 @@ profile vipw-vigr @{exec_path} { # modify the /etc/passwd or /etc/shadow password database. /etc/.pwd.lock rwk, - profile editor { include include @@ -43,6 +42,8 @@ profile vipw-vigr @{exec_path} { capability fsetid, /etc/{passwd,shadow,gshadow,group}.edit rw, + + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/profiles-s-z/who index bed53e7e6..54b4375b2 100644 --- a/apparmor.d/profiles-s-z/who +++ b/apparmor.d/profiles-s-z/who 
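Review bot: In the new steam-runtime-steam-remote profile, `@{runtime}` and `@{app_dirs}` are defined but never used in this file, which suggests the variable block was copied from a sibling steam profile; trimming them, or adding `# shared with steam-launch` if the duplication is deliberate, keeps the two definitions from drifting. `@{runtime_dirs}/** rm,` allows mapping every file under the runtime tree as executable memory, and that tree lives in the user's home; that is inherent to a self-updating runtime, but a one-line comment saying so will save the next reader from asking whether a library-only pattern would do. The profile is in complain, so denials will show what else the helper needs before enforce.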
@@ -19,6 +19,7 @@ profile who @{exec_path} { @{exec_path} mr, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny owner @{user_share_dirs}/zed/**/data.mdb rw, include if exists } From f31a68ca216bb33fa8b62648703aad29057b1e0d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 9 Sep 2024 19:58:17 +0100 Subject: [PATCH 076/315] feat(profile): add gitg. --- apparmor.d/profiles-g-l/gitg | 44 ++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-g-l/gitg diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg new file mode 100644 index 000000000..3d6da038c --- /dev/null +++ b/apparmor.d/profiles-g-l/gitg @@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gitg +profile gitg @{exec_path} { + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /usr/share/gitg/{,**} r, + + owner @{user_projects_dirs}/ rw, + owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, + owner @{user_projects_dirs}/**/.git/hooks/* rix, + + owner @{user_config_dirs}/git/{,*} rw, + + owner @{user_share_dirs}/gitg/{,**} rw, + + @{run}/mount/utab r, + + owner @{PROC}/@{pid}/mountinfo r, + + include if exists +} + +# vim:syntax=apparmor From 51d8c052f525eaea809116d12de2945a8242528b Mon Sep 17 00:00:00 2001 
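Review bot: `owner @{user_projects_dirs}/**/.git/hooks/* rix,` in the new gitg profile runs repository-supplied hook scripts with gitg's full profile, including its inet/inet6 network rules and read-write access to every project; hooks are content that arrives with a clone, so this is the most sensitive rule in the file and deserves a comment stating that the inherit transition is intentional. No `@{bin}/git` exec rule appears in the profile, so it is not clear from here how hooks get invoked (gitg may drive git through a library); if they are not actually executed, the rule can be dropped. Consider a child profile for hooks if denials show they need little beyond the repository itself.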
From: Alexandre Pujol Date: Mon, 9 Sep 2024 20:18:30 +0100 Subject: [PATCH 077/315] feat(profile): add makepkg This profile is large enough to support any userbased compilation. While giving protection as it only allows root access to use pacman. see #404, #420 #444, #466 --- apparmor.d/groups/pacman/makepkg | 75 ++++++++++++++++++++++++++++++++ apparmor.d/groups/pacman/pacman | 2 +- 2 files changed, 76 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/groups/pacman/makepkg diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg new file mode 100644 index 000000000..6aa98d84d --- /dev/null +++ b/apparmor.d/groups/pacman/makepkg 
@@ -0,0 +1,75 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/makepkg +profile makepkg @{exec_path} { + include + include + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + file, + + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + @{bin}/sudo Cx -> sudo, + + profile gpg { + include + include + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + + @{bin}/dirmngr rix, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, + @{lib}/{,gnupg/}scdaemon rix, + + /etc/pacman.d/gnupg/ r, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, + + owner @{user_pkg_dirs}/{,**} rw, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ r, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + + owner @{PROC}/@{pid}/fd/ r, + + include if exists + } + + profile sudo { + include + include + + capability sys_ptrace, + + ptrace read, + + @{bin}/pacman Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 957e521f4..d90daf9ba 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -168,7 +168,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gpg-connect-agent rix, /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwkl, + /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, @{HOME}/@{XDG_GPG_DIR}/*.conf r, From f1dcefabb329777f0a1ed176ed118b2bb5c650c5 Mon Sep 17 00:00:00 2001 
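Review bot: `file,` in the makepkg parent grants unrestricted file access, so the only real boundary in this profile is the `sudo` child limiting privileged execution to `@{bin}/pacman Px,`; whether a bare `file` rule also implies inherit-execute of arbitrary binaries (I believe it does) decides whether a PKGBUILD has other ways out of the profile, and that is worth confirming and stating in the file. The commit message carries the rationale; the profile should too, e.g. `# file: makepkg runs arbitrary build scripts, containment here is only for pacman via sudo`. In the `gpg` child, `owner @{user_pkg_dirs}/{,**} rw,` is presumably for signature files written by `makepkg --sign`; a comment would confirm that intent.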
From: Alexandre Pujol Date: Mon, 9 Sep 2024 20:38:42 +0100 Subject: [PATCH 078/315] feat(profile): add profile for yay. fix #420, #466 --- apparmor.d/groups/pacman/makepkg | 1 + apparmor.d/groups/pacman/pacman | 2 + apparmor.d/groups/pacman/yay | 104 +++++++++++++++++++++++++++++++ dists/flags/arch.flags | 1 + 4 files changed, 108 insertions(+) create mode 100644 apparmor.d/groups/pacman/yay diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 6aa98d84d..d62e509e9 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -52,6 +52,7 @@ profile makepkg @{exec_path} { owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index d90daf9ba..c1dbb002e 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -64,6 +64,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/gdk-pixbuf-query-loaders rPx, @{bin}/getent rix, @{bin}/gettext rix, + @{bin}/ghc-pkg-@{version} rix, @{bin}/gio-querymodules rPx, @{bin}/glib-compile-schemas rPx, @{bin}/groupadd rPx, @@ -99,6 +100,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { @{bin}/vercmp rix, @{bin}/xmlcatalog rix, @{lib}/systemd/systemd-* rPx, + @{lib}/ghc-@{version}/bin/ghc-pkg-@{version} rix, @{lib}/vlc/vlc-cache-gen rPx, /opt/Mullvad*/resources/mullvad-setup rPx, /usr/share/code-features/patch.py rPx, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay new file mode 100644 index 000000000..8f2804621 --- /dev/null +++ b/apparmor.d/groups/pacman/yay 
@@ -0,0 +1,104 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/yay +profile yay @{exec_path} { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{editor_path} Cx -> editor, + @{bin}/git Cx -> git, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/makepkg Px, + @{bin}/pacman-conf Px, + @{bin}/sudo Cx -> sudo, + + /var/lib/pacman/** r, + + owner @{user_cache_dirs}/yay/ rw, + owner @{user_cache_dirs}/yay/** rwkl -> @{user_cache_dirs}/yay/**, + + owner @{user_config_dirs}/yay/{,**} rw, + + profile git { + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{bin}/git* mrix, + @{lib}/git{,-core}/git* mrix, + + @{pager_path} rPx -> child-pager, + @{bin}/gpg{2,} rPx -> yay//gpg, + + /usr/share/git{,-core}/{,**} r, + + owner @{HOME}/.gitconfig r, + owner @{user_cache_dirs}/yay/ rw, + owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**, + owner @{user_config_dirs}/git/{,*} r, + + include if exists + } + + profile editor { + include + include + + owner @{user_cache_dirs}/yay/*/** rw, + + include if exists + } + + profile gpg { + include + include + + @{bin}/gpg{,2} mr, + @{bin}/gpg-agent rPx, + + owner @{HOME}/@{XDG_GPG_DIR}/ rw, + owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + include if exists + } + + profile sudo { + include + include + + capability sys_ptrace, + + ptrace read peer=unconfined, + + @{bin}/pacman Px, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index b94fae2c2..e65ae5520 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags 
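Review bot: The `sudo` and `gpg` children in yay diverge from the ones added to makepkg in the previous commit with no stated reason: here `ptrace read peer=unconfined,` and `@{bin}/gpg-agent rPx,`, there `ptrace read,` and `@{bin}/gpg-agent rix,`. I would expect the two sudo→pacman children to be identical, and whichever transition is right for gpg-agent (`rPx` requires a gpg-agent profile to exist, `rix` keeps it inside the child) should be used in both files. `@{bin}/gpg{2,} rPx -> yay//gpg` in the git child names a sibling child by its full path, which works but is unusual enough to merit a comment. `@{bin}/makepkg Px,` hands AUR PKGBUILDs to the makepkg profile and its bare `file,` rule; that is the design in #420/#466 and a one-line note here would make the trust boundary explicit.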
@@ -13,3 +13,4 @@ pacman-hook-mkinitcpio attach_disconnected,complain pacman-hook-perl complain pacman-hook-systemd attach_disconnected,complain pacman-key complain +yay complain From f3f92297bc545e9eeab1a91dc44dd7b98ae3a9bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 9 Sep 2024 20:49:42 +0100 Subject: [PATCH 079/315] fix(profile): remove deprecated & never enabled profiles. --- apparmor.d/profiles-a-f/code | 105 --------------------------- apparmor.d/profiles-a-f/code-wrapper | 27 ------- 2 files changed, 132 deletions(-) delete mode 100644 apparmor.d/profiles-a-f/code delete mode 100644 apparmor.d/profiles-a-f/code-wrapper diff --git a/apparmor.d/profiles-a-f/code b/apparmor.d/profiles-a-f/code deleted file mode 100644 index 393598746..000000000 --- a/apparmor.d/profiles-a-f/code +++ /dev/null 
@@ -1,105 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{code_config_dirs} = @{user_config_dirs}/Code* @{HOME}/.vscode{,-oss} - -@{exec_path} = @{lib}/electron@{int}/electron -profile code flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - - capability sys_ptrace, - - network inet stream, - network inet6 stream, - network inet dgram, - network inet6 dgram, - network netlink raw, - - signal (send), - - @{exec_path} mrix, - - @{lib}/code/node_modules.asar.unpacked/**.node rm, - - # Core tools - @{bin}/git rPx, - @{bin}/gpg{,2} rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/rg rix, - @{open_path} rPx -> child-open, - - # The shell is not confined on purpose. - @{bin}/@{shells} rUx, - - # Confine some common tools - @{lib}/code/extensions/git/dist/askpass.sh rPx, - @{lib}/code/extensions/git/dist/git-editor.sh rPx, - - # Do NOT confine most of the extensions - @{bin}/[a-z0-9]* rPUx, - @{code_config_dirs}/extensions/** rPUx, - @{HOME}/.go/bin/* rPUx, - @{lib}/go/bin/* rPUx, - @{bin}/python3.@{int} rUx, - - /etc/shells r, - /etc/lsb-release r, - - owner @{HOME}/@{XDG_SSH_DIR}/config r, - - owner @{code_config_dirs}/** rwkl -> @{code_config_dirs}/**, - - owner @{user_projects_dirs}/ r, - owner @{user_projects_dirs}/** rwkl -> @{user_projects_dirs}/**, - - owner @{tmp}/@{uuid} rw, - owner @{tmp}/vscode-*/{,**} rw, - owner @{tmp}/vscode-ipc-@{uuid}.sock rw, - - owner @{run}/user/@{uid}/vscode-@{hex}-*-{shared,main}.sock rw, - owner @{run}/user/@{uid}/vscode-git-@{hex}.sock rw, - owner @{run}/user/@{uid}/git-graph-askpass-[a-zA-Z0-9]*.sock rw, - - @{run}/systemd/inhibit/*.ref rw, - - @{sys}/devices/system/cpu/present r, - @{sys}/devices/system/cpu/kernel_max r, - @{sys}/devices/virtual/tty/tty@{int}/active r, - - @{PROC}/ r, - @{PROC}/@{pid}/fd/ r, - 
@{PROC}/@{pid}/stat r, - @{PROC}/loadavg r, - @{PROC}/sys/fs/inotify/max_user_watches r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/version r, - owner @{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/comm w, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/oom_score_adj rw, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pids}/clear_refs w, - owner @{PROC}/@{pids}/task/ r, - owner @{PROC}/@{pids}/task/@{tid}/status r, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/code-wrapper b/apparmor.d/profiles-a-f/code-wrapper deleted file mode 100644 index 707164b09..000000000 --- a/apparmor.d/profiles-a-f/code-wrapper +++ /dev/null @@ -1,27 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/code{,-oss} -profile code-wrapper @{exec_path} { - include - include - - @{exec_path} r, - - @{sh_path} rix, - @{lib}/electron@{int}/electron rPx -> code, - - owner @{user_config_dirs}/code-flags.conf r, - owner @{user_config_dirs}/electron@{int}-flags.conf r, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - include if exists -} - -# vim:syntax=apparmor From c2bc55dc465cd560861fbf773b47f0af6f746de3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 9 Sep 2024 20:53:12 +0100 Subject: [PATCH 080/315] feat(profile): general update. --- apparmor.d/abstractions/app/editor | 1 + apparmor.d/abstractions/app/pgrep | 2 +- apparmor.d/abstractions/freedesktop.org.d/complete | 2 ++ apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/profiles-a-f/aa-enforce | 2 +- 5 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 023696e31..d6e346f36 100644 --- a/apparmor.d/abstractions/app/editor 
+++ b/apparmor.d/abstractions/app/editor @@ -4,6 +4,7 @@ # SPDX-License-Identifier: GPL-2.0-only include + include @{sh_path} rix, @{bin}/nvim mrix, diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 4bab75387..aaf14d859 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Minimal set of rules for pgrep. +# Minimal set of rules for pgrep/pkill. include diff --git a/apparmor.d/abstractions/freedesktop.org.d/complete b/apparmor.d/abstractions/freedesktop.org.d/complete index ed4f067a5..4724c694a 100644 --- a/apparmor.d/abstractions/freedesktop.org.d/complete +++ b/apparmor.d/abstractions/freedesktop.org.d/complete @@ -13,6 +13,8 @@ @{system_share_dirs}/ r, @{system_share_dirs}/mime/ r, + /opt/*/**.{desktop,png} r, + /etc/gnome/defaults.list r, /etc/xfce4/defaults.list r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 6950304fc..29ced8dd9 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -195,7 +195,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/gnome-shell/extensions/*/** rPUx, /opt/**/share/icons/{,**} r, - /opt/*/**/*.png r, /snap/*/@{uid}/**.png r, /usr/share/{,zoneinfo-}icu/{,**} r, /usr/share/**.{png,jpg,svg} r, diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 2028e713f..84ba22fba 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain +@{exec_path} = @{bin}/aa-enforce @{bin}/aa-complain @{bin}/aa-audit profile aa-enforce @{exec_path} { include include From f0faf4ba5294193dee05a2e3d648951fe282f3ad Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol
Date: Mon, 9 Sep 2024 21:03:41 +0100
Subject: [PATCH 081/315] build: add signal-desktop to the overwritten list.
---
 dists/overwrite | 1 +
 1 file changed, 1 insertion(+)
diff --git a/dists/overwrite b/dists/overwrite
index ec35b79cd..767c07312 100644
--- a/dists/overwrite
+++ b/dists/overwrite
@@ -16,6 +16,7 @@ msedge
 nautilus
 opera
 plasmashell
+signal-desktop
 slirp4netns
 systemd-coredump
 thunderbird
From d9ce0d287d04d498432a3879f6c6b289d575eba0 Mon Sep 17 00:00:00 2001
From: odomingao
Date: Mon, 9 Sep 2024 23:33:28 -0300
Subject: [PATCH 082/315] Create earlyoom
---
 apparmor.d/profiles-a-f/earlyoom | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 apparmor.d/profiles-a-f/earlyoom
diff --git a/apparmor.d/profiles-a-f/earlyoom b/apparmor.d/profiles-a-f/earlyoom
new file mode 100644
index 000000000..6752cbae6
--- /dev/null
+++ b/apparmor.d/profiles-a-f/earlyoom
@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 odomingao
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{exec_path} = @{bin}/earlyoom
+profile earlyoom @{exec_path} {
+ include
+
+ capability kill,
+
+ @{exec_path} mr,
+
+ @{PROC}/ r,
+ @{PROC}/@{pid}/cmdline r,
+ @{PROC}/@{pid}/comm r,
+ @{PROC}/@{pid}/oom_adj r,
+ @{PROC}/@{pid}/oom_score r,
+ @{PROC}/@{pid}/oom_score_adj r,
+ @{PROC}/@{pid}/stat r,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 67c5181ba9de7467bc89c720d5c3b4d8c583439c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 10 Sep 2024 17:38:05 +0100
Subject: [PATCH 083/315] fix(profile): set flags in sub profile of fwupd.
---
 apparmor.d/profiles-a-f/fwupd | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index afb8bc367..d8fa6d355 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
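Review bot: The new earlyoom profile has `capability kill,` but no `signal` rule, and AppArmor mediates signals separately from the capability: unless the single included abstraction (its target is not visible here) grants it, the kill that is earlyoom's whole job will be denied, and the profile carries no complain flag so that denial is enforced immediately. Add `signal send set=(term, kill),` with no peer restriction, since the victim can be any process, and a comment saying so. The `@{PROC}/@{pid}/*` reads deliberately lack `owner` for the same reason (earlyoom inspects every process); a one-line note on the first of them would stop a later cleanup from adding `owner` and breaking it.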
@@ -8,7 +8,7 @@ abi , include @{exec_path} = @{lib}/{,fwupd/}fwupd -profile fwupd @{exec_path} flags=(complain,attach_disconnected) { +profile fwupd @{exec_path} flags=(attach_disconnected,complain) { include include include @@ -126,7 +126,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { /dev/tpmrm@{int} rw, /dev/wmi/* r, - profile gpg flags=(complain) { + profile gpg flags=(attach_disconnected,complain) { include include From f3094cc741db28c2390991fcfa72c30d88eeb137 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Sep 2024 18:13:48 +0100 Subject: [PATCH 084/315] build: add the X option to the stack directive. --- docs/development/directives.md | 4 ++++ pkg/prebuild/builder/complain.go | 4 ++-- pkg/prebuild/builder/enforce.go | 4 ++-- pkg/prebuild/directive/exec.go | 4 ++++ pkg/prebuild/directive/stack.go | 18 ++++++++++++++++-- pkg/prebuild/prepare/flags.go | 4 ++-- 6 files changed, 30 insertions(+), 8 deletions(-) diff --git a/docs/development/directives.md b/docs/development/directives.md index 9cff8840e..291b0b74e 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md @@ -115,6 +115,10 @@ The `exec` directive is useful to allow executing transitions to a profile witho : List a profile **files** to stack at the end of the current profile. +**`[X]`** + +: If `X` is set, the directive will conserve the `x` file rules regardless of the transition. Not enabled by default as it may conflict with the parent profile. + **Example** diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index e0f9f26b5..68dcc9f48 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -14,7 +14,7 @@ import ( var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {`) + regProfileHeader = regexp.MustCompile(` {\n`) ) type Complain struct { 
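Review bot: The header pattern `" {\n"` and the `" flags=(" + strings.Join(flags, ",") + ") {\n"` formatting now live in three places — here, `pkg/prebuild/builder/enforce.go` and `pkg/prebuild/prepare/flags.go` — and this commit had to edit all three in lockstep; one shared `regProfileHeader` plus a small `formatFlags(flags []string) string` helper in a common package would stop them drifting. Anchoring the regex on the newline also means a header with trailing whitespace or a CRLF ending no longer matches, and from the lines visible here nothing checks that the replacement happened, so such a profile would silently keep its old flags; comparing the text before and after and returning an error when the header was not found is a cheap guard. The call that performs the replacement is outside this hunk.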
@@ -40,7 +40,7 @@ func (b Complain) Apply(opt *Option, profile string) (string, error) { } } flags = append(flags, "complain") - strFlags := " flags=(" + strings.Join(flags, ",") + ") {" + strFlags := " flags=(" + strings.Join(flags, ",") + ") {\n" // Remove all flags definition, then set manifest' flags profile = regFlags.ReplaceAllLiteralString(profile, "") diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index bc25e03dc..d453da51b 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go @@ -36,9 +36,9 @@ func (b Enforce) Apply(opt *Option, profile string) (string, error) { return profile, nil } flags = slices.Delete(flags, idx, idx+1) - strFlags := "{" + strFlags := "{\n" if len(flags) >= 1 { - strFlags = " flags=(" + strings.Join(flags, ",") + ") {" + strFlags = " flags=(" + strings.Join(flags, ",") + ") {\n" } // Remove all flags definition, then set new flags diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index dd0d2ed0e..b77d80fa4 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go @@ -7,6 +7,7 @@ package directive import ( + "fmt" "slices" "strings" @@ -30,6 +31,9 @@ func init() { } func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { + if len(opt.ArgList) == 0 { + return "", fmt.Errorf("No profile to exec") + } transition := "Px" transitions := []string{"P", "U", "p", "u", "PU", "pu"} t := opt.ArgList[0] diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index e0ab9d84e..a2079dfb9 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -7,6 +7,7 @@ package directive import ( "fmt" "regexp" + "slices" "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" 
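Review bot: The new guard's message `fmt.Errorf("No profile to exec")` uses no format verbs and starts with a capital, which Go convention and staticcheck (ST1005) both flag; `errors.New("no profile to exec")` says the same and would let the added `"fmt"` import go unless it is needed elsewhere. The same applies to `fmt.Errorf("No profile to stack")` in the `stack.go` hunk that follows. The rest of `Exec.Apply` continues outside the hunk.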
@@ -19,7 +20,6 @@ var ( regCleanStakedRules = util.ToRegexRepl([]string{ `(?m)^.*include .*$`, ``, // Remove mandatory base abstraction `(?m)^.*@{exec_path}.*$`, ``, // Remove entry point - `(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove transition rules `(?m)^(?:[\t ]*(?:\r?\n))+`, ``, // Remove empty lines }) ) @@ -33,12 +33,26 @@ func init() { Base: cfg.Base{ Keyword: "stack", Msg: "Stack directive applied", - Help: Keyword + `stack profiles...`, + Help: Keyword + `stack [X] profiles...`, }, }) } func (s Stack) Apply(opt *Option, profile string) (string, error) { + if len(opt.ArgList) == 0 { + return "", fmt.Errorf("No profile to stack") + } + t := opt.ArgList[0] + if t != "X" { + regCleanStakedRules = slices.Insert(regCleanStakedRules, 0, + util.ToRegexRepl([]string{ + `(?m)^.*(|P|p)(|U|u)(|i)x,.*$`, ``, // Remove X transition rules + })..., + ) + } else { + delete(opt.ArgMap, t) + } + res := "" for name := range opt.ArgMap { stackedProfile := util.MustReadFile(cfg.RootApparmord.Join(name)) diff --git a/pkg/prebuild/prepare/flags.go b/pkg/prebuild/prepare/flags.go index cd6c2f54e..4ef41ef56 100644 --- a/pkg/prebuild/prepare/flags.go +++ b/pkg/prebuild/prepare/flags.go @@ -15,7 +15,7 @@ import ( var ( regFlags = regexp.MustCompile(`flags=\(([^)]+)\)`) - regProfileHeader = regexp.MustCompile(` {`) + regProfileHeader = regexp.MustCompile(` {\n`) ) type SetFlags struct { @@ -43,7 +43,7 @@ func (p SetFlags) Apply() ([]string, error) { // Overwrite profile flags if len(flags) > 0 { - flagsStr := " flags=(" + strings.Join(flags, ",") + ") {" + flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" out, err := util.ReadFile(file) if err != nil { return res, err From 50b0e09a9ad141d391b9cbd3c632ec869cf9500d Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 10 Sep 2024 18:15:27 +0100 Subject: [PATCH 085/315] feat(profile): add fstrim. --- apparmor.d/profiles-a-f/fstrim | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 apparmor.d/profiles-a-f/fstrim diff --git a/apparmor.d/profiles-a-f/fstrim b/apparmor.d/profiles-a-f/fstrim new file mode 100644 index 000000000..e49108044 --- /dev/null +++ b/apparmor.d/profiles-a-f/fstrim @@ -0,0 +1,31 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/fstrim +profile fstrim @{exec_path} { + include + include + + capability dac_override, + capability sys_admin, + + @{exec_path} mr, + + /etc/fstab r, + + @{HOMEDIRS}/ r, + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + / r, + /boot/ r, + /var/ r, + + include if exists +} + +# vim:syntax=apparmor From 49b8967bb2680b44ce1c8d7d5e2c3a5c088693d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Sep 2024 18:20:41 +0100 Subject: [PATCH 086/315] feat(profile): improve the use of org.chromium.Chromium.@{rand6}. --- apparmor.d/groups/browsers/brave | 7 +------ apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/profiles-g-l/git | 2 +- 3 files changed, 3 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index a47652600..4d065dce4 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -8,7 +8,7 @@ abi , include @{name} = brave{,-beta,-dev,-bin} -@{domain} = com.brave.Brave +@{domain} = com.brave.Brave org.chromium.Chromium @{lib_dirs} = /opt/brave{-bin,.com}{,/@{name}} @{config_dirs} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} @{cache_dirs} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev} 
@@ -43,11 +43,6 @@ profile brave @{exec_path} { owner @{tmp}/net-export/ rw, # For brave://net-export/ - owner @{tmp}/.org.chromium.Chromium.* rwk, - owner @{tmp}/.org.chromium.Chromium*/{,**} rw, - - owner /dev/shm/.org.chromium.Chromium.* rw, - # Silencer deny /etc/opt/chrome/ w, deny /dev/disk/by-uuid/ r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 29ced8dd9..b6420b348 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -294,7 +294,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner /dev/shm/.org.chromium.Chromium.* rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, /tmp/.X@{int}-lock rw, diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index af7fbd4df..edacd92e1 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -105,7 +105,7 @@ profile git @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, deny /usr/share/nvidia/nvidia-application-profiles-* r, - deny /dev/shm/.org.chromium.Chromium* rw, + deny /dev/shm/.org.chromium.Chromium.@{rand6} rw, profile gpg flags=(attach_disconnected) { include From e4f963f30f69ce3ae82e51b7daf2cb99f07a7f71 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Sep 2024 18:38:59 +0100 Subject: [PATCH 087/315] feat(aa-log): add some util functions. --- pkg/util/slice.go | 81 ++++++++++++++++++++++++++++ pkg/util/slice_test.go | 120 +++++++++++++++++++++++++++++++++++++++++ pkg/util/tools.go | 34 ------------ pkg/util/tools_test.go | 68 ----------------------- 4 files changed, 201 insertions(+), 102 deletions(-) create mode 100644 pkg/util/slice.go create mode 100644 pkg/util/slice_test.go 
diff --git a/pkg/util/slice.go b/pkg/util/slice.go new file mode 100644 index 000000000..defd9703a --- /dev/null +++ b/pkg/util/slice.go @@ -0,0 +1,81 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package util + +// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element. +func RemoveDuplicate[T comparable](inlist []T) []T { + var empty T + list := []T{} + seen := map[T]bool{} + seen[empty] = true + for _, item := range inlist { + if _, ok := seen[item]; !ok { + seen[item] = true + list = append(list, item) + } + } + return list +} + +// Intersect returns the intersection between two collections. +// From https://github.com/samber/lo +func Intersect[T comparable](list1 []T, list2 []T) []T { + result := []T{} + seen := map[T]struct{}{} + + for _, elem := range list1 { + seen[elem] = struct{}{} + } + + for _, elem := range list2 { + if _, ok := seen[elem]; ok { + result = append(result, elem) + } + } + + return result +} + +// Flatten returns an array a single level deep. +// From https://github.com/samber/lo +func Flatten[T comparable](collection [][]T) []T { + totalLen := 0 + for i := range collection { + totalLen += len(collection[i]) + } + + result := make([]T, 0, totalLen) + for i := range collection { + result = append(result, collection[i]...) + } + + return result +} + +// Invert creates a map composed of the inverted keys and values. If map +// contains duplicate values, subsequent values overwrite property assignments +// of previous values. +// Play: https://go.dev/play/p/rFQ4rak6iA1 +func Invert[K comparable, V comparable](in map[K]V) map[V]K { + out := make(map[V]K, len(in)) + + for k := range in { + out[in[k]] = k + } + + return out +} + +func InvertFlatten[V comparable](in map[V][]V) map[V]V { + out := make(map[V]V, len(in)) + + for k := range in { + for _, v := range in[k] { + out[v] = k + } + } + + return out +} 
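Review bot: `InvertFlatten` is exported without a doc comment while every sibling in the file has one; `// InvertFlatten inverts a map of slices: each element of in[k] becomes a key mapping back to k. Later keys overwrite earlier ones when an element appears under several keys.` would match the file's style. `Flatten` is declared `[T comparable]` although it only appends and never compares elements, so `[T any]` is the accurate constraint and also admits slices of structs that hold slices or funcs. `RemoveDuplicate`'s comment reads better as `// RemoveDuplicate filters out all duplicates and empty elements from a slice.`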
diff --git a/pkg/util/slice_test.go b/pkg/util/slice_test.go new file mode 100644 index 000000000..11f05a711 --- /dev/null +++ b/pkg/util/slice_test.go 
@@ -0,0 +1,120 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package util + +import ( + "reflect" + "testing" +) + +func TestRemoveDuplicate(t *testing.T) { + tests := []struct { + name string + inlist []string + want []string + }{ + { + name: "Duplicate", + inlist: []string{"foo", "bar", "foo", "bar", ""}, + want: []string{"foo", "bar"}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := RemoveDuplicate(tt.inlist); !reflect.DeepEqual(got, tt.want) { + t.Errorf("RemoveDuplicate() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestIntersect(t *testing.T) { + tests := []struct { + name string + list1 []int + list2 []int + want []int + }{ + { + name: "1", + list1: []int{0, 1, 2, 3, 4, 5}, + list2: []int{0, 2}, + want: []int{0, 2}, + }, + { + name: "2", + list1: []int{0, 1, 2, 3, 4, 5}, + list2: []int{0, 6}, + want: []int{0}, + }, + { + name: "3", + list1: []int{0, 1, 2, 3, 4, 5}, + list2: []int{-1, 6}, + want: []int{}, + }, + { + name: "4", + list1: []int{0, 6}, + list2: []int{0, 1, 2, 3, 4, 5}, + want: []int{0}, + }, + { + name: "5", + list1: []int{0, 6, 0}, + list2: []int{0, 1, 2, 3, 4, 5}, + want: []int{0}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Intersect(tt.list1, tt.list2); !reflect.DeepEqual(got, tt.want) { + t.Errorf("Intersect() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestFlatten(t *testing.T) { + tests := []struct { + name string + input [][]int + want []int + }{ + { + name: "1", + input: [][]int{{0, 1}, {2, 3, 4, 5}}, + want: []int{0, 1, 2, 3, 4, 5}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Flatten(tt.input); !reflect.DeepEqual(got, tt.want) { + t.Errorf("Intersect() = %v, want %v", got, tt.want) + } + }) + } +} + +func TestInvert(t *testing.T) { + tests := []struct { + name string + input map[string]int + want 
map[int]string + }{ + { + name: "1", + input: map[string]int{"a": 1, "b": 2}, + want: map[int]string{1: "a", 2: "b"}, + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := Invert(tt.input); !reflect.DeepEqual(got, tt.want) { + t.Errorf("Invert() = %v, want %v", got, tt.want) + } + }) + } +} diff --git a/pkg/util/tools.go b/pkg/util/tools.go index 30d5251d6..0d3372fcc 100644 --- a/pkg/util/tools.go +++ b/pkg/util/tools.go @@ -67,40 +67,6 @@ func DecodeHexInString(str string) string { return str } -// RemoveDuplicate filter out all duplicates from a slice. Also filter out empty element. -func RemoveDuplicate[T comparable](inlist []T) []T { - var empty T - list := []T{} - seen := map[T]bool{} - seen[empty] = true - for _, item := range inlist { - if _, ok := seen[item]; !ok { - seen[item] = true - list = append(list, item) - } - } - return list -} - -// Intersect returns the intersection between two collections. -// From https://github.com/samber/lo -func Intersect[T comparable](list1 []T, list2 []T) []T { - result := []T{} - seen := map[T]struct{}{} - - for _, elem := range list1 { - seen[elem] = struct{}{} - } - - for _, elem := range list2 { - if _, ok := seen[elem]; ok { - result = append(result, elem) - } - } - - return result -} - // CopyTo recursivelly copy all files from a source path to a destination path. func CopyTo(src *paths.Path, dst *paths.Path) error { files, err := src.ReadDirRecursiveFiltered(nil, diff --git a/pkg/util/tools_test.go b/pkg/util/tools_test.go index 4d5cade6a..df45d92b7 100644 --- a/pkg/util/tools_test.go +++ b/pkg/util/tools_test.go 
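Review bot: `TestFlatten` reports failures as `Intersect() = %v, want %v`, a copy-paste slip that would mislead whoever reads a failing run; change it to `t.Errorf("Flatten() = %v, want %v", got, tt.want)`. `InvertFlatten`, added in the same commit, has no test at all; one table case (for example `map[string][]int{"a": {1, 2}}` expecting `map[int]string{1: "a", 2: "a"}`) would also pin the overwrite-on-duplicate behaviour. Case `3` of `TestIntersect` expecting `[]int{}` rather than nil depends on the implementation starting from a non-nil slice, which is fine but deserves a short comment so nobody later "simplifies" it to `var result []T` and breaks `reflect.DeepEqual`.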
@@ -38,74 +38,6 @@ func TestDecodeHexInString(t *testing.T) { } } -func TestRemoveDuplicate(t *testing.T) { - tests := []struct { - name string - inlist []string - want []string - }{ - { - name: "Duplicate", - inlist: []string{"foo", "bar", "foo", "bar", ""}, - want: []string{"foo", "bar"}, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := RemoveDuplicate(tt.inlist); !reflect.DeepEqual(got, tt.want) { - t.Errorf("RemoveDuplicate() = %v, want %v", got, tt.want) - } - }) - } -} - -func TestIntersect(t *testing.T) { - tests := []struct { - name string - list1 []int - list2 []int - want []int - }{ - { - name: "1", - list1: []int{0, 1, 2, 3, 4, 5}, - list2: []int{0, 2}, - want: []int{0, 2}, - }, - { - name: "2", - list1: []int{0, 1, 2, 3, 4, 5}, - list2: []int{0, 6}, - want: []int{0}, - }, - { - name: "3", - list1: []int{0, 1, 2, 3, 4, 5}, - list2: []int{-1, 6}, - want: []int{}, - }, - { - name: "4", - list1: []int{0, 6}, - list2: []int{0, 1, 2, 3, 4, 5}, - want: []int{0}, - }, - { - name: "5", - list1: []int{0, 6, 0}, - list2: []int{0, 1, 2, 3, 4, 5}, - want: []int{0}, - }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if got := Intersect(tt.list1, tt.list2); !reflect.DeepEqual(got, tt.want) { - t.Errorf("Intersect() = %v, want %v", got, tt.want) - } - }) - } -} - func TestToRegexRepl(t *testing.T) { tests := []struct { name string From 3ad53a2bb087d99f25ba75b0396c94727a7e15ac Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Sep 2024 18:39:29 +0100 Subject: [PATCH 088/315] feat(profile): add aa-unconfined. --- apparmor.d/profiles-a-f/aa-unconfined | 44 +++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 apparmor.d/profiles-a-f/aa-unconfined diff --git a/apparmor.d/profiles-a-f/aa-unconfined b/apparmor.d/profiles-a-f/aa-unconfined new file mode 100644 index 000000000..a47fa60eb --- /dev/null +++ b/apparmor.d/profiles-a-f/aa-unconfined 
@@ -0,0 +1,44 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/aa-unconfined +profile aa-unconfined @{exec_path} flags=(attach_disconnected) { + include + include + include + + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{bin}/ r, + @{bin}/netstat Px, + @{bin}/ss Px, + + /usr/share/terminfo/** r, + + /etc/apparmor/logprof.conf r, + @{etc_ro}/inputrc r, + + owner @{tmp}/@{rand8} rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, + owner /var/tmp/@{rand8} rw, + + @{PROC}/ r, + @{PROC}/@{pid}/cmdline r, + @{PROC}/@{pids}/attr/apparmor/current r, + @{PROC}/@{pids}/attr/current r, + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor From 9cd1939ddc0c871ec9ca511e5e13003da2c49240 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Sep 2024 18:41:01 +0100 Subject: [PATCH 089/315] feat(abs): improve the app-launcher* abs. --- apparmor.d/abstractions/app-launcher-root | 4 ++-- apparmor.d/abstractions/app-launcher-user | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index c31d328fb..2aaecbd21 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -3,8 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* PUx, - /usr/local/{s,}bin/* PUx, + @{bin}/** PUx, + /usr/local/{s,}bin/** PUx, @{bin}/ r, / r, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index edf96b05a..04b20e84d 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user 
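Review bot: Widening `@{bin}/*` and `/usr/local/{s,}bin/*` to `**` with `PUx` lets every profile that includes this abstraction execute any file at any depth under those trees and fall back to unconfined when no profile exists, and the matching `app-launcher-user` hunk that follows goes further with `/usr/share/**`, a tree that is mostly data; a writable spot anywhere under it becomes an unconfined launch path for any launcher profile. If the goal is nested helper directories, naming the specific subtrees (or using `Px`/`ix` where a profile is expected to exist) keeps the unconfined fallback as narrow as before. A comment on the rule recording why the fallback is acceptable here would help the next reviewer.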
@@ -3,10 +3,10 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only - @{bin}/* PUx, + @{bin}/** PUx, /opt/*/** PUx, - /usr/share/*/* PUx, - /usr/local/bin/* PUx, + /usr/share/** PUx, + /usr/local/bin/** PUx, @{brave_path} Px, @{chrome_path} Px, From 7f594d51b5f6eb1c911cdecf9b22783d690ea72f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Sep 2024 18:49:33 +0100 Subject: [PATCH 090/315] feat(tunable): add the new @{arch} variable. --- apparmor.d/profiles-s-z/steam | 1 - apparmor.d/profiles-s-z/steam-fossilize | 1 - apparmor.d/profiles-s-z/steam-game-native | 1 - apparmor.d/profiles-s-z/steam-game-proton | 1 - apparmor.d/profiles-s-z/steam-gameoverlayui | 1 - apparmor.d/profiles-s-z/steam-launch | 1 - apparmor.d/profiles-s-z/steam-launcher | 1 - apparmor.d/profiles-s-z/steam-runtime | 1 - apparmor.d/profiles-s-z/steam-runtime-steam-remote | 1 - apparmor.d/profiles-s-z/steamerrorreporter | 1 - apparmor.d/tunables/multiarch.d/system | 3 +++ pkg/aa/apparmor.go | 1 + 12 files changed, 4 insertions(+), 10 deletions(-) diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index d8e0a50c5..0828786d5 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -21,7 +21,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize index b33c90d8b..1786a5e40 100644 --- a/apparmor.d/profiles-s-z/steam-fossilize +++ b/apparmor.d/profiles-s-z/steam-fossilize @@ -6,7 +6,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} 
diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/profiles-s-z/steam-game-native index 2817006f2..4246f7870 100644 --- a/apparmor.d/profiles-s-z/steam-game-native +++ b/apparmor.d/profiles-s-z/steam-game-native @@ -6,7 +6,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index 95eec5abc..8f1939bd1 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -6,7 +6,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui index d6680ac61..ae01bf5d3 100644 --- a/apparmor.d/profiles-s-z/steam-gameoverlayui +++ b/apparmor.d/profiles-s-z/steam-gameoverlayui @@ -6,7 +6,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/profiles-s-z/steam-launch index b1d820d86..975e432a6 100644 --- a/apparmor.d/profiles-s-z/steam-launch +++ b/apparmor.d/profiles-s-z/steam-launch @@ -6,7 +6,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} 
diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/profiles-s-z/steam-launcher index 45fa30245..2605c15f1 100644 --- a/apparmor.d/profiles-s-z/steam-launcher +++ b/apparmor.d/profiles-s-z/steam-launcher @@ -6,7 +6,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime index 6fde5418f..add024de7 100644 --- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime @@ -6,7 +6,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote index 4f256ef2d..1a6dd4063 100644 --- a/apparmor.d/profiles-s-z/steam-runtime-steam-remote +++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote @@ -6,7 +6,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/profiles-s-z/steamerrorreporter index 3e206e898..1d55e59af 100644 --- a/apparmor.d/profiles-s-z/steamerrorreporter +++ b/apparmor.d/profiles-s-z/steamerrorreporter @@ -6,7 +6,6 @@ abi , include -@{arch} = amd64 i386 @{runtime} = SteamLinuxRuntime_sniper @{share_dirs} = @{user_share_dirs}/Steam @{HOME}/.steam/debian-installation @{lib_dirs} = @{share_dirs}/ubuntu@{int2}_{32,64} @{share_dirs}/linux{32,64} 
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index b2e1a3b0b..9684cba18 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -91,6 +91,9 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 +# Common architecture names +@{arch}=x86_64 amd64 i386 + # OpenSUSE does not have the same multiarch structure @{multiarch}+=*-suse-linux* #aa:only opensuse diff --git a/pkg/aa/apparmor.go b/pkg/aa/apparmor.go index ad3915983..a887d4b98 100644 --- a/pkg/aa/apparmor.go +++ b/pkg/aa/apparmor.go @@ -32,6 +32,7 @@ func NewAppArmorProfile() *AppArmorProfileFile { func DefaultTunables() *AppArmorProfileFile { return &AppArmorProfileFile{ Preamble: Rules{ + &Variable{Name: "arch", Values: []string{"x86_64", "amd64", "i386"}, Define: true}, &Variable{Name: "bin", Values: []string{"/{,usr/}{,s}bin"}, Define: true}, &Variable{Name: "c", Values: []string{"[0-9a-zA-Z]"}, Define: true}, &Variable{Name: "etc_ro", Values: []string{"/{,usr/}etc/"}, Define: true}, From 9ea9f1eeedb8a6f1fa9b337c404b4c19ab489e42 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 10 Sep 2024 18:55:41 +0100 Subject: [PATCH 091/315] feat(tunable): add the new @{u8} and @{u16} variable. --- apparmor.d/tunables/multiarch.d/system | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 9684cba18..c6b22f9e0 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -14,6 +14,13 @@ # Integer up to 10 digits (0-9999999999) @{int}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],} +# Unsigned integer over 8 bits (0-255) +# 0 - 99 100 - 199 200 - 249 250 - 255 +@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] + +# Unsigned integer over 16 bits (0-65535, 5 digits) +@{u16}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],} + # hexadecimal, alphanumeric up to 64 characters @{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} @{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} From c622f5de93deb9b9c7105f95aca74d958507dfc7 Mon Sep 17 00:00:00 2001 From: odomingao Date: Tue, 10 Sep 2024 20:15:39 -0300 Subject: [PATCH 092/315] Add support for controllers in game abstraction --- apparmor.d/abstractions/common/game | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 609bb521d..678327f09 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -108,6 +108,7 @@ /dev/hidraw@{int} rw, /dev/input/ r, /dev/input/event@{int} rw, + /dev/input/js@{int} rw, /dev/tty rw, /dev/uinput rw, 
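Review bot: The comment says `@{u16}` covers `0-65535`, but the glob `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}` matches any 1–5 digit number, i.e. up to 99999, so rules built on it are looser than the comment promises. Either reword the comment the way `@{int}` is described (`# Integer up to 5 digits (0-99999)`), or, if a true 16-bit bound matters for the paths it will be used in, spell out the ranges the way `@{u8}` does: `@{u16}=[0-9]{[0-9],}{[0-9],}{[0-9],} [1-5][0-9][0-9][0-9][0-9] 6[0-4][0-9][0-9][0-9] 65[0-4][0-9][0-9] 655[0-2][0-9] 6553[0-5]` (constructed, please double-check the boundaries). `@{u8}` itself checks out: its four alternatives cover 0–99, 100–199, 200–249 and 250–255 exactly.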
From 6539b713fbc06c41349de5d1b67c5a93251a0b22 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Sep 2024 17:54:34 +0100 Subject: [PATCH 093/315] feat(profile): general update. --- .../polkit-mate-authentication-agent | 16 ++++------------ apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 +- .../groups/freedesktop/xdg-desktop-portal | 2 +- .../freedesktop/xdg-desktop-portal-hyprland | 9 +++++---- apparmor.d/groups/gpg/gpg-agent | 18 ++++++++++-------- .../groups/gvfs/gvfs-udisks2-volume-monitor | 1 - apparmor.d/groups/network/NetworkManager | 10 +++------- apparmor.d/groups/network/tailscaled | 15 +-------------- apparmor.d/groups/pacman/makepkg | 4 ++++ apparmor.d/groups/pacman/pacman | 6 ++++-- apparmor.d/profiles-a-f/aa-enforce | 4 ++-- apparmor.d/profiles-a-f/aa-notify | 2 +- apparmor.d/profiles-a-f/calibre | 15 +-------------- apparmor.d/profiles-a-f/filezilla | 4 +++- apparmor.d/profiles-a-f/freetube | 13 ++++--------- apparmor.d/profiles-g-l/git | 8 ++------ apparmor.d/profiles-s-z/signal-desktop | 6 ++++-- apparmor.d/profiles-s-z/telegram-desktop | 4 ++++ apparmor.d/profiles-s-z/udisksctl | 4 ++++ apparmor.d/profiles-s-z/waybar | 7 +++++++ apparmor.d/tunables/multiarch.d/programs | 2 +- 21 files changed, 66 insertions(+), 86 deletions(-) diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent index 762882b74..3aa47de3c 100644 --- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent @@ -11,13 +11,9 @@ include profile polkit-mate-authentication-agent @{exec_path} { include include - include - include + include include - include - include - include - include + include include signal (send) set=(term, kill) peer=polkit-agent-helper, 
@@ -26,19 +22,15 @@ profile polkit-mate-authentication-agent @{exec_path} { @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, - /usr/share/X11/xkb/** r, - /var/lib/dbus/machine-id r, /etc/machine-id r, - owner @{HOME}/.Xauthority r, - - owner /dev/tty@{int} rw, - @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, + owner /dev/tty@{int} rw, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index dea66efb8..51d9fdddb 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -23,7 +23,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Realtime - member=MakeThreadRealtimeWithPID + member=MakeThread* peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal), @{exec_path} mr, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 702b0088d..5d908e67b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -78,8 +78,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{,3}/greeter-dconf-defaults r, - owner @{user_config_dirs}/xdg-desktop-portal/* r, @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/xdg-desktop-portal/* r, owner @{tmp}/icon* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland index 73e8e734a..05c12eaf3 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 odomingao +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -26,10 +27,10 @@ profile xdg-desktop-portal-hyprland @{exec_path} { owner /tmp/hypr/\#@{int} rwkl, owner /tmp/hypr/hyprland-share-picker.conf* rwkl, - /sys/devices/virtual/dmi/id/bios_vendor r, - /sys/devices/virtual/dmi/id/board_vendor r, - /sys/devices/virtual/dmi/id/product_name r, - /sys/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, owner @{PROC}/@{pid}/cmdline r, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index d97327969..3d240828b 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent 
@@ -27,54 +27,56 @@ profile gpg-agent @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/*.conf r, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, owner @{HOME}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{HOME}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{HOME}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{HOME}/@{XDG_GPG_DIR}/sshcontrol r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/ rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/*.conf r, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/ rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{MOUNTS}/{,/*}/@{XDG_GPG_DIR}/sshcontrol r, owner @{user_projects_dirs}/**/{.,}gnupg/ rw, owner @{user_projects_dirs}/**/{.,}gnupg/*.conf r, owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, owner @{user_projects_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{user_projects_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{user_projects_dirs}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_projects_dirs}/**/{.,}gnupg/sshcontrol r, owner @{run}/user/@{uid}/gnupg/ rw, owner @{run}/user/@{uid}/gnupg/*.conf r, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/ rw, owner @{run}/user/@{uid}/gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{run}/user/@{uid}/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/sshcontrol r, owner @{user_tmp_dirs}/**/{.,}gnupg/ rw, owner @{user_tmp_dirs}/**/{.,}gnupg/*.conf r, owner 
@{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, #aa:only pacman owner /etc/pacman.d/gnupg/ rw, owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw, owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw, - owner /etc/pacman.d/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /etc/pacman.d/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /etc/pacman.d/gnupg/sshcontrol r, owner /var/lib/*/.gnupg/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/ rw, owner /var/lib/*/.gnupg/private-keys-v1.d/@{hex}.key rw, - owner /var/lib/*/.gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /var/lib/*/.gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/.gnupg/sshcontrol r, owner /var/lib/*/gnupg/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/ rw, owner /var/lib/*/gnupg/private-keys-v1.d/@{hex}.key rw, - owner /var/lib/*/gnupg/{,d.*/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner /var/lib/*/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, owner /var/lib/*/gnupg/sshcontrol r, #aa:only zypper diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor index 8c8a1c069..477354574 100644 --- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor +++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor @@ -12,7 +12,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) { include include include - include include include include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index f8612b4dc..7f9b5adf6 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
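Review bot: The new `d.@{rand}/` socket-directory pattern is only as correct as the @{rand} tunable, which is defined outside this hunk; gpg names these directories with a base-32 hash of the home directory (around 32 lower-case letters and digits), so if @{rand} does not admit that form the agent silently loses access to its socket whenever GNUPGHOME is non-default. Worth confirming against the tunable, and a one-line comment such as `# d.@{rand}: per-homedir socket dir created by gpgconf --create-socketdir` would make the intent visible. The tightening from `d.*/` itself is welcome. The rule run continues outside the hunk in the zypper section.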
@@ -43,6 +43,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=system name=org.freedesktop.NetworkManager + #aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld #aa:dbus talk bus=system name=org.freedesktop.nm_dispatcher label=nm-dispatcher #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved @@ -61,11 +62,6 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { member=GetManagedObjects peer=(name=:*, label=bluetoothd), - dbus send bus=system path=/org/fedoraproject/FirewallD1 - interface=org.fedoraproject.FirewallD1.zone - member={changeZoneOfInterface,removeInterface} - peer=(name=org.freedesktop.DBus, label=firewalld), - dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded @@ -134,13 +130,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/devices/@{pci}/net/*/{,**} r, @{sys}/devices/@{pci}/usb@{int}/**/net/{,**} r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pids}/stat r, @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/** rw, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, /dev/rfkill rw, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index dd3f253db..14d73b356 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled 
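Review bot: Replacing the explicit FirewallD1 rule (interface `org.fedoraproject.FirewallD1.zone`, members `changeZoneOfInterface`/`removeInterface`) with `#aa:dbus talk bus=system name=org.fedoraproject.FirewallD1 label=firewalld` widens NetworkManager's reach from two zone operations to the whole firewalld API, send and receive, on every path and interface. If newer NetworkManager releases need the broader access, a comment stating which additional calls were observed would justify it; otherwise keeping the member list preserves least privilege. The tailscaled hunk does the same for `org.freedesktop.resolve1`, where the old rules already allowed `SetLink*` and `FlushCaches`, so the widening there is smaller but equally undocumented.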
@@ -30,20 +30,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { ptrace (read), - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=org.freedesktop.resolve1, label=systemd-resolved), - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.DBus.Properties - member=Get - peer=(name=org.freedesktop.resolve1, label=systemd-resolved), - - dbus send bus=system path=/org/freedesktop/resolve1 - interface=org.freedesktop.resolve1.Manager - member={FlushCaches,SetLink*} - peer=(name=org.freedesktop.resolve1, label=systemd-resolved), + #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved @{exec_path} mr, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index d62e509e9..311135eae 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -11,6 +11,9 @@ profile makepkg @{exec_path} { include include + signal send set=winch peer=pacman, + signal send set=winch peer=pacman//systemctl, + network inet stream, network inet6 stream, network inet dgram, @@ -48,6 +51,7 @@ profile makepkg @{exec_path} { owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/gnupg/ r, owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index c1dbb002e..48778d6e4 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -37,9 +37,10 @@ profile pacman @{exec_path} flags=(attach_disconnected) { network netlink raw, network unix stream, - ptrace (read), + ptrace read, - signal (send) set=(usr1) peer=gvfsd, + signal send set=usr1 peer=gvfsd, + signal receive set=winch peer=makepkg//sudo, @{exec_path} mrix, 
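Review bot: The SIGWINCH rules on the two sides do not name the same peers: makepkg sends with `peer=pacman` and `peer=pacman//systemctl`, while pacman receives with `peer=makepkg//sudo`. AppArmor needs the sender's and the receiver's rule to agree for the signal to pass, so if the real sender is sudo running under makepkg//sudo the send rule belongs in that child profile (outside this hunk), and if makepkg itself sends, the receive rule should read `signal receive set=winch peer=makepkg,`; as written one of the two directions still looks denied. The `ptrace (read)` → `ptrace read` and `signal (send) set=(usr1)` → `signal send set=usr1` rewrites are style-only.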
@@ -194,6 +195,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) { capability sys_resource, signal send set=cont peer=child-pager, + signal receive set=winch peer=makepkg//sudo, @{pager_path} rPx -> child-pager, diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 84ba22fba..3a803756c 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -29,8 +29,8 @@ profile aa-enforce @{exec_path} { owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw, owner /var/lib/snapd/apparmor/{,**} rw, - /tmp/@{rand8} rw, - /tmp/apparmor-bugreport-@{rand8}.txt rw, + owner @{tmp}/@{rand8} rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, owner @{PROC}/@{pid}/fd r, diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index 7c65b9be2..f2ff96df4 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -35,7 +35,7 @@ profile aa-notify @{exec_path} { owner @{HOME}/.terminfo/@{int}/dumb r, owner @{tmp}/@{rand8} rw, - owner @{tmp}/apparmor-bugreport-*.txt rw, + owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, @{PROC}/ r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre index d58a8d042..c00490a75 100644 --- a/apparmor.d/profiles-a-f/calibre +++ b/apparmor.d/profiles-a-f/calibre @@ -94,6 +94,7 @@ profile calibre @{exec_path} { @{PROC}/ r, @{PROC}/@{pids}/net/route r, @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/random/boot_id r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/vmstat r, owner @{PROC}/@{pid}/cmdline r, 
@@ -102,24 +103,10 @@ profile calibre @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, - owner @{PROC}/@{pid}/stat{,m} r, - owner @{PROC}/@{pid}/stat{,m} r, - owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/stat{,m} r, - owner @{PROC}/@{pid}/comm r, owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/status r, - owner @{PROC}/@{pid}/task/@{tid}/status r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{PROC}/@{pid}/cmdline r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - deny @{PROC}/sys/kernel/random/boot_id r, owner @{PROC}/@{pid}/task/@{tid}/status r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - deny owner @{PROC}/@{pid}/cmdline r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj rw, - deny @{PROC}/sys/kernel/random/boot_id r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 2ec1a542f..8b3786eb5 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -13,6 +13,7 @@ profile filezilla @{exec_path} { include include include + include include include include @@ -27,7 +28,7 @@ profile filezilla @{exec_path} { network netlink dgram, network netlink raw, - signal (send) set=(term, kill) peer=fzsftp, + signal send set=(term, kill) peer=fzsftp, @{exec_path} mr, @@ -65,6 +66,7 @@ profile filezilla @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + /dev/tty rw, owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index a3d655d87..7d9a5f59e 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube 
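Review bot: Dropping `deny owner @{PROC}/@{pid}/cmdline r`, `deny owner @{PROC}/@{pid}/oom_{,score_}adj rw` and `deny @{PROC}/sys/kernel/random/boot_id r` changes effective policy, not just tidiness: deny rules take precedence over allow rules in AppArmor, so until now the `owner @{PROC}/@{pid}/cmdline r` and `oom_{,score_}adj rw` allows visible in the context lines were inert, and the new `boot_id r` allow in the previous hunk only takes effect because its deny is gone. That is probably intended, but nothing in the commit records it; a short comment such as `# cmdline, oom_adj and boot_id were denied until 2024-09; now allowed` near those lines would keep the change auditable. The removal of the duplicated lines is fine.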
@@ -7,7 +7,7 @@ abi , include -@{name} = {F,f}reetube{,-vue} +@{name} = {F,f}ree{T,t}ube{,-vue} @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} @@ -16,11 +16,11 @@ include profile freetube @{exec_path} { include include + include include include include include - include include network inet dgram, @@ -35,13 +35,8 @@ profile freetube @{exec_path} { @{open_path} rPx -> child-open-strict, - /etc/fstab r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, - - owner @{run}/user/@{uid}/ r, - - owner /dev/tty@{int} rw, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> freetube//&xdg-settings, include if exists } diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index edacd92e1..30ce7e1e8 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -92,14 +92,9 @@ profile git @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.netrc r, owner @{user_config_dirs}/git/{,*} rw, - owner @{tmp}/git-difftool.*/ rw, # For diffs - owner @{tmp}/git-difftool.*/right/{,**} rw, - owner @{tmp}/git-difftool.*/left/{,**} rw, - owner @{tmp}/* rw, - owner @{tmp}/tmp*/ rw, # For TWRP-device-tree-generator - owner @{tmp}/tmp*/** rwkl -> /tmp/tmp*/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner @{tmp}/git-commit-msg-.txt rw, # For android studio + owner @{tmp}/git-difftool.*/{,**} rw, # For diffs deny owner @{code_config_dirs}/** rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, @@ -126,6 +121,7 @@ profile git @{exec_path} flags=(attach_disconnected) { profile ssh flags=(attach_disconnected) { include + include include network inet dgram, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index e50d95764..73474ce7f 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop 
@@ -31,11 +31,13 @@ profile signal-desktop @{exec_path} { @{exec_path} mrix, - @{bin}/basename rix, + # @{bin}/basename rix, @{bin}/getconf rix, - @{bin}/xdg-settings rix, @{open_path} rPx -> child-open-strict, + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, + audit @{lib_dirs}/chrome-sandbox rPx, @{lib_dirs}/chrome_crashpad_handler rix, diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop index 416c97d72..a31d4c601 100644 --- a/apparmor.d/profiles-s-z/telegram-desktop +++ b/apparmor.d/profiles-s-z/telegram-desktop @@ -26,6 +26,7 @@ profile telegram-desktop @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -47,10 +48,13 @@ profile telegram-desktop @{exec_path} { owner @{tmp}/@{hex32}-?@{uuid}? rwk, audit owner /dev/shm/#@{int} rw, + @{sys}/kernel/mm/transparent_hugepage/enabled r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner /dev/tty@{int} rw, diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl index 63e8b7c79..5e7320a63 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl @@ -10,6 +10,10 @@ include @{exec_path} = @{bin}/udisksctl profile udisksctl @{exec_path} { include + include + include + + #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index 127945081..3646a616d 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar 
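Review bot: `# @{bin}/basename rix,` leaves a dead rule in the profile with no reason for keeping it; either delete the line or turn it into a statement of why it was withdrawn, e.g. `# basename no longer exec'd since the xdg-settings stack; drop if no denial reappears`. Moving `@{bin}/xdg-settings` from `rix` to `rPx -> signal-desktop//&xdg-settings` under `#aa:stack X xdg-settings` is the right direction and matches the freetube hunk earlier in this commit.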
@@ -22,15 +22,22 @@ profile waybar @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + /etc/machine-id r, + owner @{user_config_dirs}/waybar/{,**} r, @{sys}/devices/virtual/dmi/id/bios_vendor r, @{sys}/devices/virtual/dmi/id/board_vendor r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/devices/system/cpu/present r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/spl/kstat/zfs/arcstats r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + /dev/rfkill r, + owner /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 8dd2f237c..5c18c1b28 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -71,7 +71,7 @@ @{file_explorers_names} = dolphin nautilus thunar # Text editors -@{text_editors_names} = code gedit mousepad gnome-text-editor +@{text_editors_names} = code gedit mousepad gnome-text-editor zeditor zedit zed-cli # Document viewers @{document_viewers_names} = evince okular *{F,f}oliate YACReader From eb9e0c13ae4578c78e751103a22e59037008b403 Mon Sep 17 00:00:00 2001 From: odomingao Date: Wed, 11 Sep 2024 13:24:51 -0300 Subject: [PATCH 094/315] Update hyprland profile with version 0.43 --- apparmor.d/groups/hyprland/hyprland | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 5fa0ce84b..8327c14cd 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -10,6 +10,7 @@ include profile hyprland @{exec_path} flags=(attach_disconnected) { include include + include include include From 04c2cabeb636dc98faa8a9aaae1d7f2ed9ea9138 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 11 Sep 2024 19:40:01 +0100 Subject: [PATCH 095/315] feat(profile): remove linssid profile. --- apparmor.d/profiles-g-l/linssid | 113 -------------------------------- 1 file changed, 113 deletions(-) delete mode 100644 apparmor.d/profiles-g-l/linssid diff --git a/apparmor.d/profiles-g-l/linssid b/apparmor.d/profiles-g-l/linssid deleted file mode 100644 index 615f51b62..000000000 --- a/apparmor.d/profiles-g-l/linssid +++ /dev/null 
@@ -1,113 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2020-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/linssid @{bin}/linssid-pkexec -profile linssid @{exec_path} { - include - include - include - include - include - include - include - include - include - include - - # For reading/saving config/log files when linssid is started via pkexec - #capability dac_read_search, - #capability dac_override, - - # Needed? - deny capability sys_admin, - deny capability sys_nice, - - @{exec_path} mr, - - @{sh_path} rix, - @{bin}/cat rix, - - # When linssid is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Linssid works fine without this. 
- #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, - - @{bin}/iw rCx -> iw, - @{bin}/pkexec rPx, - - # For regular run as root user - owner @{HOME}/.linssid.prefs rw, - owner @{HOME}/LinSSID.datalog rw, - # For pkexec - #@{HOME}/.linssid.prefs rw, - #@{HOME}/LinSSID.datalog rw, - - /usr/share/linssid/{,*} r, - - /usr/share/hwdata/pnp.ids r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/net/wireless r, - owner @{PROC}/@{pid}/cmdline r, - - owner @{tmp}/runtime-root/ rw, - owner @{tmp}/linssid_* rw, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - # For shell pwd - /root/ r, - - # file_inherit - owner /dev/tty@{int} rw, - - - profile iw { - include - - capability net_admin, - deny capability sys_module, - - network netlink raw, - - @{bin}/iw mr, - - # file_inherit - owner @{HOME}/.linssid.prefs rw, - owner @{HOME}/LinSSID.datalog rw, - owner @{tmp}/linssid_* rw, - owner /dev/dri/card@{int} rw, - - } - - profile dbus { - include - include - - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, - } - - include if exists -} - -# vim:syntax=apparmor From 64c2ee5fe9391a1ed35a4ab79bc08c2abf6ba0d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Sep 2024 19:48:31 +0100 Subject: [PATCH 096/315] feat(abs): add app/bus Useful to confine dbus access in scripts. --- apparmor.d/abstractions/app/bus | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) create mode 100644 apparmor.d/abstractions/app/bus diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus new file mode 100644 index 000000000..d1d0d8cb7 --- /dev/null +++ b/apparmor.d/abstractions/app/bus 
@@ -0,0 +1,18 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for dbus-send/dbus-launch. + + include + + @{bin}/dbus-launch mix, + @{bin}/dbus-send mix, + + @{bin}/dbus-daemon Px -> dbus-session, + + owner @{HOME}/.dbus/session-bus/@{hex}-@{int} w, + + include if exists + +# vim:syntax=apparmor From 0fdf514418aa97c80afc9ec1c257f95c28fc0f82 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 11 Sep 2024 19:50:50 +0100 Subject: [PATCH 097/315] feat(profile): update profile with dbus-send. --- apparmor.d/groups/apt/synaptic | 166 ++++++++------------------ apparmor.d/profiles-a-f/acpi-powerbtn | 18 ++- apparmor.d/profiles-a-f/dunstctl | 7 +- apparmor.d/profiles-g-l/gsmartcontrol | 76 ++++-------- apparmor.d/profiles-g-l/lxappearance | 48 ++------ 5 files changed, 96 insertions(+), 219 deletions(-) diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index fcfa2ef7c..2b8679c2a 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic 
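Review bot: The header comment `# Minimal set of rules for dbus-send/dbus-launch.` does not say how the abstraction is meant to be entered; with `@{bin}/dbus-launch mix` and `@{bin}/dbus-send mix`, it only confines anything when included from a dedicated child profile (the consumers in the next commit transition with `Cx -> bus`), whereas including it from a main profile would run those binaries with the whole parent's permissions. A second line such as `# Intended to be included from a child profile entered via 'Cx -> bus'; not for use in a main profile.` would prevent that misuse. The `Px -> dbus-session` transition for dbus-daemon is a sound choice.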
@@ -10,176 +10,106 @@ include @{exec_path} = @{bin}/synaptic @{bin}/synaptic-pkexec profile synaptic @{exec_path} { include - include - include - include - include - include include + include + include include - # To remove the following errors: - # W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory - # (1: Operation not permitted) - # W: chmod 0700 of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory - # (1: Operation not permitted) - # W: chmod 0600 of file /var/lib/apt/lists/deb.debian.org_debian_dists_sid_InRelease failed - - # Item::QueueURI (1: Operation not permitted) - capability fowner, - - # To remove the following errors: - # W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory - # (1: Operation not permitted) - # W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory - # (1: Operation not permitted) capability chown, - - # To remove the following errors: - # E: setgroups 65534 failed - setgroups (1: Operation not permitted) - # E: setegid 65534 failed - setegid (1: Operation not permitted) - # E: seteuid 100 failed - seteuid (1: Operation not permitted) - # E: setgroups 0 failed - setgroups (1: Operation not permitted) - capability setuid, - capability setgid, - - # To remove the following errors: - # W: Problem unlinking the file /var/lib/apt/lists/partial/*_InRelease - - # PrepareFiles (13: Permission denied) - # E: Unable to read /var/lib/apt/lists/partial/ - open (13: Permission denied) - capability dac_read_search, - - # To remove the following errors: - # E: Failed to fetch https://**.deb rename failed, Permission denied - # (/var/cache/apt/archives/partial/*.deb -> /var/cache/apt/archives/*.deb). - # E: Unable to fetch some archives, maybe run apt-get update or try with --fix-missing? capability dac_override, - - # Needed? 
(##FIXME##) - capability kill, + capability dac_read_search, + capability fowner, capability fsetid, - deny capability net_admin, - deny capability sys_nice, + capability kill, + capability net_admin, + capability setgid, + capability setuid, + capability sys_nice, - signal (send) peer=apt-methods-*, + signal send peer=apt-methods-*, @{exec_path} mr, @{sh_path} rix, @{bin}/{,e,f}grep rix, - @{bin}/test rix, @{bin}/echo rix, - - # For update-apt-xapian-index - @{bin}/nice rix, @{bin}/ionice rix, + @{bin}/nice rix, + @{bin}/test rix, - # When synaptic is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Synaptic works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, - deny @{bin}/gdbus rx, - - @{bin}/ps rPx, - @{bin}/dpkg rPx, + @{bin}/adequate rPx, + @{bin}/appstreamcli rPx, @{bin}/apt-listbugs rPx, @{bin}/apt-listchanges rPx, @{bin}/apt-show-versions rPx, - @{bin}/dpkg-preconfigure rPx, + @{bin}/deborphan rPx, @{bin}/debtags rPx, + @{bin}/dpkg rPx, + @{bin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, - @{bin}/appstreamcli rPx, - @{bin}/adequate rPx, + @{bin}/lsb_release rPx -> lsb_release, + @{bin}/pkexec rPx, + @{bin}/ps rPx, + @{bin}/software-properties-gtk rPx, + @{bin}/tasksel rPx, + @{bin}/update-apt-xapian-index rPx, @{bin}/update-command-not-found rPx, /usr/share/command-not-found/cnf-update-db rPx, - @{bin}/update-apt-xapian-index rPx, - @{bin}/lsb_release rPx -> lsb_release, - @{bin}/deborphan rPx, - @{bin}/tasksel rPx, - @{bin}/pkexec rPx, - @{bin}/software-properties-gtk rPx, # Methods to use to download packages from the net @{lib}/apt/methods/* rPx, - /var/lib/apt/lists/** rw, - 
/var/lib/apt/lists/lock rwk, - /var/lib/apt/extended_states{,.*} rw, + /usr/share/synaptic/{,**} r, /etc/apt/apt.conf.d/99synaptic rw, + # For editing the sources.list file + /etc/apt/sources.list rwk, + /etc/apt/sources.list.d/ r, + /etc/apt/sources.list.d/*.list rw, + + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + /var/log/apt/eipp.log.xz w, /var/log/apt/{term,history}.log w, - # For editing the sources.list file - /etc/apt/sources.list.d/ r, - /etc/apt/sources.list.d/*.list rw, - /etc/apt/sources.list rwk, - - /var/lib/apt-xapian-index/index r, + /var/cache/apt/ r, + /var/cache/apt/** rwk, /var/cache/apt-xapian-index/index.[0-9]/*.glass r, /var/cache/apt-xapian-index/index.[0-9]/iamglass r, + /var/lib/apt-xapian-index/index r, /var/lib/dpkg/** r, /var/lib/dpkg/lock{,-frontend} rwk, + /var/lib/apt/lists/** rw, + /var/lib/apt/lists/lock rwk, + /var/lib/apt/extended_states{,.*} rw, - /var/lib/dbus/machine-id r, - /etc/machine-id r, + # For package building + @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, + + owner @{HOME}/.synaptic/ rw, + owner @{HOME}/.synaptic/** rwk, /tmp/ r, owner @{tmp}/apt-dpkg-install-*/ rw, owner @{tmp}/apt-dpkg-install-*/@{int}-*.deb w, - /var/cache/apt/ r, - /var/cache/apt/** rwk, - - /usr/share/synaptic/{,**} r, - owner @{HOME}/.synaptic/ rw, - owner @{HOME}/.synaptic/** rwk, @{run}/synaptic.socket w, - @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, - # To remove the following error: - # Internal Error: impossible to fork children. Synaptics is going to stop. Please report. 
- # errorcode: 2 - /dev/ptmx rw, - - /etc/fstab r, - - # Synaptic is a GUI app started by root, so without "owner" - @{HOME}/.Xauthority r, - - # For package building - @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - - # file_inherit + /dev/ptmx rw, owner /dev/tty@{int} rw, + deny @{bin}/dbus-launch x, + deny @{bin}/dbus-send x, + deny @{bin}/gdbus x, deny @{user_share_dirs}/gvfs-metadata/{*,} r, - profile dbus { - include - include - - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, - } - include if exists } diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index 9372f46b4..519f7f868 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -11,9 +11,8 @@ profile acpi-powerbtn flags=(attach_disconnected) { /etc/acpi/powerbtn-acpi-support.sh r, - @{bin}/{ba,da,}sh rix, + @{sh_path} rix, @{bin}/{e,}grep rix, - @{bin}/dbus-send rix, @{bin}/killall5 rix, @{bin}/pgrep rix, @{bin}/pinky rix, @@ -21,10 +20,10 @@ profile acpi-powerbtn flags=(attach_disconnected) { @{bin}/shutdown rix, /etc/acpi/powerbtn.sh rix, - @{bin}/systemctl rCx -> systemctl, - @{bin}/ps rPx, - - @{bin}/fgconsole rCx -> fgconsole, + @{bin}/dbus-send Cx -> bus, + @{bin}/fgconsole Cx -> fgconsole, + @{bin}/ps Px, + @{bin}/systemctl Cx -> systemctl, /usr/share/acpi-support/** r, @@ -46,6 +45,13 @@ profile acpi-powerbtn flags=(attach_disconnected) { owner /dev/tty@{int} rw, } + profile bus flags=(complain) { + include + include + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/profiles-a-f/dunstctl b/apparmor.d/profiles-a-f/dunstctl index 42276c6c6..a00668556 100644 --- a/apparmor.d/profiles-a-f/dunstctl +++ b/apparmor.d/profiles-a-f/dunstctl 
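Review bot: At the top of the synaptic hunk `deny capability net_admin,` and `deny capability sys_nice,` become plain grants and `capability kill` loses its `# Needed? (##FIXME##)` marker, while every comment explaining which observed error motivated a capability is removed. For a root-run package-manager GUI, net_admin is a sizeable step up and nothing in the diff records why the earlier explicit denies were wrong; either keep a one-line reason per capability (`capability net_admin, # [observed denial to be filled in]`) or mark the doubtful ones `audit capability net_admin,` so the log shows whether they are actually exercised. The consolidation of the apt paths and the switch to `deny @{bin}/dbus-* x` look fine. The hunk starts before the profile header and the profile body continues past it.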
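Review bot: The new `profile bus flags=(complain)` child in acpi-powerbtn (and the one in the gsmartcontrol hunk) is created in complain mode, whereas the `bus` children in the dunstctl and lxappearance hunks are enforcing. For acpi-powerbtn in particular the parent runs as root on a hardware event, and `@{bin}/dbus-send Cx -> bus` now lands in a child that only logs, so the app/bus abstraction from the previous commit is not enforced there. If complain is a deliberate break-in period, say so (`# complain until app/bus has been validated on real systems`) and apply the same flag to all four children; otherwise drop it.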
@@ -13,12 +13,13 @@ profile dunstctl @{exec_path} { @{exec_path} mr, - @{bin}/dbus-send rCx -> dbus, + @{bin}/dbus-send Cx -> bus, - profile dbus { + profile bus { include + include - @{bin}/dbus-send mr, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol index ec3dcff98..9ce2b10dc 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol +++ b/apparmor.d/profiles-g-l/gsmartcontrol @@ -10,43 +10,31 @@ include @{exec_path} = @{bin}/gsmartcontrol profile gsmartcontrol @{exec_path} { include - include - include - include - include + include include capability dac_read_search, - - # Needed? - deny capability sys_nice, + capability sys_nice, @{exec_path} mr, - @{bin}/smartctl rPx, - @{bin}/xterm rCx -> terminal, + @{bin}/dbus-launch Cx -> bus, + @{bin}/dbus-send Cx -> bus, + @{bin}/smartctl Px, + @{bin}/xterm Cx -> terminal, - # When gsmartcontrol is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Gsmartcontrol works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, + /etc/fstab r, - owner @{user_config_dirs}/gsmartcontrol/ rw, - owner @{user_config_dirs}/gsmartcontrol/gsmartcontrol.conf rw, - - # As it's started as root - @{HOME}/.Xauthority r, + /var/lib/dbus/machine-id r, + /etc/machine-id r, # For saving SMART raport owner /root/ r, owner /root/**.txt w, + owner @{user_config_dirs}/gsmartcontrol/ rw, + owner @{user_config_dirs}/gsmartcontrol/** rw, + owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, 
@@ -55,57 +43,37 @@ profile gsmartcontrol @{exec_path} { owner @{PROC}/scsi/scsi r, owner @{PROC}/scsi/sg/devices r, - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - # The Help menu (and links in it) requires access to a web browser. Since gsmartcontrol is run as # root (even when used sudo or gsmartcontrol-root), the web browser will also be run as root and # hence this behavior should be blocked. - deny @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rx, + deny @{open_path} rx, - - profile dbus { + profile bus flags=(complain) { include - include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } profile terminal { include include + include include - include + include - capability setuid, - capability setgid, capability fsetid, + capability setgid, + capability setuid, @{bin}/xterm mr, - - /usr/sbin/update-smart-drivedb rPx, - - owner @{HOME}/.Xauthority r, - - /etc/shells r, - - /etc/X11/app-defaults/XTerm-color r, - /etc/X11/app-defaults/XTerm r, - /etc/X11/cursors/*.theme r, + @{bin}/update-smart-drivedb rPx, /usr/include/X11/bitmaps/vlines2 r, /dev/ptmx rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance index a400ef80c..c4ef29625 100644 --- a/apparmor.d/profiles-g-l/lxappearance +++ b/apparmor.d/profiles-g-l/lxappearance 
@@ -10,59 +10,31 @@ include @{exec_path} = @{bin}/lxappearance profile lxappearance @{exec_path} { include - include - include - include - include + include @{exec_path} mr, - # When lxappearance is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Lxappearance works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, + @{bin}/dbus-launch Cx -> bus, + @{bin}/dbus-send Cx -> bus, /usr/share/lxappearance/{,**} r, - owner @{HOME}/.themes/{,**} r, - owner @{HOME}/.icons/{,**} rw, - - owner @{HOME}/.gtkrc-2.0{,.*} rw, - owner @{user_config_dirs}/gtk-3.0/settings.ini{,.*} rw, - - /etc/X11/cursors/*.theme r, - - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, /etc/machine-id r, /var/lib/dbus/machine-id r, - # file_inherit + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner /dev/tty@{int} rw, - - profile dbus { + profile bus { include - include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPUx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } include if exists From e4a986096f87bcca5398747037de1e362ea60ae1 Mon Sep 17 00:00:00 2001 From: EricLin0509 <143688917+EricLin0509@users.noreply.github.com> Date: Thu, 12 Sep 2024 18:59:25 +0800 Subject: [PATCH 098/315] Add support for linuxqq (#474) --- apparmor.d/profiles-g-l/linuxqq | 58 +++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 apparmor.d/profiles-g-l/linuxqq 
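Review bot: The write rules `owner @{HOME}/.gtkrc-2.0{,.*} rw`, `owner @{user_config_dirs}/gtk-3.0/settings.ini{,.*} rw` and `owner @{HOME}/.icons/{,**} rw` are removed and nothing added in the hunk replaces them; the new `include` line presumably covers them, but its target is not visible here, and if it only grants read access lxappearance can no longer save the settings it exists to edit. Worth confirming against that abstraction before merging. Dropping `@{bin}/dbus-daemon rPUx` from the `bus` child is a genuine tightening, since it removed an unconfined fallback. The profile continues outside the hunk.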
diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq new file mode 100644 index 000000000..640458439 --- /dev/null +++ b/apparmor.d/profiles-g-l/linuxqq @@ -0,0 +1,58 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 EricLin +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = QQ +@{lib_dirs} = /opt/QQ/ +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/linuxqq +@{exec_path} += /opt/QQ/qq +profile linuxqq @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, + + @{exec_path} mr, + + @{sh_path} r, + @{bin}/find rix, + @{bin}/rm rix, + @{bin}/xdg-open rix, + @{bin}/grep rix, + /opt/QQ/qq ix, + /opt/QQ/chrome_crashpad_handler ix, + + @{lib_dirs}/resources/app/{,**} m, + + /etc/machine-id r, + + @{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp r, + + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cmdline r, + + /dev/tty rw, + /dev/pts/@{int} rw, + + include if exists +} + From fb93ac0df35346019181d96bee9624925e04fb84 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Sep 2024 12:12:29 +0100 Subject: [PATCH 099/315] fix(profile): improve linuxqq See #474 --- apparmor.d/profiles-g-l/linuxqq | 23 +++++++---------------- 1 file changed, 7 insertions(+), 16 deletions(-) diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 640458439..6961d8cc7 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq 
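Review bot: `@{config_dirs}` and `@{cache_dirs}` are declared at the top of the new profile but no visible rule uses them; presumably one of the `include` lines (targets not visible here) consumes them, otherwise they are dead declarations and deserve either a rule or removal. `@{lib_dirs} = /opt/QQ/` keeps a trailing slash while every use appends another (`@{lib_dirs}/resources/app/{,**} m`), which the other `@{lib_dirs}` definitions on this page avoid; `@{lib_dirs} = /opt/QQ` keeps the expanded paths single-slashed. The `xdg-open rix` inherit is already replaced by the follow-up patch in this series, so it is not re-raised.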
@@ -11,16 +11,12 @@ include @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = @{bin}/linuxqq -@{exec_path} += /opt/QQ/qq +@{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq profile linuxqq @{exec_path} flags=(attach_disconnected) { include - include - include - include - include - include include + include + include network netlink raw, network netlink dgram, @@ -29,17 +25,13 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { network inet6 dgram, network inet6 stream, - @{exec_path} mr, + @{exec_path} mrix, - @{sh_path} r, - @{bin}/find rix, - @{bin}/rm rix, - @{bin}/xdg-open rix, + @{sh_path} r, @{bin}/grep rix, - /opt/QQ/qq ix, - /opt/QQ/chrome_crashpad_handler ix, - + @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, + @{open_path} rPx -> child-open-strict, /etc/machine-id r, @@ -48,7 +40,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/cmdline r, /dev/tty rw, /dev/pts/@{int} rw, From feb482edd92b126cba06a12713ba9a5d9ec33ab2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Sep 2024 12:18:05 +0100 Subject: [PATCH 100/315] fix(profile): crontab editor issues with cronie fix #479 --- apparmor.d/groups/cron/crontab | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab index 2743173f8..1144b39c5 100644 --- a/apparmor.d/groups/cron/crontab +++ b/apparmor.d/groups/cron/crontab @@ -14,11 +14,15 @@ profile crontab @{exec_path} { include include + capability audit_write, + capability chown, capability dac_read_search, capability net_admin, capability setgid, capability setuid, + network netlink raw, + @{exec_path} mr, @{sh_path} rix, 
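Review bot: `capability audit_write,`, `capability chown,` and `network netlink raw,` are added to crontab without a comment saying which operation needs them, whereas the capability grants in the fdisk and sfdisk profiles on this page (before this series strips their comments) name the triggering call. Hedged one-liners such as `# audit_write + netlink raw: presumably PAM audit messages -- confirm` and `# chown: presumably cronie sets spool-file ownership -- confirm` let the next maintainer re-verify a setuid-root binary's capability set. The profile body continues outside the hunk.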
@@ -29,12 +33,12 @@ profile crontab @{exec_path} { /etc/pam.d/* r, /etc/security/*.conf r, - /var/spool/cron/ r, - /var/spool/cron/crontabs/ rw, - /var/spool/cron/user r, - owner /var/spool/cron/crontabs/* rw, + /var/spool/cron/ r, + /var/spool/cron/** rw, - owner @{tmp}/crontab.@{rand6}/{,crontab} rw, + owner @{user_cache_dirs}/crontab/crontab.bak rw, + + @{tmp}/crontab.@{rand6}/{,crontab} rwl, profile editor { include From aa6704bbac0cf3a1f9a728dfbe989245b1e99445 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Sep 2024 22:15:46 +0100 Subject: [PATCH 101/315] feat(profile): remove the unused freetube sandbox. --- .../profiles-a-f/freetube-chrome-sandbox | 35 ------------------- 1 file changed, 35 deletions(-) delete mode 100644 apparmor.d/profiles-a-f/freetube-chrome-sandbox diff --git a/apparmor.d/profiles-a-f/freetube-chrome-sandbox b/apparmor.d/profiles-a-f/freetube-chrome-sandbox deleted file mode 100644 index 5dc20400e..000000000 --- a/apparmor.d/profiles-a-f/freetube-chrome-sandbox +++ /dev/null @@ -1,35 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2019-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{name} = {F,f}reetube{,-vue} -@{lib_dirs} = @{lib}/@{name} /opt/@{name} - -@{exec_path} = @{lib_dirs}/chrome-sandbox -profile freetube-chrome-sandbox @{exec_path} { - include - include - - capability sys_admin, - capability setgid, - capability setuid, - capability sys_chroot, - - @{exec_path} mr, - - # Has to be lower "P" - @{lib_dirs}/@{name} rpx, - - @{PROC}/@{pids}/ r, - owner @{PROC}/@{pid}/oom_{,score_}adj r, - deny owner @{PROC}/@{pid}/oom_{,score_}adj w, - - include if exists -} - -# vim:syntax=apparmor From 18010b266d62ff52d1e45ebe6c959218772d63ac Mon Sep 17 00:00:00 2001 
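Review bot: `owner /var/spool/cron/crontabs/* rw` becomes `/var/spool/cron/** rw` and `owner @{tmp}/crontab.@{rand6}/{,crontab} rw` becomes `@{tmp}/crontab.@{rand6}/{,crontab} rwl`, so the `owner` qualifier is dropped on both and write access now spans the whole spool tree, for a setuid-root binary that also gains `capability chown` in the previous hunk. If the denial being fixed was only on the directory, or on files cronie creates as root before chowning, a narrower shape keeps the owner check on the per-user files: `/var/spool/cron/{,crontabs/} rw,` plus `owner /var/spool/cron/{,crontabs/}* rw,` (constructed; confirm against the logged denial). The new `l` permission has no `-> target`, so the link destination is bounded only by the subset rule; an explicit `link` rule would document what crontab actually links. The profile body continues outside the hunk.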
From: Alexandre Pujol Date: Thu, 12 Sep 2024 22:17:37 +0100 Subject: [PATCH 102/315] feat(profile): firefox: update dbus & move stacked profile outside of the abs. --- apparmor.d/abstractions/app/firefox | 6 +++--- apparmor.d/groups/browsers/firefox | 8 ++++++-- 2 files changed, 9 insertions(+), 5 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index f1443a936..b3e78105e 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -17,6 +17,7 @@ include include include + include include include include @@ -46,6 +47,8 @@ signal (send) set=(term, kill) peer=@{profile_name}-*, + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{sh_path} rix, @{bin}/basename rix, @{bin}/dirname rix, @@ -54,11 +57,9 @@ @{lib_dirs}/{,**} r, @{lib_dirs}/*.so mr, @{lib_dirs}/crashreporter rPx, - @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, @{lib_dirs}/minidump-analyzer rPx, @{lib_dirs}/pingsender rPx, @{lib_dirs}/plugin-container rPx, - @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, # Desktop integration @{bin}/lsb_release rPx -> lsb_release, @@ -157,7 +158,6 @@ # Silencer deny dbus send bus=system path=/org/freedesktop/hostname1, deny /tmp/MozillaUpdateLock-* w, - deny owner @{HOME}/ r, deny owner @{HOME}/.* r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, deny @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 6d50db9dc..75c3c0f86 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox 
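Review bot: `#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"` is placed inside an abstraction rather than a profile; the same directive form is used in a profile later in this series (nautilus), but whether the directive expander also processes abstraction files is not visible here. If it does not, this line stays a comment and no gvfs dbus rule is generated for firefox; worth confirming, or moving the directive into the profiles that include this abstraction. This hunk sits in the middle of the abstraction, which continues on both sides.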
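Review bot: Removing `deny owner @{HOME}/ r,` from the silencer block only changes behaviour if another rule in the abstraction or an including profile allows `@{HOME}/ r`; if none does, the access stays denied but is now logged, which is exactly what the silencer suppressed. The neighbouring `deny owner @{HOME}/.* r,` still blocks the dotfiles themselves, so a home-directory listing is the only thing that can become allowed, and a short comment on why that listing is now wanted (file chooser, presumably) would help the next reader. The silencer block continues outside the hunk.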
@@ -24,13 +24,17 @@ profile firefox @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{lib_dirs}/glxtest rPx -> firefox//&firefox-glxtest, + @{lib_dirs}/vaapitest rPx -> firefox//&firefox-vaapitest, + + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, @{lib}/mozilla/plugins/ r, - @{lib}/mozilla/plugins/libvlcplugin.so mr, + @{lib}/mozilla/plugins/*.so mr, # Desktop integration @{bin}/gnome-software rPx, - @{bin}/kreadconfig5 rix, + @{bin}/kreadconfig{,5} rPx, @{bin}/plasma-browser-integration-host rPx, @{bin}/update-mime-database rPx, @{lib}/gvfsd-metadata rPx, From 9e7c4c7ec8093757145febba71c1c63a642415f5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Sep 2024 22:18:30 +0100 Subject: [PATCH 103/315] feat(abs): mesa: update cache for desktop users. --- apparmor.d/abstractions/mesa.d/complete | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index 0e437190f..a8b9937bd 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -5,6 +5,7 @@ # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw, From ab7f45bc3126f6d6a472e4eea79a356de46806ad Mon Sep 17 00:00:00 2001 
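Review bot: The new `owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw,` grants the directory only; the sibling `mesa_shader_cache/@{hex2}/@{hex38} rw` rule below shows that files inside cache subdirectories get their own entry, and nothing in the hunk adds one for the contents of `part@{int}/`. If those files are not already covered by a rule outside this hunk, a matching file rule is needed, e.g. `owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/* rwk,` (the `k` is an assumption -- confirm whether the DB files are locked). The abstraction continues outside the hunk.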
From: Alexandre Pujol Date: Thu, 12 Sep 2024 22:26:47 +0100 Subject: [PATCH 104/315] feat(profile): general update. --- apparmor.d/groups/bus/dbus-session | 6 ++--- apparmor.d/groups/gnome/gnome-control-center | 3 +++ apparmor.d/groups/gnome/gnome-shell | 9 +++---- apparmor.d/groups/gnome/nautilus | 6 +---- apparmor.d/groups/kde/kreadconfig | 2 +- apparmor.d/groups/kde/kwalletmanager | 1 - apparmor.d/groups/kde/plasma-discover | 2 +- apparmor.d/groups/network/wg | 7 +++++ apparmor.d/groups/network/wg-quick | 4 ++- apparmor.d/groups/pacman/makepkg | 2 ++ apparmor.d/profiles-a-f/e2fsck | 1 + apparmor.d/profiles-a-f/fdisk | 6 +---- .../profiles-a-f/flatpak-session-helper | 12 +++++---- apparmor.d/profiles-a-f/fwupdmgr | 23 ++++++---------- apparmor.d/profiles-g-l/git | 7 ++--- apparmor.d/profiles-g-l/hypnotix | 26 +----------------- apparmor.d/profiles-g-l/linuxqq | 1 - apparmor.d/profiles-m-r/mpv | 27 +------------------ apparmor.d/profiles-m-r/partprobe | 1 + apparmor.d/profiles-m-r/resize2fs | 1 + apparmor.d/profiles-s-z/YACReader | 2 -- apparmor.d/profiles-s-z/sfdisk | 8 +----- apparmor.d/profiles-s-z/steam | 1 - apparmor.d/profiles-s-z/steam-runtime | 2 +- apparmor.d/profiles-s-z/thunderbird | 3 +-- apparmor.d/profiles-s-z/udisksd | 1 + 26 files changed, 53 insertions(+), 111 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index b06eaa510..fa6305055 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -4,7 +4,7 @@ # Profile for session dbus, regardless of the dbus implementation used. # It does not specify an attachment path as it would be the same than -# "dbus-system". It is intended to be used only via "Px ->" or via +# "dbus-system". It is intended to be used only via "Px ->" or via # systemd drop-in AppArmorProfile= setting. abi , 
@@ -24,9 +24,7 @@ profile dbus-session flags=(attach_disconnected) { unix (send receive) type=stream addr=none peer=(label=gnome-shell, addr=none), - signal (receive) set=(term hup) peer=gdm-session-worker, - signal (receive) set=(term hup) peer=gdm-session, - signal (receive) set=(term hup) peer=gdm, + signal (receive) set=(term hup) peer=gdm{,-*}, signal (send) set=(term hup kill) peer=dbus-accessibility, signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 7643844c5..1f3bb42d8 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -153,6 +153,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/temp* r, @{sys}/firmware/acpi/pm_profile r, + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw, @{PROC}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b6420b348..d4ce1c504 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -181,16 +181,14 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/glib-compile-schemas rPx, @{bin}/ibus-daemon rPx, @{bin}/Xwayland rPx, + @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/mutter-x11-frames rPx, #aa:exec polkit-agent-helper @{sh_path} rCx -> shell, @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, - - # nm-openvpn-auth-dialog - @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, - + @{user_share_dirs}/gnome-shell/extensions/*/** rPUx, /usr/share/gnome-shell/extensions/*/** rPUx, @@ -294,11 +292,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + owner /dev/shm/.org.chromium.Chromium.@{rand6} r, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, /tmp/.X@{int}-lock rw, /tmp/dbus-@{rand8} rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6} r, owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 66f9af691..f00b8d10f 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
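Review bot: The exec list this hunk reorganises (moving `@{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx` up) still ends with `@{user_share_dirs}/gnome-shell/extensions/*/** rPUx`, a user-writable path whose executables fall back to unconfined when no matching profile exists; that rule predates this commit, but since the list is being rewritten it is the natural place for `# User extensions: PUx runs unconfined when no profile matches -- accepted risk`, so the decision is recorded. The `/dev/shm/.org.chromium.Chromium.@{rand6}` change from `rw` to `r` in the second hunk is a tightening and looks right. Both hunks sit inside the gnome-shell profile, which starts and ends outside them.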
@@ -33,17 +33,13 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus.Properties member={GetAll,ListActivatableNames} peer=(name=org.freedesktop.DBus, label=dbus-session), - dbus send bus=session path=/org/gtk/Notifications - interface=org.gtk.Notifications - member=AddNotification - peer=(name=org.gtk.Notifications, label=gnome-shell), - dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine member=Print diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig index 33cf23a9b..4dbe69f9d 100644 --- a/apparmor.d/groups/kde/kreadconfig +++ b/apparmor.d/groups/kde/kreadconfig @@ -6,7 +6,7 @@ abi , include -@{exec_path} = @{bin}/kreadconfig5 +@{exec_path} = @{bin}/kreadconfig{,5} profile kreadconfig @{exec_path} { include include diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index b1ca562cc..e26d09f13 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -45,7 +45,6 @@ profile kwalletmanager @{exec_path} { @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/cmdline r, - /dev/shm/ r, /dev/shm/#@{int} rw, include if exists diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index 542110454..d35e8dcd8 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover @@ -29,7 +29,7 @@ profile plasma-discover @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/kreadconfig5 rPx, + @{bin}/kreadconfig{,5} rPx, @{bin}/gpg rCx -> gpg, @{bin}/gpgconf rCx -> gpg, 
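Review bot: The explicit `dbus send ... interface=org.gtk.Notifications member=AddNotification peer=(name=org.gtk.Notifications, label=gnome-shell)` rule is replaced by `#aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell`; a `talk` directive presumably expands to send and receive on every interface and member of that name, so the restriction to AddNotification is lost. If the generator has a narrower form, or the explicit rule can stay alongside the directive, that keeps the least-privilege shape; otherwise a comment noting the intentional widening would help. The profile continues outside the hunk.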
diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg index 783fa41fe..2ddaee94c 100644 --- a/apparmor.d/groups/network/wg +++ b/apparmor.d/groups/network/wg @@ -11,11 +11,18 @@ profile wg @{exec_path} { include capability net_admin, + capability net_bind_service, + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, network netlink raw, @{exec_path} mr, + /etc/wireguard/{,**} rw, + include if exists } diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index 1183a4a5b..89d89162a 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -10,6 +10,7 @@ include profile wg-quick @{exec_path} { include + capability dac_read_search, capability net_admin, network netlink raw, @@ -21,7 +22,8 @@ profile wg-quick @{exec_path} { @{bin}/ip rPx, @{bin}/nft rix, @{bin}/readlink rix, - @{bin}/resolvectl rPx, + @{bin}/resolvconf rPx, + @{bin}/resolvectl rPUx, @{bin}/sort rix, @{bin}/stat rix, @{bin}/sysctl rix, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 311135eae..5ac446817 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -48,6 +48,8 @@ profile makepkg @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + owner @{tmp}/.git_vtag_tmp@{rand6} rw, + owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/gnupg/ r, owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index 8ce1ed3c7..a02c8735e 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/e2fsck @{bin}/fsck.ext2 @{bin}/fsck.ext3 @{bin}/fsck.ext4 profile e2fsck @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index 815e3bc76..8e6ea58fa 100644 
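Review bot: `/etc/wireguard/{,**} rw,` gives the `wg` tool write access to the directory that holds the interface private keys, while the visible callers in this series (`wg-quick` execs it via `rPx`) only need it to read configuration; unless a write denial was observed, `/etc/wireguard/{,**} r,` is the least-privilege form. `capability net_bind_service,` is also added without a note on which operation needs it (presumably a listen port below 1024 -- confirm). The profile body is complete in the hunk.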
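Review bot: `@{bin}/resolvectl rPx` becomes `@{bin}/resolvectl rPUx`, so on a host without a resolvectl profile the tool now runs unconfined from wg-quick's root context instead of being denied, while the newly added `@{bin}/resolvconf rPx` keeps the strict form, leaving the two lines inconsistent. If the fallback is intended because the resolvectl profile is optional, record it with `# PUx: resolvectl profile may be absent on hosts without systemd-resolved`; otherwise keep `rPx`. The `capability dac_read_search,` added in the first wg-quick hunk has no comment either. The profile continues outside both hunks.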
--- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -10,14 +10,10 @@ include @{exec_path} = @{bin}/fdisk profile fdisk @{exec_path} { include + include include - # Needed to inform the system of newly created/removed partitions - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) capability sys_admin, - - # To remove the following errors: - # kernel: device-mapper: core: fdisk: sending ioctl 5331 to DM device without required privilege. capability sys_rawio, @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index d27d0c24a..54b95b8e3 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -10,14 +10,14 @@ include profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { include include + include include include include - include - signal (send) set=(hup int) peer=user_unconfined, - signal (send) set=(int) peer=@{p_systemd}, - signal (send) set=(int) peer=flatpak-app, + signal send set=(hup int) peer=user_unconfined, + signal send set=(int) peer=@{p_systemd}, + signal send set=(int) peer=flatpak-app, #aa:dbus own bus=session name=org.freedesktop.Flatpak @@ -27,11 +27,13 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { @{bin}/dbus-monitor rPUx, @{bin}/env rix, @{bin}/flatpak rPx, - @{bin}/test rix, @{bin}/getent rix, @{bin}/p11-kit rix, @{bin}/pkexec rPx, # TODO: too wide, rCx. + @{bin}/printenv rix, @{bin}/ps rPx, + @{bin}/test rix, + @{bin}/touch rix, @{lib}/p11-kit/p11-kit-remote rix, @{lib}/p11-kit/p11-kit-server rix, /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app, diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 6064c0ff1..8f6885b46 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr 
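Review bot: The comments explaining why `capability sys_admin,` (the BLKRRPART ioctl) and `capability sys_rawio,` (the device-mapper ioctl the kernel logs) are needed are deleted while the grants stay, and the same happens to the BLKRRPART comment in the sfdisk hunk later in this series; the new `include` line presumably brings a shared abstraction, but capability rules that remain in the profile lose their justification. Keep a one-liner per grant, e.g. `# BLKRRPART: re-read the partition table` and `# device-mapper ioctls are refused without sys_rawio`. The profile continues outside the hunk.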
@@ -8,17 +8,18 @@ abi , include @{exec_path} = @{bin}/fwupdmgr -profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { +profile fwupdmgr @{exec_path} flags=(attach_disconnected) { include include include include + include include include capability sys_nice, - signal (send), + signal send, network inet stream, network inet6 stream, @@ -30,19 +31,16 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { @{exec_path} mr, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/pkttyagent rPx, - - /usr/share/glib-2.0/schemas/gschemas.compiled r, + @{bin}/dbus-launch Cx -> bus, + @{bin}/pkttyagent Px, /etc/machine-id r, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw, owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw, - /var/lib/flatpak/exports/share/mime/mime.cache r, - owner @{user_cache_dirs}/ rw, @{user_cache_dirs}/dconf/user rw, + owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/fwupd/ rw, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, @@ -53,14 +51,9 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { /dev/i2c-@{int} rw, /dev/tty rw, - profile dbus { + profile bus flags=(attach_disconnected) { include - include - - @{bin}/dbus-launch mr, - - owner @{HOME}/.Xauthority r, - + include include if exists } diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git index 30ce7e1e8..032da7124 100644 --- a/apparmor.d/profiles-g-l/git +++ b/apparmor.d/profiles-g-l/git @@ -66,9 +66,9 @@ profile git @{exec_path} flags=(attach_disconnected) { @{bin}/man rPx, @{bin}/meld rPUx, - @{lib}/code/extensions/git/dist/askpass.sh rPx, - @{lib}/code/extensions/git/dist/git-editor.sh rPx, - /usr/share/aurpublish/*.hook rPx, + @{lib}/code/extensions/git/dist/askpass.sh rPx, + @{lib}/code/extensions/git/dist/git-editor.sh rPx, + /usr/share/aurpublish/*.hook rPx, @{bin}/gpg{,2} rCx -> gpg, @{bin}/ssh rCx -> ssh, 
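Review bot: `signal send,` is rewritten from `signal (send),` but still has no `peer=`, so fwupdmgr may signal any process label; the only exec targets visible in the hunk are `pkttyagent Px` and the bus child, so `signal send peer=pkttyagent,` (plus the child if it needs one) is likely sufficient -- confirm against logs before narrowing. The same hunks drop `complain` from the profile flags and remove `/usr/share/glib-2.0/schemas/gschemas.compiled r` and `/var/lib/flatpak/exports/share/mime/mime.cache r`; if the new include does not cover them they become hard denials now that the profile enforces. The profile continues outside the hunks.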
@@ -98,6 +98,7 @@ profile git @{exec_path} flags=(attach_disconnected) { deny owner @{code_config_dirs}/** rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/vulkan/** r, deny owner @{user_share_dirs}/zed/**/data.mdb rw, deny /usr/share/nvidia/nvidia-application-profiles-* r, deny /dev/shm/.org.chromium.Chromium.@{rand6} rw, diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix index 3a9a6131d..0a54528be 100644 --- a/apparmor.d/profiles-g-l/hypnotix +++ b/apparmor.d/profiles-g-l/hypnotix @@ -37,8 +37,7 @@ profile hypnotix @{exec_path} { @{bin}/ldconfig rix, @{bin}/mkdir rix, - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver rPx, @{bin}/youtube-dl rPUx, @{bin}/yt-dlp rPUx, @{lib}/firefox/firefox rPx, @@ -63,29 +62,6 @@ profile hypnotix @{exec_path} { # Silencer deny @{lib}/hypnotix/** w, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - } - include if exists } diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 6961d8cc7..dcccd68c8 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -27,7 +27,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{sh_path} r, @{bin}/grep rix, @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index 88a5078aa..da5e4715c 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv 
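Review bot: The inline `xdg-screensaver` child is deleted and the exec becomes `@{bin}/xdg-screensaver rPx`, so behaviour now depends on a standalone xdg-screensaver profile that is not part of this series; if it is absent the exec is denied rather than falling through, and whether it grants what the child did (xset, xautolock, dbus-send) cannot be checked here. The mpv hunk later in this series makes the same change but writes `@{bin}/xdg-screensaver Px` without the `r`, so the two files differ in style for the same rule; make the lines identical and add a comment naming the external profile. The profile continues outside the hunk.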
@@ -32,8 +32,7 @@ profile mpv @{exec_path} { @{exec_path} mr, - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver Px, @{bin}/youtube-dl rPx, @{bin}/yt-dlp rPx, @@ -81,30 +80,6 @@ profile mpv @{exec_path} { /dev/input/event@{int} r, owner /dev/tty@{int} rw, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - @{bin}/xscreensaver-command rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - } - include if exists } diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 9e384c66c..0d0d82388 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/partprobe profile partprobe @{exec_path} { include + include include capability sys_admin, diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 114846812..698ec99fd 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/resize2fs profile resize2fs @{exec_path} { include + include include include diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader index ccbbb2494..3038df49a 100644 --- a/apparmor.d/profiles-s-z/YACReader +++ b/apparmor.d/profiles-s-z/YACReader @@ -37,8 +37,6 @@ profile YACReader @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_share_dirs}/YACReader/YACReader/ rw, owner @{user_share_dirs}/YACReader/YACReader/** rwlk, - /dev/shm/ r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk index 5b75a27ef..c82aff776 100644 
--- a/apparmor.d/profiles-s-z/sfdisk +++ b/apparmor.d/profiles-s-z/sfdisk @@ -10,15 +10,9 @@ include @{exec_path} = @{bin}/sfdisk profile sfdisk @{exec_path} { include + include include - # Needed to avoid the following error: - # ioctl(3, BLKRRPART) = -1 EACCES (Permission denied) - # - # Checking that no-one is using this disk right now ... FAILED - # This disk is currently in use - repartitioning is probably a bad idea. - # Umount all file systems, and swapoff all swap partitions on this disk. - # Use the --no-reread flag to suppress this check. capability sys_admin, @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 0828786d5..447ef9f16 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -327,7 +327,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, - /dev/shm/ r, owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime index add024de7..e0c6b146d 100644 --- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime 
@@ -42,7 +42,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-platform rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton, @{app_dirs}/@{runtime}/run rix, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index d6553d990..3d580afe9 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -158,8 +158,7 @@ profile thunderbird @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 - /dev/shm/ r, - owner /dev/shm/org.chromium.* rw, + owner /dev/shm/org.chromium.@{rand6} rw, owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 76be97683..6f74c826e 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -119,6 +119,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/bus/pci/slots/ r, @{sys}/bus/pci/slots/@{int}/address r, + @{sys}/bus/scsi/devices/ r, @{sys}/class/ r, @{sys}/class/nvme-subsystem/ r, @{sys}/class/nvme/ r, From 7e63564c56e44c2b32d6cdcefbba31a5b3038e81 Mon Sep 17 00:00:00 2001 
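Review bot: Widening `…/@{multiarch}-detect-platform rix` to `…/@{multiarch}-detect-* rix` lets any binary with that prefix in the steam-runtime-tools directory run with the profile's own permissions, and the hunk does not record which extra binary motivated it (presumably the sibling detect tool, `detect-lib` — to confirm against the audit log). Every neighbouring rule in this block names its tool explicitly, so a brace alternation keeps the rule as tight as its neighbours: `@{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-{platform,lib} rix,`, or at least a comment naming the intended set. The enclosing steam-runtime profile continues outside the hunk.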
From: Alexandre Pujol Date: Thu, 12 Sep 2024 22:29:22 +0100 Subject: [PATCH 105/315] feat(profile): add speech-dispatcher. --- apparmor.d/profiles-s-z/speech-dispatcher | 34 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 35 insertions(+) create mode 100644 apparmor.d/profiles-s-z/speech-dispatcher diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher new file mode 100644 index 000000000..7a597ed5d --- /dev/null +++ b/apparmor.d/profiles-s-z/speech-dispatcher @@ -0,0 +1,34 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/speech-dispatcher +profile speech-dispatcher @{exec_path} { + include + include + include + include + + network inet stream, + network inet6 stream, + + @{exec_path} mr, + + @{sh_path} ix, + @{lib}/speech-dispatcher/** r, + @{lib}/speech-dispatcher/speech-dispatcher-modules/* ix, + + /etc/machine-id r, + /etc/speech-dispatcher/{,**} r, + + owner @{run}/user/@{uid}/speech-dispatcher/ rw, + owner @{run}/user/@{uid}/speech-dispatcher/** rwk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 401681743..88cb2d176 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -316,6 +316,7 @@ snapd complain snapd-apparmor complain snapd-core-fixup complain snapshot complain +speech-dispatcher complain ssservice complain startplasma complain startx attach_disconnected,complain From ecf4eaee14674bf49bd6063722056eb6b6d94f28 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Sep 2024 22:29:59 +0100 Subject: [PATCH 106/315] feat(profile): add superproductivity. --- apparmor.d/profiles-s-z/superproductivity | 37 +++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 38 insertions(+) create mode 100644 apparmor.d/profiles-s-z/superproductivity 
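Review bot: In the new speech-dispatcher profile, `@{lib}/speech-dispatcher/speech-dispatcher-modules/* ix` runs every output module with the daemon's full rule set, including `@{sh_path} ix` and the unrestricted `network inet stream`/`network inet6 stream`, so a module that shells out to an external synthesizer inherits network access it may not need; if the modules turn out to need only their libraries and the `@{run}/user/@{uid}/speech-dispatcher/` socket dir, a `Cx -> speech-dispatcher-modules` child profile would keep the network rules on the daemon alone. The two inet rules also carry no comment saying what the daemon connects to or listens on over TCP — presumably its optional inet-socket communication mode, to confirm — and a note such as `# TCP only when the inet socket communication method is configured` would record that. The profile is registered in complain mode in main.flags, so this is the moment to capture the intended scope before it is enforced.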
diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity new file mode 100644 index 000000000..f8295f311 --- /dev/null +++ b/apparmor.d/profiles-s-z/superproductivity @@ -0,0 +1,37 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = super{p,P}roductivity +@{lib_dirs} = /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} +profile superproductivity @{exec_path} flags=(attach_disconnected) { + include + include + include + include + + network inet stream, + network inet6 stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mrix, + + @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open-strict, + + @{run}/systemd/inhibit/@{int}.ref rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 88cb2d176..f2091d4f5 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -331,6 +331,7 @@ steam-runtime attach_disconnected,complain steamerrorreporter attach_disconnected,complain strawberry attach_disconnected,mediate_deleted,complain sulogin complain +superproductivity attach_disconnected,complain switcherooctl complain swtpm complain swtpm_ioctl complain From 7b4db8fd41812f951379d6773910986b527228ba Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 12 Sep 2024 22:54:20 +0100 Subject: [PATCH 107/315] feat(profile): add torbrowser The same profiles are now used for torbrowser whether or not it is running on whonix. --- .../groups/{whonix => browsers}/torbrowser | 17 +++- .../{whonix => browsers}/torbrowser-glxtest | 12 +-- .../groups/browsers/torbrowser-launcher | 93 +++++++++++++++++++ .../torbrowser-plugin-container | 4 +- apparmor.d/groups/browsers/torbrowser-start | 54 +++++++++++ apparmor.d/groups/browsers/torbrowser-tor | 51 ++++++++++ .../{whonix => browsers}/torbrowser-updater | 6 +- .../{whonix => browsers}/torbrowser-vaapitest | 12 +-- apparmor.d/groups/whonix/torbrowser-start | 51 ---------- apparmor.d/groups/whonix/torbrowser-wrapper | 34 +++---- 10 files changed, 241 insertions(+), 93 deletions(-) rename apparmor.d/groups/{whonix => browsers}/torbrowser (76%) rename apparmor.d/groups/{whonix => browsers}/torbrowser-glxtest (69%) create mode 100644 apparmor.d/groups/browsers/torbrowser-launcher rename apparmor.d/groups/{whonix => browsers}/torbrowser-plugin-container (79%) create mode 100644 apparmor.d/groups/browsers/torbrowser-start create mode 100644 apparmor.d/groups/browsers/torbrowser-tor rename apparmor.d/groups/{whonix => browsers}/torbrowser-updater (77%) rename apparmor.d/groups/{whonix => browsers}/torbrowser-vaapitest (63%) delete mode 100644 apparmor.d/groups/whonix/torbrowser-start diff --git a/apparmor.d/groups/whonix/torbrowser b/apparmor.d/groups/browsers/torbrowser similarity index 76% rename from apparmor.d/groups/whonix/torbrowser rename to apparmor.d/groups/browsers/torbrowser index 0ec13ed51..6b9b6dbab 100644 --- a/apparmor.d/groups/whonix/torbrowser +++ b/apparmor.d/groups/browsers/torbrowser 
@@ -7,9 +7,9 @@ abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/firefox{,.real} @@ -19,8 +19,14 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, - @{lib_dirs}/abicheck rix, - @{lib_dirs}/updater rPx, + @{lib_dirs}/abicheck ix, + @{lib_dirs}/glxtest Px -> torbrowser//&torbrowser-glxtest, + @{lib_dirs}/updater Px, + @{lib_dirs}/vaapitest Px -> torbrowser//&torbrowser-vaapitest, + + #aa:exclude whonix + @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** Px -> torbrowser-tor, + @{lib_dirs}/TorBrowser/Tor/tor Px -> torbrowser-tor, /usr/share/homepage/{,**} r, @@ -37,10 +43,10 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { # Due to the nature of the browser, we silence much more than for Firefox. deny network inet dgram, # TOR does not work over UDP deny network inet6 dgram, + deny network inet6 stream, # TOR does not work over IPv6 deny dbus (send receive) bus=session path=/ca/desrt/dconf/Writer/user, deny @{bin}/lsb_release x, deny @{lib_dirs}/crashreporter x, - deny @{lib_dirs}/glxtest x, deny @{lib_dirs}/minidump-analyzer x, deny @{lib_dirs}/pingsender x, deny /usr/share/dconf/** r, @@ -56,6 +62,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { deny /etc/passwd r, deny /etc/resolv.conf r, deny /var/lib/dbus/machine-id r, + deny owner @{HOME}/ r, deny owner @{user_config_dirs}/dconf/user r, deny owner @{user_config_dirs}/gtk-*/{,**} rw, deny owner @{run}/user/@{uid}/dconf/ rw, 
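Review bot: In the second torbrowser hunk the new `deny network inet6 stream, # TOR does not work over IPv6` justifies the rule with a statement about Tor that is not accurate in general — Tor can reach IPv6 relays and bridges — whereas the reason the deny is safe for this profile is that the browser process only ever talks to the local tor SOCKS port, and IPv6 policy belongs to the tor daemon, which this same series confines separately as torbrowser-tor (`@{lib_dirs}/TorBrowser/Tor/tor Px -> torbrowser-tor` in the first hunk). Suggested wording: `deny network inet6 stream, # browser traffic only reaches tor's local SOCKS port; IPv6 is decided in torbrowser-tor`. Note also that `@{lib_dirs}` now includes a path under `@{user_share_dirs}` while `@{exec_path} mrix` and `@{lib_dirs}/abicheck ix` remain, so the profile executes user-writable binaries under its own confinement; that is inherent to a self-updating browser in the home directory, but worth a comment on the variable. The surrounding torbrowser profile continues outside these hunks.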
diff --git a/apparmor.d/groups/whonix/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest similarity index 69% rename from apparmor.d/groups/whonix/torbrowser-glxtest rename to apparmor.d/groups/browsers/torbrowser-glxtest index cbc009db1..54e1d5ad0 100644 --- a/apparmor.d/groups/whonix/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest @@ -7,13 +7,13 @@ abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/glxtest -profile torbrowser-glxtest @{exec_path} { +profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include @@ -21,12 +21,10 @@ profile torbrowser-glxtest @{exec_path} { @{exec_path} mr, - owner @{config_dirs}/.parentlock rw, - - owner @{tmp}/@{name}/.parentlock rw, - owner @{PROC}/@{pid}/cmdline r, + deny @{config_dirs}/.parentlock rw, + include if exists } diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher new file mode 100644 index 000000000..2d52cd2b4 --- /dev/null +++ b/apparmor.d/groups/browsers/torbrowser-launcher 
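Review bot: `flags=(attach_disconnected)` is added to the torbrowser-glxtest profile header (and to torbrowser-vaapitest in its hunk further down) without a comment naming the disconnected path that required it; the flag relaxes path mediation for files whose path no longer resolves under the process's namespace root, so readers auditing the profile later cannot tell whether it was observed in a denial or copied from the parent torbrowser profile. A short note on the header line, `profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { # attach_disconnected: <path from audit log>`, with the placeholder filled from the log, would settle that. Replacing the two `owner … .parentlock rw` grants with `deny @{config_dirs}/.parentlock rw,` is a good tightening and needs no change.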
@@ -0,0 +1,93 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ + +@{exec_path} = @{bin}/torbrowser-launcher +profile torbrowser-launcher @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + + network netlink raw, + + @{exec_path} mrix, + + @{sh_path} rix, + @{bin}/file ix, + @{bin}/gpg{,2} Cx -> gpg, + @{bin}/gpgconf Cx -> gpg, + @{bin}/gpgsm Cx -> gpg, + @{bin}/grep ix, + @{bin}/sed ix, + @{bin}/tail ix, + + @{lib_dirs}/execdesktop ix, + @{lib_dirs}/start-tor-browser Px, # torbrowser-start + @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop ix, + + /usr/share/file/** r, + /usr/share/torbrowser-launcher/{,**} r, + + owner @{user_cache_dirs}/torbrowser/{,**/} rw, + owner @{user_cache_dirs}/torbrowser/download/** rw, + owner @{user_cache_dirs}/torbrowser/torbrowser.gpg rw, + + owner @{user_config_dirs}/torbrowser/{,**/} rw, + owner @{user_config_dirs}/torbrowser/settings.json rw, + + owner @{user_share_dirs}/torbrowser/{,**} rw, + + owner @{PROC}/@{pid}/cmdline r, + + /dev/tty rw, + + profile gpg { + include + + @{bin}/gpg{,2} mr, + @{bin}/gpgconf mr, + @{bin}/gpgsm mr, + + @{bin}/gpg-agent ix, + @{lib}/{,gnupg/}scdaemon ix, + + owner @{HOME}/ r, + owner @{HOME}/@{XDG_GPG_DIR}/ r, + owner @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + owner @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + + owner @{user_share_dirs}/torbrowser/ r, + owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw, + owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ r, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + 
owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/torbrowser-plugin-container b/apparmor.d/groups/browsers/torbrowser-plugin-container similarity index 79% rename from apparmor.d/groups/whonix/torbrowser-plugin-container rename to apparmor.d/groups/browsers/torbrowser-plugin-container index 9fcb1bd3d..fa31652c5 100644 --- a/apparmor.d/groups/whonix/torbrowser-plugin-container +++ b/apparmor.d/groups/browsers/torbrowser-plugin-container @@ -8,9 +8,9 @@ abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/plugin-container diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start new file mode 100644 index 000000000..8292f613a --- /dev/null +++ b/apparmor.d/groups/browsers/torbrowser-start 
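Review bot: In the new torbrowser-launcher profile, the `gpg` child rule `owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**` lets the confined gpg create hard links inside the launcher's private GnuPG home that point at files in the user's real `@{XDG_GPG_DIR}`; once such a link exists, the `rw` on `gnupg_homedir/**` applies to it, so as I read the rule it extends read/write reach to the user's personal keyrings even though the profile otherwise only grants `r` on `gpg.conf` and `gpgsm.conf` there. Unless an audit log shows gpg actually linking across those directories, drop the link target: `owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwk,`. The launcher presumably only verifies the downloaded bundle against the keyring it keeps in `gnupg_homedir` (the `torbrowser.gpg` rule suggests so — to confirm), which does not need the user's own keys. This hunk begins on the previous line.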
@@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ + +@{exec_path} = @{lib_dirs}/start-tor-browser +profile torbrowser-start @{exec_path} { + include + include + + @{exec_path} rm, + + @{sh_path} rix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/env r, + @{bin}/expr ix, + @{bin}/file ix, + @{bin}/getconf ix, + @{bin}/grep ix, + @{bin}/id ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/srm ix, + + @{lib_dirs}/abicheck ix, + @{lib_dirs}/firefox{,.real} Px -> torbrowser, + + /usr/share/file/** r, + + /etc/magic r, + + owner @{lib_dirs}/.config/ibus/{,**} rw, + owner @{lib_dirs}/.local/* rw, + owner @{lib_dirs}/sed@{rand6} rw, + owner @{lib_dirs}/TorBrowser/Tor/tor r, + + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw, + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw, + + owner @{HOME}/.xsession-errors rw, + owner @{HOME}/.tb/tor-browser/* rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/torbrowser-tor b/apparmor.d/groups/browsers/torbrowser-tor new file mode 100644 index 000000000..7eaa85c5c --- /dev/null +++ b/apparmor.d/groups/browsers/torbrowser-tor 
@@ -0,0 +1,51 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ +@{data_dirs} = @{lib_dirs}/TorBrowser/Data/ + +@{exec_path} = @{lib_dirs}/TorBrowser/Tor/tor +profile torbrowser-tor @{exec_path} { + include + include + include + + network inet stream, + network netlink raw, + + @{exec_path} mr, + + @{lib_dirs}/{,**} r, + @{lib_dirs}/TorBrowser/Tor/*.so* m, + @{lib_dirs}/TorBrowser/Tor/PluggableTransports/** mix, + + owner @{data_dirs}/Tor/ rw, + owner @{data_dirs}/Tor/** rw, + owner @{data_dirs}/Tor/lock rwk, + + /tmp/onionshare/** rw, # OnionShare compatibility + + @{PROC}/sys/kernel/random/uuid r, + @{PROC}/sys/net/core/somaxconn r, + + deny /etc/group r, + deny /etc/host.conf r, + deny /etc/hosts r, + deny /etc/machine-id r, + deny /etc/mailcap r, + deny /etc/nsswitch.conf r, + deny /etc/os-release r, + deny /etc/passwd r, + deny /etc/resolv.conf r, + deny /etc/services r, + deny /var/lib/dbus/machine-id r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/torbrowser-updater b/apparmor.d/groups/browsers/torbrowser-updater similarity index 77% rename from apparmor.d/groups/whonix/torbrowser-updater rename to apparmor.d/groups/browsers/torbrowser-updater index 4f0e16823..3bc8e591d 100644 --- a/apparmor.d/groups/whonix/torbrowser-updater +++ b/apparmor.d/groups/browsers/torbrowser-updater @@ -6,7 +6,7 @@ abi , include -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{exec_path} = @{lib_dirs}/updater profile torbrowser-updater @{exec_path} { 
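Review bot: In the new torbrowser-tor profile, `/tmp/onionshare/** rw, # OnionShare compatibility` is the only path rule that is neither `owner`-scoped nor written with the `@{tmp}` tunable that the rest of this series uses (`owner @{tmp}/#@{int} rw` in torbrowser-updater, `owner @{tmp}/@{int} rw` in tomb); as written, tor may read and write any other user's onionshare directory on a shared /tmp. `owner @{tmp}/onionshare/** rw, # OnionShare compatibility` keeps the intent and matches the repo convention, assuming `@{tmp}` covers the path OnionShare actually uses. Separately, the profile grants only `network inet stream` while pluggable transports run under it via `@{lib_dirs}/TorBrowser/Tor/PluggableTransports/** mix`; transports that use WebRTC (snowflake) presumably need `network inet dgram`, and IPv6 bridges need `inet6 stream`, so if that limitation is deliberate a comment on the network rules should say so, otherwise expect denials in the audit log.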
@@ -16,14 +16,12 @@ profile torbrowser-updater @{exec_path} { @{exec_path} mr, @{lib_dirs}/*.so mr, - @{lib_dirs}/firefox{,.real} rPx, + @{lib_dirs}/firefox{,.real} Px, owner @{lib_dirs}/{,**} rw, owner @{tmp}/#@{int} rw, - deny owner @{lib_dirs}/Downloads/** rw, - include if exists } diff --git a/apparmor.d/groups/whonix/torbrowser-vaapitest b/apparmor.d/groups/browsers/torbrowser-vaapitest similarity index 63% rename from apparmor.d/groups/whonix/torbrowser-vaapitest rename to apparmor.d/groups/browsers/torbrowser-vaapitest index d29d1265a..7570d6ce4 100644 --- a/apparmor.d/groups/whonix/torbrowser-vaapitest +++ b/apparmor.d/groups/browsers/torbrowser-vaapitest @@ -7,13 +7,13 @@ abi , include @{name} = torbrowser "tor browser" -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ +@{lib_dirs} = @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/ @{HOME}/.tb/tor-browser/Browser/ @{data_dirs} = @{lib_dirs}/TorBrowser/Data/ -@{config_dirs} = @{data_dirs}/Browser/*.default/ +@{config_dirs} = @{data_dirs}/Browser/profile.default/ @{cache_dirs} = @{data_dirs}/Browser/Caches @{exec_path} = @{lib_dirs}/vaapitest -profile torbrowser-vaapitest @{exec_path} { +profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) { include include @@ -21,11 +21,9 @@ profile torbrowser-vaapitest @{exec_path} { @{exec_path} mr, - owner @{tmp}/@{name}/.parentlock rw, - + deny @{lib_dirs}/{,browser/}omni.ja r, + deny @{cache_dirs}/profile.default/startupCache/* r, deny @{config_dirs}/.parentlock rw, - deny @{config_dirs}/startupCache/** r, - deny @{user_cache_dirs}/startupCache/* r, include if exists } diff --git a/apparmor.d/groups/whonix/torbrowser-start b/apparmor.d/groups/whonix/torbrowser-start deleted file mode 100644 index 266f8e349..000000000 --- a/apparmor.d/groups/whonix/torbrowser-start +++ /dev/null 
@@ -1,51 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ - -@{exec_path} = @{lib_dirs}/start-tor-browser -profile torbrowser-start @{exec_path} { - include - include - - @{exec_path} rm, - - @{sh_path} rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/env r, - @{bin}/expr rix, - @{bin}/file rix, - @{bin}/getconf rix, - @{bin}/grep rix, - @{bin}/id rix, - @{bin}/ln rix, - @{bin}/mkdir rix, - @{bin}/rm rix, - @{bin}/sed rix, - @{bin}/sh rix, - @{bin}/srm rix, - @{lib_dirs}/abicheck rix, - - @{lib_dirs}/firefox{,.real} rPx, - - /etc/magic r, - - owner @{lib_dirs}/.config/ibus/{,**} rw, - owner @{lib_dirs}/.local/* rw, - owner @{lib_dirs}/sed@{rand6} rw, - owner @{lib_dirs}/start-tor-browser.desktop rw, - owner @{lib_dirs}/TorBrowser/Tor/tor r, - - owner @{HOME}/.xsession-errors rw, - owner @{HOME}/.tb/tor-browser/* rw, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper index 5ae554b40..a659d00f0 100644 --- a/apparmor.d/groups/whonix/torbrowser-wrapper +++ b/apparmor.d/groups/whonix/torbrowser-wrapper 
@@ -17,24 +17,24 @@ profile torbrowser-wrapper @{exec_path} { @{exec_path} rm, @{sh_path} rix, - @{bin}/basename rix, - @{bin}/cp rix, - @{bin}/dirname rix, - @{bin}/grep rix, - @{bin}/id rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/mount rix, - @{bin}/str_replace rix, - @{bin}/sudo rCx -> sudo, - @{bin}/systemctl rCx -> systemctl, - @{bin}/touch rix, - @{bin}/tty rix, - @{bin}/whoami rix, + @{bin}/basename ix, + @{bin}/cp ix, + @{bin}/dirname ix, + @{bin}/grep ix, + @{bin}/id ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mount ix, + @{bin}/str_replace ix, + @{bin}/sudo Cx -> sudo, + @{bin}/systemctl Cx -> systemctl, + @{bin}/touch ix, + @{bin}/tty ix, + @{bin}/whoami ix, - @{lib_dirs}/start-tor-browser rPx, - @{lib}/msgcollector/msgcollector rPx, - @{lib}/open-link-confirmation/open-link-confirmation rPx, + @{lib_dirs}/start-tor-browser Px, # torbrowser-start + @{lib}/msgcollector/msgcollector Px, + @{lib}/open-link-confirmation/open-link-confirmation Px, @{lib}/helper-scripts/* r, From ce51195ff435eaa87e34fcd43cd06a0c07c063de Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Sep 2024 22:56:57 +0100 Subject: [PATCH 108/315] feat(profile): add homebank. --- apparmor.d/profiles-g-l/homebank | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) create mode 100644 apparmor.d/profiles-g-l/homebank diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank new file mode 100644 index 000000000..4c0b0316a --- /dev/null +++ b/apparmor.d/profiles-g-l/homebank @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/homebank +profile homebank @{exec_path} { + include + include + include + + @{exec_path} mr, + + /usr/share/homebank/{,**} r, + + owner @{user_config_dirs}/homebank/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor 
From 366d5f01c0ade4779a36c179eec08bf0675c419d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 12 Sep 2024 23:17:54 +0100 Subject: [PATCH 109/315] feat(profile): add session-desktop. --- apparmor.d/profiles-s-z/session-desktop | 47 +++++++++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 apparmor.d/profiles-s-z/session-desktop diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop new file mode 100644 index 000000000..72c704741 --- /dev/null +++ b/apparmor.d/profiles-s-z/session-desktop @@ -0,0 +1,47 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = {S,s}ession +@{lib_dirs} = /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/session-messenger-desktop @{lib_dirs}/session-desktop +profile session-desktop @{exec_path} { + include + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mrix, + + @{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr, + + @{open_path} rPx -> child-open-strict, + + deny / r, + deny @{HOME}/ r, + deny @{HOME}/.pki/{,**} rw, + deny @{user_share_dirs}/gvfs-metadata/* r, + deny @{user_cache_dirs}/thumbnails/** rw, + deny /etc/machine-id r, + deny /var/lib/dbus/machine-id r, + + include if exists +} + +# vim:syntax=apparmor From fadf1f886d7fe8926596b4d905e675daef25463d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 13 Sep 2024 00:02:44 +0100 Subject: [PATCH 110/315] chore: kbuildsycoca5 -> kbuildsycoca --- apparmor.d/groups/kde/{kbuildsycoca5 => kbuildsycoca} | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) rename apparmor.d/groups/kde/{kbuildsycoca5 => kbuildsycoca} (78%) 
diff --git a/apparmor.d/groups/kde/kbuildsycoca5 b/apparmor.d/groups/kde/kbuildsycoca similarity index 78% rename from apparmor.d/groups/kde/kbuildsycoca5 rename to apparmor.d/groups/kde/kbuildsycoca index 8d9fa0bca..005458b08 100644 --- a/apparmor.d/groups/kde/kbuildsycoca5 +++ b/apparmor.d/groups/kde/kbuildsycoca @@ -7,8 +7,8 @@ abi , include -@{exec_path} = @{bin}/kbuildsycoca5 -profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) { +@{exec_path} = @{bin}/kbuildsycoca{,5} +profile kbuildsycoca @{exec_path} flags=(attach_disconnected) { include include include @@ -20,7 +20,7 @@ profile kbuildsycoca5 @{exec_path} flags=(attach_disconnected) { /dev/tty r, - include if exists + include if exists } # vim:syntax=apparmor From 07928318d4c487b98c98b30866bd63c398e359dc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 13 Sep 2024 00:06:46 +0100 Subject: [PATCH 111/315] feat(profile): add tomb. --- apparmor.d/profiles-s-z/tomb | 132 +++++++++++++++++++++++++++++++++++ 1 file changed, 132 insertions(+) create mode 100644 apparmor.d/profiles-s-z/tomb diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb new file mode 100644 index 000000000..44a34595e --- /dev/null +++ b/apparmor.d/profiles-s-z/tomb 
@@ -0,0 +1,132 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/tomb +profile tomb @{exec_path} { + include + include + include + include + include + include + + capability chown, + capability fowner, + capability sys_ptrace, + capability sys_rawio, + + signal send set=cont peer=gpg, + + ptrace read peer=@{p_systemd_user}, + + @{exec_path} mr, + + @{bin}/{,e,f}grep rix, + @{bin}/awk rix, + @{bin}/basename rix, + @{bin}/cat rix, + @{bin}/chmod rix, + @{bin}/chown rix, + @{bin}/cp rix, + @{bin}/date rix, + @{bin}/dcfldd rix, + @{bin}/dd rix, + @{bin}/df rix, + @{bin}/dirname rix, + @{bin}/env rix, + @{bin}/file rix, + @{bin}/findmnt rix, + @{bin}/gawk rix, + @{bin}/getent rix, + @{bin}/gettext rix, + @{bin}/hostname rix, + @{bin}/id rix, + @{bin}/kill rix, + @{bin}/locate rix, + @{bin}/losetup rix, + @{bin}/ls rix, + @{bin}/lsof rix, + @{bin}/mkdir rix, + @{bin}/mktemp rix, + @{bin}/realpath rix, + @{bin}/recoll rix, + @{bin}/rm rix, + @{bin}/rmdir rix, + @{bin}/sha*sum rix, + @{bin}/shred rix, + @{bin}/sleep rix, + @{bin}/stat rix, + @{bin}/sudo rix, + @{bin}/touch rix, + @{bin}/tr rix, + @{bin}/zsh rix, + + @{bin}/btrfs rPx, + @{bin}/cryptsetup rPUx, + @{bin}/e2fsc rPUx, + @{bin}/fsck rPx, + @{bin}/gpg{,2} rPx, + @{bin}/lsblk rPx, + @{bin}/mkfs.* rPUx, + @{bin}/mount rPx, + @{bin}/pinentry rPx, + @{bin}/pinentry-* rPx, + @{bin}/qrencode rPx, + @{bin}/resize2fs rPx, + @{bin}/tomb-kdb-pbkdf2 rPUx, + @{bin}/tune2fs rPx, + @{bin}/umount rCx -> umount, + @{bin}/updatedb.mlocate rPx, + @{bin}/zramctl rPx, + + /usr/share/file/** r, + /usr/share/terminfo/** r, + + @{MOUNTDIRS}/ rw, + @{MOUNTS}/ rw, + @{MOUNTS}/** w, + @{MOUNTS}/**/ rw, + owner @{MOUNTS}/.{host,last,tty,uid,cleanexit} rw, + + # TODO: access to tomb files and key. 
+ @{user_private_dirs}/**/*tomb* rw, + + /tmp/ r, + owner @{tmp}/@{int} rw, + owner @{tmp}/@{int}@{int} rw, + owner @{tmp}/zsh@{rand6} rw, + owner @{tmp}/zshm@{rand6} rw, + + @{sys}/devices/virtual/block/zram@{int}/backing_dev r, + + @{PROC}/swaps r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mountinfo r, + + /dev/loop-control rw, + /dev/loop@{int} rw, + + profile umount { + include + include + + capability sys_admin, + + umount @{MOUNTS}/{,*/}, + + @{bin}/umount mr, + + owner @{run}/mount/utab r, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor From 9609f0b617d1e8e7291ca8415085ccab96bdbcc4 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Fri, 13 Sep 2024 10:53:53 +0800 Subject: [PATCH 112/315] Update profile for sbctl --- apparmor.d/profiles-s-z/sbctl | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl index 57d8fb5e6..db71eb7e0 100644 --- a/apparmor.d/profiles-s-z/sbctl +++ b/apparmor.d/profiles-s-z/sbctl @@ -18,6 +18,7 @@ profile sbctl @{exec_path} { @{bin}/lsblk rPx, /usr/share/secureboot/{,**} rw, + /var/lib/sbctl/{,**} rw, /{boot,efi}/{,**} r, /{boot,efi}/EFI/{,**} rw, From 1807f1dfe5891628732eb77428a40d2155f12eef Mon Sep 17 00:00:00 2001 
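Review bot: In the new tomb profile, `@{bin}/e2fsc rPUx,` looks like a truncated `e2fsck`; as written it matches no binary, and because it is an unconfined-fallback rule a later copy-paste that "fixes" the name would silently grant an unconfined exec, so either correct it to `@{bin}/e2fsck rPUx,` or remove it. The strong grants `capability sys_ptrace,`, `capability sys_rawio,` and `ptrace read peer=@{p_systemd_user},` have no comment saying which tomb operation needs them, and `@{bin}/sudo rix` runs sudo inside this same rule set; a `# why` note on each would make the profile auditable. The `# TODO: access to tomb files and key.` left above `@{user_private_dirs}/**/*tomb* rw,` should be resolved or turned into a tracked item, and since this patch does not add tomb to dists/flags/main.flags it appears to start in enforce mode rather than complain, unlike the other new profiles in this series. This hunk begins on the previous line.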
From: Alexandre Pujol Date: Fri, 13 Sep 2024 19:39:51 +0100 Subject: [PATCH 113/315] feat(tunable): add busmae variable for dbus unique name. --- .../bus/com.canonical.Unity.LauncherEntry | 4 +-- .../abstractions/bus/fi.w1.wpa_supplicant1 | 18 ++++++------ .../abstractions/bus/net.hadess.PowerProfiles | 2 +- .../bus/net.hadess.SwitcherooControl | 2 +- .../abstractions/bus/net.reactivated.Fprint | 2 +- apparmor.d/abstractions/bus/org.a11y | 4 +-- apparmor.d/abstractions/bus/org.bluez | 8 +++--- .../abstractions/bus/org.freedesktop.Accounts | 10 +++---- .../abstractions/bus/org.freedesktop.Avahi | 2 +- .../bus/org.freedesktop.ColorManager | 8 +++--- .../bus/org.freedesktop.FileManager1 | 4 +-- .../abstractions/bus/org.freedesktop.GeoClue2 | 10 +++---- .../bus/org.freedesktop.ModemManager1 | 4 +-- .../bus/org.freedesktop.NetworkManager | 28 +++++++++---------- .../bus/org.freedesktop.Notifications | 6 ++-- .../bus/org.freedesktop.PackageKit | 2 +- .../bus/org.freedesktop.PolicyKit1 | 8 +++--- .../bus/org.freedesktop.RealtimeKit1 | 4 +-- .../abstractions/bus/org.freedesktop.UDisks2 | 20 ++++++------- .../abstractions/bus/org.freedesktop.UPower | 12 ++++---- .../bus/org.freedesktop.background.Monitor | 4 +-- .../bus/org.freedesktop.hostname1 | 2 +- ...rg.freedesktop.impl.portal.PermissionStore | 4 +-- .../abstractions/bus/org.freedesktop.locale1 | 2 +- .../abstractions/bus/org.freedesktop.login1 | 10 +++---- .../bus/org.freedesktop.login1.Session | 14 +++++----- .../bus/org.freedesktop.portal.Desktop | 10 +++---- .../abstractions/bus/org.freedesktop.resolve1 | 2 +- .../abstractions/bus/org.freedesktop.secrets | 8 +++--- .../bus/org.freedesktop.systemd1-session | 4 +-- .../bus/org.freedesktop.timedate1 | 2 +- .../bus/org.gnome.ArchiveManager1 | 4 +-- .../abstractions/bus/org.gnome.DisplayManager | 2 +- .../bus/org.gnome.Mutter.DisplayConfig | 10 +++---- .../bus/org.gnome.Mutter.IdleMonitor | 6 ++-- .../bus/org.gnome.Nautilus.FileOperations2 | 6 ++-- 
.../abstractions/bus/org.gnome.ScreenSaver | 6 ++-- .../abstractions/bus/org.gnome.SessionManager | 18 ++++++------ .../bus/org.gnome.Shell.Introspect | 8 +++--- .../bus/org.gtk.Private.RemoteVolumeMonitor | 6 ++-- .../abstractions/bus/org.gtk.vfs.Daemon | 2 +- .../abstractions/bus/org.gtk.vfs.Metadata | 4 +-- .../abstractions/bus/org.gtk.vfs.MountTracker | 6 ++-- apparmor.d/tunables/multiarch.d/system | 3 ++ 44 files changed, 152 insertions(+), 149 deletions(-) diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry index 3eceb53ab..7aa5e7f75 100644 --- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry @@ -12,12 +12,12 @@ dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/com/canonical/unity/launcherentry/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index a8e3d52a5..458d99eef 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 
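Review bot: Every `peer=(name="@{busname}", …)` rule in this patch now depends on a tunable defined in `apparmor.d/tunables/multiarch.d/system`, whose hunk is not in this chunk, so its pattern cannot be checked here; the replaced `:*` already matched any unique bus name, and `@{busname}` should be no broader than that — ideally the `:@{int}.@{int}` shape of real unique connection names — or the peer restriction loosens in all the abstractions touched at once. The same substitution repeats in fi.w1.wpa_supplicant1, net.hadess.PowerProfiles, net.hadess.SwitcherooControl and net.reactivated.Fprint below; this note covers those hunks too. A comment at the variable's definition, `# Unique D-Bus connection name (":1.42" style), used as the peer name in bus abstractions`, would document the intended shape for future rules.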
@@ -5,47 +5,47 @@ dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties member={GetAll,Set} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=fi.w1.wpa_supplicant1.Interface member=CreateInterface - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={AddNetwork,Disconnect,RemoveNetwork,Scan,SelectNetwork} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface.P2PDevice member=Cancel - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=fi.w1.wpa_supplicant1.Interface member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int} interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int} 
interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} - peer=(name=:*, label=wpa-supplicant), + peer=(name="@{busname}", label=wpa-supplicant), include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index b4032e033..1bee9da46 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles @@ -5,7 +5,7 @@ dbus send bus=system path=/net/hadess/PowerProfiles interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=power-profiles-daemon), + peer=(name="@{busname}", label=power-profiles-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index 55e4f414d..84422b28e 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -5,7 +5,7 @@ dbus send bus=system path=/net/hadess/SwitcherooControl interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=switcheroo-control), + peer=(name="@{busname}", label=switcheroo-control), include if exists diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index 7e7b21565..ad16d10a2 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -5,7 +5,7 @@ dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} - peer=(name=:*, label=fprintd), + peer=(name="@{busname}", label=fprintd), dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index 5103361c9..deb517f1d 100644 --- a/apparmor.d/abstractions/bus/org.a11y 
+++ b/apparmor.d/abstractions/bus/org.a11y @@ -7,7 +7,7 @@ dbus receive bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry member=EventListenerDeregistered - peer=(name=:*, label=at-spi2-registryd), + peer=(name="@{busname}", label=at-spi2-registryd), dbus send bus=accessibility path=/org/a11y/atspi/registry interface=org.a11y.atspi.Registry @@ -22,7 +22,7 @@ dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.freedesktop.DBus.Properties member=Set - peer=(name=:*, label=at-spi2-registryd), + peer=(name="@{busname}", label=at-spi2-registryd), dbus send bus=accessibility path=/org/a11y/atspi/accessible/root interface=org.a11y.atspi.Socket diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index 7c86817f5..d6ed8922d 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez @@ -5,17 +5,17 @@ dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved - peer=(name="{:*,org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label=bluetoothd), dbus receive bus=system path=/org/bluez/hci@{int}{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name="{:*,org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label=bluetoothd), dbus send bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{:*,org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label=bluetoothd), dbus send bus=system path=/org/bluez interface=org.bluez.AgentManager@{int} @@ -30,7 +30,7 @@ dbus send bus=system path=/org/bluez/hci@{int} interface=org.freedesktop.DBus.Properties member=Set - peer=(name="{:*,org.bluez}", label=bluetoothd), + peer=(name="{@{busname},org.bluez}", label=bluetoothd), dbus send bus=system path=/org/bluez/hci@{int} interface=org.bluez.BatteryProviderManager@{int} 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index 10a9e8fc0..946189fe5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -5,27 +5,27 @@ dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers} - peer=(name=:*, label=accounts-daemon), + peer=(name="@{busname}", label=accounts-daemon), dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=accounts-daemon), + peer=(name="@{busname}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.Accounts.User member=*Changed - peer=(name=:*, label=accounts-daemon), + peer=(name="@{busname}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member=UserAdded - peer=(name=:*, label=accounts-daemon), + peer=(name="@{busname}", label=accounts-daemon), dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid} interface=org.freedesktop.DBus.Properties member=*Changed - peer=(name=:*, label=accounts-daemon), + peer=(name="@{busname}", label=accounts-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 8b24700db..73ddaf14e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -20,7 +20,7 @@ dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int} interface=org.freedesktop.Avahi.ServiceBrowser member={ItemNew,AllForNow,CacheExhausted} - peer=(name=:*, label=avahi-daemon), + peer=(name="@{busname}", label=avahi-daemon), include if exists 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 3950b77aa..6f5c7acf3 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -5,22 +5,22 @@ dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=GetDevices - peer=(name=:*, label=colord), + peer=(name="@{busname}", label=colord), dbus send bus=system path=/org/freedesktop/ColorManager{,/**} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=colord), + peer=(name="@{busname}", label=colord), dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=CreateDevice - peer=(name=:*, label=colord), + peer=(name="@{busname}", label=colord), dbus receive bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member={DeviceAdded,DeviceRemoved} - peer=(name=:*, label=colord), + peer=(name="@{busname}", label=colord), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index b4e985b9e..36f5b405e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 @@ -5,12 +5,12 @@ dbus send bus=session path=/org/freedesktop/FileManager1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=nautilus), + peer=(name="@{busname}", label=nautilus), dbus receive bus=session path=/org/freedesktop/FileManager1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=nautilus), + peer=(name="@{busname}", label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index 836e99d94..af34b33fe 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -5,7 +5,7 @@ dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=geoclue), + peer=(name="@{busname}", label=geoclue), dbus send bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties @@ -15,22 +15,22 @@ dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=geoclue), + peer=(name="@{busname}", label=geoclue), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=geoclue), + peer=(name="@{busname}", label=geoclue), dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.GeoClue2.Manager member=AddAgent - peer=(name=:*, label=geoclue), + peer=(name="@{busname}", label=geoclue), dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=geoclue), + peer=(name="@{busname}", label=geoclue), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 217b588a4..84ce80b6e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -10,12 +10,12 @@ dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=ModemManager), + peer=(name="@{busname}", label=ModemManager), dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=ModemManager), + peer=(name="@{busname}", label=ModemManager), include if exists 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 0fa92d3cc..128f07fe5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager 
@@ -5,72 +5,72 @@ dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={GetDevices,GetPermissions} - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings interface=org.freedesktop.NetworkManager.Settings member=ListConnections - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=GetSettings - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + 
peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Properties member=CheckPermissions - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member=CheckPermissions - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.NetworkManager member={CheckPermissions,DeviceAdded,DeviceRemoved,StateChanged} - peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus receive bus=system path=/org/freedesktop/NetworkManager/Settings/@{int} interface=org.freedesktop.NetworkManager.Settings.Connection member=Updated - 
peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager), + peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications index 90ee1aefc..27e1e7137 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications +++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications @@ -5,17 +5,17 @@ dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gjs-console), + peer=(name="@{busname}", label=gjs-console), dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties member={GetCapabilities,GetServerInformation,Notify} - peer=(name=:*, label=gjs-console), + peer=(name="@{busname}", label=gjs-console), dbus receive bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties member={GetAll,NotificationClosed,CloseNotification} - peer=(name=:*, label=gjs-console), + peer=(name="@{busname}", label=gjs-console), dbus receive bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index 7cdd9a3ce..1a6839b17 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -5,7 +5,7 @@ dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=packagekitd), + peer=(name="@{busname}", label=packagekitd), dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Introspectable 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 3201e48ce..006dcee84 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -5,12 +5,12 @@ dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed - peer=(name=:*, label=polkitd), + peer=(name="@{busname}", label=polkitd), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=polkitd), + peer=(name="@{busname}", label=polkitd), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority @@ -20,7 +20,7 @@ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization - peer=(name=:*, label=polkitd), + peer=(name="@{busname}", label=polkitd), dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=CheckAuthorization @@ -29,7 +29,7 @@ dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=polkitd), + peer=(name="@{busname}", label=polkitd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 474c4c625..527c1e916 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 
@@ -10,12 +10,12 @@ dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*, label=rtkit-daemon), + peer=(name="@{busname}", label=rtkit-daemon), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 member=MakeThread* - peer=(name=:*, label=rtkit-daemon), + peer=(name="@{busname}", label=rtkit-daemon), dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.RealtimeKit1 diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index 79b882e51..cd415f396 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 
@@ -5,52 +5,52 @@ dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/** interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/ interface=org.freedesktop.DBus.Properties member=Get - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=InterfacesAdded - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system 
path=/org/freedesktop/UDisks2/jobs/@{int} interface=org.freedesktop.UDisks2.Job member=Completed - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd), + peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index d8341d33c..247e2ddda 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -5,12 +5,12 @@ dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), dbus send bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), dbus send bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.DBus.Properties member={Get,GetAll} 
@@ -24,22 +24,22 @@ dbus send bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), dbus send bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), dbus receive bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=DeviceAdded - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), dbus receive bus=system path=/org/freedesktop/UPower/devices/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name="{:*,org.freedesktop.UPower}", label=upowerd), + peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor index 5f951381b..ff7d57989 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor @@ -5,12 +5,12 @@ dbus send bus=session path=/org/freedesktop/background/monitor interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/background/monitor interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 54196d16b..51b0a5cec 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -5,7 +5,7 @@ dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="{:*,org.freedesktop.hostname1}", label=systemd-hostnamed), + peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed), dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 6b965a2f5..0fabcd310 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -5,12 +5,12 @@ dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=xdg-permission-store), + peer=(name="@{busname}", label=xdg-permission-store), dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.impl.portal.PermissionStore member=Lookup - peer=(name=:*, label=xdg-permission-store), + peer=(name="@{busname}", label=xdg-permission-store), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index a2865c7c9..74e51b1d7 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 @@ -5,7 +5,7 @@ dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=systemd-localed), + peer=(name="@{busname}", label=systemd-localed), dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index fdceceea4..595b81335 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -5,27 +5,27 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index 24d5c1452..d5b62f739 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -5,37 +5,37 @@ dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession - peer=(name=:*, label=systemd-logind), + peer=(name="@{busname}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*} interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*, label=systemd-logind), + peer=(name="@{busname}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus send bus=system path=/org/freedesktop/login1/seat/* interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=systemd-logind), + peer=(name="@{busname}", label=systemd-logind), dbus receive bus=system path=/org/freedesktop/login1/session/* interface=org.freedesktop.login1.Session member={PauseDevice,Unlock} - peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind), + peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind), include if exists 
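Review bot: Within this hunk the same peer (`label=systemd-logind`) is matched in two different ways: the GetSession send, the Properties send on `session/*` and the PropertiesChanged receive use `name="@{busname}"`, while the remaining rules use `name="{@{busname},org.freedesktop.login1}"`. Since the commit rewrites every one of these lines it is the natural moment to settle on one form; as far as I can tell, a send addressed to the well-known name org.freedesktop.login1 is only matched by the brace form, so the three rules using `@{busname}` alone presumably rely on the client addressing logind by its unique name. The org.freedesktop.portal.Desktop hunk has the same mix (the first rule uses `"{@{busname},org.freedesktop.portal.Desktop}"`, the other four only `"@{busname}"`), whereas org.bluez, org.freedesktop.NetworkManager, org.freedesktop.UDisks2, org.freedesktop.UPower and org.freedesktop.login1 use the brace form consistently.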
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index a2a1a94a0..820b57ff7 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop @@ -5,27 +5,27 @@ dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={Get,GetAll,Read} - peer=(name="{:*,org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), + peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal), dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member={Read,ReadAll} - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.portal.Settings member=SettingChanged - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), dbus receive bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.impl.portal.Settings member={Read,ReadAll} - peer=(name=:*, label=xdg-desktop-portal), + peer=(name="@{busname}", label=xdg-desktop-portal), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 3057282c9..7f5b6d1a4 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 
@@ -5,7 +5,7 @@ dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member={SetLink*,ResolveHostname} - peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved), + peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index 01ecf0786..bb8014fc0 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -5,12 +5,12 @@ dbus send bus=session path=/org/freedesktop/secrets{,/**} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-keyring-daemon), + peer=(name="@{busname}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets interface=org.freedesktop.Secret.Service member={OpenSession,GetSecrets,SearchItems,ReadAlias} - peer=(name=:*, label=gnome-keyring-daemon), + peer=(name="@{busname}", label=gnome-keyring-daemon), dbus send bus=session path=/org/freedesktop/secrets/aliases/default interface=org.freedesktop.Secret.Collection @@ -20,12 +20,12 @@ dbus receive bus=session path=/org/freedesktop/secrets/collection/login interface=org.freedesktop.Secret.Collection member=ItemCreated - peer=(name=:*, label=gnome-keyring-daemon), + peer=(name="@{busname}", label=gnome-keyring-daemon), dbus receive bus=session path=/org/freedesktop/secrets/collection/login interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-keyring-daemon), + peer=(name="@{busname}", label=gnome-keyring-daemon), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session index c0e852662..8edda758c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session 
@@ -10,12 +10,12 @@ dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} - peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"), + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=GetUnit - peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"), + peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"), include if exists diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 883c5c165..32cc2f451 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -16,7 +16,7 @@ dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=systemd-timedated), + peer=(name="@{busname}", label=systemd-timedated), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index 9953ee8bf..078835c41 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -5,12 +5,12 @@ dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=file-roller), + peer=(name="@{busname}", label=file-roller), dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.gnome.ArchiveManager1 member=GetSupportedTypes - peer=(name=:*, label=file-roller), + peer=(name="@{busname}", label=file-roller), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager index 05945a253..0d76f2388 100644 
--- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager @@ -5,7 +5,7 @@ dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.gnome.DisplayManager.Manager member=RegisterDisplay - peer=(name=:*, label=gdm), + peer=(name="@{busname}", label=gdm), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig index d701792a6..1449ff4ea 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig @@ -5,27 +5,27 @@ dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member={GetResources,GetCrtcGamma} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=GetCurrentState - peer=(name="{:*,org.gnome.Mutter.DisplayConfig}", label=gnome-shell), + peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member=MonitorsChanged - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 7ada64f05..2726a7c54 100644 
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -5,17 +5,17 @@ dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member={AddIdleWatch,AddUserActiveWatch,RemoveWatch} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core interface=org.gnome.Mutter.IdleMonitor member=WatchFired - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 index e547ab2c5..da9f7229f 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 @@ -5,17 +5,17 @@ dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=nautilus), + peer=(name="@{busname}", label=nautilus), dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=nautilus), + peer=(name="@{busname}", label=nautilus), dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2 interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=nautilus), + peer=(name="@{busname}", label=nautilus), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver index 3e228ad1f..15eec0c69 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver 
+++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver @@ -5,17 +5,17 @@ dbus send bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gjs-console), + peer=(name="@{busname}", label=gjs-console), dbus send bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member=GetActive - peer=(name=:*, label=gjs-console), + peer=(name="@{busname}", label=gjs-console), dbus receive bus=session path=/org/gnome/ScreenSaver interface=org.gnome.ScreenSaver member={ActiveChanged,WakeUpScreen} - peer=(name=:*, label=gjs-console), + peer=(name="@{busname}", label=gjs-console), include if exists diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 4197fb4cf..19242d56a 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -7,7 +7,7 @@ dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager 
@@ -17,42 +17,42 @@ dbus receive bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded} - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member=EndSessionResponse - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.gnome.SessionManager.ClientPrivate member={CancelEndSession,QueryEndSession,EndSession,Stop} - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager/Client@{int} interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus receive bus=session path=/org/gnome/SessionManager/Presence interface=org.gnome.SessionManager.Presence member=StatusChanged - peer=(name=:*, label=gnome-session-binary), + peer=(name="@{busname}", label=gnome-session-binary), dbus send bus=session path=/org/gnome/SessionManager 
interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index 72e4525bc..ed39a2533 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -5,7 +5,7 @@ dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties @@ -15,17 +15,17 @@ dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member=GetRunningApplications - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell/Introspect interface=org.gnome.Shell.Introspect member={RunningApplicationsChanged,WindowsChanged} - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), dbus receive bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member=PropertiesChanged - peer=(name=:*, label=gnome-shell), + peer=(name="@{busname}", label=gnome-shell), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor index 73d958513..0ad921ed3 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor 
@@ -5,17 +5,17 @@ dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded} - peer=(name=:*, label=gvfs-*-volume-monitor), + peer=(name="@{busname}", label=gvfs-*-volume-monitor), dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={MountAdded,MountChanged,VolumeChanged,VolumeRemoved} - peer=(name=:*, label=gvfs-*-volume-monitor), + peer=(name="@{busname}", label=gvfs-*-volume-monitor), dbus receive bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged} - peer=(name=:*, label=gvfs-*-volume-monitor), + peer=(name="@{busname}", label=gvfs-*-volume-monitor), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 35cd640d6..3e0d95f18 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon @@ -5,7 +5,7 @@ dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={GetConnection,ListMonitorImplementations,ListMountableInfo} - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index 33d3c1c36..e755faa6a 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata 
@@ -5,12 +5,12 @@ dbus send bus=session path=/org/gtk/vfs/metadata interface=org.freedesktop.DBus.Properties member=GetAll - peer=(name=:*, label=gvfsd-metadata), + peer=(name="@{busname}", label=gvfsd-metadata), dbus receive bus=session path=/org/gtk/vfs/metadata interface=org.gtk.vfs.Metadata member=AttributeChanged - peer=(name=:*, label=gvfsd-metadata), + peer=(name="@{busname}", label=gvfsd-metadata), include if exists diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index 4d59f0afc..575401ee6 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -5,17 +5,17 @@ dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMounts2 - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), dbus receive bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=Mounted - peer=(name=:*, label=gvfsd), + peer=(name="@{busname}", label=gvfsd), include if exists diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index c6b22f9e0..036fd1a70 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -98,6 +98,9 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 +# Dbus unique name +@{busname}=:1.@{u16} + # Common architecture names @{arch}=x86_64 amd64 i386 From 5474a5fa69e73566ff1ac5bec851bb6f549b876f Mon Sep 17 00:00:00 2001 
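Review bot: `@{busname}=:1.@{u16}` narrows every rule in this series that moved from `name=:*` to `name="@{busname}"` (the login1.Session, portal.Desktop, resolve1, secrets, systemd1-session, timedate1, ArchiveManager1, DisplayManager, Mutter.*, Nautilus, ScreenSaver, SessionManager, Shell.Introspect, RemoteVolumeMonitor and gtk.vfs.* hunks above) to unique names whose numeric part fits `@{u16}`, whose definition is not in this patch. The bus daemon assigns `:1.N` from a per-connection counter that it does not restart, so on a long-lived system bus the suffix can grow past 65535 and these rules would silently stop matching, producing denials that look like a profile bug. The `label=` constraint is what actually binds the peer, the name is only a hygiene filter, so either a wider numeric range or a comment on the tunable stating why 16 bits is sufficient (e.g. `# Dbus unique name; the counter is assumed to stay below 65536`) would keep the rules from expiring with bus uptime.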
From: Alexandre Pujol Date: Fri, 13 Sep 2024 19:40:17 +0100 Subject: [PATCH 114/315] feat(tunable): update the arch variable. --- apparmor.d/tunables/multiarch.d/system | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 036fd1a70..4fb8304cd 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -102,7 +102,7 @@ @{busname}=:1.@{u16} # Common architecture names -@{arch}=x86_64 amd64 i386 +@{arch}=x86_64 amd64 i386 i686 # OpenSUSE does not have the same multiarch structure @{multiarch}+=*-suse-linux* #aa:only opensuse From db064b651e86548fbfc366d94a816b8d7ab2eec2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 13 Sep 2024 19:47:07 +0100 Subject: [PATCH 115/315] feat(profile): general update. --- apparmor.d/abstractions/app-open | 1 + apparmor.d/abstractions/app/chromium | 2 ++ apparmor.d/groups/_full/systemd | 6 +--- .../groups/gnome/evolution-user-prompter | 2 ++ apparmor.d/groups/gnome/gjs-console | 4 +-- .../groups/gnome/gnome-extension-gsconnect | 2 -- apparmor.d/groups/gnome/gnome-session-binary | 7 +---- apparmor.d/groups/gnome/gnome-software | 23 +++++++++++++-- apparmor.d/groups/gnome/gsd-power | 6 +--- apparmor.d/groups/whonix/msgdispatcher | 1 - apparmor.d/profiles-a-f/aa-enforce | 2 +- apparmor.d/profiles-m-r/minitube | 29 +------------------ apparmor.d/profiles-s-z/signal-desktop | 3 +- 13 files changed, 32 insertions(+), 56 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 8c4efc350..c47c7ca69 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -38,6 +38,7 @@ @{bin}/gnome-calculator rPUx, @{bin}/gnome-disk-image-mounter rPx, @{bin}/gnome-disks rPx, + @{bin}/gnome-software rPx, @{bin}/gwenview rPUx, @{bin}/kgx rPx, @{bin}/qbittorrent rPx, 
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index e80a7e0f4..a392507b5 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -26,6 +26,8 @@ include include include + include + include include include include diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index aa1f1729d..d85d04e2f 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -155,13 +155,9 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { @{lib}/ r, / r, - /boot/ r, + /*/ r, /boot/efi/ r, - /efi/ r, - /snap/ r, /snap/*/@{int}/ r, - /tmp/ r, - /usr/ r, /var/cache/*/ r, /var/lib/*/ r, /var/tmp/ r, diff --git a/apparmor.d/groups/gnome/evolution-user-prompter b/apparmor.d/groups/gnome/evolution-user-prompter index 560f2bdb0..d9d2e6a55 100644 --- a/apparmor.d/groups/gnome/evolution-user-prompter +++ b/apparmor.d/groups/gnome/evolution-user-prompter @@ -10,6 +10,8 @@ include profile evolution-user-prompter @{exec_path} { include include + include + include #aa:dbus own bus=session name=org.gnome.evolution.dataserver.UserPrompter0 diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index e51ed5b8d..cf1ace48c 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -35,9 +35,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Shell.Notifications #aa:dbus own bus=session name=org.gnome.Shell.Screencast - dbus send bus=session path=/org/gnome/Mutter/ScreenCast - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=gnome-shell), + #aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell dbus send bus=session path=/org/gnome/Shell interface=org.freedesktop.DBus.Properties 
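Review bot: `/*/ r,` replaces the explicit `/boot/`, `/efi/`, `/snap/`, `/tmp/`, `/usr/` list with a listing permission on every top-level directory, which now also covers `/home/`, `/root/` and anything mounted at the root later; for pid 1 that is a small widening (directory listing only, no file contents), but the reason for going generic is not recorded. A trailing comment such as `/*/ r, # <reason, e.g. mount point enumeration>` would keep the next reviewer from narrowing it back to the old list. `profile systemd` starts outside the hunk.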
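Review bot: Replacing the explicit `dbus send ... interface=org.freedesktop.DBus.Properties` rule with `#aa:dbus talk bus=session name=org.gnome.Mutter.ScreenCast label=gnome-shell` drops the interface restriction, and if the directive expands, as its name suggests, to send and receive rules for every member of that name this is a widening rather than a rewrite. The same substitution is made in gnome-session-binary, where `member={CanPowerOff,PowerOff,Reboot}` on the system-bus login1 Manager becomes a full talk with systemd-logind, and in gsd-power, where `member=Set` on DisplayConfig becomes a full talk; the login1 case deserves a second look because that interface exposes far more than power control. Keeping the member-scoped rule, or adding a comment stating that the broader access was observed to be needed, would make the intent explicit. `profile gjs-console` starts outside the hunk.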
diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 3083c73f9..58b528704 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -62,8 +62,6 @@ profile gnome-extension-gsconnect @{exec_path} { owner @{PROC}/@{pid}/status r, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/shm/ r, - include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index e08ae61d3..795153fb1 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -14,7 +14,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include include include - include include include include @@ -33,17 +32,13 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { signal (send) set=(term) peer=gsd-*, #aa:dbus own bus=session name=org.gnome.SessionManager + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={GetConnectionUnixUser,GetConnectionUnixProcessID,UpdateActivationEnvironment} peer=(name=org.freedesktop.DBus label=dbus-session), - dbus send bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={CanPowerOff,PowerOff,Reboot} - peer=(name=:*, label=systemd-logind), - dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"), diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 290aa4454..dbd07fe7d 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
@@ -75,8 +75,11 @@ profile gnome-software @{exec_path} { owner @{HOME}/.var/app/{,**} rw, + owner @{user_download_dirs}/*.flatpakref r, + owner @{user_cache_dirs}/flatpak/{,**} rwl, - owner @{user_cache_dirs}/gnome-software/{,**} rw, + owner @{user_cache_dirs}/gnome-software/ rw, + owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**, owner @{user_config_dirs}/flatpak/{,**} r, owner @{user_config_dirs}/pulse/*.conf r, @@ -124,6 +127,8 @@ profile gnome-software @{exec_path} { /dev/fuse rw, + deny owner @{user_share_dirs}/gvfs-metadata/* r, + profile gpg { include @@ -131,14 +136,26 @@ profile gnome-software @{exec_path} { @{bin}/gpgconf mr, @{bin}/gpgsm mr, + @{bin}/gpg-agent rix, + @{bin}/gpg-connect-agent rix, + @{lib}/{,gnupg/}scdaemon rix, + @{HOME}/@{XDG_GPG_DIR}/*.conf r, @{tmp}/ r, owner @{tmp}/ostree-gpg-@{rand6}/ r, owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**, - owner @{run}/user/@{uid}/gnupg/ w, - + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/gnupg/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 0f4b3cd3c..9a197e5bf 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -20,7 +20,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include - include include include include 
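Review bot: The `gpg` child profile now runs `gpg-agent`, `gpg-connect-agent` and `scdaemon` with `rix` and grants `rw` on `S.gpg-agent{,.ssh,.browser,.extra}`, but the `.ssh` socket is the user's SSH agent endpoint, which verifying ostree/flatpak signatures should not need. An agent started from here also keeps this child profile for its whole lifetime instead of its own confinement. I would reduce the socket line to `owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent rw,` (adding `.extra`/`.browser` only if audit logs show them), and if the project ships a standalone gpg-agent profile, transition to it with `rPx` rather than `rix`. `profile gnome-software` starts outside the hunk.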
@@ -37,10 +36,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power - dbus send bus=session path=/org/gnome/Mutter/DisplayConfig - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*, label=gnome-shell), + #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight interface=org.freedesktop.UPower.KbdBacklight diff --git a/apparmor.d/groups/whonix/msgdispatcher b/apparmor.d/groups/whonix/msgdispatcher index 02433106d..9f2871eef 100644 --- a/apparmor.d/groups/whonix/msgdispatcher +++ b/apparmor.d/groups/whonix/msgdispatcher @@ -39,7 +39,6 @@ profile msgdispatcher @{exec_path} { include include - @{bin}/sudo mr, @{lib}/msgcollector/* rPx, owner @{run}/msgcollector/user/msgdispatcher_x_* r, diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 3a803756c..71823cb4c 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -32,7 +32,7 @@ profile aa-enforce @{exec_path} { owner @{tmp}/@{rand8} rw, owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, - owner @{PROC}/@{pid}/fd r, + @{PROC}/@{pid}/fd r, include if exists } diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube index 4d4d26655..b349940ca 100644 --- a/apparmor.d/profiles-m-r/minitube +++ b/apparmor.d/profiles-m-r/minitube @@ -30,9 +30,7 @@ profile minitube @{exec_path} { @{exec_path} mr, - # Be able to turn off the screensaver while playing movies - @{bin}/xdg-screensaver rCx -> xdg-screensaver, - + @{bin}/xdg-screensaver rPx, @{open_path} rPx -> child-open, /usr/share/minitube/{,**} r, 
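Review bot: Dropping `owner` from `@{PROC}/@{pid}/fd r` lets aa-enforce match the `fd` entry of processes belonging to other users, since `@{pid}` is a numeric pattern rather than the caller's own pid; the tool is normally run as root so the practical widening is small, but why the `owner` qualifier no longer matched is not recorded. A short trailing comment, e.g. `@{PROC}/@{pid}/fd r, # <which process's fd entry is read and why owner does not match>`, would stop a later cleanup from reinstating it. `profile aa-enforce` starts outside the hunk.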
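Review bot: `@{bin}/xdg-screensaver rPx,` has no fallback: unlike `rPUx`, the exec is denied if no standalone `xdg-screensaver` profile is loaded, and this series deletes the local child profile (second minitube hunk) without adding a replacement, so the standalone profile must already exist in the tree — it is not in the diffstat, so this is inferred. The deleted child also carried `file_inherit` rules for `/dev/dri/card@{int}` and inet sockets; the standalone profile needs equivalent rules or the inherited descriptors may be denied at exec. A comment on the new line naming the profile it transitions to would make the dependency visible. `profile minitube` starts outside the hunk.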
@@ -69,31 +67,6 @@ profile minitube @{exec_path} { /dev/shm/#@{int} rw, owner /dev/tty@{int} rw, - profile xdg-screensaver { - include - include - - @{bin}/xdg-screensaver mr, - - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xset rix, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, - - owner @{HOME}/.Xauthority r, - - # file_inherit - /dev/dri/card@{int} rw, - network inet stream, - network inet6 stream, - - include if exists - } - include if exists } diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 73474ce7f..484f42dd9 100644 --- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -31,9 +31,8 @@ profile signal-desktop @{exec_path} { @{exec_path} mrix, - # @{bin}/basename rix, @{bin}/getconf rix, - @{open_path} rPx -> child-open-strict, + @{open_path} rPx -> child-open-strict, #aa:stack X xdg-settings @{bin}/xdg-settings rPx -> signal-desktop//&xdg-settings, From 4ccf2156de7d6df6730dbe18a7ef203bd639dea5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 13 Sep 2024 20:07:41 +0100 Subject: [PATCH 116/315] fix(abs): base: allow inherited mesa cache mesa 24.2 introduced a shader disk cache which is enabled by default, which opens quite a lot of fd. They are not closed and get inherited by child programs. Denying it can cause crash, so we are allowing it globally while the issue is beeing fixed in mesa. See: https://gitlab.freedesktop.org/mesa/mesa/-/issues/11810 --- apparmor.d/abstractions/base.d/complete | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index e9761b843..f0b3efdaf 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete 
@@ -24,6 +24,12 @@ @{etc_rw}/localtime r, /etc/locale.conf r, + # mesa 24.2 introduced a shader disk cache which opens quite a lot of fd. + # They are not closed and get inherited by child programs. Denying it can cause + # crash, so we are allowing it globally while the issue is beeing fixed in mesa. + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw, + owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw, + @{sys}/devices/system/cpu/possible r, @{PROC}/sys/kernel/core_pattern r, From b03b9b05ebf5526c8565fee9d3a922ff5adf777d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 13 Sep 2024 20:41:22 +0100 Subject: [PATCH 117/315] feat(profile): improve kde integration. see #484 --- apparmor.d/abstractions/app/chromium | 6 ++++ apparmor.d/groups/browsers/brave | 4 +-- apparmor.d/groups/freedesktop/xorg | 37 ++++++++++++----------- apparmor.d/groups/kde/baloo | 25 +++++++++++++++ apparmor.d/groups/kde/baloorunner | 6 ++++ apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/kde/kscreenlocker_greet | 4 ++- apparmor.d/groups/kde/ksmserver | 1 + apparmor.d/groups/kde/kwin_wayland | 5 +++ apparmor.d/groups/kde/plasmashell | 6 ++++ apparmor.d/groups/kde/sddm-greeter | 5 +-- apparmor.d/groups/network/tailscaled | 7 +++-- 12 files changed, 81 insertions(+), 26 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index a392507b5..0066e5eec 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium 
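Review bot: The new `mesa_cache.db`/`mesa_cache.idx` rules live in `base.d/complete`, so every confined program, GPU-using or not, can now open and write the user's shader cache rather than merely keep descriptors it inherited; because that cache is read back by every other mesa-using process of the same user, this is a writable path that crosses profile boundaries. AppArmor cannot express "inherited descriptors only", so the trade-off is understandable, but the comment should carry the upstream reference from the commit message (`# See: https://gitlab.freedesktop.org/mesa/mesa/-/issues/11810`) and a TODO to drop the rules once mesa closes its descriptors. The comment also misspells `being` as `beeing`.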
@@ -137,6 +137,12 @@ owner @{cache_dirs}/{,**} rw, + owner @{user_config_dirs}/kcminputrc r, + owner @{user_config_dirs}/kdedefaults/kcminputrc r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/menus/applications-merged/ r, + owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, + # For importing data (bookmarks, cookies, etc) from Firefox # owner @{HOME}/.mozilla/firefox/profiles.ini r, # owner @{HOME}/.mozilla/firefox/*/ r, diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 4d065dce4..543548f98 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -34,9 +34,6 @@ profile brave @{exec_path} { /etc/opt/chrome/native-messaging-hosts/* r, owner @{user_config_dirs}/BraveSoftware/ rw, - owner @{user_config_dirs}/kioslaverc r, - owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, owner @{config_dirs}/WidevineCdm/libwidevinecdm.so mrw, owner @{cache_dirs}/BraveSoftware/ rw, @@ -44,6 +41,7 @@ profile brave @{exec_path} { owner @{tmp}/net-export/ rw, # For brave://net-export/ # Silencer + deny /etc/opt/ w, deny /etc/opt/chrome/ w, deny /dev/disk/by-uuid/ r, diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 878b85004..5797f27bf 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg 
@@ -87,6 +87,25 @@ profile xorg @{exec_path} flags=(attach_disconnected) { owner @{tmp}/server-* rwk, owner @{tmp}/serverauth.* r, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+dmi* r, # for motherboard info + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+i2c:* r, + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, # for ? + @{run}/udev/data/+serio:* r, # for touchpad? + @{run}/udev/data/+sound:card@{int} r, # for sound card + @{run}/udev/data/+usb* r, # for USB mouse and keyboard + + @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* + @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx + @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** + @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* + @{sys}/bus/ r, @{sys}/bus/pci/devices/ r, @{sys}/class/ r, 
@@ -103,23 +122,6 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sys}/devices/platform/ r, @{sys}/module/i915/{,**} r, - @{run}/udev/data/+acpi:* r, # for acpi - @{run}/udev/data/+dmi* r, # for motherboard info - @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs - @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard - @{run}/udev/data/+i2c:* r, - @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad - @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) - @{run}/udev/data/+platform:* r, # for ? - @{run}/udev/data/+serio:* r, # for touchpad? - @{run}/udev/data/+usb* r, # for USB mouse and keyboard - @{run}/udev/data/c4:@{int} r, # for /dev/tty[0-9]* - @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx - @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - @{run}/udev/data/c13:@{int} r, # for /dev/input/* - @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** - @{run}/udev/data/c226:@{int} r, # for /dev/dri/card* - @{PROC}/@{pids}/cmdline r, @{PROC}/cmdline r, @{PROC}/ioports r, @@ -127,6 +129,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/fb@{int} rw, /dev/input/event@{int} rw, + /dev/input/mouse@{int} rw, /dev/shm/#@{int} rw, /dev/shm/shmfd-* rw, /dev/tty rw, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 3b5efe387..780348692 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo 
@@ -42,8 +42,33 @@ profile baloo @{exec_path} { owner @{user_share_dirs}/baloo/{,**} rwk, + @{run}/udev/data/+acpi:* r, # for acpi + @{run}/udev/data/+backlight:* r, + @{run}/udev/data/+bluetooth:* r, + @{run}/udev/data/+dmi:* r, # For motherboard info + @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad + @{run}/udev/data/+leds:* r, + @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) + @{run}/udev/data/+platform:* r, + @{run}/udev/data/+power_supply* r, + @{run}/udev/data/+rfkill:* r, + @{run}/udev/data/+sound:card@{int} r, # for sound card + + @{run}/udev/data/c1:@{int} r, # For RAM disk + @{run}/udev/data/c4:@{int} r, # For TTY devices + @{run}/udev/data/c7:@{int} r, # For Virtual console capture devices + @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features + @{run}/udev/data/c13:@{int} r, # For /dev/input/* + @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* + @{run}/udev/data/c89:@{int} r, # For I2C bus interface + @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/class/*/ r, + @{sys}/devices/**/uevent r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 1b5d79492..7faa752d6 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}baloorunner profile baloorunner @{exec_path} { include + include include include include 
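Review bot: `@{run}/udev/data/c@{dynamic}:@{int} r` and `@{sys}/devices/**/uevent r` let the file indexer read udev metadata for the whole dynamic major range and every device's uevent, and none of the new lines says which baloo operation needs that (presumably device enumeration for removable media, to be confirmed against the audit log). The same udev list, with small differences, is added to xorg in the first hunk of this patch and already appears as context in kwin_wayland further down; a shared abstraction would keep the copies from drifting. If only removable-media detection is needed, the `c@{dynamic}` line deserves a comment naming the device class it was observed for. The baloo profile body continues outside this hunk.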
@@ -20,6 +21,11 @@ profile baloorunner @{exec_path} { /etc/xdg/baloofilerc r, + # Allow to search user files + owner @{HOME}/{,**} r, + owner @{MOUNTS}/{,**} r, + owner @{tmp}/*/{,**} r, + owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_config_dirs}/baloofilerc r, diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index a37fea7a0..b745dea62 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -59,6 +59,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) @{sys}/devices/ r, @{sys}/devices/@{pci}/*_backlight/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/card@{int}/*/dpms r, + @{sys}/devices/@{pci}/drm/card@{int}/**/{,max_,actual_}brightness r, @{sys}/devices/@{pci}/drm/card@{int}/**/dev r, @{sys}/devices/@{pci}/drm/card@{int}/*/dpms r, @{sys}/devices/@{pci}/drm/card@{int}/*/edid r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index bd1666a06..0be47a752 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -73,7 +73,9 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kscreenlocker_greet/ w, owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk, - owner @{user_cache_dirs}/ksvg-elements r, + owner @{user_cache_dirs}/ksvg-elements rw, + owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, + owner @{user_cache_dirs}/ksvg-elements.lock rwlk, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements-default_v* r, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index f768cad0c..65bf9036a 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver 
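Review bot: `owner @{HOME}/{,**} r` together with `owner @{MOUNTS}/{,**} r` gives the runner read access to the entire home directory and every mounted volume, which is much wider than the index queries a krunner plugin normally performs (inferred; if it only opens matched files on activation, a narrower rule would still do). The comment `# Allow to search user files` should state the observed denial, and `owner @{tmp}/*/{,**} r` needs its own justification since it does not fit that description. The baloorunner profile body continues outside this hunk.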
@@ -56,6 +56,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{user_config_dirs}/ksmserverrc.@{rand6} rwl, owner @{user_config_dirs}/ksmserverrc.lock rwk, owner @{user_config_dirs}/menus/ r, + owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/session/*_[0-9]*_[0-9]*_[0-9]* rw, owner @{user_share_dirs}/kservices{5,6}/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 95abaa2a6..c5451f4ae 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -89,6 +89,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/khotkeysrc r, owner @{user_config_dirs}/klaunchrc r, owner @{user_config_dirs}/kscreenlockerrc r, owner @{user_config_dirs}/kwinoutputconfig.json rw, @@ -110,6 +111,10 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{sys}/class/drm/ r, @{sys}/class/input/ r, @{sys}/devices/**/uevent r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, @{run}/udev/data/+acpi:* r, # for ACPI @{run}/udev/data/+dmi:* r, # for motherboard info diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 06a816026..825a28ba0 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
@@ -151,6 +151,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/plasma* rwlk, owner @{user_config_dirs}/trashrc r, + owner @{user_share_dirs}/*/sessions/ r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/akonadi/search_db/{,**} r, owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, @@ -174,6 +175,11 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_share_dirs}/user-places.xbel{,*} rwl, owner @{user_share_dirs}/wallpapers/{,**} rw, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasmashellstaterc rw, + owner @{user_state_dirs}/plasmashellstaterc.lock rwk, + owner @{user_state_dirs}/plasmashellstaterc.@{rand6} rwl, + /tmp/.mount_nextcl@{rand6}/{,*} r, owner @{tmp}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 4872716fc..441f2db25 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -29,12 +29,13 @@ profile sddm-greeter @{exec_path} { @{lib}/libheif/*.so* rm, /usr/share/desktop-base/*-theme/login/*.svg r, + /usr/share/endeavouros/backgrounds/** r, + /usr/share/hunspell/** r, /usr/share/plasma/desktoptheme/** r, /usr/share/sddm/{,**} r, + /usr/share/wallpapers/{,**} r, /usr/share/wayland-sessions/{,*.desktop} r, /usr/share/xsessions/{,*.desktop} r, - /usr/share/wallpapers/{,**} r, - /usr/share/hunspell/** r, /etc/fstab r, /etc/os-release r, diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index 14d73b356..b59c668b8 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled 
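Review bot: In the sddm-greeter hunk, `/usr/share/endeavouros/backgrounds/** r` hard-codes a distribution-specific path into the generic profile, unlike the neighbouring `/usr/share/wallpapers/{,**}` and `/usr/share/hunspell/**` lines, which are only re-sorted. A comment naming the distribution it serves, e.g. `/usr/share/endeavouros/backgrounds/** r, # EndeavourOS theme`, would make clear that the line is intentional rather than a leftover from one machine's audit log. The sddm-greeter profile body continues outside this hunk.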
@@ -21,12 +21,13 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) { capability syslog, network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, network inet raw, + network inet stream, + network inet6 dgram, network inet6 raw, + network inet6 stream, network netlink raw, + network packet dgram, ptrace (read), From 09401567a46579ab795b866730d7d8e51c13f2fb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 13 Sep 2024 22:39:43 +0100 Subject: [PATCH 118/315] feat(profile): base the the thunderbird profile from firefox. --- apparmor.d/abstractions/app/firefox | 1 + apparmor.d/profiles-s-z/thunderbird | 149 +++-------------------- apparmor.d/tunables/multiarch.d/programs | 2 +- 3 files changed, 18 insertions(+), 134 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index b3e78105e..89ea1f747 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -28,6 +28,7 @@ include include include + include include include diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 3d580afe9..28b0a4836 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -7,7 +7,7 @@ abi , include -@{name} = thunderbird{,.sh,-bin} +@{name} = thunderbird{,-bin} @{lib_dirs} = @{lib}/@{name} @{config_dirs} = @{HOME}/.@{name}/ @{cache_dirs} = @{user_cache_dirs}/@{name}/ 
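Review bot: `network packet dgram` gives tailscaled AF_PACKET sockets, which operate below IP on the raw interface, and unlike the other network rules in the hunk it carries no comment saying what tailscaled uses it for. Since the rest of the hunk is only reordering, this line is the only substantive change and deserves a why-comment such as `network packet dgram, # TODO: record the tailscaled feature that needs AF_PACKET`. The tailscaled profile body continues outside this hunk.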
@@ -15,60 +15,16 @@ include @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} profile thunderbird @{exec_path} { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - - # userns, - - capability sys_admin, # If kernel.unprivileged_userns_clone = 1 - capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 - - network inet dgram, - network inet6 dgram, - network inet stream, - network inet6 stream, - network netlink raw, - - ptrace peer=@{profile_name}, + include #aa:dbus own bus=session name=org.mozilla.thunderbird - dbus receive bus=system path=/org/freedesktop/login1 - interface=org.freedesktop.login1.Manager - member={UserAdded,UserRemoved} - peer=(name=:*, label=systemd-logind), - - dbus receive bus=system - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), - @{exec_path} mrix, - @{sh_path} rix, - @{bin}/which.debianutils rix, - - @{lib_dirs}/{,**} r, - @{lib_dirs}/*.so mr, - @{lib_dirs}/glxtest rPx, - @{lib_dirs}/thunderbird-wrapper-helper.sh rix, - @{lib_dirs}/vaapitest rPx, + @{lib_dirs}/glxtest rPx, + @{lib_dirs}/vaapitest rPx, + @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemKWaylandPlugin.so mr, @{lib}/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr, # GPG integration 
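Review bot: Alongside the explicit includes, the hunk drops `capability sys_admin`, `capability sys_chroot`, `ptrace peer=@{profile_name}` and the two `dbus receive bus=system` rules; the single replacement `include` is meant to be the firefox app abstraction, whose target is not visible in this rendering, so whether it carries these rules can only be verified there. If the abstraction does not provide the userns capabilities and the self-ptrace rule, sandboxed content processes would start failing once thunderbird leaves complain mode. A comment next to the include listing the rules it is expected to supply would make that dependency explicit for the next reader. The profile continues in the next hunk.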
@@ -77,104 +33,31 @@ profile thunderbird @{exec_path} { @{bin}/gpgsm rPx, # Desktop integration - @{bin}/lsb_release rPx -> lsb_release, @{open_path} rPx -> child-open, - # Allowed apps to open - @{bin}/engrampa rPx, - @{bin}/geany rPx, - @{bin}/qpdfview rPx, - @{bin}/viewnior rPUx, - @{brave_path} rPx, - @{chrome_path} rPx, - @{firefox_path} rPx, - @{opera_path} rPx, - - /usr/share/@{name}/{,**} r, - /usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/lightning/{,**} r, - /usr/share/mozilla/extensions/{,**} r, - /usr/share/xul-ext/kwallet5/* r, - /etc/@{name}/{,**} r, - /etc/fstab r, - /etc/mailcap r, - /etc/mime.types r, - /etc/timezone r, - /etc/xul-ext/kwallet5.js r, - - owner /var/mail/* rwk, - - owner @{HOME}/ r, - - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/mimeapps.list.* rw, + owner /var/mail/** rwk, owner @{user_mail_dirs}/ rw, owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**, - owner @{config_dirs}/ rw, - owner @{user_config_dirs}/gtk-3.0/assets/* r, - owner @{config_dirs}/*/ rw, - owner @{config_dirs}/*/** rwk, - owner @{config_dirs}/installs.ini rw, - owner @{config_dirs}/profiles.ini rw, + owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, + owner @{user_config_dirs}/ibus/bus/ r, + owner @{user_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, + owner @{user_config_dirs}/kioslaverc r, + owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw, - owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, - - owner @{cache_dirs}/{,**} rw, - - /tmp/ r, - /var/tmp/ r, - owner @{tmp}/@{name}{,_*}/ rw, - owner @{tmp}/@{name}{,_*}/* rwk, - owner @{tmp}/* rw, - owner @{tmp}/mozilla_*/ rw, - owner @{tmp}/mozilla_*/* rw, owner @{tmp}/MozillaMailnews/ rw, owner @{tmp}/MozillaMailnews/*.msf rw, - owner @{tmp}/Temp-@{uuid}/ rw, - - @{run}/mount/utab r, - - @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r, - @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - - @{PROC}/@{pids}/net/arp r, - @{PROC}/@{pids}/net/route r, - owner 
@{PROC}/@{pid}/cgroup r, - owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/environ r, - owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1 - owner @{PROC}/@{pid}/smaps r, - owner @{PROC}/@{pid}/stat r, - owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/ r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - owner @{PROC}/@{pid}/task/@{tid}/stat r, - owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 - - owner /dev/shm/org.chromium.@{rand6} rw, - owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, - owner /dev/shm/wayland.mozilla.ipc.@{int} rw, - - /dev/tty rw, - - # file_inherit - owner /dev/tty@{int} rw, + owner @{tmp}/nsma rw, # Silencer - deny @{HOME}/.mozilla/** mrwkl, - deny @{config_dirs}/*.*/pepmda/ rw, - deny @{config_dirs}/*.*/pepmda/** rwklmx, + deny capability sys_ptrace, deny @{lib_dirs}/** w, - deny /dev/ r, - deny /dev/urandom w, - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, + deny @{lib_dirs}/crashreporter x, + deny @{lib_dirs}/minidump-analyzer x, + deny @{HOME}/.mozilla/** mrwkl, include if exists } diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 5c18c1b28..61d3713ae 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs @@ -62,7 +62,7 @@ # Emails -@{thunderbird_name} = thunderbird{,.sh,-bin} +@{thunderbird_name} = thunderbird{,-bin} @{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name} @{emails_names} = evolution geary From 58783e06cb2fb482c520e36ffbcbe15cf7b1ecbe Mon Sep 17 00:00:00 2001 
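Review bot: `owner /var/mail/* rwk` becomes `owner /var/mail/** rwk`, extending write and lock access from the spool files themselves to anything below `/var/mail/`; with `owner` it stays bounded to the user's own files, but the reason for the recursive form (maildir-style spools?) is worth a comment on the line. `owner @{tmp}/nsma rw` is likewise added without a comment and the name says nothing about what creates it. This hunk starts in the previous line and the profile header is outside it.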
From: Alexandre Pujol Date: Sat, 14 Sep 2024 15:28:18 +0100 Subject: [PATCH 119/315] fix(profile): ufw can't determine iptables version fix #485 --- apparmor.d/profiles-s-z/ufw | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw index 4340f12db..6a9897d91 100644 --- a/apparmor.d/profiles-s-z/ufw +++ b/apparmor.d/profiles-s-z/ufw @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 EricLin +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -9,6 +10,7 @@ include @{exec_path} = @{bin}/ufw profile ufw @{exec_path} { include + include include include @@ -22,16 +24,16 @@ profile ufw @{exec_path} { @{exec_path} mr, @{bin}/ r, + @{bin}/cat ix, @{bin}/env r, @{bin}/python3.@{int} ix, - @{bin}/cat ix, + @{bin}/xtables-legacy-multi ix, @{bin}/xtables-nft-multi ix, - @{lib}/ufw/ufw-init ix, - /etc/ufw/{,**} rwk, - /etc/default/ufw r, + /etc/ufw/ rw, + /etc/ufw/** rwk, owner @{run}/ufw.lock rwk, @@ -40,12 +42,9 @@ profile ufw @{exec_path} { owner @{tmp}/???????? rw, owner @{tmp}/tmp???????? rw, - @{PROC}/@{pid}/stat r, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/ip_tables_names r, - - /dev/pts/[0-9]* rw, - /dev/tty rw, + @{PROC}/@{pid}/stat r, include if exists From 2805ed9dd9706247083b5f1b52ac83eed7fd9e9f Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Sun, 15 Sep 2024 11:30:32 +0800 Subject: [PATCH 120/315] Update profile for linuxqq --- apparmor.d/profiles-g-l/linuxqq | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index dcccd68c8..06811fbd4 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -27,6 +27,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { @{exec_path} mrix, + @{sh_path} r, @{bin}/grep rix, @{lib_dirs}/chrome_crashpad_handler ix, @{lib_dirs}/resources/app/{,**} m, 
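Review bot: The third ufw hunk removes `@{lib}/ufw/ufw-init ix` and the fourth removes `/dev/pts/[0-9]* rw` and `/dev/tty rw`, none of which the commit message (iptables version detection) explains; if ufw still runs `ufw-init` that exec is now denied, and the tty access is presumably covered by the new `include` whose target this rendering does not show. Adding `@{bin}/xtables-legacy-multi ix` is the actual fix and is consistent with the existing `xtables-nft-multi` rule, but with `ix` the iptables binaries run under ufw's own rule set, so the `/etc/ufw/** rwk` grant applies to them as well. A one-line note in the commit body for the removals would help reviewers.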
From 7858cae3300f46269e67d1f0d43fda678251b0d2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Sep 2024 13:36:29 +0100 Subject: [PATCH 121/315] feat(profile): torbrowser: do not give access to user dirs by default. - Remove read-only access to most user dirs. - Remove read-write access to download directories. fix #490 --- apparmor.d/abstractions/app/firefox | 2 -- apparmor.d/groups/browsers/firefox | 2 ++ apparmor.d/groups/browsers/firefox-glxtest | 2 +- apparmor.d/groups/browsers/torbrowser | 4 ++++ apparmor.d/profiles-s-z/thunderbird | 2 ++ 5 files changed, 9 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 89ea1f747..7eb223b09 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -29,8 +29,6 @@ include include include - include - include # userns, diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index 75c3c0f86..ef8bf5842 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -16,6 +16,8 @@ include profile firefox @{exec_path} flags=(attach_disconnected) { include include + include + include signal (send) set=(term, kill) peer=keepassxc-proxy, diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 995f94f8f..02bbb92a6 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -6,7 +6,7 @@ abi , include -@{name} = firefox{,.sh,-esr,-bin} +@{name} = firefox{,-esr,-bin} @{lib_dirs} = @{lib}/@{name} /opt/@{name} @{config_dirs} = @{HOME}/.mozilla/ @{cache_dirs} = @{user_cache_dirs}/mozilla/ diff --git a/apparmor.d/groups/browsers/torbrowser b/apparmor.d/groups/browsers/torbrowser index 6b9b6dbab..c0c4a893e 100644 --- a/apparmor.d/groups/browsers/torbrowser +++ b/apparmor.d/groups/browsers/torbrowser 
@@ -17,6 +17,9 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { include include + # Uncomment if you want to give the Tor Browser access to the common download directory. + # include + @{exec_path} mrix, @{lib_dirs}/abicheck ix, @@ -41,6 +44,7 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { owner "@{tmp}/Tor Project*/**" rwk, # Due to the nature of the browser, we silence much more than for Firefox. + deny capability sys_ptrace, deny network inet dgram, # TOR does not work over UDP deny network inet6 dgram, deny network inet6 stream, # TOR does not work over IPv6 diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 28b0a4836..dbf045333 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -16,6 +16,8 @@ include profile thunderbird @{exec_path} { include include + include + include #aa:dbus own bus=session name=org.mozilla.thunderbird From 516a1fd36d9192c7cb580a6be43f0e52988f87ae Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 17 Sep 2024 12:55:08 +0100 Subject: [PATCH 122/315] fix(profile): multiple minor fixes. fix #493 #480 --- apparmor.d/groups/children/child-pager | 2 ++ apparmor.d/groups/pacman/archlinux-keyring-wkd-sync | 2 +- .../groups/systemd/systemd-generator-user-environment | 2 ++ apparmor.d/groups/systemd/systemd-journald | 1 + apparmor.d/profiles-a-f/auditd | 1 + apparmor.d/profiles-g-l/login | 4 +++- apparmor.d/profiles-m-r/nft | 2 ++ apparmor.d/profiles-m-r/pidof | 1 + apparmor.d/profiles-m-r/resolvconf | 11 +++++++++++ 9 files changed, 24 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index ebaf6724d..45ac2516a 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -37,6 +37,8 @@ profile child-pager { owner @{user_state_dirs}/ r, owner @{user_state_dirs}/lesshs* rw, + /dev/tty@{int} rw, + include if exists } 
diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index 708d2b585..dab6a2edd 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -30,7 +30,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} { /etc/pacman.conf r, /etc/pacman.d/*-mirrorlist r, /etc/pacman.d/gnupg/ rw, - /etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**, + /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**, /etc/pacman.d/mirrorlist r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment index 1abceb364..420ef84a9 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd/systemd-generator-user-environment @@ -12,6 +12,8 @@ profile systemd-generator-user-environment @{exec_path} { include include + capability net_admin, + @{exec_path} mr, @{sh_path} rix, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 3d1fdfa6d..6ac35cb68 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+acpi:* r, @{run}/udev/data/+bluetooth:* r, @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard + @{run}/udev/data/+ieee80211:* r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+mdio_bus:* r, @{run}/udev/data/+pci:* r, diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 4e93a5d22..935a84c69 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd 
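Review bot: `capability net_admin` is granted to systemd-generator-user-environment without a comment, and nothing in the hunk shows which operation of an environment generator needs a capability that allows reconfiguring interfaces and firewall state. If this came from an audit denial that is harmless to refuse, `deny capability net_admin,` as a silencer would be the safer reading; otherwise a why-comment such as `capability net_admin, # TODO: record the generator call that triggers it` should accompany the grant. The same question applies to the `systemctl` child profile added to resolvconf further below. The generator profile body continues outside this hunk.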
@@ -31,6 +31,7 @@ profile auditd @{exec_path} flags=(attach_disconnected) { owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, + @{PROC}/@{pid}/ r, owner @{PROC}/@{pid}/attr/current r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/oom_score_adj rw, diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login index c93553030..41fa293b4 100644 --- a/apparmor.d/profiles-g-l/login +++ b/apparmor.d/profiles-g-l/login @@ -54,13 +54,15 @@ profile login @{exec_path} flags=(attach_disconnected) { /etc/security/pam_env.conf r, /etc/shells r, + /var/lib/faillock/@{user} rwk, /var/log/btmp{,.@{int}} r, owner @{user_cache_dirs}/motd.legal-displayed rw, - @{run}/motd.d/{,*} r, + @{run}/credentials/getty@tty@{int}.service/ r, @{run}/dbus/system_bus_socket rw, @{run}/faillock/@{user} rwk, + @{run}/motd.d/{,*} r, @{run}/motd.dynamic{,.new} rw, @{run}/systemd/sessions/*.ref rw, diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft index 1255ca401..3595bb4c5 100644 --- a/apparmor.d/profiles-m-r/nft +++ b/apparmor.d/profiles-m-r/nft @@ -20,6 +20,8 @@ profile nft @{exec_path} { @{exec_path} mr, + /usr/share/iproute2/{,**} r, + /etc/iproute2/** r, /etc/nftables.conf r, /etc/nftables/{,**} r, diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index e2ea46e57..a294705b0 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pidof profile pidof @{exec_path} { include + include capability sys_ptrace, diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 6dfe82b6e..981af134f 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -22,6 +22,7 @@ profile resolvconf @{exec_path} { @{bin}/rm rix, @{bin}/run-parts rix, @{bin}/sed rix, + @{bin}/systemctl rCx -> systemctl, @{lib}/resolvconf/list-records rix, /usr/lib/resolvconf/{,**} r, 
@@ -35,6 +36,16 @@ profile resolvconf @{exec_path} {
 /dev/tty rw,
+ profile systemctl {
+ include
+ include
+
+ capability net_admin,
+ capability sys_ptrace,
+
+ include if exists
+ }
+
 include if exists
 }
From 6fd05f26af636f3651cee6e3512388906eb852c2 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 17 Sep 2024 12:58:41 +0100
Subject: [PATCH 123/315] feat(login): allow disconnection from login fix #492
---
 apparmor.d/abstractions/base.d/complete | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete
index f0b3efdaf..eef226aec 100644
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@@ -11,6 +11,7 @@
 signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
 signal (receive) set=(cont,term) peer=@{p_systemd_user},
 signal (receive) set=(cont,term) peer=@{p_systemd},
+ signal (receive) set=(hup term) peer=login,
 signal (receive) set=(hup) peer=xinit,
 signal (receive) set=(term,kill) peer=gnome-shell,
 signal (receive) set=(term,kill) peer=gnome-system-monitor,
From 02d8aaee7fa45f9b889c362be458a50a81518f22 Mon Sep 17 00:00:00 2001
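Review bot: The new `systemctl` child profile grants both `capability net_admin` and `capability sys_ptrace` with no comment on which systemctl invocation from resolvconf needs them; `sys_ptrace` in particular lets the child inspect other processes, which a call that reloads a resolver unit should not require (inferred, to be confirmed against the audit log). A why-comment per capability, or a `deny` where the denial is harmless, would keep the child profile from becoming a place where privileges accumulate. The rule `@{bin}/systemctl rCx -> systemctl` that enters this child is in the previous hunk.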
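Review bot: `signal (receive) set=(hup term) peer=login,` separates the signal names with a space while every neighbouring rule in the abstraction uses commas, e.g. `set=(cont,term,kill,stop)`; the parser accepts both, but the new line should read `signal (receive) set=(hup,term) peer=login,` for consistency. Because this lives in the base abstraction, every confined program now accepts HUP and TERM from login, which is the commit's stated intent but is worth a short comment on the line.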
From: Alexandre Pujol Date: Wed, 18 Sep 2024 16:59:44 +0100 Subject: [PATCH 124/315] feat(profile): improve integration with kde see #496 --- apparmor.d/abstractions/common/app | 7 ++- apparmor.d/abstractions/desktop | 3 ++ .../polkit-kde-authentication-agent | 1 + apparmor.d/groups/freedesktop/xdg-dbus-proxy | 1 + apparmor.d/groups/gnome/kgx | 2 + apparmor.d/groups/kde/dolphin | 8 +++- apparmor.d/groups/kde/drkonqi | 7 +++ apparmor.d/groups/kde/kde-powerdevil | 1 + apparmor.d/groups/kde/kioworker | 1 + apparmor.d/groups/kde/konsole | 8 ++++ apparmor.d/groups/kde/kscreenlocker_greet | 1 + apparmor.d/groups/kde/ksplashqml | 1 + apparmor.d/groups/kde/kwin_wayland | 2 + apparmor.d/groups/kde/plasmashell | 4 ++ apparmor.d/groups/kde/systemsettings | 44 ++++++++++++++++--- apparmor.d/groups/kde/xwaylandvideobridge | 2 + apparmor.d/groups/virt/virtnetworkd | 2 +- apparmor.d/groups/virt/virtnodedevd | 5 ++- apparmor.d/groups/virt/virtstoraged | 3 +- apparmor.d/profiles-a-f/aa-enforce | 1 + apparmor.d/profiles-a-f/flatpak-app | 1 + apparmor.d/profiles-g-l/keepassxc | 2 +- apparmor.d/profiles-g-l/libreoffice | 16 ++++++- apparmor.d/profiles-s-z/sudo | 1 + apparmor.d/profiles-s-z/xauth | 1 + 25 files changed, 108 insertions(+), 17 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 2798b5082..777518f3d 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app 
@@ -61,19 +61,24 @@ owner @{user_share_dirs}/** rwkl, owner @{user_games_dirs}/{,**} rm, - owner /var/cache/tmp/** rwk, + owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp rk, + @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/ r, @{sys}/block/ r, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, + @{sys}/bus/pci/slots/ r, + @{sys}/bus/pci/slots/@{int}/address r, @{sys}/class/*/ r, @{sys}/devices/** r, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index befea8bcb..6ba381b05 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -36,10 +36,13 @@ @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, + /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, + owner @{user_config_dirs}/kdedefaults/kcminputrc r, owner @{user_config_dirs}/kdedefaults/kdeglobals r, owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index f8a9700f5..3a04356f5 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -31,6 +31,7 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx, /etc/machine-id r, + /etc/xdg/plasmarc r, /var/lib/dbus/machine-id r, owner @{user_config_dirs}/breezerc r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 51d9fdddb..6e5b5adb0 100644 
--- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -31,6 +31,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, + @{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index e756831f2..b704e580b 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -25,9 +25,11 @@ profile kgx @{exec_path} { @{bin}/@{shells} rUx, # Some CLI program can be launched directly from Gnome Shell + @{bin}/btop rPUx, @{bin}/htop rPx, @{bin}/micro rPUx, @{bin}/nvtop rPx, + @{bin}/nvtop rPx, @{bin}/vim rUx, @{open_path} rPx -> child-open-help, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index b76cff2a0..577cdd085 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -16,6 +16,7 @@ profile dolphin @{exec_path} { include include include + include include include include @@ -28,13 +29,17 @@ profile dolphin @{exec_path} { @{exec_path} mr, @{bin}/ldd rix, + @{bin}/lsb_release rPx -> lsb_release, + @{lib}/{,@{multiarch}/}utempter/utempter rPx, @{thunderbird_path} rPx, + #aa:exec kioworker /usr/share/kf5/kmoretools/{,**} r, /usr/share/kio/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, + /usr/share/misc/termcap r, /etc/fstab r, /etc/machine-id r, 
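Review bot: The kgx hunk adds `@{bin}/nvtop rPx,` directly below an identical existing `@{bin}/nvtop rPx,` line, so the rule is duplicated; the konsole hunk later in this patch pastes the same block and also contains `@{bin}/nvtop rPx,` twice. The duplicate should be dropped in both places, and the second copy would be a good moment to move this CLI-launcher list into a shared abstraction rather than keeping two copies whose comments already differ (`from Gnome Shell` vs `from KDE`). The kgx profile body continues outside this hunk.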
@@ -84,9 +89,10 @@ profile dolphin @{exec_path} { owner @{user_state_dirs}/dolphinstaterc{,.*} rwlk -> @{user_state_dirs}/#@{int}, + @{run}/issue r, @{run}/mount/utab r, - owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/dolphin@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{sys}/bus/ r, @{sys}/bus/*/devices/ r, diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index 602b087bb..78ca6d21b 100644 --- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}drkonqi profile drkonqi @{exec_path} { include + include include network inet stream, @@ -22,11 +23,17 @@ profile drkonqi @{exec_path} { @{exec_path} mr, + @{bin}/lsb_release rPx -> lsb_release, + /usr/share/drkonqi/{,**} r, /usr/share/knotifications{5,6}/*.notifyrc r, + owner @{user_cache_dirs}/drkonqi/ rw, + owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**, owner @{user_cache_dirs}/kcrash-metadata/* w, + owner @{user_config_dirs}/drkonqirc r, + /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index b745dea62..32ad8cd86 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -10,6 +10,7 @@ include @{exec_path} += @{lib}/@{multiarch}/{,libexec/}org_kde_powerdevil profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) { include + include include include include diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 6dd771859..db135515b 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker 
@@ -91,6 +91,7 @@ profile kioworker @{exec_path} { @{run}/mount/utab r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/kio_*.socket rwl -> @{run}/user/@{uid}/#@{int}, + owner @{run}/user/@{uid}/kioworker*.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 359297e42..c6cfa9587 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -30,6 +30,14 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{lib}/libheif/** mr, @{lib}/{,@{multiarch}/}utempter/utempter rPx, + # Some CLI program can be launched directly from KDE + @{bin}/btop rPUx, + @{bin}/htop rPx, + @{bin}/micro rPUx, + @{bin}/nvtop rPx, + @{bin}/nvtop rPx, + @{bin}/vim rUx, + /usr/share/color-schemes/{,**} r, /usr/share/kf6/{,**} r, /usr/share/knotifications{5,6}/konsole.notifyrc r, diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index 0be47a752..74020b468 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -85,6 +85,7 @@ profile kscreenlocker_greet @{exec_path} { owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, owner @{user_config_dirs}/kscreenlockerrc r, + owner @{user_config_dirs}/kscreenlockerrc.lock rwk, owner @{user_config_dirs}/ksmserverrc r, owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/plasmashellrc r, diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 463aec245..97ecd5c22 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -22,6 +22,7 @@ profile ksplashqml @{exec_path} { /usr/share/plasma/** r, /etc/machine-id r, + /etc/xdg/plasmarc r, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksplash/ rw, 
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index c5451f4ae..2393f9201 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -104,6 +104,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_share_dirs}/kscreen/* r, owner @{user_share_dirs}/kwin/scripts/{,**} r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, + @{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 825a28ba0..f3f37b6fd 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -59,6 +59,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /opt/**/share/icons/{,**} r, /opt/*/**/*.desktop r, /opt/*/**/*.png r, + /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, /usr/share/desktop-base/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, @@ -93,6 +94,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{MOUNTS}/ r, @{HOME}/ r, + owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_pictures_dirs}/{,**} r, @@ -186,6 +188,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{run}/mount/utab r, @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/app/*/*.@{rand6} r, owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/kdesud_:@{int} w, owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @@ -205,6 +208,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{sys}/devices/virtual/thermal/thermal_zone@{int}/hwmon@{int}/ r, @{PROC}/ r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, @{PROC}/cmdline r, @{PROC}/diskstats r, 
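Review bot: The new `owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,` in the kwin_wayland hunk gives the compositor read/write access to shared-memory segments created by Chromium-based clients, and nothing nearby explains why a compositor needs another application's IPC memory. A one-line comment such as `# Shared memory of Chromium-based clients; needed for: <reason / triggering client>` would record the cross-application access for the next reader. The `owner` qualifier already scopes the rule to the same uid, which looks like the right limit for a user-session compositor.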
diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index ffcf93783..384c1da8b 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -9,7 +9,10 @@ include @{exec_path} = @{bin}/systemsettings profile systemsettings @{exec_path} { include + include include + include + include include include include @@ -22,7 +25,9 @@ profile systemsettings @{exec_path} { @{exec_path} mr, + @{sh_path} rix, @{bin}/cat rix, + @{bin}/eglinfo rPUx, @{bin}/kcminit rPx, @{bin}/lspci rPx, @{bin}/openssl rix, @@ -38,7 +43,8 @@ profile systemsettings @{exec_path} { /usr/share/kcmkeys/{,*.kksrc} r, /usr/share/kglobalaccel/* r, /usr/share/kinfocenter/{,**} r, - /usr/share/kinfocenter/{,**} r, + /usr/share/knotifications{5,6}/{,**} r, + /usr/share/solid/{,**} r, /usr/share/kpackage/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, @@ -46,9 +52,9 @@ profile systemsettings @{exec_path} { /usr/share/kxmlgui5/systemsettings/systemsettingsui.rc r, /usr/share/plasma/{,**} r, /usr/share/sddm/themes/{,**} r, - /usr/share/sddm/themes/{,**} r, /usr/share/systemsettings/{,**} r, /usr/share/wallpapers/{,**} r, + /usr/share/thumbnailers/{,**} r, /etc/fstab r, /etc/machine-id r, 
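Review bot: The new `@{sh_path} rix,` in the second systemsettings hunk lets a shell run while inheriting the full systemsettings profile, so every read rule this commit adds also applies to whatever that shell executes; a comment naming the settings module that spawns the shell would justify the inherited execution, and `@{bin}/eglinfo rPUx,` deserves the same note since it falls back to unconfined when no eglinfo profile is loaded. In the third hunk, `/usr/share/knotifications{5,6}/{,**} r,` and `/usr/share/solid/{,**} r,` are inserted between `kinfocenter` and `kpackage`, and `/usr/share/thumbnailers/{,**} r,` lands after `wallpapers`, breaking the alphabetical order the surrounding lines keep. Moving them into place is a small style fix that keeps duplicate detection easy — the same kind of duplicates this hunk removes for `kinfocenter` and `sddm/themes`.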
@@ -56,10 +62,19 @@ profile systemsettings @{exec_path} { /etc/xdg/plasmanotifyrc r, /etc/xdg/ui/ui_standards.rc r, /var/lib/dbus/machine-id r, + /etc/xdg/* r, + + /var/cache/cracklib/cracklib_dict.* r, + /var/cache/samba/ rw, + /var/lib/AccountsService/icons/* r, + /var/lib/flatpak/repo/{,**} r, + + owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/kinfocenter/{,**} rwl, + owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, + owner @{user_cache_dirs}/kinfocenter/{,**} rwlk, owner @{user_cache_dirs}/ksvg-elements rw, owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, 
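Review bot: The added `/etc/xdg/* r,` in this systemsettings hunk subsumes the context rule `/etc/xdg/plasmanotifyrc r,` two lines above it and is placed after `/var/lib/dbus/machine-id r,`, splitting the `/etc` rules the file otherwise keeps together; either drop the specific rule and move the glob up next to `/etc/xdg/ui/ui_standards.rc r,`, or keep the explicit file list. `/var/cache/samba/ rw,` grants write on a system-wide cache directory; since only the directory itself is named, `r` is enough to list it, so confirm that creating entries there was actually observed before keeping `w`. The libreoffice hunk at `@@ -59,21 +61,28 @@` adds the same `/etc/xdg/* r,` glob and could carry a short comment on which files under `/etc/xdg` are read.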
@@ -69,22 +84,24 @@ profile systemsettings @{exec_path} { owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, owner @{user_config_dirs}/{P,p}lasma* r, + owner @{user_config_dirs}/*rc r, owner @{user_config_dirs}/#@{int} rw, + owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, + owner @{user_config_dirs}/emaildefaults r, owner @{user_config_dirs}/kactivitymanagerdrc r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, - owner @{user_config_dirs}/khotkeysrc r, owner @{user_config_dirs}/kinfocenterrc* rwlk, - owner @{user_config_dirs}/kscreenlockerrc r, - owner @{user_config_dirs}/kxkbrc r, + owner @{user_config_dirs}/libaccounts-glib/ rw, + owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/plasmarc r, owner @{user_config_dirs}/session/ rw, owner @{user_config_dirs}/session/** rwlk, owner @{user_config_dirs}/systemsettingsrc.lock rwk, owner @{user_config_dirs}/systemsettingsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_share_dirs}/baloo/index r, owner @{user_share_dirs}/kactivitymanagerd/resources/database rwk, owner @{user_share_dirs}/kactivitymanagerd/resources/database-shm rwk, 
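Review bot: The added `owner @{user_config_dirs}/*rc r,` makes the retained `owner @{user_config_dirs}/kactivitymanagerdrc r,` in this hunk redundant, and it grants read on every `*rc` file in the user's config directory — considerably wider than the four explicit rules the hunk removes (`khotkeysrc`, `kscreenlockerrc`, `kxkbrc`, `plasmarc`), including rc files of unrelated applications. If the glob is intentional, drop the now-redundant specific read rule and add a comment like `# systemsettings modules read most KDE *rc files` so the breadth is recorded; otherwise keep the explicit list. The `kinfocenterrc* rwlk` and `systemsettingsrc{,.@{rand6}} rwl` rules are unaffected either way, since they carry write permissions the glob does not.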
@@ -98,12 +115,25 @@ profile systemsettings @{exec_path} { owner @{user_share_dirs}/systemsettings/** rwlk, owner @{user_share_dirs}/wallpapers/{,**} r, + owner @{run}/user/@{uid}/#@{int} rw, + + @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs + @{sys}/bus/ r, + @{sys}/bus/acpi/devices/ r, @{sys}/bus/cpu/devices/ r, @{sys}/class/ r, + @{sys}/firmware/acpi/pm_profile r, + @{PROC}/interrupts r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + /dev/ r, + /dev/bus/usb/ r, + /dev/input/ r, + /dev/rfkill r, /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge index 0f6aeb48a..f5139eb13 100644 --- a/apparmor.d/groups/kde/xwaylandvideobridge +++ b/apparmor.d/groups/kde/xwaylandvideobridge @@ -20,6 +20,8 @@ profile xwaylandvideobridge @{exec_path} { owner @{user_cache_dirs}/xwaylandvideobridge/ rw, owner @{user_cache_dirs}/xwaylandvideobridge/** rwk, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, + include if exists } diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index fa4e0a5d5..5be9abb71 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -20,7 +20,7 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { @{bin}/dnsmasq rPx, - /etc/libvirt/libvirt.conf r, + /etc/libvirt/*.conf r, owner /var/lib/libvirt/dnsmasq/*.macs* rw, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index 38f84a8eb..7e2c76c92 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd @@ -29,8 +29,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { /usr/share/hwdata/*.ids r, /usr/share/pci.ids r, - /etc/libvirt/libvirt.conf r, - /etc/libvirt/virtnodedevd.conf r, + /etc/libvirt/*.conf r, /etc/mdevctl.d/{,**} r, @{run}/systemd/inhibit/@{int}.ref rw, 
@@ -64,6 +63,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c90:@{int} r, # For RAM, ROM, Flash + @{run}/udev/data/c99:@{int} r, # For raw parallel ports /dev/parport* @{run}/udev/data/c116:@{int} r, # For ALSA @{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c203:@{int} r, # CPU CPUID information @@ -90,6 +90,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/mtrr w, + owner @{PROC}/uptime r, include if exists } diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 7130edfa6..3ef20199d 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -25,8 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { @{bin}/qemu-system* rUx, # TODO: Integration with virt-aa-helper @{bin}/qemu-img rUx, # TODO: Integration with virt-aa-helper - /etc/libvirt/**/ r, - /etc/libvirt/libvirt.conf r, + /etc/libvirt/{,**} r, # For disk images @{MOUNTS}/ r, diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 71823cb4c..30c03508a 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -25,6 +25,7 @@ profile aa-enforce @{exec_path} { /etc/apparmor.d/{,**} rw, @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw, owner /var/lib/snapd/apparmor/{,**} rw, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 58d4713bd..8f3a15fc6 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app 
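Review bot: `/etc/libvirt/{,**} r,` in the virtstoraged hunk widens the previous directory-only `/etc/libvirt/**/ r,` plus `libvirt.conf` into read access on every file under `/etc/libvirt`, while the virtnetworkd and virtnodedevd hunks in this same commit settle on the narrower `/etc/libvirt/*.conf r,`. That directory holds more than daemon configuration — libvirt's secret driver keeps its private secret values in a subdirectory there — so a read-everything glob lets the storage daemon read material that is meant to stay with the secret daemon. Using `/etc/libvirt/*.conf r,` and, if directory listing is still needed, keeping `/etc/libvirt/**/ r,` would match the sibling profiles and keep the secrets out of scope.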
@@ -57,6 +57,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/*/**/@{bin}/** rmix, /var/lib/flatpak/app/*/**/@{lib}/** rmix, + @{run}/flatpak/app/*/**so* rm, @{run}/parent/@{bin}/** rmix, @{run}/parent/@{lib}/** rmix, @{run}/parent/app/** rmix, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 4315fb6e5..0e236f945 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -58,7 +58,7 @@ profile keepassxc @{exec_path} { owner @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/chromium/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, owner @{user_config_dirs}/google-chrome{,-beta,-unstable}/NativeMessagingHosts/org.keepassxc.keepassxc_browser.json rw, - owner @{user_config_dirs}/{,kdedefaults/}kdeglobals r, + owner @{user_config_dirs}/keepassxcrc r, # Database locations owner @{user_cache_dirs}/keepassxc/ rw, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 4b9812c55..60ea019aa 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -12,12 +12,14 @@ profile libreoffice @{exec_path} { include include include + include include include include include include include + include include include include 
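Review bot: The glob in the added `@{run}/flatpak/app/*/**so* rm,` is looser than it looks: `**` crosses directory separators and `so*` is not anchored to an extension, so it matches any file whose last path component merely contains `so` (a `resources` file, for example) at any depth, and it hands out `m` (executable mapping) on all of them. If the intent is shared libraries, `@{run}/flatpak/app/*/**.so* rm,` matches `.so` and versioned `.so.N` names without the accidental over-match. A short comment on why libraries are mapped from `@{run}/flatpak/app` rather than `/var/lib/flatpak/app` (already covered two lines above) would also help the next reader.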
@@ -59,21 +61,28 @@ profile libreoffice @{exec_path} { @{lib}/libreoffice/share/extensions/{,**/}__pycache__/ w, /usr/share/hyphen/{,**} r, + /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/libexttextcat/{,**} r, /usr/share/liblangtag/{,**} r, /usr/share/libreoffice/{,**} r, /usr/share/mythes/{,**} r, + /usr/share/thumbnailers/{,**} r, /etc/java-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/paperspecs r, + /etc/xdg/* r, owner @{user_cache_dirs}/libreoffice/{,**} rw, owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, + owner @{user_config_dirs}/soffice.*.lock rwk, + owner @{user_config_dirs}/trashrc r, + owner @{user_config_dirs}/plasma_workspace.notifyrc r, + owner @{user_config_dirs}/kservicemenurc r, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/kcminputrc r, + owner @{user_share_dirs}/#@{int} rw, + owner @{user_share_dirs}/user-places.xbel r, owner @{tmp}/ r, owner @{tmp}/@{rand6} rwk, @@ -83,6 +92,8 @@ profile libreoffice @{exec_path} { owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{int} rwk, + owner @{run}/user/@{uid}/#@{int} rw, + @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, @{sys}/kernel/mm/hugepages/ r, @@ -95,6 +106,7 @@ profile libreoffice @{exec_path} { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/coredump_filter rw, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 6f4e290d6..6f01bc8f0 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo @@ -46,6 +46,7 @@ profile sudo @{exec_path} flags=(attach_disconnected) { @{run}/ r, @{run}/systemd/sessions/* r, + @{run}/systemd/sessions/?@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index ad57f8615..c5e741b8f 100644 
--- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -36,6 +36,7 @@ profile xauth @{exec_path} { owner @{tmp}/xauth_@{rand6} r, owner @{tmp}/xauth_@{rand6}-c w, owner @{tmp}/xauth_@{rand6}-l wl, + owner @{tmp}/xauth.@{rand10}-c w, owner @{run}/user/@{uid}/xauth_@{rand6} rw, owner @{run}/user/@{uid}/xauth_@{rand6}-c w, From 619aa709f1040e96a6212df5fc66b2b44428e1f8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 18 Sep 2024 17:06:04 +0100 Subject: [PATCH 125/315] feat(abs): add iceauth to X-strict. --- apparmor.d/abstractions/X-strict | 1 + apparmor.d/abstractions/app/firefox | 1 - apparmor.d/groups/akonadi/akonadi_control | 2 -- apparmor.d/groups/freedesktop/polkit-kde-authentication-agent | 2 -- apparmor.d/groups/freedesktop/pulseaudio | 1 - apparmor.d/groups/kde/DiscoverNotifier | 2 -- apparmor.d/groups/kde/gmenudbusmenuproxy | 2 -- apparmor.d/groups/kde/kalendarac | 2 -- apparmor.d/groups/kde/konsole | 2 -- apparmor.d/groups/kde/kwalletd | 2 -- apparmor.d/groups/kde/okular | 1 - apparmor.d/groups/kde/plasmashell | 1 - apparmor.d/groups/kde/xembedsniproxy | 2 -- apparmor.d/groups/kde/xwaylandvideobridge | 2 -- 14 files changed, 1 insertion(+), 22 deletions(-) diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 0998bbb44..6a29d1764 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -24,6 +24,7 @@ owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, # Xwayland owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r, + owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/ICEauthority r, owner @{run}/user/@{uid}/X11/Xauthority r, owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 7eb223b09..55ff461aa 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox 
@@ -105,7 +105,6 @@ owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, @{run}/mount/utab r, diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control index f21b968d2..f3b9a0811 100644 --- a/apparmor.d/groups/akonadi/akonadi_control +++ b/apparmor.d/groups/akonadi/akonadi_control @@ -30,8 +30,6 @@ profile akonadi_control @{exec_path} { owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, owner @{user_share_dirs}/akonadi/{,**} rwl, - - owner @{run}/user/@{uid}/iceauth_@{rand6} r, /dev/tty r, diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent index 3a04356f5..821468193 100644 --- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent +++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent @@ -47,8 +47,6 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected, owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int}, # owner /tmp/xauth_@{rand6} r, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, - /dev/shm/#@{int} rw, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index 029d7d4ad..e4a563755 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio @@ -93,7 +93,6 @@ profile pulseaudio @{exec_path} { owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin r, owner @{run}/user/@{uid}/ rw, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/pulse/ rw, owner @{run}/user/@{uid}/pulse/** rwk, owner @{run}/user/@{uid}/systemd/notify rw, diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 227f4e062..8c0fc8d20 100644 
--- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -59,8 +59,6 @@ profile DiscoverNotifier @{exec_path} { owner @{tmp}/ostree-gpg-@{rand6}/pubring.gpg rw, owner @{tmp}/ostree-gpg-@{rand6}/trustdb.gpg rw, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, - /dev/tty r, profile gpg { diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index d1e48f849..c1a63931e 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -25,8 +25,6 @@ profile gmenudbusmenuproxy @{exec_path} { owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini{,.@{rand6}} rwl, owner @{user_config_dirs}/gtk-{2,3}.0/settings.ini.lock rwk, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, - include if exists } diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index 471812c7c..e6a57f985 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -36,8 +36,6 @@ profile kalendarac @{exec_path} { owner @{user_config_dirs}/kalendaracrc.lock rwk, owner @{user_config_dirs}/kmail2rc r, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, - /dev/tty r, include if exists diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index c6cfa9587..28b5d2650 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole @@ -80,8 +80,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/#@{int} rw, owner @{tmp}/konsole.@{rand6} rw, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, - @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 2b2545b33..5005dde31 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd 
@@ -43,8 +43,6 @@ profile kwalletd @{exec_path} { owner @{tmp}/kwalletd5.* rw, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, - owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 775491bdd..40f9de33e 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -89,7 +89,6 @@ profile okular @{exec_path} { owner @{tmp}/messageviewer_attachment_@{rand6}/{,*} r, # files opened from KMail as mail attachment, owner @{run}/user/@{uid}/#@{int} rw, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/okular@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index f3f37b6fd..e583c26bc 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -189,7 +189,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { @{run}/user/@{uid}/gvfs/ r, owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/app/*/*.@{rand6} r, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, owner @{run}/user/@{uid}/kdesud_:@{int} w, owner @{run}/user/@{uid}/plasmashell@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index 57e32b960..a4474a64a 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -20,8 +20,6 @@ profile xembedsniproxy @{exec_path} { owner @{tmp}/xauth_@{rand6} r, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, - @{run}/user/@{uid}/xauth_@{rand6} rl, include if exists diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge index f5139eb13..0f6aeb48a 100644 --- a/apparmor.d/groups/kde/xwaylandvideobridge +++ b/apparmor.d/groups/kde/xwaylandvideobridge 
@@ -20,8 +20,6 @@ profile xwaylandvideobridge @{exec_path} { owner @{user_cache_dirs}/xwaylandvideobridge/ rw, owner @{user_cache_dirs}/xwaylandvideobridge/** rwk, - owner @{run}/user/@{uid}/iceauth_@{rand6} r, - include if exists } From cc139f1144699adee366f4a3dddc3f4c29f0f00d Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 18 Sep 2024 18:01:16 +0100 Subject: [PATCH 126/315] feat(abs): update kde abs with common access. --- apparmor.d/abstractions/app/chromium | 3 -- apparmor.d/abstractions/desktop | 15 ++++++- apparmor.d/abstractions/gnome-strict | 2 + apparmor.d/abstractions/kde-strict | 13 +++++- .../groups/akonadi/akonadi_akonotes_resource | 2 - .../groups/akonadi/akonadi_archivemail_agent | 2 - .../groups/akonadi/akonadi_birthdays_resource | 2 - .../groups/akonadi/akonadi_contacts_resource | 2 - apparmor.d/groups/akonadi/akonadi_control | 1 - .../akonadi/akonadi_followupreminder_agent | 2 - .../groups/akonadi/akonadi_ical_resource | 1 - .../groups/akonadi/akonadi_indexing_agent | 2 - .../groups/akonadi/akonadi_maildir_resource | 2 - .../akonadi/akonadi_maildispatcher_agent | 3 -- .../groups/akonadi/akonadi_mailfilter_agent | 2 - .../groups/akonadi/akonadi_mailmerge_agent | 2 - .../groups/akonadi/akonadi_migration_agent | 2 - .../akonadi/akonadi_newmailnotifier_agent | 3 -- apparmor.d/groups/akonadi/akonadi_notes_agent | 2 - .../groups/akonadi/akonadi_sendlater_agent | 2 - .../akonadi/akonadi_unifiedmailbox_agent | 2 - .../groups/browsers/firefox-kmozillahelper | 11 ----- .../display-manager/lightdm-gtk-greeter | 1 - .../polkit-kde-authentication-agent | 1 - .../groups/freedesktop/xdg-desktop-portal-kde | 4 -- apparmor.d/groups/gnome/gjs-console | 1 - apparmor.d/groups/gnome/gnome-boxes | 1 - apparmor.d/groups/gnome/gnome-characters | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-extensions-app | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/gnome/gnome-terminal-server | 2 - apparmor.d/groups/gnome/nautilus | 1 - apparmor.d/groups/gnome/tracker-extract | 1 - apparmor.d/groups/gnome/tracker-miner | 1 - apparmor.d/groups/kde/DiscoverNotifier | 2 - apparmor.d/groups/kde/baloo | 2 - apparmor.d/groups/kde/baloorunner | 6 --- apparmor.d/groups/kde/drkonqi | 1 - apparmor.d/groups/kde/kaccess | 2 - 
apparmor.d/groups/kde/kactivitymanagerd | 5 --- apparmor.d/groups/kde/kalendarac | 3 -- apparmor.d/groups/kde/kbuildsycoca | 3 -- apparmor.d/groups/kde/kconf_update | 40 ++----------------- apparmor.d/groups/kde/kde-powerdevil | 2 - .../groups/kde/kde-systemd-start-condition | 5 +-- apparmor.d/groups/kde/kded | 8 ---- apparmor.d/groups/kde/kglobalacceld | 2 - apparmor.d/groups/kde/kiod | 2 - apparmor.d/groups/kde/kioworker | 2 - apparmor.d/groups/kde/konsole | 5 --- apparmor.d/groups/kde/kscreenlocker_greet | 1 - apparmor.d/groups/kde/ksmserver | 4 -- .../groups/kde/ksmserver-logout-greeter | 1 - apparmor.d/groups/kde/ksplashqml | 1 - apparmor.d/groups/kde/kwalletd | 2 - apparmor.d/groups/kde/kwalletmanager | 1 - apparmor.d/groups/kde/kwin_wayland | 7 ---- apparmor.d/groups/kde/kwin_x11 | 2 - apparmor.d/groups/kde/okular | 5 --- .../kde/plasma-browser-integration-host | 3 -- apparmor.d/groups/kde/plasma-discover | 2 - apparmor.d/groups/kde/plasma_session | 4 -- apparmor.d/groups/kde/plasmashell | 9 +---- apparmor.d/groups/kde/sddm | 1 - apparmor.d/groups/kde/sddm-greeter | 2 - apparmor.d/groups/kde/startplasma | 3 -- apparmor.d/groups/kde/systemsettings | 4 -- apparmor.d/profiles-g-l/keepassxc | 1 - apparmor.d/profiles-g-l/libreoffice | 2 - apparmor.d/profiles-m-r/pinentry-qt | 3 -- apparmor.d/profiles-m-r/psi | 2 - apparmor.d/profiles-m-r/psi-plus | 2 - apparmor.d/profiles-m-r/qbittorrent | 2 - apparmor.d/profiles-m-r/qt5ct | 3 -- apparmor.d/profiles-s-z/smplayer | 2 - apparmor.d/profiles-s-z/virt-manager | 1 - apparmor.d/profiles-s-z/vlc | 1 - 78 files changed, 32 insertions(+), 224 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 0066e5eec..3fa7005a6 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium 
@@ -129,7 +129,6 @@ owner @{user_config_dirs}/gtk-3.0/servers r, owner @{user_share_dirs}/.@{domain}.@{rand6} rw, owner @{user_cache_dirs}/gtk-3.0/**/*.cache r, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{config_dirs}/ rw, owner @{config_dirs}/** rwk, @@ -137,8 +136,6 @@ owner @{cache_dirs}/{,**} rw, - owner @{user_config_dirs}/kcminputrc r, - owner @{user_config_dirs}/kdedefaults/kcminputrc r, owner @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/menus/applications-merged/ r, owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 6ba381b05..50244b3a7 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -22,13 +22,13 @@ peer=(name=:*, label=gnome-shell), /usr/{local/,}share/ r, - /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r, + /usr/{local/,}share/glib-@{version}/schemas/** r, /usr/{local/,}share/gvfs/remote-volume-monitors/{,*} r, /etc/gnome/* r, /etc/xdg/{,*-}mimeapps.list r, - /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, + /var/cache/gio-@{version}/gnome-mimeapps.list r, # else if @{DE} == kde @@ -36,10 +36,19 @@ @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, + /usr/share/knotifications{5,6}/*.notifyrc r, + + /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk, + + owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, owner @{user_config_dirs}/kdedefaults/kcminputrc r, @@ -47,6 +56,7 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/trashrc r, # else if @{DE} == xfce 
@@ -57,6 +67,7 @@ # end + /usr/share/desktop-base/{,**} r, /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index e9a06e8aa..74df87344 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -13,6 +13,8 @@ member=Introspect peer=(name=:*, label=gnome-shell), + /usr/share/desktop-base/{,**} r, + /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, /usr/{local/,}share/ r, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index c164bd434..f31a38617 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -12,10 +12,12 @@ @{lib}/kde{,3,4}/plugins/*/ r, @{lib}/kde{,3,4}/plugins/*/*.so mr, - /usr/share/hwdata/pnp.ids r, + /usr/share/desktop-base/{,**} r, + /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - /usr/share/desktop-base/kf{5,6}-settings/kdeglobals r, + /usr/share/knotifications{5,6}/*.notifyrc r, + /etc/xdg/baloofilerc r, /etc/xdg/kcminputrc r, /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, @@ -25,6 +27,12 @@ owner @{user_config_dirs}/ rw, owner @{user_share_dirs}/ rw, + owner @{user_cache_dirs}/#@{int} rw, + owner @{user_cache_dirs}/icon-cache.kcache rw, + owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk, + + owner @{user_config_dirs}/baloofilerc r, + owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ r, owner @{user_config_dirs}/kdedefaults/kcminputrc r, @@ -32,6 +40,7 @@ owner @{user_config_dirs}/kdedefaults/kwinrc r, owner @{user_config_dirs}/kdeglobals r, owner @{user_config_dirs}/kwinrc r, + owner @{user_config_dirs}/trashrc r, include if exists diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource index 086c29a40..0d9822088 100644 --- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource 
+++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource @@ -15,8 +15,6 @@ profile akonadi_akonotes_resource @{exec_path} { @{exec_path} mr, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_akonotes_resource_[0-9]rc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent index aea424deb..13d45c38a 100644 --- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent +++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent @@ -19,8 +19,6 @@ profile akonadi_archivemail_agent @{exec_path} { /etc/machine-id r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/akonadi_archivemail_agentrc r, owner @{user_config_dirs}/akonadi/ rw, diff --git a/apparmor.d/groups/akonadi/akonadi_birthdays_resource b/apparmor.d/groups/akonadi/akonadi_birthdays_resource index 70ff765b3..8fb383054 100644 --- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource +++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource @@ -17,8 +17,6 @@ profile akonadi_birthdays_resource @{exec_path} { /usr/share/akonadi/plugins/{,**} r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_config_dirs}/akonadi_birthdays_resourcerc r, owner @{user_config_dirs}/akonadi/ rw, owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**, diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource index c90d09a4a..733e4a85b 100644 --- a/apparmor.d/groups/akonadi/akonadi_contacts_resource +++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource 
@@ -17,8 +17,6 @@ profile akonadi_contacts_resource @{exec_path} {
   /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/akonadi_contacts_resource_[0-9]rc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control
index f3b9a0811..eba2bb4d9 100644
--- a/apparmor.d/groups/akonadi/akonadi_control
+++ b/apparmor.d/groups/akonadi/akonadi_control
@@ -22,7 +22,6 @@ profile akonadi_control @{exec_path} {
   /etc/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_cache_dirs}/akonadi/{,**} rwl,
   owner @{user_config_dirs}/akonadi/ rw,
diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
index 9af94de78..ba3b0227c 100644
--- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
+++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
@@ -19,8 +19,6 @@ profile akonadi_followupreminder_agent @{exec_path} {
   @{exec_path} mr,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/akonadi_followupreminder_agentrc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource
index d8d87dcfb..5689a2d88 100644
--- a/apparmor.d/groups/akonadi/akonadi_ical_resource
+++ b/apparmor.d/groups/akonadi/akonadi_ical_resource
@@ -16,7 +16,6 @@ profile akonadi_ical_resource @{exec_path} {
   @{exec_path} mr,
   owner @{user_cache_dirs}/akonadi_ical_resource_[0-9]/{,*} rwl,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_config_dirs}/akonadi_ical_resource_[0-9]rc rwl,
   owner @{user_config_dirs}/akonadi/ rw,
diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent
index e2e60c67f..1f5096a82 100644
--- a/apparmor.d/groups/akonadi/akonadi_indexing_agent
+++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent
@@ -22,8 +22,6 @@ profile akonadi_indexing_agent @{exec_path} {
   /etc/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/akonadi_indexing_agentrc rw,
   owner @{user_config_dirs}/akonadi_indexing_agentrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource
index 7340d58a2..905fe7d68 100644
--- a/apparmor.d/groups/akonadi/akonadi_maildir_resource
+++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource
@@ -19,8 +19,6 @@ profile akonadi_maildir_resource @{exec_path} {
   owner @{user_mail_dirs}/{,**} rw,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/akonadi_maildir_resource_[0-9]rc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
index e81a1c3e9..24b2dd695 100644
--- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
+++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
@@ -24,12 +24,9 @@ profile akonadi_maildispatcher_agent @{exec_path} {
   @{exec_path} mr,
   /usr/share/akonadi/plugins/{,**} r,
-  /usr/share/knotifications{5,6}/akonadi_maildispatcher_agent.notifyrc r,
   /etc/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/akonadi_maildispatcher_agent.notifyrc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
index 03fb464a4..9ca03ba33 100644
--- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
@@ -22,8 +22,6 @@ profile akonadi_mailfilter_agent @{exec_path} {
   /etc/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/agent_config_akonadi_mailfilter_agent r,
   owner @{user_config_dirs}/akonadi_*_resource_*rc r,
diff --git a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent
index f10a8ea13..b6c8a34e0 100644
--- a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent
@@ -20,8 +20,6 @@ profile akonadi_mailmerge_agent @{exec_path} {
   @{exec_path} mr,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent
index 7200357f0..63e83d214 100644
--- a/apparmor.d/groups/akonadi/akonadi_migration_agent
+++ b/apparmor.d/groups/akonadi/akonadi_migration_agent
@@ -15,8 +15,6 @@ profile akonadi_migration_agent @{exec_path} {
   @{exec_path} mr,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/akonadi-migrationrc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
index cb98b328a..b9e8debb2 100644
--- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
+++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
@@ -16,12 +16,9 @@ profile akonadi_newmailnotifier_agent @{exec_path} {
   @{exec_path} mr,
   /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
-  /usr/share/knotifications{5,6}/akonadi_newmailnotifier_agent.notifyrc r,
   /etc/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/akonadi_newmailnotifier_agentrc r,
   owner @{user_config_dirs}/akonadi/ rw,
diff --git a/apparmor.d/groups/akonadi/akonadi_notes_agent b/apparmor.d/groups/akonadi/akonadi_notes_agent
index 791f90d06..97a3e8067 100644
--- a/apparmor.d/groups/akonadi/akonadi_notes_agent
+++ b/apparmor.d/groups/akonadi/akonadi_notes_agent
@@ -20,8 +20,6 @@ profile akonadi_notes_agent @{exec_path} {
   @{exec_path} mr,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/akonadi_*_agentrc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_sendlater_agent b/apparmor.d/groups/akonadi/akonadi_sendlater_agent
index 6062b4857..157d963fb 100644
--- a/apparmor.d/groups/akonadi/akonadi_sendlater_agent
+++ b/apparmor.d/groups/akonadi/akonadi_sendlater_agent
@@ -20,8 +20,6 @@ profile akonadi_sendlater_agent @{exec_path} {
   @{exec_path} mr,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/akonadi_sendlater_agentrc r,
   owner @{user_config_dirs}/akonadi/ rw,
   owner @{user_config_dirs}/akonadi/** rwlk -> @{user_config_dirs}/akonadi/**,
diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
index d8af9fa47..5a623c860 100644
--- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
+++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
@@ -15,8 +15,6 @@ profile akonadi_unifiedmailbox_agent @{exec_path} {
   @{exec_path} mr,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner "@{user_config_dirs}/Unknown Organization/akonadi_unifiedmailbox_agent.conf_changes.dat" r, # see https://bugs.kde.org/show_bug.cgi?id=452565
   owner @{user_config_dirs}/akonadi_unifiedmailbox_agentrc r,
   owner @{user_config_dirs}/akonadi/ rw,
diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper
index d7162578b..2ad6e2263 100644
--- a/apparmor.d/groups/browsers/firefox-kmozillahelper
+++ b/apparmor.d/groups/browsers/firefox-kmozillahelper
@@ -25,27 +25,16 @@ profile firefox-kmozillahelper @{exec_path} {
   @{lib}/libheif/ r,
   @{lib}/libheif/*.so* rm,
-  /usr/share/hwdata/*.ids r,
-  /usr/share/icu/@{int}.@{int}/*.dat r,
-  /usr/share/knotifications{5,6}/*.notifyrc r,
   /usr/share/kservices{5,6}/{,**} r,
-  /etc/xdg/kdeglobals r,
-  /etc/xdg/kwinrc r,
   /etc/xdg/menus/ r,
   /etc/xdg/menus/applications-merged/ r,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_cache_dirs}/ksycoca{5,6}_* r,
-
-  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
-  owner @{user_config_dirs}/kdedefaults/kwinrc r,
   owner @{user_config_dirs}/kmozillahelperrc r,
   owner @{user_config_dirs}/kmozillahelperrc.@{rand6} rwl,
-  owner @{user_config_dirs}/kwinrc r,
   owner @{user_config_dirs}/menus/ r,
   owner @{user_config_dirs}/menus/applications-merged/ r,
diff --git a/apparmor.d/groups/display-manager/lightdm-gtk-greeter b/apparmor.d/groups/display-manager/lightdm-gtk-greeter
index 60fab17a2..8cc278fc7 100644
--- a/apparmor.d/groups/display-manager/lightdm-gtk-greeter
+++ b/apparmor.d/groups/display-manager/lightdm-gtk-greeter
@@ -25,7 +25,6 @@ profile lightdm-gtk-greeter @{exec_path} {
   @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
   /usr/share/backgrounds/xfce/{,**} r,
-  /usr/share/desktop-base/{,**} r,
   /usr/share/lightdm/{,**} r,
   /usr/share/wayland-sessions/{,*.desktop} r,
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index 821468193..e67ccbf6a 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -37,7 +37,6 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected,
   owner @{user_config_dirs}/breezerc r,
   owner @{user_config_dirs}/kdedefaults/plasmarc r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/ rw,
   owner @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** rwk,
   owner link @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/** -> @{user_cache_dirs}/polkit-kde-authentication-agent-@{int}/**,
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
index 3b6fa1112..ae2691cb0 100644
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde
@@ -27,10 +27,6 @@ profile xdg-desktop-portal-kde @{exec_path} {
   owner @{desktop_config_dirs}/user-dirs.dirs r,
-  owner @{user_cache_dirs}/*.kcache r,
-
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/autostart/org.kde.*.desktop r,
   owner @{user_config_dirs}/breezerc r,
   owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk,
diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console
index cf1ace48c..d84a3378f 100644
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@@ -60,7 +60,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter-dconf-defaults r,
   /usr/share/gnome-shell/{,**} r,
-  /usr/share/icu/@{int}.@{int}/*.dat r,
   /tmp/ r,
   /var/tmp/ r,
diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes
index 9d82ad369..46007489e 100644
--- a/apparmor.d/groups/gnome/gnome-boxes
+++ b/apparmor.d/groups/gnome/gnome-boxes
@@ -37,7 +37,6 @@ profile gnome-boxes @{exec_path} {
   /usr/share/osinfo/{,**} r,
   /usr/share/gnome-boxes/{,**} r,
-  /usr/share/hwdata/*.ids r,
   /etc/qemu/bridge.conf r,
diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters
index 1d3285292..457bcfea2 100644
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@@ -23,7 +23,6 @@ profile gnome-characters @{exec_path} {
   @{open_path} rPx -> child-open-help,
-  /usr/share/icu/@{int}.@{int}/*.dat r,
   /usr/share/org.gnome.Characters/{,**} r,
   owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center
index 1f3bb42d8..535454199 100644
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@@ -78,7 +78,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /snap/*/@{int}/**.png r,
   /usr/share/backgrounds/{,**} r,
   /usr/share/cups/data/testprint r,
-  /usr/share/desktop-base/**.{xml,png,svg} r,
   /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
   /usr/share/gnome-background-properties/{,**} r,
   /usr/share/gnome-bluetooth{-*,}/{,**} r,
diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app
index ffa771be4..1b110f6e3 100644
--- a/apparmor.d/groups/gnome/gnome-extensions-app
+++ b/apparmor.d/groups/gnome/gnome-extensions-app
@@ -18,7 +18,6 @@ profile gnome-extensions-app @{exec_path} {
   @{bin}/gjs-console rix,
   /usr/share/gnome-shell/org.gnome.Extensions* r,
-  /usr/share/icu/@{int}.@{int}/*.dat r,
   /usr/share/terminfo/** r,
   owner @{PROC}/@{pid}/mounts r,
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell
index d4ce1c504..87cc77d0e 100644
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@@ -200,7 +200,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   /usr/share/backgrounds/{,**} r,
   /usr/share/byobu/desktop/byobu* r,
   /usr/share/dconf/profile/gdm r,
-  /usr/share/desktop-base/** r,
   /usr/share/desktop-directories/{,*.directory} r,
   /usr/share/gdm/BuiltInSessions/{,*.desktop} r,
   /usr/share/gdm/greeter-dconf-defaults r,
diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server
index db128da15..c5b1ec821 100644
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@@ -48,8 +48,6 @@ profile gnome-terminal-server @{exec_path} {
   @{open_path} rPx -> child-open,
-  /usr/share/icu/@{int}.@{int}/*.dat r,
-
   /etc/shells r,
   owner @{user_config_dirs}/*xdg-terminals.list* rw,
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index f00b8d10f..3e597c156 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -66,7 +66,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   @{open_path} rPx -> child-open,
-  /usr/share/icu/@{int}.@{int}/*.dat r,
   /usr/share/nautilus/{,**} r,
   /usr/share/poppler/{,**} r,
   /usr/share/sounds/freedesktop/stereo/*.oga r,
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 858d216ac..7752d9dd3 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -39,7 +39,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter/applications/*.desktop r,
-  /usr/share/hwdata/*.ids r,
   /usr/share/ladspa/rdf/{,**} r,
   /usr/share/osinfo/{,**} r,
   /usr/share/poppler/{,**} r,
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index 9ebdd9fe8..f54f05731 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -47,7 +47,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
   /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r,
-  /usr/share/hwdata/*.ids r,
   /usr/share/ladspa/rdf/{,**} r,
   /usr/share/osinfo/{,**} r,
   /usr/share/poppler/{,**} r,
diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier
index 8c0fc8d20..5f293a9e1 100644
--- a/apparmor.d/groups/kde/DiscoverNotifier
+++ b/apparmor.d/groups/kde/DiscoverNotifier
@@ -31,7 +31,6 @@ profile DiscoverNotifier @{exec_path} {
   @{bin}/gpgconf rCx -> gpg,
   @{bin}/gpgsm rCx -> gpg,
-  /usr/share/knotifications{5,6}/{,**} r,
   /usr/share/metainfo/{,**} r,
   /etc/machine-id r,
@@ -45,7 +44,6 @@ profile DiscoverNotifier @{exec_path} {
   owner @{user_cache_dirs}/appstream/ r,
   owner @{user_cache_dirs}/appstream/** rw,
   owner @{user_cache_dirs}/flatpak/{,**} rw,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_config_dirs}/@{int} rw,
   owner @{user_config_dirs}/breezerc r,
diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo
index 780348692..0b1ee4fa4 100644
--- a/apparmor.d/groups/kde/baloo
+++ b/apparmor.d/groups/kde/baloo
@@ -25,11 +25,9 @@ profile baloo @{exec_path} {
   @{lib}/{,kf6/}baloo_file_extractor rix,
   /usr/share/poppler/{,**} r,
-  /usr/share/desktop-base/kf5-settings/baloofilerc r,
   /etc/fstab r,
   /etc/machine-id r,
-  /etc/xdg/baloofilerc r,
   # Allow to search user files
   owner @{HOME}/{,**} r,
diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner
index 7faa752d6..894c2cb7b 100644
--- a/apparmor.d/groups/kde/baloorunner
+++ b/apparmor.d/groups/kde/baloorunner
@@ -19,17 +19,11 @@ profile baloorunner @{exec_path} {
   @{bin}/* rPx,
-  /etc/xdg/baloofilerc r,
-
   # Allow to search user files
   owner @{HOME}/{,**} r,
   owner @{MOUNTS}/{,**} r,
   owner @{tmp}/*/{,**} r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
-  owner @{user_config_dirs}/baloofilerc r,
-
   owner @{user_share_dirs}/baloo/{,**} rwk,
   /tmp/ r,
diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi
index 78ca6d21b..d096c9ba8 100644
--- a/apparmor.d/groups/kde/drkonqi
+++ b/apparmor.d/groups/kde/drkonqi
@@ -26,7 +26,6 @@ profile drkonqi @{exec_path} {
   @{bin}/lsb_release rPx -> lsb_release,
   /usr/share/drkonqi/{,**} r,
-  /usr/share/knotifications{5,6}/*.notifyrc r,
   owner @{user_cache_dirs}/drkonqi/ rw,
   owner @{user_cache_dirs}/drkonqi/** rwlk -> @{user_cache_dirs}/drkonqi/**,
diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess
index 7d6e4867e..e9ed1399d 100644
--- a/apparmor.d/groups/kde/kaccess
+++ b/apparmor.d/groups/kde/kaccess
@@ -22,8 +22,6 @@ profile kaccess @{exec_path} {
   /etc/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/breezerc r,
   owner @{user_config_dirs}/kaccessrc r,
diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd
index b51d72a91..8fccca289 100644
--- a/apparmor.d/groups/kde/kactivitymanagerd
+++ b/apparmor.d/groups/kde/kactivitymanagerd
@@ -29,17 +29,12 @@ profile kactivitymanagerd @{exec_path} {
   owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
   owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r,
-  owner @{user_cache_dirs}/ksycoca{5,6}_* r,
-
   owner @{user_config_dirs}/#@{int} rw,
-  owner @{user_config_dirs}/baloofilerc r,
   owner @{user_config_dirs}/breezerc r,
-  owner @{user_config_dirs}/dolphinrc r,
   owner @{user_config_dirs}/kactivitymanagerdrc.lock rwk,
   owner @{user_config_dirs}/kactivitymanagerdrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/libreoffice/**.xcu r,
   owner @{user_config_dirs}/menus/{,**} r,
-  owner @{user_config_dirs}/trashrc r,
   owner @{user_share_dirs}/kactivitymanagerd/{,**} rwlk,
   owner @{user_share_dirs}/kservices{5,6}/{,**} r,
diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac
index e6a57f985..97bdef983 100644
--- a/apparmor.d/groups/kde/kalendarac
+++ b/apparmor.d/groups/kde/kalendarac
@@ -20,12 +20,9 @@ profile kalendarac @{exec_path} {
   /usr/share/akonadi/firstrun/{,*} r,
   /usr/share/akonadi/plugins/serializer/{,*.desktop} r,
-  /usr/share/knotifications{5,6}/{,**} r,
   /etc/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/akonadi-firstrunrc r,
   owner @{user_config_dirs}/akonadi/akonadiconnectionrc r,
diff --git a/apparmor.d/groups/kde/kbuildsycoca b/apparmor.d/groups/kde/kbuildsycoca
index 005458b08..beb235536 100644
--- a/apparmor.d/groups/kde/kbuildsycoca
+++ b/apparmor.d/groups/kde/kbuildsycoca
@@ -15,9 +15,6 @@ profile kbuildsycoca @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
-  owner @{user_cache_dirs}/ksycoca{5,6}_* rw,
-  owner link @{user_cache_dirs}/ksycoca5_* -> @{user_cache_dirs}/#@{int},
-
   /dev/tty r,
   include if exists
diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update
index 5d0914b52..ce11fb914 100644
--- a/apparmor.d/groups/kde/kconf_update
+++ b/apparmor.d/groups/kde/kconf_update
@@ -44,44 +44,10 @@ profile kconf_update @{exec_path} {
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
-  owner @{user_config_dirs}/akregatorrc.lock rwk,
-  owner @{user_config_dirs}/akregatorrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/dolphinrc.lock rwk,
-  owner @{user_config_dirs}/dolphinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
+  owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int},
+  owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
+  owner @{user_config_dirs}/*rc.lock rwk,
   owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**,
-  owner @{user_config_dirs}/kactivitymanagerd-statsrc rw,
-  owner @{user_config_dirs}/kateschemarc.lock rwk,
-  owner @{user_config_dirs}/kateschemarc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/kcminputrc.lock rwk,
-  owner @{user_config_dirs}/kcminputrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/kconf_updaterc.lock rwk,
-  owner @{user_config_dirs}/kconf_updaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
-  owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/khotkeysrc.lock rwk,
-  owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/kmixrc.lock rwk,
-  owner @{user_config_dirs}/kmixrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/konsolerc.lock rwk,
-  owner @{user_config_dirs}/konsolerc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/krunnerrc.lock rwk,
-  owner @{user_config_dirs}/krunnerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/krunnerstaterc.lock rwk,
-  owner @{user_config_dirs}/krunnerstaterc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/kscreenlockerrc.lock rwk,
-  owner @{user_config_dirs}/kscreenlockerrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/ksmserverrc.lock rwk,
-  owner @{user_config_dirs}/ksmserverrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/kwinrc.lock rwk,
-  owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/kwinrulesrc.lock rwk,
-  owner @{user_config_dirs}/kwinrulesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/kxkbrc.lock rwk,
-  owner @{user_config_dirs}/kxkbrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/plasma-org.kde.plasma.desktop-appletsrc rw,
-  owner @{user_config_dirs}/plasmashellrc r,
   owner @{user_config_dirs}/sed@{rand6} rw,
   owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw,
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index 32ad8cd86..3a24b3db8 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -30,8 +30,6 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted)
   @{bin}/xargs rix,
   @{lib}/drkonqi rPx,
-  /usr/share/knotifications{5,6}/*.notifyrc r,
-
   /etc/fstab r,
   /etc/machine-id r,
diff --git a/apparmor.d/groups/kde/kde-systemd-start-condition b/apparmor.d/groups/kde/kde-systemd-start-condition
index a913dba60..31367f47c 100644
--- a/apparmor.d/groups/kde/kde-systemd-start-condition
+++ b/apparmor.d/groups/kde/kde-systemd-start-condition
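Review bot: The three wildcard rules that replace the enumerated list at `@@ -44,44 +44,10 @@` give kconf_update write and link access to every `*rc` file directly under @{user_config_dirs}, including files the old list never named and `plasmashellrc`, which the removed line `owner @{user_config_dirs}/plasmashellrc r,` granted read-only. Since this profile's job is config migration the blanket pattern may well be the right call, but nothing in the hunk records that the widening is deliberate, so a comment above the new rules such as `# kconf_update migrates any KDE config file, so every *rc under the config dir must be writable` would make that explicit for the next reader. `*` does not cross `/`, so subdirectories such as `kdedefaults/` stay outside the grant, which matches the scope of the removed list. The body of profile kconf_update continues outside the hunk.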
@@ -9,13 +9,10 @@ include
 @{exec_path} = @{bin}/kde-systemd-start-condition
 profile kde-systemd-start-condition @{exec_path} {
   include
+  include
   @{exec_path} mr,
-  /etc/xdg/baloofilerc r,
-  /usr/share/desktop-base/kf{5,6}-settings/baloofilerc r,
-
-  owner @{user_config_dirs}/baloofilerc r,
   owner @{user_config_dirs}/kalendaracrc r,
   owner @{user_config_dirs}/kgpgrc r,
   owner @{user_config_dirs}/kmixrc r,
diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded
index 5620d7dee..f93144c5f 100644
--- a/apparmor.d/groups/kde/kded
+++ b/apparmor.d/groups/kde/kded
@@ -70,14 +70,11 @@ profile kded @{exec_path} {
   /usr/share/kded{5,6}/{,**} r,
   /usr/share/kf{5,6}/kcookiejar/* r,
   /usr/share/khotkeys/{,**} r,
-  /usr/share/knotifications{5,6}/{,**} r,
   /usr/share/kservices{5,6}/{,**} r,
   /usr/share/kservicetypes5/{,**} r,
   /etc/fstab r,
   /etc/xdg/accept-languages.codes r,
-  /etc/xdg/baloofilerc r,
-  /etc/xdg/kcminputrc r,
   /etc/xdg/kde* r,
   /etc/xdg/kioslaverc r,
   /etc/xdg/menus/{,**} r,
@@ -91,21 +88,17 @@ profile kded @{exec_path} {
   owner @{HOME}/.gtkrc-2.0 rw,
   @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int},
-  owner @{user_cache_dirs}/#@{int} rw,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_cache_dirs}/plasmashell/ rw,
   owner @{user_cache_dirs}/plasmashell/** rwlk -> @{user_cache_dirs}/plasmashell/**,
   @{user_config_dirs}/kcookiejarrc.lock rwk,
   @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/baloofilerc r,
   owner @{user_config_dirs}/bluedevilglobalrc.lock rwk,
   owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/breezerc r,
   owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl,
   owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk,
   owner @{user_config_dirs}/gtkrc{,*} rwlk,
-  owner @{user_config_dirs}/kcminputrc r,
   owner @{user_config_dirs}/kconf_updaterc rw,
   owner @{user_config_dirs}/kconf_updaterc.lock rwk,
   owner @{user_config_dirs}/kdebugrc r,
@@ -128,7 +121,6 @@ profile kded @{exec_path} {
   owner @{user_config_dirs}/networkmanagement.notifyrc r,
   owner @{user_config_dirs}/plasma* r,
   owner @{user_config_dirs}/touchpadrc r,
-  owner @{user_config_dirs}/trashrc r,
   owner @{user_config_dirs}/Trolltech.conf.lock rwk,
   owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl,
   owner @{user_config_dirs}/xsettingsd/{,**} rw,
diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld
index f71f9734c..4d2616e3e 100644
--- a/apparmor.d/groups/kde/kglobalacceld
+++ b/apparmor.d/groups/kde/kglobalacceld
@@ -21,8 +21,6 @@ profile kglobalacceld @{exec_path} {
   /etc/xdg/menus/ r,
   /etc/xdg/menus/applications-merged/ r,
-  owner @{user_cache_dirs}/ksycoca{5,6}_* rw,
-
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk,
   owner @{user_config_dirs}/kglobalshortcutsrc* rwl,
diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod
index 5b6c7184a..d83749455 100644
--- a/apparmor.d/groups/kde/kiod
+++ b/apparmor.d/groups/kde/kiod
@@ -22,8 +22,6 @@ profile kiod @{exec_path} {
   /usr/share/icons/breeze/index.theme r,
   /usr/share/mime/{,**} r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/ksslcertificatemanager rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/ksslcertificatemanager.lock rwk,
diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker
index db135515b..5bd01bb15 100644
--- a/apparmor.d/groups/kde/kioworker
+++ b/apparmor.d/groups/kde/kioworker
@@ -72,9 +72,7 @@ profile kioworker @{exec_path} {
   owner @{HOME}/@{XDG_DESKTOP_DIR}/.directory l -> @{HOME}/@{XDG_DESKTOP_DIR}/#@{int},
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_cache_dirs}/kio_http/* rwl,
-  owner @{user_cache_dirs}/ksycoca{5,6}_* r,
   owner @{user_config_dirs}/kio_httprc r,
   owner @{user_config_dirs}/menus/{,**} r,
diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole
index 28b5d2650..94bad21ba 100644
--- a/apparmor.d/groups/kde/konsole
+++ b/apparmor.d/groups/kde/konsole
@@ -40,8 +40,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   /usr/share/color-schemes/{,**} r,
   /usr/share/kf6/{,**} r,
-  /usr/share/knotifications{5,6}/konsole.notifyrc r,
-  /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r,
   /usr/share/konsole/{,**} r,
   /usr/share/sounds/** r,
@@ -52,9 +50,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{HOME}/@{XDG_SSH_DIR}/config r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_cache_dirs}/ksycoca{5,6}_* r,
-
   owner @{user_config_dirs}/#@{int} rwl,
   owner @{user_config_dirs}/breezerc r,
   owner @{user_config_dirs}/kbookmarkrc r,
diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet
index 74020b468..b67fe50f1 100644
--- a/apparmor.d/groups/kde/kscreenlocker_greet
+++ b/apparmor.d/groups/kde/kscreenlocker_greet
@@ -70,7 +70,6 @@ profile kscreenlocker_greet @{exec_path} {
   owner @{user_pictures_dirs}/{,**} r,
   owner @{user_cache_dirs}/ rw,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_cache_dirs}/kscreenlocker_greet/ w,
   owner @{user_cache_dirs}/kscreenlocker_greet/** rwlk,
   owner @{user_cache_dirs}/ksvg-elements rw,
diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver
index 65bf9036a..f36d8f2f2 100644
--- a/apparmor.d/groups/kde/ksmserver
+++ b/apparmor.d/groups/kde/ksmserver
@@ -32,7 +32,6 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   #aa:exec kscreenlocker_greet
   /usr/share/color-schemes/{,**} r,
-  /usr/share/knotifications{5,6}/*.notifyrc r,
   /usr/share/kservices{5,6}/{,**} r,
   /usr/share/kservicetypes{5,6}/{,**} r,
@@ -44,10 +43,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{HOME}/@{rand6} rw,
   owner @{HOME}/.Xauthority rw,
-  owner @{user_cache_dirs}/#@{int} rw,
   owner @{user_cache_dirs}/fontconfig/*-le64.cache-* r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-  owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk,
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r,
diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter
index 44d7f6e2a..55379861e 100644
--- a/apparmor.d/groups/kde/ksmserver-logout-greeter
+++ b/apparmor.d/groups/kde/ksmserver-logout-greeter
@@ -13,7 +13,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
-  include
   include
   include
   include
diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml
index 97ecd5c22..8b878457b 100644
--- a/apparmor.d/groups/kde/ksplashqml
+++ b/apparmor.d/groups/kde/ksplashqml
@@ -24,7 +24,6 @@ profile ksplashqml @{exec_path} {
   /etc/machine-id r,
   /etc/xdg/plasmarc r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_cache_dirs}/ksplash/ rw,
   owner @{user_cache_dirs}/ksplash/** rwlk -> @{user_cache_dirs}/ksplash/**,
diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd
index 5005dde31..282f4231b 100644
--- a/apparmor.d/groups/kde/kwalletd
+++ b/apparmor.d/groups/kde/kwalletd
@@ -30,8 +30,6 @@ profile kwalletd @{exec_path} {
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
-
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/breezerc r,
   owner @{user_config_dirs}/kwalletrc r,
diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager
index e26d09f13..a5c5ddfef 100644
--- a/apparmor.d/groups/kde/kwalletmanager
+++ b/apparmor.d/groups/kde/kwalletmanager
@@ -29,7 +29,6 @@ profile kwalletmanager @{exec_path} {
   /etc/xdg/ui/ui_standards.rc r,
   /var/lib/dbus/machine-id r,
-  owner @{user_cache_dirs}/icon-cache.kcache rw,
   owner @{user_config_dirs}/#@{int} rw,
   owner @{user_config_dirs}/kwalletmanager5rc rw,
   owner @{user_config_dirs}/kwalletmanager5rc.* rwl -> @{user_config_dirs}/#@{int},
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland
index 2393f9201..162f2cfc3 100644
--- a/apparmor.d/groups/kde/kwin_wayland
+++ b/apparmor.d/groups/kde/kwin_wayland
@@ -32,10 +32,8 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) {
   #aa:exec kscreenlocker_greet
   /usr/share/color-schemes/*.colors r,
-  /usr/share/desktop-base/kf5-settings/{,**} r,
   /usr/share/desktop-directories/*.directory r,
   /usr/share/kglobalaccel/{,**} r,
-  /usr/share/knotifications{5,6}/ksmserver.notifyrc r,
   /usr/share/kservices{5,6}/{,**} r,
   /usr/share/kservicetypes5/{,*.desktop} r,
   /usr/share/kwin/{,**} r,
@@ -71,11 +69,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{sddm_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{sddm_config_dirs}/#@{int}, owner @{user_cache_dirs}/ r, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/ksvg-elements r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - owner @{user_cache_dirs}/ksycoca{5,6}_* rwkl -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/kwin/ rw, owner @{user_cache_dirs}/kwin/** rwkl -> @{user_cache_dirs}/kwin/**, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, @@ -85,7 +79,6 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner @{user_config_dirs}/#@{int} rwl, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/* r, owner @{user_config_dirs}/kglobalshortcutsrc.lock rwk, owner @{user_config_dirs}/kglobalshortcutsrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 8ee46455e..0454e70e1 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -36,8 +36,6 @@ profile kwin_x11 @{exec_path} { /etc/xdg/plasmarc r, owner @{user_cache_dirs}/ r, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, owner @{user_cache_dirs}/ksvg-elements r, owner @{user_cache_dirs}/kwin/{,**} rwl, diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index 40f9de33e..a27751eb4 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -41,7 +41,6 @@ profile okular @{exec_path} { /usr/share/poppler/{,**} r, /etc/fstab r, - /etc/xdg/baloofilerc r, /etc/xdg/dolphinrc r, /etc/xdg/menus/ r, /etc/xdg/menus/applications-merged/ r, 
@@ -49,7 +48,6 @@ profile okular @{exec_path} { / r, @{MOUNTS}/ r, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_cache_dirs}/okular/{,**} rw, owner @{user_config_dirs}/#@{int} rw, @@ -59,8 +57,6 @@ profile okular @{exec_path} { owner @{user_config_dirs}/okularrc rw, owner @{user_config_dirs}/okularrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/okularrc.lock rwk, - owner @{user_config_dirs}/baloofilerc r, - owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/okular-generator-popplerrc r, owner @{user_config_dirs}/KDE/*.conf r, owner @{user_config_dirs}/kioslaverc r, @@ -68,7 +64,6 @@ profile okular @{exec_path} { owner @{user_config_dirs}/kwalletrc r, owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, - owner @{user_config_dirs}/trashrc r, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/kxmlgui{5,6}/okular/{,*} r, diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index 6270df2f7..bcf1af528 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -28,9 +28,6 @@ profile plasma-browser-integration-host @{exec_path} { /etc/xdg/menus/ r, /etc/xdg/taskmanagerrulesrc r, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - owner @{user_config_dirs}/menus/ r, owner @{user_config_dirs}/menus/applications-merged/ r, diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index d35e8dcd8..e94fd036e 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover 
@@ -38,7 +38,6 @@ profile plasma-discover @{exec_path} { #aa:exec kio_http_cache_cleaner #aa:exec kioworker - /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/knsrcfiles/{,*} r, /usr/share/kservices{5,6}/{,*} r, /usr/share/kservicetypes5/{,*} r, @@ -65,7 +64,6 @@ profile plasma-discover @{exec_path} { owner @{user_cache_dirs}/appstream/*.xb rw, owner @{user_cache_dirs}/discover/{,**} rwlk, owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kio_http/ w, owner @{user_config_dirs}/ r, diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 6082b579e..172c643c7 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -33,15 +33,11 @@ profile plasma_session @{exec_path} { #aa:exec polkit-kde-authentication-agent /usr/share/kservices{5,6}/{,**} r, - /usr/share/knotifications{5,6}/{,**} r, /etc/xdg/autostart/ r, /etc/xdg/autostart/*.desktop r, /etc/xdg/menus/ r, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, - - owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/kdedefaults/ksplashrc r, owner @{user_config_dirs}/plasma-welcomerc r, diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index e583c26bc..954431f86 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -61,11 +61,9 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /opt/*/**/*.png r, /usr/share/*/icons/{,**} r, /usr/share/akonadi/{,**} r, - /usr/share/desktop-base/{,**} r, /usr/share/desktop-directories/kf5-*.directory r, /usr/share/kf{5,6}/{,**} r, /usr/share/kio/servicemenus/{,*.desktop} r, - /usr/share/knotifications{5,6}/*.notifyrc r, /usr/share/konsole/ r, /usr/share/krunner/{,**} r, /usr/share/kservices{5,6}/{,**} r, 
@@ -97,6 +95,8 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{HOME}/.var/app/**.{png,jpg,svg} r, owner @{HOME}/@{XDG_DESKTOP_DIR}/*.desktop r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, + owner @{user_games_dirs}/**.{png,jpg,svg} r, + owner @{user_music_dirs}/**.{png,jpg,svg} r, owner @{user_pictures_dirs}/{,**} r, owner @{user_templates_dirs}/ r, @@ -107,12 +107,10 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_cache_dirs}/appstream/*.xb rw, owner @{user_cache_dirs}/bookmarksrunner/ rw, owner @{user_cache_dirs}/bookmarksrunner/** rwkl -> @{user_cache_dirs}/bookmarksrunner/#@{int}, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kcrash-metadata/plasmashell.*.ini w, owner @{user_cache_dirs}/ksvg-elements rw, owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, - owner @{user_cache_dirs}/ksycoca{5,6}_* rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/org.kde.dirmodel-qml.kcache rw, owner @{user_cache_dirs}/plasma_engine_potd/{,**} rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, @@ -132,9 +130,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/akonadi/akonadi*rc r, owner @{user_config_dirs}/arkrc r, owner @{user_config_dirs}/baloofileinformationrc r, - owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/breezerc r, - owner @{user_config_dirs}/dolphinrc r, owner @{user_config_dirs}/eventviewsrc r, owner @{user_config_dirs}/kactivitymanagerd* rwkl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/kcookiejarrc r, 
@@ -151,7 +147,6 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { owner @{user_config_dirs}/menus/{,**} r, owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/plasma* rwlk, - owner @{user_config_dirs}/trashrc r, owner @{user_share_dirs}/*/sessions/ r, owner @{user_share_dirs}/#@{int} rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 1b52954d6..5030d18f4 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -113,7 +113,6 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/sddm/scripts/Xsetup rix, /usr/share/sddm/scripts/Xstop rix, - /usr/share/desktop-base/softwaves-theme/login/*.svg r, /usr/share/plasma/desktoptheme/** r, /usr/share/sddm/faces/.*.icon r, /usr/share/sddm/themes/** r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 441f2db25..6f33e233a 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -28,7 +28,6 @@ profile sddm-greeter @{exec_path} { @{lib}/libheif/ r, @{lib}/libheif/*.so* rm, - /usr/share/desktop-base/*-theme/login/*.svg r, /usr/share/endeavouros/backgrounds/** r, /usr/share/hunspell/** r, /usr/share/plasma/desktoptheme/** r, @@ -53,7 +52,6 @@ profile sddm-greeter @{exec_path} { @{HOME}/.face.icon r, owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_cache_dirs}/plasma-svgelements.@{rand6} rw, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index 81b1a1243..e57639b6e 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma 
@@ -33,14 +33,12 @@ profile startplasma @{exec_path} { /usr/share/color-schemes/{,**} r, /usr/share/desktop-directories/{,**} r, - /usr/share/knotifications{5,6}/{,**} r, /usr/share/kservices{5,6}/{,**} r, /usr/share/kservicetypes5/{,**} r, /usr/share/plasma/{,**} r, /etc/locale.alias r, /etc/machine-id r, - /etc/xdg/kcminputrc r, /etc/xdg/menus/{,**} r, /etc/xdg/plasma-workspace/env/{,*} r, @@ -52,7 +50,6 @@ profile startplasma @{exec_path} { owner @{user_cache_dirs}/plasma-svgelements rw, owner @{user_config_dirs}/gtkrc{,*} rwlk, - owner @{user_config_dirs}/kcminputrc r, owner @{user_config_dirs}/kdedefaults/ rw, owner @{user_config_dirs}/kdedefaults/** rwkl -> @{user_config_dirs}/kdedefaults/**, owner @{user_config_dirs}/ksplashrc r, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index 384c1da8b..d0fec60fc 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -43,7 +43,6 @@ profile systemsettings @{exec_path} { /usr/share/kcmkeys/{,*.kksrc} r, /usr/share/kglobalaccel/* r, /usr/share/kinfocenter/{,**} r, - /usr/share/knotifications{5,6}/{,**} r, /usr/share/solid/{,**} r, /usr/share/kpackage/{,**} r, /usr/share/kservices{5,6}/{,**} r, @@ -71,14 +70,11 @@ profile systemsettings @{exec_path} { owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/kcrash-metadata/*.ini rw, owner @{user_cache_dirs}/kinfocenter/{,**} rwlk, owner @{user_cache_dirs}/ksvg-elements rw, owner @{user_cache_dirs}/ksvg-elements.@{rand6} rwlk -> @{user_cache_dirs}/#@{int}, owner @{user_cache_dirs}/ksvg-elements.lock rwlk, - owner @{user_cache_dirs}/ksycoca{5,6}_* r, owner @{user_cache_dirs}/plasma_theme_*.kcache rw, owner @{user_cache_dirs}/systemsettings/ rw, owner @{user_cache_dirs}/systemsettings/** rwlk -> @{user_cache_dirs}/systemsettings/**, 
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 0e236f945..96c9b6d25 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -38,7 +38,6 @@ profile keepassxc @{exec_path} { @{lib}/firefox/firefox rPx, @{open_path} rPx -> child-open, - /usr/share/hwdata/pnp.ids r, /usr/share/keepassxc/{,**} r, /etc/fstab r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 60ea019aa..b4c07e38b 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -61,7 +61,6 @@ profile libreoffice @{exec_path} { @{lib}/libreoffice/share/extensions/{,**/}__pycache__/ w, /usr/share/hyphen/{,**} r, - /usr/share/knotifications{5,6}/plasma_workspace.notifyrc r, /usr/share/libexttextcat/{,**} r, /usr/share/liblangtag/{,**} r, /usr/share/libreoffice/{,**} r, @@ -77,7 +76,6 @@ profile libreoffice @{exec_path} { owner @{user_config_dirs}/libreoffice/ rw, owner @{user_config_dirs}/libreoffice/** rwk, owner @{user_config_dirs}/soffice.*.lock rwk, - owner @{user_config_dirs}/trashrc r, owner @{user_config_dirs}/plasma_workspace.notifyrc r, owner @{user_config_dirs}/kservicemenurc r, diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 93dc4aded..97e84c7ec 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -22,9 +22,6 @@ profile pinentry-qt @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, - owner @{user_cache_dirs}/#@{int} rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{tmp}/xauth_@{rand6} r, owner /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 30457cf04..762af3bfc 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi 
@@ -46,8 +46,6 @@ profile psi @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/ r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi/{,**} rw, owner @{user_config_dirs}/autostart/psi.desktop rw, owner @{user_config_dirs}/psi/ rw, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 1427af278..076d96da7 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -46,8 +46,6 @@ profile psi-plus @{exec_path} { /var/lib/dbus/machine-id r, owner @{HOME}/ r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/psi+/{,**} rw, owner @{user_config_dirs}/autostart/psi-plus.desktop rw, owner @{user_config_dirs}/psi+/ rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index f9502cf75..7f79d3a06 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -85,8 +85,6 @@ profile qbittorrent @{exec_path} { /usr/share/GeoIP/GeoIP.dat r, /usr/share/gvfs/remote-volume-monitors/{,*} r, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/qBittorrent/{,**} rw, owner @{user_config_dirs}/qBittorrent/ rw, diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index 3052736b6..4026983ab 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -28,9 +28,6 @@ profile qt5ct @{exec_path} { owner @{user_config_dirs}/fontconfig/** rw, owner @{user_config_dirs}/fontconfig/fonts.conf.back rwl -> @{user_config_dirs}/fontconfig/#@{int}, - owner @{user_cache_dirs}/ rw, - owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{PROC}/@{pid}/cmdline r, /dev/shm/#@{int} rw, diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer index 28065ac24..0248d4218 100644 --- a/apparmor.d/profiles-s-z/smplayer +++ b/apparmor.d/profiles-s-z/smplayer 
@@ -53,8 +53,6 @@ profile smplayer @{exec_path} { owner @{user_config_dirs}/smplayer/ rw, owner @{user_config_dirs}/smplayer/* rwkl -> @{user_config_dirs}/smplayer/#@{int}, - owner @{user_cache_dirs}/#@{int} rw, - owner @{tmp}/qtsingleapp-smplay-* rw, owner @{tmp}/qtsingleapp-smplay-*-lockfile rwk, owner @{tmp}/smplayer_preview/ rw, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index fbfcaf7b9..310b94683 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -46,7 +46,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, /usr/share/gtksourceview-4/{,**} r, - /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index b5ea8b272..508deaeac 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -56,7 +56,6 @@ profile vlc @{exec_path} { owner @{user_torrents_dirs}/{,**} rw, owner @{user_videos_dirs}/{,**} rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/vlc/ rw, owner @{user_cache_dirs}/vlc/{,**} rw, From 7a53fc3a99399c56c50c2761124a08153b0e0a08 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 18 Sep 2024 18:10:27 +0100 Subject: [PATCH 127/315] feat(profile): general updtae. --- apparmor.d/abstractions/app/sudo | 1 - apparmor.d/abstractions/gstreamer | 7 +- apparmor.d/abstractions/vulkan-strict | 1 - apparmor.d/groups/browsers/torbrowser-start | 2 + apparmor.d/groups/bus/at-spi2-registryd | 20 +---- .../groups/freedesktop/xdg-desktop-portal | 20 ++--- .../freedesktop/xdg-desktop-portal-gnome | 32 +------- apparmor.d/groups/freedesktop/xdg-user-dir | 3 +- apparmor.d/groups/gpg/gpg-agent | 1 + apparmor.d/groups/gpg/scdaemon | 6 +- apparmor.d/groups/network/NetworkManager | 3 +- apparmor.d/groups/pacman/makepkg | 5 +- apparmor.d/groups/pacman/yay | 2 + apparmor.d/groups/systemd/systemd-udevd | 2 - apparmor.d/groups/virt/cni-xtables-nft | 36 --------- apparmor.d/groups/virt/cockpit-bridge | 27 ++++++- apparmor.d/groups/virt/cockpit-update-motd | 2 - apparmor.d/groups/virt/xtables | 43 +++++++++++ apparmor.d/profiles-a-f/aa-log | 2 - apparmor.d/profiles-a-f/convertall | 23 ++---- apparmor.d/profiles-m-r/pass | 76 +++++++++---------- .../signal-desktop-chrome-sandbox | 4 +- .../spice-client-glib-usb-acl-helper | 1 - apparmor.d/profiles-s-z/switcherooctl | 2 +- apparmor.d/profiles-s-z/tomb | 3 +- apparmor.d/profiles-s-z/udisksd | 7 +- apparmor.d/profiles-s-z/wpa-gui | 11 +-- 27 files changed, 158 insertions(+), 184 deletions(-) delete mode 100644 apparmor.d/groups/virt/cni-xtables-nft create mode 100644 apparmor.d/groups/virt/xtables diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index fdd348587..3fa454356 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -57,7 +57,6 @@ @{PROC}/@{pid}/limits r, @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/stat r, - @{PROC}/sys/kernel/cap_last_cap r, @{PROC}/sys/kernel/ngroups_max r, @{PROC}/sys/kernel/seccomp/actions_avail r, 
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 60bac614e..4a5deb7c4 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -45,7 +45,12 @@ @{sys}/class/ r, @{sys}/class/drm/ r, @{sys}/class/video4linux/ r, - @{sys}/devices/@{pci}/{busnum,config,devnum,descriptors,speed,uevent} r, + @{sys}/devices/@{pci}/busnum r, + @{sys}/devices/@{pci}/config r, + @{sys}/devices/@{pci}/descriptors r, + @{sys}/devices/@{pci}/devnum r, + @{sys}/devices/@{pci}/speed r, + @{sys}/devices/@{pci}/uevent r, @{sys}/devices/system/node/ r, @{sys}/devices/system/node/node@{int}/meminfo r, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index fd86f1e81..5210a48e2 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -29,5 +29,4 @@ include if exists - # vim:syntax=apparmor diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start index 8292f613a..e7072c856 100644 --- a/apparmor.d/groups/browsers/torbrowser-start +++ b/apparmor.d/groups/browsers/torbrowser-start @@ -42,6 +42,8 @@ profile torbrowser-start @{exec_path} { owner @{lib_dirs}/sed@{rand6} rw, owner @{lib_dirs}/TorBrowser/Tor/tor r, + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/sed@{rand6} rw, + owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/Browser/start-tor-browser.desktop rw, owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/sed@{rand6} rw, owner @{user_share_dirs}/torbrowser/tbb/@{arch}/tor-browser/start-tor-browser.desktop rw, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 2b0ac0475..46b404f2b 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd 
@@ -17,24 +17,8 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=gdm, - #aa:dbus own bus=accessibility name=org.a11y.atspi.{R,r}egistry - dbus send bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.freedesktop.DBus.Properties - member=Set - peer=(name=:*), - dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root - interface=org.a11y.atspi.Socket - member=Embed - peer=(name=:*), - dbus receive bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller - interface=org.a11y.atspi.DeviceEventController - member={GetKeystrokeListeners,GetDeviceEventListeners} - peer=(name=:*), - - dbus send bus=session path=/org/a11y/bus - interface=org.a11y.Bus - member=GetAddress - peer=(name=org.a11y.Bus, label=dbus-accessibility), + #aa:dbus own bus=accessibility name=org.a11y.atspi + #aa:dbus talk bus=session name=org.a11y.{B,b}us label=dbus-accessibility dbus receive bus=session interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 5d908e67b..d8929cfb1 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -20,6 +20,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, 
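Review bot: The two `#aa:dbus` directives grant more than the rules they replace: the removed rules owned only `org.a11y.atspi.{R,r}egistry` and admitted specific members (`Set`, `Embed`, `GetKeystrokeListeners`, `GetDeviceEventListeners`) on fixed object paths, whereas `own bus=accessibility name=org.a11y.atspi` presumably covers the whole name tree and `talk bus=session name=org.a11y.{B,b}us` turns the former send-only `GetAddress` call into a bidirectional rule. If the widening is intended because the registry really serves every `org.a11y.atspi.*` interface, a one-line comment above the directives should say so, e.g. `# The registry serves all org.a11y.atspi.* interfaces; per-member rules are not practical here`; otherwise keep the member-restricted receive rule for the DeviceEventController path. The profile body continues outside the hunk.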
@@ -34,19 +35,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { member=MakeThread* peer=(name=:*), - dbus receive bus=system path=/org/freedesktop/NetworkManager - interface=org.freedesktop.NetworkManager - member=CheckPermissions - peer=(name=:*, label=NetworkManager), - #aa:dbus own bus=session name=org.freedesktop.background.Monitor path=/org/freedesktop/background/monitor - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label=xdg-document-portal), - dbus send bus=session path=/org/freedesktop/portal/documents - interface=org.freedesktop.portal.Documents - peer=(name=:*, label=xdg-document-portal), + #aa:dbus talk bus=session name=org.freedesktop.portal.Documents path=/org/freedesktop/portal/documents label=xdg-document-portal dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -62,10 +53,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/nautilus rPx, - @{bin}/snap rPUx, - @{bin}/kreadconfig5 rPx, - @{lib}/xdg-desktop-portal-validate-icon rPUx, + @{bin}/kreadconfig{,5} rPx, + @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, / r, @@ -76,7 +66,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /etc/sysconfig/proxy r, - /var/lib/gdm{,3}/greeter-dconf-defaults r, + @{GDM_HOME}/greeter-dconf-defaults r, @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 588d4d393..586828ee0 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -13,7 +13,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include - include include include include 
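Review bot: The `dbus receive bus=system path=/org/freedesktop/NetworkManager ... member=CheckPermissions peer=(label=NetworkManager)` rule is dropped in this hunk with no replacement visible here; unless the include added in the first hunk carries it (its target is not shown in this rendering), the portal will now log a denial each time NetworkManager broadcasts that signal. In the following hunk the `rPUx` → `rPx` change on `@{lib}/xdg-desktop-portal-validate-icon` is the right direction for a helper that parses untrusted icon data, but it turns a missing `xdg-desktop-portal-validate-icon` profile from a silent unconfined fallback into an exec denial, so that profile must ship with this change; the same applies to whichever name `@{bin}/kreadconfig{,5} rPx` resolves to on a given distribution. The profile body continues outside the hunks.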
@@ -30,39 +29,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { signal (receive) set=(hup term) peer=gdm-session-worker, #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome - - dbus send bus=session path=/org/gnome/Shell/Screenshot - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Background - member=RunningApplicationsChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus receive bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Background - member=GetAppState - peer=(name=:*, label=xdg-desktop-portal), - - dbus send bus=session path=/org/freedesktop/portal/desktop - interface=org.freedesktop.impl.portal.Settings - member=SettingChanged - peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal), - - dbus (send, receive) bus=session path=/org/gnome/Mutter/* - interface=org.gnome.Mutter.* - peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), - dbus send bus=session path=/org/gnome/Mutter/* - interface=org.freedesktop.DBus.Properties - peer=(name=:*, label="{gnome-shell,gsd-xsettings}"), + #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal + #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell + #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell @{exec_path} mr, / r, @{bin}/ r, @{bin}/* r, + /opt/*/* r, /usr/share/dconf/profile/gdm r, /usr/share/thumbnailers/{,**} r, diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir index 47184420b..7fcf6f3ec 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dir +++ b/apparmor.d/groups/freedesktop/xdg-user-dir 
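Review bot: `#aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell` names only `gnome-shell` as the peer, while the removed `/org/gnome/Mutter/*` rules also accepted `gsd-xsettings` via `label="{gnome-shell,gsd-xsettings}"`; if gsd-xsettings still answers on that object tree the portal's calls to it will now be denied, so either keep both labels (if the directive accepts the same brace syntax) or record why the second peer was dropped. The new `/opt/*/* r,` rule has no comment; a short why-comment naming what is read there, e.g. `/opt/*/* r, # TODO: document which files under /opt are needed`, would keep it from reading as a catch-all. The profile body continues outside the hunk.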
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xdg-user-dir profile xdg-user-dir @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, @@ -18,8 +19,6 @@ profile xdg-user-dir @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/user-dirs.dirs r, - /dev/tty rw, - # Silencer deny network inet stream, deny network inet6 stream, diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 3d240828b..b7e00a45d 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -62,6 +62,7 @@ profile gpg-agent @{exec_path} { #aa:only pacman owner /etc/pacman.d/gnupg/ rw, + owner /etc/pacman.d/gnupg/*.conf r, owner /etc/pacman.d/gnupg/private-keys-v1.d/ rw, owner /etc/pacman.d/gnupg/private-keys-v1.d/@{hex}.key rw, owner /etc/pacman.d/gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon index 92be0bdcc..2160cbea9 100644 --- a/apparmor.d/groups/gpg/scdaemon +++ b/apparmor.d/groups/gpg/scdaemon @@ -19,12 +19,16 @@ profile scdaemon @{exec_path} { @{exec_path} mr, + #aa:only pacman + owner /etc/pacman.d/gnupg/scdaemon.conf r, + owner /etc/pacman.d/gnupg/S.scdaemon rw, + owner @{HOME}/@{XDG_GPG_DIR}/scdaemon.conf r, owner @{HOME}/@{XDG_GPG_DIR}common.conf r, owner @{HOME}/@{XDG_GPG_DIR}/reader_@{int}.status rw, owner @{run}/user/@{uid}/gnupg/S.scdaemon rw, - owner @{run}/user/@{uid}/gnupg/d.*/S.scdaemon rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.scdaemon rw, owner /var/tmp/zypp.*/PublicKey/S.scdaemon w, owner /var/tmp/zypp.*/zypp-general-kr*/S.scdaemon w, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 7f9b5adf6..50614a60a 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager 
@@ -90,9 +90,10 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{lib}/{,NetworkManager/}nm-openvpn-auth-dialog rPx, @{lib}/{,NetworkManager/}nm-openvpn-service rPx, @{lib}/{,NetworkManager/}nm-openvpn-service-openvpn-helper rPx, + /usr/share/netplan/netplan.script rPx, - /usr/share/netplan/netplan.script rPx, /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, + /usr/share/iproute2/{,**} r, / r, /etc/ r, diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 5ac446817..4ccb1088d 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -11,7 +11,7 @@ profile makepkg @{exec_path} { include include - signal send set=winch peer=pacman, + signal send set=winch peer=pacman, signal send set=winch peer=pacman//systemctl, network inet stream, @@ -48,7 +48,10 @@ profile makepkg @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + owner @{user_cache_dirs}/makepkg/src/*.asc r, + owner @{tmp}/.git_vtag_tmp@{rand6} rw, + owner @{tmp}/tmp.@{rand10} rw, owner @{run}/user/@{uid}/ r, owner @{run}/user/@{uid}/gnupg/ r, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index 8f2804621..8f3dede75 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -67,6 +67,8 @@ profile yay @{exec_path} { include include + owner @{HOME}/**/ r, # For pwd + owner @{user_cache_dirs}/yay/*/** rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 5c1709201..612fda9eb 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -123,8 +123,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) { # / r, - @{PROC}/sys/kernel/cap_last_cap r, - include if exists } 
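Review bot: `owner @{tmp}/tmp.@{rand10} rw,` in the second makepkg hunk matches the default mktemp(1) template, so it also admits every other user-owned temp file of that shape rather than only the ones makepkg creates; a comment naming the step that needs it, e.g. `owner @{tmp}/tmp.@{rand10} rw, # mktemp file created by <which makepkg step>`, would let a later reader judge whether a more specific path is possible. The profile body continues outside the hunk.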
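Review bot: `owner @{HOME}/**/ r, # For pwd` in the yay hunk grants directory listing of every directory under the user's home, which is far more than resolving the working directory requires; getcwd(2) itself should not need read access on the directories, so the denial this silences most likely came from something enumerating them (the log line is not shown, so this is inferred). Narrow the rule to the trees yay is actually run from, or, if the broad rule really is needed, replace the comment with the actual denied access so the rule can be revisited later, e.g. `owner @{HOME}/**/ r, # <denied access as logged>`. The profile body continues outside the hunk.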
diff --git a/apparmor.d/groups/virt/cni-xtables-nft b/apparmor.d/groups/virt/cni-xtables-nft deleted file mode 100644 index d19f875bf..000000000 --- a/apparmor.d/groups/virt/cni-xtables-nft +++ /dev/null @@ -1,36 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2022 Jeroen Rijken -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/xtables-nft-multi -profile cni-xtables-nft { - include - include - include - - capability net_admin, - capability net_raw, - - network inet dgram, - network inet6 dgram, - network inet raw, - network inet6 raw, - network inet stream, - network inet6 stream, - network netlink raw, - - @{exec_path} mr, - @{bin}/xtables-legacy-multi mr, - - /etc/libnl/classid r, - /etc/iptables/{,**} rw, - /etc/nftables.conf rw, - - @{PROC}/@{pids}/net/ip_tables_names r, -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index a2b773499..1ae8c7109 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -26,11 +26,11 @@ profile cockpit-bridge @{exec_path} { ptrace read, + signal send set=term peer=cockpit-bridge//sudo, signal send set=term peer=cockpit-pcp, signal send set=term peer=dbus-daemon, signal send set=term peer=journalctl, signal send set=term peer=ssh-agent, - signal send set=term peer=sudo, signal send set=term peer=unconfined, @{exec_path} mr, 
@@ -41,24 +41,30 @@ profile cockpit-bridge @{exec_path} { @{bin}/ip ix, @{bin}/python3.@{int} ix, @{bin}/test ix, + @{bin}/file ix, + @{bin}/chage Px, + @{bin}/dmidecode Px, @{bin}/findmnt Px, @{bin}/journalctl Px, + @{bin}/last Px, @{bin}/lastlog Px, + @{bin}/lscpu Px, @{bin}/passwd Px, @{bin}/ssh-agent Px, - @{bin}/sudo Px, # TODO: rCx -> privilieged ? or rix? + @{bin}/sudo Cx -> sudo, @{bin}/udevadm Cx -> udevadm, + @{bin}/virsh rPUx, @{bin}/virt-install PUx, # TODO: rPx @{lib}/cockpit/cockpit-pcp Px, @{lib}/cockpit/cockpit-ssh Px, - @{bin}/virsh rPUx, # The shell is not confined on purpose. @{bin}/@{shells} Ux, /usr/{,local/}share/ r, /usr/share/cockpit/{,**} r, + /usr/share/file/** r, /usr/share/iproute2/* r, /etc/cockpit/{,**} r, @@ -70,7 +76,8 @@ profile cockpit-bridge @{exec_path} { /etc/shadow r, /etc/shells r, - / r, + / r, + @{HOME}/ r, owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw, owner @{user_share_dirs}/ r, @@ -103,6 +110,18 @@ profile cockpit-bridge @{exec_path} { /dev/ptmx rw, + profile sudo { + include + include + + signal (send receive) set=term peer=cockpit-bridge, + + @{bin}/cockpit-bridge Px, + @{lib}/cockpit/cockpit-askpass Px, + + include if exists + } + profile udevadm { include include diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd index eaf340c6b..cf4bf5bb7 100644 --- a/apparmor.d/groups/virt/cockpit-update-motd +++ b/apparmor.d/groups/virt/cockpit-update-motd @@ -30,8 +30,6 @@ profile cockpit-update-motd @{exec_path} { capability net_admin, capability sys_ptrace, - @{PROC}/sys/kernel/cap_last_cap r, - include if exists } diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables new file mode 100644 index 000000000..82eb1a733 --- /dev/null +++ b/apparmor.d/groups/virt/xtables 
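Review bot: `@{bin}/file ix` runs file(1) and libmagic inside the bridge's own profile, so a parser bug triggered by a user-supplied file inherits everything the bridge holds — the `/etc/shadow r,` shown as context in the third hunk and the intentionally unconfined `@{bin}/@{shells} Ux` among them. Prefer an `rPx` transition to a dedicated `file` profile if the repository has one, or a child profile like the new `sudo` one in the last hunk, e.g. `@{bin}/file Cx -> file,` with a minimal `profile file { ... }` that only reads `/usr/share/file/**` and the inspected paths. The profile body continues outside the hunks.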
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Jeroen Rijken +# Copyright (C) 2022-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xtables-nft-multi @{bin}/xtables-legacy-multi +profile xtables { + include + include + include + + capability net_admin, + capability net_raw, + + network inet dgram, + network inet6 dgram, + network inet raw, + network inet6 raw, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + /usr/share/iproute2/{,**} r, + + /etc/iproute2/{,**} r, + /etc/iptables/{,**} rw, + /etc/libnl/classid r, + /etc/nftables.conf rw, + + @{run}/xtables.lock rwk, + + @{PROC}/@{pids}/net/ip_tables_names r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index 74fbebcb1..bfd0b457e 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -27,8 +27,6 @@ profile aa-log @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/{,*} r, - @{PROC}/sys/kernel/cap_last_cap r, - /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall index 28a393470..f3ce650e6 100644 --- a/apparmor.d/profiles-a-f/convertall +++ b/apparmor.d/profiles-a-f/convertall 
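Review bot: `profile xtables {` has no attachment path, so like the deleted `cni-xtables-nft` it is reachable only through an explicit `-> xtables` transition; any profile that still names `cni-xtables-nft` as a target will fail to load once that file is gone, and the commit's diffstat is outside this chunk so I cannot confirm every caller was updated. The write rules `/etc/iptables/{,**} rw,` and `/etc/nftables.conf rw,` are carried over without explanation, and writing the persistent firewall configuration is the most sensitive thing this profile permits; a comment recording the trigger, e.g. `# iptables-save -f / inherited fd from a shell redirection into /etc/iptables`, would make it easier to tighten later if only one of the two is actually needed.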
@@ -10,35 +10,28 @@ include @{exec_path} = @{bin}/convertall /usr/share/convertall/convertall.py profile convertall @{exec_path} { include - include - include - include + include include - include - include - include - include - include - include + include include + include + include @{exec_path} r, @{sh_path} rix, @{bin}/python3.@{int} rix, - owner @{HOME}/.convertall rw, - - deny owner @{PROC}/@{pid}/cmdline r, - /usr/share/convertall/{,**} r, /usr/share/doc/convertall/{,*} r, - /usr/share/hwdata/pnp.ids r, - /var/lib/dbus/machine-id r, /etc/machine-id r, + owner @{HOME}/.convertall rw, + + deny owner @{PROC}/@{pid}/cmdline r, + include if exists } diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index 3796dfbc4..b3c963dde 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass 
@@ -15,47 +15,47 @@ profile pass @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/base64 rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cp rix, - @{bin}/diff rix, - @{bin}/dirname rix, - @{bin}/env rix, - @{bin}/find rix, - @{bin}/getopt rix, - @{bin}/grep rix, - @{bin}/head rix, - @{bin}/mkdir rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/rm rix, - @{bin}/rmdir rix, - @{bin}/sed rix, - @{bin}/shred rix, - @{bin}/sleep rix, - @{bin}/sort rix, - @{bin}/tail rix, - @{bin}/touch rix, - @{bin}/tr rix, - @{bin}/tree rix, - @{bin}/tty rix, - @{bin}/which rix, + @{bin}/base64 ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cp ix, + @{bin}/diff ix, + @{bin}/dirname ix, + @{bin}/env r, + @{bin}/find ix, + @{bin}/getopt ix, + @{bin}/grep ix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/rm ix, + @{bin}/rmdir ix, + @{bin}/sed ix, + @{bin}/shred ix, + @{bin}/sleep ix, + @{bin}/sort ix, + @{bin}/tail ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/tree ix, + @{bin}/tty ix, + @{bin}/which ix, - @{bin}/git rCx -> git, - @{bin}/gpg{2,} rCx -> gpg, - @{bin}/pkill rCx -> pkill, - @{bin}/qdbus rCx -> qdbus, - @{editor_path} rCx -> editor, - @{lib}/git{,-core}/git rCx -> git, - @{bin}/wl-{copy,paste} rPx, - @{bin}/xclip rPx, + @{bin}/git Cx -> git, + @{bin}/gpg{2,} Cx -> gpg, + @{bin}/pkill Cx -> pkill, + @{bin}/qdbus Cx -> qdbus, + @{bin}/wl-{copy,paste} Px, + @{bin}/xclip Px, + @{editor_path} Cx -> editor, + @{lib}/git{,-core}/git Cx -> git, # Pass extensions - @{bin}/oathtool rix, # pass-otp - @{bin}/python3.@{int} rPx -> pass-import, # pass-import, pass-audit - @{bin}/qrencode rPUx, # pass-otp - @{bin}/tomb rPUx, # pass-tomb + @{bin}/oathtool ix, # pass-otp + @{bin}/python3.@{int} Px -> pass-import, # pass-import, pass-audit + @{bin}/qrencode PUx, # pass-otp + @{bin}/tomb PUx, # pass-tomb /usr/share/terminfo/** r, 
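Review bot: `@{bin}/env rix,` becomes `@{bin}/env r,`, which is the only line in this sweep that changes permissions rather than dropping the redundant leading `r` from `rix`/`rPx`/`rCx`. The `r`-only form is sufficient when env is merely the shebang interpreter of the pass script, but if any pass extension executes env explicitly that exec will now be denied; the commit message does not say why it was narrowed, so a comment such as `# Shebang interpreter only` next to the rule would record the intent.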
diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox index a5f4a7ef9..0dc19e1af 100644 --- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox +++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox @@ -7,8 +7,10 @@ abi , include +@{name} = signal-desktop{,-beta} @{lib_dirs} = @{lib}/signal-desktop /opt/Signal{,?Beta} @{config_dirs} = @{user_config_dirs}/Signal{,?Beta} +@{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/chrome-sandbox profile signal-desktop-chrome-sandbox @{exec_path} { @@ -19,7 +21,7 @@ profile signal-desktop-chrome-sandbox @{exec_path} { @{exec_path} mr, - @{lib_dirs}/signal-desktop{,-beta} rPx, + @{lib_dirs}/@{name} rPx, @{PROC}/@{pid}/ r, @{PROC}/@{pid}/oom_adj w, diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper index 87afa46eb..aae606395 100644 --- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper +++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper @@ -17,7 +17,6 @@ profile spice-client-glib-usb-acl-helper @{exec_path} { @{exec_path} mr, - @{PROC}/sys/kernel/cap_last_cap r, owner @{PROC}/@{pid}/stat r, include if exists diff --git a/apparmor.d/profiles-s-z/switcherooctl b/apparmor.d/profiles-s-z/switcherooctl index 9979c9246..1e9d50989 100644 --- a/apparmor.d/profiles-s-z/switcherooctl +++ b/apparmor.d/profiles-s-z/switcherooctl @@ -12,7 +12,7 @@ profile switcherooctl @{exec_path} { include include - #aa:dbus own bus=system name=net.hadess.SwitcherooControl + #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 44a34595e..cc540ae93 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb 
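Review bot: `@{cache_dirs} = @{user_cache_dirs}/@{name}` is defined in the first signal-desktop-chrome-sandbox hunk, but no rule in either visible hunk references it; if the rest of the file does not use it either, it is a dead variable and should be dropped, or the cache rule that needs it added. The `@{name}` substitution in `@{lib_dirs}/@{name} rPx,` is fine and keeps the beta path in step with the variable.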
@@ -115,9 +115,10 @@ profile tomb @{exec_path} { include include + capability dac_read_search, capability sys_admin, - umount @{MOUNTS}/{,*/}, + umount @{MOUNTS}/{,**/}, @{bin}/umount mr, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 6f74c826e..b835be9e7 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -11,8 +11,6 @@ include profile udisksd @{exec_path} flags=(attach_disconnected) { include include - include - include include include @@ -60,9 +58,11 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{run}/udisks2/temp-mount-*/, umount /media/cdrom@{int}/, - signal (receive) set=(int) peer=@{p_systemd}, + signal receive set=int peer=@{p_systemd}, #aa:dbus own bus=system name=org.freedesktop.UDisks2 + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -88,6 +88,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{bin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, + @{bin}/xfs_db rPUx, /etc/crypttab r, /etc/fstab r, diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index ceefecbf2..3a729a989 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -10,20 +10,13 @@ include @{exec_path} = @{bin}/wpa_gui profile wpa-gui @{exec_path} { include - include + include include - include - include - include - include + include include - include - include @{exec_path} mr, - /usr/share/hwdata/pnp.ids r, - owner @{tmp}/wpa_ctrl_@{pid}-[0-9] w, owner /dev/shm/#@{int} rw, From bdac1adf8fd0d4e259319fda3d25bdea4a6f39e8 Mon Sep 17 00:00:00 2001 
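Review bot: `umount @{MOUNTS}/{,**/},` lets this child profile unmount a mount point nested at any depth under `@{MOUNTS}`, where the previous `{,*/}` allowed one level, and the added `capability dac_read_search,` widens what it can traverse; neither change carries a comment explaining which tomb layout needs it. I would add `# Tombs may be mounted below a subdirectory of @{MOUNTS}` (or whatever the actual trigger was) above the `umount` rule. The enclosing child profile starts and ends outside the hunk.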
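Review bot: `@{bin}/xfs_db rPUx,` in the udisksd `@@ -88,6 +88,7` hunk runs xfs_db unconfined whenever no `xfs_db` profile is loaded, and udisksd runs as root, so the fallback is a root process with raw block-device access outside any policy. If a profile for it exists in the tree, `rPx` makes a missing profile fail closed instead; if it does not, a short comment recording why the unconfined fallback is acceptable here would help the next reviewer.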
From: Alexandre Pujol Date: Wed, 18 Sep 2024 18:31:24 +0100 Subject: [PATCH 128/315] fix(aa-log): fix cleaning regex. fix #495 --- pkg/logs/logs.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index c1bcf81df..587e0b7b7 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -40,8 +40,8 @@ var ( `\x1d`, " ", // Remove basic rules from abstractions/base - `(?m)^.*/etc/[^/]+so.*$`, ``, - `(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+so.*$`, ``, + `(?m)^.*/etc/[^/]+\.so.*$`, ``, + `(?m)^.*/usr/(lib|lib32|lib64|libexec)/[^/]+\.so.*$`, ``, `(?m)^.*/usr/(lib|lib32|lib64|libexec)/locale/.*$`, ``, `(?m)^.*/usr/share/locale[^/]?/.*$`, ``, `(?m)^.*/usr/share/zoneinfo[^/]?/.*$`, ``, From 305fceb4139159e0beda2af573ce01773ea713a9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 18 Sep 2024 21:10:04 +0100 Subject: [PATCH 129/315] feat(profile): add buildx support in dockerd. --- apparmor.d/groups/virt/dockerd | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 64bba083d..9e17f678b 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
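Review bot: Both corrected patterns still replace the whole log line with an empty string (each pair is `pattern, ` followed by an empty raw string), so any event touching a matching path disappears from aa-log output regardless of the requested mode — a denied write to `/etc/ld.so.preload` or `/etc/ld.so.cache` is hidden along with the harmless read noise the filter is meant to drop. Since the base abstraction only grants read access to these files, restricting the two patterns to read events would keep the filter honest, e.g. `(?m)^.*/etc/[^/]+\.so.*requested_mask="r".*$` if the lines at this stage still carry the raw `requested_mask=` field. Note also that `\.so.*$` is not anchored to the end of the file name, so `/etc/ld.so.conf.d/…` and anything else containing `.so` is swallowed, which may or may not be intended. The enclosing `var (` block starts and ends outside the hunk.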
@@ -32,15 +32,24 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + mount /tmp/containerd-mount@{int}/, + mount /var/lib/docker/buildkit/**/, mount /var/lib/docker/overlay2/**/, + mount /var/lib/docker/tmp/buildkit-mount@{int}/, mount options=(rw, bind) -> /run/docker/netns/*, mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, mount options=(rw, rprivate) -> /.pivot_root@{int}/, mount options=(rw, rslave) -> /, + remount /tmp/containerd-mount@{int10}/, + remount /var/lib/docker/tmp/buildkit-mount@{int10}/, + umount /.pivot_root@{int}/, umount /run/docker/netns/*, + umount /tmp/containerd-mount@{int}/, + umount /var/lib/docker/buildkit/**/, umount /var/lib/docker/overlay*/**/, + umount /var/lib/docker/tmp/buildkit-mount@{int}/, pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, From ddd0388d7d5228b0d36fb05a808a8bc9699db63a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 18 Sep 2024 23:18:31 +0100 Subject: [PATCH 130/315] feat(profile): add mkcert. --- apparmor.d/profiles-m-r/mkcert | 43 ++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 apparmor.d/profiles-m-r/mkcert diff --git a/apparmor.d/profiles-m-r/mkcert b/apparmor.d/profiles-m-r/mkcert new file mode 100644 index 000000000..0941ad343 --- /dev/null +++ b/apparmor.d/profiles-m-r/mkcert 
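Review bot: The two `remount` rules use `@{int10}` (`remount /tmp/containerd-mount@{int10}/,` and `remount /var/lib/docker/tmp/buildkit-mount@{int10}/,`) while the `mount` and `umount` rules for the same directories use `@{int}`; if the two variables do not expand to the same digit range, a mount point that can be mounted and unmounted may fail to remount, or vice versa. Using `@{int}` on the remount lines as well keeps the three rule sets aligned, or a comment should say why remount deliberately matches only the ten-digit form.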
@@ -0,0 +1,43 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/mkcert +profile mkcert @{exec_path} { + include + include + include + include + include + + network netlink raw, + + @{exec_path} mr, + + @{bin}/certutil rix, + @{bin}/rm rix, + @{bin}/sudo rix, + @{bin}/tee rix, + @{bin}/trust rix, + @{bin}/update-ca-trust rPx, + + owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db{,-journal} rwk, + + owner @{HOME}/.pki/ rw, + owner @{HOME}/.pki/nssdb/ rw, + owner @{HOME}/.pki/nssdb/pkcs11.txt rw, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, + owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + + owner @{user_share_dirs}/mkcert/{,**} rw, + + owner @{PROC}/@{pids}//cgroup r, + + include if exists +} + +# vim:syntax=apparmor From 0f4c37c39afefd9f395e12c75985fc31f63646c8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 18 Sep 2024 23:31:48 +0100 Subject: [PATCH 131/315] feat(profile): add gimp. --- apparmor.d/profiles-g-l/gimp | 54 ++++++++++++++++++++++++++++++++++++ dists/flags/main.flags | 1 + 2 files changed, 55 insertions(+) create mode 100644 apparmor.d/profiles-g-l/gimp diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp new file mode 100644 index 000000000..bfdc6d640 --- /dev/null +++ b/apparmor.d/profiles-g-l/gimp 
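Review bot: `owner @{PROC}/@{pids}//cgroup r,` has a doubled slash, which looks like a typo for `owner @{PROC}/@{pid}/cgroup r,` (the `owner` qualifier also pairs more naturally with `@{pid}` than `@{pids}`); I would not rely on the parser collapsing `//`. The install path also looks incomplete: `sudo`, `tee`, `trust` and `update-ca-trust` are listed but `update-ca-certificates` (the Debian/Ubuntu equivalent) is not, and there is no write rule for a system trust-anchor directory, which as I recall is where `mkcert -install` pipes the root CA through `sudo tee`; with `@{bin}/sudo rix,` those root children stay under this profile, so that copy will presumably be denied in enforce mode. Keeping sudo as `ix` is the right choice — the root helpers inherit this confinement instead of escaping it — but the paths they write then have to be listed here.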
@@ -0,0 +1,54 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gimp{,-*} +profile gimp @{exec_path} { + include + include + include + include + include + include + + #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + @{lib}/gimp/*/plug-ins/** rix, + + @{open_path} rPx -> child-open-help, + + /usr/share/gimp/{,**} r, + /usr/share/mypaint-data/{,**} r, + /usr/share/xml/iso-codes/{,**} r, + + /etc/gimp/{,**} r, + + owner @{user_documents_dirs}/{,**} rw, + owner @{user_pictures_dirs}/{,**} rw, + owner @{user_work_dirs}/{,**} rw, + + owner @{user_cache_dirs}/babl/{,**} rw, + owner @{user_cache_dirs}/gegl-*/{,**} r, + owner @{user_cache_dirs}/gegl-*/{,**} r, + owner @{user_cache_dirs}/gimp/{,**} rw, + owner @{user_cache_dirs}/GIMP/{,**} rw, + + owner @{user_config_dirs}/gimp/{,**} rw, + owner @{user_config_dirs}/GIMP/{,**} rw, + + owner @{user_share_dirs}/gegl-*/{,**} r, + owner @{user_share_dirs}/GIMP/{,**} rw, + + owner @{tmp}/gimp/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index f2091d4f5..158f10791 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -134,6 +134,7 @@ gdm-generate-config complain gdm-runtime-config complain gdm-session attach_disconnected,complain gdm-xsession complain +gimp complain gmenudbusmenuproxy complain gnome-boxes complain gnome-browser-connector-host complain From 9be25c8498b62ac6432dca1736f6e9fbd3717fd5 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 18 Sep 2024 23:32:39 +0100 Subject: [PATCH 132/315] feat(profile): add baobab. --- apparmor.d/profiles-a-f/baobab | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 apparmor.d/profiles-a-f/baobab 
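Review bot: `owner @{user_cache_dirs}/gegl-*/{,**} r,` appears twice in a row; the duplicate is harmless to the parser but should be removed. Everything under `@{lib}/gimp/*/plug-ins/**` is executed with `rix`, so every plug-in installed there inherits the full gimp profile including `rw` on the documents, pictures and work directories; a one-line comment such as `# Plug-ins inherit the gimp profile` above that rule would make the trade-off explicit.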
diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab new file mode 100644 index 000000000..63a6ebd22 --- /dev/null +++ b/apparmor.d/profiles-a-f/baobab @@ -0,0 +1,27 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/baobab +profile baobab @{exec_path} { + include + include + include + include + + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + + @{exec_path} mr, + + # As a directory tree analyzer it needs full access to the filesystem + / r, + /** r, + + deny /boot/{,**} r, + + include if exists +} \ No newline at end of file From e9a5edb33235837479c01b3fb949a6de5574bfb7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 18 Sep 2024 23:36:00 +0100 Subject: [PATCH 133/315] feat(profile): add firewall-applet. --- apparmor.d/profiles-a-f/firewall-applet | 28 ++++++++++++++++++++++++ apparmor.d/profiles-a-f/firewall-config | 29 +++++++++++++++++++++++++ 2 files changed, 57 insertions(+) create mode 100644 apparmor.d/profiles-a-f/firewall-applet create mode 100644 apparmor.d/profiles-a-f/firewall-config diff --git a/apparmor.d/profiles-a-f/firewall-applet b/apparmor.d/profiles-a-f/firewall-applet new file mode 100644 index 000000000..b3571e628 --- /dev/null +++ b/apparmor.d/profiles-a-f/firewall-applet @@ -0,0 +1,28 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/firewall-applet +profile firewall-applet @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + + @{exec_path} mr, + + @{bin}/ r, + @{bin}/python3.@{int} r, + + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor 
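Review bot: `/** r,` grants read access to the contents of every file on the system, including the user's `~/.ssh`, `~/.gnupg` and any password store, while a disk-usage analyser only needs to list directories and stat their entries. If AppArmor does not mediate `stat()` for the abi this tree targets (worth confirming), `/**/ r,` on directories together with the existing `/ r,` should be enough and keeps file contents out of reach; the `deny /boot/{,**} r,` line shows some narrowing was already intended. The file is also the only new profile in this series without a trailing newline or the `# vim:syntax=apparmor` trailer (`\ No newline at end of file`), which is worth fixing for consistency with gimp, mkcert and firewall-applet.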
diff --git a/apparmor.d/profiles-a-f/firewall-config b/apparmor.d/profiles-a-f/firewall-config new file mode 100644 index 000000000..a752954e6 --- /dev/null +++ b/apparmor.d/profiles-a-f/firewall-config @@ -0,0 +1,29 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/firewall-config +profile firewall-config @{exec_path} { + include + include + include + include + + @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + + /usr/share/firewalld/__pycache__/ rw, + + /usr/share/firewalld/{,**} r, + + owner @{PROC}/@{pid}/mounts r, + + include if exists +} + +# vim:syntax=apparmor From fa668af54a590e02a15df463d20d3cd90c1dac70 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Sep 2024 00:00:54 +0100 Subject: [PATCH 134/315] feat(profile): add some gnome profiles. --- apparmor.d/groups/gnome/gnome-font-viewer | 19 ++++++++++++++++ .../groups/gnome/gnome-user-share-webdav | 21 ++++++++++++++++++ apparmor.d/groups/gnome/tracker-xdg-portal | 22 +++++++++++++++++++ 3 files changed, 62 insertions(+) create mode 100644 apparmor.d/groups/gnome/gnome-font-viewer create mode 100644 apparmor.d/groups/gnome/gnome-user-share-webdav create mode 100644 apparmor.d/groups/gnome/tracker-xdg-portal diff --git a/apparmor.d/groups/gnome/gnome-font-viewer b/apparmor.d/groups/gnome/gnome-font-viewer new file mode 100644 index 000000000..2844be9b7 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-font-viewer @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gnome-font-viewer +profile gnome-font-viewer @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor 
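Review bot: `/usr/share/firewalld/__pycache__/ rw,` grants write access to a directory under `/usr/share`, which is root-owned and normally read-only, and because of the trailing slash it covers only the directory entry itself, not the `.pyc` files Python would actually write there. If the intent is to silence the bytecode-cache attempt, `deny /usr/share/firewalld/__pycache__/{,**} w,` is the clearer rule; if firewall-config really runs as root and should cache, the rule needs `{,**}`. Either way a short comment explaining the choice would help.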
diff --git a/apparmor.d/groups/gnome/gnome-user-share-webdav b/apparmor.d/groups/gnome/gnome-user-share-webdav new file mode 100644 index 000000000..37e1ea496 --- /dev/null +++ b/apparmor.d/groups/gnome/gnome-user-share-webdav @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/gnome-user-share-webdav +profile gnome-user-share-webdav @{exec_path} { + include + include + + #aa:dbus own bus=session name=org.gnome.user-share.webdav + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/gnome/tracker-xdg-portal b/apparmor.d/groups/gnome/tracker-xdg-portal new file mode 100644 index 000000000..bf612104f --- /dev/null +++ b/apparmor.d/groups/gnome/tracker-xdg-portal @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{lib}/tracker-xdg-portal-3 +profile tracker-xdg-portal @{exec_path} flags=(complain) { + include + include + include + + #aa:dbus own bus=session name=org.freedesktop.portal.Tracker + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From 92b45f895cc71b013f5be8030bd5fac593d8d8c7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Sep 2024 00:16:07 +0100 Subject: [PATCH 135/315] feat(profile): add child-open-any. --- apparmor.d/groups/children/child-open-any | 42 +++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 apparmor.d/groups/children/child-open-any diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any new file mode 100644 index 000000000..3fcfe4abe --- /dev/null +++ b/apparmor.d/groups/children/child-open-any 
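Review bot: `profile tracker-xdg-portal @{exec_path} flags=(complain) {` hard-codes the complain flag in the profile, while the gimp profile added two commits earlier gets its flag from `dists/flags/main.flags` (`gimp complain`); mixing the two mechanisms means this profile is not switched to enforce by the flags file like the others. Move the flag to `dists/flags/main.flags` as `tracker-xdg-portal complain` and write the header as `profile tracker-xdg-portal @{exec_path} {`.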
@@ -0,0 +1,42 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# This profile is designed to be used in a child profile to limit what +# confined application can invoke via open helper. + +# This version of child-open allows to open any programs. + +abi , + +include + +profile child-open-any flags=(attach_disconnected) { + include + include + + @{open_path} mr, + + @{sh_path} r, + + @{bin}/** PUx, + @{lib}/** PUx, + @{user_bin_dirs}/** PUx, + /opt/*/** PUx, + /usr/local/bin/** PUx, + /usr/share/** PUx, + + @{bin}/ r, + @{user_bin_dirs}/ r, + / r, + /usr/ r, + /usr/local/bin/ r, + + /dev/tty rw, + + include if exists + include if exists +} + +# vim:syntax=apparmor + From 5def115a0eeaa1dbf65deecbdbfd35ae241b7542 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Sep 2024 00:20:13 +0100 Subject: [PATCH 136/315] build: enforce a few profiles. --- dists/flags/arch.flags | 13 ------------- dists/flags/main.flags | 9 --------- 2 files changed, 22 deletions(-) diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index e65ae5520..ba883e3c2 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags @@ -1,16 +1,3 @@ -archlinux-keyring-wkd-sync complain makepkg complain mkinitcpio attach_disconnected,complain pacman attach_disconnected,complain -pacman-conf attach_disconnected,complain -pacman-hook-dconf complain -pacman-hook-depmod complain -pacman-hook-dkms attach_disconnected,complain -pacman-hook-fontconfig complain -pacman-hook-gio complain -pacman-hook-gtk complain -pacman-hook-mkinitcpio attach_disconnected,complain -pacman-hook-perl complain -pacman-hook-systemd attach_disconnected,complain -pacman-key complain -yay complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 158f10791..8c28c7252 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags 
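Review bot: Every exec rule in this profile ends in `PUx`, so any program without a profile of its own — most of `/usr/share/**`, `@{lib}/**` and `/opt/*/**` — is launched fully unconfined from a helper whose header describes it as a way to limit what a confined application can invoke. That is the stated purpose of the "any" variant, but the header should say so plainly, e.g. `# Targets without a profile run unconfined (PUx); prefer child-open or child-open-help when the caller only needs a known set of programs.`, so that profile authors do not reach for it by default.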
@@ -28,7 +28,6 @@ akonadi_newmailnotifier_agent complain akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain -alacarte complain anacron complain appimagelauncherd complain apport attach_disconnected,complain @@ -123,11 +122,7 @@ flatpak-system-helper complain flatpak-validate-icon complain foliate attach_disconnected,complain fractal attach_disconnected,complain -freetube complain -freetube-chrome-sandbox complain fstrim complain -freetube complain -freetube-chrome-sandbox complain fuse-overlayfs complain fusermount complain gdm-generate-config complain @@ -264,7 +259,6 @@ networkd-dispatcher complain nm-online complain nm-openvpn-service-openvpn-helper complain nm-priv-helper complain -nmap complain nmcli complain nvidia-detector complain nvidia-persistenced complain @@ -273,8 +267,6 @@ okular complain ollama attach_disconnected,complain os-prober attach_disconnected,complain package-data-downloader complain -packagekitd attach_disconnected,complain -pacman-hook-dkms complain pam_kwallet_init complain pam-tmpdir-helper complain passim complain @@ -291,7 +283,6 @@ plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted qdbus complain -qemu-bridge-helper complain realmd complain remmina complain run-parts complain From 7a3a1f7725d07cbd7d969bba2649f31d330d1e40 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 19 Sep 2024 12:29:13 +0100 Subject: [PATCH 137/315] fix(profile): thunderbird: allow saving of draft. --- apparmor.d/profiles-s-z/thunderbird | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index dbf045333..208c581d8 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird 
@@ -52,6 +52,7 @@ profile thunderbird @{exec_path} { owner @{tmp}/MozillaMailnews/ rw, owner @{tmp}/MozillaMailnews/*.msf rw, + owner @{tmp}/nsemail.eml rw, owner @{tmp}/nsma rw, # Silencer From 96defe021c5bb238ef8f274db2fba7e3eefcbe56 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Sep 2024 23:24:15 +0100 Subject: [PATCH 138/315] feat(abs): add the pkexec app abs. --- apparmor.d/abstractions/app/pkexec | 39 +++++++++++++++++++ apparmor.d/groups/apt/synaptic | 9 ++++- apparmor.d/groups/gnome/gnome-system-monitor | 3 +- apparmor.d/groups/ubuntu/apport-gtk | 9 ++++- apparmor.d/groups/ubuntu/update-notifier | 11 +++++- .../profiles-a-f/flatpak-session-helper | 9 ++++- apparmor.d/profiles-g-l/gsmartcontrol-root | 9 ++++- apparmor.d/profiles-m-r/pkexec | 32 ++------------- 8 files changed, 85 insertions(+), 36 deletions(-) create mode 100644 apparmor.d/abstractions/app/pkexec diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec new file mode 100644 index 000000000..2c3669bcc --- /dev/null +++ b/apparmor.d/abstractions/app/pkexec @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Minimal set of rules for pkexec. + + include + include + include + include + include + + capability audit_write, + capability dac_override, + capability dac_read_search, + capability net_admin, + capability setgid, + capability setuid, + capability sys_resource, + + network netlink raw, # PAM + + #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd + + @{bin}/pkexec mr, + + @{etc_ro}/environment r, + @{etc_ro}/security/limits.d/{,*} r, + /etc/shells r, + + owner @{PROC}/@{pid}/loginuid r, + + owner /dev/tty@{int} rw, + + deny @{user_share_dirs}/gvfs-metadata/* r, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 2b8679c2a..6edd79767 100644 
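Review bot: The `abstractions/app/pkexec` hunk omits the `signal (send) set=(term, kill) peer=polkit-agent-helper,` and `ptrace (read),` rules that the stand-alone `pkexec` profile keeps (see its hunk later in this commit), so the new `pkexec` child profiles in synaptic, apport-gtk, update-notifier, flatpak-session-helper and gsmartcontrol-root will presumably be unable to signal the agent helper when pkexec tears it down. Either add those two rules here with a comment such as `# Tear down polkit-agent-helper`, or add them in each child. The `owner @{HOME}/.xsession-errors w,` file_inherit rule removed from the main profile is not carried over either, which may surface as denials on inherited stderr.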
--- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -48,7 +48,7 @@ profile synaptic @{exec_path} { @{bin}/dpkg-preconfigure rPx, @{bin}/localepurge rPx, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, @{bin}/ps rPx, @{bin}/software-properties-gtk rPx, @{bin}/tasksel rPx, @@ -110,6 +110,13 @@ profile synaptic @{exec_path} { deny @{bin}/gdbus x, deny @{user_share_dirs}/gvfs-metadata/{*,} r, + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 8e79bd015..4d0a5dd5d 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -82,8 +82,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { profile pkexec { include - - @{bin}/pkexec mr, + include include if exists } diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 0fd5fb7d9..dddb1f890 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -48,7 +48,7 @@ profile apport-gtk @{exec_path} { @{bin}/ldd rix, @{bin}/lsb_release rPx -> lsb_release, @{bin}/md5sum rix, - @{bin}/pkexec rPx, # TODO: rCx or something + @{bin}/pkexec rCx -> pkexec, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/uname rix, @@ -124,6 +124,13 @@ profile apport-gtk @{exec_path} { include if exists } + profile pkexec { + include + include + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 999502dbc..0487399fa 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier 
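Review bot: The `pkexec` child profile added in the `@@ -110,6 +110,13` hunk contains only includes, and `abstractions/app/pkexec` grants `@{bin}/pkexec mr` but no exec transition, so whatever synaptic asks pkexec to launch cannot actually be executed from this child — under the old `rPx` the main pkexec profile's `@{bin}/* PUx` covered it, so this is a real tightening and the target needs an explicit rule the way update-notifier's child lists `@{lib}/update-notifier/package-system-locked Px,`. The child profiles added in the apport-gtk, flatpak-session-helper and gsmartcontrol-root hunks have the same shape and the same gap, unless the `local/` include (whose target is not rendered here) supplies it; gnome-system-monitor's child is only partly visible so I cannot tell.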
@@ -53,7 +53,7 @@ profile update-notifier @{exec_path} { @{bin}/dpkg rPx -> child-dpkg, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/pkexec rPx, # TODO: rCx or rix to run /usr/lib/update-notifier/package-system-locked + @{bin}/pkexec rCx -> pkexec, @{bin}/snap rPUx, @{bin}/software-properties-gtk rPx, @{bin}/systemctl rCx -> systemctl, @@ -85,6 +85,15 @@ profile update-notifier @{exec_path} { @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, + profile pkexec { + include + include + + @{lib}/update-notifier/package-system-locked Px, + + include if exists + } + profile systemctl { include include diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 54b95b8e3..5f02a2fac 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -29,7 +29,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPx, @{bin}/getent rix, @{bin}/p11-kit rix, - @{bin}/pkexec rPx, # TODO: too wide, rCx. + @{bin}/pkexec rCx -> pkexec, @{bin}/printenv rix, @{bin}/ps rPx, @{bin}/test rix, @@ -46,6 +46,13 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root index 01b7d22e1..565634e10 100644 --- a/apparmor.d/profiles-g-l/gsmartcontrol-root +++ b/apparmor.d/profiles-g-l/gsmartcontrol-root @@ -17,7 +17,14 @@ profile gsmartcontrol-root @{exec_path} { @{bin}/which{,.debianutils} rix, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, + + profile pkexec { + include + include + + include if exists + } include if exists } diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index 49c762df9..d3e47a350 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
@@ -8,31 +8,16 @@ abi , include @{exec_path} = @{bin}/pkexec -profile pkexec @{exec_path} { +profile pkexec @{exec_path} flags=(complain) { include - include - include - include - include - include + include - capability audit_write, - capability dac_read_search, - capability net_admin, - capability setgid, # gdbus - capability setuid, # gmain - capability sys_ptrace, - capability sys_resource, - audit deny capability sys_nice, - - network netlink raw, + audit capability sys_nice, signal (send) set=(term, kill) peer=polkit-agent-helper, ptrace (read), - #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1.Authority label=polkitd - @{exec_path} mr, @{bin}/* PUx, @@ -40,22 +25,11 @@ profile pkexec @{exec_path} { /opt/*/** PUx, /usr/share/** PUx, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*} r, /etc/default/locale r, - /etc/shells r, @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pids}/stat r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/loginuid r, - - # file_inherit - owner /dev/tty@{int} rw, - owner @{HOME}/.xsession-errors w, - - # Silencer - deny @{user_share_dirs}/gvfs-metadata/* r, include if exists } From 8979d84633cd189cbfee2ecf2ea4c0102b49b521 Mon Sep 17 00:00:00 2001 
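Review bot: `audit deny capability sys_nice,` becomes `audit capability sys_nice,`, which flips the rule from an audited denial to an audited grant of CAP_SYS_NICE to a setuid-root helper — a widening that the commit message does not mention and the hunk does not explain; if the denial was merely noisy, `deny capability sys_nice,` without `audit` silences it while keeping the capability withheld, and if pkexec genuinely needs it the line deserves a why-comment. The header also now hard-codes `flags=(complain)`, while most of this tree drives flags from `dists/flags/main.flags`; moving the flag there keeps pkexec on the same enforce/complain switch as the other profiles.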
From: Alexandre Pujol Date: Fri, 20 Sep 2024 23:30:09 +0100 Subject: [PATCH 139/315] feat(profile): remove rules already included in the base abs. --- apparmor.d/groups/apt/apt-overlay | 1 - apparmor.d/groups/cron/cron-apt | 3 --- apparmor.d/groups/freedesktop/colord | 1 - apparmor.d/groups/freedesktop/geoclue | 2 -- apparmor.d/groups/gnome/evolution-alarm-notify | 1 - apparmor.d/groups/gnome/gnome-control-center | 1 - apparmor.d/groups/gnome/gnome-shell | 1 - apparmor.d/groups/gnome/gnome-shell-calendar-server | 1 - apparmor.d/groups/grub/grub-multi-install | 1 - apparmor.d/groups/kde/konsole | 1 - apparmor.d/groups/kde/startplasma | 3 +-- apparmor.d/groups/network/openvpn | 2 +- apparmor.d/groups/pacman/aurpublish | 2 -- apparmor.d/groups/systemd/systemd-logind | 1 - apparmor.d/groups/systemd/systemd-oomd | 7 +++---- apparmor.d/groups/systemd/systemd-resolved | 7 +++---- apparmor.d/groups/systemd/systemd-sleep-grub2 | 2 -- apparmor.d/groups/systemd/systemd-timesyncd | 1 - apparmor.d/groups/virt/k3s | 1 - apparmor.d/profiles-a-f/auditd | 1 - apparmor.d/profiles-a-f/boltd | 1 - apparmor.d/profiles-a-f/cups-browsed | 1 - apparmor.d/profiles-s-z/spice-vdagentd | 1 - 23 files changed, 8 insertions(+), 35 deletions(-) diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index fb567a5ef..158e7c57b 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay @@ -22,7 +22,6 @@ profile apt-overlay @{exec_path} { owner @{bin}/env r, @{lib}/ruby/{,**} r, - @{lib}/locale/locale-archive r, @{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk, /usr/share/rubygems-integration/{,**} r, diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt index 51057f47f..41c27ecc7 100644 --- a/apparmor.d/groups/cron/cron-apt +++ b/apparmor.d/groups/cron/cron-apt 
@@ -70,9 +70,6 @@ profile cron-apt @{exec_path} { /var/log/cron-apt/mail rw, /var/log/cron-apt/lastfullmessage rw, - # For the "ls" command - @{lib}/locale/locale-archive r, - # TMP /tmp/ r, owner @{tmp}/cron-apt.*/ rw, diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index 418864a6f..8ed35020a 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -52,7 +52,6 @@ profile colord @{exec_path} flags=(attach_disconnected) { @{desktop_share_dirs}/icc/edid-*.icc r, @{user_share_dirs}/icc/edid-*.icc r, - @{run}/systemd/journal/socket rw, @{run}/systemd/sessions/* r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue index e5d86092a..7e2a282ac 100644 --- a/apparmor.d/groups/freedesktop/geoclue +++ b/apparmor.d/groups/freedesktop/geoclue @@ -41,8 +41,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) { /var/lib/nscd/services r, /var/lib/dbus/machine-id r, - @{run}/systemd/journal/socket rw, - @{PROC}/@{pids}/cgroup r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index a4c2c4a92..abae74d45 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -34,7 +34,6 @@ profile evolution-alarm-notify @{exec_path} { @{exec_path} mr, /usr/share/evolution-data-server/{,**} r, - /usr/share/{,zoneinfo-}icu/{,**} r, /etc/timezone r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 535454199..aea86106a 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -165,7 +165,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 87cc77d0e..3ee2665e5 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -194,7 +194,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /opt/**/share/icons/{,**} r, /snap/*/@{uid}/**.png r, - /usr/share/{,zoneinfo-}icu/{,**} r, /usr/share/**.{png,jpg,svg} r, /usr/share/**/icons/{,**} r, /usr/share/backgrounds/{,**} r, diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index cc56eff59..371ed3e01 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -36,7 +36,6 @@ profile gnome-shell-calendar-server @{exec_path} { @{exec_path} mr, /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/{,zoneinfo-}icu/{,**} r, /etc/sysconfig/clock r, /etc/timezone r, diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install index 9cc94f9c1..9360173af 100644 --- a/apparmor.d/groups/grub/grub-multi-install +++ b/apparmor.d/groups/grub/grub-multi-install @@ -31,7 +31,6 @@ profile grub-multi-install @{exec_path} { /boot/grub/grub.cfg rw, - owner @{PROC}/@{pid}/maps r, owner @{PROC}/@{pid}/mounts r, /dev/disk/by-id/ r, diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 94bad21ba..164510ae7 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole 
@@ -35,7 +35,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{bin}/htop rPx, @{bin}/micro rPUx, @{bin}/nvtop rPx, - @{bin}/nvtop rPx, @{bin}/vim rUx, /usr/share/color-schemes/{,**} r, diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e57639b6e..c0cd5690c 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -73,8 +73,7 @@ profile startplasma @{exec_path} { owner @{run}/user/@{uid}/ r, - @{PROC}/sys/kernel/random/boot_id r, - owner @{PROC}/@{pid}/maps r, + @{PROC}/sys/kernel/random/boot_id r, /dev/tty r, /dev/tty@{int} rw, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 6bf8c168b..e94315846 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -59,7 +59,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { @{run}/NetworkManager/nm-openvpn-@{uuid} rw, @{run}/openvpn/*.{pid,status} rw, - @{run}/systemd/journal/dev-log rw, + @{run}/systemd/journal/dev-log r, @{bin}/ip rix, @{bin}/systemd-ask-password rPx, diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index 3f46e2fa6..cae1d7dca 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -57,8 +57,6 @@ profile aurpublish @{exec_path} { owner @{tmp}/tmp.@{rand10} rw, - owner @{PROC}/@{pid}/maps r, - /dev/tty rw, profile gpg { diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index 8db1923e5..d1fa06e7c 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -97,7 +97,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/ rw, @{run}/systemd/inhibit/.#* rw, @{run}/systemd/inhibit/@{int}{,.ref} rw, - @{run}/systemd/journal/socket rw, @{run}/systemd/notify rw, @{run}/systemd/seats/ rw, @{run}/systemd/seats/.#seat* rw, 
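Review bot: The openvpn hunk narrows `@{run}/systemd/journal/dev-log rw,` to `@{run}/systemd/journal/dev-log r,` instead of deleting it, unlike the other profiles in this commit where the journal socket rules are removed outright. If the base abstraction already grants the write side (which is what a client needs to log through that socket), a bare read permission on the socket path is most likely a leftover; either drop the line or add a comment naming the access that still needs it.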
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 9ebe87c49..21ef79495 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -24,10 +24,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) { /etc/systemd/oomd.conf r, /etc/systemd/oomd.conf.d/{,**} r, - @{run}/systemd/io.system.ManagedOOM rw, - @{run}/systemd/io.systemd.ManagedOOM rw, - @{run}/systemd/notify rw, - owner @{run}/systemd/journal/socket w, + @{run}/systemd/io.system.ManagedOOM rw, + @{run}/systemd/io.systemd.ManagedOOM rw, + @{run}/systemd/notify rw, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.* r, diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 7b2e7ffa9..34597caa1 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -41,10 +41,9 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { /etc/systemd/resolved.conf r, /etc/systemd/resolved.conf.d/{,*} r, - @{run}/systemd/netif/links/* r, - @{run}/systemd/notify rw, - @{run}/systemd/resolve/{,**} rw, - owner @{run}/systemd/journal/socket w, + @{run}/systemd/netif/links/* r, + @{run}/systemd/notify rw, + @{run}/systemd/resolve/{,**} rw, @{PROC}/@{pid}/cgroup r, @{PROC}/pressure/* r, diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub2 b/apparmor.d/groups/systemd/systemd-sleep-grub2 index e7ae09355..9c718f7b0 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub2 +++ b/apparmor.d/groups/systemd/systemd-sleep-grub2 @@ -19,8 +19,6 @@ profile systemd-sleep-grub @{exec_path} { /etc/sysconfig/bootloader r, - @{PROC}/@{pid}/maps r, - /dev/tty rw, include if exists diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 51fd6358e..4f0903d1f 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd 
@@ -38,7 +38,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/netif/state r, @{run}/systemd/notify rw, @{run}/systemd/timesyncd.conf.d/{,**} r, - owner @{run}/systemd/journal/socket w, owner @{run}/systemd/timesync/synchronized rw, @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index e1cded61d..c2183c33b 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s @@ -130,7 +130,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/net/ipv{4,6}/conf/default/* rw, @{PROC}/sys/net/bridge/bridge-nf-call-iptables r, @{PROC}/sys/net/netfilter/* rw, - @{PROC}/sys/vm/overcommit_memory rw, @{PROC}/sys/vm/panic_on_oom r, @{sys}/class/net/ r, diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd index 935a84c69..8c1878604 100644 --- a/apparmor.d/profiles-a-f/auditd +++ b/apparmor.d/profiles-a-f/auditd @@ -27,7 +27,6 @@ profile auditd @{exec_path} flags=(attach_disconnected) { /var/log/audit/{,**} rw, - @{run}/systemd/journal/dev-log w, owner @{run}/auditd.pid rwl, owner @{run}/auditd.state rw, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index 47c16d1cd..e5464290a 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -26,7 +26,6 @@ profile boltd @{exec_path} flags=(attach_disconnected) { owner @{run}/boltd/{,**} rw, @{run}/systemd/notify rw, - @{run}/systemd/journal/socket w, @{run}/udev/data/+thunderbolt:* r, @{sys}/bus/ r, diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed index 2abffbe16..6b01087b9 100644 --- a/apparmor.d/profiles-a-f/cups-browsed +++ b/apparmor.d/profiles-a-f/cups-browsed @@ -39,7 +39,6 @@ profile cups-browsed @{exec_path} { @{exec_path} mr, /usr/share/cups/locale/{,**} r, - /usr/share/locale/{,**} r, /etc/cups/{,**} r, 
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd index e9a8b6330..70eca91fe 100644 --- a/apparmor.d/profiles-s-z/spice-vdagentd +++ b/apparmor.d/profiles-s-z/spice-vdagentd @@ -16,7 +16,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - @{run}/systemd/journal/dev-log w, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, From e15bdcc9ad71f88d935e77efe611ca57bbab75a8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 20 Sep 2024 23:34:03 +0100 Subject: [PATCH 140/315] feat(profile): firefox: handle nnp with keepassxc-proxy. --- apparmor.d/abstractions/app/firefox | 2 -- apparmor.d/groups/browsers/firefox | 7 ++++--- apparmor.d/profiles-g-l/keepassxc-proxy | 6 +++--- 3 files changed, 7 insertions(+), 8 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 55ff461aa..66a517721 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -105,8 +105,6 @@ owner /dev/shm/org.mozilla.ipc.@{pid}.@{int} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, - owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w, - @{run}/mount/utab r, @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index ef8bf5842..f35949078 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -19,7 +19,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { include include - signal (send) set=(term, kill) peer=keepassxc-proxy, + signal send set=(term, kill) peer=firefox//&keepassxc-proxy, #aa:dbus own bus=session name=org.mozilla.firefox #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2 
@@ -46,8 +46,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) { # Common extensions /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp* rPx, @{bin}/browserpass rPx, - # As a temporary solution - see issue #128 - @{bin}/keepassxc-proxy rix, + @{bin}/keepassxc-proxy rPx -> firefox//&keepassxc-proxy, owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r, owner @{user_config_dirs}/ibus/bus/ r, @@ -72,6 +71,8 @@ profile firefox @{exec_path} flags=(attach_disconnected) { owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw, owner @{tmp}/Mozillato-be-removed-cachePurge-{@{hex15},@{hex16}} rwk, + owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w, + # Silencer deny @{lib_dirs}/** w, diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy index 5e9736108..a193df0ee 100644 --- a/apparmor.d/profiles-g-l/keepassxc-proxy +++ b/apparmor.d/profiles-g-l/keepassxc-proxy @@ -12,14 +12,14 @@ profile keepassxc-proxy @{exec_path} { include include - signal (receive) set=(term, kill), - network inet dgram, network inet6 dgram, network inet stream, network inet6 stream, network netlink raw, + signal receive set=(term, kill) peer=firefox, + @{exec_path} mr, /usr/share/icons/*/index.theme r, @@ -32,7 +32,7 @@ profile keepassxc-proxy @{exec_path} { # file_inherit deny owner @{run}/user/@{uid}/.[a-zA-Z]*/{,s} rw, deny owner @{run}/user/@{uid}/kpxc_server rw, - deny /dev/shm/org.chromium.* rw, + deny /dev/shm/org.chromium.@{rand6} rw, deny owner /dev/shm/org.mozilla.ipc.@{int}.@{int} rw, deny owner @{HOME}/.mozilla/** rw, deny owner @{user_cache_dirs}/mozilla/** rw, From 8572a3ec074f87237653afafca0bc3a0327664de Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Sep 2024 13:16:46 +0100 Subject: [PATCH 141/315] doc: improve the directives page. --- docs/development/directives.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
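Review bot: The socket name added in the third firefox hunk is misspelled: `owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowsrServer w,` is missing the "e" that the rule deleted from abstractions/app/firefox in this same commit carries (`org.keepassxc.KeePassXC.BrowserServer`). As written the rule never matches, so firefox loses the write access the abstraction used to grant, and since keepassxc-proxy now runs stacked as `firefox//&keepassxc-proxy` — where both profiles must permit an access — the proxy presumably loses it too. Change the line to `owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer w,`.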
diff --git a/docs/development/directives.md b/docs/development/directives.md index 291b0b74e..7263b4910 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md @@ -63,7 +63,7 @@ The `only` and `exclude` directives can be used to filter individual rule or rul ## Exec -The `exec` directive is useful to allow executing transitions to a profile without having to manage the possible long list of profile attachments (it varies depending on the distribution). The directives parse and resolve the attachment variable (`@{exec_path}`) of the target profile and includes it in the current profile. +The `exec` directive is useful to allow executing transitions to a profile without having to manage the possible long list of profile attachments (it varies depending on the distribution). The directive parses and resolves the attachment variable (`@{exec_path}`) of the target profile and includes it in the current profile. **Format** @@ -103,7 +103,7 @@ The `exec` directive is useful to allow executing transitions to a profile witho ## Stack -[Stacked](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) profiles can be hard to maintain. The *parent* profile needs to manage its own rules as well as always include the stacked profile rules. This directive automatically include the stacked profile rules into the parent profile. +[Stacked](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) profiles can be hard to maintain. The *parent* profile needs to manage its own rules as well as always including access from the *child* profile. In most profile using stacking, the *child* profile is often naturally included in the *parent*. However, sometime the child profile is fully different. This directive automatically include the stacked profile rules into the parent profile. **Format** 
@@ -147,7 +147,6 @@ The `exec` directive is useful to allow executing transitions to a profile witho @{run}/systemd/io.system.ManagedOOM rw, @{run}/systemd/io.systemd.ManagedOOM rw, @{run}/systemd/notify rw, - owner @{run}/systemd/journal/socket w, @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/memory.pressure r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r, From 064e9edec2f2baa442ec37f36712ffd5cf9bef72 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Sep 2024 13:18:03 +0100 Subject: [PATCH 142/315] fix(profile): ensure torbrowser-update can start torbrowser. --- apparmor.d/groups/browsers/torbrowser-updater | 2 +- apparmor.d/groups/browsers/torbrowser-vaapitest | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/browsers/torbrowser-updater b/apparmor.d/groups/browsers/torbrowser-updater index 3bc8e591d..5aaa82c2a 100644 --- a/apparmor.d/groups/browsers/torbrowser-updater +++ b/apparmor.d/groups/browsers/torbrowser-updater @@ -16,7 +16,7 @@ profile torbrowser-updater @{exec_path} { @{exec_path} mr, @{lib_dirs}/*.so mr, - @{lib_dirs}/firefox{,.real} Px, + @{lib_dirs}/firefox{,.real} Px -> torbrowser, owner @{lib_dirs}/{,**} rw, diff --git a/apparmor.d/groups/browsers/torbrowser-vaapitest b/apparmor.d/groups/browsers/torbrowser-vaapitest index 7570d6ce4..cf68f3ea7 100644 --- a/apparmor.d/groups/browsers/torbrowser-vaapitest +++ b/apparmor.d/groups/browsers/torbrowser-vaapitest @@ -24,6 +24,7 @@ profile torbrowser-vaapitest @{exec_path} flags=(attach_disconnected) { deny @{lib_dirs}/{,browser/}omni.ja r, deny @{cache_dirs}/profile.default/startupCache/* r, deny @{config_dirs}/.parentlock rw, + deny @{config_dirs}/extensions/*.xpi r, include if exists } From 89240929e9bc55a1b671766874a27af5251b369e Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 21 Sep 2024 13:19:35 +0100 Subject: [PATCH 143/315] feat(profile): thunderbird: allow to open attachment. --- apparmor.d/groups/gnome/gnome-calendar | 2 ++ apparmor.d/profiles-s-z/thunderbird | 1 + 2 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index c74292f4b..2db321baf 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -44,6 +44,8 @@ profile gnome-calendar @{exec_path} { /usr/share/evolution-data-server/{,**} r, /usr/share/libgweather/Locations.xml r, + owner @{tmp}/pid-@{pid}/*.ics r, + include if exists } diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index 208c581d8..a9490c6f7 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -54,6 +54,7 @@ profile thunderbird @{exec_path} { owner @{tmp}/MozillaMailnews/*.msf rw, owner @{tmp}/nsemail.eml rw, owner @{tmp}/nsma rw, + owner @{tmp}/pid-@{pid}/{,**} w, # Silencer deny capability sys_ptrace, From cc33e29af0987c32816383ec581bdde4700aa30d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Sep 2024 13:35:57 +0100 Subject: [PATCH 144/315] feat(profile): dbus: allow to talk with org.gtk.vfs for some profiles. --- apparmor.d/groups/gnome/gnome-shell | 8 +------- apparmor.d/groups/gnome/gnome-text-editor | 2 ++ apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/profiles-a-f/evince | 6 +----- 4 files changed, 6 insertions(+), 12 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 3ee2665e5..c72652065 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -34,9 +34,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include - include - include - include include include include 
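Review bot: The thunderbird rule `owner @{tmp}/pid-@{pid}/{,**} w,` carries no comment explaining the write-only access, while the gnome-calendar hunk of the same commit reads `pid-@{pid}/*.ics` from the same directory layout. If `@{pid}` is a numeric pattern rather than the writing process's own id (both hunks use it the same way), the rule spans every user-owned `pid-<n>` directory under @{tmp}, which the `owner` qualifier makes acceptable but is worth recording, e.g. `# Attachments are written to @{tmp}/pid-<n>/ before being handed to an external viewer`.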
@@ -93,6 +90,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-* + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" # System bus @@ -135,10 +133,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Embed peer=(name=org.a11y.atspi.Registry), - dbus send bus=session path=/org/gtk/vfs/** - interface=org.gtk.vfs.* - peer=(name=:*, label=gvfsd*), - dbus send bus=session path=/org/ayatana/NotificationItem/* interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 80ff8310d..8641e01bd 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -15,6 +15,8 @@ profile gnome-text-editor @{exec_path} { include include + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{exec_path} mr, owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 6d53ebf44..a90f8664f 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -19,6 +19,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal (send) set=(kill) peer=loupe//bwrap, + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" + @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 73d73eb02..3ac55439a 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince 
@@ -31,11 +31,7 @@ profile evince @{exec_path} { #aa:dbus own bus=session name=org.gnome.evince #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.MediaKeys label=gsd-media-keys - - dbus send bus=session path=/org/gtk/vfs/metadata - interface=org.gtk.vfs.Metadata - member={Set,GetTreeFromDevice} - peer=(name=:*, label=gvfsd-metadata), + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} rix, From 38a5799979e58a2cb4efe3b488dad761b775a461 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Sep 2024 14:35:25 +0100 Subject: [PATCH 145/315] fix(profile): transmission translation fix #503 --- apparmor.d/profiles-s-z/transmission | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 07aca1890..44f89d2b1 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -27,6 +27,8 @@ profile transmission @{exec_path} { @{open_path} rPx -> child-open, + /usr/share/transmission/{,**} r, + owner @{user_torrents_dirs}/ r, owner @{user_torrents_dirs}/** rw, From f2011688771d2983f9399d20aff522ec73cb86e8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Sep 2024 16:03:02 +0100 Subject: [PATCH 146/315] fix(profile): thunderbird: cpu.max and owner fix #504 --- apparmor.d/abstractions/app/firefox | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 66a517721..23a91593f 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox 
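Review bot: The evince rule replaced here widens the allowed D-Bus surface considerably: the deleted rule permitted sending only `{Set,GetTreeFromDevice}` on `org.gtk.vfs.Metadata` at `/org/gtk/vfs/metadata` to a peer labelled `gvfsd-metadata`, whereas `#aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"` presumably expands to send and receive rules covering every gvfsd backend. If the directive is kept for consistency with gnome-text-editor and loupe, a comment such as `# Replaces the former metadata-only rule; evince needs other gvfsd backends too` would record the trade-off, otherwise the specific rule is the least-privilege choice. It is also worth confirming that the directive's expansion still matches the `:*` unique-name peer and the `org.gtk.vfs.Metadata` interface the deleted rule named, or evince loses metadata access instead of gaining scope. The gnome-shell hunk in this commit makes a similar though smaller widening, since its removed rule already covered `/org/gtk/vfs/**` and `org.gtk.vfs.*` but in the send direction only.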
@@ -122,7 +122,7 @@ @{sys}/devices/power/events/energy-* r, @{sys}/devices/power/type r, @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r, @{PROC}/@{pid}/net/arp r, From c1d8958aedcaf1b662e9e6d6c32ac042b6e65753 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Sep 2024 16:07:55 +0100 Subject: [PATCH 147/315] fix(profile): missing rule in resolvconf. fix #502 --- apparmor.d/profiles-m-r/resolvconf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index 981af134f..caa13b97d 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf @@ -15,6 +15,7 @@ profile resolvconf @{exec_path} { @{sh_path} rix, @{bin}/cat rix, + @{bin}/cp rix, @{bin}/flock rix, @{bin}/mkdir rix, @{bin}/mv rix, @@ -27,10 +28,14 @@ profile resolvconf @{exec_path} { /usr/lib/resolvconf/{,**} r, + @{etc_rw}/resolv.conf.bak rw, @{etc_rw}/resolv.conf rw, + /etc/resolvconf.conf r, /etc/resolvconf/{,**} r, /etc/resolvconf/update.d/libc rix, + / r, + owner @{run}/resolvconf/{,**} rw, owner @{run}/resolvconf/run-lock wk, From 688f2651fdfa413bc58876aef00685ac6cdc25ee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Sep 2024 22:14:30 +0100 Subject: [PATCH 148/315] feat(tunable): improve python name definition. --- apparmor.d/tunables/multiarch.d/programs | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/programs b/apparmor.d/tunables/multiarch.d/programs index 61d3713ae..406336e49 100644 --- a/apparmor.d/tunables/multiarch.d/programs +++ b/apparmor.d/tunables/multiarch.d/programs 
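Review bot: The bare `/ r,` added at the end of the second resolvconf hunk has no comment, unlike the neighbouring entries whose purpose is evident from their paths; a directory listing of `/` is harmless but surprising in a resolver helper, so name the step that needs it, e.g. `/ r, # TODO(review): note which update-script step lists the root directory`.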
@@ -26,7 +26,8 @@ @{coreutils} += truncate tsort tty uname unexpand uniq unlink updatedb vdir wc who whoami xargs yes # Python interpreters -@{python_name} = python{,3,3.[0-9],3.1[0-9]} +@{python_version} = 3 3.[0-9] 3.1[0-9] +@{python_name} = python python@{python_version} # Open @{open_names} = exo-open xdg-open gio kde-open gio-launch-desktop @@ -60,9 +61,9 @@ @{torbrowser_name} = torbrowser "tor browser" @{torbrowser_lib_dirs} = @{HOME}/.tb/tor-browser/Browser/ -# Emails +# Emails -@{thunderbird_name} = thunderbird{,-bin} +@{thunderbird_name} = thunderbird{,-bin} @{thunderbird_lib_dirs} = @{lib}/@{thunderbird_name} @{emails_names} = evolution geary From 7f657780e5fc0cbcaad6dc1ec79de4d361ea7dea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 21 Sep 2024 22:24:45 +0100 Subject: [PATCH 149/315] feat(tunable): add the word @{w} and digit @{d} variables. --- apparmor.d/tunables/multiarch.d/system | 33 +++++++++++++++++++++----- 1 file changed, 27 insertions(+), 6 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 4fb8304cd..d51ede6ca 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system 
@@ -11,22 +11,29 @@ # Single alphanumeric character @{c}=[0-9a-zA-Z] +# Word character. Matches any letter, digit or underscore. +@{w}=[a-zA-Z0-9_] + +# Any digit +@{d}=[0-9] + # Integer up to 10 digits (0-9999999999) -@{int}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],} +@{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} # Unsigned integer over 8 bits (0-255) # 0 - 99 100 - 199 200 - 249 250 - 255 @{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] # Unsigned integer over 16 bits (0-65535, 5 digits) -@{u16}=[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],} +@{u16}=@{d}{@{d},}{@{d},}{@{d},}{@{d},} -# hexadecimal, alphanumeric up to 64 characters +# hexadecimal, alphanumeric and word up to 64 characters @{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} @{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} 
+@{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} # Any x digits characters -@{int2}=[0-9][0-9] +@{int2}=@{d}@{d} @{int4}=@{int2}@{int2} @{int6}=@{int4}@{int2} @{int8}=@{int4}@{int4} @@ -42,6 +49,7 @@ @{hex8}=@{hex4}@{hex4} @{hex9}=@{hex8}@{h} @{hex10}=@{hex8}@{hex2} +@{hex12}=@{hex8}@{hex4} @{hex15}=@{hex8}@{hex4}@{hex2}@{h} @{hex16}=@{hex8}@{hex8} @{hex32}=@{hex16}@{hex16} 
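Review bot: The first tunables hunk converts `@{int}`, `@{u16}` and `@{int2}` to the new `@{d}` building block but leaves the `@{u8}` context line on the old form, `@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]`; for consistency with the rest of the hunk it could become `@{u8}=@{d}{@{d},} 1@{d}@{d} 2[0-4]@{d} 25[0-5]`. The new comment above `@{w}` says it matches "any letter, digit or underscore", which matches the class `[a-zA-Z0-9_]` — fine as documented.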
@@ -55,17 +63,30 @@ @{rand8}=@{rand4}@{rand4} @{rand9}=@{rand8}@{c} @{rand10}=@{rand8}@{rand2} +@{rand12}=@{rand8}@{rand4} @{rand15}=@{rand8}@{rand4}@{rand2}@{c} @{rand16}=@{rand8}@{rand8} @{rand32}=@{rand16}@{rand16} @{rand64}=@{rand64}@{rand64} +# Any x word characters +@{word2}=@{w}@{w} +@{word4}=@{word2}@{word2} +@{word6}=@{word4}@{word2} +@{word8}=@{word4}@{word4} +@{word9}=@{word8}@{w} +@{word10}=@{word8}@{word2} +@{word12}=@{word8}@{word4} +@{word15}=@{word8}@{word4}@{word2}@{w} +@{word16}=@{word8}@{word8} +@{word32}=@{word16}@{word16} +@{word64}=@{word32}@{word32} + # Universally unique identifier @{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} # Username & group valid characters -@{u}=[a-zA-Z0-9_] -@{user}=[a-zA-Z_]{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},}{@{u},} +@{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} @{group}=@{user} # Semantic version From c085c8038b87a233f82445f2531f46a039efbf0d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Sep 2024 13:57:32 +0100 Subject: [PATCH 150/315] feat(abs): add glfw. fix #508 --- apparmor.d/abstractions/glfw | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 apparmor.d/abstractions/glfw diff --git a/apparmor.d/abstractions/glfw b/apparmor.d/abstractions/glfw new file mode 100644 index 000000000..f52fb926d --- /dev/null +++ b/apparmor.d/abstractions/glfw 
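Review bot: The context line `@{rand64}=@{rand64}@{rand64}` directly above the new `@{word64}=@{word32}@{word32}` defines the variable in terms of itself, while the word and hex variants are built from their 32-length form. It is not introduced by this commit, but since the hunk already touches the adjacent lines, `@{rand64}=@{rand32}@{rand32}` is a one-line fix to carry along; any rule relying on `@{rand64}` today is presumably not matching as intended.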
@@ -0,0 +1,9 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + + owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw, + + include if exists + +# vim:syntax=apparmor From 62cb546afa8c29b740d6a0979b51bfb3c8f1cff7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Sep 2024 14:59:44 +0100 Subject: [PATCH 151/315] feat(fps): improve systemd profiles. --- apparmor.d/groups/_full/bwrap-app | 1 - apparmor.d/groups/_full/systemd | 54 +++++++++++++------- apparmor.d/groups/_full/systemd-user | 53 ++++++++++--------- apparmor.d/groups/_full/systemd-user-service | 23 +++++++++ 4 files changed, 88 insertions(+), 43 deletions(-) create mode 100644 apparmor.d/groups/_full/systemd-user-service diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app index bfe12e560..d0ddfaaad 100644 --- a/apparmor.d/groups/_full/bwrap-app +++ b/apparmor.d/groups/_full/bwrap-app @@ -11,7 +11,6 @@ include profile bwrap-app flags=(attach_disconnected,mediate_deleted) { include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index d85d04e2f..36c31e60e 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -107,7 +107,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { umount @{run}/systemd/unit-root/{,**}, pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/, - pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, + pivot_root oldroot=@{run}/systemd/unit-root/ @{run}/systemd/unit-root/, change_profile, 
@@ -129,29 +129,37 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { member=GetConnectionUnixUser peer=(name=org.freedesktop.DBus, label=dbus-system), - @{bin}/systemctl rix, - @{bin}/mount rix, + @{bin}/** Px, + @{lib}/** Px, + /etc/cron.*/* Px, + /etc/init.d/* Px, + /usr/share/*/** Px, - @{lib}/systemd/systemd-executor rix, - @{lib}/systemd/systemd rpx -> systemd-user, + # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) + @{lib}/systemd/systemd-executor ix, - @{bin}/ldconfig rPx -> systemd-service, - @{bin}/mandb rPx -> systemd-service, - @{bin}/savelog rPx -> systemd-service, - @{coreutils_path} rPx -> systemd-service, - @{sh_path} rPx -> systemd-service, + # Systemd user: systemd --user + @{lib}/systemd/systemd px -> systemd-user, - @{bin}/** Px, - @{lib}/** Px, - /etc/cron.*/* Px, - /etc/init.d/* Px, - /usr/share/*/** Px, + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + # Unit services + @{bin}/mount ix, + + # Shell based systemd unit services + @{bin}/ldconfig Px -> systemd-service, + @{bin}/mandb Px -> systemd-service, + @{bin}/savelog Px -> systemd-service, + @{coreutils_path} Px -> systemd-service, + @{sh_path} Px -> systemd-service, + + # Systemd profiles that need be stacked #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd - @{lib}/systemd/systemd-networkd rPx -> systemd//&systemd-networkd, - @{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd, - @{lib}/systemd/systemd-resolved rPx -> systemd//&systemd-resolved, - @{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd, + @{lib}/systemd/systemd-networkd Px -> systemd//&systemd-networkd, + @{lib}/systemd/systemd-oomd Px -> systemd//&systemd-oomd, + @{lib}/systemd/systemd-resolved Px -> systemd//&systemd-resolved, + @{lib}/systemd/systemd-timesyncd Px -> systemd//&systemd-timesyncd, @{lib}/ r, / r, 
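Review bot: The new comment `# Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)` above `@{lib}/systemd/systemd-executor ix,` reads as a typo for "starter", and the same sentence is copied into the systemd-user hunk of this commit. Since `ix` keeps systemd-executor inside the systemd profile, which the preceding hunk shows holds `umount`, `pivot_root` and `change_profile` rights, a short clarification that the executor intentionally inherits the full profile would help a reader see why it is not `Px`-separated like the `@{lib}/**` executables listed just above it, e.g. `# Systemd internal service starter and config handler; runs inherited because it sets up the unit's sandbox before exec`.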
@@ -254,6 +262,14 @@ profile systemd flags=(attach_disconnected,mediate_deleted) { owner /dev/shm/ rw, owner /dev/ttyS@{int} rwk, + profile systemctl { + include + include + + include if exists + include if exists + } + include if exists include if exists } diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index f88604124..7b6ef77fb 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user 
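Review bot: The new `profile systemctl { … }` child added at the end of the systemd profile carries no `flags=`, while its parent runs with `attach_disconnected,mediate_deleted`; as far as I can tell child profiles do not inherit the parent's flags, and the gamemoded follow-up later in this series has to add `flags=(attach_disconnected)` to a child for exactly that reason. systemctl launched by units that run in a private mount namespace (the parent's `pivot_root`/`unit-root` rules show that case is expected) would then hit disconnected-path denials the parent was built to tolerate. Suggest `profile systemctl flags=(attach_disconnected) {`, or a one-line comment stating why the child deliberately runs without it. The include targets inside the child were lost in this extract, so I cannot tell whether the included abstraction grants `@{bin}/systemctl mr`.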
@@ -25,40 +25,47 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) { network netlink raw, - signal (send) set=(term, cont, kill), - signal (receive) set=(hup) peer=@{p_systemd}, + signal send set=(term, cont, kill), + signal receive set=hup peer=@{p_systemd}, - ptrace (read) peer=@{p_systemd}, + ptrace read peer=@{p_systemd}, - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-system, - unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, + unix bind type=stream addr=@@{hex16}/bus/systemd/bus-system, + unix bind type=stream addr=@@{hex16}/bus/systemd/bus-api-user, #aa:dbus own bus=session name=org.freedesktop.systemd1 @{exec_path} mr, - @{bin}/dbus-broker rpx -> dbus-session, - @{bin}/dbus-broker-launch rpx -> dbus-session, - @{bin}/dbus-daemon rpx -> dbus-session, - @{lib}/dbus-1.0/dbus-daemon-launch-helper rpx -> dbus-session, + @{bin}/** Px, + @{lib}/** Px, + /etc/cron.*/* Px, + /opt/*/** Px, + /usr/share/*/** Px, - @{bin}/systemctl rCx -> systemctl, - @{lib}/systemd/systemd-executor rix, - @{sh_path} rix, # Should be handled by default profile? - @{bin}/grep rix, - @{bin}/sleep rix, + # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.) 
+ @{lib}/systemd/systemd-executor ix, - @{bin}/** Px, - @{lib}/** Px, - /opt/*/** Px, - /usr/share/*/** Px, + # Unit services using systemctl + @{bin}/systemctl Cx -> systemctl, + # Shell based ystemd unit services + @{coreutils_path} Px -> systemd-user-service, + @{sh_path} Px -> systemd-user-service, + + # Dbus needs to be started without environment scrubbing + @{bin}/dbus-broker px -> dbus-session, + @{bin}/dbus-broker-launch px -> dbus-session, + @{bin}/dbus-daemon px -> dbus-session, + @{lib}/dbus-1.0/dbus-daemon-launch-helper px -> dbus-session, + + # Audio profiles need to be stacked #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber - @{bin}/pipewire rPx -> systemd-user//&pipewire, - @{bin}/pipewire-media-session rPx -> systemd-user//&pipewire-media-session, - @{bin}/pipewire-pulse rPx -> systemd-user//&pipewire-pulse, - @{bin}/pulseaudio rPx -> systemd-user//&pulseaudio, - @{bin}/wireplumber rPx -> systemd-user//&wireplumber, + @{bin}/pipewire Px -> systemd-user//&pipewire, + @{bin}/pipewire-media-session Px -> systemd-user//&pipewire-media-session, + @{bin}/pipewire-pulse Px -> systemd-user//&pipewire-pulse, + @{bin}/pulseaudio Px -> systemd-user//&pulseaudio, + @{bin}/wireplumber Px -> systemd-user//&wireplumber, /usr/ r, /usr/share/defaults/**.conf r, diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service new file mode 100644 index 000000000..0aaeba215 --- /dev/null +++ b/apparmor.d/groups/_full/systemd-user-service 
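Review bot: The comment `# Shell based ystemd unit services` introduced in this hunk has a typo (`systemd`). More importantly, `@{sh_path} Px -> systemd-user-service` and `@{coreutils_path} Px -> systemd-user-service` send every shell or coreutils binary started by a user unit into a profile that the new file in this same commit declares with `flags=(complain)`, so those execs are logged but not confined until that flag is dropped; a reader of this hunk alone would assume a real sandbox. Suggest `# Shell based systemd unit services (target profile is complain-only for now)` so the gap is visible where the transition is made. The enclosing systemd-user profile continues past the end of the hunk.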
@@ -0,0 +1,23 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023-2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Profile for generic systemd unit services. Only used by tiny systemd services +# that start a shell or use context specific programs. + +# It does not specify an attachment path because it is intended to be used only +# via "Px -> systemd-user-service" exec transitions from the systemd-user profile. + +abi , + +include + +profile systemd-user-service flags=(complain) { + include + include + + include if exists + include if exists +} + +# vim:syntax=apparmor From 31cadd634fca16588d1cd92ee6809b80adfb4414 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Sep 2024 15:11:50 +0100 Subject: [PATCH 152/315] feat(abs): improve some gnome profiles. --- apparmor.d/groups/gnome/gnome-control-center | 9 +++++---- apparmor.d/groups/gnome/gsd-datetime | 11 ++++++++++- 2 files changed, 15 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index aea86106a..154aff58c 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -72,7 +72,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /usr/share/language-tools/language2locale rix, /usr/share/language-tools/language-options rPUx, - @{open_path} rPx -> child-open-browsers, + @{open_path} rPx -> child-open-any, /opt/**/share/icons/{,**} r, /snap/*/@{int}/**.png r, @@ -124,6 +124,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-remote-desktop/rdp-tls.{crt,key}{,.@{rand6}} rw, owner @{user_share_dirs}/icc/{,edid-*} r, + owner @{tmp}/@{hex12}@{h} rw, + owner @{tmp}/@{rand8} rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, @{run}/samba/ rw, 
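Review bot: `profile systemd-user-service flags=(complain)` hardcodes the complain flag inside the profile, whereas this series otherwise drives complain mode through `dists/flags/main.flags` (`transmission complain`, `protonmail complain`) so that enforce builds can drop it; an in-file flag stays complain in every build. Since this profile is the only confinement for any shell or coreutils binary launched from a user unit, that is the difference between a sandbox and an audit log. Suggest `profile systemd-user-service {` plus a `systemd-user-service complain` entry in `dists/flags/main.flags`, or, if permanent complain mode is intended, a sentence in the header comment saying so and why.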
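Review bot: `@{open_path} rPx -> child-open-any` replaces `child-open-browsers` in the first gnome-control-center hunk, which widens what the control center may launch through xdg-open from browsers to any registered handler, and the hunk gives no reason. If a specific panel now needs a non-browser handler, a trailing comment naming it would let a later reviewer re-narrow the rule, e.g. `@{open_path} rPx -> child-open-any, # needed by the <panel> panel` with the real trigger filled in. The rest of the profile is outside the hunk, so I cannot see whether another rule already granted an equivalent path.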
@@ -160,6 +162,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { @{PROC}/cmdline r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, @{PROC}/zoneinfo r, + @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, @@ -187,9 +190,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { profile pkexec { include - - @{bin}/pkexec mr, - + include include if exists } diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index d125cd13d..5c3b768fc 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -12,8 +12,15 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include include include + include - signal (receive) set=(term, hup) peer=gdm*, + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + signal receive set=(term, hup) peer=gdm*, #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Datetime @@ -34,6 +41,8 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/geocode-glib/* r, + @{run}/systemd/sessions/@{int} r, + @{run}/systemd/users/@{uid} r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, From 6723b43559ab5b52ebb0335062880283f136100b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 23 Sep 2024 15:12:24 +0100 Subject: [PATCH 153/315] feat(profile): improve systemsettings. --- apparmor.d/groups/kde/systemsettings | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index d0fec60fc..e1de05a11 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings 
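Review bot: The `network inet/inet6 dgram/stream` and `network netlink raw` rules added to gsd-datetime in its first hunk come without a comment saying what this settings daemon now talks to over the network; the profile previously granted no network access at all. The existing `owner @{user_cache_dirs}/geocode-glib/* r` rule suggests geocoding or timezone lookups, but that is inference; a line such as `# Network access for <purpose seen in the denial>` would let the next reviewer judge whether stream sockets are really needed or whether the traffic should go through a portal or helper. The target of the added `include` line was lost in this extract, so I cannot tell what it contributes.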
@@ -112,6 +112,7 @@ profile systemsettings @{exec_path} { owner @{user_share_dirs}/wallpapers/{,**} r, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/systemsettings@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs From 117b54d16ccae75e8bfc672988de8575678ba7fa Mon Sep 17 00:00:00 2001 From: odomingao Date: Thu, 19 Sep 2024 13:58:46 -0300 Subject: [PATCH 154/315] Create gamemoded --- apparmor.d/profiles-g-l/gamemoded | 81 +++++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 apparmor.d/profiles-g-l/gamemoded diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded new file mode 100644 index 000000000..64b0e8f8f --- /dev/null +++ b/apparmor.d/profiles-g-l/gamemoded 
@@ -0,0 +1,81 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/gamemoded +profile gamemoded @{exec_path} flags=(attach_disconnected) { + include + + capability sys_ptrace, + + ptrace read, + + @{exec_path} mr, + + @{bin}/pkexec Cx -> pkexec, + @{lib}/gamemode/gpuclockctl Cx -> pkexec, + + /etc/gamemode.ini r, + + owner @{user_config_dirs}/ r, + + @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/@{pci}/power_dpm_force_performance_level r, + @{sys}/devices/system/cpu/{,**} r, + @{sys}/devices/virtual/powercap/{,**} r, + + @{PROC}/sys/kernel/split_lock_mitigate r, + owner @{PROC}/@{pid}/ r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fdinfo/ r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, + owner @{PROC}/@{pid}/task/ r, + + profile pkexec { + include + include + include + + capability audit_write, + capability mknod, + capability setgid, + capability sys_ptrace, + + ptrace read peer=gamemoded, + + network netlink raw, + + @{bin}/pkexec mr, + + @{lib}/gamemode/{,**} r, + @{lib}/gamemode/cpugovctl ix, + @{lib}/gamemode/gpuclockctl ix, + @{lib}/gamemode/procsysctl ix, + + /etc/security/limits.d/ r, + /etc/security/limits.d/@{int}-gamemode.conf r, + /etc/shells r, + + @{sys}/devices/@{pci}/power_dpm_force_performance_level rw, + @{sys}/devices/@{pci}/vendor r, + @{sys}/devices/system/cpu/ r, + @{sys}/devices/system/cpu/cpu@{int}/cpufreq r, + @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, + + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/loginuid r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/kernel/split_lock_mitigate rw, + + include if exists + } + + include if exists +} + +# vim:syntax=apparmor From 18c2f3e8d7c0c0b749ccc0b4067b89ea1ac91eb9 Mon Sep 17 00:00:00 2001 
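Review bot: In the new gamemoded profile, `ptrace read,` has no `peer=` restriction and is paired with `capability sys_ptrace`, so the daemon may read `/proc` state of any process it can see, which is wider than the `owner @{PROC}/@{pid}/…` file rules beneath it suggest. gamemoded inspects client (game) processes that can run under arbitrary profiles, so a peer restriction may be impractical, but that should be recorded (`# clients may run under any profile, hence no peer restriction`) rather than left implicit. Separately, `@{lib}/gamemode/gpuclockctl Cx -> pkexec` runs the helper directly inside the same child that carries `capability mknod`/`setgid` and write access to `scaling_governor` and `power_dpm_force_performance_level`; capability rules only permit what the calling uid can already do, but a dedicated child for the direct-helper path would keep the privileged rules tied to the pkexec invocation.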
From: odomingao Date: Fri, 20 Sep 2024 19:26:49 -0300 Subject: [PATCH 155/315] Update gamemoded --- apparmor.d/profiles-g-l/gamemoded | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded index 64b0e8f8f..e17a9e537 100644 --- a/apparmor.d/profiles-g-l/gamemoded +++ b/apparmor.d/profiles-g-l/gamemoded @@ -36,7 +36,7 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/task/ r, - profile pkexec { + profile pkexec flags=(attach_disconnected) { include include include From 8fa2058c55342964b3ad46f77f12da314da83a38 Mon Sep 17 00:00:00 2001 From: odomingao Date: Sat, 21 Sep 2024 21:42:15 -0300 Subject: [PATCH 156/315] Small improvement to audio-client --- apparmor.d/abstractions/audio-client | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index ceacbae9c..7ed4d6b80 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -17,7 +17,7 @@ /etc/libao.conf r, /etc/openal/alsoft.conf r, /etc/pipewire/client{,-rt}.conf r, - /etc/pipewire/client.conf.d/{,**} r, + /etc/pipewire/client{,-rt}.conf.d/{,**} r, /etc/pulse/client.conf r, /etc/pulse/client.conf.d/{,**} r, /etc/wildmidi/wildmidi.cfg r, From 3a7e4c670583d4ff03520b8e696ad4071e96e214 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Sun, 22 Sep 2024 17:23:18 +0800 Subject: [PATCH 157/315] A Fix for xdg-permission-store --- apparmor.d/groups/freedesktop/xdg-permission-store | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index f698111d4..fa139a9ec 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store 
@@ -41,7 +41,7 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/ rw, owner @{user_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw, owner @{user_share_dirs}/flatpak/db/background rw, - owner @{user_share_dirs}/flatpak/db/devices r, + owner @{user_share_dirs}/flatpak/db/devices rw, owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, From c28d05f15fb32897dab3d2b0b09666c5c81a213d Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 22 Sep 2024 12:19:13 +0200 Subject: [PATCH 158/315] Update protonmail-bridge Because of the following requests: ``` owner "@{user_cache_dirs}/Proton AG/" w, owner @{user_cache_dirs}/protonmail/ w, owner @{user_config_dirs}/protonmail/ w, owner @{user_share_dirs}/protonmail/ w, ``` possibly during setup. --- apparmor.d/profiles-m-r/protonmail-bridge | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge index 3d3878c3e..7e8dfe9d4 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge +++ b/apparmor.d/profiles-m-r/protonmail-bridge @@ -6,9 +6,9 @@ abi , include -@{config_dirs} = @{user_config_dirs}/protonmail/bridge-v3 -@{cache_dirs} = @{user_cache_dirs}/protonmail/bridge-v3 "@{user_cache_dirs}/Proton AG/Proton Mail Bridge" -@{share_dirs} = @{user_share_dirs}/protonmail/bridge-v3 +@{config_dirs} = @{user_config_dirs}/protonmail/{,bridge-v3} +@{cache_dirs} = @{user_cache_dirs}/protonmail/{,bridge-v3} "@{user_cache_dirs}/Proton AG/{,Proton Mail Bridge}" +@{share_dirs} = @{user_share_dirs}/protonmail/{,bridge-v3} @{exec_path} = @{lib}/protonmail/bridge/bridge-gui profile protonmail-bridge @{exec_path} { From 0d5a3405d8f5c3b4f43707cfbe1c5b166b6ef28f Mon Sep 17 00:00:00 2001 
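Review bot: Expanding `@{cache_dirs}` to `"@{user_cache_dirs}/Proton AG/{,Proton Mail Bridge}"` makes the variable also expand to the bare `Proton AG/` directory; if the profile body (outside this hunk) has a rule like `@{cache_dirs}/** rwk`, the bridge now gets read-write access to every Proton product's cache under `Proton AG/`, not just its own, and the same applies to the `protonmail/{,bridge-v3}` parents for config and share. The commit message only shows `w` requests on the parent directories themselves, which a narrower rule such as `owner "@{user_cache_dirs}/Proton AG/" w,` (and the three `protonmail/` equivalents) would satisfy without widening variables used throughout the profile. The rules that consume these variables are not visible here, so please check how `**` is applied to them.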
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 22 Sep 2024 12:22:17 +0200 Subject: [PATCH 159/315] Update protonmail-bridge-core because of the following request: ``` /etc/ca-certificates/extracted/*.pem r, /etc/ssl/certs/{,**} r, ``` --- apparmor.d/profiles-m-r/protonmail-bridge-core | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index b7fd0c98a..89330c819 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -15,6 +15,7 @@ include profile protonmail-bridge-core @{exec_path} { include include + include network inet dgram, network inet6 dgram, From 4660b7d49ce9b9f15a229348fa171894d0d5d7f7 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 15 Sep 2024 13:22:12 +0200 Subject: [PATCH 160/315] add ssh-sk-helper --- apparmor.d/groups/ssh/ssh | 2 ++ apparmor.d/groups/ssh/ssh-sk-helper | 26 ++++++++++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 apparmor.d/groups/ssh/ssh-sk-helper diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 296074f5f..a1046dbb5 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -25,6 +25,8 @@ profile ssh @{exec_path} { @{bin}/@{shells} rUx, + @{lib}/ssh/ssh-sk-helper rix -> ssh//null-@{lib}/ssh/ssh-sk-helper, + @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, @{etc_ro}/ssh/sshd_config r, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper new file mode 100644 index 000000000..915086e9c --- /dev/null +++ b/apparmor.d/groups/ssh/ssh-sk-helper 
@@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 valoq +# SPDX-License-Identifier: GPL-2.0-only + +profile ssh//null-@{lib}/ssh/ssh-sk-helper { + / r, + + @{lib}/ssh/ssh-sk-helper r, + + /etc/ssl/openssl.cnf r, + + @{sys}/ r, + @{sys}/bus/ r, + @{sys}/class/ r, + @{sys}/class/hidraw/ r, + @{sys}/class/hidraw/hidraw@{int} r, + @{sys}/devices/ r, + @{sys}/devices/@{pci_bus}/ r, + @{sys}/devices/@{pci_bus}/{,**} r, + + /dev/hidraw@{int} rwk, + + include if exists +} + +# vim:syntax=apparmor From a854b631621bb62b760d282bf222a3930a111cd7 Mon Sep 17 00:00:00 2001 From: valoq Date: Sun, 15 Sep 2024 13:46:07 +0200 Subject: [PATCH 161/315] fix profiles --- apparmor.d/groups/ssh/ssh | 2 +- apparmor.d/groups/ssh/ssh-sk-helper | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index a1046dbb5..476bd3f26 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -25,7 +25,7 @@ profile ssh @{exec_path} { @{bin}/@{shells} rUx, - @{lib}/ssh/ssh-sk-helper rix -> ssh//null-@{lib}/ssh/ssh-sk-helper, + @{lib}/ssh/ssh-sk-helper rix -> ssh-sk-helper, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index 915086e9c..2013371b3 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -2,8 +2,9 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -profile ssh//null-@{lib}/ssh/ssh-sk-helper { - / r, +include + +profile ssh-sk-helper flags=(complain) { @{lib}/ssh/ssh-sk-helper r, From 69cc1031add7e61b5974daa9fdd32c28d6906c63 Mon Sep 17 00:00:00 2001 From: valoq Date: Fri, 20 Sep 2024 12:01:14 +0200 Subject: [PATCH 162/315] clean ssh sk helper --- apparmor.d/groups/ssh/ssh | 2 +- apparmor.d/groups/ssh/ssh-sk-helper | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) 
diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 476bd3f26..5dce3ec80 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -25,7 +25,7 @@ profile ssh @{exec_path} { @{bin}/@{shells} rUx, - @{lib}/ssh/ssh-sk-helper rix -> ssh-sk-helper, + @{lib}/ssh/ssh-sk-helper rPx -> ssh-sk-helper, @{etc_ro}/ssh/ssh_config r, @{etc_ro}/ssh/ssh_config.d/{,*} r, diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index 2013371b3..defa9ac1b 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -4,20 +4,17 @@ include +@{exec_path} = @{lib}/ssh/ssh-sk-helper profile ssh-sk-helper flags=(complain) { + include - @{lib}/ssh/ssh-sk-helper r, - - /etc/ssl/openssl.cnf r, + @{exec_path} mr, @{sys}/ r, @{sys}/bus/ r, @{sys}/class/ r, @{sys}/class/hidraw/ r, @{sys}/class/hidraw/hidraw@{int} r, - @{sys}/devices/ r, - @{sys}/devices/@{pci_bus}/ r, - @{sys}/devices/@{pci_bus}/{,**} r, /dev/hidraw@{int} rwk, From 97676dcf711dfb43c402195a7e9ba6dd85facba6 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Sun, 22 Sep 2024 12:40:42 +0200 Subject: [PATCH 163/315] Update sudo Condensing requests like: @{sys}/fs/cgroup/{hostcritical,system,unevictable,user}.slice/*.service/cgroup.procs r, @{sys}/fs/cgroup/system.slice/system-getty.slice/getty@tty3.service/cgroup.procs r, @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.procs r, @{sys}/fs/cgroup/system.slice/system-getty.slice/getty@tty3.service/cgroup.procs r, @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/cgroup.procs r, @{sys}/fs/cgroup/user.slice/user-968.slice/user@968.service/cgroup.procs r, --- apparmor.d/profiles-s-z/sudo | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo index 6f01bc8f0..9574b98d1 100644 --- a/apparmor.d/profiles-s-z/sudo +++ b/apparmor.d/profiles-s-z/sudo 
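Review bot: The final ssh-sk-helper profile is again declared `flags=(complain)` in-file, and the sysfs enumeration rules the first version of this file captured (`@{sys}/devices/@{pci_bus}/{,**} r` and friends) were removed without replacement, so in enforce mode the security-key device scan (presumably libfido2 walking sysfs/hidraw) may be denied, and those denials stay invisible while the profile is in complain. Please exercise it once in enforce mode, and track the complain flag in `dists/flags/main.flags` as the other new profiles in this series do rather than in the profile header. Also, `ssh` is the only caller given `rPx -> ssh-sk-helper` here; if the repository carries profiles for `ssh-keygen` or `ssh-agent`, they exec the same helper and would need the same transition (not visible in this extract).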
@@ -48,6 +48,8 @@ profile sudo @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, @{run}/systemd/sessions/?@{int}.ref rw, + @{sys}/fs/cgroup/*.slice{,/*.slice}/*.service/cgroup.procs r, + include if exists } From 0bf60c313f6d4a1fdc94342e4da547defbde71d2 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 23 Sep 2024 12:37:48 +0200 Subject: [PATCH 164/315] New profile: protonmail --- apparmor.d/profiles-m-r/protonmail | 45 ++++++++++++++++++++++++++++++ 1 file changed, 45 insertions(+) create mode 100644 apparmor.d/profiles-m-r/protonmail diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail new file mode 100644 index 000000000..2c69d8c08 --- /dev/null +++ b/apparmor.d/profiles-m-r/protonmail @@ -0,0 +1,45 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 curiosityseeker +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{name} = "Proton Mail" +@{lib_dirs} = /opt/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = "/opt/proton-mail/Proton Mail{, Beta}" +profile protonmail @{exec_path} flags=(complain) { + include + include + + network inet stream, + network inet dgram, + network inet6 dgram, + network netlink raw, + + ptrace read peer=xdg-settings, + + @{exec_path} mrix, + + /opt/proton-mail/** r, + /opt/proton-mail/*.so m, + /opt/proton-mail/libvulkan.so.1 m, + + @{bin}/xdg-settings Px, + @{open_path} rpx -> child-open, + + /etc/machine-id r, + + owner @{user_config_dirs}/ibus/bus/ r, + + @{sys}/devices/@{pci}/boot_vga r, + + owner @{tmp}/gtkprint_ppd_@{rand6} rw, + + include if exists + +} From 9400e5fd00039aa65b925055b9a5e6bef64bc0ef Mon Sep 17 00:00:00 2001 
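Review bot: The new protonmail profile allows `network inet stream` and `network inet6 dgram` but not `network inet6 stream`, so TCP over IPv6 (an HTTPS connection to an AAAA record) would be denied once the profile is enforced; the other new desktop profile in this series (vesktop) lists all four. Suggest adding `network inet6 stream,`. Minor style: the closing `}` is preceded by a stray blank line and the file lacks the `# vim:syntax=apparmor` footer every other profile in the series carries; `@{lib_dirs}`, `@{config_dirs}` and `@{cache_dirs}` are defined but not referenced by any visible rule, so they are presumably consumed by the included abstraction whose name was lost in this extract.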
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Mon, 23 Sep 2024 13:04:19 +0200 Subject: [PATCH 165/315] Update main.flags --- dists/flags/main.flags | 1 + 1 file changed, 1 insertion(+) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 8c28c7252..16c616404 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -283,6 +283,7 @@ plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted qdbus complain +protonmail complain realmd complain remmina complain run-parts complain From 8cc986ab9241533cea96a312b9113eb08c0bd143 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Tue, 24 Sep 2024 11:58:03 +0200 Subject: [PATCH 166/315] Update protonmail --- apparmor.d/profiles-m-r/protonmail | 12 ++++-------- 1 file changed, 4 insertions(+), 8 deletions(-) diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index 2c69d8c08..f6bc7e4b8 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -6,14 +6,16 @@ abi , include -@{name} = "Proton Mail" +@{name} = proton-mail "Proton Mail" @{lib_dirs} = /opt/@{name} @{config_dirs} = @{user_config_dirs}/@{name} @{cache_dirs} = @{user_cache_dirs}/@{name} -@{exec_path} = "/opt/proton-mail/Proton Mail{, Beta}" +@{exec_path} = @{bin}/proton-mail /opt/proton-mail/Proton* profile protonmail @{exec_path} flags=(complain) { include + include + include include network inet stream, @@ -25,15 +27,9 @@ profile protonmail @{exec_path} flags=(complain) { @{exec_path} mrix, - /opt/proton-mail/** r, - /opt/proton-mail/*.so m, - /opt/proton-mail/libvulkan.so.1 m, - @{bin}/xdg-settings Px, @{open_path} rpx -> child-open, - /etc/machine-id r, - owner @{user_config_dirs}/ibus/bus/ r, @{sys}/devices/@{pci}/boot_vga r, From 67b1c301eda7af8a7e901649d00227d56debfab3 Mon Sep 17 00:00:00 2001 
From: odomingao Date: Sun, 22 Sep 2024 13:12:04 -0300 Subject: [PATCH 167/315] Create vesktop --- apparmor.d/profiles-s-z/vesktop | 46 +++++++++++++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 apparmor.d/profiles-s-z/vesktop diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop new file mode 100644 index 000000000..ce420ea12 --- /dev/null +++ b/apparmor.d/profiles-s-z/vesktop @@ -0,0 +1,46 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , +include + +@{name} = vesktop +@{lib_dirs} = @{lib}/@{name} +@{config_dirs} = @{user_config_dirs}/@{name} +@{cache_dirs} = @{user_cache_dirs}/@{name} + +@{exec_path} = @{bin}/vesktop +profile vesktop @{exec_path} flags=(attach_disconnected) { + include + include + include + include + include + include + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + owner /tmp/.org.chromium.Chromium.@{rand6} mr, + owner @{run}/user/@{uid}/discord-ipc-@{int} rw, + + @{sys}/devices/@{pci}/usb@{int}/**/interface r, + + @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + owner /dev/ r, + + deny /dev/tty rw, + deny owner /dev/tty@{int} rw, + + include if exists +} + +# vim:syntax=apparmor From a0dab014019efad5ea48d35970a574714316a7f9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 24 Sep 2024 21:36:49 +0100 Subject: [PATCH 168/315] feat(profile): update multipath. fix #523 --- apparmor.d/profiles-m-r/multipath | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath index 918e5a0c2..b79db6418 100644 --- a/apparmor.d/profiles-m-r/multipath +++ b/apparmor.d/profiles-m-r/multipath 
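Review bot: `owner /tmp/.org.chromium.Chromium.@{rand6} mr` in the new vesktop profile uses a literal `/tmp/` where every other profile in this series writes `@{tmp}` (see the gnome-control-center and protonmail hunks), so it would miss whatever additional locations `@{tmp}` expands to in this tree; suggest `owner @{tmp}/.org.chromium.Chromium.@{rand6} mr,`. That rule also grants `m` (mmap-exec) on a file in a world-writable directory; this looks like the usual Chromium shared-memory fallback, but a short comment (`# Chromium shm fallback`) would stop a later reviewer from treating it as a mistake. `owner /dev/ r` is unusual enough to deserve a comment as well.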
@@ -27,6 +27,7 @@ profile multipath @{exec_path} flags=(attach_disconnected) { @{sys}/bus/ r, @{sys}/class/ r, + @{sys}/module/*/parameters/multipath r, @{PROC}/devices r, @{PROC}/sys/fs/nr_open r, From 3a34a70181f4ec47e4199ca669a5e2883b70abda Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 24 Sep 2024 21:38:51 +0100 Subject: [PATCH 169/315] fix(profile): xfs support in udisksd fix #524 --- apparmor.d/profiles-s-z/udisksd | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index b835be9e7..a0071a759 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -88,7 +88,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{bin}/sgdisk rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-escape rPx, - @{bin}/xfs_db rPUx, + @{bin}/xfs_* rPUx, /etc/crypttab r, /etc/fstab r, From 6578b55829b9a84d9eba009a0e82561d989b83e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 24 Sep 2024 21:44:49 +0100 Subject: [PATCH 170/315] fix(profile) Gimp thumbnails log fix #522 --- apparmor.d/profiles-g-l/gimp | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index bfdc6d640..fe69ad91c 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -13,6 +13,7 @@ profile gimp @{exec_path} { include include include + include include #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell From 24e0746efa5cc17f64fe1a09d3c6ab7f4836a616 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 24 Sep 2024 21:46:50 +0100 Subject: [PATCH 171/315] fix(profile): libreoffice: support any version of java. fix #520 --- apparmor.d/profiles-g-l/libreoffice | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index b4c07e38b..86efb49a2 100644 --- a/apparmor.d/profiles-g-l/libreoffice 
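Review bot: `@{bin}/xfs_* rPUx` in the udisksd hunk widens a single `xfs_db` fallback to every `xfs_*` tool, and `PUx` means each of them runs unconfined whenever no profile exists for it; udisksd is a root daemon, so that is unconfined root execution of xfs_repair, xfs_growfs and anything else the glob matches. If only specific tools are actually invoked, list them (`@{bin}/xfs_{db,repair,growfs} rPUx,`, adjusted to what the denials showed) or add a comment recording which ones were observed; otherwise profiles for the tools should exist so the `U` fallback is never taken.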
+++ b/apparmor.d/profiles-g-l/libreoffice @@ -67,7 +67,7 @@ profile libreoffice @{exec_path} { /usr/share/mythes/{,**} r, /usr/share/thumbnailers/{,**} r, - /etc/java-openjdk/{,**} r, + /etc/java{,@{version}}-openjdk/{,**} r, /etc/libreoffice/{,**} r, /etc/paperspecs r, /etc/xdg/* r, From 457953876aa08037fa631bf4f64dadd2c5bc8790 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 24 Sep 2024 21:49:56 +0100 Subject: [PATCH 172/315] feat(profile): improve systemd-dissect --- apparmor.d/groups/systemd/systemd-dissect | 23 +++++++++++++++++------ 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index cd3ba97ca..5dc785198 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -11,16 +11,22 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { include include include + include capability dac_read_search, capability sys_admin, capability sys_resource, - mount options=(rw, rslave) -> /, - mount options=(rw, nodev) -> /mnt/*/, - mount -> /tmp/dissect-@{rand6}/, + mount options=(rw rshared rslave) -> /, + mount options=(rw nodev) -> /mnt/*/, + mount -> /tmp/dissect-@{rand6}/, + mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/, - signal (send) set=(cont) peer=child-pager, + umount @{run}/systemd/dissect-root/, + + signal send set=cont peer=child-pager, + + ptrace read peer=unconfined, @{exec_path} mr, @@ -35,14 +41,19 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { owner @{tmp}/dissect-@{rand6}/{,**} rw, + @{run}/systemd/dissect-root/ rw, + @{run}/systemd/dissect-root/** rwlk, + @{sys}/devices/virtual/block/loop@{int}/{,**} r, @{sys}/kernel/uevent_seqnum r, - @{PROC}/@{pids}/cgroup r, + @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/mountinfo r, /dev/btrfs-control rw, /dev/loop-control rwk, - /dev/loop* rwk, + /dev/loop* rwk, + /dev/mapper/control w, include if exists } 
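Review bot: The second systemd-dissect hunk adds `/dev/mapper/control w`, the device-mapper ioctl interface; together with the existing `capability sys_admin` this lets the tool create arbitrary dm tables, a much larger grant than the loop-device rules around it. A why-comment (presumably verity or crypt setup for signed images, but that is inference from the tool's purpose, not from the hunk) would justify it. In the first hunk, `ptrace read peer=unconfined` also deserves a line saying which unconfined process is being inspected, and the `@{PROC}/@{pids}/cgroup r` to `@{PROC}/@{pid}/cgroup r` narrowing is a good change that should not be lost if the rule is regenerated from logs.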
From 69f9e8464f7ed74667d4541e4575ac83f8f02a60 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Sep 2024 00:14:02 +0100 Subject: [PATCH 173/315] feat(profile): update profiles for gnome 47. --- apparmor.d/abstractions/common/gnome | 1 + apparmor.d/abstractions/desktop | 8 +++----- apparmor.d/abstractions/gnome-strict | 6 ++---- apparmor.d/abstractions/kde-strict | 6 +----- apparmor.d/abstractions/vulkan-strict | 2 ++ apparmor.d/groups/freedesktop/xdg-desktop-portal | 6 +++++- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 6 ++++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 9 +++++++-- apparmor.d/groups/gnome/gnome-control-center | 2 ++ .../groups/gnome/gnome-control-center-print-renderer | 1 + apparmor.d/groups/gnome/gnome-shell | 2 ++ apparmor.d/groups/gnome/loupe | 1 + apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gvfs/gvfsd | 2 ++ apparmor.d/profiles-a-f/appstreamcli | 1 + 15 files changed, 35 insertions(+), 19 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index c93f9bc05..8fe4d97cd 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -23,6 +23,7 @@ owner @{user_share_dirs}/@{profile_name}/** rwlk, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index 50244b3a7..ae585999b 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -13,6 +13,7 @@ include include include + include # if @{DE} == gnome @@ -30,6 +31,8 @@ /var/cache/gio-@{version}/gnome-mimeapps.list r, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + # else if @{DE} == kde @{lib}/kde{,3,4}/*.so mr, 
@@ -71,11 +74,6 @@ /usr/share/hwdata/*.ids r, /usr/share/icu/@{int}.@{int}/*.dat r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, - include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 74df87344..833aaa59b 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -7,6 +7,7 @@ include include include + include dbus receive bus=session interface=org.freedesktop.DBus.Introspectable @@ -26,10 +27,7 @@ /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index f31a38617..11e897aba 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -7,6 +7,7 @@ include include include + include @{lib}/kde{,3,4}/*.so mr, @{lib}/kde{,3,4}/plugins/*/ r, @@ -22,11 +23,6 @@ /etc/xdg/kdeglobals r, /etc/xdg/kwinrc r, - owner @{HOME}/.local/ rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/ rw, - owner @{user_share_dirs}/ rw, - owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index 5210a48e2..7dbb8f424 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict 
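Review bot: This hunk (and the parallel ones in gnome-strict and kde-strict) drops `owner @{HOME}/.local/ rw`, `owner @{user_cache_dirs}/ rw`, `owner @{user_config_dirs}/ rw` and `owner @{user_share_dirs}/ rw` from `abstractions/desktop`; the only compensating change visible is a new `include` line whose target name was lost in this extract. If that include does not carry equivalent directory-creation rules, every profile relying on `abstractions/desktop` loses the ability to create `~/.config/`, `~/.cache/` and `~/.local/share/` on first run. Please confirm the new include provides them, or keep the four rules until it does.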
@@ -14,6 +14,8 @@ /etc/vulkan/icd.d/{,*.json} r, /etc/vulkan/implicit_layer.d/{,*.json} r, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/.goutputstream-@{rand6} rw, + owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/@{uuid}.@{int} rw, owner @{user_cache_dirs}/radv_builtin_shaders{32,64} r, # Vulkan radv shaders cache owner @{user_share_dirs}/vulkan/ rw, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index d8929cfb1..720d794b7 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -21,13 +21,16 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_ptrace, network netlink raw, - ptrace (read), + ptrace read, + + signal receive set=term peer=gdm, #aa:dbus own bus=session name=org.freedesktop.portal.Desktop path=/org/freedesktop/portal/desktop interface={org.freedesktop.DBus.Properties,org.freedesktop{,.impl}.portal.{Settings,Background}} dbus receive bus=session path=/org/freedesktop/portal/desktop @@ -63,6 +66,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, + /usr/share/gdm/greeter-dconf-defaults r, /etc/sysconfig/proxy r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 586828ee0..02cf99b01 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome 
@@ -38,13 +38,15 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { / r, @{bin}/ r, @{bin}/* r, - /opt/*/* r, + /opt/** r, /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, /usr/share/thumbnailers/{,**} r, - owner @{DESKTOP_HOME}/greeter-dconf-defaults r, + owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, + owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, owner @{HOME}/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index c21b955d0..9eaea73aa 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{lib}/xdg-desktop-portal-gtk -profile xdg-desktop-portal-gtk @{exec_path} { +profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) { include include include @@ -27,7 +27,8 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include - include + + signal receive set=term peer=gdm, unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), @@ -53,10 +54,14 @@ profile xdg-desktop-portal-gtk @{exec_path} { @{exec_path} mr, + /usr/share/gdm/greeter-dconf-defaults r, + / r, owner /var/lib/xkb/server-@{int}.xkm rw, + owner @{gdm_config_dirs}/dconf/user r, + owner @{tmp}/runtime-*/xauth_@{rand6} r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 154aff58c..b0006d774 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
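Review bot: `/opt/** r` in xdg-desktop-portal-gnome widens the previous `/opt/*/* r` to a recursive read of everything installed under /opt, where third-party packages commonly keep configuration and sometimes credential files the portal has no reason to read. If the portal only needs application resources from there (icons, desktop or metadata files), a glob limited to that subtree keeps its read surface close to what it was; if the full tree really is required, a one-line comment saying why would help the next reviewer. The `owner @{DESKTOP_HOME}/greeter-dconf-defaults r` line is only moved, not changed. The enclosing profile block starts and ends outside the hunk.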
@@ -103,6 +103,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { /var/cache/samba/ rw, /var/lib/AccountsService/icons/* r, + / r, + owner @{HOME}/.cat_installer/ca.pem r, owner @{HOME}/.cert/nm-openvpn/*.pem r, owner @{HOME}/.face r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 22784f1d5..db68c40b5 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -24,6 +24,7 @@ profile gnome-control-center-print-renderer @{exec_path} { / r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index c72652065..c492cf3fd 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -409,6 +409,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/local/bin/** PUx, /usr/games/** PUx, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, + owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index a90f8664f..56c4a2c5d 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -40,6 +40,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 3e597c156..f9be02d9d 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
@@ -110,6 +110,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/tty rw, diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd index 710abbba1..c31c1038f 100644 --- a/apparmor.d/groups/gvfs/gvfsd +++ b/apparmor.d/groups/gvfs/gvfsd @@ -13,6 +13,8 @@ profile gvfsd @{exec_path} { include include + signal receive set=usr1 peer=pacman, + #aa:dbus own bus=session name=org.gtk.vfs.Daemon #aa:dbus own bus=session name=org.gtk.vfs.MountTracker path=/org/gtk/vfs/mounttracker diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli index 6b6bad8d8..25f4ff40c 100644 --- a/apparmor.d/profiles-a-f/appstreamcli +++ b/apparmor.d/profiles-a-f/appstreamcli @@ -24,6 +24,7 @@ profile appstreamcli @{exec_path} flags=(complain) { /usr/share/app-info/{,**} r, /usr/share/appdata/ r, + /usr/share/gvfs/remote-volume-monitors/{,**} r, /usr/share/metainfo/ r, /usr/share/metainfo/*.{metainfo,appdata}.xml r, /usr/share/swcatalog/{,**} r, From 156cce5362ab7914c8bddd0ead505e9281c9bcab Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Sep 2024 00:48:42 +0100 Subject: [PATCH 174/315] feat(profile): restrict dbus in dbus even dbus-* profiles do not need access to the full bus. --- apparmor.d/groups/bus/dbus-accessibility | 3 +-- apparmor.d/groups/bus/dbus-session | 2 +- apparmor.d/groups/bus/dbus-system | 2 +- apparmor.d/tunables/multiarch.d/system | 2 +- 4 files changed, 4 insertions(+), 5 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 1c5f8cd30..0f43955e8 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility 
@@ -25,8 +25,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term hup kill) peer=dbus-session, signal (receive) set=(term hup kill) peer=gdm{,-session-worker}, - dbus bus=accessibility, - + #aa:dbus own bus=accessibility name=org.freedesktop.DBus #aa:dbus own bus=session name=org.a11y.{B,b}us dbus receive bus=session diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index fa6305055..99467d9f5 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -29,7 +29,7 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - dbus bus=session, + #aa:dbus own bus=session name=org.freedesktop.DBus @{exec_path} mrix, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index f532bb29b..d6c92bae1 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -32,7 +32,7 @@ profile dbus-system flags=(attach_disconnected) { ptrace (read) peer=@{p_systemd}, - dbus bus=system, + #aa:dbus own bus=system name=org.freedesktop.DBus @{exec_path} mrix, diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index d51ede6ca..95e42888c 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -120,7 +120,7 @@ @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 # Dbus unique name -@{busname}=:1.@{u16} +@{busname}=:1.@{u16} :not.active.yet # Common architecture names @{arch}=x86_64 amd64 i386 i686 From 90a8e44d208987a116f7185b5ee2aa1d17232bd3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Sep 2024 13:05:35 +0100 Subject: [PATCH 175/315] feat(tunable): add more system vars. --- apparmor.d/tunables/multiarch.d/system | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) 
diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 95e42888c..40f56216d 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -5,17 +5,20 @@ # To allow extended personalisation without breaking everything. # All apparmor profiles should always use the variables defined here. -# Single hexadecimal character -@{h}=[0-9a-fA-F] +# Any digit +@{d}=[0-9] + +# Any letter +@{l}=[a-zA-Z] # Single alphanumeric character @{c}=[0-9a-zA-Z] -# Word character. Matches any letter, digit or underscore. +# Word character: matches any letter, digit or underscore. @{w}=[a-zA-Z0-9_] -# Any digit -@{d}=[0-9] +# Single hexadecimal character +@{h}=[0-9a-fA-F] # Integer up to 10 digits (0-9999999999) @{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} @@ -37,7 +40,10 @@ @{int4}=@{int2}@{int2} @{int6}=@{int4}@{int2} @{int8}=@{int4}@{int4} +@{int9}=@{int8}@{d} @{int10}=@{int8}@{int2} +@{int12}=@{int8}@{int4} +@{int15}=@{int8}@{int4}@{int2}@{d} @{int16}=@{int8}@{int8} @{int32}=@{int16}@{int16} @{int64}=@{int32}@{int32} From 28b32f1ae381affe9164ccaa842c411fd08072e3 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Sep 2024 14:00:29 +0100 Subject: [PATCH 176/315] feat(profile): restrict some access to @{PROC}/@{pid}. --- apparmor.d/abstractions/app/chromium | 16 ++++++++-------- apparmor.d/groups/bus/dbus-accessibility | 9 +++++---- apparmor.d/groups/gnome/gnome-session-binary | 3 ++- apparmor.d/groups/gnome/gnome-shell | 10 +++++----- apparmor.d/groups/gnome/gnome-software | 3 ++- apparmor.d/groups/gnome/gsd-datetime | 3 +++ apparmor.d/groups/gnome/gsd-sharing | 3 ++- .../groups/gnome/org.gnome.NautilusPreviewer | 3 ++- apparmor.d/profiles-a-f/alacarte | 1 + apparmor.d/profiles-m-r/protonmail-bridge-core | 2 +- 10 files changed, 31 insertions(+), 22 deletions(-) 
diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 3fa7005a6..0aa8f5ef1 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -182,14 +182,15 @@ @{PROC}/ r, @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/stat r, - @{PROC}/@{pids}/statm r, - @{PROC}/@{pids}/task/@{tid}/stat r, - @{PROC}/@{pids}/task/@{tid}/status r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/@{tid}/status r, @{PROC}/pressure/{memory,cpu,io} r, @{PROC}/sys/fs/inotify/max_user_watches r, @{PROC}/sys/kernel/yama/ptrace_scope r, @{PROC}/vmstat r, + owner @{PROC}/@{pid}/clear_refs w, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/environ r, owner @{PROC}/@{pid}/gid_map w, owner @{PROC}/@{pid}/limits r, owner @{PROC}/@{pid}/mem r, @@ -197,12 +198,11 @@ owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_{,score_}adj rw, owner @{PROC}/@{pid}/setgroups w, + owner @{PROC}/@{pid}/statm r, + owner @{PROC}/@{pid}/task/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, owner @{PROC}/@{pid}/uid_map w, - owner @{PROC}/@{pids}/clear_refs w, - owner @{PROC}/@{pids}/cmdline r, - owner @{PROC}/@{pids}/environ r, - owner @{PROC}/@{pids}/task/ r, /dev/ r, /dev/hidraw@{int} rw, diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 0f43955e8..bf6a680a2 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility 
@@ -64,12 +64,13 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { @{sys}/kernel/security/apparmor/features/dbus/mask r, @{sys}/module/apparmor/parameters/enabled r, - @{PROC}/@{pid}/attr/apparmor/current r, - @{PROC}/@{pid}/cgroup r, - @{PROC}/@{pid}/cmdline r, - @{PROC}/@{pid}/oom_score_adj r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/attr/apparmor/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/oom_score_adj r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 795153fb1..25be8038c 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -91,9 +91,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{sys}/devices/**/{vendor,device} r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index c492cf3fd..db004062c 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell 
@@ -347,23 +347,23 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, @{PROC}/ r, - @{PROC}/@{pid}/attr/current r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/net/* r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/task/@{tid}/stat r, - @{PROC}/@{pids}/cmdline r, @{PROC}/1/cgroup r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, @{PROC}/vmstat r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, + owner @{PROC}/@{pid}/task/@{tid}/stat r, /dev/input/event@{int} rw, /dev/media@{int} rw, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index dbd07fe7d..343205e12 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -117,10 +117,11 @@ profile gnome-software @{exec_path} { @{sys}/module/nvidia/version r, - @{PROC}/@{pid}/cgroup r, @{PROC}/@{pids}/mounts r, + @{PROC}/1/cgroup r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index 5c3b768fc..db829825b 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime 
@@ -43,6 +43,9 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, + + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index 4ba613fb7..83a444c7d 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing @@ -41,7 +41,8 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, + owner @{PROC}/@{pid}/cgroup r, owner /dev/tty@{int} rw, diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer index cc08462e8..15a9170cd 100644 --- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer +++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer @@ -43,9 +43,10 @@ profile org.gnome.NautilusPreviewer @{exec_path} { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r, + @{PROC}/1/cgroup r, @{PROC}/devices r, - @{PROC}/@{pid}/cgroup r, @{PROC}/zoneinfo r, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte index 80e64558a..e1e228618 100644 --- a/apparmor.d/profiles-a-f/alacarte +++ b/apparmor.d/profiles-a-f/alacarte @@ -30,6 +30,7 @@ profile alacarte @{exec_path} { owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mounts r, include if exists 
diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index 89330c819..d9f0facb5 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -44,8 +44,8 @@ profile protonmail-bridge-core @{exec_path} { owner /var/tmp/etilqs_@{hex16} rw, @{PROC}/ r, + @{PROC}/1/cgroup r, @{PROC}/sys/net/core/somaxconn r, - @{PROC}/@{pid}/cgroup r, deny @{bin}/pass x, deny owner @{user_password_store_dirs}/** r, From 8fb767a5f9cfebdabad7caa49d1308fb812706c6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Sep 2024 15:14:16 +0100 Subject: [PATCH 177/315] feat(abs): add user-data abstraction. Warning: experiemental, only for abi 4+, requires a prompting client. See: https://discourse.ubuntu.com/t/ubuntu-desktop-s-24-10-dev-cycle-part-5-introducing-permissions-prompting/47963 --- apparmor.d/abstractions/user-data | 49 +++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) create mode 100644 apparmor.d/abstractions/user-data diff --git a/apparmor.d/abstractions/user-data b/apparmor.d/abstractions/user-data new file mode 100644 index 000000000..6406b3e84 --- /dev/null +++ b/apparmor.d/abstractions/user-data 
@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Gives access to non-hidden files in user's $HOME.
+# Warning: experiemental, only for abi 4+, requires a prompting client.
+
+ abi ,
+
+ # Allow accessing the GNOME crypto services prompt APIs as used by
+ # applications using libgcr (such as pinentry-gnome3) for secure pin
+ # entry to unlock GPG keys etc. See:
+ # https://developer.gnome.org/gcr/unstable/GcrPrompt.html
+ # https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
+ # https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
+ dbus send bus=session path=/org/gnome/keyring/Prompter
+ interface=org.gnome.keyring.internal.Prompter
+ member={BeginPrompting,PerformPrompt,StopPrompting}
+ peer=(name="{@{busname}", label=pinentry-*),
+ dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
+ interface=org.gnome.keyring.internal.Prompter.Callback
+ member={PromptReady,PromptDone}
+ peer=(name="{@{busname}", label=pinentry-*),
+
+ # Allow read access to toplevel $HOME & mounts for the user.
+ prompt owner @{HOME}/ r,
+ prompt owner @{MOUNTS}/ r,
+
+ # Allow read/write access to all files in @{HOME}, except snap application
+ # data in @{HOME}/snap and toplevel hidden directories in @{HOME}.
+ prompt owner @{HOME}/[^s.]** rwlk,
+ prompt owner @{HOME}/s[^n]** rwlk,
+ prompt owner @{HOME}/sn[^a]** rwlk,
+ prompt owner @{HOME}/sna[^p]** rwlk,
+ prompt owner @{HOME}/snap[^/]** rwlk,
+ prompt owner @{HOME}/{s,sn,sna}{,/} rwlk,
+
+ # Allow access to mounts (/mnt/*/, /media/*/, @{run}/media/@{user}/*/, gvfs)
+ # for non-hidden files owned by the user.
+ prompt owner @{MOUNTS}/[^.]** rwlk,
+
+ # Disallow writes to the well-known directory included in
+ # the user's PATH on several distributions
+ audit deny @{HOME}/bin/{,**} wl,
+ audit deny @{HOME}/bin wl,
+
+ include if exists
+
+# vim:syntax=apparmor
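Review bot: `peer=(name="{@{busname}", label=pinentry-*)` on both dbus rules opens a brace alternation that is never closed as shown; if part of the value was lost when this page was rendered, confirm the intended form, otherwise apparmor_parser is likely to reject the abstraction. The header comment misspells the word: `# Warning: experimental, only for abi 4+, requires a prompting client.`. The `prompt owner @{HOME}/[^s.]** rwlk` grant does cover ~/bin and relies on the two `audit deny @{HOME}/bin` rules winning, which they do since deny takes precedence, but a short comment next to the denies stating that dependency would make the intent explicit.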
From bbd06dcabd2d7f8cb901a55a5587e1d1128bd87b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Sep 2024 22:33:32 +0100 Subject: [PATCH 178/315] doc: add git-committers extension. --- mkdocs.yml | 3 +++ requirements.txt | 1 + 2 files changed, 4 insertions(+) diff --git a/mkdocs.yml b/mkdocs.yml index 67d8cc5a8..2db8677a1 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -69,6 +69,9 @@ plugins: fallback_to_build_date: true - minify: minify_html: true + - git-committers: + repository: roddhjav/apparmor.d + branch: main # Customization extra: diff --git a/requirements.txt b/requirements.txt index 8be8158d5..d30bccf19 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,5 @@ mkdocs +mkdocs-git-committers-plugin-2 mkdocs-git-revision-date-localized-plugin mkdocs-material mkdocs-minify-plugin From e3a5812bfbd374b5d7d3aa0771d76cf278e4c975 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Sep 2024 23:17:44 +0100 Subject: [PATCH 179/315] doc: add man page for aa-log. --- Makefile | 15 ++++-- dists/apparmor.d.spec | 2 + root/usr/share/man/man8/aa-log.8 | 79 ++++++++++++++++++++++++++++++ root/usr/share/man/man8/aa-log.md | 80 +++++++++++++++++++++++++++++++ 4 files changed, 173 insertions(+), 3 deletions(-) create mode 100644 root/usr/share/man/man8/aa-log.8 create mode 100644 root/usr/share/man/man8/aa-log.md diff --git a/Makefile b/Makefile index 85a4a7190..88febbb5e 100644 --- a/Makefile +++ b/Makefile @@ -9,7 +9,7 @@ PKGDEST := /tmp/pkg PKGNAME := apparmor.d P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) -.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint clean +.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint man docs serve clean all: build @./${BUILD}/prebuild --complain 
@@ -24,7 +24,7 @@ enforce: build full: build @./${BUILD}/prebuild --complain --full -ROOT = $(shell find "${BUILD}/root" -type f -printf "%P\n") +ROOT = $(shell find "${BUILD}/root" -type f -not -name "*.md" -printf "%P\n") PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n") DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n") install: @@ -56,7 +56,7 @@ local: ABSTRACTIONS = $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n") TUNABLES = $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n") $(P): - @[ -f ${BUILD}/aa-log ] || exit 0; install -Dm755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log + @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log @for file in ${ABSTRACTIONS}; do \ install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \ done; @@ -99,6 +99,15 @@ lint: tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm +man: + pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md + +docs: + ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict + +serve: + ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve + clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \ diff --git a/dists/apparmor.d.spec b/dists/apparmor.d.spec index b00b12eca..339d88036 100644 --- a/dists/apparmor.d.spec +++ b/dists/apparmor.d.spec @@ -51,4 +51,6 @@ systemctl is-active -q apparmor && systemctl reload apparmor ||: %dir /usr/share/zsh/site-functions /usr/share/zsh/site-functions/_aa-log.zsh +%doc %{_mandir}/man8/aa-log.8.gz + %changelog diff --git a/root/usr/share/man/man8/aa-log.8 b/root/usr/share/man/man8/aa-log.8 new file mode 100644 index 000000000..42c9a3560 --- /dev/null +++ b/root/usr/share/man/man8/aa-log.8 
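Review bot: The `$(P)` recipe now runs `@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log` unconditionally, so every profile-set target fails when aa-log was not built, where the removed `[ -f ${BUILD}/aa-log ] || exit 0` guard used to skip the install; this looks unrelated to the man-page change the commit describes, so either mention it in the message or keep the guard as `@[ -f ${BUILD}/aa-log ] || exit 0; install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log`. The new `docs` target builds with `--strict`, which is the right default for a published site; note it for any later CI change. The `ROOT` filter `-not -name "*.md"` correctly keeps the markdown source of the man page out of the installed tree.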
@@ -0,0 +1,79 @@ +.\" Automatically generated by Pandoc 3.1.9 +.\" +.TH "aa-log" "8" "September 2024" "" "" +.SH NAME +aa-log \[em] Review AppArmor generated messages in a colorful way. +.SH SYNOPSIS +\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +.SH DESCRIPTION +Review AppArmor generated messages in a colourful way. +Support logs from \f[I]auditd\f[R], \f[I]systemd\f[R], \f[I]syslog\f[R] +as well as \f[I]dbus session\f[R] events. +.PP +It can be given an optional profile name to filter the output with. +.PP +It can be used to generate AppArmor rules from the logs and it therefore +an alternative to \f[CR]aa-logprof(8)\f[R]. +The generated rules should be manually reviewed and inserted into the +profile. +.PP +Default logs are read from \f[CR]/var/log/audit/audit.log\f[R]. +Other files in \f[CR]/var/log/audit/\f[R] can easily be checked: +\f[B]aa-log -f 1\f[R] parses \f[CR]audit.log.1\f[R] +.SH OPTIONS +\f[B]aa-log\f[R] [\f[I]options\&...\f[R]] [\f[I]profile\f[R]] +.TP +[\f[I]profile\f[R]] +Optional profile name to filter the output with. +.TP +\f[CR]--file\f[R], \f[CR]-f\f[R] +Set a logfile or a suffix to the default log file. +.TP +\f[CR]--systemd\f[R], \f[CR]-s\f[R] +Parse systemd logs from journalctl. +Provides all AppArmor logs since the last boot. +.TP +\f[CR]--rules\f[R], \f[CR]-r\f[R] +Convert the log into AppArmor rules. +.TP +\f[CR]--raw\f[R], \f[CR]-R\f[R] +Print the raw log without any formatting. +Useful for reporting logs. +.TP +\f[CR]--help\f[R], \f[CR]-h\f[R] +Print the program usage. 
+.SH USAGE +To read the AppArmor log from \f[CR]/var/log/audit/audit.log\f[R]: +.IP +.EX +aa-log +.EE +.PP +To optionally filter a given profile name: +\f[CR]aa-log \f[R] (your shell will autocomplete the +profile name): +.IP +.EX +$ aa-log dnsmasq +DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r +.EE +.PP +To generate AppArmor rule: +.IP +.EX +$ aa-log -r dnsmasq +profile dnsmasq { + \[at]{PROC}/\[at]{pid}/environ r, + \[at]{PROC}/cmdline r, + \[at]{PROC}/sys/kernel/osrelease r, +} +.EE +.SH SEE ALSO +\f[CR]aa-logprof(8)\f[R], \f[CR]apparmor(7)\f[R], +\f[CR]apparmor.d(5)\f[R], \f[CR]aa-genprof(1)\f[R], +\f[CR]aa-enforce(1)\f[R], \f[CR]aa-complain(1)\f[R], +\f[CR]aa-disable(1)\f[R], and https://apparmor.pujol.io. +.SH AUTHORS +aa-log was written by Alexandre Pujol (alexandre\[at]pujol.io). diff --git a/root/usr/share/man/man8/aa-log.md b/root/usr/share/man/man8/aa-log.md new file mode 100644 index 000000000..0b7fe8afa --- /dev/null +++ b/root/usr/share/man/man8/aa-log.md 
@@ -0,0 +1,80 @@ +% aa-log(8) +% aa-log was written by Alexandre Pujol (alexandre@pujol.io) +% September 2024 + +# NAME + +aa-log — Review AppArmor generated messages in a colorful way. + +# SYNOPSIS + +**aa-log** [*options…*] [*profile*] + +# DESCRIPTION + +Review AppArmor generated messages in a colourful way. Support logs from *auditd*, *systemd*, *syslog* as well as *dbus session* events. + +It can be given an optional profile name to filter the output with. + +It can be used to generate AppArmor rules from the logs and it therefore an alternative to `aa-logprof(8)`. The generated rules should be manually reviewed and inserted into the profile. + +Default logs are read from `/var/log/audit/audit.log`. Other files in `/var/log/audit/` can easily be checked: **aa-log -f 1** parses `audit.log.1` + +# OPTIONS + +**aa-log** [*options…*] [*profile*] + +[*profile*] + +: Optional profile name to filter the output with. + +`--file`, `-f` + +: Set a logfile or a suffix to the default log file. + +`--systemd`, `-s` + +: Parse systemd logs from journalctl. Provides all AppArmor logs since the last boot. + +`--rules`, `-r` + +: Convert the log into AppArmor rules. + +`--raw`, `-R` + +: Print the raw log without any formatting. Useful for reporting logs. + +`--help`, `-h` + +: Print the program usage. 
+ + +# USAGE + +To read the AppArmor log from `/var/log/audit/audit.log`: +```sh +aa-log +``` + +To optionally filter a given profile name: `aa-log ` (your shell will autocomplete the profile name): +``` +$ aa-log dnsmasq +DENIED dnsmasq open /proc/sys/kernel/osrelease comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open /proc/1/environ comm=dnsmasq requested_mask=r denied_mask=r +DENIED dnsmasq open /proc/cmdline comm=dnsmasq requested_mask=r denied_mask=r +``` + +To generate AppArmor rule: +``` +$ aa-log -r dnsmasq +profile dnsmasq { + @{PROC}/@{pid}/environ r, + @{PROC}/cmdline r, + @{PROC}/sys/kernel/osrelease r, +} +``` + +# SEE ALSO + +`aa-logprof(8)`, `apparmor(7)`, `apparmor.d(5)`, `aa-genprof(1)`, `aa-enforce(1)`, `aa-complain(1)`, `aa-disable(1)`, and +https://apparmor.pujol.io. From 91fc3adb632105617527a791182243cee3b41033 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 25 Sep 2024 23:19:54 +0100 Subject: [PATCH 180/315] docs: update known issues. --- docs/issues.md | 29 +++++++++-------------------- 1 file changed, 9 insertions(+), 20 deletions(-) diff --git a/docs/issues.md b/docs/issues.md index d9f28cfe6..1db3b195a 100644 --- a/docs/issues.md +++ b/docs/issues.md 
@@ -2,18 +2,19 @@ title: Known issues --- -Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. +!!! info -!!! info + Known bugs are tracked on the meta issue **[#75](https://github.com/roddhjav/apparmor.d/issues/74)**. - Usually, a profile in complain mode cannot break the program it confines. - However, there are some **major exceptions**: +## Complain mode - * `deny` rules are enforced even in complain mode, - * `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, - * If AppArmor does not find the profile to transition `rPx`. +A profile in *complain* mode cannot break the program it confines. However, there are some **major exceptions**: -### Pacman "could not get current working directory" +1. `deny` rules are enforced even in *complain* mode, +2. `attach_disconnected` (and `mediate_deleted`) will break the program if they are required and missing in the profile, +3. If AppArmor does not find the profile to transition `rPx`. + +## Pacman "could not get current working directory" ```sh $ sudo pacman -Syu @@ -30,15 +31,3 @@ According to the Arch Linux guideline, on Arch Linux, packages cannot install fi This provides a basic protection against some packages (on the AUR) that may have rogue install script. [pacman]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/pacman/pacman - - -### Gnome can be very slow to start. - -[Gnome](https://github.com/roddhjav/apparmor.d/issues/80) can be slow to start. This is a known bug, help is very welcome. - -The complexity is that: - -- It works fine without AppArmor -- It works fine on most system (including test VM) -- It seems to be dbus related -- On archlinux, the dbus mediation is not enabled. So, there is nothing special to allow. From 779377ce4cbfac3a991be4f595131f96682fb345 Mon Sep 17 00:00:00 2001 
From: Roman Beslik Date: Thu, 26 Sep 2024 13:33:27 +0300 Subject: [PATCH 181/315] Get images from a scanner --- apparmor.d/profiles-g-l/gimp | 5 +++- apparmor.d/profiles-s-z/xsane-gimp | 38 ++++++++++++++++++++++++++++++ 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 apparmor.d/profiles-s-z/xsane-gimp diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp index fe69ad91c..040af8fac 100644 --- a/apparmor.d/profiles-g-l/gimp +++ b/apparmor.d/profiles-g-l/gimp @@ -16,6 +16,8 @@ profile gimp @{exec_path} { include include + signal (send) set=(term, kill) peer=xsane-gimp, + #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @@ -23,7 +25,8 @@ profile gimp @{exec_path} { @{lib}/gimp/*/plug-ins/** rix, - @{open_path} rPx -> child-open-help, + @{bin}/xsane-gimp rPx, + @{open_path} rPx -> child-open-help, /usr/share/gimp/{,**} r, /usr/share/mypaint-data/{,**} r, diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp new file mode 100644 index 000000000..94312bff2 --- /dev/null +++ b/apparmor.d/profiles-s-z/xsane-gimp 
@@ -0,0 +1,38 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xsane-gimp +profile xsane-gimp /{,usr/}{,s}bin/xsane-gimp { + include + include + include + + signal (receive) set=(term, kill) peer=gimp, + + network inet dgram, + network inet6 dgram, + network netlink raw, + + @{exec_path} mr, + @{system_share_dirs}/gimp/{,**} r, + @{system_share_dirs}/sane/xsane/{,**} r, + @{system_share_dirs}/snmp/mibs/{,**} r, # network + /etc/sane.d/{,**} r, + owner @{HOME}/.sane/{,**} rw, + owner @{tmp}/xsane-* rw, + @{sys}/devices/@{pci}/{model,type,vendor} r, + @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, + + # SCSI + @{sys}/bus/scsi/devices/ r, + @{PROC}/scsi/scsi r, + + include if exists +} + +# vim:syntax=apparmor From f70e17da33a5dc969a5716db189346022a4ea69f Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Thu, 26 Sep 2024 15:06:14 +0300 Subject: [PATCH 182/315] Changed the profile attachment to the variable --- apparmor.d/profiles-s-z/xsane-gimp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 94312bff2..edbded62a 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/xsane-gimp -profile xsane-gimp /{,usr/}{,s}bin/xsane-gimp { +profile xsane-gimp @{exec_path} { include include include From e16ade603a72c2de826ea0b39fc17aca8bcb469b Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Thu, 26 Sep 2024 15:07:48 +0300 Subject: [PATCH 183/315] Includes have been sorted alphabetically --- apparmor.d/profiles-s-z/xsane-gimp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index edbded62a..a18ce3152 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp 
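Review bot: The three `network` rules in the new profile carry no comment saying why a scanner plug-in needs inet/inet6 datagram and netlink raw sockets; the `# network` tag on the `@{system_share_dirs}/snmp/mibs/{,**} r,` line suggests this is for network scanner discovery. A short comment above the block, such as `# Network scanner discovery (SNMP / saned)`, would record that intent — confirm against the backend actually in use before wording it. The SCSI block further down is already labelled; the network block deserves the same treatment.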
+++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -9,8 +9,8 @@ include @{exec_path} = @{bin}/xsane-gimp profile xsane-gimp @{exec_path} { include - include include + include signal (receive) set=(term, kill) peer=gimp, From 03e974525e5991bbf7ce046d6145162e28de9b7d Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Thu, 26 Sep 2024 15:27:16 +0300 Subject: [PATCH 184/315] Narrowed the temporary file permission --- apparmor.d/profiles-s-z/xsane-gimp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index a18ce3152..1ae25a35e 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -24,7 +24,7 @@ profile xsane-gimp @{exec_path} { @{system_share_dirs}/snmp/mibs/{,**} r, # network /etc/sane.d/{,**} r, owner @{HOME}/.sane/{,**} rw, - owner @{tmp}/xsane-* rw, + owner @{tmp}/xsane-*-@{rand6} rw, @{sys}/devices/@{pci}/{model,type,vendor} r, @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r, From 5d14ff8e5cd66379d7807470b16919c23efbe4b8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Sep 2024 20:20:20 +0100 Subject: [PATCH 185/315] ci: set token for git-committers --- .gitlab-ci.yml | 2 +- mkdocs.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index ffc9dded0..7737e2d3c 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -190,7 +190,7 @@ pages: GIT_DEPTH: 0 script: - pip install -r requirements.txt - - mkdocs build --strict --site-dir public + - mkdocs build --site-dir public artifacts: paths: - public diff --git a/mkdocs.yml b/mkdocs.yml index 2db8677a1..404905913 100644 --- a/mkdocs.yml +++ b/mkdocs.yml 
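Review bot: `- mkdocs build --site-dir public` drops `--strict`, which the commit message (ci: set token for git-committers) does not mention; `--strict` turns mkdocs warnings such as broken internal links or pages missing from the nav into build failures, so the pages job will now publish silently on them. If the flag was removed because the git-committers plugin warns when the token is absent, prefer keeping `--strict` and supplying the token, or state in the commit message why strict builds are no longer wanted.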
@@ -64,12 +64,13 @@ plugins: - offline: enabled: !ENV [MKDOCS_OFFLINE, true] - git-revision-date-localized: - enabled: !ENV [ENABLED_GIT_REVISION_DATE, True] + enabled: !ENV [ENABLED_GIT_REVISION_DATE, true] enable_creation_date: true fallback_to_build_date: true - minify: minify_html: true - git-committers: + token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY] repository: roddhjav/apparmor.d branch: main From fbb0d62aee272dc56d613f1dc24a7f58e2b2259b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Sep 2024 20:21:48 +0100 Subject: [PATCH 186/315] fix(profile): ensure sandboxed app ca write font cache. --- apparmor.d/abstractions/common/app | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 777518f3d..5c8ebd21f 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -20,7 +20,7 @@ include include include - include + include include include include From 3f13aa77bfd668f3f36b615b39a2598f451b6024 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Sep 2024 20:29:33 +0100 Subject: [PATCH 187/315] feat(profile): update some dbus rules. --- .../bus/org.freedesktop.NetworkManager | 14 ++------------ .../abstractions/bus/org.freedesktop.UPower | 2 +- apparmor.d/groups/bus/dbus-session | 2 +- apparmor.d/groups/gnome/gnome-shell | 8 ++------ apparmor.d/groups/gnome/nautilus | 5 ----- apparmor.d/groups/gnome/yelp | 4 ++++ apparmor.d/groups/gvfs/gvfsd-dnssd | 1 + apparmor.d/groups/ubuntu/update-manager | 1 + apparmor.d/groups/ubuntu/update-notifier | 19 +------------------ apparmor.d/profiles-a-f/atril | 8 +------- 10 files changed, 14 insertions(+), 50 deletions(-) diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 128f07fe5..61f27fca5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager 
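Review bot: `token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY]` has no fallback value, so per mkdocs' `!ENV` semantics the key resolves to null when the variable is unset (local builds, forks, unprotected branches); whether git-committers then skips quietly or errors is not visible here. Consider `token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY, ""]` if an empty token is the intended degraded mode, and make sure the CI variable is defined as masked so it cannot surface in job logs. Reading the secret from the environment rather than storing it in this file is the right choice.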
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -7,9 +7,9 @@ member=GetManagedObjects peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager + dbus send bus=system path=/org/freedesktop/NetworkManager{,/**} interface=org.freedesktop.DBus.Properties - member=GetAll + member={Get,GetAll} peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), dbus send bus=system path=/org/freedesktop/NetworkManager @@ -27,16 +27,6 @@ member=GetSettings peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - - dbus send bus=system path=/org/freedesktop/NetworkManager/Devices/@{int} - interface=org.freedesktop.DBus.Properties - member=GetAll - peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager), - dbus send bus=system path=/org/freedesktop/NetworkManager interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 247e2ddda..148db02d7 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -26,7 +26,7 @@ member={Get,GetAll} peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), - dbus send bus=system path=/org/freedesktop/UPower/devices/* + dbus send bus=system path=/org/freedesktop/UPower{,/**} interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd), diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index 99467d9f5..af961be6d 100644 
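Review bot: `path=/org/freedesktop/NetworkManager{,/**}` with `member={Get,GetAll}` is wider than the two rules it replaces, which were limited to `ActiveConnection/@{int}` and `Devices/@{int}`; it now also covers Settings, AccessPoint and IP-config objects. Because the rule is a `send` on the read-only `org.freedesktop.DBus.Properties` interface toward `label=NetworkManager`, it exposes property reads only (connection secrets are served by a separate method call rather than as properties), so the widening looks acceptable. A comment such as `# Property reads on any NetworkManager object (devices, connections, settings)` would document that the breadth is deliberate.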
--- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -29,7 +29,7 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - #aa:dbus own bus=session name=org.freedesktop.DBus + #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} @{exec_path} mrix, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index db004062c..04f90e33a 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -73,8 +73,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { #aa:dbus own bus=session name=org.gnome.Mutter #aa:dbus own bus=session name=org.gnome.Shell - #aa:dbus own bus=session name=com.canonical.Unity path=/com/canonical/{U,u}nity + #aa:dbus own bus=session name=com.canonical.{U,u}nity #aa:dbus own bus=session name=com.rastersoft.dingextension + #aa:dbus own bus=session name=org.ayatana.NotificationItem #aa:dbus own bus=session name=org.gtk.Actions path=/** #aa:dbus own bus=session name=org.gtk.MountOperationHandler #aa:dbus own bus=session name=org.gtk.Notifications @@ -133,11 +134,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Embed peer=(name=org.a11y.atspi.Registry), - dbus send bus=session path=/org/ayatana/NotificationItem/* - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=:*, label=update-notifier), - dbus receive bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.systemd1.Manager member=JobRemoved diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index f9be02d9d..5704fa866 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
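Review bot: The deleted gnome-shell rule was a `dbus send` of `{Get,GetAll}` on `/org/ayatana/NotificationItem/*` toward `label=update-notifier`, i.e. gnome-shell was the client of those objects, and the matching update-notifier hunk further down (the `#aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell` line) removes the corresponding `receive` rules on the other side. The replacement `#aa:dbus own bus=session name=org.ayatana.NotificationItem` gives gnome-shell the owner role and update-notifier the client role, which is the reverse of what the removed rules expressed. Whether the `own` expansion still grants the send side is not visible here; if it does not, the status-item property lookups will be denied once gnome-shell is enforced. Worth checking the generated rules or an aa-log run on an Ubuntu session before merging.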
@@ -35,11 +35,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell - dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus.Properties - member={GetAll,ListActivatableNames} - peer=(name=org.freedesktop.DBus, label=dbus-session), - dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine interface=org.gtk.private.CommandLine member=Print diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 4da1fe736..fe9123e5b 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -9,10 +9,14 @@ include @{exec_path} = @{bin}/yelp @{bin}/gnome-help profile yelp @{exec_path} { include + include + include include network netlink raw, + #aa:dbus own bus=session name=org.gnome.Yelp + @{exec_path} mr, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd index b07cd070b..1bad8c349 100644 --- a/apparmor.d/groups/gvfs/gvfsd-dnssd +++ b/apparmor.d/groups/gvfs/gvfsd-dnssd @@ -16,6 +16,7 @@ profile gvfsd-dnssd @{exec_path} { include #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_dnssd + #aa:dbus talk bus=session name=org.gtk.vfs.MountTracker label=gvfsd dbus receive bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 2811b16e3..4a05ad8d7 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -19,6 +19,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 0487399fa..cb33f6046 100644 
--- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -25,24 +25,7 @@ profile update-notifier @{exec_path} { unix (bind) type=stream addr=@@{hex16}/bus/systemd/bus-api-user, #aa:dbus talk bus=system name=org.debian.apt label=apt - - dbus receive bus=session path=/org/ayatana/NotificationItem/software_update_available - interface=org.freedesktop.DBus.Properties - member={Get,GetAll} - peer=(name=:*, label=gnome-shell), - - dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch{,/Menu} - interface=org.freedesktop.DBus.Properties - member=={Get,GetAll} - peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/ayatana/NotificationItem/livepatch/Menu - interface=com.canonical.dbusmenu - member={AboutToShow,GetGroupProperties,GetLayout} - peer=(name=:*, label=gnome-shell), - - dbus send bus=session path=/org/ayatana/NotificationItem/* - interface=org.kde.StatusNotifierItem - peer=(name=org.freedesktop.DBus, label=gnome-shell), + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell @{exec_path} mr, diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril index 2163346cc..3b78d9c02 100644 --- a/apparmor.d/profiles-a-f/atril +++ b/apparmor.d/profiles-a-f/atril @@ -26,13 +26,7 @@ profile atril @{exec_path} { network netlink raw, - dbus send bus=session path=/org/mate/atril/{,**} - peer=(name=org.freedesktop.DBus, label=atrild), # all interfaces and members - - dbus send bus=session path=/org/mate/atril/Daemon - interface=org.mate.atril.Daemon - member={RegisterDocument,UnregisterDocument} - peer=(name=org.mate.atril.Daemon), # no peer's labels + #aa:dbus talk bus=session name=org.mate.atril.Daemon label=atrild @{exec_path} mr, From 549c6ba2f5402878ad28fa68d1809d7505ef3a02 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Thu, 26 Sep 2024 20:34:12 +0100 Subject: [PATCH 188/315] feat(profile): ubuntu: improve integration with ubuntu. --- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 1 + apparmor.d/groups/bus/ibus-x11 | 5 +++-- apparmor.d/groups/grub/grub-sort-version | 2 ++ .../groups/ubuntu/livepatch-notification | 9 +-------- apparmor.d/groups/ubuntu/pro | 20 ------------------- .../groups/ubuntu/software-properties-dbus | 6 +++--- .../ubuntu/ubuntu-advantage-notification | 7 +------ apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/ubuntu/update-notifier | 7 +++++++ apparmor.d/profiles-a-f/fstrim | 1 + apparmor.d/profiles-g-l/gtk-query-immodules | 1 + apparmor.d/profiles-g-l/logrotate | 16 +++------------ apparmor.d/profiles-m-r/mkinitramfs | 10 +++++++--- apparmor.d/profiles-s-z/setvtrgb | 2 ++ apparmor.d/profiles-s-z/snap | 5 ++++- apparmor.d/profiles-s-z/snap-seccomp | 2 ++ apparmor.d/profiles-s-z/ufw | 8 ++++---- 18 files changed, 44 insertions(+), 62 deletions(-) delete mode 100644 apparmor.d/groups/ubuntu/pro diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 7ebb4da0b..1acaa6aff 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -59,7 +59,7 @@ profile apt-systemd-daily @{exec_path} { /var/backups/ r, /var/backups/apt.extended_states rw, /var/backups/apt.extended_states.@{int} rw, - /var/backups/apt.extended_states.@{int}.gz w, + /var/backups/apt.extended_states.@{int}.gz rw, /var/cache/apt/ r, /var/cache/apt/archives/ r, diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index d57d3d42d..f94d95251 100644 --- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure 
@@ -24,6 +24,7 @@ profile dpkg-preconfigure @{exec_path} { @{bin}/{,g,m}awk rix, @{bin}/cat rix, @{bin}/dialog rix, + @{bin}/expr rix, @{bin}/locale rix, @{bin}/sed rix, @{bin}/sort rix, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 44bb611fe..066adc056 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 @@ -17,14 +17,15 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { include include - unix (connect, receive, send) type=stream peer=(label=ibus-daemon), - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + # unix (connect, receive, send) type=stream peer=(label=ibus-daemon), + unix (send receive connect) type=stream addr=none peer=(label=gnome-shell, addr=@/tmp/.X11-unix/X@{int}), + dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version index 7f830dc33..bea282862 100644 --- a/apparmor.d/groups/grub/grub-sort-version +++ b/apparmor.d/groups/grub/grub-sort-version @@ -10,6 +10,8 @@ include profile grub-sort-version @{exec_path} { include include + include + include include capability dac_read_search, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 14f21729f..66739c7bc 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -14,17 +14,10 @@ profile livepatch-notification @{exec_path} { include include include - include - include + include @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, - /usr/share/X11/{,**} r, - - @{run}/user/@{uid}/gdm/Xauthority r, - include if exists } diff --git a/apparmor.d/groups/ubuntu/pro b/apparmor.d/groups/ubuntu/pro deleted file mode 100644 index c00b07587..000000000 
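Review bot: The old socket rule is kept as dead text, `# unix (connect, receive, send) type=stream peer=(label=ibus-daemon),`, with no explanation of why it was replaced; either delete it or add a one-line reason so the next reader does not simply re-enable it. The new rule pins the X socket peer to `label=gnome-shell`, which presumably only matches sessions where gnome-shell itself serves `@/tmp/.X11-unix/X@{int}`; on an Xorg session under another compositor the peer label differs and the connect would be denied — confirm whether that case is covered elsewhere or is out of scope.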
--- a/apparmor.d/groups/ubuntu/pro +++ /dev/null @@ -1,20 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2023-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/pro -profile pro @{exec_path} { - include - include - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 2def932dc..32b4e27c3 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus @@ -39,9 +39,9 @@ profile software-properties-dbus @{exec_path} { /usr/share/distro-info/*.csv r, /usr/share/xml/iso-codes/{,**} r, - owner @{tmp}/???????? rw, # unconventional '_' tail - owner @{tmp}/tmp????????/ w, # change to 'c' - owner @{tmp}/tmp????????/apt.conf w, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8}/ w, # change to 'c' + owner @{tmp}/tmp@{word8}/apt.conf w, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 2f539bac8..c9a48ed47 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification @@ -14,15 +14,10 @@ profile ubuntu-advantage-notification @{exec_path} { include include include - include - include + include @{exec_path} mr, - /usr/share/glib-2.0/schemas/gschemas.compiled r, - /usr/share/icons/{,**} r, - /usr/share/X11/xkb/{,**} r, - include if exists } diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 4a05ad8d7..2cf2f3e99 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager 
@@ -9,7 +9,6 @@ include @{exec_path} = @{bin}/update-manager profile update-manager @{exec_path} flags=(attach_disconnected) { include - include include include include @@ -20,6 +19,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index cb33f6046..df73d4e40 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -72,8 +72,15 @@ profile update-notifier @{exec_path} { include include + capability sys_ptrace, + + ptrace read peer=update-notifier, + @{lib}/update-notifier/package-system-locked Px, + @{PROC}/@{pid}/fdinfo/@{int} r, + @{PROC}/@{pid}/stat r, + include if exists } diff --git a/apparmor.d/profiles-a-f/fstrim b/apparmor.d/profiles-a-f/fstrim index e49108044..a4ba7fedb 100644 --- a/apparmor.d/profiles-a-f/fstrim +++ b/apparmor.d/profiles-a-f/fstrim @@ -23,6 +23,7 @@ profile fstrim @{exec_path} { @{MOUNTS}/ r, / r, /boot/ r, + /boot/efi/ r, /var/ r, include if exists diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules index e67def6d2..a92092f8c 100644 --- a/apparmor.d/profiles-g-l/gtk-query-immodules +++ b/apparmor.d/profiles-g-l/gtk-query-immodules @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 profile gtk-query-immodules @{exec_path} { include + include capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate index 6004b8a35..9bfe64a72 100644 --- a/apparmor.d/profiles-g-l/logrotate +++ b/apparmor.d/profiles-g-l/logrotate 
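Review bot: The new `capability sys_ptrace,` / `ptrace read peer=update-notifier,` pair and the non-`owner` `@{PROC}/@{pid}/stat r,` and `@{PROC}/@{pid}/fdinfo/@{int} r,` rules carry no comment, so the reason update-notifier reads other processes' /proc entries is lost. The `peer=update-notifier` restriction confines the ptrace grant to its own label, which is what makes the non-owner proc rules acceptable; a comment such as `# Inspect other update-notifier instances (ptrace read + sys_ptrace gate /proc access)` would make that dependency explicit — confirm the actual use case (presumably an instance or lock check around package-system-locked) before wording it. The enclosing profile's start is outside this hunk.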
@@ -50,19 +50,7 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { @{bin}/squid rPUx, @{bin}/pgrep rCx -> pgrep, - - # no new privs - #@{bin}/systemctl rCx -> systemctl, - @{bin}/systemctl rix, - @{bin}/runlevel rix, - include - ptrace (read), - capability sys_ptrace, - owner @{PROC}/@{pid}/stat r, - @{PROC}/1/environ r, - @{PROC}/1/sched r, - @{PROC}/cmdline r, - @{PROC}/sys/kernel/osrelease r, + @{bin}/systemctl rCx -> systemctl, /etc/ r, @{etc_ro}/logrotate.conf rk, @@ -92,6 +80,8 @@ profile logrotate @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_ptrace, + @{run}/utmp rk, + include if exists } diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs index 692d79184..b24bdbdf1 100644 --- a/apparmor.d/profiles-m-r/mkinitramfs +++ b/apparmor.d/profiles-m-r/mkinitramfs @@ -81,18 +81,22 @@ profile mkinitramfs @{exec_path} { /etc/modprobe.d/{,*.conf} r, /boot/ r, - owner /boot/initrd.img-*.new rw, owner /boot/config-* r, + owner /boot/initrd.img-*.new rw, /var/tmp/ r, + /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, owner /var/tmp/mkinitramfs_*/ rw, owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**, - /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw, owner /var/tmp/mkinitramfs-* rw, - owner @{PROC}/@{pid}/fd/ r, + @{sys}/devices/platform/ r, + @{sys}/devices/platform/reg-dummy/{,**}/ r, + @{sys}/module/compression r, + @{PROC}/cmdline r, @{PROC}/modules r, + owner @{PROC}/@{pid}/fd/ r, profile ldd { include diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb index 79398e82d..aef3b00fe 100644 --- a/apparmor.d/profiles-s-z/setvtrgb +++ b/apparmor.d/profiles-s-z/setvtrgb @@ -15,6 +15,8 @@ profile setvtrgb @{exec_path} { @{exec_path} mr, + /etc/console-setup/vtrgb r, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap index 158744d0c..e5e5bef97 100644 
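Review bot: The removed block carried a `# no new privs` comment explaining why `systemctl` ran inline (`rix`) together with its ptrace/sys_ptrace/proc rules instead of through the child profile; the new `@{bin}/systemctl rCx -> systemctl,` restores the transition without saying what changed. If the logrotate service unit still sets `NoNewPrivileges=`, the kernel refuses the domain transition into the `systemctl` child and the call fails. Either record why the transition is now safe (in a comment or the commit message) or keep a note that systems with the hardened unit need the inline variant. The `@{run}/utmp rk,` addition in the second hunk lands in a child profile whose start is outside this hunk.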
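Review bot: `@{sys}/devices/platform/reg-dummy/{,**}/ r,` ends with a slash after the alternation, so the empty branch expands to `reg-dummy//`, which does not name the directory itself the way the `@{sys}/devices/platform/ r,` line above does. The rest of the profile uses the `dir/` and `dir/{,**}` forms; `@{sys}/devices/platform/reg-dummy/{,**/} r,` matches the directory and every subdirectory without the doubled slash. Please confirm against the denial log which entries under reg-dummy are actually read.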
--- a/apparmor.d/profiles-s-z/snap +++ b/apparmor.d/profiles-s-z/snap @@ -104,7 +104,10 @@ profile snap @{exec_path} { profile systemctl { include include - + include + + network unix stream, + include if exists } diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp index 4c34746ed..5018ff379 100644 --- a/apparmor.d/profiles-s-z/snap-seccomp +++ b/apparmor.d/profiles-s-z/snap-seccomp @@ -18,6 +18,8 @@ profile snap-seccomp @{exec_path} { @{exec_path} mr, + @{lib_dirs}/**.so* mr, + /var/lib/snapd/seccomp/bpf/{,**} rw, owner @{PROC}/@{pids}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw index 6a9897d91..525e543b9 100644 --- a/apparmor.d/profiles-s-z/ufw +++ b/apparmor.d/profiles-s-z/ufw @@ -37,10 +37,10 @@ profile ufw @{exec_path} { owner @{run}/ufw.lock rwk, - owner /var/tmp/???????? rw, - owner /var/tmp/tmp???????? rw, - owner @{tmp}/???????? rw, - owner @{tmp}/tmp???????? rw, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8} rw, + owner /var/tmp/@{word8} rw, + owner /var/tmp/tmp@{word8} rw, @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/ip_tables_names r, From c6c4920598ea6d06c1f855eff76e6f261c946f10 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Sep 2024 20:36:14 +0100 Subject: [PATCH 189/315] feat(profile): newer gnome want to read /. --- apparmor.d/groups/gnome/gnome-system-monitor | 4 ++++ apparmor.d/profiles-a-f/fractal | 2 ++ 2 files changed, 6 insertions(+) diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 4d0a5dd5d..730ea1ffe 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -38,6 +38,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { /usr/share/gnome-system-monitor/{,**} r, /usr/share/firefox-esr/browser/chrome/icons/default/*.png r, + / r, + owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, owner @{run}/user/@{uid}/doc/ rw, 
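Review bot: `@{lib_dirs}/**.so* mr,` grants map+read of every shared object under the lib directories, which is broader than the per-library rules used elsewhere and, for the standard library paths, already covered by the base abstraction. If `@{lib_dirs}` is a profile-local variable its definition is outside this hunk; if a single library is what triggered the denial (presumably the seccomp one), naming it keeps the profile tight, and a comment stating which loader path needed it would help either way.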
@@ -76,6 +78,8 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) { @{PROC}/diskstats r, @{PROC}/vmstat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, /dev/tty rw, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index c7df958f7..54abde9d3 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -25,6 +25,8 @@ profile fractal @{exec_path} flags=(attach_disconnected) { /usr/share/xml/iso-codes/{,**} r, + / r, + owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, From 6f5604d59d9a31bae3dfec48762a3a8b8a4d6cea Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Sep 2024 22:05:47 +0100 Subject: [PATCH 190/315] build: cleanup base build interface. --- pkg/prebuild/cfg/core.go | 10 ++++++---- pkg/prebuild/cfg/core_test.go | 9 +++++---- pkg/prebuild/directive/dbus.go | 10 ++++++---- pkg/prebuild/directive/exec.go | 2 +- pkg/prebuild/directive/filter.go | 4 ++-- pkg/prebuild/directive/stack.go | 2 +- 6 files changed, 21 insertions(+), 16 deletions(-) diff --git a/pkg/prebuild/cfg/core.go b/pkg/prebuild/cfg/core.go index 692f130ad..56b91ed6f 100644 --- a/pkg/prebuild/cfg/core.go +++ b/pkg/prebuild/cfg/core.go @@ -9,20 +9,20 @@ import "fmt" type BaseInterface interface { Message() string Name() string - Usage() string + Usage() []string } type Base struct { Msg string Keyword string - Help string + Help []string } func (b Base) Name() string { return b.Keyword } -func (b Base) Usage() string { +func (b Base) Usage() []string { return b.Help } @@ -41,7 +41,9 @@ func Help[T BaseInterface](name string, tasks map[string]T) string { func Usage[T BaseInterface](name string, tasks map[string]T) string { res := fmt.Sprintf("%s\n", name) for _, t := range tasks { - res += fmt.Sprintf(" %s\n", t.Usage()) + for _, h := range t.Usage() { + res += fmt.Sprintf(" #aa:%s %s\n", t.Name(), h) + } } return res } 
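Review bot: `Usage` still ranges over the `tasks` map, so the order of the `#aa:` lines in the generated help text changes from run to run; with the new nested loop the text is also built by repeated `res +=` concatenation. Sorting the keys first gives stable output (useful for tests and for diffing generated docs), and a `strings.Builder` replaces the quadratic concatenation. This needs `slices` and `strings` added to the import at the top of the hunk (currently `import "fmt"`); keep whatever indentation the original format literal has. `Help` above is outside this hunk and may have the same ordering issue.
```go
func Usage[T BaseInterface](name string, tasks map[string]T) string {
	// Sort the keys so the generated help text is stable across runs.
	keys := make([]string, 0, len(tasks))
	for k := range tasks {
		keys = append(keys, k)
	}
	slices.Sort(keys)

	var b strings.Builder
	fmt.Fprintf(&b, "%s\n", name)
	for _, k := range keys {
		for _, h := range tasks[k].Usage() {
			fmt.Fprintf(&b, " #aa:%s %s\n", tasks[k].Name(), h)
		}
	}
	return b.String()
}
```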
diff --git a/pkg/prebuild/cfg/core_test.go b/pkg/prebuild/cfg/core_test.go index ff76f9466..7cde166a1 100644 --- a/pkg/prebuild/cfg/core_test.go +++ b/pkg/prebuild/cfg/core_test.go @@ -5,6 +5,7 @@ package cfg import ( + "slices" "strings" "testing" ) @@ -17,7 +18,7 @@ func TestBase_Helpers(t *testing.T) { }{ { name: "base", - b: Base{Keyword: "test", Help: "test", Msg: "test"}, + b: Base{Keyword: "test", Help: []string{"test"}, Msg: "test"}, want: "test", }, } @@ -26,7 +27,7 @@ func TestBase_Helpers(t *testing.T) { if got := tt.b.Name(); got != tt.want { t.Errorf("Base.Name() = %v, want %v", got, tt.want) } - if got := tt.b.Usage(); got != tt.want { + if got := tt.b.Usage(); !slices.Equal(got, []string{tt.want}) { t.Errorf("Base.Usage() = %v, want %v", got, tt.want) } if got := tt.b.Message(); got != tt.want { @@ -45,8 +46,8 @@ func TestHelp(t *testing.T) { { name: "one", tasks: map[string]Base{ - "one": {Keyword: "one", Help: "one", Msg: "one"}, - "two": {Keyword: "two", Help: "two", Msg: "two"}, + "one": {Keyword: "one", Help: []string{"one"}, Msg: "one"}, + "two": {Keyword: "two", Help: []string{"two"}, Msg: "two"}, }, want: `one`, }, diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index dc7ac16d3..98f5cd61c 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -35,10 +35,12 @@ func init() { Base: cfg.Base{ Keyword: "dbus", Msg: "Dbus directive applied", - Help: `#aa:dbus own bus= name= [interface=AARE] [path=AARE] - #aa:dbus talk bus= name= label= [interface=AARE] [path=AARE]`, - }, - }) + Help: []string{ + "own bus= name= [interface=AARE] [path=AARE]", + "talk bus= name= label= [interface=AARE] [path=AARE]", + }, + }}, + ) } func setInterfaces(rules map[string]string) []string { diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index b77d80fa4..64c97e9cd 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go 
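Review bot: The `RegisterDirective(&Dbus{ … })` call now closes with `}},` on one line and `)` on the next, while the sibling registrations touched by the same patch (exec.go, filter.go, stack.go) keep `},` followed by `})`. gofmt accepts both, but the mixed style makes the directive files harder to scan; restoring `},` / `})` here matches the others. `init` starts outside this hunk.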
@@ -25,7 +25,7 @@ func init() {
 Base: cfg.Base{
 Keyword: "exec",
 Msg: "Exec directive applied",
- Help: Keyword + `exec [P|U|p|u|PU|pu|] profiles...`,
+ Help: []string{"[P|U|p|u|PU|pu|] profiles..."},
 },
 })
 }
diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go
index 1c90fa760..39e6c0062 100644
--- a/pkg/prebuild/directive/filter.go
+++ b/pkg/prebuild/directive/filter.go
@@ -25,14 +25,14 @@ func init() {
 Base: cfg.Base{
 Keyword: "only",
 Msg: "Only directive applied",
- Help: Keyword + `only filters...`,
+ Help: []string{"filters..."},
 },
 })
 RegisterDirective(&FilterExclude{
 Base: cfg.Base{
 Keyword: "exclude",
 Msg: "Exclude directive applied",
- Help: Keyword + `exclude filters...`,
+ Help: []string{"filters..."},
 },
 })
 }
diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go
index a2079dfb9..c673a1701 100644
--- a/pkg/prebuild/directive/stack.go
+++ b/pkg/prebuild/directive/stack.go
@@ -33,7 +33,7 @@ func init() {
 Base: cfg.Base{
 Keyword: "stack",
 Msg: "Stack directive applied",
- Help: Keyword + `stack [X] profiles...`,
+ Help: []string{"[X] profiles..."},
 },
 })
 }
From 05a489e0214e1dbacc5a5c7220cbd79575379183 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 26 Sep 2024 22:08:48 +0100
Subject: [PATCH 191/315] build: improve internal directive tool.
---
 pkg/prebuild/directive/core.go | 26 ++++++++++++++++++++++----
 pkg/prebuild/directive/filter.go | 11 +----------
 2 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go
index d14dd4861..b81ae3cc7 100644
--- a/pkg/prebuild/directive/core.go
+++ b/pkg/prebuild/directive/core.go
@@ -61,11 +61,29 @@ func NewOption(file *paths.Path, match []string) *Option { } } -// Clean the selected directive from profile. +// Clean removes selected directive line from input string. // Useful to remove directive text applied on some condition only -func (o *Option) Clean(profile string) string { - reg := regexp.MustCompile(`\s*` + Keyword + o.Name + ` .*$`) - return strings.Replace(profile, o.Raw, reg.ReplaceAllString(o.Raw, ""), 1) +func (o *Option) Clean(input string) string { + return strings.Replace(input, o.Raw, o.cleanKeyword(o.Raw), 1) +} + +// cleanKeyword removes the dirextive keywork (#aa:...) from the input string +func (o *Option) cleanKeyword(input string) string { + reg := regexp.MustCompile(`\s*` + Keyword + o.Name + `( .*)?$`) + return reg.ReplaceAllString(input, "") +} + +// Check if the directive is inline or if it is a paragraph +func (o *Option) IsInline() bool { + inline := true + tmp := strings.Split(o.Raw, Keyword) + if len(tmp) >= 1 { + left := strings.TrimSpace(tmp[0]) + if len(left) == 0 { + inline = false + } + } + return inline } func RegisterDirective(d Directive) { diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index 39e6c0062..1aa2e1c76 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -49,16 +49,7 @@ func filter(only bool, opt *Option, profile string) (string, error) { return opt.Clean(profile), nil } - inline := true - tmp := strings.Split(opt.Raw, Keyword) - if len(tmp) >= 1 { - left := strings.TrimSpace(tmp[0]) - if len(left) == 0 { - inline = false - } - } - - if inline { + if opt.IsInline() { profile = strings.Replace(profile, opt.Raw, "", -1) } else { regRemoveParagraph := regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`) From fbdf9cea64aa60230c9fbb6545cba97abda5e14f Mon Sep 17 00:00:00 2001 
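Review bot: `cleanKeyword` interpolates `o.Name` into a regular expression unescaped and recompiles it on every call; `regexp.MustCompile(`\s*` + Keyword + regexp.QuoteMeta(o.Name) + `( .*)?$`)` keeps a future directive name containing metacharacters from altering the match, and the compiled pattern could be cached per directive. The doc comment also has two typos and should read `// cleanKeyword removes the directive keyword (#aa:...) from the input string`. In `IsInline`, `strings.Split` never returns fewer than one element, so the `len(tmp) >= 1` guard is dead and the whole method reduces to `return strings.TrimSpace(strings.SplitN(o.Raw, Keyword, 2)[0]) != ""`, with a Go-style comment `// IsInline reports whether the directive sits on a rule line rather than on a line of its own.`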
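Review bot: The paragraph branch still builds a regex from the raw profile line with `regexp.MustCompile(`(?s)` + opt.Raw + `\n.*?\n\n`)`, and `opt.Raw` is an unescaped AppArmor rule line: globs such as `/**`, `{,**}` or `[0-9]`, or a `(` in a trailing comment, are regex metacharacters, so the pattern either panics in MustCompile or silently fails to match and leaves the supposedly excluded block in the built profile. Wrap it as `regexp.QuoteMeta(opt.Raw)`, or avoid the regex entirely by locating `opt.Raw` with `strings.Index` and cutting to the next blank line. The inline branch is unaffected because it uses `strings.Replace`.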
From: Alexandre Pujol Date: Thu, 26 Sep 2024 22:09:49 +0100 Subject: [PATCH 192/315] build: support directive without argument.
---
 pkg/prebuild/directive/core.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go
index b81ae3cc7..0e791730f 100644
--- a/pkg/prebuild/directive/core.go
+++ b/pkg/prebuild/directive/core.go
@@ -20,7 +20,7 @@ var (
 // Build the profiles with the following directive applied
 Directives = map[string]Directive{}
- regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*) (.*)`)
+ regDirective = regexp.MustCompile(`(?m).*` + Keyword + `([a-z]*)( .*)?`)
 )
 // Main directive interface
From 83bc7d3adeb6507747eeebdd87037d50b5955696 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Sep 2024 22:15:46 +0100 Subject: [PATCH 193/315] feat(aa-log): minor improvment in rule generation & formatting.
---
 pkg/aa/base.go | 2 +- pkg/aa/file.go | 21 +++++++++++++++++++++ pkg/aa/mount.go | 8 ++++---- pkg/aa/parse.go | 16 +++++++++++----- pkg/aa/profile.go | 38 ++++++++++++++++++++++---------------- pkg/aa/rules.go | 40 +++++++++++++++++++++++++++++++++++----- pkg/aa/template.go | 6 +++--- 7 files changed, 97 insertions(+), 34 deletions(-)
diff --git a/pkg/aa/base.go b/pkg/aa/base.go
index 967466520..609525111 100644
--- a/pkg/aa/base.go
+++ b/pkg/aa/base.go
@@ -9,8 +9,8 @@ import (
 )
 type Base struct {
- IsLineRule bool
 Comment string
+ IsLineRule bool
 NoNewPrivs bool
 FileInherit bool
 Optional bool
diff --git a/pkg/aa/file.go b/pkg/aa/file.go
index 50b23bae9..549ff66de 100644
--- a/pkg/aa/file.go
+++ b/pkg/aa/file.go
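Review bot: `([a-z]*)` in the new `regDirective` pattern still accepts an empty directive name, so a stray `#aa:` followed by anything matches and an empty key is then looked up in `Directives`; `([a-z]+)` rejects that at the regex instead of wherever the lookup fails. Note also that the argument group changed from `(.*)` to `( .*)?`, so the second submatch now carries its leading space (or is empty when absent) — a consumer that splits it on `" "` rather than `strings.Fields` will see an empty first token. `NewOption`, which consumes the match, is outside this hunk, so I cannot confirm how it splits.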
@@ -118,6 +118,21 @@ func (r *File) String() string { } func (r *File) Validate() error { + if !isAARE(r.Path) { + return fmt.Errorf("'%s' is not a valid AARE", r.Path) + } + for _, v := range r.Access { + if v == "" { + continue + } + if !slices.Contains(requirements[r.Kind()]["access"], v) || + !slices.Contains(requirements[r.Kind()]["transition"], v) { + return fmt.Errorf("invalid mode '%s'", v) + } + } + if r.Target != "" && !isAARE(r.Target) { + return fmt.Errorf("'%s' is not a valid AARE", r.Target) + } return nil } @@ -260,6 +275,12 @@ func (r *Link) String() string { } func (r *Link) Validate() error { + if !isAARE(r.Path) { + return fmt.Errorf("'%s' is not a valid AARE", r.Path) + } + if !isAARE(r.Target) { + return fmt.Errorf("'%s' is not a valid AARE", r.Target) + } return nil } diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index 914efc2ff..ad83801c6 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -17,10 +17,10 @@ const ( func init() { requirements[MOUNT] = requirement{ "flags": { - "acl", "async", "atime", "ro", "rw", "bind", "rbind", "dev", - "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", - "noacl", "noatime", "nodev", "nodiratime", "noexec", "noiversion", - "nomand", "norelatime", "nosuid", "nouser", "private", "relatime", + "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", + "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", + "noatime", "nodev", "nodiratime", "noexec", "noiversion", "nomand", + "norelatime", "nosuid", "nouser", "private", "rbind", "relatime", "remount", "rprivate", "rshared", "rslave", "runbindable", "shared", "silent", "slave", "strictatime", "suid", "sync", "unbindable", "user", "verbose", diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index 88808a375..b7fb52835 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go 
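Review bot: The access loop in `File.Validate` rejects every mode: `!slices.Contains(access, v) || !slices.Contains(transition, v)` is true unless `v` appears in both lists, and a mode such as `r` is only in one, so any file rule with an access fails validation. The condition must be `&&` (invalid only when the mode is in neither list); a later patch in this series makes that flip, but this commit ships the broken version. As written the check also passes a rule whose `Access` is empty, which `String()` would render with a dangling comma, so `if len(r.Access) == 0 { return fmt.Errorf("missing file access") }` before the loop is worth adding here as well.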
@@ -495,9 +495,15 @@ func (r rule) String() string { } func isAARE(str string) bool { - return strings.HasPrefix(str, "@") || - strings.HasPrefix(str, "/") || - strings.HasPrefix(str, "\"") + if len(str) < 1 { + return false + } + switch str[0] { + case '@', '/', '"': + return true + default: + return false + } } // Convert a slice of internal rules to a slice of ApparmorRule. @@ -652,8 +658,8 @@ done: } // Parse apparmor profile rules by paragraphs -func ParseRules(input string) ([]Rules, []string, error) { - paragraphRules := []Rules{} +func ParseRules(input string) (ParaRules, []string, error) { + paragraphRules := ParaRules{} paragraphs := []string{} for _, match := range regParagraph.FindAllStringSubmatch(input, -1) { diff --git a/pkg/aa/profile.go b/pkg/aa/profile.go index ec5068971..30e8b106f 100644 --- a/pkg/aa/profile.go +++ b/pkg/aa/profile.go @@ -139,16 +139,18 @@ func (p *Profile) GetAttachments() string { var ( newLogMap = map[string]func(log map[string]string) Rule{ + // class "rlimits": newRlimitFromLog, - "cap": newCapabilityFromLog, - "io_uring": newIOUringFromLog, - "signal": newSignalFromLog, - "ptrace": newPtraceFromLog, "namespace": newUsernsFromLog, - "unix": newUnixFromLog, - "dbus": newDbusFromLog, + "cap": newCapabilityFromLog, + "net": newNetworkFromLog, "posix_mqueue": newMqueueFromLog, "sysv_mqueue": newMqueueFromLog, + "signal": newSignalFromLog, + "ptrace": newPtraceFromLog, + "unix": newUnixFromLog, + "io_uring": newIOUringFromLog, + "dbus": newDbusFromLog, "mount": func(log map[string]string) Rule { if strings.Contains(log["flags"], "remount") { return newRemountFromLog(log) @@ -156,7 +158,6 @@ var ( newRule := newLogMountMap[log["operation"]] return newRule(log) }, - "net": newNetworkFromLog, "file": func(log map[string]string) Rule { if log["operation"] == "change_onexec" { return newChangeProfileFromLog(log) 
@@ -164,14 +165,19 @@ var ( return newFileFromLog(log) } }, - "exec": newFileFromLog, - "getattr": newFileFromLog, - "mkdir": newFileFromLog, - "mknod": newFileFromLog, - "open": newFileFromLog, - "rename_src": newFileFromLog, - "truncate": newFileFromLog, - "unlink": newFileFromLog, + // operation + "capable": newCapabilityFromLog, + "chmod": newFileFromLog, + "exec": newFileFromLog, + "getattr": newFileFromLog, + "link": newFileFromLog, + "mkdir": newFileFromLog, + "mknod": newFileFromLog, + "open": newFileFromLog, + "rename_dest": newFileFromLog, + "rename_src": newFileFromLog, + "truncate": newFileFromLog, + "unlink": newFileFromLog, } newLogMountMap = map[string]func(log map[string]string) Rule{ "mount": newMountFromLog, @@ -213,7 +219,7 @@ func (p *Profile) AddRule(log map[string]string) { case strings.Contains(log["operation"], "dbus"): p.Rules = append(p.Rules, newDbusFromLog(log)) default: - fmt.Printf("unknown log type: %s", log["operation"]) + fmt.Printf("unknown log type: %s\n", log["operation"]) } } } diff --git a/pkg/aa/rules.go b/pkg/aa/rules.go index 637412278..8e8ed5d95 100644 --- a/pkg/aa/rules.go +++ b/pkg/aa/rules.go @@ -94,7 +94,7 @@ func (r Rules) Delete(i int) Rules { } func (r Rules) DeleteKind(kind Kind) Rules { - res := make(Rules, 0) + res := make(Rules, 0, len(r)) for _, rule := range r { if rule == nil { continue @@ -106,8 +106,8 @@ func (r Rules) DeleteKind(kind Kind) Rules { return res } -func (r Rules) Filter(filter Kind) Rules { - res := make(Rules, 0) +func (r Rules) FilterOut(filter Kind) Rules { + res := make(Rules, 0, len(r)) for _, rule := range r { if rule == nil { continue 
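Review bot: In the `"mount"` entry of `newLogMap`, `newRule := newLogMountMap[log["operation"]]` followed by `return newRule(log)` calls a nil func and panics on any non-remount mount operation the map does not list; only the `mount` key is visible before the literal runs past this hunk, so I cannot tell how wide that gap is. Use the two-value form, `if newRule, ok := newLogMountMap[log["operation"]]; ok { return newRule(log) }`, and fall through to `return nil` (or the unknown-type report `AddRule` already has) so an unexpected audit line degrades to a skipped rule instead of crashing `aa-log`.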
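Review bot: `fmt.Printf("unknown log type: %s\n", log["operation"])` in `AddRule` writes the diagnostic to stdout, where it is interleaved with the generated rules that `aa-log --rules` prints and can end up pasted into a profile. Send it to stderr, `fmt.Fprintf(os.Stderr, "unknown log type: class=%q operation=%q\n", log["class"], log["operation"])`, or through the project's logging helper, and include the class since the dispatch keys on both. `AddRule` begins before this hunk.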
@@ -119,8 +119,21 @@ func (r Rules) Filter(filter Kind) Rules { return res } +func (r Rules) Filter(filter Kind) Rules { + res := make(Rules, 0, len(r)) + for _, rule := range r { + if rule == nil { + continue + } + if rule.Kind() == filter { + res = append(res, rule) + } + } + return res +} + func (r Rules) GetVariables() []*Variable { - res := make([]*Variable, 0) + res := make([]*Variable, 0, len(r)) for _, rule := range r { switch rule := rule.(type) { case *Variable: @@ -131,7 +144,7 @@ func (r Rules) GetVariables() []*Variable { } func (r Rules) GetIncludes() []*Include { - res := make([]*Include, 0) + res := make([]*Include, 0, len(r)) for _, rule := range r { switch rule := rule.(type) { case *Include: @@ -247,3 +260,20 @@ func (r Rules) Format() Rules { r.setPaddings(paddingsIndex, paddingsMaxLen) return r } + +// ParaRules is a slice of Rules grouped by paragraph +type ParaRules []Rules + +func (r ParaRules) Flatten() Rules { + totalLen := 0 + for i := range r { + totalLen += len(r[i]) + } + + res := make(Rules, 0, totalLen) + for i := range r { + res = append(res, r[i]...) + } + + return res +} diff --git a/pkg/aa/template.go b/pkg/aa/template.go index 18f07bc2e..92c10b46e 100644 --- a/pkg/aa/template.go +++ b/pkg/aa/template.go @@ -138,7 +138,7 @@ var ( // The order AARE should be sorted stringAlphabet = []byte( - "!\"#$%&'*(){}[]+,-./:;<=>?@\\^_`|~0123456789abcdefghijklmnopqrstuvwxyz", + "!\"#$%&'*(){}[]@+,-./:;<=>?\\^_`|~0123456789abcdefghijklmnopqrstuvwxyz", ) stringWeights = generateWeights(stringAlphabet) @@ -232,11 +232,11 @@ func cjoin(i any) string { } } -func kindOf(i any) string { +func kindOf(i Rule) string { if i == nil { return "" } - return i.(Rule).Kind().String() + return i.Kind().String() } func setindent(i string) string { From 00d6a664eb11eedf8bee418174cd85dad4bd2cc4 Mon Sep 17 00:00:00 2001 
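Review bot: Reusing the name `Filter` for a method with the opposite meaning of the old `Filter` (renamed to `FilterOut` in the previous hunk) is a trap: the signature is unchanged, so any caller not updated in the same change keeps compiling and silently receives only the rules of `filter` instead of everything but them. Either give the new method a distinct name such as `Only(kind Kind)`, or at least state the direction in doc comments: `// Filter returns only the rules of the given kind.` and `// FilterOut returns all rules except those of the given kind.`. Grep for the old call sites before merging.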
From: Alexandre Pujol Date: Thu, 26 Sep 2024 22:25:24 +0100 Subject: [PATCH 194/315] feat(aa-log): improve logs cleaning and varible resolution. --- cmd/aa-log/main.go | 4 ++-- cmd/aa/main.go | 11 +++++----- pkg/logs/loggers_test.go | 6 +++--- pkg/logs/logs.go | 46 +++++++++++++++++++++++----------------- pkg/logs/logs_test.go | 12 +++++------ 5 files changed, 44 insertions(+), 35 deletions(-) diff --git a/cmd/aa-log/main.go b/cmd/aa-log/main.go index 184e6d118..f7c484fd7 100644 --- a/cmd/aa-log/main.go +++ b/cmd/aa-log/main.go @@ -17,7 +17,7 @@ import ( const usage = `aa-log [-h] [--systemd] [--file file] [--rules | --raw] [profile] - Review AppArmor generated messages in a colorful way. Supports logs from + Review AppArmor generated messages in a colorful way. It supports logs from auditd, systemd, syslog as well as dbus session events. It can be given an optional profile name to filter the output with. @@ -64,7 +64,7 @@ func aaLog(logger string, path string, profile string) error { return nil } - aaLogs := logs.NewApparmorLogs(file, profile) + aaLogs := logs.New(file, profile) if rules { profiles := aaLogs.ParseToProfiles() for _, p := range profiles { diff --git a/cmd/aa/main.go b/cmd/aa/main.go index ec64e8cfd..d5bc10d59 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -76,10 +76,10 @@ func getIndentationLevel(input string) int { return level } -func parse(kind kind, profile string) ([]aa.Rules, []string, error) { +func parse(kind kind, profile string) (aa.ParaRules, []string, error) { var raw string paragraphs := []string{} - rulesByParagraph := []aa.Rules{} + rulesByParagraph := aa.ParaRules{} switch kind { case isTunable, isProfile: 
@@ -110,9 +110,6 @@ func formatFile(kind kind, profile string) (string, error) { return "", err } for idx, rules := range rulesByParagraph { - if err := rules.Validate(); err != nil { - return "", err - } aa.IndentationLevel = getIndentationLevel(paragraphs[idx]) rules = rules.Merge().Sort().Format() profile = strings.Replace(profile, paragraphs[idx], rules.String()+"\n", -1) @@ -202,8 +199,12 @@ func main() { logging.Fatal("%s", err.Error()) } err = aaFormat(files) + case tree: err = aaTree() + + default: + flag.Usage() } if err != nil { diff --git a/pkg/logs/loggers_test.go b/pkg/logs/loggers_test.go index 15fa1fbc8..d1a485344 100644 --- a/pkg/logs/loggers_test.go +++ b/pkg/logs/loggers_test.go @@ -30,7 +30,7 @@ func TestGetJournalctlLogs(t *testing.T) { "apparmor": "ALLOWED", "label": "gsd-xsettings", "operation": "dbus_method_call", - "name": ":*", + "name": "@{busname}", "mask": "receive", "bus": "session", "path": "/org/gtk/Settings", @@ -50,8 +50,8 @@ func TestGetJournalctlLogs(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { reader, _ := GetJournalctlLogs(tt.path, tt.useFile) - if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + if got := New(reader, tt.name); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) } }) } diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 587e0b7b7..67197e53c 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -28,11 +28,14 @@ const ( boldYellow = "\033[1;33m" ) +const ( + h = `[0-9a-fA-F]` + d = `[0-9]` +) + var ( quoted bool isAppArmorLogTemplate = regexp.MustCompile(`apparmor=("DENIED"|"ALLOWED"|"AUDIT")`) - _hex = `[0-9a-fA-F]` - _int = `[0-9]` regCleanLogs = util.ToRegexRepl([]string{ // Clean apparmor log file `.*apparmor="`, `apparmor="`, 
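Review bot: Dropping `rules.Validate()` from `formatFile` means `aa format` now rewrites a profile in place without checking the parsed rules, so a malformed rule is silently reformatted rather than reported. If the call was removed because the new `File.Validate` rejects incomplete rules, the fix belongs in the validator (or validate after `Merge()`), not in skipping validation: `if err := rules.Validate(); err != nil { return "", fmt.Errorf("paragraph %d: %w", idx, err) }`. `formatFile` starts before this hunk.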
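Review bot: `h` and `d` are now package-level constants with one-letter names, the opposite of Go's short-name-for-short-scope convention, and they make the replacement table that follows unreadable out of context (`strings.Repeat(h, 8)`). The previous `_hex`/`_int` at least said what they were; `hexDigit`/`decDigit` keep the table compact and self-describing, and a single-letter package identifier is also easy to shadow by accident inside any function in the package.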
@@ -61,40 +64,45 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables - `/usr/(lib|lib32|lib64|libexec)`, `@{lib}`, + `/usr/lib(32|64|exec)`, `@{lib}`, + `/usr/lib`, `@{lib}`, `/usr/(bin|sbin)`, `@{bin}`, - `x86_64-pc-linux-gnu[^/]?`, `@{multiarch}`, + `(x86_64|amd64|i386|i686)`, `@{arch}`, + `@{arch}-*linux-gnu[^/]?`, `@{multiarch}`, `/usr/etc/`, `@{etc_ro}/`, `/var/run/`, `@{run}/`, `/run/`, `@{run}/`, `user/[0-9]*/`, `user/@{uid}/`, `/tmp/user/@{uid}/`, `@{tmp}/`, `/proc/`, `@{PROC}/`, + `@{PROC}/1/`, `@{PROC}/one/`, // Go does not support lookahead assertions like (?!1\b)d+, so we have to use a workaround `@{PROC}/[0-9]*/`, `@{PROC}/@{pid}/`, + `@{PROC}/one/`, `@{PROC}/1/`, `@{PROC}/@{pid}/task/[0-9]*/`, `@{PROC}/@{pid}/task/@{tid}/`, `/sys/`, `@{sys}/`, `@{PROC}@{sys}/`, `@{PROC}/sys/`, - `pci` + strings.Repeat(_hex, 4) + `:` + strings.Repeat(_hex, 2), `@{pci_bus}`, + `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `@{pci_bus}/[0-9a-f:*./]*`, `@{pci}/`, `1000`, `@{uid}`, // Some system glob - `:1.[0-9]*`, `:*`, // dbus peer name + `:not.active.yet`, `@{busname}`, // dbus unique bus name + `:1.[0-9]*`, `@{busname}`, // dbus unique bus name `@{bin}/(|ba|da)sh`, `@{sh_path}`, // collect all shell `@{lib}/modules/[^/]+\/`, `@{lib}/modules/*/`, // strip kernel version numbers from kernel module accesses // int, hex, uuid - strings.Repeat(_hex, 8) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 4) + `[-_]` + strings.Repeat(_hex, 12), `@{uuid}`, - strings.Repeat(_int, 64), `@{int64}`, - strings.Repeat(_hex, 64), `@{hex64}`, - strings.Repeat(_hex, 38), `@{hex38}`, - strings.Repeat(_int, 32), `@{int32}`, - strings.Repeat(_hex, 32), `@{hex32}`, - strings.Repeat(_int, 16), `@{int16}`, - strings.Repeat(_hex, 16), `@{hex16}`, - strings.Repeat(_int, 10), `@{int10}`, - strings.Repeat(_int, 8), `@{int8}`, - strings.Repeat(_int, 6), `@{int6}`, + strings.Repeat(h, 8) + `[-_]` + 
strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 4) + `[-_]` + strings.Repeat(h, 12), `@{uuid}`, + strings.Repeat(d, 64), `@{int64}`, + strings.Repeat(h, 64), `@{hex64}`, + strings.Repeat(h, 38), `@{hex38}`, + strings.Repeat(d, 32), `@{int32}`, + strings.Repeat(h, 32), `@{hex32}`, + strings.Repeat(d, 16), `@{int16}`, + strings.Repeat(h, 16), `@{hex16}`, + strings.Repeat(d, 10), `@{int10}`, + strings.Repeat(d, 8), `@{int8}`, + strings.Repeat(d, 6), `@{int6}`, }) ) @@ -117,8 +125,8 @@ func toQuote(str string) string { return str } -// NewApparmorLogs return a new ApparmorLogs list of map from a log file -func NewApparmorLogs(file io.Reader, profile string) AppArmorLogs { +// New returns a new ApparmorLogs list of map from a log file +func New(file io.Reader, profile string) AppArmorLogs { logs := GetApparmorLogs(file, profile) // Parse log into ApparmorLog struct diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index cc4b93ed9..c70909dcb 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -174,14 +174,14 @@ func TestAppArmorEvents(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file := strings.NewReader(tt.event) - if got := NewApparmorLogs(file, ""); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + if got := New(file, ""); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) } }) } } -func TestNewApparmorLogs(t *testing.T) { +func TestNew(t *testing.T) { tests := []struct { name string path string @@ -208,7 +208,7 @@ func TestNewApparmorLogs(t *testing.T) { "apparmor": "DENIED", "profile": "dnsmasq", "operation": "open", - "name": "@{PROC}/@{pid}/environ", + "name": "@{PROC}/1/environ", "comm": "dnsmasq", "requested_mask": "r", "denied_mask": "r", 
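Review bot: The multiarch rewrite regresses for the triplet the old rule handled: `(x86_64|amd64|i386|i686)` first becomes `@{arch}`, but the follow-up pattern `@{arch}-*linux-gnu[^/]?` uses `-*` (zero or more dashes), so `x86_64-pc-linux-gnu` now ends up as `@{arch}-pc-linux-gnu` instead of `@{multiarch}`; `@{arch}-([a-z]+-)?linux-gnu[^/]?` covers both forms. The new arch rule is also unanchored, so any file name containing `amd64` or `i386` (package names, firmware blobs) is rewritten too; anchoring it as `/(x86_64|amd64|i386|i686)-` limits it to triplets. The pre-existing `1000` → `@{uid}` line has the same unanchored problem for any other number containing 1000.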
@@ -251,8 +251,8 @@ func TestNewApparmorLogs(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { file, _ := os.Open(tt.path) - if got := NewApparmorLogs(file, tt.name); !reflect.DeepEqual(got, tt.want) { - t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want) + if got := New(file, tt.name); !reflect.DeepEqual(got, tt.want) { + t.Errorf("New() = %v, want %v", got, tt.want) } }) } From e1f665aec1e02897d75665c87ebaec0e9d9aaae9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 26 Sep 2024 22:53:02 +0100 Subject: [PATCH 195/315] fix(go): updated function name. --- tests/integration/suite.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/suite.go b/tests/integration/suite.go index abb08cfdf..26ef24994 100644 --- a/tests/integration/suite.go +++ b/tests/integration/suite.go @@ -101,7 +101,7 @@ func (t *TestSuite) ReadSettings(path *paths.Path) error { // Results returns a sum up of the apparmor logs raised by the scenarios func (t *TestSuite) Results() string { file, _ := logs.GetAuditLogs(logs.LogFiles[0]) - aaLogs := logs.NewApparmorLogs(file, "") + aaLogs := logs.New(file, "") return aaLogs.String() } From a8c18f9b9418ac42922eee1e31b1e3c9f791c1dc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Sep 2024 12:20:48 +0100 Subject: [PATCH 196/315] test(aa-log): update tests to the last changes. --- pkg/aa/file.go | 8 +++++- pkg/aa/parse.go | 10 ++++---- pkg/aa/parse_test.go | 12 ++++----- pkg/aa/rule_test.go | 61 +++++++++++++++++++++++--------------------- 4 files changed, 50 insertions(+), 41 deletions(-) diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 549ff66de..14ade6997 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go 
@@ -118,14 +118,20 @@ func (r *File) String() string { } func (r *File) Validate() error { + if r.Path == "" && r.Target == "" && len(r.Access) == 0 { + return nil // rule: `file` or `owner file` + } if !isAARE(r.Path) { return fmt.Errorf("'%s' is not a valid AARE", r.Path) } + if len(r.Access) == 0 { + return fmt.Errorf("missing file access") + } for _, v := range r.Access { if v == "" { continue } - if !slices.Contains(requirements[r.Kind()]["access"], v) || + if !slices.Contains(requirements[r.Kind()]["access"], v) && !slices.Contains(requirements[r.Kind()]["transition"], v) { return fmt.Errorf("invalid mode '%s'", v) } diff --git a/pkg/aa/parse.go b/pkg/aa/parse.go index b7fb52835..ef8a7acd9 100644 --- a/pkg/aa/parse.go +++ b/pkg/aa/parse.go @@ -187,11 +187,11 @@ func parseParagraph(input string) (Rules, error) { } res = append(res, rrr...) - for _, r := range res { - if r.Constraint() == PreambleRule { - return nil, fmt.Errorf("Rule not allowed in block: %s", r) - } - } + // for _, r := range res { + // if r.Constraint() == PreambleRule { + // return nil, fmt.Errorf("Rule not allowed in block: %s", r) + // } + // } return res, nil } diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 9cc011f38..8b54487ff 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -843,7 +843,7 @@ var ( raw string apparmor *AppArmorProfileFile wParseErr bool - wRules []Rules + wRules ParaRules wParseRulesErr bool }{ { @@ -851,7 +851,7 @@ var ( raw: "", apparmor: &AppArmorProfileFile{}, wParseErr: false, - wRules: []Rules{}, + wRules: ParaRules{}, wParseRulesErr: false, }, { @@ -875,7 +875,7 @@ var ( }, }, wParseErr: false, - wRules: []Rules{}, + wRules: ParaRules{}, wParseRulesErr: false, }, { @@ -914,7 +914,7 @@ var ( }, }, wParseErr: false, - wRules: []Rules{}, + wRules: ParaRules{}, wParseRulesErr: false, }, { 
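Review bot: The new `len(r.Access) == 0` guard in `File.Validate` does not catch `Access: []string{""}`, which the loop below then skips via `if v == "" { continue }`, so a rule whose only modes are empty strings still validates and is rendered with no access. Count the non-empty entries instead, e.g. `if len(slices.DeleteFunc(slices.Clone(r.Access), func(s string) bool { return s == "" })) == 0 { return fmt.Errorf("missing file access") }`, or strip empties when the rule is built so the guard can stay simple.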
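Review bot: The `PreambleRule` check in `parseParagraph` is commented out rather than removed or fixed, which leaves dead code and drops the one guard that rejected preamble-only rules appearing inside a profile block; a misplaced rule now parses cleanly and only fails later in apparmor_parser, if at all. If the check misfires on some input, say which in a comment and gate it, `// TODO: re-enable once <case> is classified correctly`; otherwise delete the block, since the history is in git.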
@@ -943,7 +943,7 @@ var ( }, }, wParseErr: false, - wRules: []Rules{ + wRules: ParaRules{ { &Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, @@ -1050,7 +1050,7 @@ var ( }, }, wParseErr: false, - wRules: []Rules{ + wRules: ParaRules{ { &Include{IsMagic: true, Path: "abstractions/base"}, &Include{IsMagic: true, Path: "abstractions/nameservice-strict"}, diff --git a/pkg/aa/rule_test.go b/pkg/aa/rule_test.go index 77e05e320..ee50532a9 100644 --- a/pkg/aa/rule_test.go +++ b/pkg/aa/rule_test.go @@ -124,7 +124,7 @@ var ( wString: "include if exists ", }, { - name: "include/abs", + name: "include-abs", rule: &Include{Path: "/usr/share/apparmor.d/", IsMagic: false}, other: &Include{Path: "/usr/share/apparmor.d/", IsMagic: true}, wCompare: -1, @@ -190,7 +190,7 @@ var ( wString: "capability net_admin,", }, { - name: "capability/multi", + name: "capability-multi", rule: &Capability{Names: []string{"dac_override", "dac_read_search"}}, other: capability2, wCompare: -15, @@ -198,7 +198,7 @@ var ( wString: "capability dac_override dac_read_search,", }, { - name: "capability/all", + name: "capability-all", rule: &Capability{}, other: capability2, wCompare: -1, @@ -222,7 +222,7 @@ var ( log: mount1Log, rule: mount1, other: mount2, - wCompare: 38, + wCompare: 37, wMerge: false, wString: "mount fstype=overlay overlay -> /var/lib/docker/overlay2/opaque-bug-check1209538631/merged/, # failed perms check", }, @@ -250,7 +250,7 @@ var ( log: pivotroot1Log, rule: pivotroot1, other: pivotroot2, - wCompare: 7, + wCompare: -5, wMerge: false, wString: "pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,", }, @@ -307,7 +307,7 @@ var ( wString: "signal receive set=kill peer=firefox//&firejail-default,", }, { - name: "ptrace/xdg-document-portal", + name: "ptrace-xdg-document-portal", fromLog: newPtraceFromLog, log: ptrace1Log, rule: ptrace1, 
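Review bot: The updated `wCompare: 37` and `wCompare: -5` pin the exact integer distance returned by `Compare`, which is an artefact of the sort alphabet in template.go — this very series moves `@` in `stringAlphabet`, which is why the numbers changed. Only the sign is a meaningful contract, so the table should record `-1/0/1` and the test compare `cmp.Compare(got, 0)` against it; otherwise every alphabet tweak forces a round of magic-number churn. The loop that consumes `wCompare` is outside this hunk, so the exact assertion shape is not visible here.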
@@ -317,7 +317,7 @@ var ( wString: "ptrace read peer=nautilus,", }, { - name: "ptrace/snap-update-ns.firefox", + name: "ptrace-snap-update-ns.firefox", fromLog: newPtraceFromLog, log: ptrace2Log, rule: ptrace2, @@ -355,7 +355,7 @@ var ( wString: "dbus bind bus=session name=org.gnome.evolution.dataserver.Sources5,", }, { - name: "dbus/bind", + name: "dbus-bind", rule: &Dbus{Access: []string{"bind"}, Bus: "session", Name: "org.gnome.*"}, other: dbus2, wCompare: -39, @@ -381,31 +381,33 @@ var ( wString: "/usr/share/poppler/cMap/Identity-H r,", }, { - name: "file/empty", + name: "file-all", rule: &File{}, other: &File{}, wCompare: 0, wMerge: true, - wString: " ,", + wString: " ,", // FIXME: }, { - name: "file/equal", - rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: 0, - wMerge: true, - wString: "/usr/share/poppler/cMap/Identity-H ,", + name: "file-equal", + rule: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wValidErr: true, + wCompare: 0, + wMerge: true, + wString: "/usr/share/poppler/cMap/Identity-H ,", }, { - name: "file/owner", - rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: 1, - wMerge: false, - wString: "owner /usr/share/poppler/cMap/Identity-H ,", + name: "file-owner", + rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Owner: true}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wCompare: 1, + wValidErr: true, + wMerge: false, + wString: "owner /usr/share/poppler/cMap/Identity-H ,", }, { - name: "file/access", + name: "file-access", rule: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"r"}}, other: &File{Path: "/usr/share/poppler/cMap/Identity-H", Access: []string{"w"}}, wCompare: -5, 
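Review bot: The `file-all` case now expects `wString: " ,"` with an empty `// FIXME:`, i.e. it enshrines output that is not a valid rule without saying what is wrong or who fixes it. Given the new case name, the intended rendering of an empty `File` is presumably `file,`; either make that the expectation and mark the case as known-failing until `String()` is fixed, or spell the comment out: `// FIXME: String() should render an empty File as "file,"`.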
@@ -413,12 +415,13 @@ var ( wString: "/usr/share/poppler/cMap/Identity-H r,", }, { - name: "file/close", - rule: &File{Path: "/usr/share/poppler/cMap/"}, - other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, - wCompare: -10, - wMerge: false, - wString: "/usr/share/poppler/cMap/ ,", + name: "file-close", + rule: &File{Path: "/usr/share/poppler/cMap/"}, + other: &File{Path: "/usr/share/poppler/cMap/Identity-H"}, + wCompare: -10, + wValidErr: true, + wMerge: false, + wString: "/usr/share/poppler/cMap/ ,", }, { name: "link1", From 63888f07a754b66e5558f43967b0e125f7b5bb55 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 27 Sep 2024 14:39:01 +0100 Subject: [PATCH 197/315] fix(profile): flatpak app range. fix #519 --- apparmor.d/abstractions/common/app | 10 +++++----- apparmor.d/profiles-a-f/flatpak-app | 2 -- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 5c8ebd21f..7b6a5fdda 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -54,12 +54,12 @@ @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/** rwl, + owner @{HOME}/ r, owner @{HOME}/.var/app/** rmix, - owner @{HOME}/{,**} rwlk, - owner @{run}/user/@{uid}/{,**} rw, - owner @{user_config_dirs}/** rwkl, - owner @{user_share_dirs}/** rwkl, - owner @{user_games_dirs}/{,**} rm, + owner @{HOME}/** rwlk -> @{HOME}/**, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/** rwlk -> @{run}/user/@{uid}/**, + owner @{user_games_dirs}/** rm, owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**, owner @{tmp}/** rmwk, diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 8f3a15fc6..71ec660d8 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app 
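Review bot: `owner @{HOME}/** rwlk -> @{HOME}/**,` still grants every app using this abstraction read, write and lock over the entire home directory, including `~/.ssh`, `~/.gnupg`, shell rc files and browser profiles; the change tightens link targets and drops `rw` on `@{HOME}/` itself, but does not narrow that. Unless the head of this abstraction (outside the hunk) already pulls in `abstractions/deny-sensitive-home`, adding `include <abstractions/deny-sensitive-home>` next to it would make the flatpak range change a net tightening rather than a reshuffle. `owner @{HOME}/.var/app/** rmix` also grants inherit-execute on anything under the app's private directory, which is expected for flatpak but deserves a one-line comment.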
@@ -92,8 +92,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) { owner @{run}/flatpak/doc/** rw, owner @{run}/ld-so-cache-dir/* rw, owner @{run}/user/ r, - owner @{run}/user/@{uid}/*.kioworker.socket r, - owner @{run}/user/@{uid}/#@{int} rwl, include if exists include if exists From 21e8456383c03ade4229888775a576216785da1c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 17:29:49 +0100 Subject: [PATCH 198/315] feat(abs): general improvment. --- apparmor.d/abstractions/app-open | 4 +- apparmor.d/abstractions/app/kmod | 8 +++- apparmor.d/abstractions/app/sudo | 1 - apparmor.d/abstractions/base.d/complete | 2 - apparmor.d/abstractions/common/electron | 3 ++ apparmor.d/abstractions/common/gnome | 1 + apparmor.d/abstractions/deny-sensitive-home | 52 +++++++++++++-------- apparmor.d/abstractions/mesa.d/complete | 4 ++ apparmor.d/abstractions/python.d/complete | 11 +++-- 9 files changed, 56 insertions(+), 30 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index c47c7ca69..70f89d866 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -11,8 +11,8 @@ # Sandbox managers @{bin}/bwrap rPUx, @{bin}/firejail rPUx, - @{bin}/flatpak rPUx, - @{bin}/snap rPUx, + @{bin}/flatpak rPx, + @{bin}/snap rPx, # Labeled programs @{archive_viewers_path} rPUx, diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index ae6b1cd78..ae10dbbfc 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -4,7 +4,13 @@ include - @{bin}/kmod mr, + @{bin}/depmod mr, + @{bin}/insmod mr, + @{bin}/kmod mr, + @{bin}/lsmod mr, + @{bin}/modinfo mr, + @{bin}/modprobe mr, + @{bin}/rmmod mr, @{lib}/modprobe.d/ r, @{lib}/modprobe.d/*.conf r, diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 3fa454356..b10c66c68 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo 
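Review bot: Switching `flatpak` and `snap` to `rPx` is the right direction, but `@{bin}/bwrap rPUx` and `@{bin}/firejail rPUx` on the two lines above keep the unconfined fallback for the sandbox launchers a confined app is most likely to exec; if their profiles ship in this set, the same `rPx` applies, otherwise a comment such as `# no profile yet, falls back to unconfined` should state that the fallback is deliberate. Be aware that `rPx` is also a behaviour change: on a system where the flatpak profile is not loaded, launching a flatpak from such an app now fails instead of running unconfined. The kmod hunk is fine; listing the individual tools rather than only `kmod` matches distributions that ship them as separate binaries.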
@@ -57,7 +57,6 @@ @{PROC}/@{pid}/limits r, @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/stat r, - @{PROC}/sys/kernel/ngroups_max r, @{PROC}/sys/kernel/seccomp/actions_avail r, /dev/ r, diff --git a/apparmor.d/abstractions/base.d/complete b/apparmor.d/abstractions/base.d/complete index eef226aec..3e10a94f5 100644 --- a/apparmor.d/abstractions/base.d/complete +++ b/apparmor.d/abstractions/base.d/complete @@ -20,8 +20,6 @@ ptrace (readby) peer=systemd-coredump, - /usr/share/locale/ r, - @{etc_rw}/localtime r, /etc/locale.conf r, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index b39ccc853..9cf480718 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -50,6 +50,7 @@ owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, + owner @{user_config_dirs}/electron-flags.conf r, owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, @@ -87,6 +88,8 @@ owner @{PROC}/@{pid}/task/@{tid}/status r, owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1 + deny @{user_share_dirs}/gvfs-metadata/* r, + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 8fe4d97cd..ced9cb1b1 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -5,6 +5,7 @@ # Minimal set of rules for all gnome based UI application. include + include include include include diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index d8e1fdfb8..1f1047cec 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home 
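Review bot: The added `deny @{user_share_dirs}/gvfs-metadata/* r,` in the electron abstraction carries no comment, so a maintainer cannot tell whether it silences log noise or blocks something sensitive; `# Silence noisy gvfs metadata lookups, not needed by electron apps` — or whatever the real reason is — belongs on the line. It also matters semantically: `deny` wins over any allow an included abstraction adds, so the `include if exists` hook right after it cannot re-enable the path. If the same rule is being copied into several profiles, a shared abstraction would keep the rationale in one place.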
@@ -11,42 +11,56 @@ # The only legitimate use in this project is for file browser and search engine. - deny @{HOME}/.*.bak mrwkl, - deny @{HOME}/.*.swp mrwkl, - deny @{HOME}/.*~ mrwkl, - deny @{HOME}/.*~1~ mrwkl, + # User defined private directories + deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + deny @{user_private_dirs}/{,**} mrxwlk, + + # Files with secret paswords and tokens deny @{HOME}/.*age*{,/{,**}} mrwkl, deny @{HOME}/.*aws*{,/{,**}} mrwkl, deny @{HOME}/.*cert*{,/{,**}} mrwkl, - deny @{HOME}/.*history mrwkl, deny @{HOME}/.*key*{,/{,**}} mrwkl, deny @{HOME}/.*pass*{,/{,**}} mrwkl, deny @{HOME}/.*pki*{,/{,**}} mrwkl, deny @{HOME}/.*private*{,/{,**}} mrwkl, deny @{HOME}/.*secret*{,/{,**}} mrwkl, deny @{HOME}/.*yubi*{,/{,**}} mrwkl, - deny @{HOME}/.fetchmail* mrwkl, - deny @{HOME}/.lesshst* mrwkl, - deny @{HOME}/.mozilla/{,**} mrwkl, - deny @{HOME}/.mutt* mrwkl, - deny @{HOME}/.thunderbird/{,**} mrwkl, - deny @{HOME}/.viminfo* mrwkl, - deny @{HOME}/.wget-hsts mrwkl, + deny @{HOME}/.aws/{,**} mrwkl, + deny @{HOME}/.kde{,4}/share/apps/kwallet/{,**} mrwkl, deny @{HOME}/@{XDG_GPG_DIR}/{,**} mrwkl, deny @{HOME}/@{XDG_SSH_DIR}/{,**} mrwkl, + deny @{run}/user/@{uid}/keyring** mrwkl, deny @{user_config_dirs}/*-store/{,**} mrwkl, - deny @{user_config_dirs}/chromium/{,**} mrwkl, deny @{user_password_store_dirs}/{,**} mrwkl, deny @{user_share_dirs}/kwalletd/{,**} mrwkl, - # User defined private directories - deny @{user_private_dirs}/{,**} mrxwlk, - deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, - deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, + # Privacy violations + deny @{HOME}/.*.bak mrwkl, + deny @{HOME}/.*.swp mrwkl, + deny @{HOME}/.*~ mrwkl, + deny @{HOME}/.*~1~ mrwkl, + deny @{HOME}/.*history mrwkl, + deny @{HOME}/.evolution/{,**} mrwkl, + deny @{HOME}/.fetchmail* mrwkl, + deny @{HOME}/.gnome2_private/{,**} mrwkl, + deny @{HOME}/.gnome2/keyrings/{,**} mrwkl, + deny @{HOME}/.lesshst* mrwkl, + 
deny @{HOME}/.mozilla/{,**} mrwkl, + deny @{HOME}/.mutt** mrwkl, + deny @{HOME}/.thunderbird/{,**} mrwkl, + deny @{HOME}/.viminfo* mrwkl, + deny @{HOME}/.wget-hsts mrwkl, + deny @{user_config_dirs}/chromium/{,**} mrwkl, + deny @{user_config_dirs}/evolution/{,**} mrwkl, # Deny executable mapping in writable space as allowed in abstractions/fonts - deny @{HOME}/.{,cache/}fontconfig/ rw, - deny @{HOME}/.{,cache/}fontconfig/** mrwl, + deny @{HOME}/.{,cache/}fontconfig/ rw, + deny @{HOME}/.{,cache/}fontconfig/** mrwl, + + # special attention to (potentially) executable files + deny @{HOME}/bin wl, + deny @{HOME}/bin/{,**} wl, include if exists diff --git a/apparmor.d/abstractions/mesa.d/complete b/apparmor.d/abstractions/mesa.d/complete index a8b9937bd..8ac3ad7f3 100644 --- a/apparmor.d/abstractions/mesa.d/complete +++ b/apparmor.d/abstractions/mesa.d/complete @@ -5,7 +5,11 @@ # Extra Mesa rules for desktop environments owner @{desktop_cache_dirs}/ w, owner @{desktop_cache_dirs}/mesa_shader_cache_db/ rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/index rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/marker rw, owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/ rw, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rwk, + owner @{desktop_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rwk, owner @{desktop_cache_dirs}/mesa_shader_cache/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/ rw, owner @{desktop_cache_dirs}/mesa_shader_cache/@{hex2}/@{hex38} rw, diff --git a/apparmor.d/abstractions/python.d/complete b/apparmor.d/abstractions/python.d/complete index e6eea6744..9f8d13eb5 100644 --- a/apparmor.d/abstractions/python.d/complete +++ b/apparmor.d/abstractions/python.d/complete 
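Review bot: The new executable-space rules at the end of the hunk cover `@{HOME}/bin` but not `@{HOME}/.local/bin`, the XDG/systemd-documented per-user binary directory that is commonly on PATH, so a confined app could still drop a binary there; add `deny @{HOME}/.local/bin/{,**} wl,` alongside. Separately, `deny @{run}/user/@{uid}/keyring** mrwkl,` has no slash before `**`, so it matches sibling names such as `keyring-*` as well as the whole `keyring/` tree, including the agent socket that the ssh-agent profile on this page addresses as `@{run}/user/@{uid}/keyring/.ssh`; that fits the header comment restricting this abstraction to file browsers and search engines, but is worth stating so nobody includes it in a profile that needs the agent. A comment on the `# special attention to (potentially) executable files` block saying the goal is to prevent writes into directories on the user's PATH would make the intent explicit.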
@@ -4,11 +4,12 @@ # SPDX-License-Identifier: GPL-2.0-only @{bin}/ r, - @{bin}/python{2.[4-7],3,3.[0-9],3.1[0-9]} r, + @{python_path} r, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so} mr, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth} r, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r, - owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r, + owner @{user_lib_dirs}/@{python_name}/ r, + owner @{user_lib_dirs}/@{python_name}/**.{egg,py,pyi,pth} r, + owner @{user_lib_dirs}/@{python_name}/**.{pyc,so} mr, + owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/ r, + owner @{user_lib_dirs}/@{python_name}/{site,dist}-packages/**/ r, # vim:syntax=apparmor From 8730c09b96620e60e14e5554ea5094974ef0c65b Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 1 Oct 2024 17:43:54 +0100 Subject: [PATCH 199/315] feat(profile): general update. --- apparmor.d/groups/browsers/firefox-glxtest | 2 + apparmor.d/groups/browsers/firefox-vaapitest | 1 + apparmor.d/groups/bus/ibus-portal | 1 + apparmor.d/groups/bus/ibus-x11 | 1 + apparmor.d/groups/children/child-open-strict | 4 +- apparmor.d/groups/children/child-pager | 2 +- apparmor.d/groups/freedesktop/cpupower | 1 - .../freedesktop/xdg-desktop-portal-gnome | 1 + apparmor.d/groups/freedesktop/xorg | 9 ++++- apparmor.d/groups/gnome/gdm-generate-config | 9 +---- apparmor.d/groups/gnome/gio-launch-desktop | 2 + apparmor.d/groups/gnome/gnome-clocks | 2 + apparmor.d/groups/gnome/gnome-shell | 10 +++-- apparmor.d/groups/gnome/yelp | 1 + apparmor.d/groups/pacman/makepkg | 9 +++-- .../pacman/pacman-hook-gtk4-querymodules | 1 + apparmor.d/groups/pacman/pacman-key | 5 ++- apparmor.d/groups/pacman/reflector | 3 +- apparmor.d/groups/ssh/ssh-agent | 4 +- apparmor.d/groups/systemd/systemd-sleep | 1 - .../groups/virt/cockpit-certificate-helper | 18 ++++----- apparmor.d/groups/virt/containerd | 5 +-- apparmor.d/groups/virt/dockerd | 37 +++++++++++-------- apparmor.d/profiles-a-f/aa-enforce | 2 +- apparmor.d/profiles-a-f/aa-log | 2 + apparmor.d/profiles-a-f/aa-notify | 10 +++-- apparmor.d/profiles-a-f/chronyd | 3 +- apparmor.d/profiles-a-f/discord | 11 ++++-- apparmor.d/profiles-a-f/element-desktop | 4 +- apparmor.d/profiles-a-f/file-roller | 2 + apparmor.d/profiles-a-f/flatpak | 2 +- .../profiles-a-f/flatpak-session-helper | 2 + apparmor.d/profiles-a-f/foliate | 3 ++ apparmor.d/profiles-g-l/gajim | 14 ++++--- apparmor.d/profiles-g-l/gio-querymodules | 1 + apparmor.d/profiles-g-l/keepassxc | 3 +- apparmor.d/profiles-m-r/ntfs-3g | 19 +++++----- apparmor.d/profiles-m-r/pass | 8 ++-- apparmor.d/profiles-m-r/passwd | 2 +- apparmor.d/profiles-m-r/protonmail | 3 +- apparmor.d/profiles-m-r/rpi-imager | 22 +++-------- .../signal-desktop-chrome-sandbox | 1 - 
apparmor.d/profiles-s-z/snapd | 2 + apparmor.d/profiles-s-z/steam | 12 ++---- apparmor.d/profiles-s-z/steam-game-proton | 1 + apparmor.d/profiles-s-z/steam-runtime | 4 +- .../profiles-s-z/steam-runtime-steam-remote | 2 +- 47 files changed, 146 insertions(+), 118 deletions(-) diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 02bbb92a6..7a63d82e8 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -29,6 +29,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, + include if exists } diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 785a7f547..603b7a5d6 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -25,6 +25,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) { deny @{config_dirs}/firefox/*/.parentlock rw, deny @{config_dirs}/firefox/*/startupCache/** r, deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index 9c779eb72..ea3d7a7a6 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -28,6 +28,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11 index 066adc056..fbb924969 100644 --- a/apparmor.d/groups/bus/ibus-x11 +++ b/apparmor.d/groups/bus/ibus-x11 
@@ -33,6 +33,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, owner @{desktop_config_dirs}/ibus/bus/ r, owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index cea3dc5e0..f5d0d8ca0 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -15,8 +15,8 @@ profile child-open-strict { include include - @{browsers_path} rPx, - @{file_explorers_path} rPx, + @{browsers_path} Px, + @{file_explorers_path} Px, include if exists include if exists diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index 45ac2516a..504a3fb03 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager @@ -14,7 +14,7 @@ abi , include @{exec_path} = @{bin}/pager @{bin}/less @{bin}/more -profile child-pager { +profile child-pager flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower index 58d4f0e84..2022a208c 100644 --- a/apparmor.d/groups/freedesktop/cpupower +++ b/apparmor.d/groups/freedesktop/cpupower @@ -40,7 +40,6 @@ profile cpupower @{exec_path} { /dev/cpu/@{int}/msr r, - profile kmod { include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 02cf99b01..8184ffbdf 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -11,6 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include include include + include include include include diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 5797f27bf..6be9e2126 100644 
--- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -49,7 +49,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/xkbcomp rPx, - @{bin}/pkexec rPx, + @{bin}/pkexec rCx -> pkexec, @{lib}/xorg/ r, @{lib}/xorg/modules/ r, @@ -136,6 +136,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/tty@{int} rw, /dev/vga_arbiter rw, # Graphic card modules + profile pkexec { + include + include + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index db1c43d84..d9e121c41 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -23,7 +23,7 @@ profile gdm-generate-config @{exec_path} { @{sh_path} rix, @{bin}/dconf rix, @{bin}/install rix, - @{bin}/pgrep rCx -> pgrep, + @{bin}/pgrep rix, @{bin}/pkill rix, @{bin}/setpriv rix, @{bin}/setsid rix, @@ -46,13 +46,6 @@ profile gdm-generate-config @{exec_path} { @{PROC}/@{pid}/stat r, @{PROC}/uptime r, - profile pgrep { - include - include - - include if exists - } - include if exists } diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 639b7a144..4e9539968 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -23,6 +23,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { include include include + include + include @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index 5ebd08e5a..d8f77070b 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -13,6 +13,8 @@ profile gnome-clocks @{exec_path} { include include include + include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 04f90e33a..0fd0d1e83 100644 
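Review bot: The new `profile pkexec { ... }` child in xorg replaces the transition to the standalone pkexec profile (`rPx` → `rCx -> pkexec`), so pkexec, a setuid-root helper, now runs with only what the three includes in the child grant; the include targets are not legible in this rendering, so I cannot confirm they carry the exec, capability and polkit rules a confined pkexec normally needs. If the child is meant as a deliberately thin shim, a comment above it such as `# Xorg only needs pkexec for ..., the standalone profile is too broad here` would record why the standalone profile was not reused. The rest of the xorg profile lies outside these hunks.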
--- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -163,6 +163,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { member=Introspect peer=(name=org.freedesktop.DBus, label=dbus-session), + dbus send bus=session path=/org/gnome/*/SearchProvider + interface=org.gnome.Shell.SearchProvider2 + peer=(name=@{busname}), + @{exec_path} mr, @{bin}/unzip rix, @@ -280,7 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} r, + owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/wayland.mozilla.ipc.@{int} rw, /tmp/.X@{int}-lock rw, @@ -343,6 +347,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r, @{PROC}/ r, + @{PROC}/@{pid}/attr/current r, + @{PROC}/@{pid}/cgroup r, @{PROC}/@{pid}/cmdline r, @{PROC}/@{pid}/net/* r, @{PROC}/1/cgroup r, @@ -350,8 +356,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{PROC}/sys/kernel/osrelease r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, @{PROC}/vmstat r, - owner @{PROC}/@{pid}/attr/current r, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index fe9123e5b..e10c0cc22 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/yelp @{bin}/gnome-help profile yelp @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 4ccb1088d..2c72da3b0 100644 --- a/apparmor.d/groups/pacman/makepkg 
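Review bot: Moving `@{PROC}/@{pid}/attr/current r,` and `@{PROC}/@{pid}/cgroup r,` out of the `owner` block (added in the third hunk, removed from the owner group in the fourth) widens them from processes running as the same user to every process on the system, since `@{pid}` matches any pid and `owner` was the only restriction. If gnome-shell only needs the label and cgroup of session processes, keep the `owner` qualifier; if it genuinely inspects system processes, a comment stating which feature reads them would justify the wider rule. The `peer=(name=@{busname})` on the new SearchProvider2 dbus rule depends on how `@{busname}` is defined in the tunables, which is not visible here.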
+++ b/apparmor.d/groups/pacman/makepkg @@ -11,15 +11,15 @@ profile makepkg @{exec_path} { include include - signal send set=winch peer=pacman, - signal send set=winch peer=pacman//systemctl, - network inet stream, network inet6 stream, network inet dgram, network inet6 dgram, network netlink raw, + signal send set=winch peer=pacman, + signal send set=winch peer=pacman//systemctl, + file, @{bin}/gpg{,2} Cx -> gpg, @@ -74,6 +74,9 @@ profile makepkg @{exec_path} { ptrace read, + signal send set=winch peer=pacman, + signal send set=winch peer=pacman//systemctl, + @{bin}/pacman Px, include if exists diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index aae81662b..54a002506 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -9,6 +9,7 @@ include @{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules profile pacman-hook-gtk4-querymodules @{exec_path} { include + include capability dac_read_search, diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index 0375c7863..a8fb360cd 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -65,9 +65,10 @@ profile pacman-key @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat rw, - /dev/pts/@{int} rw, - /dev/tty@{int} rw, + /dev/pts/@{int} rw, + /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector index 7b277fb3e..135a5bdf3 100644 --- a/apparmor.d/groups/pacman/reflector +++ b/apparmor.d/groups/pacman/reflector 
@@ -29,9 +29,10 @@ profile reflector @{exec_path} flags=(attach_disconnected) { /etc/xdg/reflector/reflector.conf r, /etc/pacman.d/mirrorlist rw, - owner @{user_cache_dirs}/mirrorstatus.json rw, /var/cache/reflector/mirrorstatus.json rw, + owner @{user_cache_dirs}/mirrorstatus.json r, + @{PROC}/1/environ r, @{PROC}/cmdline r, @{PROC}/sys/kernel/osrelease r, diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index d6dc90447..174efb5a4 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -25,8 +25,8 @@ profile ssh-agent @{exec_path} { owner @{HOME}/.xsession-errors w, owner @{user_projects_dirs}/**/ssh/{,*} r, - owner @{tmp}/ssh-*/ rw, - owner @{tmp}/ssh-*/agent.* rw, + owner @{tmp}/ssh-@{rand12}/ rw, + owner @{tmp}/ssh-@{rand12}/agent.@{int} rw, owner @{run}/user/@{uid}/keyring/.ssh rw, owner @{run}/user/@{uid}/openssh_agent rw, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a17c13631..a683e3a78 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -31,7 +31,6 @@ profile systemd-sleep @{exec_path} { @{sys}/power/state rw, - include if exists } diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index 042c9cdad..01d23171b 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -13,15 +13,15 @@ profile cockpit-certificate-helper @{exec_path} { @{exec_path} mr, - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/id rix, - @{bin}/mkdir rix, - @{bin}/mv rix, - @{bin}/openssl rix, - @{bin}/rm rix, - @{bin}/sscg rix, - @{bin}/tr rix, + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/id rix, + @{bin}/mkdir rix, + @{bin}/mv rix, + @{bin}/openssl rix, + @{bin}/rm rix, + @{bin}/sscg rix, + @{bin}/tr rix, /etc/machine-id r, /etc/cockpit/ws-certs.d/* w, 
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd index 9ae6596ee..182240228 100644 --- a/apparmor.d/groups/virt/containerd +++ b/apparmor.d/groups/virt/containerd @@ -47,7 +47,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/apparmor_parser rPx, - @{bin}/containerd-shim-runc-v2 rPUx, + @{bin}/containerd-shim-runc-v2 rPx, @{bin}/kmod rPx, @{bin}/unpigz rPUx, /{usr/,}{local/,}{s,}bin/zfs rPx, @@ -71,8 +71,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) { /var/lib/cni/results/cni-loopback-@{uuid}-lo wl, /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl, /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl, - /var/lib/containerd/{,**} rwk, - /var/lib/containerd/tmpmounts/containerd-mount@{int}/** l, + /var/lib/containerd/{,**} rwlk, /var/lib/docker/containerd/{,**} rwk, /var/lib/kubelet/seccomp/{,**} r, /var/lib/security-profiles-operator/{,**} r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 9e17f678b..def1d76b2 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
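Review bot: Folding `/var/lib/containerd/tmpmounts/containerd-mount@{int}/** l,` into `/var/lib/containerd/{,**} rwlk,` (second hunk) extends link permission from the tmpmounts subtree to the whole containerd state directory, which is broader than the previous rule needed. If link creation is only observed under tmpmounts, keeping the narrower `l` rule preserves least privilege; otherwise a short comment on the merged line noting where links are created would help the next reader. The first hunk's `rPUx` → `rPx` for containerd-shim-runc-v2 removes the unconfined fallback, which is the right direction.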
@@ -27,19 +27,22 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { capability sys_ptrace, network inet dgram, - network inet6 dgram, network inet stream, + network inet6 dgram, network inet6 stream, network netlink raw, - mount /tmp/containerd-mount@{int}/, - mount /var/lib/docker/buildkit/**/, - mount /var/lib/docker/overlay2/**/, - mount /var/lib/docker/tmp/buildkit-mount@{int}/, - mount options=(rw, bind) -> /run/docker/netns/*, - mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, - mount options=(rw, rprivate) -> /.pivot_root@{int}/, - mount options=(rw, rslave) -> /, + mount /tmp/containerd-mount@{int}/, + mount /var/lib/docker/buildkit/**/, + mount /var/lib/docker/overlay2/**/, + mount /var/lib/docker/tmp/buildkit-mount@{int}/, + mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/, + mount options=(rw bind) -> /run/docker/netns/*, + mount options=(rw rbind) -> /var/lib/docker/tmp/docker-builder@{int}/, + mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/, + mount options=(rw rprivate) -> /.pivot_root@{int}/, + mount options=(rw rprivate) -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/, + mount options=(rw rslave) -> /, remount /tmp/containerd-mount@{int10}/, remount /var/lib/docker/tmp/buildkit-mount@{int10}/, 
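Review bot: The source of the new volumes bind mount, `mount options=(rw rbind) /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,`, ends in a bare `-` path component, which looks like either a truncated path or a typo; please confirm the intended source, since a wrong pattern silently matches nothing and the denial will persist. The new `mount fstype=overlay overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/,` and the `rprivate` rule on the same tree pair with the pivot_root added in the next hunk, so a comment naming the subsystem they serve (presumably buildkit's rootfs) would tie the three together.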
@@ -48,18 +51,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { umount /run/docker/netns/*, umount /tmp/containerd-mount@{int}/, umount /var/lib/docker/buildkit/**/, + umount /var/lib/docker/rootfs/**/, umount /var/lib/docker/overlay*/**/, umount /var/lib/docker/tmp/buildkit-mount@{int}/, - pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, - pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, + pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, + pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/, + pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, - ptrace (read) peer=docker-*, - ptrace (read) peer=unconfined, + ptrace read peer=docker-*, + ptrace read peer=unconfined, - signal (send) set=int peer=docker-proxy, - signal (send) set=kill peer=docker-*, - signal (send) set=term peer=containerd, + signal send set=int peer=docker-proxy, + signal send set=kill peer=docker-*, + signal send set=term peer=containerd, @{exec_path} mrix, diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 30c03508a..5f00f8386 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -33,7 +33,7 @@ profile aa-enforce @{exec_path} { owner @{tmp}/@{rand8} rw, owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw, - @{PROC}/@{pid}/fd r, + @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log index bfd0b457e..8ad4d1a24 100644 --- a/apparmor.d/profiles-a-f/aa-log +++ b/apparmor.d/profiles-a-f/aa-log @@ -27,6 +27,8 @@ profile aa-log @{exec_path} { /{run,var}/log/journal/ r, /{run,var}/log/journal/@{hex32}/{,*} r, + @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r, + /dev/tty@{int} rw, include if exists 
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify index f2ff96df4..95d24c9e9 100644 --- a/apparmor.d/profiles-a-f/aa-notify +++ b/apparmor.d/profiles-a-f/aa-notify @@ -18,17 +18,19 @@ profile aa-notify @{exec_path} { capability setuid, capability sys_ptrace, - ptrace (read), + ptrace read, @{exec_path} mr, @{bin}/ r, - /etc/apparmor/*.conf r, - /etc/inputrc r, - /usr/etc/inputrc.keys r, /usr/share/terminfo/** r, + @{etc_ro}/inputrc r, + @{etc_ro}/inputrc.keys r, + /etc/apparmor.d/{,**} r, + /etc/apparmor/*.conf r, + /var/log/audit/audit.log r, owner @{HOME}/.inputrc r, diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd index a7d265e29..79fbf8d80 100644 --- a/apparmor.d/profiles-a-f/chronyd +++ b/apparmor.d/profiles-a-f/chronyd @@ -36,7 +36,8 @@ profile chronyd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /etc/adjtime r, - /etc/chrony.* r, + /etc/chrony.conf r, + /etc/chrony.keys r, /etc/chrony.d/{,*} r, /etc/chrony/{,**} r, diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index fc2aadd1c..3ff222b4a 100644 --- a/apparmor.d/profiles-a-f/discord +++ b/apparmor.d/profiles-a-f/discord @@ -38,14 +38,17 @@ profile discord @{exec_path} { @{open_path} rPx -> child-open-strict, + /etc/lsb-release r, + owner @{user_videos_dirs}/{,**} rwl, owner @{user_pictures_dirs}/{,**} rwl, - owner @{tmp}/net-export/ rw, - owner @{tmp}/discord.sock rw, - owner "@{tmp}/Discord Crashes/" rw, + owner @{config_dirs}/@{version}/modules/** m, - audit owner @{config_dirs}/*/modules/** rm, + owner "@{tmp}/Discord Crashes/" rw, + owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw, + owner @{tmp}/discord.sock rw, + owner @{tmp}/net-export/ rw, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index b3cd7e34b..e7d46f1f5 100644 --- a/apparmor.d/profiles-a-f/element-desktop 
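Review bot: Replacing `audit owner @{config_dirs}/*/modules/** rm,` with `owner @{config_dirs}/@{version}/modules/** m,` in the discord hunk drops both the `audit` qualifier and `r` on the one rule that permits executable mappings out of a user-writable directory. Unless another rule grants read on that tree, the open() that precedes mmap will be denied, so `rm` is probably still required; and keeping `audit` on this rule is cheap and gives a log trail whenever Discord loads downloaded native modules. Suggested line: `audit owner @{config_dirs}/@{version}/modules/** rm,`.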
+++ b/apparmor.d/profiles-a-f/element-desktop @@ -32,7 +32,9 @@ profile element-desktop @{exec_path} { @{sh_path} r, @{open_path} rPx -> child-open-strict, - @{bin}/xdg-settings rPx, + + #aa:stack X xdg-settings + @{bin}/xdg-settings rPx -> element-desktop//&xdg-settings, /usr/share/webapps/element/{,**} r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index e82f0d372..8f81ad522 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -38,6 +38,8 @@ profile file-roller @{exec_path} { @{bin}/zstd rix, @{lib}/p7zip/7z rix, + / r, + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index f61879407..d89f8c524 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -95,7 +95,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain /dev/tty rw, /dev/tty@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/* r, + deny owner @{user_share_dirs}/gvfs-metadata/* r, profile gpg { include diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 5f02a2fac..1706f4b21 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -39,6 +39,8 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app, /var/lib/flatpak/app/*/**/@{lib}/** rPx -> flatpak-app, + owner @{user_config_dirs}/mimeapps.list w, + owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw, owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index 8498285d1..3592893e9 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate 
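Review bot: `owner @{user_config_dirs}/mimeapps.list w,` in the flatpak-session-helper hunk lets the helper rewrite the user's default-application associations, which decide what program is launched for a MIME type or URL scheme, so it is a more sensitive grant than the rest of the hunk. A one-line comment naming the flatpak operation that edits this file would make the grant auditable, and if the helper rewrites the file in place it likely needs `rw` rather than `w`; worth confirming against the denial that motivated the rule.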
@@ -24,11 +24,14 @@ profile foliate @{exec_path} flags=(attach_disconnected) { network inet6 stream, network netlink raw, + #aa:dbus own bus=session name=com.github.johnfactotum.Foliate + @{exec_path} mr, @{bin}/bwrap rix, @{bin}/gjs-console rix, @{bin}/xdg-dbus-proxy rix, + @{bin}/speech-dispatcher rPx, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim index 5888743ef..033f082f2 100644 --- a/apparmor.d/profiles-g-l/gajim +++ b/apparmor.d/profiles-g-l/gajim @@ -100,15 +100,16 @@ profile gajim @{exec_path} { @{bin}/{,@{multiarch}-}ld.bfd rix, @{lib}/gcc/@{multiarch}/@{int}/collect2 rix, - owner @{tmp}/cc* rw, - owner @{tmp}/tmp* rw, + /etc/debian_version r, /media/ccache/*/** rw, + owner @{tmp}/cc* rw, + owner @{tmp}/tmp* rw, + owner @{run}/user/@{uid}/ccache-tmp/ rw, - /etc/debian_version r, - + include if exists } profile gpg { @@ -121,8 +122,8 @@ profile gajim @{exec_path} { @{bin}/gpg-agent rix, @{lib}/{,gnupg/}scdaemon rix, - owner @{run}/user/@{uid}/gnupg/d.*/ rw, - owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw, + owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.extra,.browser,.ssh} w, owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, @@ -134,6 +135,7 @@ profile gajim @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/task/@{tid}/comm rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules index 3520ec06e..3f4ef7fed 100644 --- a/apparmor.d/profiles-g-l/gio-querymodules +++ b/apparmor.d/profiles-g-l/gio-querymodules 
@@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gio-querymodules profile gio-querymodules @{exec_path} flags=(attach_disconnected) { include + include capability dac_read_search, capability mknod, diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc index 96c9b6d25..c494e16d5 100644 --- a/apparmor.d/profiles-g-l/keepassxc +++ b/apparmor.d/profiles-g-l/keepassxc @@ -18,7 +18,6 @@ profile keepassxc @{exec_path} { include include include - include include include include @@ -93,7 +92,7 @@ profile keepassxc @{exec_path} { /dev/shm/#@{int} rw, /dev/tty rw, - /dev/urandom rw, + /dev/urandom w, owner /dev/tty@{int} rw, # Silencer diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index a7a580c41..bc2cb7ef3 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -22,15 +22,6 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { capability setuid, capability sys_admin, - @{exec_path} mr, - - @{bin}/kmod rPx, # To load the fuse kernel module - - # Mount points - @{MOUNTDIRS}/ r, - @{MOUNTS}/ r, - @{MOUNTS}/*/ r, - # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS}, mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/, @@ -47,12 +38,22 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) { umount @{MOUNTS}/, umount @{MOUNTS}/*/, + @{exec_path} mr, + + @{bin}/kmod rPx, # To load the fuse kernel module + + # Mount points + @{MOUNTDIRS}/ r, + @{MOUNTS}/ r, + @{MOUNTS}/*/ r, + @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/task/@{tid}/status r, @{PROC}/swaps r, owner @{PROC}/@{pid}/mounts r, /dev/fuse rw, + /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index b3c963dde..a5a46ac48 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass 
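Review bot: Narrowing `/dev/urandom rw,` to `/dev/urandom w,` in the second keepassxc hunk removes the explicit read permission a password manager relies on for salts and key material; this is only safe if an included abstraction (typically abstractions/base) still grants `/dev/urandom r`, which cannot be confirmed from this hunk. A comment such as `# r is provided by abstractions/base` on the line would stop a future cleanup from dropping read access by accident.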
@@ -60,7 +60,7 @@ profile pass @{exec_path} { /usr/share/terminfo/** r, owner @{user_password_store_dirs}/{,**} rw, - owner /dev/shm/pass.*/{,*} rw, + owner /dev/shm/pass.@{rand}/{,*} rw, @{sys}/devices/system/node/ r, @@ -90,7 +90,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/{,**/} r, - owner /dev/shm/pass.*/{,*} rw, + owner /dev/shm/pass.@{rand}/{,*} rw, deny owner @{HOME}/ r, @@ -124,7 +124,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature - owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw, + owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw, include if exists } @@ -144,7 +144,7 @@ profile pass @{exec_path} { owner @{user_password_store_dirs}/ rw, owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**, - owner /dev/shm/pass.*/{,*} rw, + owner /dev/shm/pass.@{rand}/* rw, owner @{tmp}/.git_vtag_tmp@{rand6} rw, # For git log --show-signature owner /dev/pts/@{int} rw, diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index f37f5651d..b0e326b2d 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -21,7 +21,7 @@ profile passwd @{exec_path} { capability net_admin, capability setuid, - signal (receive) set=(term, kill) peer=gnome-control-center, + signal receive set=(term kill) peer=gnome-control-center, network netlink raw, diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index f6bc7e4b8..e34722fb9 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 curiosityseeker # SPDX-License-Identifier: GPL-2.0-only 
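Review bot: The fourth pass hunk changes `owner /dev/shm/pass.*/{,*} rw,` to `owner /dev/shm/pass.@{rand}/* rw,` while the three earlier hunks keep the `{,*}` alternative, so this child loses `rw` on the `pass.@{rand}/` directory itself. If it never creates or removes that directory the narrower rule is fine, but the asymmetry looks accidental; either align it with the other three or add a comment stating that only the files inside are touched here.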
@@ -28,7 +29,7 @@ profile protonmail @{exec_path} flags=(complain) { @{exec_path} mrix, @{bin}/xdg-settings Px, - @{open_path} rpx -> child-open, + @{open_path} Px -> child-open, owner @{user_config_dirs}/ibus/bus/ r, diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager index 641217f56..b341bb736 100644 --- a/apparmor.d/profiles-m-r/rpi-imager +++ b/apparmor.d/profiles-m-r/rpi-imager @@ -8,24 +8,17 @@ abi , include @{exec_path} = @{bin}/rpi-imager -profile rpi-imager @{exec_path} { +profile rpi-imager @{exec_path} flags=(complain) { include include + include include - include - include include - include - include - include - include + include include - include - include include include include - include #capability sys_admin, # deny capability sys_nice, @@ -42,18 +35,15 @@ profile rpi-imager @{exec_path} { @{bin}/lsblk rPx, /etc/fstab r, - /etc/X11/cursors/*.theme r, - /usr/share/hwdata/pnp.ids r, - /usr/share/X11/xkb/{,**} r, /etc/machine-id r, /var/lib/dbus/machine-id r, owner "@{user_cache_dirs}/Raspberry Pi/" rw, owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**", - owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw, - owner @{user_cache_dirs}/ rw, - owner @{user_config_dirs}/QtProject.conf r, + + owner "@{user_config_dirs}/Raspberry Pi/" rw, + owner "@{user_config_dirs}/Raspberry Pi/**" rwlk -> "@{user_config_dirs}/Raspberry Pi/**", owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox index 0dc19e1af..10e1de4b3 100644 --- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox +++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox @@ -30,5 +30,4 @@ profile signal-desktop-chrome-sandbox @{exec_path} { include if exists } - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd index 672ae2f7b..ae061b032 100644 
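Review bot: `flags=(complain)` is added directly to the `profile rpi-imager` header, whereas the ufw commit later in this series leaves the header bare and records complain mode in `dists/flags/main.flags`. Setting the flag in the profile bypasses that central list, so a later pass that flips main.flags entries to enforce would not touch this profile and it could stay non-enforcing unnoticed. I'd keep `profile rpi-imager @{exec_path} {` and add `rpi-imager complain` to dists/flags/main.flags instead. The second rpi-imager hunk, which replaces the hard-coded X11/hwdata reads and the `{,**}` config rule with an explicit directory plus `rwlk` link target, is fine.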
--- a/apparmor.d/profiles-s-z/snapd +++ b/apparmor.d/profiles-s-z/snapd @@ -28,6 +28,7 @@ profile snapd @{exec_path} { capability dac_read_search, capability fowner, capability fsetid, + capability mac_admin, capability net_admin, capability setgid, capability setuid, @@ -153,6 +154,7 @@ profile snapd @{exec_path} { @{sys}/fs/cgroup/user.slice/ r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r, @{sys}/kernel/kexec_loaded r, + @{sys}/kernel/security/apparmor/.notify r, @{sys}/kernel/security/apparmor/features/{,**} r, @{sys}/kernel/security/apparmor/profiles r, diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 447ef9f16..b1dd83471 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -247,6 +247,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include include + include include include include @@ -254,6 +255,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability dac_override, capability dac_read_search, capability sys_chroot, @@ -304,12 +306,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner /var/cache/ldconfig/aux-cache* rw, owner /var/pressure-vessel/ldso/* rw, - owner @{HOME}/.pki/ rw, - owner @{HOME}/.pki/nssdb/ rw, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk, - owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw, - owner @{HOME}/.pki/nssdb/pkcs11.txt rw, - owner @{lib_dirs}/.cef-* wk, owner @{share_dirs}/{,**} r, 
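Review bot: `capability mac_admin,` is added to the snapd profile without a comment, and it is the capability that lets the confined process load and replace AppArmor policy, so the reason belongs next to the rule. The second snapd hunk on this line adds `@{sys}/kernel/security/apparmor/.notify r,`, which suggests the prompting/notification listener is the consumer — presumably, but the diff alone does not confirm it. Something like `capability mac_admin, # AppArmor prompting listener via .notify (confirm)` would document it, and if only a helper needs it, a child profile would keep it out of the main snapd profile.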
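Review bot: `capability dac_override,` in the steam hunk `@@ -254,6 +255,7 @@` (and the identical line added to steam-game-proton on the next physical line, `@@ -19,6 +19,7 @@`) removes file-mode and ownership checks for the whole profile, which already holds `dac_read_search` and `sys_chroot`, and no comment says which operation needs it. The practical effect is that a compromised game process can write any path the file rules allow regardless of owner or mode. Put the justification on the rule, e.g. `capability dac_override, # pressure-vessel setup (confirm)`, and if the need is limited to the bwrap/pressure-vessel stage, keeping the capability only in steam-game-proton leaves the launcher profile tighter.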
@@ -320,14 +316,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{tmp}/ r, owner @{tmp}/#@{int} rw, - owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, owner @{tmp}/dumps/ rw, owner @{tmp}/dumps/** rwk, owner @{tmp}/pressure-vessel-*-@{rand6}/ rw, owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**, owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw, - owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, @@ -389,7 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{share_dirs}/ r, - @{PROC}/@{pid}/cgroup r, + @{PROC}/1/cgroup r, include if exists } diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index 8f1939bd1..0facb49ac 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -19,6 +19,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { include include + capability dac_override, capability dac_read_search, network inet dgram, diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime index e0c6b146d..b1fca8df4 100644 --- a/apparmor.d/profiles-s-z/steam-runtime +++ b/apparmor.d/profiles-s-z/steam-runtime 
@@ -41,9 +41,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) { @{app_dirs}/@{runtime}/*entry-point rmix, @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-* rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix, + @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton, @{app_dirs}/@{runtime}/run rix, @{bin}/bwrap rpx -> steam-game-proton, diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote index 1a6dd4063..c962f61ee 100644 --- a/apparmor.d/profiles-s-z/steam-runtime-steam-remote +++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote @@ -18,7 +18,7 @@ profile steam-runtime-steam-remote @{exec_path} flags=(complain) { @{exec_path} mr, - @{runtime_dirs}/** rm, + @{runtime_dirs}/** mr, owner @{HOME}/.steam/steam.pipe rw, From 08a6f8fb0b024f30f1dde5525b7213618a9a4790 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 17:49:43 +0100 Subject: [PATCH 200/315] tests(packer): enable apparmor debug in tests image. --- tests/boxes.yml | 6 +++++- tests/packer/init/archlinux-gnome.user-data.yml | 2 +- tests/packer/init/archlinux-kde.user-data.yml | 2 +- tests/packer/init/archlinux-server.user-data.yml | 2 +- tests/packer/init/init.sh | 10 ++++++++-- tests/packer/init/opensuse-kde.user-data.yml | 6 ++++-- 6 files changed, 20 insertions(+), 8 deletions(-) diff --git a/tests/boxes.yml b/tests/boxes.yml index 9846342c5..edda41096 100644 --- a/tests/boxes.yml +++ b/tests/boxes.yml 
@@ -2,7 +2,7 @@ defaults: uefi: true - ram: '6144' + ram: '4096' cpu: '6' boxes: @@ -14,6 +14,10 @@ boxes: box: aa-archlinux-kde uefi: false + - name: arch-xfce + box: aa-archlinux-xfce + uefi: false + - name: arch-server box: aa-archlinux-server uefi: false diff --git a/tests/packer/init/archlinux-gnome.user-data.yml b/tests/packer/init/archlinux-gnome.user-data.yml index 855bc58ea..c65dfc4dd 100644 --- a/tests/packer/init/archlinux-gnome.user-data.yml +++ b/tests/packer/init/archlinux-gnome.user-data.yml @@ -77,7 +77,7 @@ write_files: - path: /etc/default/grub append: true content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" # Set some bash aliases - path: /etc/skel/.bashrc diff --git a/tests/packer/init/archlinux-kde.user-data.yml b/tests/packer/init/archlinux-kde.user-data.yml index a85ca16d4..97e8ffa7b 100644 --- a/tests/packer/init/archlinux-kde.user-data.yml +++ b/tests/packer/init/archlinux-kde.user-data.yml @@ -79,7 +79,7 @@ write_files: - path: /etc/default/grub append: true content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" # Set some bash aliases - path: /etc/skel/.bashrc diff --git a/tests/packer/init/archlinux-server.user-data.yml b/tests/packer/init/archlinux-server.user-data.yml index 034cd22d6..93fd254a5 100644 --- a/tests/packer/init/archlinux-server.user-data.yml +++ b/tests/packer/init/archlinux-server.user-data.yml 
@@ -56,7 +56,7 @@ write_files: - path: /etc/default/grub append: true content: | - GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" # Set some bash aliases - path: /etc/skel/.bashrc diff --git a/tests/packer/init/init.sh b/tests/packer/init/init.sh index 6a80b1993..df300c0c4 100644 --- a/tests/packer/init/init.sh +++ b/tests/packer/init/init.sh @@ -24,8 +24,13 @@ main() { install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean cat $SRC/parser.conf >>/etc/apparmor/parser.conf chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" + case "$DISTRIBUTION" in - arch) pacman --noconfirm -U $SRC/*.pkg.tar.zst ;; + arch) + pacman --noconfirm -U $SRC/*.pkg.tar.zst + systemctl start apparmor.service + ;; + debian | ubuntu) apt-get update -y apt-get install -y apparmor-profiles build-essential config-package-dev \ @@ -34,8 +39,9 @@ main() { ;; opensuse*) + mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias" zypper install -y bash-completion git go htop make rsync vim - sudo rpm -i $SRC/*.rpm + rpm -i $SRC/*.rpm ;; esac diff --git a/tests/packer/init/opensuse-kde.user-data.yml b/tests/packer/init/opensuse-kde.user-data.yml index 6c1c7cfff..b54bb458e 100644 --- a/tests/packer/init/opensuse-kde.user-data.yml +++ b/tests/packer/init/opensuse-kde.user-data.yml @@ -19,12 +19,14 @@ package_update: true package_upgrade: true package_reboot_if_required: false packages: + - apparmor-profiles - bash-completion + - distribution-release - git - - go + - golang-packaging - htop - make - - rsync + - rpmbuild - vim write_files: From cee1e9a3f2dd85578457a408d52ed773ecc08952 Mon Sep 17 00:00:00 2001 
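Review bot: The added `mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias"` in the opensuse branch has no existence check; if cloud-init did not write the file and the script runs under `set -e` (the top of init.sh is outside this hunk), provisioning aborts on this line. `[ -f "/home/$SUDO_USER/.bash_aliases" ] && mv "/home/$SUDO_USER/.bash_aliases" "/home/$SUDO_USER/.alias"` keeps the intent and is harmless when the file is absent. Dropping the `sudo` before `rpm -i` is consistent with the pacman branch above, which already runs the package install directly.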
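Review bot: The cloud-init package list swaps `go` and `rsync` for `golang-packaging` and `rpmbuild`, but the opensuse branch of init.sh in the same commit still runs `zypper install -y bash-completion git go htop make rsync vim`, so the two sources now disagree about what the image needs. If `go` and `rsync` are still required, keep them here as well rather than relying on the shell script; if they are not, the zypper line should drop them too.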
From: Alexandre Pujol Date: Tue, 1 Oct 2024 18:09:52 +0100 Subject: [PATCH 201/315] fix(profile): nnp in strawberry. fix #538 --- apparmor.d/profiles-s-z/strawberry | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry index 484a4069d..acba17f78 100644 --- a/apparmor.d/profiles-s-z/strawberry +++ b/apparmor.d/profiles-s-z/strawberry @@ -37,7 +37,7 @@ profile strawberry @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{exec_path} mr, - @{bin}/strawberry-tagreader rPx, + @{bin}/strawberry-tagreader rPx -> strawberry//&strawberry-tagreader, @{open_path} rPx -> child-open-help, From 7033a13bc2ec697f81704a20ac90992e6efef4c0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 18:15:51 +0100 Subject: [PATCH 202/315] fix(profile): update ufw. fix #537 --- apparmor.d/profiles-s-z/ufw | 15 ++++++++++++--- dists/flags/main.flags | 1 + 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw index 525e543b9..685eed20a 100644 --- a/apparmor.d/profiles-s-z/ufw +++ b/apparmor.d/profiles-s-z/ufw @@ -16,10 +16,16 @@ profile ufw @{exec_path} { capability dac_read_search, capability net_admin, + capability net_raw, + capability sys_ptrace, - network netlink raw, network inet dgram, + network inet raw, network inet6 dgram, + network inet6 raw, + network netlink raw, + + ptrace read, @{exec_path} mr, @@ -27,14 +33,16 @@ profile ufw @{exec_path} { @{bin}/cat ix, @{bin}/env r, @{bin}/python3.@{int} ix, + @{bin}/sysctl ix, @{bin}/xtables-legacy-multi ix, @{bin}/xtables-nft-multi ix, @{lib}/ufw/ufw-init ix, - /etc/default/ufw r, + /etc/default/ufw rw, /etc/ufw/ rw, /etc/ufw/** rwk, + @{run}/xtables.lock rwk, owner @{run}/ufw.lock rwk, owner @{tmp}/@{word8} rw, 
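Review bot: `capability sys_ptrace,` together with an unrestricted `ptrace read,` is added to ufw with no peer and no comment; combined they let the profile inspect the state of every process on the system, which is far more than a firewall front-end should need. If the trigger is reading other processes' `/proc` entries (the third ufw hunk on the next physical line lists `@{PROC}/@{pid}/fd/ r,` and `@{PROC}/@{pid}/stat r,`), the audit log should show which peer is involved, and `ptrace read` can be restricted to it. At least record the reason inline, e.g. `ptrace read, # ufw inspects … (confirm from audit log)`. The `net_raw` and `inet raw`/`inet6 raw` additions are the expected needs of the iptables backends.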
@@ -45,9 +53,10 @@ profile ufw @{exec_path} { @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/net/ip_tables_names r, @{PROC}/@{pid}/stat r, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, include if exists - } # vim:syntax=apparmor diff --git a/dists/flags/main.flags b/dists/flags/main.flags index 16c616404..e1c8a057a 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -382,6 +382,7 @@ tracker-writeback complain udev-dmi-memory-id complain udisksctl complain udisksd attach_disconnected,complain +ufw complain update-grub complain update-secureboot-policy complain userdbctl complain From b96362d915ae05fe467a686d756a1bc6d82df394 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 18:30:13 +0100 Subject: [PATCH 203/315] fix(profile): add mkinitcpio to create UKI. fix #535 --- apparmor.d/groups/pacman/mkinitcpio | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index b83ea2d3c..0598b5d64 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -24,6 +24,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{coreutils_path} rix, + @{bin}/{m,g,}awk rix, @{bin}/bsdtar rix, @{bin}/fc-match rix, @{bin}/findmnt rPx, @@ -34,6 +35,8 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/ldconfig rix, @{bin}/ldd rix, @{bin}/loadkeys rix, + @{bin}/objcopy rix, + @{bin}/objdump rix, @{bin}/tput rix, @{bin}/xz rix, @{bin}/zcat rix, @@ -45,8 +48,10 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { @{bin}/modprobe rPx, @{bin}/plymouth rPx, @{bin}/plymouth-set-default-theme rPx, + @{bin}/sbctl rPx, @{lib}/initcpio/busybox rix, + @{lib}/initcpio/post/** rix, @{lib}/ld-*.so* rix, /etc/fstab r, 
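Review bot: `@{PROC}/sys/net/ipv{4,6}/** rw,` grants write access to the entire IPv4/IPv6 sysctl tree rather than the handful of keys ufw sets, and the rule carries no comment. The second ufw hunk adds `@{bin}/sysctl ix,`, so the writer is presumably `sysctl` applying `/etc/ufw/sysctl.conf` inside the profile; a comment such as `@{PROC}/sys/net/ipv{4,6}/** rw, # sysctl -p /etc/ufw/sysctl.conf` makes the scope reviewable, and if that key set is stable the rule can be narrowed to those entries. `@{PROC}/sys/kernel/modprobe r,` is read-only and fine.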
@@ -82,15 +87,22 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /boot/initramfs-*.img* rw, /boot/vmlinuz-* r, - # Temp files - owner @{run}/initramfs/{,**} rw, - owner @{run}/mkinitcpio.@{rand6}/{,**} rwl, + /usr/share/systemd/bootctl/** r, + + /etc/kernel/** r, + + /tmp/mkinitcpio.@{rand6} rw, + /tmp/mkinitcpio.@{rand6}.tmp rw, owner @{tmp}/mkinitcpio.@{rand6} rw, owner @{tmp}/mkinitcpio.@{rand6}/{,**} rwl, + owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl, + owner @{run}/initramfs/{,**} rw, + owner @{run}/mkinitcpio.@{rand6}/{,**} rwl, @{sys}/class/block/ r, @{sys}/devices/{,**} r, + @{sys}/firmware/efi/fw_platform_size r, owner @{PROC}/@{pid}/mountinfo r, From bd0f3448cbbc35f35a47dc44d6aaf0c0aceb8bd4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 18:32:39 +0100 Subject: [PATCH 204/315] fix(profile): whereis: allow search in /opt. fix #532 --- apparmor.d/profiles-s-z/whereis | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis index e7bc743a5..4a1293c0a 100644 --- a/apparmor.d/profiles-s-z/whereis +++ b/apparmor.d/profiles-s-z/whereis @@ -27,8 +27,8 @@ profile whereis @{exec_path} { /usr/src/{**,} r, /opt/ r, - /opt/cni/bin/ r, - /opt/containerd/bin/ r, + /opt/**/bin/ r, + /opt/**/lib/ r, @{etc_ro}/ r, From e7620c7517e169fda95d0fc38380b7a1a2928398 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 18:34:45 +0100 Subject: [PATCH 205/315] fix(profile): child-pager: needs file magic fix #533 --- apparmor.d/groups/children/child-pager | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager index 504a3fb03..7170009ae 100644 --- a/apparmor.d/groups/children/child-pager +++ b/apparmor.d/groups/children/child-pager 
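Review bot: The new lines `/tmp/mkinitcpio.@{rand6} rw,` and `/tmp/mkinitcpio.@{rand6}.tmp rw,` use a literal `/tmp` and no `owner`, while the adjacent rules for the same files are written as `owner @{tmp}/mkinitcpio.@{rand6} rw,`. If the non-owner form is deliberate (for instance the temp file is created under a different uid during the UKI build), a comment saying so will stop a later cleanup from folding them back into the owner lines; otherwise they widen what the `owner @{tmp}` rules already grant and can be dropped. The new `owner @{run}/initcpio-tmp/mkinitcpio.@{rand6}/{,**} rwl,` follows the owner pattern correctly.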
@@ -27,6 +27,7 @@ profile child-pager flags=(attach_disconnected) { @{exec_path} mr, @{system_share_dirs}/terminfo/{,**} r, + /usr/share/file/misc/** r, @{HOME}/.lesshst r, From e6b1763bbcc3d6517c28f6a7864dfee2d971cf53 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 18:35:52 +0100 Subject: [PATCH 206/315] fix(profile): nethogs fix 530 --- apparmor.d/profiles-m-r/nethogs | 2 ++ 1 file changed, 2 insertions(+) diff --git a/apparmor.d/profiles-m-r/nethogs b/apparmor.d/profiles-m-r/nethogs index e39e64621..fbdaecaac 100644 --- a/apparmor.d/profiles-m-r/nethogs +++ b/apparmor.d/profiles-m-r/nethogs @@ -24,6 +24,8 @@ profile nethogs @{exec_path} { @{exec_path} mr, + /usr/share/terminfo/** r, + @{PROC}/ r, @{PROC}/@{pids}/fd/ r, @{PROC}/@{pids}/cmdline r, From 30999904e7ac2b2ee8a2c14a4249228441a4d079 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 19:19:16 +0100 Subject: [PATCH 207/315] fix(profile): various fixes fix #528 #527 #518 #517 --- apparmor.d/groups/freedesktop/upowerd | 1 + apparmor.d/groups/freedesktop/xwayland | 1 + apparmor.d/profiles-g-l/libreoffice | 5 +++-- apparmor.d/profiles-m-r/mpv | 4 ++++ 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index aa93e0267..a6032976d 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -34,6 +34,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, + @{run}/udev/data/+serio:* r, # for serial mice @{run}/udev/data/+power_supply* r, @{run}/udev/data/+sound:card@{int} r, # for sound card @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features 
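Review bot: The added `/usr/share/file/misc/** r,` hard-codes `/usr/share` directly under `@{system_share_dirs}/terminfo/{,**} r,`, which uses the repository variable for the same prefix. `@{system_share_dirs}/file/misc/** r,` keeps the profile consistent and covers whatever alternate locations that variable expands to. The nethogs hunk on this same physical line has the same issue with `/usr/share/terminfo/** r,`.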
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index a4f98c096..9b61e7dea 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -11,6 +11,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { include include include + include include signal (receive) set=(term hup) peer=gdm*, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 86efb49a2..1271b8c1a 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -97,8 +97,9 @@ profile libreoffice @{exec_path} { @{sys}/kernel/mm/hugepages/ r, @{sys}/kernel/mm/transparent_hugepage/enabled r, @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r, - owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/**/memory.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r, @{PROC}/cgroups r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv index da5e4715c..d5e6371c3 100644 --- a/apparmor.d/profiles-m-r/mpv +++ b/apparmor.d/profiles-m-r/mpv @@ -76,6 +76,10 @@ profile mpv @{exec_path} { @{sys}/devices/**/input/**/uevent r, @{sys}/devices/**/sound/**/capabilities/* r, @{sys}/devices/**/sound/**/uevent r, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + @{sys}/devices/virtual/dmi/id/board_vendor r, + @{sys}/devices/virtual/dmi/id/product_name r, + @{sys}/devices/virtual/dmi/id/sys_vendor r, /dev/input/event@{int} r, owner /dev/tty@{int} rw, 
From 460ac12bfbf444051906b787309fb844d7be2cc8 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 20:11:03 +0100 Subject: [PATCH 208/315] feat(profile): dbus: Dbus can receive any user files --- apparmor.d/groups/bus/dbus-session | 6 +++++- apparmor.d/groups/bus/dbus-system | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session index af961be6d..1aa90f2c4 100644 --- a/apparmor.d/groups/bus/dbus-session +++ b/apparmor.d/groups/bus/dbus-session @@ -18,6 +18,7 @@ profile dbus-session flags=(attach_disconnected) { include include include + include include network unix stream, @@ -29,7 +30,7 @@ profile dbus-session flags=(attach_disconnected) { signal (send) set=(term hup kill) peer=dconf-service, signal (send) set=(term hup kill) peer=xdg-*, - #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/DBus} + #aa:dbus own bus=session name=org.freedesktop.DBus path=/{,org/freedesktop/{d,D}Bus} @{exec_path} mrix, @@ -49,6 +50,9 @@ profile dbus-session flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, + # Dbus can receive any user files + owner @{HOME}/** r, + owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index d6c92bae1..74853231a 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -15,8 +15,9 @@ include @{exec_path} += @{bin}/dbus-daemon @{lib}/dbus-1{,.0}/dbus-daemon-launch-helper profile dbus-system flags=(attach_disconnected) { include - include include + include + include include capability audit_write, 
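Review bot: `owner @{HOME}/** r,` under `# Dbus can receive any user files` gives the session bus read access to the whole home directory, and the comment does not say why a daemon that only relays messages needs it. If the reason is that file descriptors passed over the bus are revalidated against the receiving profile (which is what the comment seems to mean), state that explicitly, e.g. `# File descriptors passed over the bus are revalidated against this profile, so any user file may be received`. The dbus-system hunk on the next physical line adds the same rule as `@{HOME}/** r,` without `owner`, extending it to every user's home for a daemon running under its own uid; presumably `owner` cannot match there, but that asymmetry needs its own comment, and a `deny` for subtrees that are never legitimately passed would be worth considering.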
@@ -53,6 +54,9 @@ profile dbus-system flags=(attach_disconnected) { @{user_share_dirs}/icc/ r, @{user_share_dirs}/icc/edid-@{hex32}.icc r, + # Dbus can receive any user files + @{HOME}/** r, + @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/notify w, @{run}/systemd/sessions/*.ref rw, From af50944fb5fc933301936420c015f85e3fd79b5f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 20:17:13 +0100 Subject: [PATCH 209/315] feat(profile): general update. --- apparmor.d/groups/gnome/nautilus | 9 ++++++--- apparmor.d/groups/gpg/gpg-connect-agent | 4 ++-- apparmor.d/groups/gvfs/gvfsd-fuse | 2 ++ apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 5 +++-- apparmor.d/groups/ubuntu/apport-gtk | 10 +++++----- apparmor.d/profiles-a-f/dkms | 1 + apparmor.d/profiles-a-f/element-desktop | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-g-l/kernel-install | 1 + apparmor.d/profiles-s-z/speech-dispatcher | 1 + 10 files changed, 23 insertions(+), 14 deletions(-) diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5704fa866..d7736d7a8 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -80,9 +80,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{MOUNTDIRS}/ r, @{MOUNTS}/ r, @{MOUNTS}/** rw, - owner @{HOME}/{,**} rw, - owner @{run}/user/@{uid}/{,**} rw, - owner @{tmp}/{,**} rw, + owner @{HOME}/ r, + owner @{HOME}/** rw, + owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/** rw, + owner @{tmp}/ r, + owner @{tmp}/** rw, # Silence non user's data deny /boot/{,**} r, diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent index 1e257cfc0..9bf2bf897 100644 --- a/apparmor.d/groups/gpg/gpg-connect-agent +++ b/apparmor.d/groups/gpg/gpg-connect-agent @@ -18,8 +18,6 @@ profile gpg-connect-agent @{exec_path} { /etc/inputrc r, - owner @{PROC}/@{pid}/fd/ r, - owner @{run}/user/@{uid}/gnupg/ w, owner @{run}/user/@{uid}/gnupg/d.*/ rw, 
@@ -27,6 +25,8 @@ profile gpg-connect-agent @{exec_path} { owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, owner @{tmp}/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid}, + owner @{PROC}/@{pid}/fd/ r, + include if exists } diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse index 9cd6b77ca..b49ad1d90 100644 --- a/apparmor.d/groups/gvfs/gvfsd-fuse +++ b/apparmor.d/groups/gvfs/gvfsd-fuse @@ -14,6 +14,8 @@ profile gvfsd-fuse @{exec_path} { include include + capability sys_admin, + mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/, unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount), diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index a182b23ca..178cee539 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -37,9 +37,10 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) { / r, /boot/ r, - /boot/vmlinuz-* rw, - /boot/initramfs-*.img rw, + /boot/efi/boot/boot*.efi rw, /boot/initramfs-*-fallback.img rw, + /boot/initramfs-*.img rw, + /boot/vmlinuz-* rw, /dev/tty rw, owner /dev/pts/@{int} rw, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index dddb1f890..f8d2c9973 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -79,12 +79,12 @@ profile apport-gtk @{exec_path} { /var/crash/ rw, owner /var/crash/*.@{uid}.{crash,upload} rw, - @{run}/snapd.socket rw, + @{run}/snapd.socket rw, - /tmp/[a-z0-9]* rw, - /tmp/apport_core_* rw, - /tmp/launchpadlib.cache.[a-z0-9]*/ rw, - /tmp/tmp[a-z0-9]*/{,**} rw, + owner @{tmp}/@{rand8} rw, + owner @{tmp}/apport_core_@{rand8} rw, + owner @{tmp}/launchpadlib.cache.@{rand8}/ rw, + owner @{tmp}/tmp@{rand8}/{,**} rw, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, 
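Review bot: `capability sys_admin,` is added to the main gvfsd-fuse profile with no comment, and it is the broadest capability AppArmor can grant. The surrounding context shows both a `mount fstype={fuse,fuse.*}` rule and a `gvfsd-fuse//fusermount` child label, so the mount is presumably what needs it; if the mount is actually performed by the fusermount child, the capability belongs in that subprofile rather than the parent. At minimum document it: `capability sys_admin, # mount the fuse filesystem (confirm which process)`.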
diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index 4ebe8e464..bfd287741 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -27,6 +27,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{coreutils_path} rix, @{bin}/as rix, + @{bin}/bc rix, @{bin}/gcc rix, @{bin}/getconf rix, @{bin}/kmod rCx -> kmod, diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index e7d46f1f5..a792b7341 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -12,7 +12,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/element-desktop -profile element-desktop @{exec_path} { +profile element-desktop @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index 7d9a5f59e..a400bf9d9 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile freetube @{exec_path} { +profile freetube @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install index 808528ce7..69096fe45 100644 --- a/apparmor.d/profiles-g-l/kernel-install +++ b/apparmor.d/profiles-g-l/kernel-install @@ -25,6 +25,7 @@ profile kernel-install @{exec_path} { @{bin}/chmod rix, @{bin}/basename rix, + @{pager_path} rPx -> child-pager, @{bin}/kmod rCx -> kmod, @{lib}/kernel/install.d/ r, diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher index 7a597ed5d..e2c00e2af 100644 --- a/apparmor.d/profiles-s-z/speech-dispatcher +++ b/apparmor.d/profiles-s-z/speech-dispatcher 
@@ -10,6 +10,7 @@ include profile speech-dispatcher @{exec_path} { include include + include include include From b7434eb91ba19ef74bb79a3d190126af3ad0d0c3 Mon Sep 17 00:00:00 2001 From: odomingao Date: Thu, 26 Sep 2024 12:28:28 -0300 Subject: [PATCH 210/315] Create pokemmo --- apparmor.d/profiles-m-r/pokemmo | 100 ++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 apparmor.d/profiles-m-r/pokemmo diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo new file mode 100644 index 000000000..9219df10c --- /dev/null +++ b/apparmor.d/profiles-m-r/pokemmo 
@@ -0,0 +1,100 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/pokemmo-launcher +profile pokemmo @{exec_path} flags=(attach_disconnected) { + include + include + include # Installer + include + include # Installer + include + include + include + include # Installer + include + + # The installer is a GTK app and requires a few extra abstractions + # GTK/QT/fonts abstractions are unused by the game itself and can + # be removed if this profile is later split into stacked profiles + + network inet dgram, + network inet6 dgram, + network inet stream, + network inet6 stream, + network netlink raw, + + @{exec_path} mr, + + @{coreutils_path} ix, + @{sh_path} ix, + + @{bin}/java ix, + @{bin}/perl ix, + @{bin}/python ix, + @{bin}/python@{int} ix, + @{bin}/python@{int}.@{int} ix, + @{bin}/which ix, + @{lib}/jvm/java-@{int}-openjdk/bin/java ix, + + # Installer + @{bin}/openssl ix, + @{bin}/ps ix, + @{bin}/wget ix, + @{bin}/zenity ix, + @{lib}/jvm/java-@{int}-openjdk/lib/jspawnhelper ix, + + /etc/lsb-release r, # Installer + /etc/java-openjdk/** r, + /etc/timezone r, + /etc/wgetrc r, # Installer + + # Installer + owner @{HOME}/ r, + owner @{HOME}/.java/fonts/** rw, + owner @{HOME}/.wget-hsts rwk, + + owner @{user_config_dirs}/pokemmo/{,**} rw, + owner @{user_share_dirs}/pokemmo/{,**} rw, + + owner /tmp/hsperfdata_user/ rw, + owner /tmp/hsperfdata_user/@{int} rwk, + owner /tmp/libgdxuser/{,**} rw, + owner /tmp/libgdxuser/**/*.so mrw, + owner /tmp/lwjgl_user/{,**} rw, + owner /tmp/lwjgl_user/**/*.so mrwk, + + @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, + + @{PROC}/@{pid}/net/if_inet6 r, + @{PROC}/cgroups r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/coredump_filter rw, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, + + # Installer + @{PROC}/ r, + @{PROC}/uptime r, + @{PROC}/sys/kernel/pid_max r, + owner 
@{PROC}/@{pid}/cmdline r,
+ owner @{PROC}/@{pid}/environ r,
+ owner @{PROC}/@{pid}/fd/ r,
+ owner @{PROC}/@{pid}/stat r,
+
+ /dev/input/ r,
+ /dev/input/event@{int} rw,
+ /dev/input/js@{int} rw,
+
+ /dev/tty rw,
+ owner /dev/tty@{int} rw,
+
+ include if exists
+}
+
+# vim:syntax=apparmor
From 89e39fc501d833e073d33e5b1c664e663e2bf765 Mon Sep 17 00:00:00 2001
From: odomingao
Date: Thu, 26 Sep 2024 12:42:00 -0300
Subject: [PATCH 211/315] Update hyprland
---
 apparmor.d/groups/hyprland/hyprland | 1 +
 1 file changed, 1 insertion(+)
diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland
index 8327c14cd..44bed0cdd 100644
--- a/apparmor.d/groups/hyprland/hyprland
+++ b/apparmor.d/groups/hyprland/hyprland
@@ -12,6 +12,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 
 capability sys_ptrace,
From 507727caa3afa6d8f69ee777c29fad4523540f98 Mon Sep 17 00:00:00 2001
From: odomingao
Date: Thu, 26 Sep 2024 13:39:32 -0300
Subject: [PATCH 212/315] Update pokemmo
---
 apparmor.d/profiles-m-r/pokemmo | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo
index 9219df10c..a6c1e83f7 100644
--- a/apparmor.d/profiles-m-r/pokemmo
+++ b/apparmor.d/profiles-m-r/pokemmo
@@ -32,13 +32,11 @@ profile pokemmo @{exec_path} flags=(attach_disconnected) {
 @{exec_path} mr,
 
 @{coreutils_path} ix,
+ @{python_path} ix,
 @{sh_path} ix,
 
 @{bin}/java ix,
 @{bin}/perl ix,
- @{bin}/python ix,
- @{bin}/python@{int} ix,
- @{bin}/python@{int}.@{int} ix,
 @{bin}/which ix,
 @{lib}/jvm/java-@{int}-openjdk/bin/java ix,
 
From 3ebaf5bb2928994fe550e59b3a78f4651390b5a7 Mon Sep 17 00:00:00 2001
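Review bot: `owner /tmp/hsperfdata_user/ rw,` and `owner /tmp/hsperfdata_user/@{int} rwk,` appear to carry a literal `user` where the JVM names that directory after the account running it (`hsperfdata_<username>`), so unless the account is literally called `user` these rules never match and the intended form is probably `owner /tmp/hsperfdata_@{user}/ rw,` using the `@{user}` tunable. The same literal seems to be baked into `/tmp/libgdxuser/` and `/tmp/lwjgl_user/`, which look like the per-user native-library extraction directories of the game's runtime, so they likely need the same treatment. Those two rules also combine `w` with `m` on `*.so` files under a shared tmp directory; `owner` keeps another local account from planting a library there, but a short comment such as `# the runtime extracts its native libraries here at start-up, hence w+m` would record why writable-and-mappable is required so the exception is not widened later. The `# Installer` markers are useful; grouping every installer rule under one heading would make the split into a stacked profile that the header comment anticipates a mechanical change.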
From: EricLin0509 <143688917+EricLin0509@users.noreply.github.com>
Date: Wed, 2 Oct 2024 04:12:35 +0800
Subject: [PATCH 213/315] Add support for wechat-universal (#540)
* Add support for wechat-universal
* A small fix
---
 apparmor.d/profiles-s-z/wechat-universal | 58 ++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/wechat-universal
diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal
new file mode 100644
index 000000000..e684e157f
--- /dev/null
+++ b/apparmor.d/profiles-s-z/wechat-universal
@@ -0,0 +1,58 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 EricLin
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi ,
+
+include
+
+@{name} = wechat-universal
+@{lib_dirs} = /opt/wechat-universal/
+@{config_dirs} = @{user_config_dirs}/@{name}
+@{cache_dirs} = @{user_cache_dirs}/@{name}
+
+@{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat
+profile wechat-universal @{exec_path} flags=(attach_disconnected) {
+ include
+ include
+ include
+ include
+ include
+ include
+
+ network netlink raw,
+ network netlink dgram,
+ network inet stream,
+ network inet dgram,
+ network inet6 dgram,
+ network inet6 stream,
+
+ @{exec_path} mrix,
+
+ @{sh_path} rix,
+ @{lib}/wechat-universal/common.sh ix,
+ @{bin}/sed ix,
+ @{bin}/ln ix,
+ @{bin}/mkdir ix,
+ @{bin}/lsblk Px,
+ @{bin}/bwrap rix,
+ @{bin}/xdg-user-dir rix,
+ @{lib_dirs}/crashpad_handler ix,
+ @{open_path} rPx -> child-open-strict,
+
+ /etc/lsb-release r,
+
+ owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk,
+ owner @{HOME}/.xwechat/{,**} rwk,
+ owner @{HOME}/.sys1og.conf rw,
+
+ @{run}/systemd/inhibit/@{int}.ref rw,
+ @{run}/utmp r,
+
+ @{PROC}/@{pid}/net/route r,
+
+ /dev/tty rw,
+ /dev/pts/@{int} rw,
+
+ include if exists
+}
From ba186647cd14981e8f31b8954cb9db4dff7f7a34 Mon Sep 17 00:00:00 2001
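Review bot: `@{bin}/bwrap rix,` runs bubblewrap under this profile, so the namespace, mount and pivot_root work it performs is governed by wechat-universal's own rules, and nothing in the hunk grants `mount`, `pivot_root`, `capability` or `userns`; once the profile is enforced that sandbox setup is likely to be denied, and the obvious fix of adding those rules here would hand them to the binary that talks to the network. A child profile, `@{bin}/bwrap rCx -> bwrap,` with the namespace and mount rules scoped inside it, keeps those permissions off the main program. Separately, `@{config_dirs}` and `@{cache_dirs}` are defined at the top but no rule in the hunk references them, so either they are dead or the matching `owner @{config_dirs}/{,**} rw,` and `owner @{cache_dirs}/{,**} rw,` rules were forgotten. `owner @{HOME}/.sys1og.conf rw,` reads like a typo for syslog; if the application really creates a file by that name, a `# sic, file name as created by the application` comment would save the next reader a check.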
From: valoq Date: Tue, 1 Oct 2024 13:39:44 +0200 Subject: [PATCH 214/315] add missing read permissions --- apparmor.d/profiles-a-f/ffmpegthumbnailer | 1 + apparmor.d/profiles-m-r/odt2txt | 1 + apparmor.d/profiles-m-r/pdftotext | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/profiles-a-f/ffmpegthumbnailer b/apparmor.d/profiles-a-f/ffmpegthumbnailer index 5c0d7e2f8..04ecf16cc 100644 --- a/apparmor.d/profiles-a-f/ffmpegthumbnailer +++ b/apparmor.d/profiles-a-f/ffmpegthumbnailer @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/ffmpegthumbnailer profile ffmpegthumbnailer @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/odt2txt b/apparmor.d/profiles-m-r/odt2txt index 0636f6ee8..a2ed448e2 100644 --- a/apparmor.d/profiles-m-r/odt2txt +++ b/apparmor.d/profiles-m-r/odt2txt @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/odt2txt profile odt2txt @{exec_path} { include + include include @{exec_path} mr, diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext index c122cbdcb..417375a79 100644 --- a/apparmor.d/profiles-m-r/pdftotext +++ b/apparmor.d/profiles-m-r/pdftotext @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/pdftotext profile pdftotext @{exec_path} { include + include include @{exec_path} mr, From 86719377a87369adb5aacff7bd7a665dd0fa1f4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 22:26:58 +0100 Subject: [PATCH 215/315] docs: update variable reference page. --- docs/variables.md | 121 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 94 insertions(+), 27 deletions(-) diff --git a/docs/variables.md b/docs/variables.md index 6104e5033..b413e61f2 100644 --- a/docs/variables.md +++ b/docs/variables.md @@ -6,8 +6,10 @@ title: Variables References ### User directories +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | | Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | @@ -31,10 +33,14 @@ title: Variables References | Disk images | `@{XDG_IMG_DIR}` | `images` | | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | +
+ ### Dotfiles +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Cache | ` @{XDG_CACHE_DIR}` | `.cache` | | Config | `@{XDG_CONFIG_DIR}` | `.config` | | Data | `@{XDG_DATA_DIR}` | `.local/share` | @@ -45,26 +51,33 @@ title: Variables References | SSH | `@{XDG_SSH_DIR}` | `.ssh` | | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | -| Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | + +
### Full configuration path +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` | | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` | | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` | | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | -| Build | `@{user_build_dirs}` | `/tmp//build/` | +| Build | `@{user_build_dirs}` | `/tmp/build/` | | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | | Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` | +
+ ### Full user path +
+ | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` | | Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` | @@ -85,39 +98,77 @@ title: Variables References | Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | +
+ ## System variables -!!! warning +!!! danger Do not modify these variables unless you know what you are doing -**Helper variables** +#### Base variables + +
| Description | Name | Default Value(s) | -|-------------|:----:|---------------| -| Integer (up to 10 digits) | `@{int}` | `[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}` | -| Any 6, 8 or 10 characters | `@{rand6}`, `@{rand8}`, `@{rand10}` | | -| Hexadecimal | `@{h}*@{h}` | | -| Universally unique identifier | `@{uuid}` | | -| Current Process id | `@{pid}` | `[0-9]*` | -| Processes ids | `@{pids}` | `[0-9]*` | -| User id | `@{uid}` | `[0-9]*` | -| Thread id | `@{tid}` | `[0-9]*` | -| Single hexadecimal character | `@{h}` | `[0-9a-fA-F]` | +|-------------|------|------------------| +| Any digit | `@{d}` | `[0-9]` | +| Any letter | `@{l}` | `[a-zA-Z]` | | Single alphanumeric character | `@{c}` | `[0-9a-zA-Z]` | -| PCI Devices | `@{pci}` | `@{pci_bus}/**/` | -| PCI Bus | `@{pci_bus}` | `pci@{h}@{h}@{h}@{h}:@{h}@{h}` | -| PCI Id | `@{pci_id}` | `@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}` | +| Word character: matches any letter, digit or underscore. | `@{w}` | `[0-9a-zA-Z_]` | +| Single hexadecimal character | `@{h}` | `[0-9a-fA-F]` | +| Integer up to 10 digits (0-9999999999) | `@{int}` | `@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}` | +| Unsigned integer over 8 bits (0-255) | `@{u8}` | `[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5]` | +| Unsigned integer over 16 bits (0-65535, 5 digits) | `@{u16}` | `@{d}{@{d},}{@{d},}{@{d},}{@{d},}` | +| Hexadecimal up to 64 characters | `@{hex}` | | +| Alphanumeric up to 64 characters | `@{rand}` | | +| Word up to 64 characters | `@{word}` | | -**System Paths** +
+ +#### Basic variables of a given length + +
+ +| Description | Name | +|-------------|------| +| Any x digits characters | `@{int2}` `@{int4}` `@{int6}` `@{int8}` `@{int9}` `@{int10}` `@{int12}` `@{int15}` `@{int16}` `@{int32}` `@{int64}` | +| Any x hexadecimal characters | `@{hex2}` `@{hex4}` `@{hex6}` `@{hex8}` `@{hex9}` `@{hex10}` `@{hex12}` `@{hex15}` `@{hex16}` `@{hex32}` `@{hex38}` `@{hex64}` | +| Any x alphanumeric characters | `@{rand2}` `@{rand4}` `@{rand6}` `@{rand8}` `@{rand9}` `@{rand10}` `@{rand12}` `@{rand15}` `@{rand16}` `@{rand32}` `@{rand64}` | +| Any x word characters | `@{word2}` `@{word4}` `@{word6}` `@{word8}` `@{word9}` `@{word10}` `@{word12}` `@{word15}` `@{word16}` `@{word32}` `@{word64}` | + +
+ +#### System Variables + +
| Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| +| Common architecture names | `@{arch}` | `x86_64 amd64 i386 i686` | +| Dbus unique name | `@{busname}` | `:1.@{u16} :not.active.yet` | +| Universally unique identifier | `@{uuid}` | `@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}` | +| Username valid characters | `@{user}` | `[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}` | +| Group valid characters | `@{group}` | `@{user}` | +| Semantic version | `@{version}` | `@{int}{.@{int},}{.@{int},}{-@{rand},}` | +| Current Process Id | `@{pid}` | `{[1-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9]}` | +| Processes Ids | `@{pids}` | `@{pid}` | +| Thread Id | `@{tid}` | `@{pid}` | +| User Id (equivalent to `@{int}`) | `@{uid}` | `{[0-9],[1-9][0-9],[1-9][0-9][0-9],[1-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9],[1-4][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]}` | + +
+ +#### System Paths + +
+ +| Description | Name | Default Value(s) | +|-------------|------|------------------| | Root Home | `@{HOMEDIRS}` | `/home/` | | Home directories | `@{HOME}` | `@{HOMEDIRS}/*/ /root/` | -| Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/ /mnt/` | -| Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/` | +| Root Mountpoints | `@{MOUNTDIRS}` | `/media/ @{run}/media/@{user}/ /mnt/` | +| Mountpoints directories | `@{MOUNTS}` | `@{MOUNTDIRS}/*/ @{run}/user/@{uid}/gvfs/` | | Bin | `@{bin}` | `/{usr/,}{s,}bin` | | Lib | `@{lib}` | `/{usr/,}lib{,exec,32,64}` | | multi-arch library | `@{multiarch}` | `*-linux-gnu*` | @@ -127,13 +178,29 @@ title: Variables References | System wide share | `@{system_share_dirs}` | `/{usr,usr/local,var/lib/@{flatpak_exports_root}}/share` | | Flatpak export | `@{flatpak_exports_root}` | `{flatpak/exports,flatpak/{app,runtime}/*/*/*/*/export}` | -**Program paths** +
+ +#### System Internal | Description | Name | Default Value(s) | -|-------------|:----:|---------------| +|-------------|------|------------------| +| PCI Devices | `@{pci}` | `@{pci_bus}/**/` | +| PCI Bus | `@{pci_bus}` | `pci@{h}@{h}@{h}@{h}:@{h}@{h}` | +| PCI Id | `@{pci_id}` | `@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h}` | +| HCI devices | `@{hci_id}` | `dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}` | +| Udev data dynamic assignment ranges (234 to 254 then 384 to 511) | `@{dynamic}` | `23[4-9] 24[0-9] 25[0-4] 38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1]` | + +#### Program paths + +
+ +| Description | Name | Default Value(s) | +|-------------|------|------------------| | All the shells | `@{shells}` | `sh zsh bash dash fish rbash ksh tcsh csh` | | Shells path | `@{shells_path}` | `@{bin}/@{shells}` | | Coreutils programs that should not have dedicated profile | `@{coreutils}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L46) | | Coreutils paths | `@{coreutils_path}` | `@{bin}/@{coreutils}` | | Launcher paths | `@{open_path}` | `@{bin}/exo-open @{bin}/xdg-open @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop @{lib}/gio-launch-desktop` | All browser paths | `@{*_path}` | See [tunables/multiarch.d/paths](https://github.com/roddhjav/apparmor.d/blob/c2d88c9bffc626fcf7d9b15b42b50706afb29562/apparmor.d/tunables/multiarch.d/paths#L11) + +
From b51576139b3ed3125aaa3ea4d737a77baac0f00e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 22:53:30 +0100 Subject: [PATCH 216/315] docs: rewrite the configuration section. --- docs/abbreviations.md | 3 + docs/configuration.md | 235 ++++++++++++++++++++++++++++++------------ docs/index.md | 11 +- docs/install.md | 31 ++++-- docs/usage.md | 3 +- mkdocs.yml | 5 +- 6 files changed, 203 insertions(+), 85 deletions(-) create mode 100644 docs/abbreviations.md diff --git a/docs/abbreviations.md b/docs/abbreviations.md new file mode 100644 index 000000000..f99a4f70c --- /dev/null +++ b/docs/abbreviations.md @@ -0,0 +1,3 @@ + +*[MAC]: Mandatory Access Control +*[AppArmor tunables]: AppArmor global variables diff --git a/docs/configuration.md b/docs/configuration.md index e784dcb82..f2f1d3722 100644 --- a/docs/configuration.md +++ b/docs/configuration.md 
@@ -2,107 +2,206 @@ title: Configuration --- -## AppArmor - -As there are a lot of rules, it is recommended to enable caching AppArmor profiles. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`. - -```sh -echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf -echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf -``` - -!!! info - - See [Speed up AppArmor Start] on the Arch Wiki for more information: - [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles - - -## Personal directories +This project is designed in such a way that it is easy to personalize it to fit any system. +It is mostly done by setting personalized XDG like directories in AppArmor tunables. More advanced configuration can be done by adding your own rules in local profile addition. !!! danger - You need to ensure that all personal directories you are using are well-defined XDG directory. You may need to edit these variables to your own settings. + You need to ensure that all personal directories you are using are well-defined XDG directory. You may need to edit these variables to your own settings. -This project is designed in such a way that it is easy to personalize the directories your programs have access by defining a few variables. + This part is vital to ensure that the profiles are correctly configured for your system. It will lead to breakage if not done correctly. -The profiles heavily use the (largely extended) XDG directory variables defined in the **[Variables Reference](variables.md)** page. -??? note "XDG variables overview" +## Personalize Apparmor - See **[Variables Reference](variables.md)** page for more. 
+### Tunables - | Description | Name | Value | - |-------------|:----:|---------| - | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | - | Download | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | - | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | - | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | - | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | - | Music | `@{XDG_MUSIC_DIR}` | `Music` | - | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` | - | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` | - | Books | `@{XDG_BOOKS_DIR}` | `Books` | - | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | - | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` | - | Sync | `@{XDG_SYNC_DIR}` | `Sync` | - | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | - | Vm | `@{XDG_VM_DIR}` | `.vm` - | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | +The profiles heavily use the **largely extended** [XDG directory variables](#xdg-variables). All the variables are list you can append with your own values. -You can personalize these values. +1. First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: + ```sh + sudo mkdir -p /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d + ``` +2. Then create a `local` addition file in it where you define your own personal directories. *Example:* + ```sh + @{XDG_VIDEOS_DIR}+="Films" + @{XDG_MUSIC_DIR}+="Musique" + @{XDG_PICTURES_DIR}+="Images" + @{XDG_BOOKS_DIR}+="BD" "Comics" + @{XDG_PROJECTS_DIR}+="Git" "Papers" + ``` +3. Then restart the AppArmor service to reload the profiles in the kernel: + ```sh + sudo systemctl restart apparmor.service + ``` -First create the directory `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d`: -``` -sudo mkdir /etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d -``` -Then create a `local` addition file in it where you define your own personal -directories. 
Example: -```sh -@{XDG_VIDEOS_DIR}+="Films" -@{XDG_MUSIC_DIR}+="Musique" -@{XDG_PICTURES_DIR}+="Images" -@{XDG_BOOKS_DIR}+="BD" "Comics" -@{XDG_PROJECTS_DIR}+="Git" "Papers" -``` +### Profile Additions -Then restart the AppArmor service to reload the profiles in the kernel: -```sh -sudo systemctl restart apparmor.service -``` +You can extend any profile with your own rules by creating a file in the `/etc/apparmor.d/local/` directory with the name of the profile you want to personalize. -**Examples** +**Example** + +By default, `nautilus` (and any file browser) only allows access to user files. Thus, your cannot browse system files such as `/etc/`, `/srv/`, `/var/`. You can change this behaviour by creating a local profile addition file for `nautilus`: + +1. Create the file `/etc/apparmor.d/local/nautilus` and add the following rules in it: + ```sh + /** r, + ``` + You call also restrict this to specific directories: + ```sh + /etc/** r, + /srv/** r, + /var/** r, + ``` +2. Then restart the AppArmor service to reload the profiles in the kernel: + ```sh + sudo systemctl restart apparmor.service + ``` + +### XDG variables + +Please ensure that all personal directories you are using are well-defined XDG directory defined below. If not, personalize the [variables](#tunables) to your own settings. + +??? quote "**User directories**" + +
+ + | Description | Name | Default Value(s) | + |-------------|------|---------------| + | Desktop | `@{XDG_DESKTOP_DIR}` | `Desktop` | + | Documents | `@{XDG_DOCUMENTS_DIR}` | `Documents` | + | Downloads | `@{XDG_DOWNLOAD_DIR}` | `Downloads` | + | Music | `@{XDG_MUSIC_DIR}` | `Music` | + | Pictures | `@{XDG_PICTURES_DIR}` | `Pictures` | + | Videos | `@{XDG_VIDEOS_DIR}` | `Videos` | + | Screenshots | `@{XDG_SCREENSHOTS_DIR}` | `@{XDG_PICTURES_DIR}/Screenshots` | + | Wallpapers | `@{XDG_WALLPAPERS_DIR}` | `@{XDG_PICTURES_DIR}/Wallpapers` | + | Books | `@{XDG_BOOKS_DIR}` | `Books` | + | Games | `@{XDG_GAMES_DIR}` | `.games` | + | Templates | `@{XDG_TEMPLATES_DIR}` | `Templates` | + | Public | `@{XDG_PUBLICSHARE_DIR}` | `Public` | + | Projects | `@{XDG_PROJECTS_DIR}` | `Projects` | + | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | + | Work | `@{XDG_WORK_DIR}` | `Work` | + | Mail | `@{XDG_MAIL_DIR}` | `Mail .{m,M}ail` | + | Sync | `@{XDG_SYNC_DIR}` | `Sync` | + | Torrents | `@{XDG_TORRENTS_DIR}` | `Torrents` | + | Vm | `@{XDG_VM_DIR}` | `.vm` | + | Vm Shares | `@{XDG_VM_SHARES_DIR}` | `VM_Shares` | + | Disk images | `@{XDG_IMG_DIR}` | `images` | + | Games Studio | `@{XDG_GAMESSTUDIO_DIR}` | `.unity3d` | + +
+ +??? quote "**Dotfiles**" + +
+ + | Description | Name | Default Value(s) | + |-------------|------|------------------| + | Cache | ` @{XDG_CACHE_DIR}` | `.cache` | + | Config | `@{XDG_CONFIG_DIR}` | `.config` | + | Data | `@{XDG_DATA_DIR}` | `.local/share` | + | State | `@{XDG_STATE_DIR}` | `.local/state` | + | Bin | `@{XDG_BIN_DIR}` | `.local/bin` | + | Lib | `@{XDG_LIB_DIR}` | `.local/lib` | + | GPG | `@{XDG_GPG_DIR}` | `.gnupg` | + | SSH | `@{XDG_SSH_DIR}` | `.ssh` | + | Private | `@{XDG_PRIVATE_DIR}` | `.{p,P}rivate {p,P}rivate` | + | Passwords | `@{XDG_PASSWORD_STORE_DIR}` | `.password-store` | + +
+ +??? quote "**Full configuration path**" + +
+ + | Description | Name | Default Value(s) | + |-------------|:----:|---------------| + | Cache | `@{user_cache_dirs}` | `@{HOME}/@{XDG_CACHE_DIR}` | + | Config | `@{user_config_dirs}` | `@{HOME}/@{XDG_CONFIG_DIR}` | + | Bin | `@{user_bin_dirs}` | `@{HOME}/@{XDG_BIN_DIR}` | + | Lib | `@{user_lib_dirs}` | `@{HOME}/@{XDG_LIB_DIR}` | + | Share | `@{user_share_dirs}` | ` @{HOME}/@{XDG_DATA_DIR}` | + | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | + | Build | `@{user_build_dirs}` | `/tmp/build/` | + | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | + +
+ +??? quote "**Full user path**" + +
+ + | Description | Name | Default Value(s) | + |-------------|:----:|---------------| + | Documents | `@{user_documents_dirs}` | `@{HOME}/@{XDG_DOCUMENTS_DIR} @{MOUNTS}/@{XDG_DOCUMENTS_DIR}` | + | Downloads | `@{user_download_dirs}` | `@{HOME}/@{XDG_DOWNLOAD_DIR} @{MOUNTS}/@{XDG_DOWNLOAD_DIR}` | + | Music | `@{user_music_dirs}` | `@{HOME}/@{XDG_MUSIC_DIR} @{MOUNTS}/@{XDG_MUSIC_DIR}` | + | Pictures | `@{user_pictures_dirs}` | `@{HOME}/@{XDG_PICTURES_DIR} @{MOUNTS}/@{XDG_PICTURES_DIR}` | + | Videos | `@{user_videos_dirs}` | `@{HOME}/@{XDG_VIDEOS_DIR} @{MOUNTS}/@{XDG_VIDEOS_DIR}` | + | Books | `@{user_books_dirs}` | `@{HOME}/@{XDG_BOOKS_DIR} @{MOUNTS}/@{XDG_BOOKS_DIR}` | + | Games | `@{user_games_dirs}` | `@{HOME}/@{XDG_GAMES_DIR} @{MOUNTS}/@{XDG_GAMES_DIR}` | + | Private | `@{user_private_dirs}` | `@{HOME}/@{XDG_PRIVATE_DIR} @{MOUNTS}/@{XDG_PRIVATE_DIR}` | + | Passwords | `@{user_password_store_dirs}` | `@{HOME}/@{XDG_PASSWORD_STORE_DIR} @{MOUNTS}/@{XDG_PASSWORD_STORE_DIR}` | + | Work | `@{user_work_dirs}` | `@{HOME}/@{XDG_WORK_DIR} @{MOUNTS}/@{XDG_WORK_DIR}` | + | Mail | `@{user_mail_dirs}` | `@{HOME}/@{XDG_MAIL_DIR} @{MOUNTS}/@{XDG_MAIL_DIR}` | + | Projects | `@{user_projects_dirs}` | `@{HOME}/@{XDG_PROJECTS_DIR} @{MOUNTS}/@{XDG_PROJECTS_DIR}` | + | Public | `@{user_publicshare_dirs}` | `@{HOME}/@{XDG_PUBLICSHARE_DIR} @{MOUNTS}/@{XDG_PUBLICSHARE_DIR}` | + | Templates | `@{user_templates_dirs}` | `@{HOME}/@{XDG_TEMPLATES_DIR} @{MOUNTS}/@{XDG_TEMPLATES_DIR}` | + | Torrents | `@{user_torrents_dirs}` | `@{HOME}/@{XDG_TORRENTS_DIR} @{MOUNTS}/@{XDG_TORRENTS_DIR}` | + | Sync | `@{user_sync_dirs}` | `@{HOME}/@{XDG_SYNC_DIR} @{MOUNTS}/*/@{XDG_SYNC_DIR}` | + | Vm | `@{user_vm_dirs}` | `@{HOME}/@{XDG_VM_DIR} @{MOUNTS}/@{XDG_VM_DIR}` | + | Vm Shares | `@{user_vm_shares}` | `@{HOME}/@{XDG_VM_SHARES_DIR} @{MOUNTS}/@{XDG_VM_SHARES_DIR}` | + | Disk images | `@{user_img_dirs}` | `@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR}` | + +
+ +System variables can also be personalized, they are defined in the **[Variables Reference](variables.md)** page. + + +## Program Personalization + +### Examples + +All profiles use the variables defined above. Therefore, you can personalize them by setting your own values in `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`. - For git support, you may want to add your `GO_PATH` in the `XDG_PROJECTS_DIR`: ```sh @{XDG_PROJECTS_DIR}+="go" ``` + - If you use Keepass, personalize `XDG_PASSWORD_STORE_DIR` with your password directory. Eg: ```sh @{XDG_PASSWORD_STORE_DIR}+="@{HOME}/.keepass/" ``` + - Add pacman integration with your AUR helper. Eg for `yay`: ```sh @{user_pkg_dirs}+=@{user_cache_dirs}/yay/ ``` -## Local profile extensions +### Mountpoints -You can extend any profile with your own rules by creating a file in the `/etc/apparmor.d/local/` directory with the name of your profile. For example, to extend the `foo` profile, create a file `/etc/apparmor.d/local/foo` and add your rules in it. +Common mountpoints are defined in the `@{MOUNTS}` variable. If you mount a disk on a different location, you can add it to the `@{MOUNTS}` variable. **Example** -- `child-open`, a profile that allows other program to open resources (URL, picture, books...) with some predefined GUI application. To allow it to open URLs with Firefox, create the file `/etc/apparmor.d/local/child-open` with: - ```sh - @{bin}/firefox rPx, - ``` +If you mount a disk on `/ssd/`, add the following to `/etc/apparmor.d/tunables/xdg-user-dirs.d/apparmor.d.d/local`: +```sh +@{MOUNT}+=/ssd/ +``` -!!! note + -!!! info +### File browsers - `rPx` allows transition to the Firefox profile. Use `rPUx` to allow transition to an unconfined state if you do not have the profile for a given program. +All supported file browsers (`nautilus`, `dolphin`, `thunar`) are configured to only access user files. 
If you want to allow access to system files, you can create a local profile addition file for the file browser you are using. +### Games -Then, reload the AppArmor rules with `sudo systemctl restart AppArmor`. +In order to not allow access to user data, game profiles use the `@{XDG_GAMESSTUDIO_DIR}` variable. It may needs to be expanded with other game studio directory. The default is `@{XDG_GAMESSTUDIO_DIR}="unity3d"`. + +The `@{XDG_GAMES_DIR}` variable is used to define the game directory such as steam storage directory. If your steam storage is on another drive/mountpoint, you should personalize `@{user_games_dirs}` instead. diff --git a/docs/index.md b/docs/index.md index b57bae7a3..8f5696074 100644 --- a/docs/index.md +++ b/docs/index.md @@ -8,12 +8,11 @@ title: AppArmor.d !!! danger "Help Wanted" - This project is still in its early development. Help is very welcome; - see [Development](development/index.md) + This project is still in its early development. Help is very welcome; see [Development](development/index.md) **AppArmor.d** is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based applications and processes. -**Purpose** +### Purpose - Confine all root processes such as all `systemd` tools, `bluetooth`, `dbus`, `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord` - Confine all Desktop environments @@ -23,7 +22,7 @@ title: AppArmor.d See the [Concepts](concepts.md)' page for more detail on the architecture. -**Goals** +### Goals - Target both desktops and servers - Support for all distributions that support AppArmor: 
@@ -37,13 +36,13 @@ See the [Concepts](concepts.md)' page for more detail on the architecture. - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* - Fully tested *(work in progress)* -**Presentations** +### Presentations Building the largest set of AppArmor profiles: - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))* - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))* -**Chat** +### Chat A development chat is available on https://matrix.to/#/#apparmor.d:matrix.org diff --git a/docs/install.md b/docs/install.md index 5d84331ce..91b0b4ae6 100644 --- a/docs/install.md +++ b/docs/install.md 
@@ -10,13 +10,13 @@ title: Installation Due to the development stage of this project, the default package configuration installs all profiles in **complain** mode. The recommended installation workflow is as-follow: -1. [Install](#installation) *apparmor.d* in the (default) complain mode. -1. Configure [apparmor settings](configuration.md#apparmor) as well as your [personal directories](configuration.md#personal-directories). -1. Ensure you have reloaded the profiles in the kernel: `sudo systemctl restart apparmor.service`. +1. **[Configure AppArmor](#configure-apparmor)** AppArmor for *apparmor.d*. +1. **[Install](#installation)** *apparmor.d* in the (default) complain mode. +1. **[Configure your personal directories](configuration.md)**. 1. Reboot your system. 1. You **must** check for any AppArmor logs with [`aa-log`](usage.md#apparmor-log). -1. [Report](https://apparmor.pujol.io/report/) any raised logs. -1. Use the profiles in complain mode for a while (a week), regularly check for new AppArmor logs. +1. **[Report](https://apparmor.pujol.io/report/)** any raised logs. +1. Use the profiles in *complain* mode for a while (a week), regularly check for new AppArmor logs. 1. Only if there are no logs raised for your daily usage, install it in [enforce mode](enforce.md). 
@@ -30,15 +30,25 @@ An `AppArmor` supported Linux distribution is required. The default profiles and The following desktop environments are supported: - - [x] :material-gnome: Gnome (GDM) - - [x] :simple-kde: KDE (SDDM) - - [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* +- [x] :material-gnome: Gnome (GDM) +- [x] :simple-kde: KDE (SDDM) +- [ ] :simple-xfce: XFCE (Lightdm) *(work in progress)* **Build dependency** * Go >= 1.21 +## Configure AppArmor + +As there are a lot of rules (~80k lines), it is recommended to enable fast caching compression of AppArmor profiles. In `/etc/apparmor/parser.conf`, add `write-cache` and `Optimize=compress-fast`: + +```sh +echo 'write-cache' | sudo tee -a /etc/apparmor/parser.conf +echo 'Optimize=compress-fast' | sudo tee -a /etc/apparmor/parser.conf +``` + + ## Installation === ":material-arch: Archlinux" @@ -115,7 +125,7 @@ The following desktop environments are supported: !!! warning - **Beware**: do not install a `.deb` made for Debian on Ubuntu, the packages are different. + **Beware**: do not install a `.deb` made for Ubuntu on Debian, the packages are different. If your distribution is based on Debian, you may want to manually set the target distribution by exporting `DISTRIBUTION=debian`. @@ -154,6 +164,9 @@ The following desktop environments are supported: So, you can install the additional profiles `wl-copy`, `xclip`, `pass-import`, and `child-pager` if desired. +[Next: Configure your personal directories](configuration.md){ .md-button .md-button--primary } + + ## Uninstallation === ":material-arch: Archlinux" diff --git a/docs/usage.md b/docs/usage.md index 9690733b1..e73439efc 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -24,9 +24,10 @@ apparmor module is loaded. ... 30 processes are in complain mode. ... +0 processes are in prompt mode. +0 processes are in kill mode. 0 processes are unconfined but have a profile defined. 0 processes are in mixed mode. -0 processes are in kill mode. ``` You can also list the current processes alongside with their security profile with: diff --git a/mkdocs.yml b/mkdocs.yml index 404905913..689785a31 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -70,6 +70,7 @@ plugins: - minify: minify_html: true - git-committers: + enabled: !ENV [ENABLED_GIT_REVISION_DATE, true] token: !ENV [MKDOCS_GIT_COMMITTERS_APIKEY] repository: roddhjav/apparmor.d branch: main @@ -116,7 +117,9 @@ markdown_extensions: user: squidfunk repo: mkdocs-material - pymdownx.smartsymbols - - pymdownx.snippets + - pymdownx.snippets: + auto_append: + - docs/abbreviations.md - pymdownx.superfences: custom_fences: - name: mermaid From baad12a75422c7a1a758dd9d0820bc906cf3369c Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 1 Oct 2024 23:00:37 +0100 Subject: [PATCH 217/315] docs: update abstraction page. --- docs/development/abstractions.md | 95 ++++++++++++++++++++++++++++++++ docs/development/dbus.md | 2 +- 2 files changed, 96 insertions(+), 1 deletion(-) diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 1e075e66c..5c6694684 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md 
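Review bot: In the first mkdocs.yml hunk, the switch added under `git-committers:` is read from `ENABLED_GIT_REVISION_DATE`, a name that suggests it controls a revision-date plugin rather than the committers plugin it is attached to. If the same variable is meant to toggle several git-backed plugins at once, a short comment above the line saying so would keep the next reader from "fixing" it, e.g. `# shared switch for all git-backed plugins (disabled on shallow/CI checkouts)`; otherwise a name matching the plugin, such as `enabled: !ENV [ENABLED_GIT_COMMITTERS, true]`, would be clearer. Note also that the default is `true`, so the plugin still runs when `MKDOCS_GIT_COMMITTERS_APIKEY` is unset; whether that degrades gracefully is not visible from this hunk and is worth confirming.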
@@ -43,9 +43,67 @@ A full set of rules for all chromium based browsers. It works as a *function* an If your application requires chromium to run use [`common/chromium`](#commonchromium) or [`common/electron`](#commonelectron) instead. +### **`app/firefox`** + +Similar to `app/chromium` but for Firefox based browsers (and thunderbird). It requires the same *arguments* as `app/chromium`: + + +## Context helper + +These are context helper to be used for in sub profile, they aim at providing a minimal set of rules for a given program. The calling profile only needs to add rules dependant of its use case. + +### **`app/editor`** + +A minimal set of rules for profiles including terminal editor. It is intended to be used in profiles or sub-profiles that need to edit file using the user editor of choice. The following editors are supported: + +- neo vim +- vim +- nano + +```sh + @{editor_path} rCx -> editor, + + profile editor { + include + include + + include if exists _editor> + } +``` + +### **`app/kmod`** + +A minimal set of rules for profiles that need to load kernel modules. It is intended to be used in profiles or sub-profiles that need to load kernel modules for a very specific action: + +```sh + @{bin}/modprobe rCx -> kmod, + + profile kmod { + include + include + + include if exists _kmod> + } +``` + +### **`app/open`** + +Set of rules for `child-open-*` profiles. It should usually not be used directly in a profile. ### **`app/pgrep`** + Minimal set of rules for pgrep/pkill. It is intended to be used in profiles or sub-profiles that need to use `pgrep` or `pkill` for a very specific action: + + ```sh + @{bin}/pgrep rCx -> pgrep, + + profile pgrep { + include + include + + include if exists _pgrep> + } + ``` ### **`app/sudo`** 
@@ -61,6 +119,22 @@ A minimal set of rules for profiles including internal `sudo`. Interactive sudo } ``` + +### **`app/pkexec`** + +A minimal set of rules for profiles including internal `pkexec`. Like `app/sudo`, it should be used in profiles or sub-profiles that need to elevate their privileges using `pkexec` for a very specific action: + +```sh + @{bin}/pkexec rCx -> pkexec, + + profile pkexec { + include + include + + include if exists _pkexec> + } +``` + ### **`app/systemctl`** An alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows: @@ -75,6 +149,20 @@ An alternative solution for [child-systemctl](structure.md#children-profiles), w } ``` +### **`app/udevadm`** + +A minimal set of rules for profiles including internal `udevadm` as read-only. It is intended to be used in profiles or sub-profiles that need to use `udevadm` for a very specific action: + +```sh + @{bin}/udevadm rCx -> udevadm, + + profile udevadm { + include + include + + include if exists _udevadm> + } +``` ## Common Dependencies @@ -207,6 +295,9 @@ Common rules for interactive shell using bash. Common rules for interactive shell using zsh. +### **`fish`** + +Common rules for interactive shell using fish. ## System @@ -222,6 +313,10 @@ Use this abstraction instead of upstream `abstractions/nameservice` as upstream Instead of allowing the run of all software under `@{bin}` or `@{lib}` the purpose of this abstraction is to list all GUI program that can open resources. Ultimately, only sandbox manager program such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. +### **`app-launcher-root`** + +### **`app-launcher-user`** + ## Devices diff --git a/docs/development/dbus.md b/docs/development/dbus.md index c8efda0c5..38e931b88 100644 --- a/docs/development/dbus.md 
+++ b/docs/development/dbus.md @@ -28,7 +28,7 @@ For more access, simply use the [`aa:dbus talk`](#dbus-directive) directive. There is a trade of between security and maintenance to make: -- `aa:dbus talk` will generate less issue as it give full talk access +- `aa:dbus talk` will generate less issue as it gives full talk access - `abstractions/bus/*` will provide more restriction, and possibly more issue. Ideally, these rules should be automatically generated from either the dbus interface documentation or the program call. From 9112c6466dc22968620662e4c6e1220abdf34afb Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Oct 2024 01:08:06 +0100 Subject: [PATCH 218/315] docs: add development workflow. --- docs/abbreviations.md | 2 + docs/configuration.md | 8 +- docs/development/abstractions.md | 3 +- docs/development/guidelines.md | 13 +- docs/development/index.md | 74 +++------- docs/development/install.md | 66 --------- docs/development/integration.md | 4 +- docs/development/internal.md | 203 ++++++++++++++++++++++++++++ docs/development/recommendations.md | 78 +++++++++++ docs/development/structure.md | 133 ------------------ docs/development/workflow.md | 195 ++++++++++++++++++++++++++ docs/full-system-policy.md | 2 +- mkdocs.yml | 8 +- 13 files changed, 514 insertions(+), 275 deletions(-) delete mode 100644 docs/development/install.md create mode 100644 docs/development/internal.md create mode 100644 docs/development/recommendations.md delete mode 100644 docs/development/structure.md create mode 100644 docs/development/workflow.md diff --git a/docs/abbreviations.md b/docs/abbreviations.md index f99a4f70c..32f567afe 100644 --- a/docs/abbreviations.md +++ b/docs/abbreviations.md @@ -1,3 +1,5 @@ *[MAC]: Mandatory Access Control +*[W^X]: Write XOR Execute +*[FSP]: Full System Policy *[AppArmor tunables]: AppArmor global variables diff --git a/docs/configuration.md b/docs/configuration.md index f2f1d3722..e3fbba5ea 100644 --- a/docs/configuration.md 
+++ b/docs/configuration.md @@ -181,9 +181,9 @@ All profiles use the variables defined above. Therefore, you can personalize the @{user_pkg_dirs}+=@{user_cache_dirs}/yay/ ``` -### Mountpoints +### Mount points -Common mountpoints are defined in the `@{MOUNTS}` variable. If you mount a disk on a different location, you can add it to the `@{MOUNTS}` variable. +Common mount points are defined in the `@{MOUNTS}` variable. If you mount a disk on a different location, you can add it to the `@{MOUNTS}` variable. **Example** @@ -202,6 +202,6 @@ All supported file browsers (`nautilus`, `dolphin`, `thunar`) are configured to ### Games -In order to not allow access to user data, game profiles use the `@{XDG_GAMESSTUDIO_DIR}` variable. It may needs to be expanded with other game studio directory. The default is `@{XDG_GAMESSTUDIO_DIR}="unity3d"`. +In order to not allow access to user data, game profiles use the `@{XDG_GAMESSTUDIO_DIR}` variable. It may need to be expanded with other game studio directory. The default is `@{XDG_GAMESSTUDIO_DIR}="unity3d"`. -The `@{XDG_GAMES_DIR}` variable is used to define the game directory such as steam storage directory. If your steam storage is on another drive/mountpoint, you should personalize `@{user_games_dirs}` instead. +The `@{XDG_GAMES_DIR}` variable is used to define the game directory such as steam storage directory. If your steam storage is on another drive, you should personalize `@{user_games_dirs}` instead. diff --git a/docs/development/abstractions.md b/docs/development/abstractions.md index 5c6694684..9390945f8 100644 --- a/docs/development/abstractions.md +++ b/docs/development/abstractions.md 
@@ -137,7 +137,8 @@ A minimal set of rules for profiles including internal `pkexec`. Like `app/sudo` ### **`app/systemctl`** -An alternative solution for [child-systemctl](structure.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows: +An alternative solution for [child-systemctl](internal.md#children-profiles), when the child profile provides too much/not enough access. This abstraction should be used by a sub profile as follows: + ```sh @{bin}/systemctl rCx -> systemctl, diff --git a/docs/development/guidelines.md b/docs/development/guidelines.md index 3d83fea5f..f207e58a2 100644 --- a/docs/development/guidelines.md +++ b/docs/development/guidelines.md @@ -11,7 +11,7 @@ The logic behind it is that if a rule is present in a profile, it should only be For example, if a program needs to run executable binaries then the rules allowing it can only be in a specific rule block (just after the `@{exec_path} mr,` rule). It is therefore easy to ensure some profile features such as: * A profile has access to a given resource -* A profile enforces a strict [write xor execute] (W^X) policy. +* A profile enforces a strict [write xor execute](https://en.wikipedia.org/wiki/W%5EX) (W^X) policy. It also improves compatibilities and makes personalization easier thanks to the use of more variables. 
@@ -132,14 +132,3 @@ If there is no predictable label it can be omitted. ``` Does not help, and if generalized it would add a lot of complexity to any profiles. - -## Additional recommended documentation - -* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) -* [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) -* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html -* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) -* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) -* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) - -[write xor execute]: https://en.wikipedia.org/wiki/W%5EX diff --git a/docs/development/index.md b/docs/development/index.md index c68745e26..2e12a466b 100644 --- a/docs/development/index.md +++ b/docs/development/index.md 
@@ -4,31 +4,38 @@ title: Development If you're looking to contribute to `apparmor.d` you can get started by going to the project [GitHub repository](https://github.com/roddhjav/apparmor.d/)! All contributions are welcome no matter how small. In this page you will find all the useful information needed to contribute to the apparmor.d project. -??? info "How to contribute pull requests" +??? info "How to contribute pull requests?" 1. If you don't have git on your machine, [install it](https://help.github.com/articles/set-up-git/). - 2. Fork this repo by clicking on the fork button on the top of the [project GitHub][project] page. - 3. Clone the forked repository and go to the directory: + 1. Fork this repo by clicking on the fork button on the top of the [project GitHub](https://github.com/roddhjav/apparmor.d) page. + 1. [Generate a new SSH key]( https://docs.github.com/en/authentication/connecting-to-github-with-ssh/generating-a-new-ssh-key-and-adding-it-to-the-ssh-agent) and add it to your GitHub account. + 1. Clone the forked repository and go to the directory: ```sh - git clone https://github.com/your-github-username/apparmor.d.git + git clone git@github.com:your-github-username/apparmor.d.git cd apparmor.d ``` - 4. Create a branch: + 1. Create a branch: ``` git checkout -b my_contribution ``` - 5. Make the changes and commit: + 1. Make the changes and commit: ``` git add git commit -m "A message to sum up my contribution" ``` - 6. Push changes to GitHub: + 1. Push changes to GitHub: ``` git push origin my_contribution ``` - 7. Submit your changes for review: If you go to your repository on GitHub, + 1. Submit your changes for review: If you go to your repository on GitHub, you'll see a Compare & pull request button, fill and submit the pull request. +
+ +- :material-arrow-right:   **[See the workflow to write profiles](workflow.md)** + +
+ ## Project rules 
@@ -55,48 +62,11 @@ If you're looking to contribute to `apparmor.d` you can get started by going to your devices or for your use case. -## Add a profile +## Additional recommended documentation -!!! danger "Warning" - - Following the [profile guidelines](guidelines.md) is **mandatory** for all new profiles. - - -1. To add a new profile `foo`, add the file `foo` in [`apparmor.d/profile-a-f`][profiles-a-f]. - If your profile is part of a large group of profiles, it can also go in - [`apparmor.d/groups`][groups]. - -2. Write the profile content, the rules depend on the confined program, - Here is the bare minimum for the program `foo`: -``` sh -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2024 You -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{exec_path} = @{bin}/foo -profile foo @{exec_path} { - include - - @{exec_path} mr, - - include if exists -} - -# vim:syntax=apparmor -``` - - -3. You can automatically set the `complain` flag on your profile by editing the file [`dists/flags/main.flags`][flags] and add a new line with: `foo complain` - -4. Build & install for your distribution. 
- - -[project]: https://github.com/roddhjav/apparmor.d - -[flags]: https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags -[profiles-a-f]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f -[groups]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups +* [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) +* [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) +* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html +* [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) +* [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) +* [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) diff --git a/docs/development/install.md b/docs/development/install.md deleted file mode 100644 index 6b1f47581..000000000 --- a/docs/development/install.md +++ /dev/null 
@@ -1,66 +0,0 @@ ---- -title: Installation ---- - -## Development Install - -!!! warning - - Do **not** install this project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream. You have been warned! - - See `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`. - - -=== ":material-arch: Archlinux" - - ```sh - make pkg - ``` - -=== ":material-ubuntu: Ubuntu" - - ```sh - make dpkg - ``` - -=== ":material-debian: Debian" - - ```sh - make dpkg - ``` - -=== ":simple-suse: openSUSE" - - ```sh - make rpm - ``` - -=== ":material-docker: Docker" - - For any system with docker installed you can simply build the package with: - - ```sh - make package dist= - ``` - - Then you can install the package with `dpkg`, `pacman` or `rpm`. - - -## Profile flags - -Flags for all profiles in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated. - -For instance, to move `adb` in complain mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: -```sh -adb complain -``` - -Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`: -```sh -gnome-shell attach_disconnected,mediate_deleted,complain -``` - - -## Ignore profiles - -It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. 
It can be a profile name or a directory to ignore (relative to the project root). diff --git a/docs/development/integration.md b/docs/development/integration.md index f829fb69f..1e5878aa0 100644 --- a/docs/development/integration.md +++ b/docs/development/integration.md @@ -74,7 +74,7 @@ All the images come pre-configured with the latest version of `apparmor.d` insta **Usage** -On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two preconfigured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. +On all images, `aa-update` can be used to rebuild and install the latest version of the profiles. `p`, `pf`, and `pu` are two pre-configured aliases of `ps` that show the security status of processes. `htop` is also configured to show this status. ## Tests @@ -118,7 +118,7 @@ Start the tests and collect the results **Tests manifest** -A basic set of test is generated on initialisation. More tests can be manually written in yaml file. They must have the following structure: +A basic set of test is generated on initialization. More tests can be manually written in yaml file. They must have the following structure: ```yaml - name: acpi diff --git a/docs/development/internal.md b/docs/development/internal.md new file mode 100644 index 000000000..c7dc4af14 --- /dev/null +++ b/docs/development/internal.md 
@@ -0,0 +1,203 @@ +--- +title: Internal +--- + +## Profile Context + +These are context helper to be used for in sub profile, they aim at providing a minimal set of rules for a given program. The calling profile only needs to add rules dependant of its use case. + +See [abstractions/app](abstractions.md#context-helper) for more information. + + +## Open Resources + +The standard way to allow opening resources such as URL, pictures, video, in this project is to use one of the `child-open` profile available in the [`children`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children) group. + +**Example:** +```sh +@{open_path} rPx -> child-open, +``` + + +### Manual + +Directly using any of the following: + +- `@{bin}/* PUx,` +- `include ` +- `include ` + +Allow every installed program to be started from the current program with or without profile. This is a very permissive rule and should be avoided if possible. They are however legitimately needed for program launcher. + +### **`child-open`** + +Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. Until this day, this profile will be a controlled mess. + +??? 
quote "[children/child-open](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open)" + + ``` aa + # Sandbox managers + @{bin}/bwrap rPUx, + @{bin}/firejail rPUx, + @{bin}/flatpak rPx, + @{bin}/snap rPx, + + # Labeled programs + @{archive_viewers_path} rPUx, + @{browsers_path} rPx, + @{document_viewers_path} rPUx, + @{emails_path} rPUx, + @{file_explorers_path} rPx, + @{help_path} rPx, + @{image_viewers_path} rPUx, + @{offices_path} rPUx, + @{text_editors_path} rPUx, + + # Others + @{bin}/blueman-tray rPx, + @{bin}/discord{,-ptb} rPx, + @{bin}/draw.io rPUx, + @{bin}/dropbox rPx, + @{bin}/element-desktop rPx, + @{bin}/extension-manager rPx, + @{bin}/filezilla rPx, + @{bin}/flameshot rPx, + @{bin}/gimp* rPUx, + @{bin}/gnome-calculator rPUx, + @{bin}/gnome-disk-image-mounter rPx, + @{bin}/gnome-disks rPx, + @{bin}/gnome-software rPx, + @{bin}/gwenview rPUx, + @{bin}/kgx rPx, + @{bin}/qbittorrent rPx, + @{bin}/qpdfview rPx, + @{bin}/smplayer rPx, + @{bin}/steam-runtime rPUx, + @{bin}/telegram-desktop rPx, + @{bin}/transmission-gtk rPx, + @{bin}/viewnior rPUx, + @{bin}/vlc rPUx, + @{bin}/xbrlapi rPx, + + # Backup + @{lib}/deja-dup/deja-dup-monitor rPx, + + @{browsers_path} rPx, + @{help_path} rPx, + ``` + +### **`child-open-browsers`** + + This version of child-open only allow to open browsers. + +??? quote "[children/child-open-browsers](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-browsers)" + + ``` aa + @{browsers_path} rPx, + ``` + +### **`child-open-help`** + +This version of child-open only allow to open browsers and help programs. + +??? quote "[children/child-open-help](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-help)" + + ``` aa + @{browsers_path} rPx, + @{help_path} rPx, + ``` + +### **`child-open-strict`** + +This version of child-open only allow to open browsers & folders: + +??? 
quote "[children/child-open-strict](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children/child-open-strict)" + + ``` aa + @{browsers_path} Px, + @{file_explorers_path} Px, + ``` + + +!!! warning + + Although needed to not break a program, wrongly used these profiles can lead to confinment escape. + + +## Children profiles + +Usually, a child profile is in the [`children`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children) group. They have the following note: + +!!! quote + + Note: This profile does not specify an attachment path because it is intended to be used only via `"Px -> child-open"` exec transitions from other profiles. + + + +### **`child-modprove-nvidia`** + +Used internally by the `nvidia` abstraction. + +### **`child-pager`** + +Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. Supported pagers are: `sensible-pager`, `pager`, `less`, and `more`. +It can be as follows in a profile: +``` + @{pager_path} rPx -> child-pager, +``` + +### **`child-systemctl`** + +Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you. + +It is recommended to transition [in a subprofile](abstractions.md#appsystemctl) everything that is not generic and that may require some access (so restart, enable...), while `child-systemctl` can handle the more basic tasks. + + +## User Confinement [:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)") + +!!! warning "TODO" + + +## No New Privileges + +[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly started program to get more privileges than its parent process. This is a **good thing** for security. And it is commonly used in systemd unit files (when possible). 
This flag also prevents transitions to other profiles because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed). + +The possible solutions are: + +* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)). +* Inherit the current confinement (`ix`) +* [Stacking](#stacking) + +## Stacking + +[Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) of two or more profile is the strict intersection them. It is a way to ensure that a profile never becomes more permissive than the intersection of all profiles in the stack. It provides several abilities to the policy author: + +- It can be used to ensure that confinement never becomes more permissive. +- To reduce the permissions of a generic profile on a specific task. +- To provide both system level and container and user level policy (when combined with policy namespaces). + +!!! note "" + + [apparmor.d/groups/browsers/chromium](https://github.com/roddhjav/apparmor.d/blob/b51576139b3ed3125aaa3ea4d737a77baac0f00e/apparmor.d/groups/browsers/chromium#L25) + ``` aa linenums="23" + profile chromium @{exec_path} { + ... + @{lib_dirs}/chrome_crashpad_handler rPx -> chromium//&chromium-crashpad-handler, + ... + } + ``` + +## Udev rules + +See the **[kernel docs](https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt)** to check the major block and char numbers used in `/run/udev/data/`. + +Special care must be given as sometimes udev numbers are allocated dynamically by the kernel. Therefore, the full range must be allowed: + +!!! 
note "" + + [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188) + ``` aa linenums="179" + @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 + ``` diff --git a/docs/development/recommendations.md b/docs/development/recommendations.md new file mode 100644 index 000000000..bbe41bc4e --- /dev/null +++ b/docs/development/recommendations.md 
@@ -0,0 +1,78 @@ +--- +title: Recommendations +--- + +## Renaming of profiles + +For security reason, once loaded into the kernel, a profile cannot get fully removed. Therefore, by renaming a profile, you create a second profile with the same attachment. AppArmor will not be able to determine witch one to use leading to breakage. + +A reboot is required to fully remove the profile from the kernel. + + +## Programs to not confine + +Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why. + +These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theatre. + +It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule: +```sh + /etc/{,**} rw, +``` + +However, as `/etc` can contain sensitive files, we now want to explicitly prevent access to these sensitive files. Problems: + +1. How do we know the exhaustive list of *sensitive files* in `/etc`? +2. How do we ensure access to these sensitive files is not required? +3. This breaks the principle of mandatory access control. + See the [first rule of this project](index.md#project-rules) which is to only allow + what is required. Here we allow everything and blacklist some paths. + +It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` this will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile: + +* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only access etc config files: + +!!! 
note "" + + [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123) + ``` aa linenums="123" + profile diff { + include + include + + @{bin}/ r, + @{bin}/pager mr, + @{bin}/less mr, + @{bin}/more mr, + @{bin}/diff mr, + + owner @{HOME}/.lesshs* rw, + + # Diff changed config files + /etc/** r, + + # For shell pwd + /root/ r, + + } + ``` + +* As it is a dependency of pass, `diff` inherits the `pass' profile and has the same access as the pass profile, so it will be allowed to diff password files because more than a generic `diff`, it is a `diff` "version" for the pass password manager: + +!!! note "" + + [apparmor.d/apparmor.d/profiles-m-r/pass](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/profiles-m-r/pass#L20 + ) + ``` aa linenums="20" + @{bin}/diff rix, + ``` + +**What if I still want to protect these programs?** + +You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your terminal in a sandbox managed environment with a sandboxing tool such as Toolbox. + +!!! example "To sum up" + + 1. Do not create a profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat` + 2. Do not create a profile for the shell: `bash`, `sh`, `dash`, `zsh` + 3. Use [Toolbox](https://containertoolbx.org/) diff --git a/docs/development/structure.md b/docs/development/structure.md deleted file mode 100644 index c6b82e29f..000000000 --- a/docs/development/structure.md +++ /dev/null 
@@ -1,133 +0,0 @@ ---- -title: Structure ---- - -Description of common structure found across various AppArmor profiles - - -## Programs to not confine - -Some programs should not be confined by themselves. For example, tools such as `ls`, `rm`, `diff` or `cat` do not have profiles in this project. Let's see why. - -These are general tools that in a general context can legitimately access any file in the system. Therefore, the confinement of such tools by a global profile would at best be minimal at worst be a security theatre. - -It gets even worse. Let's say, we write a profile for `cat`. Such a profile would need access to `/etc/`. We will add the following rule: -```sh - /etc/{,**} rw, -``` - -However, as `/etc` can contain sensitive files, we now want to explicitly prevent access to these sensitive files. Problems: - -1. How do we know the exhaustive list of *sensitive files* in `/etc`? -2. How do we ensure access to these sensitive files is not required? -3. This breaks the principle of mandatory access control. - See the [first rule of this project](index.md#project-rules) which is to only allow - what is required. Here we allow everything and blacklist some paths. - -It creates even more issues when we want to use this profile in other profiles. Let's take the example of `diff`. Using this rule: `@{bin}/diff rPx,` this will restrict access to the very generic and not very confined `diff` profile. Whereas most of the time, we want to restrict `diff` to some specific file in our profile: - -* In `dpkg`, an internal child profile (`rCx -> diff`), allows `diff` to only access etc config files: - -!!! 
note "" - - [apparmor.d/apparmor.d/groups/apt/dpkg](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/groups/apt/dpkg#L123) - ``` aa linenums="123" - profile diff { - include - include - - @{bin}/ r, - @{bin}/pager mr, - @{bin}/less mr, - @{bin}/more mr, - @{bin}/diff mr, - - owner @{HOME}/.lesshs* rw, - - # Diff changed config files - /etc/** r, - - # For shell pwd - /root/ r, - - } - ``` - -* As it is a dependency of pass, `diff` inherits the `pass' profile and has the same access as the pass profile, so it will be allowed to diff password files because more than a generic `diff`, it is a `diff` "version" for the pass password manager: - -!!! note "" - - [apparmor.d/apparmor.d/profiles-m-r/pass](https://github.com/roddhjav/apparmor.d/blob/accf5538bdfc1598f1cc1588a7118252884df50c/apparmor.d/profiles-m-r/pass#L20 - ) - ``` aa linenums="20" - @{bin}/diff rix, - ``` - -**What if I still want to protect these programs?** - -You do not protect these programs. *Protect the usage you have of these programs*. In practice, it means that you should put your terminal in a sandbox managed environment with a sandboxing tool such as Toolbox. - -!!! example "To sum up" - - 1. Do not create a profile for programs such as: `rm`, `ls`, `diff`, `cd`, `cat` - 2. Do not create a profile for the shell: `bash`, `sh`, `dash`, `zsh` - 3. Use [Toolbox]. - -[Toolbox]: https://containertoolbx.org/ - - -## Open Resources - -The standard way to allow opening resource in this project is to use one of the -child-open profile. Eg: `@{open_path} rPx -> child-open,` - -They are available in the [`children`][children] group. - -* **`child-open`**: Instead of allowing the ability to run all software in `@{bin}/`, the purpose of this profile is to list all GUI programs that can open resources. Ultimately, only sandbox manager programs such as `bwrap`, `snap`, `flatpak`, `firejail` should be present here. 
Until this day, this profile will be a controlled mess. -* **`child-open-browsers`**: This version of child-open only allow to open browsers. -* **`child-open-help`**: This version of child-open only allow to open browsers and help programs. -* **`child-open-strict`**: This version of child-open only allow to open browsers & folders. - - -## Children profiles - -Usually, a child profile is in the [`children`][children] group. They have the following note: - -!!! quote - - Note: This profile does not specify an attachment path because it is intended to be used only via `"Px -> child-open"` exec transitions from other profiles. - -[children]: https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups/children - -Here is an overview of the current children profile: - -2. **`child-pager`**: Simple access to pagers such as `pager`, `less` and `more`. This profile assumes the pager is reading its data from stdin, not from a file on disk. - -3. **`child-systemctl`**: Common `systemctl` action. Do not use it too much as most of the time you will need more privilege than what this profile is giving you. - - -## Udev rules - -See the **[kernel docs][kernel]** to check the major block and char numbers used in `/run/udev/data/`. - -Special care must be given as sometimes udev numbers are allocated dynamically by the kernel. Therefore, the full range must be allowed: - -!!! 
note "" - - [apparmor.d/groups/virt/libvirtd](https://github.com/roddhjav/apparmor.d/blob/b2af7a631a2b8aca7d6bdc8f7ff4fdd5ec94220e/apparmor.d/groups/virt/libvirtd#L188) - ``` aa linenums="179" - @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 - ``` - -[kernel]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt - - -## No New Privileges - -[**No New Privileges**](https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html) is a flag preventing a newly started program to get more privileges than its parent process. This is a **good thing** for security. And it is commonly used in systemd unit files (when possible). This flag also prevents transitions to other profiles because it could be less restrictive than the parent profile (no `Px` or `Ux` allowed). - -The possible solutions are: - -* The easiest (and unfortunately less secure) workaround is to ensure the programs do not run with no new privileges flag by disabling `NoNewPrivileges` in the systemd unit (or any other [options implying it](https://man.archlinux.org/man/core/systemd/systemd.exec.5.en#SECURITY)). -* Inherit the current confinement (`ix`) -* [Stacking](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmorStacking) diff --git a/docs/development/workflow.md b/docs/development/workflow.md new file mode 100644 index 000000000..7455d97c7 --- /dev/null +++ b/docs/development/workflow.md @@ -0,0 +1,195 @@ +--- +title: Workflow +--- + +**Workflow to write profiles** + +
+ +- :material-file-document:   **[Write a blanck profile](#add-a-blank-profile)** + +
+
+ +- :material-download:   **[Install the profile](#individual-profile)** + +
+
+ +- :material-test-tube:   **[Profile the program](#program-profiling)** + +
+
+ +- :octicons-law-16:   **[Respect the profile guidelines](guidelines.md)** + +
+ + +## Add a blank profile + +1. To add a new profile `foo`, add the file `foo` in [`apparmor.d/profile-a-f`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/profiles-a-f). + If your profile is part of a large group of profiles, it can also go in + [`apparmor.d/groups`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/groups). + +2. Write the profile content, the rules depend on the confined program, + Here is the bare minimum for the program `foo`: +``` sh +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 You +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/foo +profile foo @{exec_path} { + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor +``` + +## Development Install + +It is not recommended installing the full project *"manually"* (with `make`, `sudo make install`). The distribution specific packages are intended to be used in development as they include additional rule to ensure compatibility with upstream (see `debian/`, `PKGBUILD` and `dists/apparmor.d.spec`). + +Instead, install an individual profile or the development package, the following way. + +### Development package + +=== ":material-arch: Archlinux" + + ```sh + make pkg + ``` + +=== ":material-ubuntu: Ubuntu" + + ```sh + make dpkg + ``` + +=== ":material-debian: Debian" + + ```sh + make dpkg + ``` + +=== ":simple-suse: openSUSE" + + ```sh + make rpm + ``` + +=== ":material-docker: Docker" + + For any system with docker installed you can simply build the package with: + + ```sh + make package dist= + ``` + + Then you can install the package with `dpkg`, `pacman` or `rpm`. + +### Individual profile + +**Format** + +```sh +make dev name= +``` + +**Exampe** + +: Testing the profile `pass` + + ``` + make dev name=pass + ``` + + This: + + - Prebuild the `pass` profile in complain mode to `.build`, + - Install the profile to `/etc/apparmor.d/` + - Load the profile by restarting the AppArmor service. 
+ + +More advanced development, like editing the abstractions or working over multiple profiles at the same time requires installing the full development package. + +For this individual profile installation to work, the full package needs to be installed, regardless of the installation method ([dev](#development-package) or [stable](../install.md)). + +## Program Profiling + +### Workflow + +To discover the access needed by a program, you can use the following tools: + +1. Star the program in *complain* mode, let it initialize itself, then close it. + +1. Run **[`aa-log -r`](../usage.md#apparmor-log)**. It will: + - Convert the logs to AppArmor rules. + - Detect if flags such as `attach_disconnected` are needed. + - Convert all common paths to **[variables](../variables.md)**. + +1. From `aa-log` output, you can: + - Copy the rules to the profile. + - Replace some rules with **[abstractions](abstractions.md)** as 80% of the rules should already be covered by an abstraction. + +1. Then, [update the profile](#individual-profile) and start the program again. Use the program as you would normally do, but also try to run all the features of the program, e.g.: open the help, settings, etc. + +1. Run **[`aa-log`](../usage.md#apparmor-log)**. Stop the program as long as you get over 100 new rules. Add the rules to the profile. + +After 2 or 3 iterations, you should have a working profile. + +### Recommendations + +
+ +- :material-function:   **[Use the abstractions](abstractions.md)** +- :simple-files:   **[Learn how to open resources](internal.md#open-resources)** +- :fontawesome-solid-bus-simple:   **[Learn how Dbus rules are handled](dbus.md)** +- :material-sign-direction:   **[Learn about directives `#aa:`](directives.md)** +- :octicons-law-16:   **[Follow the profile guidelines](guidelines.md)** +- :octicons-light-bulb-16:   **[See other recommendations](recommendations.md)** + +
+ +!!! danger "Warning" + + Following the [profile guidelines](guidelines.md) is **mandatory** for all profiles. PRs that do not follow the guidelines will not get merged. + +### Tools + +* **[aa-notify](https://wiki.archlinux.org/title/AppArmor#Get_desktop_notification_on_DENIED_actions)** is a tool that will allow you to get notified on every apparmor log. + +* **[aa-logprof](https://man.archlinux.org/man/aa-logprof.8)** is another tool that will help you to generate a profile from logs. However, the logs generated by `aa-logprof` need to be rewritten to comply with the profile [guidelines](guidelines.md). + +* **[aa-complain](https://man.archlinux.org/man/aa-complain.8), aa-enforce** are tools to quickly change the mode of a profile. + + +## Development Settings + +### Profile flags + +Flags for all profiles in this project are tracked under the [`dists/flags`](https://github.com/roddhjav/apparmor.d/tree/main/dists/flags) directory. It is used for profile that are not considered stable. Files in this directory should respect the following format: ` `, flags should be comma separated. + +For instance, to move `adb` in *complain* mode, edit **[`dists/flags/main.flags`](https://github.com/roddhjav/apparmor.d/blob/main/dists/flags/main.flags)** and add the following line: +```sh +adb complain +``` + +Beware, flags defined in this file overwrite flags in the profile. So you may need to add other flags. Example for `gnome-shell`: +```sh +gnome-shell attach_disconnected,mediate_deleted,complain +``` + + +### Ignore profiles + +It can be handy to not install a profile for a given distribution. Profiles and directories to ignore are tracked under the [`dists/ignore`](https://github.com/roddhjav/apparmor.d/tree/main/dists/ignore) directory. Files in this directory should respect the following format: ``. One ignore by line. It can be a profile name or a directory to ignore (relative to the project root). 
diff --git a/docs/full-system-policy.md b/docs/full-system-policy.md index d37cf3071..80da55c2a 100644 --- a/docs/full-system-policy.md +++ b/docs/full-system-policy.md @@ -131,7 +131,7 @@ To work as intended, userland services started by `systemd --user` **should** ha !!! info - To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](development/structure.md#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: + To be allowed to run, additional root or user services may need to add extra rules inside the `usr/systemd.d` or `usr/systemd-user.d` directory. For example, when installing a new privileged service `foo` with [stacking](development/internal.md#no-new-privileges) you may need to add the following to `/etc/apparmor.d/usr/systemd.d/foo`: ``` @{lib}/foo rPx -> systemd//&foo, ``` diff --git a/mkdocs.yml b/mkdocs.yml index 689785a31..9390b3dde 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -152,14 +152,14 @@ nav: - recovery.md - Development: - development/index.md - - Architecture: - - development/install.md + - Profiles: + - development/workflow.md - development/guidelines.md - - development/structure.md - - Profile: - development/abstractions.md + - development/internal.md - development/directives.md - development/dbus.md + - development/recommendations.md - Tests: - development/tests.md - development/integration.md From 28a2892be0beea82a23101e246981f5526a18ada Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Oct 2024 01:19:25 +0100 Subject: [PATCH 219/315] docs: add badge colors. --- docs/assets/stylesheets/extra.css | 51 ++++++++++++++++++++++++++++++- 1 file changed, 50 insertions(+), 1 deletion(-) diff --git a/docs/assets/stylesheets/extra.css b/docs/assets/stylesheets/extra.css index 3b0fc1db6..8691707db 100644 
--- a/docs/assets/stylesheets/extra.css +++ b/docs/assets/stylesheets/extra.css @@ -4,9 +4,58 @@ --md-footer-fg-color--lighter: #b6b6b6; --md-footer-bg-color: transparent; --md-footer-bg-color--dark: transparent; + --pg-purple: #603aa0; + --pg-red: #c0322f; + --pg-orange: #ac2f09; + --pg-teal: #04756a; + --pg-brown: #8d6e62; + --pg-blue: #0e66ae; + --pg-green: #2e7e31; + --pg-blue-gray: #546d78; } [data-md-color-scheme=slate] { --md-footer-bg-color: transparent; --md-footer-bg-color--dark: var(--md-default-bg-color--darkest); -} \ No newline at end of file + --pg-purple: #af94de; + --pg-red: #ff6c6a; + --pg-orange: #e97b5a; + --pg-teal: #8dc6c1; + --pg-brown: #4b1d0b; + --pg-blue: #74b9f1; + --pg-green: #72cd75; + --pg-blue-gray: #9ab2bc; +} + +/* Badge colors */ +.pg-purple { + color: var(--pg-purple); +} + +.pg-red { + color: var(--pg-red); +} + +.pg-orange { + color: var(--pg-orange); +} + +.pg-teal { + color: var(--pg-teal); +} + +.pg-brown { + color: var(--pg-brown); +} + +.pg-blue { + color: var(--pg-blue); +} + +.pg-green { + color: var(--pg-green); +} + +.pg-blue-gray { + color: var(--pg-blue-gray); +} From 239ae171193c9b4951badb39417768536841a880 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 2 Oct 2024 13:46:30 +0100 Subject: [PATCH 220/315] feat(profile): modernize some profiles. --- apparmor.d/groups/bus/ibus-portal | 7 +--- apparmor.d/groups/freedesktop/xdg-email | 2 ++ .../groups/freedesktop/xdg-icon-resource | 1 + apparmor.d/groups/freedesktop/xdg-screensaver | 1 + .../gnome-control-center-search-provider | 5 +-- apparmor.d/groups/gnome/seahorse | 5 +-- apparmor.d/groups/kde/systemsettings | 9 ++++-- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- .../groups/ubuntu/software-properties-gtk | 32 ++++--------------- .../groups/ubuntu/subiquity-console-conf | 2 +- .../ubuntu/ubuntu-advantage-desktop-daemon | 13 ++------ apparmor.d/groups/virt/dockerd | 1 + apparmor.d/profiles-m-r/qbittorrent | 2 +- apparmor.d/profiles-m-r/repo | 2 +- apparmor.d/profiles-s-z/wireplumber | 2 +- 15 files changed, 28 insertions(+), 58 deletions(-) diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal index ea3d7a7a6..c902e20d0 100644 --- a/apparmor.d/groups/bus/ibus-portal +++ b/apparmor.d/groups/bus/ibus-portal @@ -14,18 +14,13 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term, hup) peer=gdm*, - dbus bind bus=session name=org.freedesktop.portal.IBus, + #aa:dbus own bus=session name=org.freedesktop.portal.IBus dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=:*, label=gnome-shell), - dbus receive bus=session path=/org/freedesktop/IBus - interface=org.freedesktop.DBus.Peer - member=Ping - peer=(name=:*, label=ibus-daemon), - @{exec_path} mr, owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw, diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index da457a0fe..fa8abd38f 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email 
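Review bot: The removed `dbus receive bus=session path=/org/freedesktop/IBus interface=org.freedesktop.DBus.Peer member=Ping peer=(name=:*, label=ibus-daemon)` rule has no visible replacement in this hunk: the new `#aa:dbus own bus=session name=org.freedesktop.portal.IBus` directive is keyed on the owned bus name, while the Ping arrived on a different object path (`/org/freedesktop/IBus`) and the generic `org.freedesktop.DBus.Peer` interface. If the directive's generated rules only cover paths and interfaces derived from the owned name, ibus-daemon's Ping will be denied once the profile is enforced. Either keep that receive rule next to the directive, or confirm with `aa-log` after an ibus restart that no `org.freedesktop.DBus.Peer` denial is logged. The profile body continues outside the hunk.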
@@ -10,6 +10,8 @@ include @{exec_path} = @{bin}/xdg-email profile xdg-email @{exec_path} flags=(complain) { include + include + include @{exec_path} r, diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 9ece71574..66cd5435f 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -12,6 +12,7 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include include + include @{exec_path} r, diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index bca69b9b1..792c6b859 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -11,6 +11,7 @@ include profile xdg-screensaver @{exec_path} { include include + include @{exec_path} r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index b584a8c1a..53ced47f0 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -14,10 +14,7 @@ profile gnome-control-center-search-provider @{exec_path} { include include - dbus bind bus=session name=org.gnome.Settings.SearchProvider, - dbus receive bus=session path=/org/gnome/Settings/SearchProvider - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*, label=gnome-shell), + #aa:dbus own bus=session name=org.gnome.Settings.SearchProvider @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse index ba23af8a4..cb41a046d 100644 --- a/apparmor.d/groups/gnome/seahorse +++ b/apparmor.d/groups/gnome/seahorse 
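Review bot: In the gnome-control-center-search-provider hunk, the `#aa:dbus own bus=session name=org.gnome.Settings.SearchProvider` directive replaces a receive rule that was restricted to `peer=(name=:*, label=gnome-shell)`, so the peer-label constraint disappears from the visible policy. If the directive expands to an unlabelled `peer=(name=:*)`, any session-bus client, not only gnome-shell, can now drive the `org.gnome.Shell.SearchProvider2` methods of a provider that launches control-center panels, which is a wider surface than before. Note that adding a narrower labelled rule beside the directive would not restore the restriction, since AppArmor unions permissions; keeping the label requires retaining the explicit `dbus bind` and `dbus receive ... peer=(name=:*, label=gnome-shell),` rules instead of the directive. If the relaxation is intended, a one-line comment saying so, e.g. `# any session peer may query the provider`, would save the next reader the same question. The profile continues outside the hunk.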
@@ -21,10 +21,7 @@ profile seahorse @{exec_path} { include include - dbus bind bus=session name=org.gnome.seahorse.Application, - dbus receive bus=session path=/org/gnome/seahorse/Application - interface=org.gnome.Shell.SearchProvider2 - peer=(name=:*), + #aa:dbus own bus=session name=org.gnome.seahorse.Application @{exec_path} mr, diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index e1de05a11..c17a34e59 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -84,7 +84,6 @@ profile systemsettings @{exec_path} { owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/device_automounter_kcmrc.lock rwk, owner @{user_config_dirs}/emaildefaults r, - owner @{user_config_dirs}/kactivitymanagerdrc r, owner @{user_config_dirs}/kde.org/{,**} rwlk, owner @{user_config_dirs}/kdedefaults/kscreenlockerrc r, owner @{user_config_dirs}/kdedefaults/plasmarc r, @@ -111,6 +110,11 @@ profile systemsettings @{exec_path} { owner @{user_share_dirs}/systemsettings/** rwlk, owner @{user_share_dirs}/wallpapers/{,**} r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/systemsettingsstaterc rw, + owner @{user_state_dirs}/systemsettingsstaterc.@{rand6} rwlk, + owner @{user_state_dirs}/systemsettingsstaterc.lock rwlk, + owner @{run}/user/@{uid}/#@{int} rw, owner @{run}/user/@{uid}/systemsettings@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int}, @@ -123,9 +127,10 @@ profile systemsettings @{exec_path} { @{sys}/firmware/acpi/pm_profile r, @{PROC}/interrupts r, - owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, /dev/ r, /dev/bus/usb/ r, diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index c66587969..aaf3b9f33 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan 
@@ -14,7 +14,7 @@ profile cron-ubuntu-fan @{exec_path} { @{exec_path} mr, - @{bin}/{,da,ba}sh rix, + @{sh_path} rix, @{bin}/fanctl rix, @{bin}/flock rix, @{bin}/grep rix, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 9db3ec332..6d7dc732f 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -20,35 +20,15 @@ profile software-properties-gtk @{exec_path} { include include - dbus bind bus=session name=com.ubuntu.SoftwareProperties, - dbus (send, receive) bus=system path=/com/ubuntu/SoftwareProperties - interface={com.ubuntu.SoftwareProperties,org.gtk.{Application,Actions}} - peer=(name="{:*,com.ubuntu.SoftwareProperties}", label=software-properties-gtk), - dbus send bus=system path=/ - interface=com.ubuntu.SoftwareProperties - peer=(name=:*, label=software-properties-dbus), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*), - - dbus send bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=ubuntu-advantage-desktop-daemon), - - dbus send bus=system path=/com/canonical/UbuntuAdvantage/Manager - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=ubuntu-advantage-desktop-daemon), + #aa:dbus own bus=session name=com.ubuntu.SoftwareProperties + #aa:dbus talk bus=system name=com.canonical.UbuntuAdvantage label=ubuntu-advantage-desktop-daemon @{exec_path} mr, @{bin}/ r, + @{sh_path} rix, @{bin}/python3.@{int} r, - @{bin}/{,da,ba}sh rix, @{bin}/aplay rPx, @{bin}/apt-key rPx, @{bin}/dpkg rPx -> child-dpkg, 
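Review bot: In the software-properties-gtk hunk, the removed `dbus send bus=system path=/ interface=com.ubuntu.SoftwareProperties peer=(name=:*, label=software-properties-dbus)` rule is the one that let the GUI reach its privileged `software-properties-dbus` backend, and neither new directive names that peer: `#aa:dbus own` is on the session bus and `#aa:dbus talk` targets `com.canonical.UbuntuAdvantage`. Unless the own directive is also expanded on the system bus (not visible here), applying a repository change will be denied once the profile is enforced. Consider adding `#aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties label=software-properties-dbus` or restoring the explicit send rule. The hunk also drops the system-bus `Introspect` send to `peer=(name=:*)`; if it was only ever used against the two peers above the directives presumably cover it, otherwise it should come back too. The profile continues outside the hunk.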
@@ -73,9 +53,9 @@ profile software-properties-gtk @{exec_path} { /var/crash/*software-properties-gtk.@{uid}.crash rw, /var/lib/ubuntu-advantage/status.json r, - owner @{tmp}/???????? rw, - owner @{tmp}/tmp????????/ rw, # change to 'c' - owner @{tmp}/tmp????????/apt.conf rw, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8}/ rw, + owner @{tmp}/tmp@{word8}/apt.conf rw, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 08886b640..7113dac5e 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -22,7 +22,7 @@ profile subiquity-console-conf @{exec_path} { @{exec_path} mr, - @{bin}/{,da,ba}sh rix, + @{sh_path} rix, @{bin}/cat rix, @{bin}/grep rix, @{bin}/ip rix, diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon index 2e35697c0..ddb689b53 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon @@ -14,17 +14,8 @@ profile ubuntu-advantage-desktop-daemon @{exec_path} flags=(attach_disconnected) capability sys_nice, - dbus bind bus=system name=com.canonical.UbuntuAdvantage, - - dbus receive bus=system path=/ - interface=org.freedesktop.DBus.ObjectManager - member=GetManagedObjects - peer=(name=:*, label=software-properties-gtk), - - dbus receive bus=system - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=software-properties-gtk), + #aa:dbus own bus=system name=com.canonical.UbuntuAdvantage + #aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties label=software-properties-gtk @{exec_path} mr, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index def1d76b2..78503c7be 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd 
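Review bot: In the ubuntu-advantage-desktop-daemon hunk, the removed `GetManagedObjects` receive was on `path=/` with the `org.freedesktop.DBus.ObjectManager` interface, whereas the new `#aa:dbus own bus=system name=com.canonical.UbuntuAdvantage` is keyed on the bus name; if the directive derives its object paths from that name, the root-path ObjectManager call from software-properties-gtk is no longer matched. The `#aa:dbus talk bus=system name=com.ubuntu.SoftwareProperties label=software-properties-gtk` line may cover it, but that depends on how `talk` is expanded, which this page does not show. Worth checking with `aa-log` that `ObjectManager.GetManagedObjects` from software-properties-gtk is still permitted, and if not keeping `dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects peer=(name=:*, label=software-properties-gtk),` beside the directives. The profile continues outside the hunk.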
@@ -60,6 +60,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/ /var/lib/docker/tmp/**/, ptrace read peer=docker-*, + ptrace read peer=runc, ptrace read peer=unconfined, signal send set=int peer=docker-proxy, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 7f79d3a06..3e7c28e24 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -135,7 +135,7 @@ profile qbittorrent @{exec_path} { owner @{user_torrents_dirs}/** r, - owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/@{int}, # unconventional '_' tail + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/@{int}, owner /dev/shm/* rw, owner @{tmp}/@{int} rw, diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 6f3ba2417..5f491cd5e 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -51,7 +51,7 @@ profile repo @{exec_path} { owner @{tmp}/ssh-*/ rw, owner /dev/shm/* rw, - owner /dev/shm/sem.mp-???????? rwl -> /dev/shm/*, # unconventional '_' tail + owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/*, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index 6b8bca6c0..eadb669cd 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -24,7 +24,7 @@ profile wireplumber @{exec_path} { network bluetooth stream, network netlink raw, - dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio0, + #aa:dbus own bus=session name=org.freedesktop.ReserveDevice1.Audio0 dbus receive bus=session interface=org.freedesktop.DBus.Introspectable From a5df9dc61ef3c752cfb0650875a922c65a4480d4 Mon Sep 17 00:00:00 2001 
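Review bot: In the qbittorrent hunk, the comment `# unconventional '_' tail` on the replaced `sem.mp-????????` line carried real information: the `sem.mp-` prefix is the one Python's multiprocessing uses, and as far as I recall its random suffix alphabet includes `_`, so an underscore can legitimately appear in the name. The rewrite to `@{word8}` is only equivalent if that variable's character class includes `_`; if it does not, the rule silently stops matching and semaphore creation under `/dev/shm/` is denied once the profile is enforced. Suggest confirming the definition of `@{word8}` and keeping the why-comment, e.g. `owner /dev/shm/sem.mp-@{word8} rwl -> /dev/shm/@{int}, # python multiprocessing; suffix may contain '_'`. The same substitution is made in the `repo` hunk that follows.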
From: Alexandre Pujol Date: Wed, 2 Oct 2024 13:53:36 +0100 Subject: [PATCH 221/315] docs: add Labelled programs section. --- docs/development/internal.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/docs/development/internal.md b/docs/development/internal.md index c7dc4af14..58d66058f 100644 --- a/docs/development/internal.md +++ b/docs/development/internal.md @@ -42,7 +42,7 @@ Instead of allowing the ability to run all software in `@{bin}/`, the purpose of @{bin}/flatpak rPx, @{bin}/snap rPx, - # Labeled programs + # Labelled programs @{archive_viewers_path} rPUx, @{browsers_path} rPx, @{document_viewers_path} rPUx, @@ -81,9 +81,6 @@ Instead of allowing the ability to run all software in `@{bin}/`, the purpose of # Backup @{lib}/deja-dup/deja-dup-monitor rPx, - - @{browsers_path} rPx, - @{help_path} rPx, ``` ### **`child-open-browsers`** @@ -155,6 +152,12 @@ Common `systemctl` action. Do not use it too much as most of the time you will n It is recommended to transition [in a subprofile](abstractions.md#appsystemctl) everything that is not generic and that may require some access (so restart, enable...), while `child-systemctl` can handle the more basic tasks. +## Labelled programs + +All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and +[`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile. They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path. + + ## User Confinement [:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)") !!! warning "TODO" 
From 5ed4df691608d7570c2f4bf8f0a52bc278b24d29 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 2 Oct 2024 14:04:08 +0100 Subject: [PATCH 222/315] feat(profile): update all profile to abi 4.0 by default. --- apparmor.d/groups/_full/bwrap | 2 +- apparmor.d/groups/_full/bwrap-app | 2 +- apparmor.d/groups/_full/default | 2 +- apparmor.d/groups/_full/default-sudo | 2 +- apparmor.d/groups/_full/systemd | 2 +- apparmor.d/groups/_full/systemd-service | 2 +- apparmor.d/groups/_full/systemd-user | 2 +- apparmor.d/groups/_full/systemd-user-service | 2 +- apparmor.d/groups/akonadi/akonadi_akonotes_resource | 2 +- apparmor.d/groups/akonadi/akonadi_archivemail_agent | 2 +- apparmor.d/groups/akonadi/akonadi_birthdays_resource | 2 +- apparmor.d/groups/akonadi/akonadi_contacts_resource | 2 +- apparmor.d/groups/akonadi/akonadi_control | 2 +- apparmor.d/groups/akonadi/akonadi_followupreminder_agent | 2 +- apparmor.d/groups/akonadi/akonadi_ical_resource | 2 +- apparmor.d/groups/akonadi/akonadi_indexing_agent | 2 +- apparmor.d/groups/akonadi/akonadi_maildir_resource | 2 +- apparmor.d/groups/akonadi/akonadi_maildispatcher_agent | 2 +- apparmor.d/groups/akonadi/akonadi_mailfilter_agent | 2 +- apparmor.d/groups/akonadi/akonadi_mailmerge_agent | 2 +- apparmor.d/groups/akonadi/akonadi_migration_agent | 2 +- apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent | 2 +- apparmor.d/groups/akonadi/akonadi_notes_agent | 2 +- apparmor.d/groups/akonadi/akonadi_sendlater_agent | 2 +- apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent | 2 +- apparmor.d/groups/apt/apt | 2 +- apparmor.d/groups/apt/apt-cache | 2 +- apparmor.d/groups/apt/apt-cdrom | 2 +- apparmor.d/groups/apt/apt-config | 2 +- apparmor.d/groups/apt/apt-extracttemplates | 2 +- apparmor.d/groups/apt/apt-file | 2 +- apparmor.d/groups/apt/apt-forktracer | 2 +- apparmor.d/groups/apt/apt-ftparchive | 2 +- apparmor.d/groups/apt/apt-helper | 2 +- apparmor.d/groups/apt/apt-key | 2 +- apparmor.d/groups/apt/apt-listbugs | 2 +- apparmor.d/groups/apt/apt-listbugs-aptcleanup | 2 +- 
apparmor.d/groups/apt/apt-listbugs-migratepins | 2 +- apparmor.d/groups/apt/apt-listbugs-prefclean | 2 +- apparmor.d/groups/apt/apt-listchanges | 2 +- apparmor.d/groups/apt/apt-mark | 2 +- apparmor.d/groups/apt/apt-methods-cdrom | 2 +- apparmor.d/groups/apt/apt-methods-copy | 2 +- apparmor.d/groups/apt/apt-methods-file | 2 +- apparmor.d/groups/apt/apt-methods-ftp | 2 +- apparmor.d/groups/apt/apt-methods-gpgv | 2 +- apparmor.d/groups/apt/apt-methods-http | 2 +- apparmor.d/groups/apt/apt-methods-mirror | 2 +- apparmor.d/groups/apt/apt-methods-rred | 2 +- apparmor.d/groups/apt/apt-methods-rsh | 2 +- apparmor.d/groups/apt/apt-methods-store | 2 +- apparmor.d/groups/apt/apt-overlay | 2 +- apparmor.d/groups/apt/apt-show-versions | 2 +- apparmor.d/groups/apt/apt-sortpkgs | 2 +- apparmor.d/groups/apt/apt-systemd-daily | 2 +- apparmor.d/groups/apt/aptitude | 2 +- apparmor.d/groups/apt/aptitude-changelog-parser | 2 +- apparmor.d/groups/apt/aptitude-create-state-bundle | 2 +- apparmor.d/groups/apt/aptitude-run-state-bundle | 2 +- apparmor.d/groups/apt/command-not-found | 2 +- apparmor.d/groups/apt/debconf-apt-progress | 2 +- apparmor.d/groups/apt/debconf-show | 2 +- apparmor.d/groups/apt/deborphan | 2 +- apparmor.d/groups/apt/debsecan | 2 +- apparmor.d/groups/apt/debsign | 2 +- apparmor.d/groups/apt/debsums | 2 +- apparmor.d/groups/apt/debtags | 2 +- apparmor.d/groups/apt/dpkg | 2 +- apparmor.d/groups/apt/dpkg-architecture | 2 +- apparmor.d/groups/apt/dpkg-buildflags | 2 +- apparmor.d/groups/apt/dpkg-checkbuilddeps | 2 +- apparmor.d/groups/apt/dpkg-deb | 2 +- apparmor.d/groups/apt/dpkg-divert | 2 +- apparmor.d/groups/apt/dpkg-genbuildinfo | 2 +- apparmor.d/groups/apt/dpkg-genchanges | 2 +- apparmor.d/groups/apt/dpkg-preconfigure | 2 +- apparmor.d/groups/apt/dpkg-query | 2 +- apparmor.d/groups/apt/dpkg-split | 2 +- apparmor.d/groups/apt/dpkg-trigger | 2 +- apparmor.d/groups/apt/dpkg-vendor | 2 +- apparmor.d/groups/apt/querybts | 2 +- apparmor.d/groups/apt/reportbug | 2 +- 
apparmor.d/groups/apt/synaptic | 2 +- apparmor.d/groups/apt/unattended-upgrade | 2 +- apparmor.d/groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/apt/update-apt-xapian-index | 2 +- apparmor.d/groups/avahi/avahi-autoipd | 2 +- apparmor.d/groups/avahi/avahi-browse | 2 +- apparmor.d/groups/avahi/avahi-publish | 2 +- apparmor.d/groups/avahi/avahi-resolve | 2 +- apparmor.d/groups/avahi/avahi-set-host-name | 2 +- apparmor.d/groups/browsers/brave | 2 +- apparmor.d/groups/browsers/brave-crashpad-handler | 2 +- apparmor.d/groups/browsers/brave-sandbox | 2 +- apparmor.d/groups/browsers/brave-wrapper | 2 +- apparmor.d/groups/browsers/chrome | 2 +- apparmor.d/groups/browsers/chrome-crashpad-handler | 2 +- apparmor.d/groups/browsers/chrome-sandbox | 2 +- apparmor.d/groups/browsers/chrome-wrapper | 2 +- apparmor.d/groups/browsers/chromium | 2 +- apparmor.d/groups/browsers/chromium-crashpad-handler | 2 +- apparmor.d/groups/browsers/chromium-sandbox | 2 +- apparmor.d/groups/browsers/chromium-wrapper | 2 +- apparmor.d/groups/browsers/ephy-profile-migrator | 2 +- apparmor.d/groups/browsers/epiphany | 2 +- apparmor.d/groups/browsers/firefox | 2 +- apparmor.d/groups/browsers/firefox-crashreporter | 2 +- apparmor.d/groups/browsers/firefox-glxtest | 2 +- apparmor.d/groups/browsers/firefox-kmozillahelper | 2 +- apparmor.d/groups/browsers/firefox-minidump-analyzer | 2 +- apparmor.d/groups/browsers/firefox-pingsender | 2 +- apparmor.d/groups/browsers/firefox-plugin-container | 2 +- apparmor.d/groups/browsers/firefox-vaapitest | 2 +- apparmor.d/groups/browsers/msedge | 2 +- apparmor.d/groups/browsers/msedge-crashpad-handler | 2 +- apparmor.d/groups/browsers/msedge-sandbox | 2 +- apparmor.d/groups/browsers/msedge-wrapper | 2 +- apparmor.d/groups/browsers/opera | 2 +- apparmor.d/groups/browsers/opera-crashreporter | 2 +- apparmor.d/groups/browsers/opera-sandbox | 2 +- apparmor.d/groups/browsers/torbrowser | 2 +- apparmor.d/groups/browsers/torbrowser-glxtest | 2 +- 
apparmor.d/groups/browsers/torbrowser-launcher | 2 +- apparmor.d/groups/browsers/torbrowser-plugin-container | 2 +- apparmor.d/groups/browsers/torbrowser-start | 2 +- apparmor.d/groups/browsers/torbrowser-tor | 2 +- apparmor.d/groups/browsers/torbrowser-updater | 2 +- apparmor.d/groups/browsers/torbrowser-vaapitest | 2 +- apparmor.d/groups/bus/at-spi2-registryd | 2 +- apparmor.d/groups/bus/dbus-accessibility | 2 +- apparmor.d/groups/bus/dbus-session | 2 +- apparmor.d/groups/bus/dbus-system | 2 +- apparmor.d/groups/bus/ibus-daemon | 2 +- apparmor.d/groups/bus/ibus-dconf | 2 +- apparmor.d/groups/bus/ibus-engine-simple | 2 +- apparmor.d/groups/bus/ibus-engine-table | 2 +- apparmor.d/groups/bus/ibus-extension-gtk3 | 2 +- apparmor.d/groups/bus/ibus-memconf | 2 +- apparmor.d/groups/bus/ibus-portal | 2 +- apparmor.d/groups/bus/ibus-x11 | 2 +- apparmor.d/groups/children/child-dpkg | 2 +- apparmor.d/groups/children/child-dpkg-divert | 2 +- apparmor.d/groups/children/child-modprobe-nvidia | 2 +- apparmor.d/groups/children/child-open | 2 +- apparmor.d/groups/children/child-open-any | 2 +- apparmor.d/groups/children/child-open-browsers | 2 +- apparmor.d/groups/children/child-open-help | 2 +- apparmor.d/groups/children/child-open-strict | 2 +- apparmor.d/groups/children/child-pager | 2 +- apparmor.d/groups/children/child-systemctl | 2 +- apparmor.d/groups/children/user_confined | 2 +- apparmor.d/groups/children/user_default | 2 +- apparmor.d/groups/children/user_unconfined | 2 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-anacron | 2 +- apparmor.d/groups/cron/cron-apport | 2 +- apparmor.d/groups/cron/cron-apt | 2 +- apparmor.d/groups/cron/cron-apt-compat | 2 +- apparmor.d/groups/cron/cron-apt-listbugs | 2 +- apparmor.d/groups/cron/cron-apt-show-versions | 2 +- apparmor.d/groups/cron/cron-apt-xapian-index | 2 +- apparmor.d/groups/cron/cron-aptitude | 2 +- apparmor.d/groups/cron/cron-cracklib | 2 +- apparmor.d/groups/cron/cron-debsums | 2 +- 
apparmor.d/groups/cron/cron-debtags | 2 +- apparmor.d/groups/cron/cron-dlocate | 2 +- apparmor.d/groups/cron/cron-etckeeper | 2 +- apparmor.d/groups/cron/cron-exim4-base | 2 +- apparmor.d/groups/cron/cron-ipset-autoban-save | 2 +- apparmor.d/groups/cron/cron-logrotate | 2 +- apparmor.d/groups/cron/cron-man-db | 2 +- apparmor.d/groups/cron/cron-mlocate | 2 +- apparmor.d/groups/cron/cron-ntp | 2 +- apparmor.d/groups/cron/cron-plocate | 2 +- apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/cron/cron-sysstat | 2 +- apparmor.d/groups/cron/crontab | 2 +- apparmor.d/groups/display-manager/lightdm | 2 +- apparmor.d/groups/display-manager/lightdm-gtk-greeter | 2 +- apparmor.d/groups/display-manager/lightdm-xsession | 2 +- apparmor.d/groups/display-manager/x11-xsession | 2 +- apparmor.d/groups/display-manager/xdm-xsession | 2 +- apparmor.d/groups/freedesktop/accounts-daemon | 2 +- apparmor.d/groups/freedesktop/colord | 2 +- apparmor.d/groups/freedesktop/colord-session | 2 +- apparmor.d/groups/freedesktop/cpupower | 2 +- apparmor.d/groups/freedesktop/dconf | 2 +- apparmor.d/groups/freedesktop/dconf-editor | 2 +- apparmor.d/groups/freedesktop/dconf-service | 2 +- apparmor.d/groups/freedesktop/desktop-file-install | 2 +- apparmor.d/groups/freedesktop/fc-cache | 2 +- apparmor.d/groups/freedesktop/fc-list | 2 +- apparmor.d/groups/freedesktop/geoclue | 2 +- apparmor.d/groups/freedesktop/iio-sensor-proxy | 2 +- apparmor.d/groups/freedesktop/pipewire | 2 +- apparmor.d/groups/freedesktop/pipewire-media-session | 2 +- apparmor.d/groups/freedesktop/pipewire-pulse | 2 +- apparmor.d/groups/freedesktop/plymouth | 2 +- apparmor.d/groups/freedesktop/plymouth-set-default-theme | 2 +- apparmor.d/groups/freedesktop/plymouthd | 2 +- apparmor.d/groups/freedesktop/polkit-agent-helper | 2 +- apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent | 2 +- apparmor.d/groups/freedesktop/polkit-kde-authentication-agent | 2 +- 
apparmor.d/groups/freedesktop/polkit-mate-authentication-agent | 2 +- apparmor.d/groups/freedesktop/polkitd | 2 +- apparmor.d/groups/freedesktop/pulseaudio | 2 +- apparmor.d/groups/freedesktop/update-desktop-database | 2 +- apparmor.d/groups/freedesktop/update-mime-database | 2 +- apparmor.d/groups/freedesktop/upower | 2 +- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-icon | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-menu | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-portal-kde | 2 +- .../groups/freedesktop/xdg-desktop-portal-rewrite-launchers | 2 +- apparmor.d/groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/freedesktop/xdg-email | 2 +- apparmor.d/groups/freedesktop/xdg-icon-resource | 2 +- apparmor.d/groups/freedesktop/xdg-mime | 2 +- apparmor.d/groups/freedesktop/xdg-open | 2 +- apparmor.d/groups/freedesktop/xdg-permission-store | 2 +- apparmor.d/groups/freedesktop/xdg-screensaver | 2 +- apparmor.d/groups/freedesktop/xdg-settings | 2 +- apparmor.d/groups/freedesktop/xdg-user-dir | 2 +- apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update | 2 +- apparmor.d/groups/freedesktop/xdg-user-dirs-update | 2 +- apparmor.d/groups/freedesktop/xhost | 2 +- apparmor.d/groups/freedesktop/xkbcomp | 2 +- apparmor.d/groups/freedesktop/xorg | 2 +- apparmor.d/groups/freedesktop/xprop | 2 +- apparmor.d/groups/freedesktop/xrandr | 2 +- apparmor.d/groups/freedesktop/xrdb | 2 +- apparmor.d/groups/freedesktop/xset | 2 +- apparmor.d/groups/freedesktop/xsetroot | 2 +- apparmor.d/groups/freedesktop/xwayland | 2 +- apparmor.d/groups/gnome/chrome-gnome-shell | 2 +- apparmor.d/groups/gnome/deja-dup-monitor | 2 +- 
apparmor.d/groups/gnome/epiphany-search-provider | 2 +- apparmor.d/groups/gnome/epiphany-webapp-provider | 2 +- apparmor.d/groups/gnome/evolution-addressbook-factory | 2 +- apparmor.d/groups/gnome/evolution-alarm-notify | 2 +- apparmor.d/groups/gnome/evolution-calendar-factory | 2 +- apparmor.d/groups/gnome/evolution-source-registry | 2 +- apparmor.d/groups/gnome/evolution-user-prompter | 2 +- apparmor.d/groups/gnome/gcr-prompter | 2 +- apparmor.d/groups/gnome/gcr-ssh-agent | 2 +- apparmor.d/groups/gnome/gdm | 2 +- apparmor.d/groups/gnome/gdm-generate-config | 2 +- apparmor.d/groups/gnome/gdm-prime-defaut | 2 +- apparmor.d/groups/gnome/gdm-runtime-config | 2 +- apparmor.d/groups/gnome/gdm-session | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gdm-xsession | 2 +- apparmor.d/groups/gnome/gio-launch-desktop | 2 +- apparmor.d/groups/gnome/gjs-console | 2 +- apparmor.d/groups/gnome/gkbd-keyboard-display | 2 +- apparmor.d/groups/gnome/gnome-boxes | 2 +- apparmor.d/groups/gnome/gnome-browser-connector-host | 2 +- apparmor.d/groups/gnome/gnome-calculator | 2 +- apparmor.d/groups/gnome/gnome-calculator-search-provider | 2 +- apparmor.d/groups/gnome/gnome-calendar | 2 +- apparmor.d/groups/gnome/gnome-characters | 2 +- apparmor.d/groups/gnome/gnome-characters-backgroudservice | 2 +- apparmor.d/groups/gnome/gnome-clocks | 2 +- apparmor.d/groups/gnome/gnome-contacts | 2 +- apparmor.d/groups/gnome/gnome-contacts-search-provider | 2 +- apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-control-center-goa-helper | 2 +- apparmor.d/groups/gnome/gnome-control-center-print-renderer | 2 +- apparmor.d/groups/gnome/gnome-control-center-search-provider | 2 +- apparmor.d/groups/gnome/gnome-desktop-thumbnailers | 2 +- apparmor.d/groups/gnome/gnome-disk-image-mounter | 2 +- apparmor.d/groups/gnome/gnome-disks | 2 +- apparmor.d/groups/gnome/gnome-extension-ding | 2 +- apparmor.d/groups/gnome/gnome-extension-gsconnect | 2 +- 
apparmor.d/groups/gnome/gnome-extension-manager | 2 +- apparmor.d/groups/gnome/gnome-extensions-app | 2 +- apparmor.d/groups/gnome/gnome-firmware | 2 +- apparmor.d/groups/gnome/gnome-font-viewer | 2 +- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 2 +- apparmor.d/groups/gnome/gnome-logs | 2 +- apparmor.d/groups/gnome/gnome-maps | 2 +- apparmor.d/groups/gnome/gnome-music | 2 +- apparmor.d/groups/gnome/gnome-photos-thumbnailer | 2 +- apparmor.d/groups/gnome/gnome-recipes | 2 +- apparmor.d/groups/gnome/gnome-remote-desktop-daemon | 2 +- apparmor.d/groups/gnome/gnome-session | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 2 +- apparmor.d/groups/gnome/gnome-session-ctl | 2 +- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gnome-shell-calendar-server | 2 +- apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer | 2 +- apparmor.d/groups/gnome/gnome-shell-overrides-migration | 2 +- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gnome-system-monitor | 2 +- apparmor.d/groups/gnome/gnome-terminal-server | 2 +- apparmor.d/groups/gnome/gnome-text-editor | 2 +- apparmor.d/groups/gnome/gnome-tour | 2 +- apparmor.d/groups/gnome/gnome-tweaks | 2 +- apparmor.d/groups/gnome/gnome-user-share-webdav | 2 +- apparmor.d/groups/gnome/gnome-weather | 2 +- apparmor.d/groups/gnome/goa-daemon | 2 +- apparmor.d/groups/gnome/goa-identity-service | 2 +- apparmor.d/groups/gnome/gsd-a11y-settings | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- apparmor.d/groups/gnome/gsd-datetime | 2 +- apparmor.d/groups/gnome/gsd-disk-utility-notify | 2 +- apparmor.d/groups/gnome/gsd-housekeeping | 2 +- apparmor.d/groups/gnome/gsd-keyboard | 2 +- apparmor.d/groups/gnome/gsd-media-keys | 2 +- apparmor.d/groups/gnome/gsd-power | 2 +- apparmor.d/groups/gnome/gsd-print-notifications | 2 +- apparmor.d/groups/gnome/gsd-printer | 2 +- apparmor.d/groups/gnome/gsd-rfkill | 2 +- apparmor.d/groups/gnome/gsd-screensaver-proxy | 2 
+- apparmor.d/groups/gnome/gsd-sharing | 2 +- apparmor.d/groups/gnome/gsd-smartcard | 2 +- apparmor.d/groups/gnome/gsd-sound | 2 +- apparmor.d/groups/gnome/gsd-usb-protection | 2 +- apparmor.d/groups/gnome/gsd-wacom | 2 +- apparmor.d/groups/gnome/gsd-wwan | 2 +- apparmor.d/groups/gnome/gsd-xsettings | 2 +- apparmor.d/groups/gnome/kgx | 2 +- apparmor.d/groups/gnome/loupe | 2 +- apparmor.d/groups/gnome/mutter-x11-frames | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/gnome/org.gnome.NautilusPreviewer | 2 +- apparmor.d/groups/gnome/seahorse | 2 +- apparmor.d/groups/gnome/session-migration | 2 +- apparmor.d/groups/gnome/tracker-extract | 2 +- apparmor.d/groups/gnome/tracker-miner | 2 +- apparmor.d/groups/gnome/tracker-writeback | 2 +- apparmor.d/groups/gnome/tracker-xdg-portal | 2 +- apparmor.d/groups/gnome/yelp | 2 +- apparmor.d/groups/gpg/dirmngr | 2 +- apparmor.d/groups/gpg/gpg | 2 +- apparmor.d/groups/gpg/gpg-agent | 2 +- apparmor.d/groups/gpg/gpg-connect-agent | 2 +- apparmor.d/groups/gpg/gpgconf | 2 +- apparmor.d/groups/gpg/gpgsm | 2 +- apparmor.d/groups/gpg/keyboxd | 2 +- apparmor.d/groups/gpg/scdaemon | 2 +- apparmor.d/groups/grub/grub-bios-setup | 2 +- apparmor.d/groups/grub/grub-check-signatures | 2 +- apparmor.d/groups/grub/grub-editenv | 2 +- apparmor.d/groups/grub/grub-file | 2 +- apparmor.d/groups/grub/grub-fstest | 2 +- apparmor.d/groups/grub/grub-glue-efi | 2 +- apparmor.d/groups/grub/grub-install | 2 +- apparmor.d/groups/grub/grub-kbdcomp | 2 +- apparmor.d/groups/grub/grub-macbless | 2 +- apparmor.d/groups/grub/grub-menulst2cfg | 2 +- apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/grub/grub-mkdevicemap | 2 +- apparmor.d/groups/grub/grub-mkfont | 2 +- apparmor.d/groups/grub/grub-mkimage | 2 +- apparmor.d/groups/grub/grub-mklayout | 2 +- apparmor.d/groups/grub/grub-mknetdir | 2 +- apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 | 2 +- apparmor.d/groups/grub/grub-mkrelpath | 2 +- apparmor.d/groups/grub/grub-mkrescue | 2 +- 
apparmor.d/groups/grub/grub-mkstandalone | 2 +- apparmor.d/groups/grub/grub-mount | 2 +- apparmor.d/groups/grub/grub-multi-install | 2 +- apparmor.d/groups/grub/grub-ntldr-img | 2 +- apparmor.d/groups/grub/grub-probe | 2 +- apparmor.d/groups/grub/grub-reboot | 2 +- apparmor.d/groups/grub/grub-render-label | 2 +- apparmor.d/groups/grub/grub-script-check | 2 +- apparmor.d/groups/grub/grub-set-default | 2 +- apparmor.d/groups/grub/grub-sort-version | 2 +- apparmor.d/groups/grub/grub-syslinux2cfg | 2 +- apparmor.d/groups/grub/update-grub | 2 +- apparmor.d/groups/gvfs/gvfs-afc-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-goa-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor | 2 +- apparmor.d/groups/gvfs/gvfsd | 2 +- apparmor.d/groups/gvfs/gvfsd-admin | 2 +- apparmor.d/groups/gvfs/gvfsd-afc | 2 +- apparmor.d/groups/gvfs/gvfsd-afp | 2 +- apparmor.d/groups/gvfs/gvfsd-afp-browse | 2 +- apparmor.d/groups/gvfs/gvfsd-archive | 2 +- apparmor.d/groups/gvfs/gvfsd-burn | 2 +- apparmor.d/groups/gvfs/gvfsd-cdda | 2 +- apparmor.d/groups/gvfs/gvfsd-computer | 2 +- apparmor.d/groups/gvfs/gvfsd-dav | 2 +- apparmor.d/groups/gvfs/gvfsd-dnssd | 2 +- apparmor.d/groups/gvfs/gvfsd-ftp | 2 +- apparmor.d/groups/gvfs/gvfsd-fuse | 2 +- apparmor.d/groups/gvfs/gvfsd-google | 2 +- apparmor.d/groups/gvfs/gvfsd-gphoto2 | 2 +- apparmor.d/groups/gvfs/gvfsd-http | 2 +- apparmor.d/groups/gvfs/gvfsd-localtest | 2 +- apparmor.d/groups/gvfs/gvfsd-metadata | 2 +- apparmor.d/groups/gvfs/gvfsd-mtp | 2 +- apparmor.d/groups/gvfs/gvfsd-network | 2 +- apparmor.d/groups/gvfs/gvfsd-nfs | 2 +- apparmor.d/groups/gvfs/gvfsd-recent | 2 +- apparmor.d/groups/gvfs/gvfsd-sftp | 2 +- apparmor.d/groups/gvfs/gvfsd-smb | 2 +- apparmor.d/groups/gvfs/gvfsd-smb-browse | 2 +- apparmor.d/groups/gvfs/gvfsd-trash | 2 +- apparmor.d/groups/gvfs/gvfsd-wsdd | 2 +- apparmor.d/groups/hyprland/hyprctl | 2 
+- apparmor.d/groups/hyprland/hyprland | 2 +- apparmor.d/groups/hyprland/hyprlock | 2 +- apparmor.d/groups/hyprland/hyprpaper | 2 +- apparmor.d/groups/hyprland/hyprpicker | 2 +- apparmor.d/groups/hyprland/hyprpm | 2 +- apparmor.d/groups/kde/DiscoverNotifier | 2 +- apparmor.d/groups/kde/baloo | 2 +- apparmor.d/groups/kde/baloorunner | 2 +- apparmor.d/groups/kde/dolphin | 2 +- apparmor.d/groups/kde/drkonqi | 2 +- apparmor.d/groups/kde/drkonqi-coredump-cleanup | 2 +- apparmor.d/groups/kde/drkonqi-coredump-processor | 2 +- apparmor.d/groups/kde/gmenudbusmenuproxy | 2 +- apparmor.d/groups/kde/kaccess | 2 +- apparmor.d/groups/kde/kactivitymanagerd | 2 +- apparmor.d/groups/kde/kalendarac | 2 +- apparmor.d/groups/kde/kauth-backlighthelper | 2 +- apparmor.d/groups/kde/kauth-chargethresholdhelper | 2 +- apparmor.d/groups/kde/kauth-discretegpuhelper | 2 +- apparmor.d/groups/kde/kauth-fontinst | 2 +- apparmor.d/groups/kde/kauth-kded-smart-helper | 2 +- apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper | 2 +- apparmor.d/groups/kde/kbuildsycoca | 2 +- apparmor.d/groups/kde/kcminit | 2 +- apparmor.d/groups/kde/kconf_update | 2 +- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/kde-systemd-start-condition | 2 +- apparmor.d/groups/kde/kded | 2 +- apparmor.d/groups/kde/kglobalacceld | 2 +- apparmor.d/groups/kde/kio_http_cache_cleaner | 2 +- apparmor.d/groups/kde/kiod | 2 +- apparmor.d/groups/kde/kioworker | 2 +- apparmor.d/groups/kde/konsole | 2 +- apparmor.d/groups/kde/kreadconfig | 2 +- apparmor.d/groups/kde/kscreen_backend_launcher | 2 +- apparmor.d/groups/kde/kscreen_osd_service | 2 +- apparmor.d/groups/kde/kscreenlocker_greet | 2 +- apparmor.d/groups/kde/ksmserver | 2 +- apparmor.d/groups/kde/ksmserver-logout-greeter | 2 +- apparmor.d/groups/kde/ksplashqml | 2 +- apparmor.d/groups/kde/kstart | 2 +- apparmor.d/groups/kde/kwalletd | 2 +- apparmor.d/groups/kde/kwalletmanager | 2 +- apparmor.d/groups/kde/kwin_wayland | 2 +- 
apparmor.d/groups/kde/kwin_wayland_wrapper | 2 +- apparmor.d/groups/kde/kwin_x11 | 2 +- apparmor.d/groups/kde/okular | 2 +- apparmor.d/groups/kde/pam_kwallet_init | 2 +- apparmor.d/groups/kde/plasma-browser-integration-host | 2 +- apparmor.d/groups/kde/plasma-discover | 2 +- apparmor.d/groups/kde/plasma-emojier | 2 +- apparmor.d/groups/kde/plasma_session | 2 +- apparmor.d/groups/kde/plasma_waitforname | 2 +- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/kde/sddm | 2 +- apparmor.d/groups/kde/sddm-greeter | 2 +- apparmor.d/groups/kde/sddm-xsession | 2 +- apparmor.d/groups/kde/startplasma | 2 +- apparmor.d/groups/kde/systemsettings | 2 +- apparmor.d/groups/kde/utempter | 2 +- apparmor.d/groups/kde/wayland-session | 2 +- apparmor.d/groups/kde/xembedsniproxy | 2 +- apparmor.d/groups/kde/xsettingsd | 2 +- apparmor.d/groups/kde/xwaylandvideobridge | 2 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 2 +- apparmor.d/groups/network/dhcpcd | 2 +- apparmor.d/groups/network/iwctl | 2 +- apparmor.d/groups/network/iwd | 2 +- apparmor.d/groups/network/mullvad-daemon | 2 +- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/network/netplan.script | 2 +- apparmor.d/groups/network/networkd-dispatcher | 2 +- apparmor.d/groups/network/nm-daemon-helper | 2 +- apparmor.d/groups/network/nm-dhcp-helper | 2 +- apparmor.d/groups/network/nm-dispatcher | 2 +- apparmor.d/groups/network/nm-iface-helper | 2 +- apparmor.d/groups/network/nm-initrd-generator | 2 +- apparmor.d/groups/network/nm-online | 2 +- apparmor.d/groups/network/nm-openvpn-auth-dialog | 2 +- apparmor.d/groups/network/nm-openvpn-service | 2 +- apparmor.d/groups/network/nm-openvpn-service-openvpn-helper | 2 +- apparmor.d/groups/network/nm-priv-helper | 2 +- apparmor.d/groups/network/nmcli | 2 +- apparmor.d/groups/network/openvpn | 2 +- apparmor.d/groups/network/rpcbind | 2 +- apparmor.d/groups/network/socat | 2 +- apparmor.d/groups/network/tailscale | 2 +- 
apparmor.d/groups/network/tailscaled | 2 +- apparmor.d/groups/network/wg | 2 +- apparmor.d/groups/network/wg-quick | 2 +- apparmor.d/groups/pacman/arch-audit | 2 +- apparmor.d/groups/pacman/archlinux-java | 2 +- apparmor.d/groups/pacman/archlinux-keyring-wkd-sync | 2 +- apparmor.d/groups/pacman/aurpublish | 2 +- apparmor.d/groups/pacman/makepkg | 2 +- apparmor.d/groups/pacman/mkinitcpio | 2 +- apparmor.d/groups/pacman/paccache | 2 +- apparmor.d/groups/pacman/pacdiff | 2 +- apparmor.d/groups/pacman/pacman | 2 +- apparmor.d/groups/pacman/pacman-conf | 2 +- apparmor.d/groups/pacman/pacman-hook-code | 2 +- apparmor.d/groups/pacman/pacman-hook-dconf | 2 +- apparmor.d/groups/pacman/pacman-hook-depmod | 2 +- apparmor.d/groups/pacman/pacman-hook-dkms | 2 +- apparmor.d/groups/pacman/pacman-hook-fontconfig | 2 +- apparmor.d/groups/pacman/pacman-hook-gio | 2 +- apparmor.d/groups/pacman/pacman-hook-gtk | 2 +- apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio | 2 +- apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove | 2 +- apparmor.d/groups/pacman/pacman-hook-perl | 2 +- apparmor.d/groups/pacman/pacman-hook-systemd | 2 +- apparmor.d/groups/pacman/pacman-key | 2 +- apparmor.d/groups/pacman/reflector | 2 +- apparmor.d/groups/pacman/yay | 2 +- apparmor.d/groups/ssh/sftp-server | 2 +- apparmor.d/groups/ssh/ssh | 2 +- apparmor.d/groups/ssh/ssh-agent | 2 +- apparmor.d/groups/ssh/ssh-agent-launch | 2 +- apparmor.d/groups/ssh/ssh-keygen | 2 +- apparmor.d/groups/ssh/sshd | 2 +- apparmor.d/groups/ssh/sshfs | 2 +- apparmor.d/groups/systemd/bootctl | 2 +- apparmor.d/groups/systemd/busctl | 2 +- apparmor.d/groups/systemd/coredumpctl | 2 +- apparmor.d/groups/systemd/hostnamectl | 2 +- apparmor.d/groups/systemd/journalctl | 2 +- apparmor.d/groups/systemd/localectl | 2 +- apparmor.d/groups/systemd/loginctl | 2 +- apparmor.d/groups/systemd/networkctl | 2 +- apparmor.d/groups/systemd/systemd-ac-power | 2 +- 
apparmor.d/groups/systemd/systemd-analyze | 2 +- apparmor.d/groups/systemd/systemd-ask-password | 2 +- apparmor.d/groups/systemd/systemd-backlight | 2 +- apparmor.d/groups/systemd/systemd-binfmt | 2 +- apparmor.d/groups/systemd/systemd-cat | 2 +- apparmor.d/groups/systemd/systemd-cgls | 2 +- apparmor.d/groups/systemd/systemd-cgtop | 2 +- apparmor.d/groups/systemd/systemd-coredump | 2 +- apparmor.d/groups/systemd/systemd-cryptsetup | 2 +- apparmor.d/groups/systemd/systemd-delta | 2 +- apparmor.d/groups/systemd/systemd-detect-virt | 2 +- apparmor.d/groups/systemd/systemd-dissect | 2 +- apparmor.d/groups/systemd/systemd-escape | 2 +- apparmor.d/groups/systemd/systemd-fsck | 2 +- apparmor.d/groups/systemd/systemd-fsckd | 2 +- apparmor.d/groups/systemd/systemd-generator-bless-boot | 2 +- apparmor.d/groups/systemd/systemd-generator-cloud-init | 2 +- apparmor.d/groups/systemd/systemd-generator-cryptsetup | 2 +- apparmor.d/groups/systemd/systemd-generator-debug | 2 +- apparmor.d/groups/systemd/systemd-generator-ds-identify | 2 +- apparmor.d/groups/systemd/systemd-generator-environment-arch | 2 +- apparmor.d/groups/systemd/systemd-generator-environment-flatpak | 2 +- apparmor.d/groups/systemd/systemd-generator-fstab | 2 +- apparmor.d/groups/systemd/systemd-generator-getty | 2 +- apparmor.d/groups/systemd/systemd-generator-gpt-auto | 2 +- apparmor.d/groups/systemd/systemd-generator-hibernate-resume | 2 +- apparmor.d/groups/systemd/systemd-generator-integritysetup | 2 +- apparmor.d/groups/systemd/systemd-generator-ostree | 2 +- apparmor.d/groups/systemd/systemd-generator-run | 2 +- apparmor.d/groups/systemd/systemd-generator-system-update | 2 +- apparmor.d/groups/systemd/systemd-generator-user-autostart | 2 +- apparmor.d/groups/systemd/systemd-generator-user-environment | 2 +- apparmor.d/groups/systemd/systemd-generator-veritysetup | 2 +- apparmor.d/groups/systemd/systemd-homed | 2 +- apparmor.d/groups/systemd/systemd-homework | 2 +- 
apparmor.d/groups/systemd/systemd-hostnamed | 2 +- apparmor.d/groups/systemd/systemd-hwdb | 2 +- apparmor.d/groups/systemd/systemd-id128 | 2 +- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-localed | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/systemd/systemd-machine-id-setup | 2 +- apparmor.d/groups/systemd/systemd-machined | 2 +- apparmor.d/groups/systemd/systemd-makefs | 2 +- apparmor.d/groups/systemd/systemd-modules-load | 2 +- apparmor.d/groups/systemd/systemd-mount | 2 +- apparmor.d/groups/systemd/systemd-network-generator | 2 +- apparmor.d/groups/systemd/systemd-networkd | 2 +- apparmor.d/groups/systemd/systemd-networkd-wait-online | 2 +- apparmor.d/groups/systemd/systemd-notify | 2 +- apparmor.d/groups/systemd/systemd-oomd | 2 +- apparmor.d/groups/systemd/systemd-path | 2 +- apparmor.d/groups/systemd/systemd-portabled | 2 +- apparmor.d/groups/systemd/systemd-random-seed | 2 +- apparmor.d/groups/systemd/systemd-remount-fs | 2 +- apparmor.d/groups/systemd/systemd-resolve | 2 +- apparmor.d/groups/systemd/systemd-resolved | 2 +- apparmor.d/groups/systemd/systemd-rfkill | 2 +- apparmor.d/groups/systemd/systemd-shutdown | 2 +- apparmor.d/groups/systemd/systemd-sleep | 2 +- apparmor.d/groups/systemd/systemd-sleep-grub2 | 2 +- apparmor.d/groups/systemd/systemd-sleep-hdparm | 2 +- apparmor.d/groups/systemd/systemd-sleep-nvidia | 2 +- apparmor.d/groups/systemd/systemd-sleep-sysstat | 2 +- apparmor.d/groups/systemd/systemd-sleep-tlp | 2 +- apparmor.d/groups/systemd/systemd-sleep-upgrades | 2 +- apparmor.d/groups/systemd/systemd-socket-proxyd | 2 +- apparmor.d/groups/systemd/systemd-sulogin-shell | 2 +- apparmor.d/groups/systemd/systemd-sysctl | 2 +- apparmor.d/groups/systemd/systemd-sysusers | 2 +- apparmor.d/groups/systemd/systemd-timedated | 2 +- apparmor.d/groups/systemd/systemd-timesyncd | 2 +- apparmor.d/groups/systemd/systemd-tmpfiles | 2 +- 
apparmor.d/groups/systemd/systemd-tty-ask-password-agent | 2 +- apparmor.d/groups/systemd/systemd-udevd | 2 +- apparmor.d/groups/systemd/systemd-update-done | 2 +- apparmor.d/groups/systemd/systemd-update-utmp | 2 +- apparmor.d/groups/systemd/systemd-user-runtime-dir | 2 +- apparmor.d/groups/systemd/systemd-user-sessions | 2 +- apparmor.d/groups/systemd/systemd-userdbd | 2 +- apparmor.d/groups/systemd/systemd-userwork | 2 +- apparmor.d/groups/systemd/systemd-vconsole-setup | 2 +- apparmor.d/groups/systemd/userdbctl | 2 +- apparmor.d/groups/systemd/zram-generator | 2 +- apparmor.d/groups/systemd/zramctl | 2 +- apparmor.d/groups/ubuntu/apport | 2 +- apparmor.d/groups/ubuntu/apport-checkreports | 2 +- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/groups/ubuntu/apt-esm-hook | 2 +- apparmor.d/groups/ubuntu/apt-esm-json-hook | 2 +- apparmor.d/groups/ubuntu/check-new-release-gtk | 2 +- apparmor.d/groups/ubuntu/cron-ubuntu-fan | 2 +- apparmor.d/groups/ubuntu/do-release-upgrade | 2 +- apparmor.d/groups/ubuntu/hwe-support-status | 2 +- apparmor.d/groups/ubuntu/list-oem-metapackages | 2 +- apparmor.d/groups/ubuntu/livepatch-notification | 2 +- apparmor.d/groups/ubuntu/notify-reboot-required | 2 +- apparmor.d/groups/ubuntu/notify-updates-outdated | 2 +- apparmor.d/groups/ubuntu/package-data-downloader | 2 +- apparmor.d/groups/ubuntu/package-system-locked | 2 +- apparmor.d/groups/ubuntu/release-upgrade-motd | 2 +- apparmor.d/groups/ubuntu/software-properties-dbus | 2 +- apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/ubuntu/subiquity-console-conf | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon | 2 +- apparmor.d/groups/ubuntu/ubuntu-advantage-notification | 2 +- apparmor.d/groups/ubuntu/ubuntu-distro-info | 2 +- apparmor.d/groups/ubuntu/ubuntu-report | 2 +- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 2 +- 
apparmor.d/groups/ubuntu/update-motd-updates-available | 2 +- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/groups/virt/cni-bandwidth | 2 +- apparmor.d/groups/virt/cni-bridge | 2 +- apparmor.d/groups/virt/cni-calico | 2 +- apparmor.d/groups/virt/cni-firewall | 2 +- apparmor.d/groups/virt/cni-flannel | 2 +- apparmor.d/groups/virt/cni-host-local | 2 +- apparmor.d/groups/virt/cni-loopback | 2 +- apparmor.d/groups/virt/cni-portmap | 2 +- apparmor.d/groups/virt/cni-tuning | 2 +- apparmor.d/groups/virt/cockpit-askpass | 2 +- apparmor.d/groups/virt/cockpit-bridge | 2 +- apparmor.d/groups/virt/cockpit-certificate-ensure | 2 +- apparmor.d/groups/virt/cockpit-certificate-helper | 2 +- apparmor.d/groups/virt/cockpit-desktop | 2 +- apparmor.d/groups/virt/cockpit-pcp | 2 +- apparmor.d/groups/virt/cockpit-session | 2 +- apparmor.d/groups/virt/cockpit-ssh | 2 +- apparmor.d/groups/virt/cockpit-tls | 2 +- apparmor.d/groups/virt/cockpit-update-motd | 2 +- apparmor.d/groups/virt/cockpit-ws | 2 +- apparmor.d/groups/virt/cockpit-wsinstance-factory | 2 +- apparmor.d/groups/virt/containerd | 2 +- apparmor.d/groups/virt/containerd-shim-runc-v2 | 2 +- apparmor.d/groups/virt/docker-proxy | 2 +- apparmor.d/groups/virt/dockerd | 2 +- apparmor.d/groups/virt/k3s | 2 +- apparmor.d/groups/virt/kubernetes-pause | 2 +- apparmor.d/groups/virt/libvirt-dbus | 2 +- apparmor.d/groups/virt/libvirtd | 2 +- apparmor.d/groups/virt/qemu-bridge-helper | 2 +- apparmor.d/groups/virt/virt-aa-helper | 2 +- apparmor.d/groups/virt/virtinterfaced | 2 +- apparmor.d/groups/virt/virtiofsd | 2 +- apparmor.d/groups/virt/virtlockd | 2 +- apparmor.d/groups/virt/virtlogd | 2 +- apparmor.d/groups/virt/virtnetworkd | 2 +- apparmor.d/groups/virt/virtnodedevd | 2 +- apparmor.d/groups/virt/virtsecretd | 2 +- apparmor.d/groups/virt/virtstoraged | 2 +- apparmor.d/groups/virt/xtables | 2 +- apparmor.d/groups/whonix/anondate | 2 +- apparmor.d/groups/whonix/msgcollector | 2 +- apparmor.d/groups/whonix/msgcollector-br-add 
| 2 +- apparmor.d/groups/whonix/msgcollector-generic-gui-message | 2 +- apparmor.d/groups/whonix/msgcollector-striphtml | 2 +- apparmor.d/groups/whonix/msgdispatcher | 2 +- apparmor.d/groups/whonix/msgdispatcher-autostart | 2 +- apparmor.d/groups/whonix/msgdispatcher-delete | 2 +- apparmor.d/groups/whonix/msgdispatcher-dispatch | 2 +- apparmor.d/groups/whonix/open-link-confirmation | 2 +- apparmor.d/groups/whonix/pam-abort-on-locked-password | 2 +- apparmor.d/groups/whonix/pam-info | 2 +- apparmor.d/groups/whonix/pam_faillock_not_if_x | 2 +- apparmor.d/groups/whonix/rads | 2 +- apparmor.d/groups/whonix/sdwdate | 2 +- apparmor.d/groups/whonix/sdwdate-clock-jump | 2 +- apparmor.d/groups/whonix/sdwdate-gui | 2 +- apparmor.d/groups/whonix/sdwdate-start | 2 +- apparmor.d/groups/whonix/sdwdate-wrapper | 2 +- apparmor.d/groups/whonix/sensible-browser | 2 +- apparmor.d/groups/whonix/systemcheck-canary | 2 +- apparmor.d/groups/whonix/timesanitycheck | 2 +- apparmor.d/groups/whonix/tor-bootstrap-check | 2 +- apparmor.d/groups/whonix/tor-consensus-valid-after | 2 +- apparmor.d/groups/whonix/torbrowser-updater-permission-fix | 2 +- apparmor.d/groups/whonix/torbrowser-wrapper | 2 +- apparmor.d/groups/whonix/whonix-firewall-edit | 2 +- apparmor.d/groups/whonix/whonix-firewall-restarter | 2 +- apparmor.d/groups/whonix/whonix-firewalld | 2 +- apparmor.d/groups/xfce/mousepad | 2 +- apparmor.d/groups/xfce/ristretto | 2 +- apparmor.d/groups/xfce/startxfce | 2 +- apparmor.d/groups/xfce/thunar | 2 +- apparmor.d/groups/xfce/thunar-volman | 2 +- apparmor.d/groups/xfce/tumblerd | 2 +- apparmor.d/groups/xfce/xfce-about | 2 +- apparmor.d/groups/xfce/xfce-appfinder | 2 +- apparmor.d/groups/xfce/xfce-clipman-settings | 2 +- apparmor.d/groups/xfce/xfce-dict | 2 +- apparmor.d/groups/xfce/xfce-mime-helper | 2 +- apparmor.d/groups/xfce/xfce-notifyd | 2 +- apparmor.d/groups/xfce/xfce-panel | 2 +- apparmor.d/groups/xfce/xfce-power-manager | 2 +- apparmor.d/groups/xfce/xfce-screensaver | 2 +- 
apparmor.d/groups/xfce/xfce-sensors | 2 +- apparmor.d/groups/xfce/xfce-session | 2 +- apparmor.d/groups/xfce/xfce-terminal | 2 +- apparmor.d/groups/xfce/xfconfd | 2 +- apparmor.d/groups/xfce/xfdesktop | 2 +- apparmor.d/groups/xfce/xfpm-power-backlight-helper | 2 +- apparmor.d/groups/xfce/xfsettingsd | 2 +- apparmor.d/groups/xfce/xfwm | 2 +- apparmor.d/profiles-a-f/aa-enabled | 2 +- apparmor.d/profiles-a-f/aa-enforce | 2 +- apparmor.d/profiles-a-f/aa-log | 2 +- apparmor.d/profiles-a-f/aa-notify | 2 +- apparmor.d/profiles-a-f/aa-status | 2 +- apparmor.d/profiles-a-f/aa-teardown | 2 +- apparmor.d/profiles-a-f/aa-unconfined | 2 +- apparmor.d/profiles-a-f/abook | 2 +- apparmor.d/profiles-a-f/acpi | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 2 +- apparmor.d/profiles-a-f/acpid | 2 +- apparmor.d/profiles-a-f/adb | 2 +- apparmor.d/profiles-a-f/adduser | 2 +- apparmor.d/profiles-a-f/adequate | 2 +- apparmor.d/profiles-a-f/agetty | 2 +- apparmor.d/profiles-a-f/alacarte | 2 +- apparmor.d/profiles-a-f/alsactl | 2 +- apparmor.d/profiles-a-f/amixer | 2 +- apparmor.d/profiles-a-f/anacron | 2 +- apparmor.d/profiles-a-f/anyremote | 2 +- apparmor.d/profiles-a-f/aplay | 2 +- apparmor.d/profiles-a-f/apparmor.systemd | 2 +- apparmor.d/profiles-a-f/apparmor_parser | 2 +- apparmor.d/profiles-a-f/appstreamcli | 2 +- apparmor.d/profiles-a-f/arandr | 2 +- apparmor.d/profiles-a-f/archivemount | 2 +- apparmor.d/profiles-a-f/arduino | 2 +- apparmor.d/profiles-a-f/arduino-builder | 2 +- apparmor.d/profiles-a-f/arduino-ctags | 2 +- apparmor.d/profiles-a-f/aspell | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 2 +- apparmor.d/profiles-a-f/at | 2 +- apparmor.d/profiles-a-f/atd | 2 +- apparmor.d/profiles-a-f/atftpd | 2 +- apparmor.d/profiles-a-f/atool | 2 +- apparmor.d/profiles-a-f/atril | 2 +- apparmor.d/profiles-a-f/atrild | 2 +- apparmor.d/profiles-a-f/auditctl | 2 +- apparmor.d/profiles-a-f/auditd | 2 +- apparmor.d/profiles-a-f/augenrules | 2 +- apparmor.d/profiles-a-f/badblocks | 2 +- 
apparmor.d/profiles-a-f/baobab | 2 +- apparmor.d/profiles-a-f/biosdecode | 2 +- apparmor.d/profiles-a-f/birdtray | 2 +- apparmor.d/profiles-a-f/blkdeactivate | 2 +- apparmor.d/profiles-a-f/blkid | 2 +- apparmor.d/profiles-a-f/blockdev | 2 +- apparmor.d/profiles-a-f/blueman | 2 +- apparmor.d/profiles-a-f/blueman-mechanism | 2 +- apparmor.d/profiles-a-f/blueman-rfcomm-watcher | 2 +- apparmor.d/profiles-a-f/bluemoon | 2 +- apparmor.d/profiles-a-f/bluetoothctl | 2 +- apparmor.d/profiles-a-f/bluetoothd | 2 +- apparmor.d/profiles-a-f/bmon | 2 +- apparmor.d/profiles-a-f/boltd | 2 +- apparmor.d/profiles-a-f/borg | 2 +- apparmor.d/profiles-a-f/browserpass | 2 +- apparmor.d/profiles-a-f/btop | 2 +- apparmor.d/profiles-a-f/btrfs | 2 +- apparmor.d/profiles-a-f/btrfs-convert | 2 +- apparmor.d/profiles-a-f/btrfs-find-root | 2 +- apparmor.d/profiles-a-f/btrfs-image | 2 +- apparmor.d/profiles-a-f/btrfs-map-logical | 2 +- apparmor.d/profiles-a-f/btrfs-select-super | 2 +- apparmor.d/profiles-a-f/btrfstune | 2 +- apparmor.d/profiles-a-f/calibre | 2 +- apparmor.d/profiles-a-f/cawbird | 2 +- apparmor.d/profiles-a-f/cc-remote-login-helper | 2 +- apparmor.d/profiles-a-f/cctk | 2 +- apparmor.d/profiles-a-f/ccze | 2 +- apparmor.d/profiles-a-f/cemu | 2 +- apparmor.d/profiles-a-f/cert-sync | 2 +- apparmor.d/profiles-a-f/cfdisk | 2 +- apparmor.d/profiles-a-f/cgdisk | 2 +- apparmor.d/profiles-a-f/cgrulesengd | 2 +- apparmor.d/profiles-a-f/chage | 2 +- apparmor.d/profiles-a-f/changestool | 2 +- apparmor.d/profiles-a-f/check-bios-nx | 2 +- apparmor.d/profiles-a-f/check-support-status | 2 +- apparmor.d/profiles-a-f/check-support-status-hook | 2 +- apparmor.d/profiles-a-f/chfn | 2 +- apparmor.d/profiles-a-f/chronyd | 2 +- apparmor.d/profiles-a-f/chsh | 2 +- apparmor.d/profiles-a-f/claws-mail | 2 +- apparmor.d/profiles-a-f/cmus | 2 +- apparmor.d/profiles-a-f/code-extension-git-askpass | 2 +- apparmor.d/profiles-a-f/code-extension-git-editor | 2 +- apparmor.d/profiles-a-f/compton | 2 +- 
apparmor.d/profiles-a-f/conky | 2 +- apparmor.d/profiles-a-f/console-setup | 2 +- apparmor.d/profiles-a-f/convertall | 2 +- apparmor.d/profiles-a-f/cppw-cpgr | 2 +- apparmor.d/profiles-a-f/cpuid | 2 +- apparmor.d/profiles-a-f/cracklib-packer | 2 +- apparmor.d/profiles-a-f/crda | 2 +- apparmor.d/profiles-a-f/cups-backend-beh | 2 +- apparmor.d/profiles-a-f/cups-backend-bluetooth | 2 +- apparmor.d/profiles-a-f/cups-backend-brf | 2 +- apparmor.d/profiles-a-f/cups-backend-dnssd | 2 +- apparmor.d/profiles-a-f/cups-backend-hp | 2 +- apparmor.d/profiles-a-f/cups-backend-implicitclass | 2 +- apparmor.d/profiles-a-f/cups-backend-ipp | 2 +- apparmor.d/profiles-a-f/cups-backend-lpd | 2 +- apparmor.d/profiles-a-f/cups-backend-mdns | 2 +- apparmor.d/profiles-a-f/cups-backend-parallel | 2 +- apparmor.d/profiles-a-f/cups-backend-pdf | 2 +- apparmor.d/profiles-a-f/cups-backend-serial | 2 +- apparmor.d/profiles-a-f/cups-backend-snmp | 2 +- apparmor.d/profiles-a-f/cups-backend-socket | 2 +- apparmor.d/profiles-a-f/cups-backend-usb | 2 +- apparmor.d/profiles-a-f/cups-browsed | 2 +- apparmor.d/profiles-a-f/cups-notifier-dbus | 2 +- apparmor.d/profiles-a-f/cups-notifier-mailto | 2 +- apparmor.d/profiles-a-f/cups-notifier-rss | 2 +- apparmor.d/profiles-a-f/cups-pk-helper-mechanism | 2 +- apparmor.d/profiles-a-f/czkawka-cli | 2 +- apparmor.d/profiles-a-f/czkawka-gui | 2 +- apparmor.d/profiles-a-f/ddclient | 2 +- apparmor.d/profiles-a-f/ddcutil | 2 +- apparmor.d/profiles-a-f/deltachat-desktop | 2 +- apparmor.d/profiles-a-f/deluser | 2 +- apparmor.d/profiles-a-f/df | 2 +- apparmor.d/profiles-a-f/dfc | 2 +- apparmor.d/profiles-a-f/dhclient | 2 +- apparmor.d/profiles-a-f/dhclient-script | 2 +- apparmor.d/profiles-a-f/dig | 2 +- apparmor.d/profiles-a-f/dino | 2 +- apparmor.d/profiles-a-f/discord | 2 +- apparmor.d/profiles-a-f/discord-chrome-sandbox | 2 +- apparmor.d/profiles-a-f/dkms | 2 +- apparmor.d/profiles-a-f/dkms-autoinstaller | 2 +- apparmor.d/profiles-a-f/dleyna-renderer-service | 2 +- 
apparmor.d/profiles-a-f/dleyna-server-service | 2 +- apparmor.d/profiles-a-f/dlocate | 2 +- apparmor.d/profiles-a-f/dmcrypt-get-device | 2 +- apparmor.d/profiles-a-f/dmesg | 2 +- apparmor.d/profiles-a-f/dmeventd | 2 +- apparmor.d/profiles-a-f/dmidecode | 2 +- apparmor.d/profiles-a-f/dmsetup | 2 +- apparmor.d/profiles-a-f/dnscrypt-proxy | 2 +- apparmor.d/profiles-a-f/downloadhelper | 2 +- apparmor.d/profiles-a-f/dring | 2 +- apparmor.d/profiles-a-f/dropbox | 2 +- apparmor.d/profiles-a-f/dumpcap | 2 +- apparmor.d/profiles-a-f/dumpe2fs | 2 +- apparmor.d/profiles-a-f/dunst | 2 +- apparmor.d/profiles-a-f/dunstctl | 2 +- apparmor.d/profiles-a-f/dunstify | 2 +- apparmor.d/profiles-a-f/e2fsck | 2 +- apparmor.d/profiles-a-f/e2image | 2 +- apparmor.d/profiles-a-f/e2scrub_all | 2 +- apparmor.d/profiles-a-f/earlyoom | 2 +- apparmor.d/profiles-a-f/edid-decode | 2 +- apparmor.d/profiles-a-f/eject | 2 +- apparmor.d/profiles-a-f/element-desktop | 2 +- apparmor.d/profiles-a-f/elinks | 2 +- apparmor.d/profiles-a-f/engrampa | 2 +- apparmor.d/profiles-a-f/etckeeper | 2 +- apparmor.d/profiles-a-f/evince | 2 +- apparmor.d/profiles-a-f/evince-previewer | 2 +- apparmor.d/profiles-a-f/evince-thumbnailer | 2 +- apparmor.d/profiles-a-f/execute-dcut | 2 +- apparmor.d/profiles-a-f/execute-dput | 2 +- apparmor.d/profiles-a-f/exiftool | 2 +- apparmor.d/profiles-a-f/exim4 | 2 +- apparmor.d/profiles-a-f/exo-compose-mail | 2 +- apparmor.d/profiles-a-f/exo-helper | 2 +- apparmor.d/profiles-a-f/exo-open | 2 +- apparmor.d/profiles-a-f/f3brew | 2 +- apparmor.d/profiles-a-f/f3fix | 2 +- apparmor.d/profiles-a-f/f3probe | 2 +- apparmor.d/profiles-a-f/f3read | 2 +- apparmor.d/profiles-a-f/f3write | 2 +- apparmor.d/profiles-a-f/fail2ban-client | 2 +- apparmor.d/profiles-a-f/fail2ban-server | 2 +- apparmor.d/profiles-a-f/fatlabel | 2 +- apparmor.d/profiles-a-f/fatresize | 2 +- apparmor.d/profiles-a-f/fdisk | 2 +- apparmor.d/profiles-a-f/ffmpeg | 2 +- apparmor.d/profiles-a-f/ffmpegthumbnailer | 2 +- 
apparmor.d/profiles-a-f/ffplay | 2 +- apparmor.d/profiles-a-f/ffprobe | 2 +- apparmor.d/profiles-a-f/file-roller | 2 +- apparmor.d/profiles-a-f/filecap | 2 +- apparmor.d/profiles-a-f/filezilla | 2 +- apparmor.d/profiles-a-f/findmnt | 2 +- apparmor.d/profiles-a-f/firecfg | 2 +- apparmor.d/profiles-a-f/firewall-applet | 2 +- apparmor.d/profiles-a-f/firewall-config | 2 +- apparmor.d/profiles-a-f/firewalld | 2 +- apparmor.d/profiles-a-f/flameshot | 2 +- apparmor.d/profiles-a-f/flatpak | 2 +- apparmor.d/profiles-a-f/flatpak-app | 2 +- apparmor.d/profiles-a-f/flatpak-oci-authenticator | 2 +- apparmor.d/profiles-a-f/flatpak-portal | 2 +- apparmor.d/profiles-a-f/flatpak-session-helper | 2 +- apparmor.d/profiles-a-f/flatpak-system-helper | 2 +- apparmor.d/profiles-a-f/flatpak-validate-icon | 2 +- apparmor.d/profiles-a-f/foliate | 2 +- apparmor.d/profiles-a-f/font-manager | 2 +- apparmor.d/profiles-a-f/fping | 2 +- apparmor.d/profiles-a-f/fprintd | 2 +- apparmor.d/profiles-a-f/fractal | 2 +- apparmor.d/profiles-a-f/freefall | 2 +- apparmor.d/profiles-a-f/freetube | 2 +- apparmor.d/profiles-a-f/fritzing | 2 +- apparmor.d/profiles-a-f/frontend | 2 +- apparmor.d/profiles-a-f/fsck | 2 +- apparmor.d/profiles-a-f/fsck.btrfs | 2 +- apparmor.d/profiles-a-f/fsck.fat | 2 +- apparmor.d/profiles-a-f/fstrim | 2 +- apparmor.d/profiles-a-f/fuse-overlayfs | 2 +- apparmor.d/profiles-a-f/fuseiso | 2 +- apparmor.d/profiles-a-f/fusermount | 2 +- apparmor.d/profiles-a-f/fwupd | 2 +- apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-g-l/gajim | 2 +- apparmor.d/profiles-g-l/gamemoded | 2 +- apparmor.d/profiles-g-l/ganyremote | 2 +- apparmor.d/profiles-g-l/gconfd | 2 +- apparmor.d/profiles-g-l/gdisk | 2 +- apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders | 2 +- apparmor.d/profiles-g-l/ghc-pkg | 2 +- apparmor.d/profiles-g-l/gimp | 2 +- apparmor.d/profiles-g-l/gio-querymodules | 2 +- apparmor.d/profiles-g-l/git | 2 +- apparmor.d/profiles-g-l/gitg | 2 +- apparmor.d/profiles-g-l/gitstatusd | 
2 +- apparmor.d/profiles-g-l/glib-compile-resources | 2 +- apparmor.d/profiles-g-l/glib-compile-schemas | 2 +- apparmor.d/profiles-g-l/glib-pacrunner | 2 +- apparmor.d/profiles-g-l/globaltime | 2 +- apparmor.d/profiles-g-l/glxgears | 2 +- apparmor.d/profiles-g-l/glxinfo | 2 +- apparmor.d/profiles-g-l/gpa | 2 +- apparmor.d/profiles-g-l/gparted | 2 +- apparmor.d/profiles-g-l/gpartedbin | 2 +- apparmor.d/profiles-g-l/gpasswd | 2 +- apparmor.d/profiles-g-l/gping | 2 +- apparmor.d/profiles-g-l/gpo | 2 +- apparmor.d/profiles-g-l/gpodder | 2 +- apparmor.d/profiles-g-l/gpodder-migrate2tres | 2 +- apparmor.d/profiles-g-l/gpu-manager | 2 +- apparmor.d/profiles-g-l/groupadd | 2 +- apparmor.d/profiles-g-l/groupdel | 2 +- apparmor.d/profiles-g-l/groupmod | 2 +- apparmor.d/profiles-g-l/groups | 2 +- apparmor.d/profiles-g-l/grpck | 2 +- apparmor.d/profiles-g-l/gsettings | 2 +- apparmor.d/profiles-g-l/gsimplecal | 2 +- apparmor.d/profiles-g-l/gsmartcontrol | 2 +- apparmor.d/profiles-g-l/gsmartcontrol-root | 2 +- apparmor.d/profiles-g-l/gssproxy | 2 +- apparmor.d/profiles-g-l/gtk-query-immodules | 2 +- apparmor.d/profiles-g-l/gtk-update-icon-cache | 2 +- apparmor.d/profiles-g-l/gtk-youtube-viewer | 2 +- apparmor.d/profiles-g-l/hardinfo | 2 +- apparmor.d/profiles-g-l/haveged | 2 +- apparmor.d/profiles-g-l/hbbr | 2 +- apparmor.d/profiles-g-l/hbbs | 2 +- apparmor.d/profiles-g-l/hciconfig | 2 +- apparmor.d/profiles-g-l/hddtemp | 2 +- apparmor.d/profiles-g-l/hdparm | 2 +- apparmor.d/profiles-g-l/hexchat | 2 +- apparmor.d/profiles-g-l/highlight | 2 +- apparmor.d/profiles-g-l/homebank | 2 +- apparmor.d/profiles-g-l/host | 2 +- apparmor.d/profiles-g-l/hostname | 2 +- apparmor.d/profiles-g-l/htop | 2 +- apparmor.d/profiles-g-l/hugeadm | 2 +- apparmor.d/profiles-g-l/hugo | 2 +- apparmor.d/profiles-g-l/hw-probe | 2 +- apparmor.d/profiles-g-l/hwinfo | 2 +- apparmor.d/profiles-g-l/hypnotix | 2 +- apparmor.d/profiles-g-l/i2cdetect | 2 +- apparmor.d/profiles-g-l/i3lock | 2 +- 
apparmor.d/profiles-g-l/i3lock-fancy | 2 +- apparmor.d/profiles-g-l/iceauth | 2 +- apparmor.d/profiles-g-l/id | 2 +- apparmor.d/profiles-g-l/ifconfig | 2 +- apparmor.d/profiles-g-l/ifup | 2 +- apparmor.d/profiles-g-l/im-launch | 2 +- apparmor.d/profiles-g-l/img2txt | 2 +- apparmor.d/profiles-g-l/imv-wayland | 2 +- apparmor.d/profiles-g-l/initd-kexec | 2 +- apparmor.d/profiles-g-l/initd-kexec-load | 2 +- apparmor.d/profiles-g-l/initd-kmod | 2 +- apparmor.d/profiles-g-l/install-catalog | 2 +- apparmor.d/profiles-g-l/install-info | 2 +- apparmor.d/profiles-g-l/install-printerdriver | 2 +- apparmor.d/profiles-g-l/inxi | 2 +- apparmor.d/profiles-g-l/ioping | 2 +- apparmor.d/profiles-g-l/iotop | 2 +- apparmor.d/profiles-g-l/ip | 2 +- apparmor.d/profiles-g-l/ipcalc | 2 +- apparmor.d/profiles-g-l/irqbalance | 2 +- apparmor.d/profiles-g-l/issue-generator | 2 +- apparmor.d/profiles-g-l/iw | 2 +- apparmor.d/profiles-g-l/iwconfig | 2 +- apparmor.d/profiles-g-l/iwlist | 2 +- apparmor.d/profiles-g-l/jackdbus | 2 +- apparmor.d/profiles-g-l/jami-gnome | 2 +- apparmor.d/profiles-g-l/jdownloader | 2 +- apparmor.d/profiles-g-l/jekyll | 2 +- apparmor.d/profiles-g-l/jgmenu | 2 +- apparmor.d/profiles-g-l/jitterentropy-rngd | 2 +- apparmor.d/profiles-g-l/jmtpfs | 2 +- apparmor.d/profiles-g-l/kanyremote | 2 +- apparmor.d/profiles-g-l/kcheckpass | 2 +- apparmor.d/profiles-g-l/kconfig-hardened-check | 2 +- apparmor.d/profiles-g-l/keepassxc | 2 +- apparmor.d/profiles-g-l/keepassxc-cli | 2 +- apparmor.d/profiles-g-l/keepassxc-proxy | 2 +- apparmor.d/profiles-g-l/kernel-install | 2 +- apparmor.d/profiles-g-l/kerneloops | 2 +- apparmor.d/profiles-g-l/kerneloops-applet | 2 +- apparmor.d/profiles-g-l/kexec | 2 +- apparmor.d/profiles-g-l/kmod | 2 +- apparmor.d/profiles-g-l/kodi | 2 +- apparmor.d/profiles-g-l/kodi-xrandr | 2 +- apparmor.d/profiles-g-l/kvm-ok | 2 +- apparmor.d/profiles-g-l/labwc | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo.wrapper 
| 2 +- apparmor.d/profiles-g-l/language-validate | 2 +- apparmor.d/profiles-g-l/last | 2 +- apparmor.d/profiles-g-l/lastlog | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 +- apparmor.d/profiles-g-l/light | 2 +- apparmor.d/profiles-g-l/light-locker | 2 +- apparmor.d/profiles-g-l/light-locker-command | 2 +- apparmor.d/profiles-g-l/lightworks | 2 +- apparmor.d/profiles-g-l/lightworks-ntcardvt | 2 +- apparmor.d/profiles-g-l/linux-check-removal | 2 +- apparmor.d/profiles-g-l/linux-version | 2 +- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-g-l/locale-gen | 2 +- apparmor.d/profiles-g-l/localepurge | 2 +- apparmor.d/profiles-g-l/login | 2 +- apparmor.d/profiles-g-l/logrotate | 2 +- apparmor.d/profiles-g-l/losetup | 2 +- apparmor.d/profiles-g-l/low-memory-monitor | 2 +- apparmor.d/profiles-g-l/lsblk | 2 +- apparmor.d/profiles-g-l/lscpu | 2 +- apparmor.d/profiles-g-l/lsinitramfs | 2 +- apparmor.d/profiles-g-l/lspci | 2 +- apparmor.d/profiles-g-l/lsusb | 2 +- apparmor.d/profiles-g-l/lvm | 2 +- apparmor.d/profiles-g-l/lvmconfig | 2 +- apparmor.d/profiles-g-l/lvmdump | 2 +- apparmor.d/profiles-g-l/lvmpolld | 2 +- apparmor.d/profiles-g-l/lxappearance | 2 +- apparmor.d/profiles-g-l/lynx | 2 +- apparmor.d/profiles-m-r/macchanger | 2 +- apparmor.d/profiles-m-r/man | 2 +- apparmor.d/profiles-m-r/mandb | 2 +- apparmor.d/profiles-m-r/mate-notification-daemon | 2 +- apparmor.d/profiles-m-r/mdevctl | 2 +- apparmor.d/profiles-m-r/mediainfo | 2 +- apparmor.d/profiles-m-r/mediainfo-gui | 2 +- apparmor.d/profiles-m-r/megasync | 2 +- apparmor.d/profiles-m-r/memtester | 2 +- apparmor.d/profiles-m-r/merkaartor | 2 +- apparmor.d/profiles-m-r/metadata-cleaner | 2 +- apparmor.d/profiles-m-r/mimetype | 2 +- apparmor.d/profiles-m-r/minitube | 2 +- apparmor.d/profiles-m-r/mission-control | 2 +- apparmor.d/profiles-m-r/mkcert | 2 +- apparmor.d/profiles-m-r/mke2fs | 2 +- apparmor.d/profiles-m-r/mkfs-btrfs | 2 +- apparmor.d/profiles-m-r/mkfs-fat | 2 +- apparmor.d/profiles-m-r/mkinitramfs 
| 2 +- apparmor.d/profiles-m-r/mkntfs | 2 +- apparmor.d/profiles-m-r/mkswap | 2 +- apparmor.d/profiles-m-r/mkvmerge | 2 +- apparmor.d/profiles-m-r/mkvtoolnix-gui | 2 +- apparmor.d/profiles-m-r/mlocate | 2 +- apparmor.d/profiles-m-r/modprobed-db | 2 +- apparmor.d/profiles-m-r/molly-guard | 2 +- apparmor.d/profiles-m-r/monitorix | 2 +- apparmor.d/profiles-m-r/mono-sgen | 2 +- apparmor.d/profiles-m-r/mount | 2 +- apparmor.d/profiles-m-r/mount-cifs | 2 +- apparmor.d/profiles-m-r/mount-nfs | 2 +- apparmor.d/profiles-m-r/mount-zfs | 2 +- apparmor.d/profiles-m-r/mpd | 2 +- apparmor.d/profiles-m-r/mpsyt | 2 +- apparmor.d/profiles-m-r/mpv | 2 +- apparmor.d/profiles-m-r/mtools | 2 +- apparmor.d/profiles-m-r/mtr | 2 +- apparmor.d/profiles-m-r/mtr-packet | 2 +- apparmor.d/profiles-m-r/mullvad-setup | 2 +- apparmor.d/profiles-m-r/multipath | 2 +- apparmor.d/profiles-m-r/multipathd | 2 +- apparmor.d/profiles-m-r/mumble | 2 +- apparmor.d/profiles-m-r/mumble-overlay | 2 +- apparmor.d/profiles-m-r/mutt | 2 +- apparmor.d/profiles-m-r/needrestart | 2 +- apparmor.d/profiles-m-r/needrestart-apt-pinvoke | 2 +- apparmor.d/profiles-m-r/needrestart-dpkg-status | 2 +- apparmor.d/profiles-m-r/needrestart-iucode-scan-versions | 2 +- apparmor.d/profiles-m-r/nemo | 2 +- apparmor.d/profiles-m-r/netcap | 2 +- apparmor.d/profiles-m-r/nethogs | 2 +- apparmor.d/profiles-m-r/netstat | 2 +- apparmor.d/profiles-m-r/newgidmap | 2 +- apparmor.d/profiles-m-r/newgrp | 2 +- apparmor.d/profiles-m-r/newuidmap | 2 +- apparmor.d/profiles-m-r/nfsdcld | 2 +- apparmor.d/profiles-m-r/nft | 2 +- apparmor.d/profiles-m-r/nmap | 2 +- apparmor.d/profiles-m-r/nologin | 2 +- apparmor.d/profiles-m-r/nslookup | 2 +- apparmor.d/profiles-m-r/ntfs-3g | 2 +- apparmor.d/profiles-m-r/ntfs-3g-probe | 2 +- apparmor.d/profiles-m-r/ntfscat | 2 +- apparmor.d/profiles-m-r/ntfsclone | 2 +- apparmor.d/profiles-m-r/ntfscluster | 2 +- apparmor.d/profiles-m-r/ntfscmp | 2 +- apparmor.d/profiles-m-r/ntfscp | 2 +- 
apparmor.d/profiles-m-r/ntfsdecrypt | 2 +- apparmor.d/profiles-m-r/ntfsfallocate | 2 +- apparmor.d/profiles-m-r/ntfsfix | 2 +- apparmor.d/profiles-m-r/ntfsinfo | 2 +- apparmor.d/profiles-m-r/ntfslabel | 2 +- apparmor.d/profiles-m-r/ntfsls | 2 +- apparmor.d/profiles-m-r/ntfsmove | 2 +- apparmor.d/profiles-m-r/ntfsrecover | 2 +- apparmor.d/profiles-m-r/ntfsresize | 2 +- apparmor.d/profiles-m-r/ntfssecaudit | 2 +- apparmor.d/profiles-m-r/ntfstruncate | 2 +- apparmor.d/profiles-m-r/ntfsundelete | 2 +- apparmor.d/profiles-m-r/ntfsusermap | 2 +- apparmor.d/profiles-m-r/ntfswipe | 2 +- apparmor.d/profiles-m-r/nullmailer-send | 2 +- apparmor.d/profiles-m-r/numlockx | 2 +- apparmor.d/profiles-m-r/nvidia-detector | 2 +- apparmor.d/profiles-m-r/nvidia-persistenced | 2 +- apparmor.d/profiles-m-r/nvidia-settings | 2 +- apparmor.d/profiles-m-r/nvidia-smi | 2 +- apparmor.d/profiles-m-r/nvtop | 2 +- apparmor.d/profiles-m-r/obamenu | 2 +- apparmor.d/profiles-m-r/obconf | 2 +- apparmor.d/profiles-m-r/obex-folder-listing | 2 +- apparmor.d/profiles-m-r/obexautofs | 2 +- apparmor.d/profiles-m-r/obexctl | 2 +- apparmor.d/profiles-m-r/obexd | 2 +- apparmor.d/profiles-m-r/obexfs | 2 +- apparmor.d/profiles-m-r/obexpush-atd | 2 +- apparmor.d/profiles-m-r/obexpushd | 2 +- apparmor.d/profiles-m-r/obxprop | 2 +- apparmor.d/profiles-m-r/odt2txt | 2 +- apparmor.d/profiles-m-r/ollama | 2 +- apparmor.d/profiles-m-r/on-ac-power | 2 +- apparmor.d/profiles-m-r/onefetch | 2 +- apparmor.d/profiles-m-r/openbox | 2 +- apparmor.d/profiles-m-r/openbox-session | 2 +- apparmor.d/profiles-m-r/orage | 2 +- apparmor.d/profiles-m-r/os-prober | 2 +- apparmor.d/profiles-m-r/ouch | 2 +- apparmor.d/profiles-m-r/packagekitd | 2 +- apparmor.d/profiles-m-r/pacmd | 2 +- apparmor.d/profiles-m-r/pactl | 2 +- apparmor.d/profiles-m-r/pagesize | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 2 +- apparmor.d/profiles-m-r/pam-tmpdir-helper | 2 +- apparmor.d/profiles-m-r/parted | 2 +- apparmor.d/profiles-m-r/partprobe | 2 +- 
apparmor.d/profiles-m-r/pass | 2 +- apparmor.d/profiles-m-r/pass-import | 2 +- apparmor.d/profiles-m-r/passimd | 2 +- apparmor.d/profiles-m-r/passwd | 2 +- apparmor.d/profiles-m-r/pavucontrol | 2 +- apparmor.d/profiles-m-r/pcb-gtk | 2 +- apparmor.d/profiles-m-r/pcscd | 2 +- apparmor.d/profiles-m-r/pdftotext | 2 +- apparmor.d/profiles-m-r/picom | 2 +- apparmor.d/profiles-m-r/pidof | 2 +- apparmor.d/profiles-m-r/pinentry | 2 +- apparmor.d/profiles-m-r/pinentry-curses | 2 +- apparmor.d/profiles-m-r/pinentry-gnome3 | 2 +- apparmor.d/profiles-m-r/pinentry-gtk-2 | 2 +- apparmor.d/profiles-m-r/pinentry-kwallet | 2 +- apparmor.d/profiles-m-r/pinentry-qt | 2 +- apparmor.d/profiles-m-r/pkcs11-register | 2 +- apparmor.d/profiles-m-r/pkexec | 2 +- apparmor.d/profiles-m-r/pkttyagent | 2 +- apparmor.d/profiles-m-r/plank | 2 +- apparmor.d/profiles-m-r/plocate | 2 +- apparmor.d/profiles-m-r/plocate-build | 2 +- apparmor.d/profiles-m-r/pokemmo | 2 +- apparmor.d/profiles-m-r/popularity-contest | 2 +- apparmor.d/profiles-m-r/power-profiles-daemon | 2 +- apparmor.d/profiles-m-r/protonmail | 2 +- apparmor.d/profiles-m-r/protonmail-bridge | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 2 +- apparmor.d/profiles-m-r/ps | 2 +- apparmor.d/profiles-m-r/ps-mem | 2 +- apparmor.d/profiles-m-r/pscap | 2 +- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-m-r/pstree | 2 +- apparmor.d/profiles-m-r/pulseeffects | 2 +- apparmor.d/profiles-m-r/pwck | 2 +- apparmor.d/profiles-m-r/qbittorrent | 2 +- apparmor.d/profiles-m-r/qbittorrent-nox | 2 +- apparmor.d/profiles-m-r/qdbus | 2 +- apparmor.d/profiles-m-r/qemu-ga | 2 +- apparmor.d/profiles-m-r/qnapi | 2 +- apparmor.d/profiles-m-r/qpdfview | 2 +- apparmor.d/profiles-m-r/qt5ct | 2 +- apparmor.d/profiles-m-r/qtchooser | 2 +- apparmor.d/profiles-m-r/qtox | 2 +- apparmor.d/profiles-m-r/quiterss | 2 +- apparmor.d/profiles-m-r/rdmsr | 2 +- apparmor.d/profiles-m-r/remmina | 2 +- apparmor.d/profiles-m-r/repo 
| 2 +- apparmor.d/profiles-m-r/reprepro | 2 +- apparmor.d/profiles-m-r/resize2fs | 2 +- apparmor.d/profiles-m-r/resolvconf | 2 +- apparmor.d/profiles-m-r/rfkill | 2 +- apparmor.d/profiles-m-r/rngd | 2 +- apparmor.d/profiles-m-r/rpi-imager | 2 +- apparmor.d/profiles-m-r/rredtool | 2 +- apparmor.d/profiles-m-r/rsyslogd | 2 +- apparmor.d/profiles-m-r/rtkit-daemon | 2 +- apparmor.d/profiles-m-r/rtkitctl | 2 +- apparmor.d/profiles-m-r/run-parts | 2 +- apparmor.d/profiles-m-r/runuser | 2 +- apparmor.d/profiles-m-r/rustdesk | 2 +- apparmor.d/profiles-m-r/rustdesk-utils | 2 +- apparmor.d/profiles-s-z/YACReader | 2 +- apparmor.d/profiles-s-z/YACReaderLibrary | 2 +- apparmor.d/profiles-s-z/s3fs | 2 +- apparmor.d/profiles-s-z/sanoid | 2 +- apparmor.d/profiles-s-z/sbctl | 2 +- apparmor.d/profiles-s-z/scrcpy | 2 +- apparmor.d/profiles-s-z/scrot | 2 +- apparmor.d/profiles-s-z/sdcv | 2 +- apparmor.d/profiles-s-z/secure-time-sync | 2 +- apparmor.d/profiles-s-z/sensors | 2 +- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/session-desktop | 2 +- apparmor.d/profiles-s-z/setpci | 2 +- apparmor.d/profiles-s-z/setvtrgb | 2 +- apparmor.d/profiles-s-z/sfdisk | 2 +- apparmor.d/profiles-s-z/sgdisk | 2 +- apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox | 2 +- apparmor.d/profiles-s-z/sing-box | 2 +- apparmor.d/profiles-s-z/slirp4netns | 2 +- apparmor.d/profiles-s-z/smartctl | 2 +- apparmor.d/profiles-s-z/smartd | 2 +- apparmor.d/profiles-s-z/smbspool | 2 +- apparmor.d/profiles-s-z/smplayer | 2 +- apparmor.d/profiles-s-z/smtube | 2 +- apparmor.d/profiles-s-z/snap | 2 +- apparmor.d/profiles-s-z/snap-bootstrap | 2 +- apparmor.d/profiles-s-z/snap-device-helper | 2 +- apparmor.d/profiles-s-z/snap-discard-ns | 2 +- apparmor.d/profiles-s-z/snap-failure | 2 +- apparmor.d/profiles-s-z/snap-repair | 2 +- apparmor.d/profiles-s-z/snap-seccomp | 2 +- apparmor.d/profiles-s-z/snap-update-ns | 2 +- apparmor.d/profiles-s-z/snapd | 2 +- 
apparmor.d/profiles-s-z/snapd-aa-prompt-listener | 2 +- apparmor.d/profiles-s-z/snapd-aa-prompt-ui | 2 +- apparmor.d/profiles-s-z/snapd-apparmor | 2 +- apparmor.d/profiles-s-z/snapd-core-fixup | 2 +- apparmor.d/profiles-s-z/snapshot | 2 +- apparmor.d/profiles-s-z/spacefm-auth | 2 +- apparmor.d/profiles-s-z/spectre-meltdown-checker | 2 +- apparmor.d/profiles-s-z/speech-dispatcher | 2 +- apparmor.d/profiles-s-z/speedtest | 2 +- apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper | 2 +- apparmor.d/profiles-s-z/spice-vdagent | 2 +- apparmor.d/profiles-s-z/spice-vdagentd | 2 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/ss | 2 +- apparmor.d/profiles-s-z/sslocal | 2 +- apparmor.d/profiles-s-z/ssmanager | 2 +- apparmor.d/profiles-s-z/ssserver | 2 +- apparmor.d/profiles-s-z/ssservice | 2 +- apparmor.d/profiles-s-z/ssurl | 2 +- apparmor.d/profiles-s-z/start-pulseaudio-x11 | 2 +- apparmor.d/profiles-s-z/startx | 2 +- apparmor.d/profiles-s-z/steam | 2 +- apparmor.d/profiles-s-z/steam-fossilize | 2 +- apparmor.d/profiles-s-z/steam-game-native | 2 +- apparmor.d/profiles-s-z/steam-game-proton | 2 +- apparmor.d/profiles-s-z/steam-gameoverlayui | 2 +- apparmor.d/profiles-s-z/steam-launch | 2 +- apparmor.d/profiles-s-z/steam-launcher | 2 +- apparmor.d/profiles-s-z/steam-runtime | 2 +- apparmor.d/profiles-s-z/steam-runtime-steam-remote | 2 +- apparmor.d/profiles-s-z/steamerrorreporter | 2 +- apparmor.d/profiles-s-z/strawberry | 2 +- apparmor.d/profiles-s-z/strawberry-tagreader | 2 +- apparmor.d/profiles-s-z/su | 2 +- apparmor.d/profiles-s-z/sudo | 2 +- apparmor.d/profiles-s-z/sulogin | 2 +- apparmor.d/profiles-s-z/superproductivity | 2 +- apparmor.d/profiles-s-z/swaplabel | 2 +- apparmor.d/profiles-s-z/swapon | 2 +- apparmor.d/profiles-s-z/switcheroo-control | 2 +- apparmor.d/profiles-s-z/switcherooctl | 2 +- apparmor.d/profiles-s-z/swtpm | 2 +- apparmor.d/profiles-s-z/swtpm_ioctl | 2 +- apparmor.d/profiles-s-z/swtpm_localca | 2 +- 
apparmor.d/profiles-s-z/swtpm_setup | 2 +- apparmor.d/profiles-s-z/sync | 2 +- apparmor.d/profiles-s-z/syncoid | 2 +- apparmor.d/profiles-s-z/syncthing | 2 +- apparmor.d/profiles-s-z/sysctl | 2 +- apparmor.d/profiles-s-z/system-config-printer | 2 +- apparmor.d/profiles-s-z/system-config-printer-applet | 2 +- apparmor.d/profiles-s-z/task | 2 +- apparmor.d/profiles-s-z/tasksel | 2 +- apparmor.d/profiles-s-z/taskwarrior-tui | 2 +- apparmor.d/profiles-s-z/telegram-desktop | 2 +- apparmor.d/profiles-s-z/terminator | 2 +- apparmor.d/profiles-s-z/tftp | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- apparmor.d/profiles-s-z/thinkfan | 2 +- apparmor.d/profiles-s-z/thunderbird | 2 +- apparmor.d/profiles-s-z/thunderbird-glxtest | 2 +- apparmor.d/profiles-s-z/thunderbird-vaapitest | 2 +- apparmor.d/profiles-s-z/tint2 | 2 +- apparmor.d/profiles-s-z/tint2conf | 2 +- apparmor.d/profiles-s-z/tomb | 2 +- apparmor.d/profiles-s-z/top | 2 +- apparmor.d/profiles-s-z/torify | 2 +- apparmor.d/profiles-s-z/torsocks | 2 +- apparmor.d/profiles-s-z/totem | 2 +- apparmor.d/profiles-s-z/tpacpi-bat | 2 +- apparmor.d/profiles-s-z/transmission | 2 +- apparmor.d/profiles-s-z/tune2fs | 2 +- apparmor.d/profiles-s-z/udev-dmi-memory-id | 2 +- apparmor.d/profiles-s-z/udiskie | 2 +- apparmor.d/profiles-s-z/udiskie-info | 2 +- apparmor.d/profiles-s-z/udiskie-mount | 2 +- apparmor.d/profiles-s-z/udiskie-umount | 2 +- apparmor.d/profiles-s-z/udisksctl | 2 +- apparmor.d/profiles-s-z/udisksd | 2 +- apparmor.d/profiles-s-z/ufw | 2 +- apparmor.d/profiles-s-z/umount | 2 +- apparmor.d/profiles-s-z/umount.udisks2 | 2 +- apparmor.d/profiles-s-z/uname | 2 +- apparmor.d/profiles-s-z/unhide-linux | 2 +- apparmor.d/profiles-s-z/unhide-posix | 2 +- apparmor.d/profiles-s-z/unhide-rb | 2 +- apparmor.d/profiles-s-z/unhide-tcp | 2 +- apparmor.d/profiles-s-z/unix-chkpwd | 2 +- apparmor.d/profiles-s-z/unmkinitramfs | 2 +- apparmor.d/profiles-s-z/update-alternatives | 2 +- apparmor.d/profiles-s-z/update-ca-certificates | 2 +- 
apparmor.d/profiles-s-z/update-ca-trust | 2 +- apparmor.d/profiles-s-z/update-command-not-found | 2 +- apparmor.d/profiles-s-z/update-cracklib | 2 +- apparmor.d/profiles-s-z/update-dlocatedb | 2 +- apparmor.d/profiles-s-z/update-initramfs | 2 +- apparmor.d/profiles-s-z/update-pciids | 2 +- apparmor.d/profiles-s-z/update-secureboot-policy | 2 +- apparmor.d/profiles-s-z/update-smart-drivedb | 2 +- apparmor.d/profiles-s-z/updatedb-mlocate | 2 +- apparmor.d/profiles-s-z/updatedb.plocate | 2 +- apparmor.d/profiles-s-z/uptime | 2 +- apparmor.d/profiles-s-z/uptimed | 2 +- apparmor.d/profiles-s-z/usb-devices | 2 +- apparmor.d/profiles-s-z/usbguard | 2 +- apparmor.d/profiles-s-z/usbguard-applet-qt | 2 +- apparmor.d/profiles-s-z/usbguard-daemon | 2 +- apparmor.d/profiles-s-z/usbguard-dbus | 2 +- apparmor.d/profiles-s-z/usbguard-notifier | 2 +- apparmor.d/profiles-s-z/useradd | 2 +- apparmor.d/profiles-s-z/userdel | 2 +- apparmor.d/profiles-s-z/usermod | 2 +- apparmor.d/profiles-s-z/users | 2 +- apparmor.d/profiles-s-z/utmpdump | 2 +- apparmor.d/profiles-s-z/utox | 2 +- apparmor.d/profiles-s-z/uuidd | 2 +- apparmor.d/profiles-s-z/uuidgen | 2 +- apparmor.d/profiles-s-z/uupdate | 2 +- apparmor.d/profiles-s-z/vcsi | 2 +- apparmor.d/profiles-s-z/veracrypt | 2 +- apparmor.d/profiles-s-z/vesktop | 2 +- apparmor.d/profiles-s-z/vidcutter | 2 +- apparmor.d/profiles-s-z/vipw-vigr | 2 +- apparmor.d/profiles-s-z/virt-manager | 2 +- apparmor.d/profiles-s-z/vlc | 2 +- apparmor.d/profiles-s-z/vlc-cache-gen | 2 +- apparmor.d/profiles-s-z/vnstat | 2 +- apparmor.d/profiles-s-z/vnstatd | 2 +- apparmor.d/profiles-s-z/volumeicon | 2 +- apparmor.d/profiles-s-z/vsftpd | 2 +- apparmor.d/profiles-s-z/w | 2 +- apparmor.d/profiles-s-z/w3m | 2 +- apparmor.d/profiles-s-z/wavemon | 2 +- apparmor.d/profiles-s-z/waybar | 2 +- apparmor.d/profiles-s-z/wechat-universal | 2 +- apparmor.d/profiles-s-z/wemeet | 2 +- apparmor.d/profiles-s-z/whatis | 2 +- apparmor.d/profiles-s-z/whdd | 2 +- 
apparmor.d/profiles-s-z/whereis | 2 +- apparmor.d/profiles-s-z/which | 2 +- apparmor.d/profiles-s-z/whiptail | 2 +- apparmor.d/profiles-s-z/who | 2 +- apparmor.d/profiles-s-z/whoami | 2 +- apparmor.d/profiles-s-z/wireplumber | 2 +- apparmor.d/profiles-s-z/wireshark | 2 +- apparmor.d/profiles-s-z/wl-copy | 2 +- apparmor.d/profiles-s-z/wmctrl | 2 +- apparmor.d/profiles-s-z/wpa-action | 2 +- apparmor.d/profiles-s-z/wpa-cli | 2 +- apparmor.d/profiles-s-z/wpa-gui | 2 +- apparmor.d/profiles-s-z/wpa-supplicant | 2 +- apparmor.d/profiles-s-z/wrmsr | 2 +- apparmor.d/profiles-s-z/wsdd | 2 +- apparmor.d/profiles-s-z/xarchiver | 2 +- apparmor.d/profiles-s-z/xauth | 2 +- apparmor.d/profiles-s-z/xautolock | 2 +- apparmor.d/profiles-s-z/xbacklight | 2 +- apparmor.d/profiles-s-z/xbrlapi | 2 +- apparmor.d/profiles-s-z/xclip | 2 +- apparmor.d/profiles-s-z/xdpyinfo | 2 +- apparmor.d/profiles-s-z/xinit | 2 +- apparmor.d/profiles-s-z/xinput | 2 +- apparmor.d/profiles-s-z/xsane-gimp | 2 +- apparmor.d/profiles-s-z/xsel | 2 +- apparmor.d/profiles-s-z/youtube-dl | 2 +- apparmor.d/profiles-s-z/youtube-viewer | 2 +- apparmor.d/profiles-s-z/yt-dlp | 2 +- apparmor.d/profiles-s-z/ytdl | 2 +- apparmor.d/profiles-s-z/zathura | 2 +- apparmor.d/profiles-s-z/zed | 2 +- apparmor.d/profiles-s-z/zenmap | 2 +- apparmor.d/profiles-s-z/zfs | 2 +- apparmor.d/profiles-s-z/zpool | 2 +- apparmor.d/profiles-s-z/zsys-system-autosnapshot | 2 +- apparmor.d/profiles-s-z/zsysd | 2 +- dists/ubuntu/abstractions/trash | 2 +- docs/development/workflow.md | 2 +- 1491 files changed, 1491 insertions(+), 1491 deletions(-)
diff --git a/apparmor.d/groups/_full/bwrap b/apparmor.d/groups/_full/bwrap
index e9ad60683..0a4b9efdf 100644
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@@ -4,7 +4,7 @@
 # Default profile for bwrap.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/_full/bwrap-app b/apparmor.d/groups/_full/bwrap-app
index d0ddfaaad..b6d45478a 100644
--- a/apparmor.d/groups/_full/bwrap-app
+++ b/apparmor.d/groups/_full/bwrap-app
@@ -4,7 +4,7 @@
 # Default profile for user sandboxed application
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default
index b6689cb1d..d3fd26682 100644
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@@ -4,7 +4,7 @@
 # Default profile for unconfined programs
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/_full/default-sudo b/apparmor.d/groups/_full/default-sudo
index 36cebc626..609191970 100644
--- a/apparmor.d/groups/_full/default-sudo
+++ b/apparmor.d/groups/_full/default-sudo
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 36c31e60e..7538b9ed3 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -11,7 +11,7 @@
 # Distributions and other programs can add rules in the usr/systemd.d directory
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
index 3a72cfe7e..e6c4a4b7b 100644
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@@ -8,7 +8,7 @@
 # It does not specify an attachment path because it is intended to be used only
 # via "Px -> systemd-service" exec transitions from the systemd profile.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index 7b6ef77fb..71b9048a4 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -11,7 +11,7 @@
 # Distributions and other programs can add rules in the usr/systemd-user.d directory
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/_full/systemd-user-service b/apparmor.d/groups/_full/systemd-user-service
index 0aaeba215..d65846f82 100644
--- a/apparmor.d/groups/_full/systemd-user-service
+++ b/apparmor.d/groups/_full/systemd-user-service
@@ -8,7 +8,7 @@
 # It does not specify an attachment path because it is intended to be used only
 # via "Px -> systemd-user-service" exec transitions from the systemd-user profile.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_akonotes_resource b/apparmor.d/groups/akonadi/akonadi_akonotes_resource
index 0d9822088..f0145d670 100644
--- a/apparmor.d/groups/akonadi/akonadi_akonotes_resource
+++ b/apparmor.d/groups/akonadi/akonadi_akonotes_resource
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_archivemail_agent b/apparmor.d/groups/akonadi/akonadi_archivemail_agent
index 13d45c38a..ed72aa21b 100644
--- a/apparmor.d/groups/akonadi/akonadi_archivemail_agent
+++ b/apparmor.d/groups/akonadi/akonadi_archivemail_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_birthdays_resource b/apparmor.d/groups/akonadi/akonadi_birthdays_resource
index 8fb383054..d3bf2074c 100644
--- a/apparmor.d/groups/akonadi/akonadi_birthdays_resource
+++ b/apparmor.d/groups/akonadi/akonadi_birthdays_resource
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_contacts_resource b/apparmor.d/groups/akonadi/akonadi_contacts_resource
index 733e4a85b..c3e5dc716 100644
--- a/apparmor.d/groups/akonadi/akonadi_contacts_resource
+++ b/apparmor.d/groups/akonadi/akonadi_contacts_resource
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_control b/apparmor.d/groups/akonadi/akonadi_control
index eba2bb4d9..945cc82b9 100644
--- a/apparmor.d/groups/akonadi/akonadi_control
+++ b/apparmor.d/groups/akonadi/akonadi_control
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
index ba3b0227c..e85bdcba3 100644
--- a/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
+++ b/apparmor.d/groups/akonadi/akonadi_followupreminder_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_ical_resource b/apparmor.d/groups/akonadi/akonadi_ical_resource
index 5689a2d88..465eebd33 100644
--- a/apparmor.d/groups/akonadi/akonadi_ical_resource
+++ b/apparmor.d/groups/akonadi/akonadi_ical_resource
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_indexing_agent b/apparmor.d/groups/akonadi/akonadi_indexing_agent
index 1f5096a82..32a332793 100644
--- a/apparmor.d/groups/akonadi/akonadi_indexing_agent
+++ b/apparmor.d/groups/akonadi/akonadi_indexing_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_maildir_resource b/apparmor.d/groups/akonadi/akonadi_maildir_resource
index 905fe7d68..fc518e4f7 100644
--- a/apparmor.d/groups/akonadi/akonadi_maildir_resource
+++ b/apparmor.d/groups/akonadi/akonadi_maildir_resource
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
index 24b2dd695..c353ea819 100644
--- a/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
+++ b/apparmor.d/groups/akonadi/akonadi_maildispatcher_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
index 9ca03ba33..37612c9ca 100644
--- a/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailfilter_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent
index b6c8a34e0..2083318e7 100644
--- a/apparmor.d/groups/akonadi/akonadi_mailmerge_agent
+++ b/apparmor.d/groups/akonadi/akonadi_mailmerge_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_migration_agent b/apparmor.d/groups/akonadi/akonadi_migration_agent
index 63e83d214..b3541299a 100644
--- a/apparmor.d/groups/akonadi/akonadi_migration_agent
+++ b/apparmor.d/groups/akonadi/akonadi_migration_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
index b9e8debb2..28ce1123c 100644
--- a/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
+++ b/apparmor.d/groups/akonadi/akonadi_newmailnotifier_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_notes_agent b/apparmor.d/groups/akonadi/akonadi_notes_agent
index 97a3e8067..8e8665e40 100644
--- a/apparmor.d/groups/akonadi/akonadi_notes_agent
+++ b/apparmor.d/groups/akonadi/akonadi_notes_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_sendlater_agent b/apparmor.d/groups/akonadi/akonadi_sendlater_agent
index 157d963fb..2053bf298 100644
--- a/apparmor.d/groups/akonadi/akonadi_sendlater_agent
+++ b/apparmor.d/groups/akonadi/akonadi_sendlater_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
index 5a623c860..4e0e5820a 100644
--- a/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
+++ b/apparmor.d/groups/akonadi/akonadi_unifiedmailbox_agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index 9907ae02f..5b362f123 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/apt/apt-cache b/apparmor.d/groups/apt/apt-cache
index 0c11fbfb2..1251fe449 100644
--- a/apparmor.d/groups/apt/apt-cache
+++ b/apparmor.d/groups/apt/apt-cache
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/apt/apt-cdrom b/apparmor.d/groups/apt/apt-cdrom
index 0f3bce398..a99b964c7 100644
--- a/apparmor.d/groups/apt/apt-cdrom
+++ b/apparmor.d/groups/apt/apt-cdrom
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/apt/apt-config b/apparmor.d/groups/apt/apt-config
index 48a540043..505a4b037 100644
--- a/apparmor.d/groups/apt/apt-config
+++ b/apparmor.d/groups/apt/apt-config
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-extracttemplates b/apparmor.d/groups/apt/apt-extracttemplates index f958d2575..2e41b10bf 100644 --- a/apparmor.d/groups/apt/apt-extracttemplates +++ b/apparmor.d/groups/apt/apt-extracttemplates @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-file b/apparmor.d/groups/apt/apt-file index bc6e523b4..7ee51cfed 100644 --- a/apparmor.d/groups/apt/apt-file +++ b/apparmor.d/groups/apt/apt-file @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-forktracer b/apparmor.d/groups/apt/apt-forktracer index ea687173f..2fbb5d95b 100644 --- a/apparmor.d/groups/apt/apt-forktracer +++ b/apparmor.d/groups/apt/apt-forktracer @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-ftparchive b/apparmor.d/groups/apt/apt-ftparchive index 4b8e45799..f7e9b4651 100644 --- a/apparmor.d/groups/apt/apt-ftparchive +++ b/apparmor.d/groups/apt/apt-ftparchive @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-helper b/apparmor.d/groups/apt/apt-helper index d6d4b5d7b..f02c01819 100644 --- a/apparmor.d/groups/apt/apt-helper +++ b/apparmor.d/groups/apt/apt-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 2d0f6a664..25a53282d 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key 
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listbugs b/apparmor.d/groups/apt/apt-listbugs index a04bd459a..403573a9d 100644 --- a/apparmor.d/groups/apt/apt-listbugs +++ b/apparmor.d/groups/apt/apt-listbugs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listbugs-aptcleanup b/apparmor.d/groups/apt/apt-listbugs-aptcleanup index 3500ead6c..ccf56a603 100644 --- a/apparmor.d/groups/apt/apt-listbugs-aptcleanup +++ b/apparmor.d/groups/apt/apt-listbugs-aptcleanup @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listbugs-migratepins b/apparmor.d/groups/apt/apt-listbugs-migratepins index f8eca9dfb..6a261aab9 100644 --- a/apparmor.d/groups/apt/apt-listbugs-migratepins +++ b/apparmor.d/groups/apt/apt-listbugs-migratepins @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listbugs-prefclean b/apparmor.d/groups/apt/apt-listbugs-prefclean index 461edace9..4e0fea86f 100644 --- a/apparmor.d/groups/apt/apt-listbugs-prefclean +++ b/apparmor.d/groups/apt/apt-listbugs-prefclean @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-listchanges b/apparmor.d/groups/apt/apt-listchanges index fbabcd983..89cf63067 100644 --- a/apparmor.d/groups/apt/apt-listchanges +++ b/apparmor.d/groups/apt/apt-listchanges @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-mark b/apparmor.d/groups/apt/apt-mark index f76159e78..4af469c30 100644 
--- a/apparmor.d/groups/apt/apt-mark +++ b/apparmor.d/groups/apt/apt-mark @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-cdrom b/apparmor.d/groups/apt/apt-methods-cdrom index 222f7540c..9cf47e758 100644 --- a/apparmor.d/groups/apt/apt-methods-cdrom +++ b/apparmor.d/groups/apt/apt-methods-cdrom @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-copy b/apparmor.d/groups/apt/apt-methods-copy index 2cd44be7b..6d906bf80 100644 --- a/apparmor.d/groups/apt/apt-methods-copy +++ b/apparmor.d/groups/apt/apt-methods-copy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-file b/apparmor.d/groups/apt/apt-methods-file index ef49d144f..6d3e9d408 100644 --- a/apparmor.d/groups/apt/apt-methods-file +++ b/apparmor.d/groups/apt/apt-methods-file @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-ftp b/apparmor.d/groups/apt/apt-methods-ftp index d57cc71f2..47c679ea1 100644 --- a/apparmor.d/groups/apt/apt-methods-ftp +++ b/apparmor.d/groups/apt/apt-methods-ftp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-gpgv b/apparmor.d/groups/apt/apt-methods-gpgv index e2a7ed2b7..4b2a15773 100644 --- a/apparmor.d/groups/apt/apt-methods-gpgv +++ b/apparmor.d/groups/apt/apt-methods-gpgv @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http index 72b39e719..0638120ba 100644 --- a/apparmor.d/groups/apt/apt-methods-http +++ b/apparmor.d/groups/apt/apt-methods-http @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-mirror b/apparmor.d/groups/apt/apt-methods-mirror index 31656857f..5acecd67a 100644 --- a/apparmor.d/groups/apt/apt-methods-mirror +++ b/apparmor.d/groups/apt/apt-methods-mirror @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-rred b/apparmor.d/groups/apt/apt-methods-rred index e5dc4d609..85da35efc 100644 --- a/apparmor.d/groups/apt/apt-methods-rred +++ b/apparmor.d/groups/apt/apt-methods-rred @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-rsh b/apparmor.d/groups/apt/apt-methods-rsh index bf51e32f7..95d70b31f 100644 --- a/apparmor.d/groups/apt/apt-methods-rsh +++ b/apparmor.d/groups/apt/apt-methods-rsh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-methods-store b/apparmor.d/groups/apt/apt-methods-store index a3d2ce33a..4c414f07c 100644 --- a/apparmor.d/groups/apt/apt-methods-store +++ b/apparmor.d/groups/apt/apt-methods-store @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 158e7c57b..4ba9e57d7 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-show-versions b/apparmor.d/groups/apt/apt-show-versions index b060e0a12..7885afca4 100644 --- a/apparmor.d/groups/apt/apt-show-versions +++ b/apparmor.d/groups/apt/apt-show-versions @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-sortpkgs b/apparmor.d/groups/apt/apt-sortpkgs index 56162c9d2..af5ec2ef0 100644 --- a/apparmor.d/groups/apt/apt-sortpkgs +++ b/apparmor.d/groups/apt/apt-sortpkgs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index 1acaa6aff..04907876e 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/aptitude b/apparmor.d/groups/apt/aptitude index 7b36e4abe..972123a06 100644 --- a/apparmor.d/groups/apt/aptitude +++ b/apparmor.d/groups/apt/aptitude @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/aptitude-changelog-parser b/apparmor.d/groups/apt/aptitude-changelog-parser index 039de3095..91a47110a 100644 --- a/apparmor.d/groups/apt/aptitude-changelog-parser +++ b/apparmor.d/groups/apt/aptitude-changelog-parser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/aptitude-create-state-bundle b/apparmor.d/groups/apt/aptitude-create-state-bundle index a81c3dafb..c700e325f 100644 
--- a/apparmor.d/groups/apt/aptitude-create-state-bundle +++ b/apparmor.d/groups/apt/aptitude-create-state-bundle @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/aptitude-run-state-bundle b/apparmor.d/groups/apt/aptitude-run-state-bundle index 9119e243c..fa3a45315 100644 --- a/apparmor.d/groups/apt/aptitude-run-state-bundle +++ b/apparmor.d/groups/apt/aptitude-run-state-bundle @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found index 00818d011..e6c0fdee6 100644 --- a/apparmor.d/groups/apt/command-not-found +++ b/apparmor.d/groups/apt/command-not-found @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index 31b55a24e..7b80201df 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debconf-show b/apparmor.d/groups/apt/debconf-show index 709e76f1f..b00cecd1b 100644 --- a/apparmor.d/groups/apt/debconf-show +++ b/apparmor.d/groups/apt/debconf-show @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/deborphan b/apparmor.d/groups/apt/deborphan index 76068b32d..236069e99 100644 --- a/apparmor.d/groups/apt/deborphan +++ b/apparmor.d/groups/apt/deborphan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/apt/debsecan b/apparmor.d/groups/apt/debsecan index ab391f72e..ee29b4923 100644 --- a/apparmor.d/groups/apt/debsecan +++ b/apparmor.d/groups/apt/debsecan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debsign b/apparmor.d/groups/apt/debsign index 7ed318aa7..b2f72f6cd 100644 --- a/apparmor.d/groups/apt/debsign +++ b/apparmor.d/groups/apt/debsign @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debsums b/apparmor.d/groups/apt/debsums index ee371bee8..01e9ac152 100644 --- a/apparmor.d/groups/apt/debsums +++ b/apparmor.d/groups/apt/debsums @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/debtags b/apparmor.d/groups/apt/debtags index dff64bed3..8bda4efff 100644 --- a/apparmor.d/groups/apt/debtags +++ b/apparmor.d/groups/apt/debtags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg index c22ba0ae5..dd87414bf 100644 --- a/apparmor.d/groups/apt/dpkg +++ b/apparmor.d/groups/apt/dpkg @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index ce6dfe8d5..e5ccb2f89 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-buildflags b/apparmor.d/groups/apt/dpkg-buildflags index 39271db07..e7558acdf 100644 
--- a/apparmor.d/groups/apt/dpkg-buildflags +++ b/apparmor.d/groups/apt/dpkg-buildflags @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-checkbuilddeps b/apparmor.d/groups/apt/dpkg-checkbuilddeps index 8c2ff03cf..e7542aadd 100644 --- a/apparmor.d/groups/apt/dpkg-checkbuilddeps +++ b/apparmor.d/groups/apt/dpkg-checkbuilddeps @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb index 6f9c2600b..4fedbcd5f 100644 --- a/apparmor.d/groups/apt/dpkg-deb +++ b/apparmor.d/groups/apt/dpkg-deb @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-divert b/apparmor.d/groups/apt/dpkg-divert index a770662a7..6712b8b7c 100644 --- a/apparmor.d/groups/apt/dpkg-divert +++ b/apparmor.d/groups/apt/dpkg-divert @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-genbuildinfo b/apparmor.d/groups/apt/dpkg-genbuildinfo index 47d7f6ece..4e22ecf19 100644 --- a/apparmor.d/groups/apt/dpkg-genbuildinfo +++ b/apparmor.d/groups/apt/dpkg-genbuildinfo @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-genchanges b/apparmor.d/groups/apt/dpkg-genchanges index 27991261c..73be1b913 100644 --- a/apparmor.d/groups/apt/dpkg-genchanges +++ b/apparmor.d/groups/apt/dpkg-genchanges @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure index f94d95251..cf957ab4f 100644 
--- a/apparmor.d/groups/apt/dpkg-preconfigure +++ b/apparmor.d/groups/apt/dpkg-preconfigure @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-query b/apparmor.d/groups/apt/dpkg-query index 9a5512c2c..e0f4dbcdf 100644 --- a/apparmor.d/groups/apt/dpkg-query +++ b/apparmor.d/groups/apt/dpkg-query @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split index 551b84c03..e307e9867 100644 --- a/apparmor.d/groups/apt/dpkg-split +++ b/apparmor.d/groups/apt/dpkg-split @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-trigger b/apparmor.d/groups/apt/dpkg-trigger index 3aa674d0b..547123cf2 100644 --- a/apparmor.d/groups/apt/dpkg-trigger +++ b/apparmor.d/groups/apt/dpkg-trigger @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/dpkg-vendor b/apparmor.d/groups/apt/dpkg-vendor index 5a786e815..aee717257 100644 --- a/apparmor.d/groups/apt/dpkg-vendor +++ b/apparmor.d/groups/apt/dpkg-vendor @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index ba91e898a..da7c45275 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/reportbug b/apparmor.d/groups/apt/reportbug index 1571298af..dfc578117 100644 --- a/apparmor.d/groups/apt/reportbug +++ b/apparmor.d/groups/apt/reportbug 
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/synaptic b/apparmor.d/groups/apt/synaptic index 6edd79767..4189c7170 100644 --- a/apparmor.d/groups/apt/synaptic +++ b/apparmor.d/groups/apt/synaptic @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index eaac10851..c528fb984 100644 --- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index bd963a006..673775006 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index index 80b5d0fab..15af33d88 100644 --- a/apparmor.d/groups/apt/update-apt-xapian-index +++ b/apparmor.d/groups/apt/update-apt-xapian-index @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-autoipd b/apparmor.d/groups/avahi/avahi-autoipd index 8d18f1a75..a6e724214 100644 --- a/apparmor.d/groups/avahi/avahi-autoipd +++ b/apparmor.d/groups/avahi/avahi-autoipd @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index 3c7bfdf05..f04637ae3 100644 
--- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-publish b/apparmor.d/groups/avahi/avahi-publish index 92f02d6d5..490303443 100644 --- a/apparmor.d/groups/avahi/avahi-publish +++ b/apparmor.d/groups/avahi/avahi-publish @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-resolve b/apparmor.d/groups/avahi/avahi-resolve index 459bc57da..ff2cae183 100644 --- a/apparmor.d/groups/avahi/avahi-resolve +++ b/apparmor.d/groups/avahi/avahi-resolve @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/avahi/avahi-set-host-name b/apparmor.d/groups/avahi/avahi-set-host-name index de986c7bc..dd9eaba6c 100644 --- a/apparmor.d/groups/avahi/avahi-set-host-name +++ b/apparmor.d/groups/avahi/avahi-set-host-name @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave b/apparmor.d/groups/browsers/brave index 543548f98..cc3d18b58 100644 --- a/apparmor.d/groups/browsers/brave +++ b/apparmor.d/groups/browsers/brave @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave-crashpad-handler b/apparmor.d/groups/browsers/brave-crashpad-handler index 2bfe2ff94..ae90c734e 100644 --- a/apparmor.d/groups/browsers/brave-crashpad-handler +++ b/apparmor.d/groups/browsers/brave-crashpad-handler @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/browsers/brave-sandbox b/apparmor.d/groups/browsers/brave-sandbox index 7928b1385..8ab3dd522 100644 --- a/apparmor.d/groups/browsers/brave-sandbox +++ b/apparmor.d/groups/browsers/brave-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/brave-wrapper b/apparmor.d/groups/browsers/brave-wrapper index f1127d860..b4f70689c 100644 --- a/apparmor.d/groups/browsers/brave-wrapper +++ b/apparmor.d/groups/browsers/brave-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 93413c25c..5b4738408 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome-crashpad-handler b/apparmor.d/groups/browsers/chrome-crashpad-handler index 67c0d0e8d..ea3d7d64a 100644 --- a/apparmor.d/groups/browsers/chrome-crashpad-handler +++ b/apparmor.d/groups/browsers/chrome-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome-sandbox b/apparmor.d/groups/browsers/chrome-sandbox index 709f57bc8..eceec9f89 100644 --- a/apparmor.d/groups/browsers/chrome-sandbox +++ b/apparmor.d/groups/browsers/chrome-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chrome-wrapper b/apparmor.d/groups/browsers/chrome-wrapper index 8e9e1ba5d..709eb79a1 100644 --- a/apparmor.d/groups/browsers/chrome-wrapper +++ b/apparmor.d/groups/browsers/chrome-wrapper 
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index eb0d87f4f..04fa2c756 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium-crashpad-handler b/apparmor.d/groups/browsers/chromium-crashpad-handler index 2bac71620..8d6ab2461 100644 --- a/apparmor.d/groups/browsers/chromium-crashpad-handler +++ b/apparmor.d/groups/browsers/chromium-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium-sandbox b/apparmor.d/groups/browsers/chromium-sandbox index b07828e3b..98ebf5b62 100644 --- a/apparmor.d/groups/browsers/chromium-sandbox +++ b/apparmor.d/groups/browsers/chromium-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index 9300e46e7..40a775dba 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/ephy-profile-migrator b/apparmor.d/groups/browsers/ephy-profile-migrator index ec343816d..e6f8902dd 100644 --- a/apparmor.d/groups/browsers/ephy-profile-migrator +++ b/apparmor.d/groups/browsers/ephy-profile-migrator @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index be42cb9a0..54eeb79e3 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox b/apparmor.d/groups/browsers/firefox index f35949078..27eb0d54d 100644 --- a/apparmor.d/groups/browsers/firefox +++ b/apparmor.d/groups/browsers/firefox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-crashreporter b/apparmor.d/groups/browsers/firefox-crashreporter index 5223486d0..1c418eef4 100644 --- a/apparmor.d/groups/browsers/firefox-crashreporter +++ b/apparmor.d/groups/browsers/firefox-crashreporter @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index 7a63d82e8..ad4fbb1ff 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-kmozillahelper b/apparmor.d/groups/browsers/firefox-kmozillahelper index 2ad6e2263..efcad72f8 100644 --- a/apparmor.d/groups/browsers/firefox-kmozillahelper +++ b/apparmor.d/groups/browsers/firefox-kmozillahelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-minidump-analyzer b/apparmor.d/groups/browsers/firefox-minidump-analyzer index 08cfc081a..6e13ee872 100644 --- a/apparmor.d/groups/browsers/firefox-minidump-analyzer 
+++ b/apparmor.d/groups/browsers/firefox-minidump-analyzer @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 94dacaf2c..4c86af87a 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-plugin-container b/apparmor.d/groups/browsers/firefox-plugin-container index c7a11b75b..b326d14b4 100644 --- a/apparmor.d/groups/browsers/firefox-plugin-container +++ b/apparmor.d/groups/browsers/firefox-plugin-container @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/firefox-vaapitest b/apparmor.d/groups/browsers/firefox-vaapitest index 603b7a5d6..36069d36f 100644 --- a/apparmor.d/groups/browsers/firefox-vaapitest +++ b/apparmor.d/groups/browsers/firefox-vaapitest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge index 41f8bb3cc..fbe4288a3 100644 --- a/apparmor.d/groups/browsers/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/msedge-crashpad-handler b/apparmor.d/groups/browsers/msedge-crashpad-handler index 9ac6cec22..67e8212ff 100644 --- a/apparmor.d/groups/browsers/msedge-crashpad-handler +++ b/apparmor.d/groups/browsers/msedge-crashpad-handler @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/browsers/msedge-sandbox b/apparmor.d/groups/browsers/msedge-sandbox index 6424e7bd0..2d4dcdd3e 100644 --- a/apparmor.d/groups/browsers/msedge-sandbox +++ b/apparmor.d/groups/browsers/msedge-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/msedge-wrapper b/apparmor.d/groups/browsers/msedge-wrapper index 5fbb9b8f2..8268db2e1 100644 --- a/apparmor.d/groups/browsers/msedge-wrapper +++ b/apparmor.d/groups/browsers/msedge-wrapper @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Jose Maldonado # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera b/apparmor.d/groups/browsers/opera index 33ce558d3..54cc05481 100644 --- a/apparmor.d/groups/browsers/opera +++ b/apparmor.d/groups/browsers/opera @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera-crashreporter b/apparmor.d/groups/browsers/opera-crashreporter index 7b7d6b8d5..01661215a 100644 --- a/apparmor.d/groups/browsers/opera-crashreporter +++ b/apparmor.d/groups/browsers/opera-crashreporter @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/opera-sandbox b/apparmor.d/groups/browsers/opera-sandbox index 4dc591aa3..bebe0a902 100644 --- a/apparmor.d/groups/browsers/opera-sandbox +++ b/apparmor.d/groups/browsers/opera-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/browsers/torbrowser b/apparmor.d/groups/browsers/torbrowser index c0c4a893e..8d8336d6d 100644 --- a/apparmor.d/groups/browsers/torbrowser +++ b/apparmor.d/groups/browsers/torbrowser 
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest
index 54e1d5ad0..ab5eee07f 100644
--- a/apparmor.d/groups/browsers/torbrowser-glxtest
+++ b/apparmor.d/groups/browsers/torbrowser-glxtest
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/browsers/torbrowser-launcher b/apparmor.d/groups/browsers/torbrowser-launcher
index 2d52cd2b4..343d3e0d0 100644
--- a/apparmor.d/groups/browsers/torbrowser-launcher
+++ b/apparmor.d/groups/browsers/torbrowser-launcher
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/browsers/torbrowser-plugin-container b/apparmor.d/groups/browsers/torbrowser-plugin-container
index fa31652c5..88abc411c 100644
--- a/apparmor.d/groups/browsers/torbrowser-plugin-container
+++ b/apparmor.d/groups/browsers/torbrowser-plugin-container
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/browsers/torbrowser-start b/apparmor.d/groups/browsers/torbrowser-start
index e7072c856..58bb31ac8 100644
--- a/apparmor.d/groups/browsers/torbrowser-start
+++ b/apparmor.d/groups/browsers/torbrowser-start
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/browsers/torbrowser-tor b/apparmor.d/groups/browsers/torbrowser-tor
index 7eaa85c5c..73a111206 100644
--- a/apparmor.d/groups/browsers/torbrowser-tor
+++ b/apparmor.d/groups/browsers/torbrowser-tor
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/browsers/torbrowser-updater b/apparmor.d/groups/browsers/torbrowser-updater
index 5aaa82c2a..a5c1e7cc3 100644
--- a/apparmor.d/groups/browsers/torbrowser-updater
+++ b/apparmor.d/groups/browsers/torbrowser-updater
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/browsers/torbrowser-vaapitest b/apparmor.d/groups/browsers/torbrowser-vaapitest
index cf68f3ea7..37ea80f91 100644
--- a/apparmor.d/groups/browsers/torbrowser-vaapitest
+++ b/apparmor.d/groups/browsers/torbrowser-vaapitest
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd
index 46b404f2b..6c4bf4c69 100644
--- a/apparmor.d/groups/bus/at-spi2-registryd
+++ b/apparmor.d/groups/bus/at-spi2-registryd
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility
index bf6a680a2..054af7202 100644
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/dbus-session b/apparmor.d/groups/bus/dbus-session
index 1aa90f2c4..ecec3cb49 100644
--- a/apparmor.d/groups/bus/dbus-session
+++ b/apparmor.d/groups/bus/dbus-session
@@ -7,7 +7,7 @@
 # "dbus-system". It is intended to be used only via "Px ->" or via
 # systemd drop-in AppArmorProfile= setting.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system
index 74853231a..ed2f931cd 100644
--- a/apparmor.d/groups/bus/dbus-system
+++ b/apparmor.d/groups/bus/dbus-system
@@ -7,7 +7,7 @@
 # "dbus-session". It is intended to be used only via "Px ->" or via
 # systemd drop-in AppArmorProfile= setting.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/ibus-daemon b/apparmor.d/groups/bus/ibus-daemon
index 52707ff63..dca91e5f2 100644
--- a/apparmor.d/groups/bus/ibus-daemon
+++ b/apparmor.d/groups/bus/ibus-daemon
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/ibus-dconf b/apparmor.d/groups/bus/ibus-dconf
index f45474e45..8746e3795 100644
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/ibus-engine-simple b/apparmor.d/groups/bus/ibus-engine-simple
index 250ffafbd..ab3b2b2fd 100644
--- a/apparmor.d/groups/bus/ibus-engine-simple
+++ b/apparmor.d/groups/bus/ibus-engine-simple
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/ibus-engine-table b/apparmor.d/groups/bus/ibus-engine-table
index ea39af4be..5182b0dca 100644
--- a/apparmor.d/groups/bus/ibus-engine-table
+++ b/apparmor.d/groups/bus/ibus-engine-table
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3
index 27b7613d5..34d881a8a 100644
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf
index 66fef2950..7e7299bc1 100644
--- a/apparmor.d/groups/bus/ibus-memconf
+++ b/apparmor.d/groups/bus/ibus-memconf
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/ibus-portal b/apparmor.d/groups/bus/ibus-portal
index c902e20d0..5d96f359e 100644
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/bus/ibus-x11 b/apparmor.d/groups/bus/ibus-x11
index fbb924969..1096594aa 100644
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg
index a90f2a85b..24df581f9 100644
--- a/apparmor.d/groups/children/child-dpkg
+++ b/apparmor.d/groups/children/child-dpkg
@@ -9,7 +9,7 @@
 # is invoked from other confined applications, but not when it is used
 # in regular (unconfined) shell scripts or run directly by the user.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-dpkg-divert b/apparmor.d/groups/children/child-dpkg-divert
index 227b92249..6ea41a9e8 100644
--- a/apparmor.d/groups/children/child-dpkg-divert
+++ b/apparmor.d/groups/children/child-dpkg-divert
@@ -9,7 +9,7 @@
 # it is invoked from other confined applications, but not when it is used
 # in regular (unconfined) shell scripts or run directly by the user.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia
index 45b1ff120..b3b0db7ff 100644
--- a/apparmor.d/groups/children/child-modprobe-nvidia
+++ b/apparmor.d/groups/children/child-modprobe-nvidia
@@ -12,7 +12,7 @@
 # intended to be used only via "Px -> child-modprobe-nvidia" exec transitions
 # from other profiles.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open
index 9b34f319e..6804326aa 100644
--- a/apparmor.d/groups/children/child-open
+++ b/apparmor.d/groups/children/child-open
@@ -15,7 +15,7 @@
 # intended to be used only via "Px -> child-open" exec transitions
 # from other profiles.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-open-any b/apparmor.d/groups/children/child-open-any
index 3fcfe4abe..58847a3e3 100644
--- a/apparmor.d/groups/children/child-open-any
+++ b/apparmor.d/groups/children/child-open-any
@@ -7,7 +7,7 @@
 # This version of child-open allows to open any programs.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-open-browsers b/apparmor.d/groups/children/child-open-browsers
index e3da8f38d..6873ea2fc 100644
--- a/apparmor.d/groups/children/child-open-browsers
+++ b/apparmor.d/groups/children/child-open-browsers
@@ -11,7 +11,7 @@
 # intended to be used only via "Px -> child-open-browsers" exec transitions
 # from other profiles.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-open-help b/apparmor.d/groups/children/child-open-help
index 23f9beade..d70cd920a 100644
--- a/apparmor.d/groups/children/child-open-help
+++ b/apparmor.d/groups/children/child-open-help
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict
index f5d0d8ca0..98bbdcdb9 100644
--- a/apparmor.d/groups/children/child-open-strict
+++ b/apparmor.d/groups/children/child-open-strict
@@ -7,7 +7,7 @@
 # This version of child-open only allow to open browsers & folders.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-pager b/apparmor.d/groups/children/child-pager
index 7170009ae..4f9edd9ea 100644
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@@ -9,7 +9,7 @@
 # is invoked from other confined applications, but not when it is used
 # in regular (unconfined) shell scripts or run directly by the user.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl
index d9657a627..6dd9afd4a 100644
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@@ -9,7 +9,7 @@
 # it is invoked from other confined applications, but not when it is
 # used in regular (unconfined) shell scripts or run directly by the user.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/user_confined b/apparmor.d/groups/children/user_confined
index 1d07d7c16..c4d3c9fed 100644
--- a/apparmor.d/groups/children/user_confined
+++ b/apparmor.d/groups/children/user_confined
@@ -5,7 +5,7 @@
 # Allow confined users to read, write, lock and link to their own files
 # anywhere, and execute from some places.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/user_default b/apparmor.d/groups/children/user_default
index 4b010d22c..2853a8deb 100644
--- a/apparmor.d/groups/children/user_default
+++ b/apparmor.d/groups/children/user_default
@@ -6,7 +6,7 @@
 # but only write to files in their home directory. Only allow limited execution
 # of files.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined
index ea40d67bf..f6e4e835e 100644
--- a/apparmor.d/groups/children/user_unconfined
+++ b/apparmor.d/groups/children/user_unconfined
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron
index 3636138c0..61dce67db 100644
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-anacron b/apparmor.d/groups/cron/cron-anacron
index ccce517a9..15d1b9737 100644
--- a/apparmor.d/groups/cron/cron-anacron
+++ b/apparmor.d/groups/cron/cron-anacron
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-apport b/apparmor.d/groups/cron/cron-apport
index e521016cb..61aeaf881 100644
--- a/apparmor.d/groups/cron/cron-apport
+++ b/apparmor.d/groups/cron/cron-apport
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-apt b/apparmor.d/groups/cron/cron-apt
index 41c27ecc7..29294fa53 100644
--- a/apparmor.d/groups/cron/cron-apt
+++ b/apparmor.d/groups/cron/cron-apt
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-apt-compat b/apparmor.d/groups/cron/cron-apt-compat
index 5c0c8054a..2aaa6b142 100644
--- a/apparmor.d/groups/cron/cron-apt-compat
+++ b/apparmor.d/groups/cron/cron-apt-compat
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-apt-listbugs b/apparmor.d/groups/cron/cron-apt-listbugs
index 6415e66b1..f2623dbf4 100644
--- a/apparmor.d/groups/cron/cron-apt-listbugs
+++ b/apparmor.d/groups/cron/cron-apt-listbugs
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-apt-show-versions b/apparmor.d/groups/cron/cron-apt-show-versions
index 460a98d7e..213ed194f 100644
--- a/apparmor.d/groups/cron/cron-apt-show-versions
+++ b/apparmor.d/groups/cron/cron-apt-show-versions
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-apt-xapian-index b/apparmor.d/groups/cron/cron-apt-xapian-index
index 335576536..2c3f90a9a 100644
--- a/apparmor.d/groups/cron/cron-apt-xapian-index
+++ b/apparmor.d/groups/cron/cron-apt-xapian-index
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-aptitude b/apparmor.d/groups/cron/cron-aptitude
index 5769edadf..76657dc94 100644
--- a/apparmor.d/groups/cron/cron-aptitude
+++ b/apparmor.d/groups/cron/cron-aptitude
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-cracklib b/apparmor.d/groups/cron/cron-cracklib
index 5bc3aed32..8a87bd2af 100644
--- a/apparmor.d/groups/cron/cron-cracklib
+++ b/apparmor.d/groups/cron/cron-cracklib
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-debsums b/apparmor.d/groups/cron/cron-debsums
index 6ca80c582..33e785ee0 100644
--- a/apparmor.d/groups/cron/cron-debsums
+++ b/apparmor.d/groups/cron/cron-debsums
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-debtags b/apparmor.d/groups/cron/cron-debtags
index ce32b715e..3e6c182a7 100644
--- a/apparmor.d/groups/cron/cron-debtags
+++ b/apparmor.d/groups/cron/cron-debtags
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-dlocate b/apparmor.d/groups/cron/cron-dlocate
index fa4b03f8d..9599b6b4d 100644
--- a/apparmor.d/groups/cron/cron-dlocate
+++ b/apparmor.d/groups/cron/cron-dlocate
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-etckeeper b/apparmor.d/groups/cron/cron-etckeeper
index 36e105eb6..28a845cfe 100644
--- a/apparmor.d/groups/cron/cron-etckeeper
+++ b/apparmor.d/groups/cron/cron-etckeeper
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-exim4-base b/apparmor.d/groups/cron/cron-exim4-base
index 8fdfb9126..42f2f0823 100644
--- a/apparmor.d/groups/cron/cron-exim4-base
+++ b/apparmor.d/groups/cron/cron-exim4-base
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-ipset-autoban-save b/apparmor.d/groups/cron/cron-ipset-autoban-save
index 6f569d364..601368446 100644
--- a/apparmor.d/groups/cron/cron-ipset-autoban-save
+++ b/apparmor.d/groups/cron/cron-ipset-autoban-save
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-logrotate b/apparmor.d/groups/cron/cron-logrotate
index 723ffe0d8..abe3542f6 100644
--- a/apparmor.d/groups/cron/cron-logrotate
+++ b/apparmor.d/groups/cron/cron-logrotate
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-man-db b/apparmor.d/groups/cron/cron-man-db
index 941f2ef11..8629f7be2 100644
--- a/apparmor.d/groups/cron/cron-man-db
+++ b/apparmor.d/groups/cron/cron-man-db
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-mlocate b/apparmor.d/groups/cron/cron-mlocate
index 9ee08974a..852e85141 100644
--- a/apparmor.d/groups/cron/cron-mlocate
+++ b/apparmor.d/groups/cron/cron-mlocate
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-ntp b/apparmor.d/groups/cron/cron-ntp
index ebc53dcf2..17ab7f745 100644
--- a/apparmor.d/groups/cron/cron-ntp
+++ b/apparmor.d/groups/cron/cron-ntp
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-plocate b/apparmor.d/groups/cron/cron-plocate
index bae69e971..7080658c3 100644
--- a/apparmor.d/groups/cron/cron-plocate
+++ b/apparmor.d/groups/cron/cron-plocate
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest
index 3d25fecff..a1247a0b9 100644
--- a/apparmor.d/groups/cron/cron-popularity-contest
+++ b/apparmor.d/groups/cron/cron-popularity-contest
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/cron-sysstat b/apparmor.d/groups/cron/cron-sysstat
index 064ebc792..4ca22b6a1 100644
--- a/apparmor.d/groups/cron/cron-sysstat
+++ b/apparmor.d/groups/cron/cron-sysstat
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/cron/crontab b/apparmor.d/groups/cron/crontab
index 1144b39c5..bfd4158ad 100644
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/display-manager/lightdm b/apparmor.d/groups/display-manager/lightdm
index 3c66936d0..04accbbf0 100644
--- a/apparmor.d/groups/display-manager/lightdm
+++ b/apparmor.d/groups/display-manager/lightdm
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/display-manager/lightdm-gtk-greeter b/apparmor.d/groups/display-manager/lightdm-gtk-greeter
index 8cc278fc7..e0f5f02f2 100644
--- a/apparmor.d/groups/display-manager/lightdm-gtk-greeter
+++ b/apparmor.d/groups/display-manager/lightdm-gtk-greeter
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/display-manager/lightdm-xsession b/apparmor.d/groups/display-manager/lightdm-xsession
index 14df741df..69a49eecf 100644
--- a/apparmor.d/groups/display-manager/lightdm-xsession
+++ b/apparmor.d/groups/display-manager/lightdm-xsession
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/display-manager/x11-xsession b/apparmor.d/groups/display-manager/x11-xsession
index 6d95290c8..d2f005264 100644
--- a/apparmor.d/groups/display-manager/x11-xsession
+++ b/apparmor.d/groups/display-manager/x11-xsession
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/display-manager/xdm-xsession b/apparmor.d/groups/display-manager/xdm-xsession
index 346f0e5b1..687e0e920 100644
--- a/apparmor.d/groups/display-manager/xdm-xsession
+++ b/apparmor.d/groups/display-manager/xdm-xsession
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/accounts-daemon b/apparmor.d/groups/freedesktop/accounts-daemon
index 1389b2ee6..539a2a57d 100644
--- a/apparmor.d/groups/freedesktop/accounts-daemon
+++ b/apparmor.d/groups/freedesktop/accounts-daemon
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord
index 8ed35020a..f3ab4fedb 100644
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/colord-session b/apparmor.d/groups/freedesktop/colord-session
index e61063bda..16c109970 100644
--- a/apparmor.d/groups/freedesktop/colord-session
+++ b/apparmor.d/groups/freedesktop/colord-session
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/cpupower b/apparmor.d/groups/freedesktop/cpupower
index 2022a208c..b9811b1a6 100644
--- a/apparmor.d/groups/freedesktop/cpupower
+++ b/apparmor.d/groups/freedesktop/cpupower
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/dconf b/apparmor.d/groups/freedesktop/dconf
index 6abd28da3..be4972f04 100644
--- a/apparmor.d/groups/freedesktop/dconf
+++ b/apparmor.d/groups/freedesktop/dconf
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/dconf-editor b/apparmor.d/groups/freedesktop/dconf-editor
index 00d6553ec..3fdbb8b65 100644
--- a/apparmor.d/groups/freedesktop/dconf-editor
+++ b/apparmor.d/groups/freedesktop/dconf-editor
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/dconf-service b/apparmor.d/groups/freedesktop/dconf-service
index 120ff3920..ccebcad74 100644
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/desktop-file-install b/apparmor.d/groups/freedesktop/desktop-file-install
index 269a6b39a..aa9ccae1b 100644
--- a/apparmor.d/groups/freedesktop/desktop-file-install
+++ b/apparmor.d/groups/freedesktop/desktop-file-install
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/fc-cache b/apparmor.d/groups/freedesktop/fc-cache
index 3fbd77be0..c74ad2958 100644
--- a/apparmor.d/groups/freedesktop/fc-cache
+++ b/apparmor.d/groups/freedesktop/fc-cache
@@ -3,7 +3,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/fc-list b/apparmor.d/groups/freedesktop/fc-list
index cd31a79de..3f2fb4e02 100644
--- a/apparmor.d/groups/freedesktop/fc-list
+++ b/apparmor.d/groups/freedesktop/fc-list
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/geoclue b/apparmor.d/groups/freedesktop/geoclue
index 7e2a282ac..ec1633a9e 100644
--- a/apparmor.d/groups/freedesktop/geoclue
+++ b/apparmor.d/groups/freedesktop/geoclue
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/iio-sensor-proxy b/apparmor.d/groups/freedesktop/iio-sensor-proxy
index c8ab6b2b8..d7122bdbb 100644
--- a/apparmor.d/groups/freedesktop/iio-sensor-proxy
+++ b/apparmor.d/groups/freedesktop/iio-sensor-proxy
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire
index bdadeabe3..cf98a133e 100644
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/pipewire-media-session b/apparmor.d/groups/freedesktop/pipewire-media-session
index f316df3b0..212898a84 100644
--- a/apparmor.d/groups/freedesktop/pipewire-media-session
+++ b/apparmor.d/groups/freedesktop/pipewire-media-session
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse
index a0026b4e1..b5644440f 100644
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/plymouth b/apparmor.d/groups/freedesktop/plymouth
index 278c09aea..327eca3e5 100644
--- a/apparmor.d/groups/freedesktop/plymouth
+++ b/apparmor.d/groups/freedesktop/plymouth
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/plymouth-set-default-theme b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
index e5440d614..bd5a34dcd 100644
--- a/apparmor.d/groups/freedesktop/plymouth-set-default-theme
+++ b/apparmor.d/groups/freedesktop/plymouth-set-default-theme
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/plymouthd b/apparmor.d/groups/freedesktop/plymouthd
index 815375f20..8e5933073 100644
--- a/apparmor.d/groups/freedesktop/plymouthd
+++ b/apparmor.d/groups/freedesktop/plymouthd
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/polkit-agent-helper b/apparmor.d/groups/freedesktop/polkit-agent-helper
index d6265589f..bb6e457ff 100644
--- a/apparmor.d/groups/freedesktop/polkit-agent-helper
+++ b/apparmor.d/groups/freedesktop/polkit-agent-helper
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
index 71709ed4f..94bc7ece6 100644
--- a/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
index e67ccbf6a..7ca73cd63 100644
--- a/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-kde-authentication-agent
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
index 3aa47de3c..0dfea7525 100644
--- a/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
+++ b/apparmor.d/groups/freedesktop/polkit-mate-authentication-agent
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/polkitd b/apparmor.d/groups/freedesktop/polkitd
index 2533b1982..089e61744 100644
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio
index e4a563755..804020b7b 100644
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@@ -4,7 +4,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database
index e070bff2f..19aa4079a 100644
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/update-mime-database b/apparmor.d/groups/freedesktop/update-mime-database
index 778af218c..9efd9cccc 100644
--- a/apparmor.d/groups/freedesktop/update-mime-database
+++ b/apparmor.d/groups/freedesktop/update-mime-database
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/upower b/apparmor.d/groups/freedesktop/upower
index 0428aebfc..1cb7c9583 100644
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd
index a6032976d..e9b6f5c05 100644
--- a/apparmor.d/groups/freedesktop/upowerd
+++ b/apparmor.d/groups/freedesktop/upowerd
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 6e5b5adb0..6ebc28929 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index 7379369e1..0b0953f6e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index 4204c51d1..147d4c090 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 720d794b7..00cb35b62 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 8184ffbdf..9cbf81bc6 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 9eaea73aa..0daa77899 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland index 05c12eaf3..876825ee4 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-hyprland @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde index ae2691cb0..309248e18 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-kde @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers index a76f73b36..62adb343b 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 2735c8633..611e1ab9c 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index fa8abd38f..d7228b653 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index 66cd5435f..bda6621d3 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 28c1836c9..c31ff0064 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -5,7 +5,7 @@ # TODO: This profile needs to be rewritten and integrated with the xdg-open profiles. -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index e7ee7dc8c..096132af5 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index fa139a9ec..057c64208 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index 792c6b859..784c63364 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index a4d611712..38ae2c1b5 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dir b/apparmor.d/groups/freedesktop/xdg-user-dir index 7fcf6f3ec..f963a21b9 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dir +++ b/apparmor.d/groups/freedesktop/xdg-user-dir @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update index 01a289533..8892bd1ce 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xdg-user-dirs-update b/apparmor.d/groups/freedesktop/xdg-user-dirs-update index 4730ca091..7177703a9 100644 --- a/apparmor.d/groups/freedesktop/xdg-user-dirs-update +++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-update @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xhost b/apparmor.d/groups/freedesktop/xhost index 26b1bc598..6032179e4 100644 
--- a/apparmor.d/groups/freedesktop/xhost +++ b/apparmor.d/groups/freedesktop/xhost @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index c055b9be2..941cc8f92 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index 6be9e2126..dce42dc85 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index aaa19b998..99959fc73 100644 --- a/apparmor.d/groups/freedesktop/xprop +++ b/apparmor.d/groups/freedesktop/xprop @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xrandr b/apparmor.d/groups/freedesktop/xrandr index 99e07a121..fc1935c4b 100644 --- a/apparmor.d/groups/freedesktop/xrandr +++ b/apparmor.d/groups/freedesktop/xrandr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xrdb b/apparmor.d/groups/freedesktop/xrdb index 638f6ebee..55d069815 100644 --- a/apparmor.d/groups/freedesktop/xrdb +++ b/apparmor.d/groups/freedesktop/xrdb @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xset b/apparmor.d/groups/freedesktop/xset index ff09d2b1a..20dc2b1fb 100644 --- a/apparmor.d/groups/freedesktop/xset 
+++ b/apparmor.d/groups/freedesktop/xset @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xsetroot b/apparmor.d/groups/freedesktop/xsetroot index db5d0a7aa..bc1291ef4 100644 --- a/apparmor.d/groups/freedesktop/xsetroot +++ b/apparmor.d/groups/freedesktop/xsetroot @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index 9b61e7dea..c2710eb83 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/chrome-gnome-shell b/apparmor.d/groups/gnome/chrome-gnome-shell index 9063afc57..8c6372ba5 100644 --- a/apparmor.d/groups/gnome/chrome-gnome-shell +++ b/apparmor.d/groups/gnome/chrome-gnome-shell @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/deja-dup-monitor b/apparmor.d/groups/gnome/deja-dup-monitor index 444fc581f..cc6645590 100644 --- a/apparmor.d/groups/gnome/deja-dup-monitor +++ b/apparmor.d/groups/gnome/deja-dup-monitor @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/epiphany-search-provider b/apparmor.d/groups/gnome/epiphany-search-provider index ca1213df9..88ec63ea7 100644 --- a/apparmor.d/groups/gnome/epiphany-search-provider +++ b/apparmor.d/groups/gnome/epiphany-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/gnome/epiphany-webapp-provider b/apparmor.d/groups/gnome/epiphany-webapp-provider index 7dda86245..c161a5a0c 100644 --- a/apparmor.d/groups/gnome/epiphany-webapp-provider +++ b/apparmor.d/groups/gnome/epiphany-webapp-provider @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-addressbook-factory b/apparmor.d/groups/gnome/evolution-addressbook-factory index de7c3c299..c6494c95f 100644 --- a/apparmor.d/groups/gnome/evolution-addressbook-factory +++ b/apparmor.d/groups/gnome/evolution-addressbook-factory @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-alarm-notify b/apparmor.d/groups/gnome/evolution-alarm-notify index abae74d45..ce8f799bb 100644 --- a/apparmor.d/groups/gnome/evolution-alarm-notify +++ b/apparmor.d/groups/gnome/evolution-alarm-notify @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory index d1ec45ac4..f856a06d2 100644 --- a/apparmor.d/groups/gnome/evolution-calendar-factory +++ b/apparmor.d/groups/gnome/evolution-calendar-factory @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/evolution-source-registry b/apparmor.d/groups/gnome/evolution-source-registry index 7c97acc2e..379ea5bef 100644 --- a/apparmor.d/groups/gnome/evolution-source-registry +++ b/apparmor.d/groups/gnome/evolution-source-registry @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/gnome/evolution-user-prompter b/apparmor.d/groups/gnome/evolution-user-prompter index d9d2e6a55..d1c095abf 100644 --- a/apparmor.d/groups/gnome/evolution-user-prompter +++ b/apparmor.d/groups/gnome/evolution-user-prompter @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gcr-prompter b/apparmor.d/groups/gnome/gcr-prompter index 7ecb4fb84..a1e323c87 100644 --- a/apparmor.d/groups/gnome/gcr-prompter +++ b/apparmor.d/groups/gnome/gcr-prompter @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gcr-ssh-agent b/apparmor.d/groups/gnome/gcr-ssh-agent index a6f0f22fd..24e94d9cb 100644 --- a/apparmor.d/groups/gnome/gcr-ssh-agent +++ b/apparmor.d/groups/gnome/gcr-ssh-agent @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm b/apparmor.d/groups/gnome/gdm index 2817f668e..b0f5e81a5 100644 --- a/apparmor.d/groups/gnome/gdm +++ b/apparmor.d/groups/gnome/gdm @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm-generate-config b/apparmor.d/groups/gnome/gdm-generate-config index d9e121c41..dc11e8169 100644 --- a/apparmor.d/groups/gnome/gdm-generate-config +++ b/apparmor.d/groups/gnome/gdm-generate-config @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut index 5e4e02b6f..b5b111604 100644 --- a/apparmor.d/groups/gnome/gdm-prime-defaut +++ b/apparmor.d/groups/gnome/gdm-prime-defaut 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm-runtime-config b/apparmor.d/groups/gnome/gdm-runtime-config index 26ce14234..558f3677c 100644 --- a/apparmor.d/groups/gnome/gdm-runtime-config +++ b/apparmor.d/groups/gnome/gdm-runtime-config @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm-session b/apparmor.d/groups/gnome/gdm-session index da99a23db..4e3440656 100644 --- a/apparmor.d/groups/gnome/gdm-session +++ b/apparmor.d/groups/gnome/gdm-session @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index f50e30311..8f6770ec1 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gdm-xsession b/apparmor.d/groups/gnome/gdm-xsession index a48958b40..2cdae783d 100644 --- a/apparmor.d/groups/gnome/gdm-xsession +++ b/apparmor.d/groups/gnome/gdm-xsession @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 4e9539968..4b395eb82 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -8,7 +8,7 @@ # - Direct access should only be needed is some special context and it should not # require access to that much resources. -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index d84a3378f..613be32d3 100644 
--- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -7,7 +7,7 @@ # confined under this profile. The resulting profile is quite broad. # This architecture needs to be rethinked. -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gkbd-keyboard-display b/apparmor.d/groups/gnome/gkbd-keyboard-display index 7b9fc07cd..18b11e9be 100644 --- a/apparmor.d/groups/gnome/gkbd-keyboard-display +++ b/apparmor.d/groups/gnome/gkbd-keyboard-display @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-boxes b/apparmor.d/groups/gnome/gnome-boxes index 46007489e..f44f42e63 100644 --- a/apparmor.d/groups/gnome/gnome-boxes +++ b/apparmor.d/groups/gnome/gnome-boxes @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-browser-connector-host b/apparmor.d/groups/gnome/gnome-browser-connector-host index 09ac8dbad..d31811152 100644 --- a/apparmor.d/groups/gnome/gnome-browser-connector-host +++ b/apparmor.d/groups/gnome/gnome-browser-connector-host @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 2ac0e4ca7..17fcdc4f6 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index a0a5f7e6f..2eaacdefb 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 2db321baf..16cfa77c8 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 457bcfea2..730feb31c 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 6e975a7dd..4b70cdfa6 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index d8f77070b..da42a2ef7 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index fc96424a9..66651f3a2 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/gnome/gnome-contacts-search-provider b/apparmor.d/groups/gnome/gnome-contacts-search-provider index a0a74f62e..0abc39acd 100644 --- a/apparmor.d/groups/gnome/gnome-contacts-search-provider +++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index b0006d774..310b7a981 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-control-center-goa-helper b/apparmor.d/groups/gnome/gnome-control-center-goa-helper index a210cbd18..4695c87d4 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper +++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index db68c40b5..59679deb8 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 53ced47f0..3dfd1bf03 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers index bb1f5012a..436d82443 100644 --- a/apparmor.d/groups/gnome/gnome-desktop-thumbnailers +++ b/apparmor.d/groups/gnome/gnome-desktop-thumbnailers @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-disk-image-mounter b/apparmor.d/groups/gnome/gnome-disk-image-mounter index fe743f186..379a887b3 100644 --- a/apparmor.d/groups/gnome/gnome-disk-image-mounter +++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-disks b/apparmor.d/groups/gnome/gnome-disks index 575668029..4d5301262 100644 --- a/apparmor.d/groups/gnome/gnome-disks +++ b/apparmor.d/groups/gnome/gnome-disks @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-extension-ding b/apparmor.d/groups/gnome/gnome-extension-ding index 1cef7f074..7c9a80777 100644 --- a/apparmor.d/groups/gnome/gnome-extension-ding +++ b/apparmor.d/groups/gnome/gnome-extension-ding @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-extension-gsconnect b/apparmor.d/groups/gnome/gnome-extension-gsconnect index 58b528704..4c4b00c5d 100644 --- a/apparmor.d/groups/gnome/gnome-extension-gsconnect +++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index d3ed3794b..942d7b404 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index 1b110f6e3..29899f8f1 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index 307fc06e3..7d33b3103 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-font-viewer b/apparmor.d/groups/gnome/gnome-font-viewer index 2844be9b7..2e16f9f41 100644 --- a/apparmor.d/groups/gnome/gnome-font-viewer +++ b/apparmor.d/groups/gnome/gnome-font-viewer @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup index c3904d836..d27ccb8bb 100644 --- a/apparmor.d/groups/gnome/gnome-initial-setup +++ b/apparmor.d/groups/gnome/gnome-initial-setup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 5d945b641..905c16b89 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon 
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index ab0a6144f..ae81fc825 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 36f93215f..1f2faafbb 100644 --- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 710393390..a40c25fd8 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-photos-thumbnailer b/apparmor.d/groups/gnome/gnome-photos-thumbnailer index 410953e49..0182e9dad 100644 --- a/apparmor.d/groups/gnome/gnome-photos-thumbnailer +++ b/apparmor.d/groups/gnome/gnome-photos-thumbnailer @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes index c2e11a805..5ebd788c0 100644 --- a/apparmor.d/groups/gnome/gnome-recipes +++ b/apparmor.d/groups/gnome/gnome-recipes @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon index 46d21977c..19e448b1b 100644 
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon +++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-session b/apparmor.d/groups/gnome/gnome-session index 171a93338..597a47c12 100644 --- a/apparmor.d/groups/gnome/gnome-session +++ b/apparmor.d/groups/gnome/gnome-session @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 25be8038c..0825d418f 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-session-ctl b/apparmor.d/groups/gnome/gnome-session-ctl index 220a9cac3..04c4ce628 100644 --- a/apparmor.d/groups/gnome/gnome-session-ctl +++ b/apparmor.d/groups/gnome/gnome-session-ctl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 0fd0d1e83..b83de9bf4 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-shell-calendar-server b/apparmor.d/groups/gnome/gnome-shell-calendar-server index 371ed3e01..357104e57 100644 --- a/apparmor.d/groups/gnome/gnome-shell-calendar-server +++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer index f0e9bf398..51d5b43cf 100644 --- a/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer +++ b/apparmor.d/groups/gnome/gnome-shell-hotplug-sniffer @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-shell-overrides-migration b/apparmor.d/groups/gnome/gnome-shell-overrides-migration index d041df4de..8d5cc4d1d 100644 --- a/apparmor.d/groups/gnome/gnome-shell-overrides-migration +++ b/apparmor.d/groups/gnome/gnome-shell-overrides-migration @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 343205e12..da5ed232f 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-system-monitor b/apparmor.d/groups/gnome/gnome-system-monitor index 730ea1ffe..92cbd369e 100644 --- a/apparmor.d/groups/gnome/gnome-system-monitor +++ b/apparmor.d/groups/gnome/gnome-system-monitor @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index c5b1ec821..d96c20c36 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index 8641e01bd..efbb55f35 100644 
--- a/apparmor.d/groups/gnome/gnome-text-editor
+++ b/apparmor.d/groups/gnome/gnome-text-editor
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gnome-tour b/apparmor.d/groups/gnome/gnome-tour
index fc6605232..1dcb2af68 100644
--- a/apparmor.d/groups/gnome/gnome-tour
+++ b/apparmor.d/groups/gnome/gnome-tour
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks
index 01518446b..d21e23824 100644
--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gnome-user-share-webdav b/apparmor.d/groups/gnome/gnome-user-share-webdav
index 37e1ea496..d54d7476a 100644
--- a/apparmor.d/groups/gnome/gnome-user-share-webdav
+++ b/apparmor.d/groups/gnome/gnome-user-share-webdav
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather
index a49fe97bd..11e75cb2a 100644
--- a/apparmor.d/groups/gnome/gnome-weather
+++ b/apparmor.d/groups/gnome/gnome-weather
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/goa-daemon b/apparmor.d/groups/gnome/goa-daemon
index 968bf154a..8176d6c7c 100644
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/goa-identity-service b/apparmor.d/groups/gnome/goa-identity-service
index cf62b5f50..3992811c2 100644
--- a/apparmor.d/groups/gnome/goa-identity-service
+++ b/apparmor.d/groups/gnome/goa-identity-service
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings
index f9d3804c7..86ca1bbf2 100644
--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 8d77f6cb2..3f4895dbd 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime
index db829825b..b7a3e4bcb 100644
--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-disk-utility-notify b/apparmor.d/groups/gnome/gsd-disk-utility-notify
index d1e65865f..55e6b3736 100644
--- a/apparmor.d/groups/gnome/gsd-disk-utility-notify
+++ b/apparmor.d/groups/gnome/gsd-disk-utility-notify
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping
index 7194b7a2b..f7d0f51ad 100644
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard
index d621a43ae..baac36f87 100644
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys
index dc6e8aeb7..6fee16f5c 100644
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power
index 9a197e5bf..452d18afd 100644
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications
index b684c0c7c..bb047e917 100644
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer
index 9db9abb09..4c485e172 100644
--- a/apparmor.d/groups/gnome/gsd-printer
+++ b/apparmor.d/groups/gnome/gsd-printer
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill
index 456361e88..c7eb53e60 100644
--- a/apparmor.d/groups/gnome/gsd-rfkill
+++ b/apparmor.d/groups/gnome/gsd-rfkill
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy
index e0d3dc1b0..8115ca01b 100644
--- a/apparmor.d/groups/gnome/gsd-screensaver-proxy
+++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing
index 83a444c7d..a2fdf107a 100644
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard
index 0f04ae120..9cda7f5d3 100644
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound
index ea063aeda..ae4844956 100644
--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-usb-protection b/apparmor.d/groups/gnome/gsd-usb-protection
index 4db37cb0a..2359c9f39 100644
--- a/apparmor.d/groups/gnome/gsd-usb-protection
+++ b/apparmor.d/groups/gnome/gsd-usb-protection
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom
index 9b6e13fdb..ff0dc419c 100644
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-wwan b/apparmor.d/groups/gnome/gsd-wwan
index 9c8852055..ab2b2b089 100644
--- a/apparmor.d/groups/gnome/gsd-wwan
+++ b/apparmor.d/groups/gnome/gsd-wwan
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings
index 4b489c259..51bcf2e10 100644
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx
index b704e580b..66a278036 100644
--- a/apparmor.d/groups/gnome/kgx
+++ b/apparmor.d/groups/gnome/kgx
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe
index 56c4a2c5d..fb7bef34a 100644
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames
index 0a208c6ad..183e6cf4a 100644
--- a/apparmor.d/groups/gnome/mutter-x11-frames
+++ b/apparmor.d/groups/gnome/mutter-x11-frames
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus
index d7736d7a8..ccaf5d6f7 100644
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
index 15a9170cd..2d06a9ab3 100644
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/seahorse b/apparmor.d/groups/gnome/seahorse
index cb41a046d..921f6aa30 100644
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/session-migration b/apparmor.d/groups/gnome/session-migration
index 41c9b28af..d519dca6e 100644
--- a/apparmor.d/groups/gnome/session-migration
+++ b/apparmor.d/groups/gnome/session-migration
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract
index 7752d9dd3..a8dc13b19 100644
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner
index f54f05731..e58f9b982 100644
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/tracker-writeback b/apparmor.d/groups/gnome/tracker-writeback
index 426b1be60..a5346b463 100644
--- a/apparmor.d/groups/gnome/tracker-writeback
+++ b/apparmor.d/groups/gnome/tracker-writeback
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/tracker-xdg-portal b/apparmor.d/groups/gnome/tracker-xdg-portal
index bf612104f..20ed6bdce 100644
--- a/apparmor.d/groups/gnome/tracker-xdg-portal
+++ b/apparmor.d/groups/gnome/tracker-xdg-portal
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp
index e10c0cc22..71d8f7504 100644
--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gpg/dirmngr b/apparmor.d/groups/gpg/dirmngr
index a0c131bcd..167e8757c 100644
--- a/apparmor.d/groups/gpg/dirmngr
+++ b/apparmor.d/groups/gpg/dirmngr
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg
index a7aa93d2b..247c6e4ac 100644
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent
index b7e00a45d..17e360d09 100644
--- a/apparmor.d/groups/gpg/gpg-agent
+++ b/apparmor.d/groups/gpg/gpg-agent
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gpg/gpg-connect-agent b/apparmor.d/groups/gpg/gpg-connect-agent
index 9bf2bf897..d6c88c4fd 100644
--- a/apparmor.d/groups/gpg/gpg-connect-agent
+++ b/apparmor.d/groups/gpg/gpg-connect-agent
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gpg/gpgconf b/apparmor.d/groups/gpg/gpgconf
index 9537c60c6..61c6cf8de 100644
--- a/apparmor.d/groups/gpg/gpgconf
+++ b/apparmor.d/groups/gpg/gpgconf
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gpg/gpgsm b/apparmor.d/groups/gpg/gpgsm
index 5bfa3fdf4..364c05f73 100644
--- a/apparmor.d/groups/gpg/gpgsm
+++ b/apparmor.d/groups/gpg/gpgsm
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gpg/keyboxd b/apparmor.d/groups/gpg/keyboxd
index bf77509fd..cb0046fd6 100644
--- a/apparmor.d/groups/gpg/keyboxd
+++ b/apparmor.d/groups/gpg/keyboxd
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gpg/scdaemon b/apparmor.d/groups/gpg/scdaemon
index 2160cbea9..e88f34d4b 100644
--- a/apparmor.d/groups/gpg/scdaemon
+++ b/apparmor.d/groups/gpg/scdaemon
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-bios-setup b/apparmor.d/groups/grub/grub-bios-setup
index 44602a4ee..b0d606701 100644
--- a/apparmor.d/groups/grub/grub-bios-setup
+++ b/apparmor.d/groups/grub/grub-bios-setup
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-check-signatures b/apparmor.d/groups/grub/grub-check-signatures
index 1ab754daf..1a1110091 100644
--- a/apparmor.d/groups/grub/grub-check-signatures
+++ b/apparmor.d/groups/grub/grub-check-signatures
@@ -2,7 +2,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-editenv b/apparmor.d/groups/grub/grub-editenv
index 414f12909..6bdc7362a 100644
--- a/apparmor.d/groups/grub/grub-editenv
+++ b/apparmor.d/groups/grub/grub-editenv
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-file b/apparmor.d/groups/grub/grub-file
index 0c43d739d..6551bd553 100644
--- a/apparmor.d/groups/grub/grub-file
+++ b/apparmor.d/groups/grub/grub-file
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-fstest b/apparmor.d/groups/grub/grub-fstest
index c8f4d48a8..3819fe890 100644
--- a/apparmor.d/groups/grub/grub-fstest
+++ b/apparmor.d/groups/grub/grub-fstest
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-glue-efi b/apparmor.d/groups/grub/grub-glue-efi
index 0c2d91173..f72664388 100644
--- a/apparmor.d/groups/grub/grub-glue-efi
+++ b/apparmor.d/groups/grub/grub-glue-efi
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-install b/apparmor.d/groups/grub/grub-install
index 7902bf02d..83e30cbf6 100644
--- a/apparmor.d/groups/grub/grub-install
+++ b/apparmor.d/groups/grub/grub-install
@@ -3,7 +3,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-kbdcomp b/apparmor.d/groups/grub/grub-kbdcomp
index 7c49e93ec..0334bf2f5 100644
--- a/apparmor.d/groups/grub/grub-kbdcomp
+++ b/apparmor.d/groups/grub/grub-kbdcomp
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-macbless b/apparmor.d/groups/grub/grub-macbless
index 8f73e3807..c2571ea73 100644
--- a/apparmor.d/groups/grub/grub-macbless
+++ b/apparmor.d/groups/grub/grub-macbless
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-menulst2cfg b/apparmor.d/groups/grub/grub-menulst2cfg
index 826de1e1d..cd2d0121d 100644
--- a/apparmor.d/groups/grub/grub-menulst2cfg
+++ b/apparmor.d/groups/grub/grub-menulst2cfg
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index cd9c825f6..2a60d69c5 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -3,7 +3,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mkdevicemap b/apparmor.d/groups/grub/grub-mkdevicemap
index 0af9aab2d..533f9780b 100644
--- a/apparmor.d/groups/grub/grub-mkdevicemap
+++ b/apparmor.d/groups/grub/grub-mkdevicemap
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mkfont b/apparmor.d/groups/grub/grub-mkfont
index 52d719b38..a1e4b1eff 100644
--- a/apparmor.d/groups/grub/grub-mkfont
+++ b/apparmor.d/groups/grub/grub-mkfont
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mkimage b/apparmor.d/groups/grub/grub-mkimage
index ac5fef3b4..54f8dcc80 100644
--- a/apparmor.d/groups/grub/grub-mkimage
+++ b/apparmor.d/groups/grub/grub-mkimage
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mklayout b/apparmor.d/groups/grub/grub-mklayout
index 616627f35..11263914b 100644
--- a/apparmor.d/groups/grub/grub-mklayout
+++ b/apparmor.d/groups/grub/grub-mklayout
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mknetdir b/apparmor.d/groups/grub/grub-mknetdir
index 9bb011422..10aaa77d4 100644
--- a/apparmor.d/groups/grub/grub-mknetdir
+++ b/apparmor.d/groups/grub/grub-mknetdir
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2 b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
index 58b7da49b..45cefcedf 100644
--- a/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
+++ b/apparmor.d/groups/grub/grub-mkpasswd-pbkdf2
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mkrelpath b/apparmor.d/groups/grub/grub-mkrelpath
index 22e0b754a..a60a6aaba 100644
--- a/apparmor.d/groups/grub/grub-mkrelpath
+++ b/apparmor.d/groups/grub/grub-mkrelpath
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mkrescue b/apparmor.d/groups/grub/grub-mkrescue
index 4eee01abf..dfd9ce031 100644
--- a/apparmor.d/groups/grub/grub-mkrescue
+++ b/apparmor.d/groups/grub/grub-mkrescue
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mkstandalone b/apparmor.d/groups/grub/grub-mkstandalone
index c891fd4bf..8cce05fb9 100644
--- a/apparmor.d/groups/grub/grub-mkstandalone
+++ b/apparmor.d/groups/grub/grub-mkstandalone
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-mount b/apparmor.d/groups/grub/grub-mount
index a21f427e8..e660069bd 100644
--- a/apparmor.d/groups/grub/grub-mount
+++ b/apparmor.d/groups/grub/grub-mount
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-multi-install b/apparmor.d/groups/grub/grub-multi-install
index 9360173af..94c4c7e2b 100644
--- a/apparmor.d/groups/grub/grub-multi-install
+++ b/apparmor.d/groups/grub/grub-multi-install
@@ -2,7 +2,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-ntldr-img b/apparmor.d/groups/grub/grub-ntldr-img
index 885384b6d..676b16f1b 100644
--- a/apparmor.d/groups/grub/grub-ntldr-img
+++ b/apparmor.d/groups/grub/grub-ntldr-img
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-probe b/apparmor.d/groups/grub/grub-probe
index d0ef6b78b..80d517deb 100644
--- a/apparmor.d/groups/grub/grub-probe
+++ b/apparmor.d/groups/grub/grub-probe
@@ -3,7 +3,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-reboot b/apparmor.d/groups/grub/grub-reboot
index 236a46241..7d94a22af 100644
--- a/apparmor.d/groups/grub/grub-reboot
+++ b/apparmor.d/groups/grub/grub-reboot
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-render-label b/apparmor.d/groups/grub/grub-render-label
index 005823ffa..5d7c4cfe0 100644
--- a/apparmor.d/groups/grub/grub-render-label
+++ b/apparmor.d/groups/grub/grub-render-label
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-script-check b/apparmor.d/groups/grub/grub-script-check
index 9cb595834..93b344cf8 100644
--- a/apparmor.d/groups/grub/grub-script-check
+++ b/apparmor.d/groups/grub/grub-script-check
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-set-default b/apparmor.d/groups/grub/grub-set-default
index 729ff11d9..11c78024b 100644
--- a/apparmor.d/groups/grub/grub-set-default
+++ b/apparmor.d/groups/grub/grub-set-default
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-sort-version b/apparmor.d/groups/grub/grub-sort-version
index bea282862..5e65fe835 100644
--- a/apparmor.d/groups/grub/grub-sort-version
+++ b/apparmor.d/groups/grub/grub-sort-version
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/grub-syslinux2cfg b/apparmor.d/groups/grub/grub-syslinux2cfg
index 581ab262b..584e33268 100644
--- a/apparmor.d/groups/grub/grub-syslinux2cfg
+++ b/apparmor.d/groups/grub/grub-syslinux2cfg
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/grub/update-grub b/apparmor.d/groups/grub/update-grub
index e74f72349..03df05295 100644
--- a/apparmor.d/groups/grub/update-grub
+++ b/apparmor.d/groups/grub/update-grub
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
index 0b35916b0..a681f2626 100644
--- a/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-afc-volume-monitor
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
index 66681c8af..1e65e2183 100644
--- a/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-goa-volume-monitor
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
index 5b21c3a6b..a8d7ffb35 100644
--- a/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-gphoto2-volume-monitor
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
index dfdf41113..d71b71523 100644
--- a/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-mtp-volume-monitor
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
index 477354574..ccbe15fd1 100644
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@@ -3,7 +3,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd b/apparmor.d/groups/gvfs/gvfsd
index c31c1038f..c5c4dc3c1 100644
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-admin b/apparmor.d/groups/gvfs/gvfsd-admin
index 34e4cdfd6..7a1584d48 100644
--- a/apparmor.d/groups/gvfs/gvfsd-admin
+++ b/apparmor.d/groups/gvfs/gvfsd-admin
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-afc b/apparmor.d/groups/gvfs/gvfsd-afc
index 6054f50b8..68d4b689e 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afc
+++ b/apparmor.d/groups/gvfs/gvfsd-afc
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-afp b/apparmor.d/groups/gvfs/gvfsd-afp
index 1ea7c14b8..eeaaec059 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afp
+++ b/apparmor.d/groups/gvfs/gvfsd-afp
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-afp-browse b/apparmor.d/groups/gvfs/gvfsd-afp-browse
index 8baf49101..48680f12f 100644
--- a/apparmor.d/groups/gvfs/gvfsd-afp-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-afp-browse
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-archive b/apparmor.d/groups/gvfs/gvfsd-archive
index 4c860fe45..918841320 100644
--- a/apparmor.d/groups/gvfs/gvfsd-archive
+++ b/apparmor.d/groups/gvfs/gvfsd-archive
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-burn b/apparmor.d/groups/gvfs/gvfsd-burn
index 4063141d4..b70fa7110 100644
--- a/apparmor.d/groups/gvfs/gvfsd-burn
+++ b/apparmor.d/groups/gvfs/gvfsd-burn
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-cdda b/apparmor.d/groups/gvfs/gvfsd-cdda
index dc69cea53..0648f5dc0 100644
--- a/apparmor.d/groups/gvfs/gvfsd-cdda
+++ b/apparmor.d/groups/gvfs/gvfsd-cdda
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-computer b/apparmor.d/groups/gvfs/gvfsd-computer
index b1479d780..e756c8440 100644
--- a/apparmor.d/groups/gvfs/gvfsd-computer
+++ b/apparmor.d/groups/gvfs/gvfsd-computer
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-dav b/apparmor.d/groups/gvfs/gvfsd-dav
index bb86dd7db..77e1a2f6f 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-dnssd b/apparmor.d/groups/gvfs/gvfsd-dnssd
index 1bad8c349..2f3b8d8f2 100644
--- a/apparmor.d/groups/gvfs/gvfsd-dnssd
+++ b/apparmor.d/groups/gvfs/gvfsd-dnssd
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-ftp b/apparmor.d/groups/gvfs/gvfsd-ftp
index 47b58d639..5b7c833a5 100644
--- a/apparmor.d/groups/gvfs/gvfsd-ftp
+++ b/apparmor.d/groups/gvfs/gvfsd-ftp
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-fuse b/apparmor.d/groups/gvfs/gvfsd-fuse
index b49ad1d90..375040ec3 100644
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-google b/apparmor.d/groups/gvfs/gvfsd-google
index b6aa722e7..eb80f3a7a 100644
--- a/apparmor.d/groups/gvfs/gvfsd-google
+++ b/apparmor.d/groups/gvfs/gvfsd-google
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-gphoto2 b/apparmor.d/groups/gvfs/gvfsd-gphoto2
index 731bdd204..688f03c27 100644
--- a/apparmor.d/groups/gvfs/gvfsd-gphoto2
+++ b/apparmor.d/groups/gvfs/gvfsd-gphoto2
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-http b/apparmor.d/groups/gvfs/gvfsd-http
index a2d02063c..2fe0a1e2b 100644
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-localtest b/apparmor.d/groups/gvfs/gvfsd-localtest
index da0a21386..5ffbabb40 100644
--- a/apparmor.d/groups/gvfs/gvfsd-localtest
+++ b/apparmor.d/groups/gvfs/gvfsd-localtest
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-metadata b/apparmor.d/groups/gvfs/gvfsd-metadata
index 6237715a8..902bbf40e 100644
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@@ -3,7 +3,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-mtp b/apparmor.d/groups/gvfs/gvfsd-mtp
index a5a4c8ce2..3c747b8b3 100644
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/gvfs/gvfsd-network b/apparmor.d/groups/gvfs/gvfsd-network index 8fc843290..87851fc16 100644 --- a/apparmor.d/groups/gvfs/gvfsd-network +++ b/apparmor.d/groups/gvfs/gvfsd-network @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gvfs/gvfsd-nfs b/apparmor.d/groups/gvfs/gvfsd-nfs index 0a2ab4d1c..575d9de39 100644 --- a/apparmor.d/groups/gvfs/gvfsd-nfs +++ b/apparmor.d/groups/gvfs/gvfsd-nfs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gvfs/gvfsd-recent b/apparmor.d/groups/gvfs/gvfsd-recent index 9509d3184..38819e872 100644 --- a/apparmor.d/groups/gvfs/gvfsd-recent +++ b/apparmor.d/groups/gvfs/gvfsd-recent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gvfs/gvfsd-sftp b/apparmor.d/groups/gvfs/gvfsd-sftp index 05c8a2bbf..cabee57c2 100644 --- a/apparmor.d/groups/gvfs/gvfsd-sftp +++ b/apparmor.d/groups/gvfs/gvfsd-sftp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gvfs/gvfsd-smb b/apparmor.d/groups/gvfs/gvfsd-smb index 4eb770986..24891e9c3 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb +++ b/apparmor.d/groups/gvfs/gvfsd-smb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gvfs/gvfsd-smb-browse b/apparmor.d/groups/gvfs/gvfsd-smb-browse index 3882e6f1c..f285a3c15 100644 --- a/apparmor.d/groups/gvfs/gvfsd-smb-browse +++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/gvfs/gvfsd-trash b/apparmor.d/groups/gvfs/gvfsd-trash index d65edb691..683d271a8 100644 --- a/apparmor.d/groups/gvfs/gvfsd-trash +++ b/apparmor.d/groups/gvfs/gvfsd-trash @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/gvfs/gvfsd-wsdd b/apparmor.d/groups/gvfs/gvfsd-wsdd index b2ff47c91..f971b5f6a 100644 --- a/apparmor.d/groups/gvfs/gvfsd-wsdd +++ b/apparmor.d/groups/gvfs/gvfsd-wsdd @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/hyprland/hyprctl b/apparmor.d/groups/hyprland/hyprctl index f7d41d484..96440098e 100644 --- a/apparmor.d/groups/hyprland/hyprctl +++ b/apparmor.d/groups/hyprland/hyprctl @@ -2,7 +2,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 44bed0cdd..136ebabb0 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -2,7 +2,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/hyprland/hyprlock b/apparmor.d/groups/hyprland/hyprlock index 9459018ef..b17c0c66a 100644 --- a/apparmor.d/groups/hyprland/hyprlock +++ b/apparmor.d/groups/hyprland/hyprlock @@ -2,7 +2,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/hyprland/hyprpaper b/apparmor.d/groups/hyprland/hyprpaper index 1005ee8f1..3cb8dca92 100644 --- a/apparmor.d/groups/hyprland/hyprpaper +++ b/apparmor.d/groups/hyprland/hyprpaper @@ -2,7 +2,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/hyprland/hyprpicker b/apparmor.d/groups/hyprland/hyprpicker index 77edc07dc..38eccd297 100644 --- a/apparmor.d/groups/hyprland/hyprpicker +++ b/apparmor.d/groups/hyprland/hyprpicker @@ -2,7 +2,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/hyprland/hyprpm b/apparmor.d/groups/hyprland/hyprpm index 5f5ce4c66..3a5878808 100644 --- a/apparmor.d/groups/hyprland/hyprpm +++ b/apparmor.d/groups/hyprland/hyprpm @@ -2,7 +2,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/DiscoverNotifier b/apparmor.d/groups/kde/DiscoverNotifier index 5f293a9e1..197f90f88 100644 --- a/apparmor.d/groups/kde/DiscoverNotifier +++ b/apparmor.d/groups/kde/DiscoverNotifier @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index 0b1ee4fa4..aa67ba5f5 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/baloorunner b/apparmor.d/groups/kde/baloorunner index 894c2cb7b..e3fca1f8f 100644 --- a/apparmor.d/groups/kde/baloorunner +++ b/apparmor.d/groups/kde/baloorunner @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index 577cdd085..8465da560 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/drkonqi b/apparmor.d/groups/kde/drkonqi index d096c9ba8..961c18cfe 100644 
--- a/apparmor.d/groups/kde/drkonqi +++ b/apparmor.d/groups/kde/drkonqi @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/drkonqi-coredump-cleanup b/apparmor.d/groups/kde/drkonqi-coredump-cleanup index fe2fd0566..c74276b95 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-cleanup +++ b/apparmor.d/groups/kde/drkonqi-coredump-cleanup @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/drkonqi-coredump-processor b/apparmor.d/groups/kde/drkonqi-coredump-processor index f014b671b..e07a6c1d4 100644 --- a/apparmor.d/groups/kde/drkonqi-coredump-processor +++ b/apparmor.d/groups/kde/drkonqi-coredump-processor @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index c1a63931e..1d85b3a6b 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kaccess b/apparmor.d/groups/kde/kaccess index e9ed1399d..42c1400ef 100644 --- a/apparmor.d/groups/kde/kaccess +++ b/apparmor.d/groups/kde/kaccess @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kactivitymanagerd b/apparmor.d/groups/kde/kactivitymanagerd index 8fccca289..fdc0730c4 100644 --- a/apparmor.d/groups/kde/kactivitymanagerd +++ b/apparmor.d/groups/kde/kactivitymanagerd @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/kde/kalendarac b/apparmor.d/groups/kde/kalendarac index 97bdef983..661090bc1 100644 --- a/apparmor.d/groups/kde/kalendarac +++ b/apparmor.d/groups/kde/kalendarac @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-backlighthelper b/apparmor.d/groups/kde/kauth-backlighthelper index 9b42d9a10..61308e83b 100644 --- a/apparmor.d/groups/kde/kauth-backlighthelper +++ b/apparmor.d/groups/kde/kauth-backlighthelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-chargethresholdhelper b/apparmor.d/groups/kde/kauth-chargethresholdhelper index 29dfe216b..44a6d0239 100644 --- a/apparmor.d/groups/kde/kauth-chargethresholdhelper +++ b/apparmor.d/groups/kde/kauth-chargethresholdhelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-discretegpuhelper b/apparmor.d/groups/kde/kauth-discretegpuhelper index 98e6614b8..f03dfb007 100644 --- a/apparmor.d/groups/kde/kauth-discretegpuhelper +++ b/apparmor.d/groups/kde/kauth-discretegpuhelper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-fontinst b/apparmor.d/groups/kde/kauth-fontinst index 3a9c21b7b..d05975eac 100644 --- a/apparmor.d/groups/kde/kauth-fontinst +++ b/apparmor.d/groups/kde/kauth-fontinst @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-kded-smart-helper b/apparmor.d/groups/kde/kauth-kded-smart-helper index fa1345d74..6483fe39f 100644 --- a/apparmor.d/groups/kde/kauth-kded-smart-helper +++ b/apparmor.d/groups/kde/kauth-kded-smart-helper 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper index a172c3404..5ae1f5f12 100644 --- a/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper +++ b/apparmor.d/groups/kde/kauth-kinfocenter-dmidecode-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kbuildsycoca b/apparmor.d/groups/kde/kbuildsycoca index beb235536..db3aed9dc 100644 --- a/apparmor.d/groups/kde/kbuildsycoca +++ b/apparmor.d/groups/kde/kbuildsycoca @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kcminit b/apparmor.d/groups/kde/kcminit index 95fdd6e63..93378bf76 100644 --- a/apparmor.d/groups/kde/kcminit +++ b/apparmor.d/groups/kde/kcminit @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index ce11fb914..d699f9d59 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 3a24b3db8..5af21ae75 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kde-systemd-start-condition b/apparmor.d/groups/kde/kde-systemd-start-condition index 31367f47c..efec3a8a6 100644 
--- a/apparmor.d/groups/kde/kde-systemd-start-condition +++ b/apparmor.d/groups/kde/kde-systemd-start-condition @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index f93144c5f..c14ba7e98 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kglobalacceld b/apparmor.d/groups/kde/kglobalacceld index 4d2616e3e..9da19046d 100644 --- a/apparmor.d/groups/kde/kglobalacceld +++ b/apparmor.d/groups/kde/kglobalacceld @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kio_http_cache_cleaner b/apparmor.d/groups/kde/kio_http_cache_cleaner index fa3f494c7..dc1b28dcc 100644 --- a/apparmor.d/groups/kde/kio_http_cache_cleaner +++ b/apparmor.d/groups/kde/kio_http_cache_cleaner @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kiod b/apparmor.d/groups/kde/kiod index d83749455..f6a7ba95a 100644 --- a/apparmor.d/groups/kde/kiod +++ b/apparmor.d/groups/kde/kiod @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kioworker b/apparmor.d/groups/kde/kioworker index 5bd01bb15..37dd3eeae 100644 --- a/apparmor.d/groups/kde/kioworker +++ b/apparmor.d/groups/kde/kioworker @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/konsole b/apparmor.d/groups/kde/konsole index 164510ae7..17ed13f27 100644 --- a/apparmor.d/groups/kde/konsole +++ b/apparmor.d/groups/kde/konsole 
@@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kreadconfig b/apparmor.d/groups/kde/kreadconfig index 4dbe69f9d..8ad9c4b5b 100644 --- a/apparmor.d/groups/kde/kreadconfig +++ b/apparmor.d/groups/kde/kreadconfig @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kscreen_backend_launcher b/apparmor.d/groups/kde/kscreen_backend_launcher index 94890bacc..5e09b0cbe 100644 --- a/apparmor.d/groups/kde/kscreen_backend_launcher +++ b/apparmor.d/groups/kde/kscreen_backend_launcher @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kscreen_osd_service b/apparmor.d/groups/kde/kscreen_osd_service index cafd59a67..8bff3306f 100644 --- a/apparmor.d/groups/kde/kscreen_osd_service +++ b/apparmor.d/groups/kde/kscreen_osd_service @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kscreenlocker_greet b/apparmor.d/groups/kde/kscreenlocker_greet index b67fe50f1..79e2b4c59 100644 --- a/apparmor.d/groups/kde/kscreenlocker_greet +++ b/apparmor.d/groups/kde/kscreenlocker_greet @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index f36d8f2f2..3f95292f6 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter index 55379861e..01fe51783 100644 --- a/apparmor.d/groups/kde/ksmserver-logout-greeter 
+++ b/apparmor.d/groups/kde/ksmserver-logout-greeter @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/ksplashqml b/apparmor.d/groups/kde/ksplashqml index 8b878457b..be59fe842 100644 --- a/apparmor.d/groups/kde/ksplashqml +++ b/apparmor.d/groups/kde/ksplashqml @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kstart b/apparmor.d/groups/kde/kstart index 6aefc1d43..fa0f88f75 100644 --- a/apparmor.d/groups/kde/kstart +++ b/apparmor.d/groups/kde/kstart @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kwalletd b/apparmor.d/groups/kde/kwalletd index 282f4231b..c4e25e9ff 100644 --- a/apparmor.d/groups/kde/kwalletd +++ b/apparmor.d/groups/kde/kwalletd @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kwalletmanager b/apparmor.d/groups/kde/kwalletmanager index a5c5ddfef..dc64cbb9e 100644 --- a/apparmor.d/groups/kde/kwalletmanager +++ b/apparmor.d/groups/kde/kwalletmanager @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 162f2cfc3..0bd53e3a6 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kwin_wayland_wrapper b/apparmor.d/groups/kde/kwin_wayland_wrapper index f28106373..1a7573d77 100644 --- a/apparmor.d/groups/kde/kwin_wayland_wrapper +++ b/apparmor.d/groups/kde/kwin_wayland_wrapper 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/kwin_x11 b/apparmor.d/groups/kde/kwin_x11 index 0454e70e1..e05e443ff 100644 --- a/apparmor.d/groups/kde/kwin_x11 +++ b/apparmor.d/groups/kde/kwin_x11 @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/okular b/apparmor.d/groups/kde/okular index a27751eb4..f7f168364 100644 --- a/apparmor.d/groups/kde/okular +++ b/apparmor.d/groups/kde/okular @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/pam_kwallet_init b/apparmor.d/groups/kde/pam_kwallet_init index b84407863..764917a1f 100644 --- a/apparmor.d/groups/kde/pam_kwallet_init +++ b/apparmor.d/groups/kde/pam_kwallet_init @@ -2,7 +2,7 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma-browser-integration-host b/apparmor.d/groups/kde/plasma-browser-integration-host index bcf1af528..dce3545f7 100644 --- a/apparmor.d/groups/kde/plasma-browser-integration-host +++ b/apparmor.d/groups/kde/plasma-browser-integration-host @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma-discover b/apparmor.d/groups/kde/plasma-discover index e94fd036e..1247d0fdf 100644 --- a/apparmor.d/groups/kde/plasma-discover +++ b/apparmor.d/groups/kde/plasma-discover @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma-emojier b/apparmor.d/groups/kde/plasma-emojier index 3862706a9..ba00660fc 100644 --- a/apparmor.d/groups/kde/plasma-emojier +++ b/apparmor.d/groups/kde/plasma-emojier 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma_session b/apparmor.d/groups/kde/plasma_session index 172c643c7..1fbeda384 100644 --- a/apparmor.d/groups/kde/plasma_session +++ b/apparmor.d/groups/kde/plasma_session @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasma_waitforname b/apparmor.d/groups/kde/plasma_waitforname index 432c49ac3..a509135af 100644 --- a/apparmor.d/groups/kde/plasma_waitforname +++ b/apparmor.d/groups/kde/plasma_waitforname @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 954431f86..89e0dfeae 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 5030d18f4..7f48fbec0 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 6f33e233a..54284f03a 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/sddm-xsession b/apparmor.d/groups/kde/sddm-xsession index 3e566b458..b5cceee95 100644 --- a/apparmor.d/groups/kde/sddm-xsession +++ b/apparmor.d/groups/kde/sddm-xsession 
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index c0cd5690c..e78464253 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/systemsettings b/apparmor.d/groups/kde/systemsettings index c17a34e59..e68d248b6 100644 --- a/apparmor.d/groups/kde/systemsettings +++ b/apparmor.d/groups/kde/systemsettings @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/utempter b/apparmor.d/groups/kde/utempter index 1ff12062f..309b9c444 100644 --- a/apparmor.d/groups/kde/utempter +++ b/apparmor.d/groups/kde/utempter @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/wayland-session b/apparmor.d/groups/kde/wayland-session index b9e7cf4fc..124cf2fda 100644 --- a/apparmor.d/groups/kde/wayland-session +++ b/apparmor.d/groups/kde/wayland-session @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index a4474a64a..dc6b215f2 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/xsettingsd b/apparmor.d/groups/kde/xsettingsd index 7e422a3d0..7cebbb43c 100644 --- a/apparmor.d/groups/kde/xsettingsd +++ b/apparmor.d/groups/kde/xsettingsd 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/kde/xwaylandvideobridge b/apparmor.d/groups/kde/xwaylandvideobridge index 0f6aeb48a..889018a13 100644 --- a/apparmor.d/groups/kde/xwaylandvideobridge +++ b/apparmor.d/groups/kde/xwaylandvideobridge @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 06e0c0fe5..9a780107b 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 50614a60a..ff317ec94 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/dhcpcd b/apparmor.d/groups/network/dhcpcd index 79b7283eb..6d4ea3f7e 100644 --- a/apparmor.d/groups/network/dhcpcd +++ b/apparmor.d/groups/network/dhcpcd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/iwctl b/apparmor.d/groups/network/iwctl index 3ccafc80a..0b5bd090e 100644 --- a/apparmor.d/groups/network/iwctl +++ b/apparmor.d/groups/network/iwctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index a80a4c37a..c6dda71ad 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index a57213481..fd43bc33b 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index 91cfaab0f..b5346964c 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/netplan.script b/apparmor.d/groups/network/netplan.script index c9cc3fff7..53297493e 100644 --- a/apparmor.d/groups/network/netplan.script +++ b/apparmor.d/groups/network/netplan.script @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/networkd-dispatcher b/apparmor.d/groups/network/networkd-dispatcher index 361cf8d3b..de8f9ccb0 100644 --- a/apparmor.d/groups/network/networkd-dispatcher +++ b/apparmor.d/groups/network/networkd-dispatcher @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-daemon-helper b/apparmor.d/groups/network/nm-daemon-helper index f8d262a44..7d16292f2 100644 --- a/apparmor.d/groups/network/nm-daemon-helper +++ b/apparmor.d/groups/network/nm-daemon-helper @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-dhcp-helper b/apparmor.d/groups/network/nm-dhcp-helper index 434dce19f..5e93bdbf5 100644 
--- a/apparmor.d/groups/network/nm-dhcp-helper +++ b/apparmor.d/groups/network/nm-dhcp-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-dispatcher b/apparmor.d/groups/network/nm-dispatcher index 1a82fdbf5..40984f7fa 100644 --- a/apparmor.d/groups/network/nm-dispatcher +++ b/apparmor.d/groups/network/nm-dispatcher @@ -4,7 +4,7 @@ # TODO: rethink how the scripts should be managed -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-iface-helper b/apparmor.d/groups/network/nm-iface-helper index 36fa1ca30..c74379698 100644 --- a/apparmor.d/groups/network/nm-iface-helper +++ b/apparmor.d/groups/network/nm-iface-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-initrd-generator b/apparmor.d/groups/network/nm-initrd-generator index 095347370..611587547 100644 --- a/apparmor.d/groups/network/nm-initrd-generator +++ b/apparmor.d/groups/network/nm-initrd-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-online b/apparmor.d/groups/network/nm-online index 159b890d1..144fd84cb 100644 --- a/apparmor.d/groups/network/nm-online +++ b/apparmor.d/groups/network/nm-online @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-openvpn-auth-dialog b/apparmor.d/groups/network/nm-openvpn-auth-dialog index 854614345..87e3e4f40 100644 --- a/apparmor.d/groups/network/nm-openvpn-auth-dialog +++ b/apparmor.d/groups/network/nm-openvpn-auth-dialog @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/network/nm-openvpn-service b/apparmor.d/groups/network/nm-openvpn-service index d65aa8f1a..675c14679 100644 --- a/apparmor.d/groups/network/nm-openvpn-service +++ b/apparmor.d/groups/network/nm-openvpn-service @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper index 130067a76..b2f4ca0e3 100644 --- a/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper +++ b/apparmor.d/groups/network/nm-openvpn-service-openvpn-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nm-priv-helper b/apparmor.d/groups/network/nm-priv-helper index e07c9f685..13a283c52 100644 --- a/apparmor.d/groups/network/nm-priv-helper +++ b/apparmor.d/groups/network/nm-priv-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/nmcli b/apparmor.d/groups/network/nmcli index 6c9a13203..a964ab958 100644 --- a/apparmor.d/groups/network/nmcli +++ b/apparmor.d/groups/network/nmcli @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index e94315846..3e6a1cb55 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -18,7 +18,7 @@ # If a user wants to type user/pass interactively, systemd-ask-password is # invoked for that. -abi , +abi , include diff --git a/apparmor.d/groups/network/rpcbind b/apparmor.d/groups/network/rpcbind index 049605f97..f9dcac8d1 100644 --- a/apparmor.d/groups/network/rpcbind +++ b/apparmor.d/groups/network/rpcbind 
@@ -2,7 +2,7 @@ # Copyright (C) 2023 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/socat b/apparmor.d/groups/network/socat index 8ffa2f9bf..25f975d25 100644 --- a/apparmor.d/groups/network/socat +++ b/apparmor.d/groups/network/socat @@ -3,7 +3,7 @@ # Copyright (C) 2024 Nishit Majithia (nishitm) # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/tailscale b/apparmor.d/groups/network/tailscale index 37029973b..4e5bba684 100644 --- a/apparmor.d/groups/network/tailscale +++ b/apparmor.d/groups/network/tailscale @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/tailscaled b/apparmor.d/groups/network/tailscaled index b59c668b8..7bab28a22 100644 --- a/apparmor.d/groups/network/tailscaled +++ b/apparmor.d/groups/network/tailscaled @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/wg b/apparmor.d/groups/network/wg index 2ddaee94c..781a52f7a 100644 --- a/apparmor.d/groups/network/wg +++ b/apparmor.d/groups/network/wg @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/network/wg-quick b/apparmor.d/groups/network/wg-quick index 89d89162a..c7ea6b1bd 100644 --- a/apparmor.d/groups/network/wg-quick +++ b/apparmor.d/groups/network/wg-quick @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/arch-audit b/apparmor.d/groups/pacman/arch-audit index ba4987a31..b8c622c6e 100644 --- a/apparmor.d/groups/pacman/arch-audit +++ b/apparmor.d/groups/pacman/arch-audit 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/archlinux-java b/apparmor.d/groups/pacman/archlinux-java index 5a78db048..e6728a606 100644 --- a/apparmor.d/groups/pacman/archlinux-java +++ b/apparmor.d/groups/pacman/archlinux-java @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync index dab6a2edd..014073443 100644 --- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync +++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/aurpublish b/apparmor.d/groups/pacman/aurpublish index cae1d7dca..82f935dcb 100644 --- a/apparmor.d/groups/pacman/aurpublish +++ b/apparmor.d/groups/pacman/aurpublish @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 2c72da3b0..12ead7ce8 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 0598b5d64..a9902e54b 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 3089b2f3e..f537afdb3 100644 --- a/apparmor.d/groups/pacman/paccache 
+++ b/apparmor.d/groups/pacman/paccache @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index 417e48504..e2a0f2609 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index 48778d6e4..1c7015b1f 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-conf b/apparmor.d/groups/pacman/pacman-conf index ebf99cbff..b57ab746d 100644 --- a/apparmor.d/groups/pacman/pacman-conf +++ b/apparmor.d/groups/pacman/pacman-conf @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 39389f42f..3a6bbd7fe 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-dconf b/apparmor.d/groups/pacman/pacman-hook-dconf index 91e3b367d..b5a330d75 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dconf +++ b/apparmor.d/groups/pacman/pacman-hook-dconf @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-depmod b/apparmor.d/groups/pacman/pacman-hook-depmod index c54523d86..45336a100 100644 --- a/apparmor.d/groups/pacman/pacman-hook-depmod 
+++ b/apparmor.d/groups/pacman/pacman-hook-depmod @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-dkms b/apparmor.d/groups/pacman/pacman-hook-dkms index fd449cd10..a039db414 100644 --- a/apparmor.d/groups/pacman/pacman-hook-dkms +++ b/apparmor.d/groups/pacman/pacman-hook-dkms @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-fontconfig b/apparmor.d/groups/pacman/pacman-hook-fontconfig index 8068d83dc..de0d33e16 100644 --- a/apparmor.d/groups/pacman/pacman-hook-fontconfig +++ b/apparmor.d/groups/pacman/pacman-hook-fontconfig @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-gio b/apparmor.d/groups/pacman/pacman-hook-gio index dcbfe6e28..5aa612a3c 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gio +++ b/apparmor.d/groups/pacman/pacman-hook-gio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk b/apparmor.d/groups/pacman/pacman-hook-gtk index d75527d79..ce7b931ca 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk +++ b/apparmor.d/groups/pacman/pacman-hook-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules index 54a002506..a0be0e39b 100644 --- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules +++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio index 178cee539..09529cbb0 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove index 8d26de0b4..7c0006153 100644 --- a/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove +++ b/apparmor.d/groups/pacman/pacman-hook-mkinitcpio-remove @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-perl b/apparmor.d/groups/pacman/pacman-hook-perl index 894ba266c..1254f97e2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-perl +++ b/apparmor.d/groups/pacman/pacman-hook-perl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index f704f5ddb..3a4bd0eb3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/pacman-key b/apparmor.d/groups/pacman/pacman-key index a8fb360cd..728bd84d2 100644 --- a/apparmor.d/groups/pacman/pacman-key +++ b/apparmor.d/groups/pacman/pacman-key @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/reflector b/apparmor.d/groups/pacman/reflector index 135a5bdf3..588c39ccc 100644 --- a/apparmor.d/groups/pacman/reflector 
+++ b/apparmor.d/groups/pacman/reflector @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index 8f3dede75..32ac11d7e 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ssh/sftp-server b/apparmor.d/groups/ssh/sftp-server index 672d9b5e5..3deddb092 100644 --- a/apparmor.d/groups/ssh/sftp-server +++ b/apparmor.d/groups/ssh/sftp-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 5dce3ec80..69f594f7a 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index 174efb5a4..72d6618e6 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index a243069c0..34b1ea1dc 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ssh/ssh-keygen b/apparmor.d/groups/ssh/ssh-keygen index f31ac1195..af43fb046 100644 --- a/apparmor.d/groups/ssh/ssh-keygen +++ b/apparmor.d/groups/ssh/ssh-keygen 
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 3746c4261..29cc38432 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -11,7 +11,7 @@ # If you want real protection disallow SSH access. -abi , +abi , include diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 7623cd87a..a367b0f7a 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index 4a5d4d832..c59284e72 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index 64396608f..d251e9b26 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl index b291c0493..89a19fa11 100644 --- a/apparmor.d/groups/systemd/coredumpctl +++ b/apparmor.d/groups/systemd/coredumpctl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/hostnamectl b/apparmor.d/groups/systemd/hostnamectl index 47e7f531e..65e6ed11f 100644 --- a/apparmor.d/groups/systemd/hostnamectl +++ b/apparmor.d/groups/systemd/hostnamectl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 79af65679..6020f60fa 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl index 3ab09cfca..2cac865a4 100644 --- a/apparmor.d/groups/systemd/localectl +++ b/apparmor.d/groups/systemd/localectl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index b5228f222..681d1438e 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/networkctl b/apparmor.d/groups/systemd/networkctl index ae188df5f..dee55195d 100644 --- a/apparmor.d/groups/systemd/networkctl +++ b/apparmor.d/groups/systemd/networkctl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-ac-power b/apparmor.d/groups/systemd/systemd-ac-power index 44cbad98c..1353547f0 100644 --- a/apparmor.d/groups/systemd/systemd-ac-power +++ b/apparmor.d/groups/systemd/systemd-ac-power @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-analyze b/apparmor.d/groups/systemd/systemd-analyze index 0c3b38d64..09d432b2f 100644 --- a/apparmor.d/groups/systemd/systemd-analyze +++ b/apparmor.d/groups/systemd/systemd-analyze 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-ask-password b/apparmor.d/groups/systemd/systemd-ask-password index 9a5e04306..6eec2ee6b 100644 --- a/apparmor.d/groups/systemd/systemd-ask-password +++ b/apparmor.d/groups/systemd/systemd-ask-password @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-backlight b/apparmor.d/groups/systemd/systemd-backlight index 066dbf33e..f67cb301c 100644 --- a/apparmor.d/groups/systemd/systemd-backlight +++ b/apparmor.d/groups/systemd/systemd-backlight @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-binfmt b/apparmor.d/groups/systemd/systemd-binfmt index 8fae04706..d34bbe4cb 100644 --- a/apparmor.d/groups/systemd/systemd-binfmt +++ b/apparmor.d/groups/systemd/systemd-binfmt @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-cat b/apparmor.d/groups/systemd/systemd-cat index 0ccfd68c0..967d776d2 100644 --- a/apparmor.d/groups/systemd/systemd-cat +++ b/apparmor.d/groups/systemd/systemd-cat @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-cgls b/apparmor.d/groups/systemd/systemd-cgls index e58fec015..d0ded5ee7 100644 --- a/apparmor.d/groups/systemd/systemd-cgls +++ b/apparmor.d/groups/systemd/systemd-cgls @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-cgtop b/apparmor.d/groups/systemd/systemd-cgtop index cd0f1e416..90ecc99f8 100644 
--- a/apparmor.d/groups/systemd/systemd-cgtop +++ b/apparmor.d/groups/systemd/systemd-cgtop @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 1902c6799..8c90be6f6 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-cryptsetup b/apparmor.d/groups/systemd/systemd-cryptsetup index 6ca3e3237..5e4b33a12 100644 --- a/apparmor.d/groups/systemd/systemd-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-cryptsetup @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-delta b/apparmor.d/groups/systemd/systemd-delta index 9ac4e8239..7cf546a56 100644 --- a/apparmor.d/groups/systemd/systemd-delta +++ b/apparmor.d/groups/systemd/systemd-delta @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index 63e97171c..35f4afbc4 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index 5dc785198..b81b100db 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/systemd-escape b/apparmor.d/groups/systemd/systemd-escape index c292c1d96..0a38bf0fb 100644 --- a/apparmor.d/groups/systemd/systemd-escape +++ b/apparmor.d/groups/systemd/systemd-escape @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index 2d6326d71..a7290dc48 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-fsckd b/apparmor.d/groups/systemd/systemd-fsckd index 9fc59bfe0..33a433a09 100644 --- a/apparmor.d/groups/systemd/systemd-fsckd +++ b/apparmor.d/groups/systemd/systemd-fsckd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-bless-boot b/apparmor.d/groups/systemd/systemd-generator-bless-boot index e09b01d5a..32e2aac65 100644 --- a/apparmor.d/groups/systemd/systemd-generator-bless-boot +++ b/apparmor.d/groups/systemd/systemd-generator-bless-boot @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-cloud-init b/apparmor.d/groups/systemd/systemd-generator-cloud-init index d57de673b..2737a94f4 100644 --- a/apparmor.d/groups/systemd/systemd-generator-cloud-init +++ b/apparmor.d/groups/systemd/systemd-generator-cloud-init @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-cryptsetup b/apparmor.d/groups/systemd/systemd-generator-cryptsetup index e29178fbd..1979dba1d 100644 
--- a/apparmor.d/groups/systemd/systemd-generator-cryptsetup +++ b/apparmor.d/groups/systemd/systemd-generator-cryptsetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-debug b/apparmor.d/groups/systemd/systemd-generator-debug index 2d83cc0ba..4ce9d2974 100644 --- a/apparmor.d/groups/systemd/systemd-generator-debug +++ b/apparmor.d/groups/systemd/systemd-generator-debug @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-ds-identify b/apparmor.d/groups/systemd/systemd-generator-ds-identify index b88d2387f..6b42e55ed 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ds-identify +++ b/apparmor.d/groups/systemd/systemd-generator-ds-identify @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-arch b/apparmor.d/groups/systemd/systemd-generator-environment-arch index 6311ad9c4..738144547 100644 --- a/apparmor.d/groups/systemd/systemd-generator-environment-arch +++ b/apparmor.d/groups/systemd/systemd-generator-environment-arch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak index e03b70cca..a4ba2afe1 100644 --- a/apparmor.d/groups/systemd/systemd-generator-environment-flatpak +++ b/apparmor.d/groups/systemd/systemd-generator-environment-flatpak @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/systemd-generator-fstab b/apparmor.d/groups/systemd/systemd-generator-fstab index a15100300..55736d142 100644 --- a/apparmor.d/groups/systemd/systemd-generator-fstab +++ b/apparmor.d/groups/systemd/systemd-generator-fstab @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-getty b/apparmor.d/groups/systemd/systemd-generator-getty index 92b5a4ffa..0eadabec8 100644 --- a/apparmor.d/groups/systemd/systemd-generator-getty +++ b/apparmor.d/groups/systemd/systemd-generator-getty @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-gpt-auto b/apparmor.d/groups/systemd/systemd-generator-gpt-auto index 613380b43..0d6c09c6b 100644 --- a/apparmor.d/groups/systemd/systemd-generator-gpt-auto +++ b/apparmor.d/groups/systemd/systemd-generator-gpt-auto @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume b/apparmor.d/groups/systemd/systemd-generator-hibernate-resume index dbfee2fcd..7c5e9ec80 100644 --- a/apparmor.d/groups/systemd/systemd-generator-hibernate-resume +++ b/apparmor.d/groups/systemd/systemd-generator-hibernate-resume @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-integritysetup b/apparmor.d/groups/systemd/systemd-generator-integritysetup index 9eb46a451..72ef28061 100644 --- a/apparmor.d/groups/systemd/systemd-generator-integritysetup +++ b/apparmor.d/groups/systemd/systemd-generator-integritysetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/systemd-generator-ostree b/apparmor.d/groups/systemd/systemd-generator-ostree index c38e3690b..f50544f81 100644 --- a/apparmor.d/groups/systemd/systemd-generator-ostree +++ b/apparmor.d/groups/systemd/systemd-generator-ostree @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-run b/apparmor.d/groups/systemd/systemd-generator-run index 272073edc..39c8b0fd6 100644 --- a/apparmor.d/groups/systemd/systemd-generator-run +++ b/apparmor.d/groups/systemd/systemd-generator-run @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-system-update b/apparmor.d/groups/systemd/systemd-generator-system-update index f9d09d634..557e4ab6e 100644 --- a/apparmor.d/groups/systemd/systemd-generator-system-update +++ b/apparmor.d/groups/systemd/systemd-generator-system-update @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-autostart b/apparmor.d/groups/systemd/systemd-generator-user-autostart index 8ca09d56b..c42548ef5 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd/systemd-generator-user-autostart @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-user-environment b/apparmor.d/groups/systemd/systemd-generator-user-environment index 420ef84a9..db128405f 100644 --- a/apparmor.d/groups/systemd/systemd-generator-user-environment +++ b/apparmor.d/groups/systemd/systemd-generator-user-environment 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-generator-veritysetup b/apparmor.d/groups/systemd/systemd-generator-veritysetup index a0084a26b..97776312f 100644 --- a/apparmor.d/groups/systemd/systemd-generator-veritysetup +++ b/apparmor.d/groups/systemd/systemd-generator-veritysetup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-homed b/apparmor.d/groups/systemd/systemd-homed index 2fae7144d..5fe748abd 100644 --- a/apparmor.d/groups/systemd/systemd-homed +++ b/apparmor.d/groups/systemd/systemd-homed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-homework b/apparmor.d/groups/systemd/systemd-homework index 8dc8a825d..f0fe98a16 100644 --- a/apparmor.d/groups/systemd/systemd-homework +++ b/apparmor.d/groups/systemd/systemd-homework @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-hostnamed b/apparmor.d/groups/systemd/systemd-hostnamed index 52e6f0894..04cbbaf5e 100644 --- a/apparmor.d/groups/systemd/systemd-hostnamed +++ b/apparmor.d/groups/systemd/systemd-hostnamed @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-hwdb b/apparmor.d/groups/systemd/systemd-hwdb index 4ee18fb34..5664cde02 100644 --- a/apparmor.d/groups/systemd/systemd-hwdb +++ b/apparmor.d/groups/systemd/systemd-hwdb @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/systemd-id128 b/apparmor.d/groups/systemd/systemd-id128 index afa516e39..f0944db26 100644 --- a/apparmor.d/groups/systemd/systemd-id128 +++ b/apparmor.d/groups/systemd/systemd-id128 @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 01b3e0bcd..2051a5b19 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index 6ac35cb68..a50ed62e3 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed index c149f37ee..48318da8f 100644 --- a/apparmor.d/groups/systemd/systemd-localed +++ b/apparmor.d/groups/systemd/systemd-localed @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index d1fa06e7c..f4628c019 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -3,7 +3,7 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup index 26e5e5980..105f72e46 100644 --- a/apparmor.d/groups/systemd/systemd-machine-id-setup +++ b/apparmor.d/groups/systemd/systemd-machine-id-setup 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined index cb0eab79b..3a111f7f3 100644 --- a/apparmor.d/groups/systemd/systemd-machined +++ b/apparmor.d/groups/systemd/systemd-machined @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-makefs b/apparmor.d/groups/systemd/systemd-makefs index 05ec6dc34..8556e51d7 100644 --- a/apparmor.d/groups/systemd/systemd-makefs +++ b/apparmor.d/groups/systemd/systemd-makefs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 4ecbd0acb..abb437f83 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount index a86bf152d..b78de3312 100644 --- a/apparmor.d/groups/systemd/systemd-mount +++ b/apparmor.d/groups/systemd/systemd-mount @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index cce35fae6..c65980901 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index 18f1e6ab2..b4d137940 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-networkd-wait-online b/apparmor.d/groups/systemd/systemd-networkd-wait-online index 8e9ec3438..0d5e40730 100644 --- a/apparmor.d/groups/systemd/systemd-networkd-wait-online +++ b/apparmor.d/groups/systemd/systemd-networkd-wait-online @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-notify b/apparmor.d/groups/systemd/systemd-notify index 7be0e88ed..aafb0d74c 100644 --- a/apparmor.d/groups/systemd/systemd-notify +++ b/apparmor.d/groups/systemd/systemd-notify @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd index 21ef79495..e5dce916c 100644 --- a/apparmor.d/groups/systemd/systemd-oomd +++ b/apparmor.d/groups/systemd/systemd-oomd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-path b/apparmor.d/groups/systemd/systemd-path index 7ab73f52e..747527776 100644 --- a/apparmor.d/groups/systemd/systemd-path +++ b/apparmor.d/groups/systemd/systemd-path @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-portabled b/apparmor.d/groups/systemd/systemd-portabled index a54c5d8db..bee3df8df 100644 --- a/apparmor.d/groups/systemd/systemd-portabled 
+++ b/apparmor.d/groups/systemd/systemd-portabled @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-random-seed b/apparmor.d/groups/systemd/systemd-random-seed index e9753150c..be33d39cd 100644 --- a/apparmor.d/groups/systemd/systemd-random-seed +++ b/apparmor.d/groups/systemd/systemd-random-seed @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs index 44ab5cfaf..8c63a1d5a 100644 --- a/apparmor.d/groups/systemd/systemd-remount-fs +++ b/apparmor.d/groups/systemd/systemd-remount-fs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve index cfb0732dc..f716aa3af 100644 --- a/apparmor.d/groups/systemd/systemd-resolve +++ b/apparmor.d/groups/systemd/systemd-resolve @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 34597caa1..ff5a98134 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-3.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-rfkill b/apparmor.d/groups/systemd/systemd-rfkill index 1ff164b86..ff9e2d540 100644 --- a/apparmor.d/groups/systemd/systemd-rfkill +++ b/apparmor.d/groups/systemd/systemd-rfkill @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/systemd-shutdown b/apparmor.d/groups/systemd/systemd-shutdown index 02abda424..e9887c0cb 100644 --- a/apparmor.d/groups/systemd/systemd-shutdown +++ b/apparmor.d/groups/systemd/systemd-shutdown @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index a683e3a78..34916ecc6 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub2 b/apparmor.d/groups/systemd/systemd-sleep-grub2 index 9c718f7b0..b2b42bf44 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-grub2 +++ b/apparmor.d/groups/systemd/systemd-sleep-grub2 @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-hdparm b/apparmor.d/groups/systemd/systemd-sleep-hdparm index 9a282e7f8..71008c96d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-hdparm +++ b/apparmor.d/groups/systemd/systemd-sleep-hdparm @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-nvidia b/apparmor.d/groups/systemd/systemd-sleep-nvidia index 4ff89f5a7..4ebb4851f 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-nvidia +++ b/apparmor.d/groups/systemd/systemd-sleep-nvidia @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-sysstat b/apparmor.d/groups/systemd/systemd-sleep-sysstat index d854cd7f7..94e2e8daf 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-sysstat 
+++ b/apparmor.d/groups/systemd/systemd-sleep-sysstat @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-tlp b/apparmor.d/groups/systemd/systemd-sleep-tlp index 03fb69356..60a28d4af 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-tlp +++ b/apparmor.d/groups/systemd/systemd-sleep-tlp @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sleep-upgrades b/apparmor.d/groups/systemd/systemd-sleep-upgrades index 9d1758e25..4f2cce637 100644 --- a/apparmor.d/groups/systemd/systemd-sleep-upgrades +++ b/apparmor.d/groups/systemd/systemd-sleep-upgrades @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-socket-proxyd b/apparmor.d/groups/systemd/systemd-socket-proxyd index 0a9c75aa3..7290e6d0c 100644 --- a/apparmor.d/groups/systemd/systemd-socket-proxyd +++ b/apparmor.d/groups/systemd/systemd-socket-proxyd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sulogin-shell b/apparmor.d/groups/systemd/systemd-sulogin-shell index bb0f082b9..094366391 100644 --- a/apparmor.d/groups/systemd/systemd-sulogin-shell +++ b/apparmor.d/groups/systemd/systemd-sulogin-shell @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index f209745fc..454105011 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/systemd/systemd-sysusers b/apparmor.d/groups/systemd/systemd-sysusers index 18ef93df0..d6b1cb266 100644 --- a/apparmor.d/groups/systemd/systemd-sysusers +++ b/apparmor.d/groups/systemd/systemd-sysusers @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated index 4d9ae9ce1..e2b6caaa7 100644 --- a/apparmor.d/groups/systemd/systemd-timedated +++ b/apparmor.d/groups/systemd/systemd-timedated @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-timesyncd b/apparmor.d/groups/systemd/systemd-timesyncd index 4f0903d1f..de544c9d7 100644 --- a/apparmor.d/groups/systemd/systemd-timesyncd +++ b/apparmor.d/groups/systemd/systemd-timesyncd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-tmpfiles b/apparmor.d/groups/systemd/systemd-tmpfiles index 595ccf7da..f591ef9f7 100644 --- a/apparmor.d/groups/systemd/systemd-tmpfiles +++ b/apparmor.d/groups/systemd/systemd-tmpfiles @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent index f1da3f8a6..6083fc233 100644 --- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent +++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 612fda9eb..dae5ae67e 100644 
--- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-update-done b/apparmor.d/groups/systemd/systemd-update-done index 046bc3e65..c17be7ab2 100644 --- a/apparmor.d/groups/systemd/systemd-update-done +++ b/apparmor.d/groups/systemd/systemd-update-done @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-update-utmp b/apparmor.d/groups/systemd/systemd-update-utmp index 60227f08a..8703709c4 100644 --- a/apparmor.d/groups/systemd/systemd-update-utmp +++ b/apparmor.d/groups/systemd/systemd-update-utmp @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-user-runtime-dir b/apparmor.d/groups/systemd/systemd-user-runtime-dir index cd70cc8bd..84dfb27ee 100644 --- a/apparmor.d/groups/systemd/systemd-user-runtime-dir +++ b/apparmor.d/groups/systemd/systemd-user-runtime-dir @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-user-sessions b/apparmor.d/groups/systemd/systemd-user-sessions index 25e5befef..6f16b2f19 100644 --- a/apparmor.d/groups/systemd/systemd-user-sessions +++ b/apparmor.d/groups/systemd/systemd-user-sessions @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd index f591faf3d..a38e455f3 100644 --- a/apparmor.d/groups/systemd/systemd-userdbd +++ b/apparmor.d/groups/systemd/systemd-userdbd 
@@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-userwork b/apparmor.d/groups/systemd/systemd-userwork index c7e4b6292..29641fd74 100644 --- a/apparmor.d/groups/systemd/systemd-userwork +++ b/apparmor.d/groups/systemd/systemd-userwork @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/systemd-vconsole-setup b/apparmor.d/groups/systemd/systemd-vconsole-setup index 000bd6957..5f28050c1 100644 --- a/apparmor.d/groups/systemd/systemd-vconsole-setup +++ b/apparmor.d/groups/systemd/systemd-vconsole-setup @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl index 279560e99..db1a3dda8 100644 --- a/apparmor.d/groups/systemd/userdbctl +++ b/apparmor.d/groups/systemd/userdbctl @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/zram-generator b/apparmor.d/groups/systemd/zram-generator index 2e8c20737..f6406811d 100644 --- a/apparmor.d/groups/systemd/zram-generator +++ b/apparmor.d/groups/systemd/zram-generator @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/systemd/zramctl b/apparmor.d/groups/systemd/zramctl index 289dc4f0f..9dbf23243 100644 --- a/apparmor.d/groups/systemd/zramctl +++ b/apparmor.d/groups/systemd/zramctl @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/apport b/apparmor.d/groups/ubuntu/apport index bc03772b6..ed39c7583 100644 --- a/apparmor.d/groups/ubuntu/apport 
+++ b/apparmor.d/groups/ubuntu/apport @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/apport-checkreports b/apparmor.d/groups/ubuntu/apport-checkreports index dec9a5d7d..665b3eaca 100644 --- a/apparmor.d/groups/ubuntu/apport-checkreports +++ b/apparmor.d/groups/ubuntu/apport-checkreports @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index f8d2c9973..25d136722 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/apt-esm-hook b/apparmor.d/groups/ubuntu/apt-esm-hook index c200de4d5..a04fc771d 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-hook @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/apt-esm-json-hook b/apparmor.d/groups/ubuntu/apt-esm-json-hook index 4ce754d65..60569edd2 100644 --- a/apparmor.d/groups/ubuntu/apt-esm-json-hook +++ b/apparmor.d/groups/ubuntu/apt-esm-json-hook @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index a6db303e5..b2fe83f6b 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan index aaf3b9f33..c5c31edd3 100644 --- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan +++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/do-release-upgrade b/apparmor.d/groups/ubuntu/do-release-upgrade index 4ee62b2e0..86c211f24 100644 --- a/apparmor.d/groups/ubuntu/do-release-upgrade +++ b/apparmor.d/groups/ubuntu/do-release-upgrade @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/hwe-support-status b/apparmor.d/groups/ubuntu/hwe-support-status index 0752e6358..3b4280e33 100644 --- a/apparmor.d/groups/ubuntu/hwe-support-status +++ b/apparmor.d/groups/ubuntu/hwe-support-status @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/list-oem-metapackages b/apparmor.d/groups/ubuntu/list-oem-metapackages index 93059dc34..0023b48cb 100644 --- a/apparmor.d/groups/ubuntu/list-oem-metapackages +++ b/apparmor.d/groups/ubuntu/list-oem-metapackages @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index 66739c7bc..4d5ecb46a 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/notify-reboot-required b/apparmor.d/groups/ubuntu/notify-reboot-required index 0c7d008e8..ee9e22e21 100644 --- a/apparmor.d/groups/ubuntu/notify-reboot-required 
+++ b/apparmor.d/groups/ubuntu/notify-reboot-required @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/notify-updates-outdated b/apparmor.d/groups/ubuntu/notify-updates-outdated index 39ce41c73..a42b3ba1c 100644 --- a/apparmor.d/groups/ubuntu/notify-updates-outdated +++ b/apparmor.d/groups/ubuntu/notify-updates-outdated @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/package-data-downloader b/apparmor.d/groups/ubuntu/package-data-downloader index bba0add83..0e6641977 100644 --- a/apparmor.d/groups/ubuntu/package-data-downloader +++ b/apparmor.d/groups/ubuntu/package-data-downloader @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index 6876687e2..f4e040975 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/release-upgrade-motd b/apparmor.d/groups/ubuntu/release-upgrade-motd index 3130f196e..08a54df0a 100644 --- a/apparmor.d/groups/ubuntu/release-upgrade-motd +++ b/apparmor.d/groups/ubuntu/release-upgrade-motd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/software-properties-dbus b/apparmor.d/groups/ubuntu/software-properties-dbus index 32b4e27c3..93fd9ffcc 100644 --- a/apparmor.d/groups/ubuntu/software-properties-dbus +++ b/apparmor.d/groups/ubuntu/software-properties-dbus 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 6d7dc732f..4715f570c 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 7113dac5e..1b04bd383 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index bb5f81b82..92b9deef7 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon index ddb689b53..5265a2df3 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-desktop-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index c9a48ed47..bf3d4c6c0 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/ubuntu-distro-info b/apparmor.d/groups/ubuntu/ubuntu-distro-info index a444aada3..6806a4e27 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-distro-info +++ b/apparmor.d/groups/ubuntu/ubuntu-distro-info @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/ubuntu-report b/apparmor.d/groups/ubuntu/ubuntu-report index 54e444532..19273f449 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-report +++ b/apparmor.d/groups/ubuntu/ubuntu-report @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 2cf2f3e99..8fb717323 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index b0e62994f..7fb3a2b29 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/ubuntu/update-motd-updates-available b/apparmor.d/groups/ubuntu/update-motd-updates-available index bf1acfb1b..b0101504c 100644 --- a/apparmor.d/groups/ubuntu/update-motd-updates-available +++ b/apparmor.d/groups/ubuntu/update-motd-updates-available @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index df73d4e40..c75c3f83e 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cni-bandwidth b/apparmor.d/groups/virt/cni-bandwidth index 0159f603e..a27f41fc0 100644 --- a/apparmor.d/groups/virt/cni-bandwidth +++ b/apparmor.d/groups/virt/cni-bandwidth @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cni-bridge b/apparmor.d/groups/virt/cni-bridge index 70347fe59..1e27d04a3 100644 --- a/apparmor.d/groups/virt/cni-bridge +++ b/apparmor.d/groups/virt/cni-bridge @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cni-calico b/apparmor.d/groups/virt/cni-calico index 47d5590a2..878a09119 100644 --- a/apparmor.d/groups/virt/cni-calico +++ b/apparmor.d/groups/virt/cni-calico @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cni-firewall b/apparmor.d/groups/virt/cni-firewall index 028f5bd6f..d5171e8dc 100644 --- a/apparmor.d/groups/virt/cni-firewall +++ b/apparmor.d/groups/virt/cni-firewall @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cni-flannel b/apparmor.d/groups/virt/cni-flannel index ac473fbcb..6bdccec8c 100644 --- a/apparmor.d/groups/virt/cni-flannel +++ b/apparmor.d/groups/virt/cni-flannel @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/virt/cni-host-local b/apparmor.d/groups/virt/cni-host-local index 50b8f315b..5f645ce3f 100644 --- a/apparmor.d/groups/virt/cni-host-local +++ b/apparmor.d/groups/virt/cni-host-local @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cni-loopback b/apparmor.d/groups/virt/cni-loopback index a7d24e306..30e2800ce 100644 --- a/apparmor.d/groups/virt/cni-loopback +++ b/apparmor.d/groups/virt/cni-loopback @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cni-portmap b/apparmor.d/groups/virt/cni-portmap index bc4a00fa2..bd0206c4c 100644 --- a/apparmor.d/groups/virt/cni-portmap +++ b/apparmor.d/groups/virt/cni-portmap @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cni-tuning b/apparmor.d/groups/virt/cni-tuning index c0e3a3fd2..c6cc1f1dc 100644 --- a/apparmor.d/groups/virt/cni-tuning +++ b/apparmor.d/groups/virt/cni-tuning @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-askpass b/apparmor.d/groups/virt/cockpit-askpass index daa5cf009..b46a415ac 100644 --- a/apparmor.d/groups/virt/cockpit-askpass +++ b/apparmor.d/groups/virt/cockpit-askpass @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index 1ae8c7109..7487c8e70 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/groups/virt/cockpit-certificate-ensure b/apparmor.d/groups/virt/cockpit-certificate-ensure index 0ef40f4ba..7429b0021 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-ensure +++ b/apparmor.d/groups/virt/cockpit-certificate-ensure @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-certificate-helper b/apparmor.d/groups/virt/cockpit-certificate-helper index 01d23171b..ac9dd5f6f 100644 --- a/apparmor.d/groups/virt/cockpit-certificate-helper +++ b/apparmor.d/groups/virt/cockpit-certificate-helper @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-desktop b/apparmor.d/groups/virt/cockpit-desktop index d8e7f81de..c2a7455ce 100644 --- a/apparmor.d/groups/virt/cockpit-desktop +++ b/apparmor.d/groups/virt/cockpit-desktop @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-pcp b/apparmor.d/groups/virt/cockpit-pcp index c1afe3fbf..8008fe360 100644 --- a/apparmor.d/groups/virt/cockpit-pcp +++ b/apparmor.d/groups/virt/cockpit-pcp @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index fda673c6e..67ecd800e 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/groups/virt/cockpit-ssh b/apparmor.d/groups/virt/cockpit-ssh index 2903d9eb9..e81eb492f 100644 --- a/apparmor.d/groups/virt/cockpit-ssh +++ b/apparmor.d/groups/virt/cockpit-ssh 
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/cockpit-tls b/apparmor.d/groups/virt/cockpit-tls
index f83ac2c7b..0037b132c 100644
--- a/apparmor.d/groups/virt/cockpit-tls
+++ b/apparmor.d/groups/virt/cockpit-tls
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/cockpit-update-motd b/apparmor.d/groups/virt/cockpit-update-motd
index cf4bf5bb7..c1a39a895 100644
--- a/apparmor.d/groups/virt/cockpit-update-motd
+++ b/apparmor.d/groups/virt/cockpit-update-motd
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/cockpit-ws b/apparmor.d/groups/virt/cockpit-ws
index 589765f35..c78f63a63 100644
--- a/apparmor.d/groups/virt/cockpit-ws
+++ b/apparmor.d/groups/virt/cockpit-ws
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/cockpit-wsinstance-factory b/apparmor.d/groups/virt/cockpit-wsinstance-factory
index 61e7e8fa1..b14a1e36f 100644
--- a/apparmor.d/groups/virt/cockpit-wsinstance-factory
+++ b/apparmor.d/groups/virt/cockpit-wsinstance-factory
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/containerd b/apparmor.d/groups/virt/containerd
index 182240228..627515640 100644
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@@ -3,7 +3,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2
index 428473f5d..bff45ca39 100644
--- a/apparmor.d/groups/virt/containerd-shim-runc-v2
+++ b/apparmor.d/groups/virt/containerd-shim-runc-v2
@@ -3,7 +3,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/docker-proxy b/apparmor.d/groups/virt/docker-proxy
index 4bb1d9497..2861514aa 100644
--- a/apparmor.d/groups/virt/docker-proxy
+++ b/apparmor.d/groups/virt/docker-proxy
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index 78503c7be..3342c0d58 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -2,7 +2,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s
index c2183c33b..96e50ba35 100644
--- a/apparmor.d/groups/virt/k3s
+++ b/apparmor.d/groups/virt/k3s
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/kubernetes-pause b/apparmor.d/groups/virt/kubernetes-pause
index 8172d00fc..c762515a4 100644
--- a/apparmor.d/groups/virt/kubernetes-pause
+++ b/apparmor.d/groups/virt/kubernetes-pause
@@ -2,7 +2,7 @@
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus
index 75c7d853b..44d24f1ae 100644
--- a/apparmor.d/groups/virt/libvirt-dbus
+++ b/apparmor.d/groups/virt/libvirt-dbus
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd
index 4f8c76a81..f6519a619 100644
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@@ -10,7 +10,7 @@
# Warning: Such a profile is limited as it gives access to a lot of resources.
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/qemu-bridge-helper b/apparmor.d/groups/virt/qemu-bridge-helper
index a814dd265..e462eeca1 100644
--- a/apparmor.d/groups/virt/qemu-bridge-helper
+++ b/apparmor.d/groups/virt/qemu-bridge-helper
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/virt-aa-helper b/apparmor.d/groups/virt/virt-aa-helper
index abbef1f88..74a93737b 100644
--- a/apparmor.d/groups/virt/virt-aa-helper
+++ b/apparmor.d/groups/virt/virt-aa-helper
@@ -3,7 +3,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced
index ccda93f6b..8ef827a10 100644
--- a/apparmor.d/groups/virt/virtinterfaced
+++ b/apparmor.d/groups/virt/virtinterfaced
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd
index 50efd188b..7389119b8 100644
--- a/apparmor.d/groups/virt/virtiofsd
+++ b/apparmor.d/groups/virt/virtiofsd
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/virtlockd b/apparmor.d/groups/virt/virtlockd
index 44c5e20ef..ea9336cef 100644
--- a/apparmor.d/groups/virt/virtlockd
+++ b/apparmor.d/groups/virt/virtlockd
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd
index 0cb7202ee..095084ef4 100644
--- a/apparmor.d/groups/virt/virtlogd
+++ b/apparmor.d/groups/virt/virtlogd
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd
index 5be9abb71..2ed2a73fd 100644
--- a/apparmor.d/groups/virt/virtnetworkd
+++ b/apparmor.d/groups/virt/virtnetworkd
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd
index 7e2c76c92..c0498c6cc 100644
--- a/apparmor.d/groups/virt/virtnodedevd
+++ b/apparmor.d/groups/virt/virtnodedevd
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd
index f6c56ca10..58e228d50 100644
--- a/apparmor.d/groups/virt/virtsecretd
+++ b/apparmor.d/groups/virt/virtsecretd
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged
index 3ef20199d..847140a50 100644
--- a/apparmor.d/groups/virt/virtstoraged
+++ b/apparmor.d/groups/virt/virtstoraged
@@ -4,7 +4,7 @@
# TODO: Similar with virtqemud. Could be merged?
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/virt/xtables b/apparmor.d/groups/virt/xtables
index 82eb1a733..71f75b642 100644
--- a/apparmor.d/groups/virt/xtables
+++ b/apparmor.d/groups/virt/xtables
@@ -3,7 +3,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/anondate b/apparmor.d/groups/whonix/anondate
index cb263922c..d39517569 100644
--- a/apparmor.d/groups/whonix/anondate
+++ b/apparmor.d/groups/whonix/anondate
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/msgcollector b/apparmor.d/groups/whonix/msgcollector
index 0c3038d1e..05b07ec47 100644
--- a/apparmor.d/groups/whonix/msgcollector
+++ b/apparmor.d/groups/whonix/msgcollector
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/msgcollector-br-add b/apparmor.d/groups/whonix/msgcollector-br-add
index be5b7dd69..587094df6 100644
--- a/apparmor.d/groups/whonix/msgcollector-br-add
+++ b/apparmor.d/groups/whonix/msgcollector-br-add
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/msgcollector-generic-gui-message b/apparmor.d/groups/whonix/msgcollector-generic-gui-message
index 8b52e2db7..46b7847ff 100644
--- a/apparmor.d/groups/whonix/msgcollector-generic-gui-message
+++ b/apparmor.d/groups/whonix/msgcollector-generic-gui-message
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/msgcollector-striphtml b/apparmor.d/groups/whonix/msgcollector-striphtml
index 1e4e3d9ab..8cf1dec71 100644
--- a/apparmor.d/groups/whonix/msgcollector-striphtml
+++ b/apparmor.d/groups/whonix/msgcollector-striphtml
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/msgdispatcher b/apparmor.d/groups/whonix/msgdispatcher
index 9f2871eef..fd1a9f034 100644
--- a/apparmor.d/groups/whonix/msgdispatcher
+++ b/apparmor.d/groups/whonix/msgdispatcher
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/msgdispatcher-autostart b/apparmor.d/groups/whonix/msgdispatcher-autostart
index c4dae811e..d292e3850 100644
--- a/apparmor.d/groups/whonix/msgdispatcher-autostart
+++ b/apparmor.d/groups/whonix/msgdispatcher-autostart
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/msgdispatcher-delete b/apparmor.d/groups/whonix/msgdispatcher-delete
index cf69e77c8..2a5839e0c 100644
--- a/apparmor.d/groups/whonix/msgdispatcher-delete
+++ b/apparmor.d/groups/whonix/msgdispatcher-delete
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/msgdispatcher-dispatch b/apparmor.d/groups/whonix/msgdispatcher-dispatch
index f42280e1a..0adfe2797 100644
--- a/apparmor.d/groups/whonix/msgdispatcher-dispatch
+++ b/apparmor.d/groups/whonix/msgdispatcher-dispatch
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/open-link-confirmation b/apparmor.d/groups/whonix/open-link-confirmation
index e74d2f26a..a6f7ec440 100644
--- a/apparmor.d/groups/whonix/open-link-confirmation
+++ b/apparmor.d/groups/whonix/open-link-confirmation
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/pam-abort-on-locked-password b/apparmor.d/groups/whonix/pam-abort-on-locked-password
index 79cb70d28..99ac5616d 100644
--- a/apparmor.d/groups/whonix/pam-abort-on-locked-password
+++ b/apparmor.d/groups/whonix/pam-abort-on-locked-password
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/pam-info b/apparmor.d/groups/whonix/pam-info
index d54cab832..51053ccee 100644
--- a/apparmor.d/groups/whonix/pam-info
+++ b/apparmor.d/groups/whonix/pam-info
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/pam_faillock_not_if_x b/apparmor.d/groups/whonix/pam_faillock_not_if_x
index c0d05d8a7..1934be8d5 100644
--- a/apparmor.d/groups/whonix/pam_faillock_not_if_x
+++ b/apparmor.d/groups/whonix/pam_faillock_not_if_x
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/rads b/apparmor.d/groups/whonix/rads
index fdacd13d4..e76570b34 100644
--- a/apparmor.d/groups/whonix/rads
+++ b/apparmor.d/groups/whonix/rads
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/sdwdate b/apparmor.d/groups/whonix/sdwdate
index 21b457aca..d34f8087c 100644
--- a/apparmor.d/groups/whonix/sdwdate
+++ b/apparmor.d/groups/whonix/sdwdate
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/sdwdate-clock-jump b/apparmor.d/groups/whonix/sdwdate-clock-jump
index f70da1977..02b0e866b 100644
--- a/apparmor.d/groups/whonix/sdwdate-clock-jump
+++ b/apparmor.d/groups/whonix/sdwdate-clock-jump
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/sdwdate-gui b/apparmor.d/groups/whonix/sdwdate-gui
index 642b14b46..23c0a6df4 100644
--- a/apparmor.d/groups/whonix/sdwdate-gui
+++ b/apparmor.d/groups/whonix/sdwdate-gui
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/sdwdate-start b/apparmor.d/groups/whonix/sdwdate-start
index 0b952ce19..113f7504c 100644
--- a/apparmor.d/groups/whonix/sdwdate-start
+++ b/apparmor.d/groups/whonix/sdwdate-start
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/sdwdate-wrapper b/apparmor.d/groups/whonix/sdwdate-wrapper
index fe8390da9..19713faba 100644
--- a/apparmor.d/groups/whonix/sdwdate-wrapper
+++ b/apparmor.d/groups/whonix/sdwdate-wrapper
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/sensible-browser b/apparmor.d/groups/whonix/sensible-browser
index 48e2f0f08..1a6f4e26a 100644
--- a/apparmor.d/groups/whonix/sensible-browser
+++ b/apparmor.d/groups/whonix/sensible-browser
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary
index d46c227fb..2a38680bd 100644
--- a/apparmor.d/groups/whonix/systemcheck-canary
+++ b/apparmor.d/groups/whonix/systemcheck-canary
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/timesanitycheck b/apparmor.d/groups/whonix/timesanitycheck
index 3ca78981a..73f643099 100644
--- a/apparmor.d/groups/whonix/timesanitycheck
+++ b/apparmor.d/groups/whonix/timesanitycheck
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/tor-bootstrap-check b/apparmor.d/groups/whonix/tor-bootstrap-check
index 0795b0b35..8a5d8f537 100644
--- a/apparmor.d/groups/whonix/tor-bootstrap-check
+++ b/apparmor.d/groups/whonix/tor-bootstrap-check
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/tor-consensus-valid-after b/apparmor.d/groups/whonix/tor-consensus-valid-after
index d6656afe5..f7d806ef1 100644
--- a/apparmor.d/groups/whonix/tor-consensus-valid-after
+++ b/apparmor.d/groups/whonix/tor-consensus-valid-after
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
index 39ec37ae3..90aaca321 100644
--- a/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
+++ b/apparmor.d/groups/whonix/torbrowser-updater-permission-fix
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/torbrowser-wrapper b/apparmor.d/groups/whonix/torbrowser-wrapper
index a659d00f0..ccdfe2ed4 100644
--- a/apparmor.d/groups/whonix/torbrowser-wrapper
+++ b/apparmor.d/groups/whonix/torbrowser-wrapper
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/whonix-firewall-edit b/apparmor.d/groups/whonix/whonix-firewall-edit
index aeea9cf05..28c1d01b4 100644
--- a/apparmor.d/groups/whonix/whonix-firewall-edit
+++ b/apparmor.d/groups/whonix/whonix-firewall-edit
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/whonix-firewall-restarter b/apparmor.d/groups/whonix/whonix-firewall-restarter
index 87a3713d4..a818e46a6 100644
--- a/apparmor.d/groups/whonix/whonix-firewall-restarter
+++ b/apparmor.d/groups/whonix/whonix-firewall-restarter
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld
index 53b1dba81..f0f8f5d46 100644
--- a/apparmor.d/groups/whonix/whonix-firewalld
+++ b/apparmor.d/groups/whonix/whonix-firewalld
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/mousepad b/apparmor.d/groups/xfce/mousepad
index 1bcd283fa..d8bc79b95 100644
--- a/apparmor.d/groups/xfce/mousepad
+++ b/apparmor.d/groups/xfce/mousepad
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/ristretto b/apparmor.d/groups/xfce/ristretto
index d9151ca80..2aae3f0d3 100644
--- a/apparmor.d/groups/xfce/ristretto
+++ b/apparmor.d/groups/xfce/ristretto
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/startxfce b/apparmor.d/groups/xfce/startxfce
index 7d8a0165f..84abf8ced 100644
--- a/apparmor.d/groups/xfce/startxfce
+++ b/apparmor.d/groups/xfce/startxfce
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/thunar b/apparmor.d/groups/xfce/thunar
index c16365f74..d8f04d49c 100644
--- a/apparmor.d/groups/xfce/thunar
+++ b/apparmor.d/groups/xfce/thunar
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/thunar-volman b/apparmor.d/groups/xfce/thunar-volman
index c49f71458..350255834 100644
--- a/apparmor.d/groups/xfce/thunar-volman
+++ b/apparmor.d/groups/xfce/thunar-volman
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/tumblerd b/apparmor.d/groups/xfce/tumblerd
index f85e6d4cb..99971abb8 100644
--- a/apparmor.d/groups/xfce/tumblerd
+++ b/apparmor.d/groups/xfce/tumblerd
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-about b/apparmor.d/groups/xfce/xfce-about
index 701e98773..0dae6e060 100644
--- a/apparmor.d/groups/xfce/xfce-about
+++ b/apparmor.d/groups/xfce/xfce-about
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-appfinder b/apparmor.d/groups/xfce/xfce-appfinder
index c0753acd8..4b574ce5e 100644
--- a/apparmor.d/groups/xfce/xfce-appfinder
+++ b/apparmor.d/groups/xfce/xfce-appfinder
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-clipman-settings b/apparmor.d/groups/xfce/xfce-clipman-settings
index 499980f17..248d60b7e 100644
--- a/apparmor.d/groups/xfce/xfce-clipman-settings
+++ b/apparmor.d/groups/xfce/xfce-clipman-settings
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-dict b/apparmor.d/groups/xfce/xfce-dict
index 423c09b4e..4b34a3d0b 100644
--- a/apparmor.d/groups/xfce/xfce-dict
+++ b/apparmor.d/groups/xfce/xfce-dict
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-mime-helper b/apparmor.d/groups/xfce/xfce-mime-helper
index 7851cd74e..b1708e58b 100644
--- a/apparmor.d/groups/xfce/xfce-mime-helper
+++ b/apparmor.d/groups/xfce/xfce-mime-helper
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-notifyd b/apparmor.d/groups/xfce/xfce-notifyd
index 06d2b1df3..f5c80e07c 100644
--- a/apparmor.d/groups/xfce/xfce-notifyd
+++ b/apparmor.d/groups/xfce/xfce-notifyd
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel
index 44f237f4b..3c91e7893 100644
--- a/apparmor.d/groups/xfce/xfce-panel
+++ b/apparmor.d/groups/xfce/xfce-panel
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager
index f0654ac68..ff78b6f16 100644
--- a/apparmor.d/groups/xfce/xfce-power-manager
+++ b/apparmor.d/groups/xfce/xfce-power-manager
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver
index aaa5f7fa4..ce0a76612 100644
--- a/apparmor.d/groups/xfce/xfce-screensaver
+++ b/apparmor.d/groups/xfce/xfce-screensaver
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-sensors b/apparmor.d/groups/xfce/xfce-sensors
index ae72f8dbc..e7ee1080b 100644
--- a/apparmor.d/groups/xfce/xfce-sensors
+++ b/apparmor.d/groups/xfce/xfce-sensors
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-session b/apparmor.d/groups/xfce/xfce-session
index b19c11b3b..17007122e 100644
--- a/apparmor.d/groups/xfce/xfce-session
+++ b/apparmor.d/groups/xfce/xfce-session
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfce-terminal b/apparmor.d/groups/xfce/xfce-terminal
index 88a042dad..342ffd3b4 100644
--- a/apparmor.d/groups/xfce/xfce-terminal
+++ b/apparmor.d/groups/xfce/xfce-terminal
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfconfd b/apparmor.d/groups/xfce/xfconfd
index 345851278..0ab17ac5c 100644
--- a/apparmor.d/groups/xfce/xfconfd
+++ b/apparmor.d/groups/xfce/xfconfd
@@ -3,7 +3,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfdesktop b/apparmor.d/groups/xfce/xfdesktop
index c01a057e7..d19e3de63 100644
--- a/apparmor.d/groups/xfce/xfdesktop
+++ b/apparmor.d/groups/xfce/xfdesktop
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfpm-power-backlight-helper b/apparmor.d/groups/xfce/xfpm-power-backlight-helper
index 5f71150e1..236028f2e 100644
--- a/apparmor.d/groups/xfce/xfpm-power-backlight-helper
+++ b/apparmor.d/groups/xfce/xfpm-power-backlight-helper
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfsettingsd b/apparmor.d/groups/xfce/xfsettingsd
index ec46f5448..3eec3377f 100644
--- a/apparmor.d/groups/xfce/xfsettingsd
+++ b/apparmor.d/groups/xfce/xfsettingsd
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/groups/xfce/xfwm b/apparmor.d/groups/xfce/xfwm
index 27bb23bfd..d7af2ccb9 100644
--- a/apparmor.d/groups/xfce/xfwm
+++ b/apparmor.d/groups/xfce/xfwm
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/aa-enabled b/apparmor.d/profiles-a-f/aa-enabled
index d5ebe0c10..fe350b2f6 100644
--- a/apparmor.d/profiles-a-f/aa-enabled
+++ b/apparmor.d/profiles-a-f/aa-enabled
@@ -2,7 +2,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce
index 5f00f8386..a5b18eb4e 100644
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/aa-log b/apparmor.d/profiles-a-f/aa-log
index 8ad4d1a24..39c42d435 100644
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/aa-notify b/apparmor.d/profiles-a-f/aa-notify
index 95d24c9e9..7e901509f 100644
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/profiles-a-f/aa-status
index 5d5840f6f..a48dc693c 100644
--- a/apparmor.d/profiles-a-f/aa-status
+++ b/apparmor.d/profiles-a-f/aa-status
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/aa-teardown b/apparmor.d/profiles-a-f/aa-teardown
index 263c7b9af..b625ad8c6 100644
--- a/apparmor.d/profiles-a-f/aa-teardown
+++ b/apparmor.d/profiles-a-f/aa-teardown
@@ -2,7 +2,7 @@
# Copyright (C) 2023-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/aa-unconfined b/apparmor.d/profiles-a-f/aa-unconfined
index a47fa60eb..08c401270 100644
--- a/apparmor.d/profiles-a-f/aa-unconfined
+++ b/apparmor.d/profiles-a-f/aa-unconfined
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/abook b/apparmor.d/profiles-a-f/abook
index f4252aeee..380faac53 100644
--- a/apparmor.d/profiles-a-f/abook
+++ b/apparmor.d/profiles-a-f/abook
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Zane Zakraisek
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/acpi b/apparmor.d/profiles-a-f/acpi
index 4f6132c25..2914180e6 100644
--- a/apparmor.d/profiles-a-f/acpi
+++ b/apparmor.d/profiles-a-f/acpi
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn
index 519f7f868..2a87bdb85 100644
--- a/apparmor.d/profiles-a-f/acpi-powerbtn
+++ b/apparmor.d/profiles-a-f/acpi-powerbtn
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/acpid b/apparmor.d/profiles-a-f/acpid
index 10600e3d7..7c1a7d4ba 100644
--- a/apparmor.d/profiles-a-f/acpid
+++ b/apparmor.d/profiles-a-f/acpid
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/adb b/apparmor.d/profiles-a-f/adb
index 52e2621fe..3affe4e7a 100644
--- a/apparmor.d/profiles-a-f/adb
+++ b/apparmor.d/profiles-a-f/adb
@@ -3,7 +3,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/adduser b/apparmor.d/profiles-a-f/adduser
index 350f070b0..9103b25b3 100644
--- a/apparmor.d/profiles-a-f/adduser
+++ b/apparmor.d/profiles-a-f/adduser
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate
index fe3e7565f..404a09840 100644
--- a/apparmor.d/profiles-a-f/adequate
+++ b/apparmor.d/profiles-a-f/adequate
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/agetty b/apparmor.d/profiles-a-f/agetty
index 3db817006..9e6db414e 100644
--- a/apparmor.d/profiles-a-f/agetty
+++ b/apparmor.d/profiles-a-f/agetty
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/alacarte b/apparmor.d/profiles-a-f/alacarte
index e1e228618..7ebb3b629 100644
--- a/apparmor.d/profiles-a-f/alacarte
+++ b/apparmor.d/profiles-a-f/alacarte
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl
index bde626660..b881e27e1 100644
--- a/apparmor.d/profiles-a-f/alsactl
+++ b/apparmor.d/profiles-a-f/alsactl
@@ -2,7 +2,7 @@
# Copyright (C) 2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/amixer b/apparmor.d/profiles-a-f/amixer
index 8a625b547..85989a7bf 100644
--- a/apparmor.d/profiles-a-f/amixer
+++ b/apparmor.d/profiles-a-f/amixer
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron
index 8893f1d70..06c50aee3 100644
--- a/apparmor.d/profiles-a-f/anacron
+++ b/apparmor.d/profiles-a-f/anacron
@@ -2,7 +2,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/anyremote b/apparmor.d/profiles-a-f/anyremote
index 4953ab293..2ad4791d7 100644
--- a/apparmor.d/profiles-a-f/anyremote
+++ b/apparmor.d/profiles-a-f/anyremote
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/aplay b/apparmor.d/profiles-a-f/aplay
index 0bb417ae2..fb4f2cb85 100644
--- a/apparmor.d/profiles-a-f/aplay
+++ b/apparmor.d/profiles-a-f/aplay
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/apparmor.systemd b/apparmor.d/profiles-a-f/apparmor.systemd
index a6d517b2a..75394f5de 100644
--- a/apparmor.d/profiles-a-f/apparmor.systemd
+++ b/apparmor.d/profiles-a-f/apparmor.systemd
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/apparmor_parser b/apparmor.d/profiles-a-f/apparmor_parser
index 82acd0d0f..bb4fe0739 100644
--- a/apparmor.d/profiles-a-f/apparmor_parser
+++ b/apparmor.d/profiles-a-f/apparmor_parser
@@ -2,7 +2,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/appstreamcli b/apparmor.d/profiles-a-f/appstreamcli
index 25f4ff40c..72ee1e9dc 100644
--- a/apparmor.d/profiles-a-f/appstreamcli
+++ b/apparmor.d/profiles-a-f/appstreamcli
@@ -3,7 +3,7 @@
# Copyright (C) 2022-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/arandr b/apparmor.d/profiles-a-f/arandr
index 6baddcf18..e260321e6 100644
--- a/apparmor.d/profiles-a-f/arandr
+++ b/apparmor.d/profiles-a-f/arandr
@@ -3,7 +3,7 @@
# Copyright (C) 2021-2024 Alexandre Pujol
# SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
include
diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount
index 03836a9dc..6489139d9 100644
--- a/apparmor.d/profiles-a-f/archivemount
+++ b/apparmor.d/profiles-a-f/archivemount
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino
index 47d784212..0304dbc6c 100644
--- a/apparmor.d/profiles-a-f/arduino
+++ b/apparmor.d/profiles-a-f/arduino
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/arduino-builder b/apparmor.d/profiles-a-f/arduino-builder
index d35004e35..2ef7e37fa 100644
--- a/apparmor.d/profiles-a-f/arduino-builder
+++ b/apparmor.d/profiles-a-f/arduino-builder
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/arduino-ctags b/apparmor.d/profiles-a-f/arduino-ctags
index 0c3849643..d85a6f3a8 100644
--- a/apparmor.d/profiles-a-f/arduino-ctags
+++ b/apparmor.d/profiles-a-f/arduino-ctags
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/aspell b/apparmor.d/profiles-a-f/aspell
index c5bd8d4f4..16b5b6f6d 100644
--- a/apparmor.d/profiles-a-f/aspell
+++ b/apparmor.d/profiles-a-f/aspell
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash
index 078fa0139..9920fb2b3 100644
--- a/apparmor.d/profiles-a-f/aspell-autobuildhash
+++ b/apparmor.d/profiles-a-f/aspell-autobuildhash
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/at b/apparmor.d/profiles-a-f/at
index 2da487b9c..0c309ad72 100644
--- a/apparmor.d/profiles-a-f/at
+++ b/apparmor.d/profiles-a-f/at
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/atd b/apparmor.d/profiles-a-f/atd
index b1b54f0fa..f8d39c8f5 100644
--- a/apparmor.d/profiles-a-f/atd
+++ b/apparmor.d/profiles-a-f/atd
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/atftpd b/apparmor.d/profiles-a-f/atftpd
index 02a0a018b..dc7f2bf36 100644
--- a/apparmor.d/profiles-a-f/atftpd
+++ b/apparmor.d/profiles-a-f/atftpd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/atool b/apparmor.d/profiles-a-f/atool
index a027f7a4f..99cb0fed6 100644
--- a/apparmor.d/profiles-a-f/atool
+++ b/apparmor.d/profiles-a-f/atool
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 valoq
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/atril b/apparmor.d/profiles-a-f/atril
index 3b78d9c02..284c35911 100644
--- a/apparmor.d/profiles-a-f/atril
+++ b/apparmor.d/profiles-a-f/atril
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/atrild b/apparmor.d/profiles-a-f/atrild
index c44686d5a..f66f25936 100644
--- a/apparmor.d/profiles-a-f/atrild
+++ b/apparmor.d/profiles-a-f/atrild
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/auditctl b/apparmor.d/profiles-a-f/auditctl
index daaee243f..d6881f3e7 100644
--- a/apparmor.d/profiles-a-f/auditctl
+++ b/apparmor.d/profiles-a-f/auditctl
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/auditd b/apparmor.d/profiles-a-f/auditd
index 8c1878604..92afa1d08 100644
--- a/apparmor.d/profiles-a-f/auditd
+++ b/apparmor.d/profiles-a-f/auditd
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/augenrules b/apparmor.d/profiles-a-f/augenrules
index 5f192e8cc..7a515c1ba 100644
--- a/apparmor.d/profiles-a-f/augenrules
+++ b/apparmor.d/profiles-a-f/augenrules
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/badblocks b/apparmor.d/profiles-a-f/badblocks
index 48b4cc8af..e0f686b90 100644
--- a/apparmor.d/profiles-a-f/badblocks
+++ b/apparmor.d/profiles-a-f/badblocks
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab
index 63a6ebd22..92977471b 100644
--- a/apparmor.d/profiles-a-f/baobab
+++ b/apparmor.d/profiles-a-f/baobab
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/biosdecode b/apparmor.d/profiles-a-f/biosdecode
index caf8a50d2..8010b380a 100644
--- a/apparmor.d/profiles-a-f/biosdecode
+++ b/apparmor.d/profiles-a-f/biosdecode
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/birdtray b/apparmor.d/profiles-a-f/birdtray
index b6314e942..c63a8de7c 100644
--- a/apparmor.d/profiles-a-f/birdtray
+++ b/apparmor.d/profiles-a-f/birdtray
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/blkdeactivate b/apparmor.d/profiles-a-f/blkdeactivate
index f9db3e96f..ad575351f 100644
--- a/apparmor.d/profiles-a-f/blkdeactivate
+++ b/apparmor.d/profiles-a-f/blkdeactivate
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/blkid b/apparmor.d/profiles-a-f/blkid
index ad8134064..282081330 100644
--- a/apparmor.d/profiles-a-f/blkid
+++ b/apparmor.d/profiles-a-f/blkid
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/blockdev b/apparmor.d/profiles-a-f/blockdev
index 1b6cc77cb..88059a4c5 100644
--- a/apparmor.d/profiles-a-f/blockdev
+++ b/apparmor.d/profiles-a-f/blockdev
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman
index 9ac1c2c2b..08a553c1d 100644
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/blueman-mechanism b/apparmor.d/profiles-a-f/blueman-mechanism
index 152520fad..aae5d53cd 100644
--- a/apparmor.d/profiles-a-f/blueman-mechanism
+++ b/apparmor.d/profiles-a-f/blueman-mechanism
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher
index a8753ac8f..516f14bdd 100644
--- a/apparmor.d/profiles-a-f/blueman-rfcomm-watcher
+++ b/apparmor.d/profiles-a-f/blueman-rfcomm-watcher
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/bluemoon b/apparmor.d/profiles-a-f/bluemoon
index 06f4040f8..88cb70621 100644
--- a/apparmor.d/profiles-a-f/bluemoon
+++ b/apparmor.d/profiles-a-f/bluemoon
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/bluetoothctl b/apparmor.d/profiles-a-f/bluetoothctl
index 603998f2c..01565b4ff 100644
--- a/apparmor.d/profiles-a-f/bluetoothctl
+++ b/apparmor.d/profiles-a-f/bluetoothctl
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/bluetoothd b/apparmor.d/profiles-a-f/bluetoothd
index 66cc35860..ee7efdcfd 100644
--- a/apparmor.d/profiles-a-f/bluetoothd
+++ b/apparmor.d/profiles-a-f/bluetoothd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/bmon b/apparmor.d/profiles-a-f/bmon
index 77feb3210..d29d9fde7 100644
--- a/apparmor.d/profiles-a-f/bmon
+++ b/apparmor.d/profiles-a-f/bmon
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd
index e5464290a..b70b72088 100644
--- a/apparmor.d/profiles-a-f/boltd
+++ b/apparmor.d/profiles-a-f/boltd
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg
index 6a8eff043..15c6b71c9 100644
--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/browserpass b/apparmor.d/profiles-a-f/browserpass
index f35e0c640..86da0e6a7 100644
--- a/apparmor.d/profiles-a-f/browserpass
+++ b/apparmor.d/profiles-a-f/browserpass
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop
index b6c3556ec..bab483dde 100644
--- a/apparmor.d/profiles-a-f/btop
+++ b/apparmor.d/profiles-a-f/btop
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/btrfs b/apparmor.d/profiles-a-f/btrfs
index 41e6fff57..cdf5eb0df 100644
--- a/apparmor.d/profiles-a-f/btrfs
+++ b/apparmor.d/profiles-a-f/btrfs
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/btrfs-convert b/apparmor.d/profiles-a-f/btrfs-convert
index 8b443cf6e..2dccbf1fd 100644
--- a/apparmor.d/profiles-a-f/btrfs-convert
+++ b/apparmor.d/profiles-a-f/btrfs-convert
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/btrfs-find-root b/apparmor.d/profiles-a-f/btrfs-find-root
index 03c2d47bd..eef4b6823 100644
--- a/apparmor.d/profiles-a-f/btrfs-find-root
+++ b/apparmor.d/profiles-a-f/btrfs-find-root
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/btrfs-image b/apparmor.d/profiles-a-f/btrfs-image
index c1508bb09..6f18ac095 100644
--- a/apparmor.d/profiles-a-f/btrfs-image
+++ b/apparmor.d/profiles-a-f/btrfs-image
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/btrfs-map-logical b/apparmor.d/profiles-a-f/btrfs-map-logical
index 12d2b09d6..f871bc946 100644
--- a/apparmor.d/profiles-a-f/btrfs-map-logical
+++ b/apparmor.d/profiles-a-f/btrfs-map-logical
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/btrfs-select-super b/apparmor.d/profiles-a-f/btrfs-select-super
index f083363cf..0019aa906 100644
--- a/apparmor.d/profiles-a-f/btrfs-select-super
+++ b/apparmor.d/profiles-a-f/btrfs-select-super
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/btrfstune b/apparmor.d/profiles-a-f/btrfstune
index cd8f7adfe..f8fa4a047 100644
--- a/apparmor.d/profiles-a-f/btrfstune
+++ b/apparmor.d/profiles-a-f/btrfstune
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/calibre b/apparmor.d/profiles-a-f/calibre
index c00490a75..6d71ed28d 100644
--- a/apparmor.d/profiles-a-f/calibre
+++ b/apparmor.d/profiles-a-f/calibre
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird
index ee3bab550..ab2ac687c 100644
--- a/apparmor.d/profiles-a-f/cawbird
+++ b/apparmor.d/profiles-a-f/cawbird
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper
index bc12ec50b..cefc60f6d 100644
--- a/apparmor.d/profiles-a-f/cc-remote-login-helper
+++ b/apparmor.d/profiles-a-f/cc-remote-login-helper
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cctk b/apparmor.d/profiles-a-f/cctk
index 3795d9836..40c5199b3 100644
--- a/apparmor.d/profiles-a-f/cctk
+++ b/apparmor.d/profiles-a-f/cctk
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/ccze b/apparmor.d/profiles-a-f/ccze
index e51310b63..338f71a78 100644
--- a/apparmor.d/profiles-a-f/ccze
+++ b/apparmor.d/profiles-a-f/ccze
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cemu b/apparmor.d/profiles-a-f/cemu
index 40920ebd0..1201f2476 100644
--- a/apparmor.d/profiles-a-f/cemu
+++ b/apparmor.d/profiles-a-f/cemu
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cert-sync b/apparmor.d/profiles-a-f/cert-sync
index e2770bda1..fa70c395f 100644
--- a/apparmor.d/profiles-a-f/cert-sync
+++ b/apparmor.d/profiles-a-f/cert-sync
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cfdisk b/apparmor.d/profiles-a-f/cfdisk
index 7559b5c84..9cacb9324 100644
--- a/apparmor.d/profiles-a-f/cfdisk
+++ b/apparmor.d/profiles-a-f/cfdisk
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cgdisk b/apparmor.d/profiles-a-f/cgdisk
index f19e70c26..0f91c1e85 100644
--- a/apparmor.d/profiles-a-f/cgdisk
+++ b/apparmor.d/profiles-a-f/cgdisk
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cgrulesengd b/apparmor.d/profiles-a-f/cgrulesengd
index 6c51eead1..08b1d83b5 100644
--- a/apparmor.d/profiles-a-f/cgrulesengd
+++ b/apparmor.d/profiles-a-f/cgrulesengd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/chage b/apparmor.d/profiles-a-f/chage
index 3eaa0efb9..a89e204a8 100644
--- a/apparmor.d/profiles-a-f/chage
+++ b/apparmor.d/profiles-a-f/chage
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/changestool b/apparmor.d/profiles-a-f/changestool
index 9dd650d51..6ff8ed55d 100644
--- a/apparmor.d/profiles-a-f/changestool
+++ b/apparmor.d/profiles-a-f/changestool
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/check-bios-nx b/apparmor.d/profiles-a-f/check-bios-nx
index 877677bca..775e3f640 100644
--- a/apparmor.d/profiles-a-f/check-bios-nx
+++ b/apparmor.d/profiles-a-f/check-bios-nx
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status
index bdd9719d3..1a1d4bfd6 100644
--- a/apparmor.d/profiles-a-f/check-support-status
+++ b/apparmor.d/profiles-a-f/check-support-status
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook
index e0c312423..b77bcfd6d 100644
--- a/apparmor.d/profiles-a-f/check-support-status-hook
+++ b/apparmor.d/profiles-a-f/check-support-status-hook
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/chfn b/apparmor.d/profiles-a-f/chfn
index 162a08b84..7201d1a7a 100644
--- a/apparmor.d/profiles-a-f/chfn
+++ b/apparmor.d/profiles-a-f/chfn
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/chronyd b/apparmor.d/profiles-a-f/chronyd
index 79fbf8d80..155d82f07 100644
--- a/apparmor.d/profiles-a-f/chronyd
+++ b/apparmor.d/profiles-a-f/chronyd
@@ -4,7 +4,7 @@
 # Based on https://salsa.debian.org/debian/chrony/-/blob/debian/latest/debian/usr.sbin.chronyd
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/chsh b/apparmor.d/profiles-a-f/chsh
index ffcdb5bdf..61885ed4e 100644
--- a/apparmor.d/profiles-a-f/chsh
+++ b/apparmor.d/profiles-a-f/chsh
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail
index 4de4543a4..82387d044 100644
--- a/apparmor.d/profiles-a-f/claws-mail
+++ b/apparmor.d/profiles-a-f/claws-mail
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus
index b667d81f0..1cff2fb63 100644
--- a/apparmor.d/profiles-a-f/cmus
+++ b/apparmor.d/profiles-a-f/cmus
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 valoq
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/code-extension-git-askpass b/apparmor.d/profiles-a-f/code-extension-git-askpass
index 6954ca966..5a31889b9 100644
--- a/apparmor.d/profiles-a-f/code-extension-git-askpass
+++ b/apparmor.d/profiles-a-f/code-extension-git-askpass
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/code-extension-git-editor b/apparmor.d/profiles-a-f/code-extension-git-editor
index 104e01281..8e56ac3aa 100644
--- a/apparmor.d/profiles-a-f/code-extension-git-editor
+++ b/apparmor.d/profiles-a-f/code-extension-git-editor
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/compton b/apparmor.d/profiles-a-f/compton
index b27228807..a6c7d193f 100644
--- a/apparmor.d/profiles-a-f/compton
+++ b/apparmor.d/profiles-a-f/compton
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky
index 1e1b10abc..9116a116e 100644
--- a/apparmor.d/profiles-a-f/conky
+++ b/apparmor.d/profiles-a-f/conky
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup
index d7b41ff20..d3aaddf7f 100644
--- a/apparmor.d/profiles-a-f/console-setup
+++ b/apparmor.d/profiles-a-f/console-setup
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/convertall b/apparmor.d/profiles-a-f/convertall
index f3ce650e6..8c38f85a3 100644
--- a/apparmor.d/profiles-a-f/convertall
+++ b/apparmor.d/profiles-a-f/convertall
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cppw-cpgr b/apparmor.d/profiles-a-f/cppw-cpgr
index 9e0aa0ad1..a5b7d8302 100644
--- a/apparmor.d/profiles-a-f/cppw-cpgr
+++ b/apparmor.d/profiles-a-f/cppw-cpgr
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cpuid b/apparmor.d/profiles-a-f/cpuid
index 8df6f750e..c374d4685 100644
--- a/apparmor.d/profiles-a-f/cpuid
+++ b/apparmor.d/profiles-a-f/cpuid
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cracklib-packer b/apparmor.d/profiles-a-f/cracklib-packer
index d29bfbbee..cc183f527 100644
--- a/apparmor.d/profiles-a-f/cracklib-packer
+++ b/apparmor.d/profiles-a-f/cracklib-packer
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/crda b/apparmor.d/profiles-a-f/crda
index 96fb4c706..50d34bad4 100644
--- a/apparmor.d/profiles-a-f/crda
+++ b/apparmor.d/profiles-a-f/crda
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-beh b/apparmor.d/profiles-a-f/cups-backend-beh
index 5945ac6ea..e2dbc1b51 100644
--- a/apparmor.d/profiles-a-f/cups-backend-beh
+++ b/apparmor.d/profiles-a-f/cups-backend-beh
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-bluetooth b/apparmor.d/profiles-a-f/cups-backend-bluetooth
index ba606c7ef..ada4926ce 100644
--- a/apparmor.d/profiles-a-f/cups-backend-bluetooth
+++ b/apparmor.d/profiles-a-f/cups-backend-bluetooth
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-brf b/apparmor.d/profiles-a-f/cups-backend-brf
index 2ea66ba05..27e98efc3 100644
--- a/apparmor.d/profiles-a-f/cups-backend-brf
+++ b/apparmor.d/profiles-a-f/cups-backend-brf
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-dnssd b/apparmor.d/profiles-a-f/cups-backend-dnssd
index 0bb1a34d1..f45b99216 100644
--- a/apparmor.d/profiles-a-f/cups-backend-dnssd
+++ b/apparmor.d/profiles-a-f/cups-backend-dnssd
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-hp b/apparmor.d/profiles-a-f/cups-backend-hp
index f82ce7e0a..636121553 100644
--- a/apparmor.d/profiles-a-f/cups-backend-hp
+++ b/apparmor.d/profiles-a-f/cups-backend-hp
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-implicitclass b/apparmor.d/profiles-a-f/cups-backend-implicitclass
index 6a50ec237..ba85c62fa 100644
--- a/apparmor.d/profiles-a-f/cups-backend-implicitclass
+++ b/apparmor.d/profiles-a-f/cups-backend-implicitclass
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-ipp b/apparmor.d/profiles-a-f/cups-backend-ipp
index 706e1a5ae..b473ecaa3 100644
--- a/apparmor.d/profiles-a-f/cups-backend-ipp
+++ b/apparmor.d/profiles-a-f/cups-backend-ipp
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-lpd b/apparmor.d/profiles-a-f/cups-backend-lpd
index 077a913a0..af2901be0 100644
--- a/apparmor.d/profiles-a-f/cups-backend-lpd
+++ b/apparmor.d/profiles-a-f/cups-backend-lpd
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-mdns b/apparmor.d/profiles-a-f/cups-backend-mdns
index a520e9a19..0b9cce0da 100644
--- a/apparmor.d/profiles-a-f/cups-backend-mdns
+++ b/apparmor.d/profiles-a-f/cups-backend-mdns
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-parallel b/apparmor.d/profiles-a-f/cups-backend-parallel
index fe2e752ef..a985e5042 100644
--- a/apparmor.d/profiles-a-f/cups-backend-parallel
+++ b/apparmor.d/profiles-a-f/cups-backend-parallel
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf
index efbb2a85d..b6e6d59ad 100644
--- a/apparmor.d/profiles-a-f/cups-backend-pdf
+++ b/apparmor.d/profiles-a-f/cups-backend-pdf
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-serial b/apparmor.d/profiles-a-f/cups-backend-serial
index e2ec19bce..3959a091d 100644
--- a/apparmor.d/profiles-a-f/cups-backend-serial
+++ b/apparmor.d/profiles-a-f/cups-backend-serial
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp
index 1532db04b..35f0392de 100644
--- a/apparmor.d/profiles-a-f/cups-backend-snmp
+++ b/apparmor.d/profiles-a-f/cups-backend-snmp
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-socket b/apparmor.d/profiles-a-f/cups-backend-socket
index 338d2e2e6..3efcf183b 100644
--- a/apparmor.d/profiles-a-f/cups-backend-socket
+++ b/apparmor.d/profiles-a-f/cups-backend-socket
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/cups-backend-usb b/apparmor.d/profiles-a-f/cups-backend-usb
index e647939f4..fa21e0204 100644
--- a/apparmor.d/profiles-a-f/cups-backend-usb
+++ b/apparmor.d/profiles-a-f/cups-backend-usb
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-browsed b/apparmor.d/profiles-a-f/cups-browsed index 6b01087b9..41d22ed9b 100644 --- a/apparmor.d/profiles-a-f/cups-browsed +++ b/apparmor.d/profiles-a-f/cups-browsed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus index 9632ca91d..e22b2f6a4 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-dbus +++ b/apparmor.d/profiles-a-f/cups-notifier-dbus @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/profiles-a-f/cups-notifier-mailto index aad9f73c3..0df4984d4 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-mailto +++ b/apparmor.d/profiles-a-f/cups-notifier-mailto @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/profiles-a-f/cups-notifier-rss index 86dfecc9e..129cb8d6f 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-rss +++ b/apparmor.d/profiles-a-f/cups-notifier-rss @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism index 7c67e3e6a..89d55c2f1 100644 --- a/apparmor.d/profiles-a-f/cups-pk-helper-mechanism +++ b/apparmor.d/profiles-a-f/cups-pk-helper-mechanism @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/czkawka-cli b/apparmor.d/profiles-a-f/czkawka-cli index 6ad4c553b..ddbc8b59b 100644 --- a/apparmor.d/profiles-a-f/czkawka-cli +++ b/apparmor.d/profiles-a-f/czkawka-cli @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index 68a30c769..30dc56b29 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ddclient b/apparmor.d/profiles-a-f/ddclient index 000e61013..c16629d6d 100644 --- a/apparmor.d/profiles-a-f/ddclient +++ b/apparmor.d/profiles-a-f/ddclient @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ddcutil b/apparmor.d/profiles-a-f/ddcutil index ee12dcd5d..c752dcbb8 100644 --- a/apparmor.d/profiles-a-f/ddcutil +++ b/apparmor.d/profiles-a-f/ddcutil @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index eaf12a933..b3afbfc09 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 67e52b376..540079175 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/df b/apparmor.d/profiles-a-f/df index 18b3687e1..1a823e4db 100644 --- a/apparmor.d/profiles-a-f/df +++ b/apparmor.d/profiles-a-f/df @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dfc b/apparmor.d/profiles-a-f/dfc index b4ccf6743..d23028a47 100644 --- a/apparmor.d/profiles-a-f/dfc +++ b/apparmor.d/profiles-a-f/dfc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dhclient b/apparmor.d/profiles-a-f/dhclient index 20e45b87f..30d68f6e5 100644 --- a/apparmor.d/profiles-a-f/dhclient +++ b/apparmor.d/profiles-a-f/dhclient @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 4261a8be7..1552ee0e4 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dig b/apparmor.d/profiles-a-f/dig index 87b80e3da..3e95a05dd 100644 --- a/apparmor.d/profiles-a-f/dig +++ b/apparmor.d/profiles-a-f/dig @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dino b/apparmor.d/profiles-a-f/dino index dad921850..e2ee5e9b2 100644 --- a/apparmor.d/profiles-a-f/dino +++ b/apparmor.d/profiles-a-f/dino @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/discord b/apparmor.d/profiles-a-f/discord index 3ff222b4a..74d1ce740 100644 --- a/apparmor.d/profiles-a-f/discord 
+++ b/apparmor.d/profiles-a-f/discord @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/discord-chrome-sandbox b/apparmor.d/profiles-a-f/discord-chrome-sandbox index d30a2a57f..4cfefd651 100644 --- a/apparmor.d/profiles-a-f/discord-chrome-sandbox +++ b/apparmor.d/profiles-a-f/discord-chrome-sandbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index bfd287741..5e8a3ea0c 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -4,7 +4,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dkms-autoinstaller b/apparmor.d/profiles-a-f/dkms-autoinstaller index f266791a1..00f1d8117 100644 --- a/apparmor.d/profiles-a-f/dkms-autoinstaller +++ b/apparmor.d/profiles-a-f/dkms-autoinstaller @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dleyna-renderer-service b/apparmor.d/profiles-a-f/dleyna-renderer-service index d56098048..139dfaeaf 100644 --- a/apparmor.d/profiles-a-f/dleyna-renderer-service +++ b/apparmor.d/profiles-a-f/dleyna-renderer-service @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dleyna-server-service b/apparmor.d/profiles-a-f/dleyna-server-service index f41d250f6..552abeadc 100644 --- a/apparmor.d/profiles-a-f/dleyna-server-service +++ b/apparmor.d/profiles-a-f/dleyna-server-service @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index e17a72c84..ff042c321 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dmcrypt-get-device b/apparmor.d/profiles-a-f/dmcrypt-get-device index 2fa3fc6a9..7d5b8062a 100644 --- a/apparmor.d/profiles-a-f/dmcrypt-get-device +++ b/apparmor.d/profiles-a-f/dmcrypt-get-device @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dmesg b/apparmor.d/profiles-a-f/dmesg index f2d0c7665..68fa13298 100644 --- a/apparmor.d/profiles-a-f/dmesg +++ b/apparmor.d/profiles-a-f/dmesg @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dmeventd b/apparmor.d/profiles-a-f/dmeventd index 2d904eec0..0484cf99d 100644 --- a/apparmor.d/profiles-a-f/dmeventd +++ b/apparmor.d/profiles-a-f/dmeventd @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dmidecode b/apparmor.d/profiles-a-f/dmidecode index 061bc40ac..aba455535 100644 --- a/apparmor.d/profiles-a-f/dmidecode +++ b/apparmor.d/profiles-a-f/dmidecode @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dmsetup b/apparmor.d/profiles-a-f/dmsetup index 305e03573..d532bb8cf 100644 --- a/apparmor.d/profiles-a-f/dmsetup +++ b/apparmor.d/profiles-a-f/dmsetup @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/dnscrypt-proxy b/apparmor.d/profiles-a-f/dnscrypt-proxy index 6727b8201..08dad1bd2 100644 --- a/apparmor.d/profiles-a-f/dnscrypt-proxy +++ b/apparmor.d/profiles-a-f/dnscrypt-proxy @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/downloadhelper b/apparmor.d/profiles-a-f/downloadhelper index 05b4085b3..bb54ca251 100644 --- a/apparmor.d/profiles-a-f/downloadhelper +++ b/apparmor.d/profiles-a-f/downloadhelper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dring b/apparmor.d/profiles-a-f/dring index 8d0045030..32a914268 100644 --- a/apparmor.d/profiles-a-f/dring +++ b/apparmor.d/profiles-a-f/dring @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dropbox b/apparmor.d/profiles-a-f/dropbox index 8aa054238..065fe92c5 100644 --- a/apparmor.d/profiles-a-f/dropbox +++ b/apparmor.d/profiles-a-f/dropbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dumpcap b/apparmor.d/profiles-a-f/dumpcap index e03ad1742..634aebd02 100644 --- a/apparmor.d/profiles-a-f/dumpcap +++ b/apparmor.d/profiles-a-f/dumpcap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dumpe2fs b/apparmor.d/profiles-a-f/dumpe2fs index 725f725c5..eb3d4d61a 100644 --- a/apparmor.d/profiles-a-f/dumpe2fs +++ b/apparmor.d/profiles-a-f/dumpe2fs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/dunst b/apparmor.d/profiles-a-f/dunst index 220652247..e73e3370c 100644 --- a/apparmor.d/profiles-a-f/dunst +++ b/apparmor.d/profiles-a-f/dunst @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dunstctl b/apparmor.d/profiles-a-f/dunstctl index a00668556..45ec6886c 100644 --- a/apparmor.d/profiles-a-f/dunstctl +++ b/apparmor.d/profiles-a-f/dunstctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/dunstify b/apparmor.d/profiles-a-f/dunstify index 42a8be4ad..c62e87f66 100644 --- a/apparmor.d/profiles-a-f/dunstify +++ b/apparmor.d/profiles-a-f/dunstify @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/e2fsck b/apparmor.d/profiles-a-f/e2fsck index a02c8735e..be5d26b9f 100644 --- a/apparmor.d/profiles-a-f/e2fsck +++ b/apparmor.d/profiles-a-f/e2fsck @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/e2image b/apparmor.d/profiles-a-f/e2image index ccb4cc5a4..b099f1ccf 100644 --- a/apparmor.d/profiles-a-f/e2image +++ b/apparmor.d/profiles-a-f/e2image @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/e2scrub_all b/apparmor.d/profiles-a-f/e2scrub_all index de648cac2..25fab12c7 100644 --- a/apparmor.d/profiles-a-f/e2scrub_all +++ b/apparmor.d/profiles-a-f/e2scrub_all @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/earlyoom b/apparmor.d/profiles-a-f/earlyoom index 6752cbae6..01484cdc6 100644 
--- a/apparmor.d/profiles-a-f/earlyoom +++ b/apparmor.d/profiles-a-f/earlyoom @@ -2,7 +2,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/edid-decode b/apparmor.d/profiles-a-f/edid-decode index 8925e5e2d..f15d6db6c 100644 --- a/apparmor.d/profiles-a-f/edid-decode +++ b/apparmor.d/profiles-a-f/edid-decode @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/eject b/apparmor.d/profiles-a-f/eject index bd467c2be..84168322a 100644 --- a/apparmor.d/profiles-a-f/eject +++ b/apparmor.d/profiles-a-f/eject @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/element-desktop b/apparmor.d/profiles-a-f/element-desktop index a792b7341..e4a9bef28 100644 --- a/apparmor.d/profiles-a-f/element-desktop +++ b/apparmor.d/profiles-a-f/element-desktop @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/elinks b/apparmor.d/profiles-a-f/elinks index 1909ab896..f833c303d 100644 --- a/apparmor.d/profiles-a-f/elinks +++ b/apparmor.d/profiles-a-f/elinks @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/engrampa b/apparmor.d/profiles-a-f/engrampa index 86077c89b..c302ff400 100644 --- a/apparmor.d/profiles-a-f/engrampa +++ b/apparmor.d/profiles-a-f/engrampa @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index 6f10293c7..d42b07dee 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper 
@@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/evince b/apparmor.d/profiles-a-f/evince index 3ac55439a..2638ad0e3 100644 --- a/apparmor.d/profiles-a-f/evince +++ b/apparmor.d/profiles-a-f/evince @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/evince-previewer b/apparmor.d/profiles-a-f/evince-previewer index 7a2b939a6..1597c35af 100644 --- a/apparmor.d/profiles-a-f/evince-previewer +++ b/apparmor.d/profiles-a-f/evince-previewer @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/evince-thumbnailer b/apparmor.d/profiles-a-f/evince-thumbnailer index d4e63c924..95fdba512 100644 --- a/apparmor.d/profiles-a-f/evince-thumbnailer +++ b/apparmor.d/profiles-a-f/evince-thumbnailer @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/execute-dcut b/apparmor.d/profiles-a-f/execute-dcut index 9f03de7fc..41d2324f6 100644 --- a/apparmor.d/profiles-a-f/execute-dcut +++ b/apparmor.d/profiles-a-f/execute-dcut @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 10edc6164..915213dac 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exiftool b/apparmor.d/profiles-a-f/exiftool index 9db5d83ea..fecb1af22 100644 --- a/apparmor.d/profiles-a-f/exiftool +++ b/apparmor.d/profiles-a-f/exiftool 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exim4 b/apparmor.d/profiles-a-f/exim4 index 3dae4cae6..98364f0f1 100644 --- a/apparmor.d/profiles-a-f/exim4 +++ b/apparmor.d/profiles-a-f/exim4 @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exo-compose-mail b/apparmor.d/profiles-a-f/exo-compose-mail index 990c67b85..3e1f92742 100644 --- a/apparmor.d/profiles-a-f/exo-compose-mail +++ b/apparmor.d/profiles-a-f/exo-compose-mail @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exo-helper b/apparmor.d/profiles-a-f/exo-helper index af38a5fa3..b9d7652ee 100644 --- a/apparmor.d/profiles-a-f/exo-helper +++ b/apparmor.d/profiles-a-f/exo-helper @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/exo-open b/apparmor.d/profiles-a-f/exo-open index 04d5f8b36..2c5e86e30 100644 --- a/apparmor.d/profiles-a-f/exo-open +++ b/apparmor.d/profiles-a-f/exo-open @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3brew b/apparmor.d/profiles-a-f/f3brew index 8572f369c..312512010 100644 --- a/apparmor.d/profiles-a-f/f3brew +++ b/apparmor.d/profiles-a-f/f3brew @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3fix b/apparmor.d/profiles-a-f/f3fix index a5d327e72..4d743fbb7 100644 --- a/apparmor.d/profiles-a-f/f3fix +++ b/apparmor.d/profiles-a-f/f3fix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/f3probe b/apparmor.d/profiles-a-f/f3probe index c7843c91f..d935075eb 100644 --- a/apparmor.d/profiles-a-f/f3probe +++ b/apparmor.d/profiles-a-f/f3probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3read b/apparmor.d/profiles-a-f/f3read index a25e7e0cc..93058cfa9 100644 --- a/apparmor.d/profiles-a-f/f3read +++ b/apparmor.d/profiles-a-f/f3read @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/f3write b/apparmor.d/profiles-a-f/f3write index 25282dff8..25c56778d 100644 --- a/apparmor.d/profiles-a-f/f3write +++ b/apparmor.d/profiles-a-f/f3write @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fail2ban-client b/apparmor.d/profiles-a-f/fail2ban-client index 23fd61125..7fae1218c 100644 --- a/apparmor.d/profiles-a-f/fail2ban-client +++ b/apparmor.d/profiles-a-f/fail2ban-client @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fail2ban-server b/apparmor.d/profiles-a-f/fail2ban-server index 2706c8e43..e858c2d8e 100644 --- a/apparmor.d/profiles-a-f/fail2ban-server +++ b/apparmor.d/profiles-a-f/fail2ban-server @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fatlabel b/apparmor.d/profiles-a-f/fatlabel index df95d83c0..c7ac0d399 100644 --- a/apparmor.d/profiles-a-f/fatlabel +++ b/apparmor.d/profiles-a-f/fatlabel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/fatresize b/apparmor.d/profiles-a-f/fatresize index b94e0e49c..e299a109b 100644 --- a/apparmor.d/profiles-a-f/fatresize +++ b/apparmor.d/profiles-a-f/fatresize @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fdisk b/apparmor.d/profiles-a-f/fdisk index 8e6ea58fa..e6a7aeebf 100644 --- a/apparmor.d/profiles-a-f/fdisk +++ b/apparmor.d/profiles-a-f/fdisk @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ffmpeg b/apparmor.d/profiles-a-f/ffmpeg index 864becf32..6e47ec8cb 100644 --- a/apparmor.d/profiles-a-f/ffmpeg +++ b/apparmor.d/profiles-a-f/ffmpeg @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ffmpegthumbnailer b/apparmor.d/profiles-a-f/ffmpegthumbnailer index 04ecf16cc..acc33199c 100644 --- a/apparmor.d/profiles-a-f/ffmpegthumbnailer +++ b/apparmor.d/profiles-a-f/ffmpegthumbnailer @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ffplay b/apparmor.d/profiles-a-f/ffplay index 0615d1042..6d3e1972d 100644 --- a/apparmor.d/profiles-a-f/ffplay +++ b/apparmor.d/profiles-a-f/ffplay @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/ffprobe b/apparmor.d/profiles-a-f/ffprobe index f5448d7ef..793361489 100644 --- a/apparmor.d/profiles-a-f/ffprobe +++ b/apparmor.d/profiles-a-f/ffprobe @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 8f81ad522..57eb19aef 100644 
--- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/filecap b/apparmor.d/profiles-a-f/filecap index afad4070c..6729ebb91 100644 --- a/apparmor.d/profiles-a-f/filecap +++ b/apparmor.d/profiles-a-f/filecap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/filezilla b/apparmor.d/profiles-a-f/filezilla index 8b3786eb5..be734ed50 100644 --- a/apparmor.d/profiles-a-f/filezilla +++ b/apparmor.d/profiles-a-f/filezilla @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/findmnt b/apparmor.d/profiles-a-f/findmnt index 7fb7c9e1b..bcffc5b89 100644 --- a/apparmor.d/profiles-a-f/findmnt +++ b/apparmor.d/profiles-a-f/findmnt @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/firecfg b/apparmor.d/profiles-a-f/firecfg index c470d068a..a3aba8af1 100644 --- a/apparmor.d/profiles-a-f/firecfg +++ b/apparmor.d/profiles-a-f/firecfg @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/firewall-applet b/apparmor.d/profiles-a-f/firewall-applet index b3571e628..17fca1462 100644 --- a/apparmor.d/profiles-a-f/firewall-applet +++ b/apparmor.d/profiles-a-f/firewall-applet @@ -2,7 +2,7 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/firewall-config b/apparmor.d/profiles-a-f/firewall-config index a752954e6..760a75200 100644 --- a/apparmor.d/profiles-a-f/firewall-config 
+++ b/apparmor.d/profiles-a-f/firewall-config @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/firewalld b/apparmor.d/profiles-a-f/firewalld index e450c78cd..142b25cde 100644 --- a/apparmor.d/profiles-a-f/firewalld +++ b/apparmor.d/profiles-a-f/firewalld @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flameshot b/apparmor.d/profiles-a-f/flameshot index 877e42912..f0d042ba8 100644 --- a/apparmor.d/profiles-a-f/flameshot +++ b/apparmor.d/profiles-a-f/flameshot @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index d89f8c524..05873c4e2 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app index 71ec660d8..d91b9ac53 100644 --- a/apparmor.d/profiles-a-f/flatpak-app +++ b/apparmor.d/profiles-a-f/flatpak-app @@ -18,7 +18,7 @@ # This this only defence in depth. # 3. The main purpose of this profile is to ensure all processes are confined. -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak-oci-authenticator b/apparmor.d/profiles-a-f/flatpak-oci-authenticator index 9b379b55d..be6c7b320 100644 --- a/apparmor.d/profiles-a-f/flatpak-oci-authenticator +++ b/apparmor.d/profiles-a-f/flatpak-oci-authenticator @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal index 570a3ea8c..3f3d1e28e 100644 
--- a/apparmor.d/profiles-a-f/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper index 1706f4b21..7144a237a 100644 --- a/apparmor.d/profiles-a-f/flatpak-session-helper +++ b/apparmor.d/profiles-a-f/flatpak-session-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak-system-helper b/apparmor.d/profiles-a-f/flatpak-system-helper index a2141b111..2268de064 100644 --- a/apparmor.d/profiles-a-f/flatpak-system-helper +++ b/apparmor.d/profiles-a-f/flatpak-system-helper @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/flatpak-validate-icon b/apparmor.d/profiles-a-f/flatpak-validate-icon index 7669bb1e6..41701a5ff 100644 --- a/apparmor.d/profiles-a-f/flatpak-validate-icon +++ b/apparmor.d/profiles-a-f/flatpak-validate-icon @@ -2,7 +2,7 @@ # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index 3592893e9..0474684e7 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/font-manager b/apparmor.d/profiles-a-f/font-manager index 6d7096ad7..81c53aafd 100644 --- a/apparmor.d/profiles-a-f/font-manager +++ b/apparmor.d/profiles-a-f/font-manager @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-a-f/fping b/apparmor.d/profiles-a-f/fping index 5d30e4522..ee6213cb5 100644 --- a/apparmor.d/profiles-a-f/fping +++ b/apparmor.d/profiles-a-f/fping @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 2c474b27b..9a0d4058a 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 54abde9d3..20eaa34af 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/freefall b/apparmor.d/profiles-a-f/freefall index 0499beb0a..7af1ef8c9 100644 --- a/apparmor.d/profiles-a-f/freefall +++ b/apparmor.d/profiles-a-f/freefall @@ -2,7 +2,7 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/freetube b/apparmor.d/profiles-a-f/freetube index a400bf9d9..333c9f368 100644 --- a/apparmor.d/profiles-a-f/freetube +++ b/apparmor.d/profiles-a-f/freetube @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fritzing b/apparmor.d/profiles-a-f/fritzing index 3e3dde2e9..18b990bbc 100644 --- a/apparmor.d/profiles-a-f/fritzing +++ b/apparmor.d/profiles-a-f/fritzing @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index eb90c18d6..51bfc3610 100644 
--- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fsck b/apparmor.d/profiles-a-f/fsck index d04b32e96..5d0588026 100644 --- a/apparmor.d/profiles-a-f/fsck +++ b/apparmor.d/profiles-a-f/fsck @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fsck.btrfs b/apparmor.d/profiles-a-f/fsck.btrfs index 470b5a3d3..f8ac9419d 100644 --- a/apparmor.d/profiles-a-f/fsck.btrfs +++ b/apparmor.d/profiles-a-f/fsck.btrfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fsck.fat b/apparmor.d/profiles-a-f/fsck.fat index c188574ee..fd944532f 100644 --- a/apparmor.d/profiles-a-f/fsck.fat +++ b/apparmor.d/profiles-a-f/fsck.fat @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fstrim b/apparmor.d/profiles-a-f/fstrim index a4ba7fedb..a55337659 100644 --- a/apparmor.d/profiles-a-f/fstrim +++ b/apparmor.d/profiles-a-f/fstrim @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fuse-overlayfs b/apparmor.d/profiles-a-f/fuse-overlayfs index 643371c60..da61184a3 100644 --- a/apparmor.d/profiles-a-f/fuse-overlayfs +++ b/apparmor.d/profiles-a-f/fuse-overlayfs @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index e4d6cfd99..330a8b07e 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso 
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/fusermount b/apparmor.d/profiles-a-f/fusermount
index 4695c2d3b..2bad1d773 100644
--- a/apparmor.d/profiles-a-f/fusermount
+++ b/apparmor.d/profiles-a-f/fusermount
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index d8fa6d355..7c1f2024a 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr
index 8f6885b46..382822fab 100644
--- a/apparmor.d/profiles-a-f/fwupdmgr
+++ b/apparmor.d/profiles-a-f/fwupdmgr
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gajim b/apparmor.d/profiles-g-l/gajim
index 033f082f2..1de493892 100644
--- a/apparmor.d/profiles-g-l/gajim
+++ b/apparmor.d/profiles-g-l/gajim
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded
index e17a9e537..af1f34005 100644
--- a/apparmor.d/profiles-g-l/gamemoded
+++ b/apparmor.d/profiles-g-l/gamemoded
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 odomingao
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/ganyremote b/apparmor.d/profiles-g-l/ganyremote
index 7db7a5cb8..e9f4d4e30 100644
--- a/apparmor.d/profiles-g-l/ganyremote
+++ b/apparmor.d/profiles-g-l/ganyremote
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gconfd b/apparmor.d/profiles-g-l/gconfd
index 5dffe8a0c..7ceee1022 100644
--- a/apparmor.d/profiles-g-l/gconfd
+++ b/apparmor.d/profiles-g-l/gconfd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gdisk b/apparmor.d/profiles-g-l/gdisk
index 8c3662ba1..1357b03b6 100644
--- a/apparmor.d/profiles-g-l/gdisk
+++ b/apparmor.d/profiles-g-l/gdisk
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
index a01425bb9..b64c34a4b 100644
--- a/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
+++ b/apparmor.d/profiles-g-l/gdk-pixbuf-query-loaders
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/ghc-pkg b/apparmor.d/profiles-g-l/ghc-pkg
index 8fdffbf87..df6613042 100644
--- a/apparmor.d/profiles-g-l/ghc-pkg
+++ b/apparmor.d/profiles-g-l/ghc-pkg
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gimp b/apparmor.d/profiles-g-l/gimp
index 040af8fac..a9be29bec 100644
--- a/apparmor.d/profiles-g-l/gimp
+++ b/apparmor.d/profiles-g-l/gimp
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gio-querymodules b/apparmor.d/profiles-g-l/gio-querymodules
index 3f4ef7fed..494fef0ab 100644
--- a/apparmor.d/profiles-g-l/gio-querymodules
+++ b/apparmor.d/profiles-g-l/gio-querymodules
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/git b/apparmor.d/profiles-g-l/git
index 032da7124..71bace3c3 100644
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gitg b/apparmor.d/profiles-g-l/gitg
index 3d6da038c..ff5e12444 100644
--- a/apparmor.d/profiles-g-l/gitg
+++ b/apparmor.d/profiles-g-l/gitg
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd
index 5dbce6ae3..e5cbf1959 100644
--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/glib-compile-resources b/apparmor.d/profiles-g-l/glib-compile-resources
index 45e787840..f52aa33d7 100644
--- a/apparmor.d/profiles-g-l/glib-compile-resources
+++ b/apparmor.d/profiles-g-l/glib-compile-resources
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/glib-compile-schemas b/apparmor.d/profiles-g-l/glib-compile-schemas
index 5463405f9..fcabd84c3 100644
--- a/apparmor.d/profiles-g-l/glib-compile-schemas
+++ b/apparmor.d/profiles-g-l/glib-compile-schemas
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/glib-pacrunner b/apparmor.d/profiles-g-l/glib-pacrunner
index e3dfec88c..bf7c7c53a 100644
--- a/apparmor.d/profiles-g-l/glib-pacrunner
+++ b/apparmor.d/profiles-g-l/glib-pacrunner
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/globaltime b/apparmor.d/profiles-g-l/globaltime
index 566f58ee3..7f349b650 100644
--- a/apparmor.d/profiles-g-l/globaltime
+++ b/apparmor.d/profiles-g-l/globaltime
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/glxgears b/apparmor.d/profiles-g-l/glxgears
index 9ad458720..1e27790df 100644
--- a/apparmor.d/profiles-g-l/glxgears
+++ b/apparmor.d/profiles-g-l/glxgears
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/glxinfo b/apparmor.d/profiles-g-l/glxinfo
index 7defbaf80..eea7b6050 100644
--- a/apparmor.d/profiles-g-l/glxinfo
+++ b/apparmor.d/profiles-g-l/glxinfo
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gpa b/apparmor.d/profiles-g-l/gpa
index 9ed18534e..8a9c42443 100644
--- a/apparmor.d/profiles-g-l/gpa
+++ b/apparmor.d/profiles-g-l/gpa
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gparted b/apparmor.d/profiles-g-l/gparted
index f225b5c06..dd7d3bff3 100644
--- a/apparmor.d/profiles-g-l/gparted
+++ b/apparmor.d/profiles-g-l/gparted
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin
index b60e386bb..e6f32d27c 100644
--- a/apparmor.d/profiles-g-l/gpartedbin
+++ b/apparmor.d/profiles-g-l/gpartedbin
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gpasswd b/apparmor.d/profiles-g-l/gpasswd
index 11c1e9767..8afdff8db 100644
--- a/apparmor.d/profiles-g-l/gpasswd
+++ b/apparmor.d/profiles-g-l/gpasswd
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gping b/apparmor.d/profiles-g-l/gping
index 956a1781f..34a9401a4 100644
--- a/apparmor.d/profiles-g-l/gping
+++ b/apparmor.d/profiles-g-l/gping
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gpo b/apparmor.d/profiles-g-l/gpo
index 411d078bd..4088f51fb 100644
--- a/apparmor.d/profiles-g-l/gpo
+++ b/apparmor.d/profiles-g-l/gpo
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gpodder b/apparmor.d/profiles-g-l/gpodder
index 10b8492e9..ec1adabe4 100644
--- a/apparmor.d/profiles-g-l/gpodder
+++ b/apparmor.d/profiles-g-l/gpodder
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gpodder-migrate2tres b/apparmor.d/profiles-g-l/gpodder-migrate2tres
index f8e2c73f4..11896a26c 100644
--- a/apparmor.d/profiles-g-l/gpodder-migrate2tres
+++ b/apparmor.d/profiles-g-l/gpodder-migrate2tres
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gpu-manager b/apparmor.d/profiles-g-l/gpu-manager
index 4444662fc..8cc49acdf 100644
--- a/apparmor.d/profiles-g-l/gpu-manager
+++ b/apparmor.d/profiles-g-l/gpu-manager
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/groupadd b/apparmor.d/profiles-g-l/groupadd
index 4c6e80c59..9450974a1 100644
--- a/apparmor.d/profiles-g-l/groupadd
+++ b/apparmor.d/profiles-g-l/groupadd
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/groupdel b/apparmor.d/profiles-g-l/groupdel
index a28fb72f7..99b7fddaa 100644
--- a/apparmor.d/profiles-g-l/groupdel
+++ b/apparmor.d/profiles-g-l/groupdel
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/groupmod b/apparmor.d/profiles-g-l/groupmod
index a37273af6..4b9b0446a 100644
--- a/apparmor.d/profiles-g-l/groupmod
+++ b/apparmor.d/profiles-g-l/groupmod
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups
index 4c0f07d87..916a73b22 100644
--- a/apparmor.d/profiles-g-l/groups
+++ b/apparmor.d/profiles-g-l/groups
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/grpck b/apparmor.d/profiles-g-l/grpck
index 3e42f90c7..5fad8960c 100644
--- a/apparmor.d/profiles-g-l/grpck
+++ b/apparmor.d/profiles-g-l/grpck
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gsettings b/apparmor.d/profiles-g-l/gsettings
index cd7ce37ce..4ac891769 100644
--- a/apparmor.d/profiles-g-l/gsettings
+++ b/apparmor.d/profiles-g-l/gsettings
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gsimplecal b/apparmor.d/profiles-g-l/gsimplecal
index ba7ba4da4..b0b743359 100644
--- a/apparmor.d/profiles-g-l/gsimplecal
+++ b/apparmor.d/profiles-g-l/gsimplecal
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gsmartcontrol b/apparmor.d/profiles-g-l/gsmartcontrol
index 9ce2b10dc..5d04e33fb 100644
--- a/apparmor.d/profiles-g-l/gsmartcontrol
+++ b/apparmor.d/profiles-g-l/gsmartcontrol
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gsmartcontrol-root b/apparmor.d/profiles-g-l/gsmartcontrol-root
index 565634e10..10c1f445b 100644
--- a/apparmor.d/profiles-g-l/gsmartcontrol-root
+++ b/apparmor.d/profiles-g-l/gsmartcontrol-root
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gssproxy b/apparmor.d/profiles-g-l/gssproxy
index 6a16d1dc7..8fa3da0d7 100644
--- a/apparmor.d/profiles-g-l/gssproxy
+++ b/apparmor.d/profiles-g-l/gssproxy
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gtk-query-immodules b/apparmor.d/profiles-g-l/gtk-query-immodules
index a92092f8c..46aece91a 100644
--- a/apparmor.d/profiles-g-l/gtk-query-immodules
+++ b/apparmor.d/profiles-g-l/gtk-query-immodules
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache
index a91dc3069..b1a6779ae 100644
--- a/apparmor.d/profiles-g-l/gtk-update-icon-cache
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer
index 5f2e4fde7..18c3bd445 100644
--- a/apparmor.d/profiles-g-l/gtk-youtube-viewer
+++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo
index 9cadb774a..79c77f3a7 100644
--- a/apparmor.d/profiles-g-l/hardinfo
+++ b/apparmor.d/profiles-g-l/hardinfo
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged
index ff3870880..e61b4404b 100644
--- a/apparmor.d/profiles-g-l/haveged
+++ b/apparmor.d/profiles-g-l/haveged
@@ -5,7 +5,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-3.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr
index 78c15672b..5257195f8 100644
--- a/apparmor.d/profiles-g-l/hbbr
+++ b/apparmor.d/profiles-g-l/hbbr
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs
index 69ac0cc8c..fd8aa3e74 100644
--- a/apparmor.d/profiles-g-l/hbbs
+++ b/apparmor.d/profiles-g-l/hbbs
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hciconfig b/apparmor.d/profiles-g-l/hciconfig
index eb0319c5f..1bf4c02f8 100644
--- a/apparmor.d/profiles-g-l/hciconfig
+++ b/apparmor.d/profiles-g-l/hciconfig
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hddtemp b/apparmor.d/profiles-g-l/hddtemp
index e0be907a6..e96a45237 100644
--- a/apparmor.d/profiles-g-l/hddtemp
+++ b/apparmor.d/profiles-g-l/hddtemp
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hdparm b/apparmor.d/profiles-g-l/hdparm
index f29bc1c20..606540bb9 100644
--- a/apparmor.d/profiles-g-l/hdparm
+++ b/apparmor.d/profiles-g-l/hdparm
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hexchat b/apparmor.d/profiles-g-l/hexchat
index aaa550dfc..064e850c2 100644
--- a/apparmor.d/profiles-g-l/hexchat
+++ b/apparmor.d/profiles-g-l/hexchat
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/highlight b/apparmor.d/profiles-g-l/highlight
index fb90c4475..bd375b520 100644
--- a/apparmor.d/profiles-g-l/highlight
+++ b/apparmor.d/profiles-g-l/highlight
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 valoq
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank
index 4c0b0316a..cb459919f 100644
--- a/apparmor.d/profiles-g-l/homebank
+++ b/apparmor.d/profiles-g-l/homebank
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/host b/apparmor.d/profiles-g-l/host
index 5894c85a0..cb9f8d2d9 100644
--- a/apparmor.d/profiles-g-l/host
+++ b/apparmor.d/profiles-g-l/host
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hostname b/apparmor.d/profiles-g-l/hostname
index efda5b4a8..326d156ef 100644
--- a/apparmor.d/profiles-g-l/hostname
+++ b/apparmor.d/profiles-g-l/hostname
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop
index 7e8faecfa..08b58ebd2 100644
--- a/apparmor.d/profiles-g-l/htop
+++ b/apparmor.d/profiles-g-l/htop
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hugeadm b/apparmor.d/profiles-g-l/hugeadm
index 731483cf6..95bc7037b 100644
--- a/apparmor.d/profiles-g-l/hugeadm
+++ b/apparmor.d/profiles-g-l/hugeadm
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hugo b/apparmor.d/profiles-g-l/hugo
index 9cf73dc49..6bb737ca0 100644
--- a/apparmor.d/profiles-g-l/hugo
+++ b/apparmor.d/profiles-g-l/hugo
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hw-probe b/apparmor.d/profiles-g-l/hw-probe
index 7c6b87b6c..7c960482a 100644
--- a/apparmor.d/profiles-g-l/hw-probe
+++ b/apparmor.d/profiles-g-l/hw-probe
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hwinfo b/apparmor.d/profiles-g-l/hwinfo
index f7953e346..e7bf2937c 100644
--- a/apparmor.d/profiles-g-l/hwinfo
+++ b/apparmor.d/profiles-g-l/hwinfo
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/hypnotix b/apparmor.d/profiles-g-l/hypnotix
index 0a54528be..be18726a0 100644
--- a/apparmor.d/profiles-g-l/hypnotix
+++ b/apparmor.d/profiles-g-l/hypnotix
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/i2cdetect b/apparmor.d/profiles-g-l/i2cdetect
index f045b489d..5ce4da0bb 100644
--- a/apparmor.d/profiles-g-l/i2cdetect
+++ b/apparmor.d/profiles-g-l/i2cdetect
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/i3lock b/apparmor.d/profiles-g-l/i3lock
index d2fbdff2c..ea72704c1 100644
--- a/apparmor.d/profiles-g-l/i3lock
+++ b/apparmor.d/profiles-g-l/i3lock
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy
index fce4ff7d4..242c43de5 100644
--- a/apparmor.d/profiles-g-l/i3lock-fancy
+++ b/apparmor.d/profiles-g-l/i3lock-fancy
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/iceauth b/apparmor.d/profiles-g-l/iceauth
index 66111ff55..b3dbef04f 100644
--- a/apparmor.d/profiles-g-l/iceauth
+++ b/apparmor.d/profiles-g-l/iceauth
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/id b/apparmor.d/profiles-g-l/id
index 6ba6001b6..933e5d712 100644
--- a/apparmor.d/profiles-g-l/id
+++ b/apparmor.d/profiles-g-l/id
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/ifconfig b/apparmor.d/profiles-g-l/ifconfig
index 8dd7eaac0..5bebad691 100644
--- a/apparmor.d/profiles-g-l/ifconfig
+++ b/apparmor.d/profiles-g-l/ifconfig
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup
index 4788daeb6..7df4e5ea6 100644
--- a/apparmor.d/profiles-g-l/ifup
+++ b/apparmor.d/profiles-g-l/ifup
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/im-launch b/apparmor.d/profiles-g-l/im-launch
index 5520e990c..c5c4aa276 100644
--- a/apparmor.d/profiles-g-l/im-launch
+++ b/apparmor.d/profiles-g-l/im-launch
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/img2txt b/apparmor.d/profiles-g-l/img2txt
index 41d77339b..5529ded9b 100644
--- a/apparmor.d/profiles-g-l/img2txt
+++ b/apparmor.d/profiles-g-l/img2txt
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 valoq
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/imv-wayland b/apparmor.d/profiles-g-l/imv-wayland
index 72eaecc9c..d83945934 100644
--- a/apparmor.d/profiles-g-l/imv-wayland
+++ b/apparmor.d/profiles-g-l/imv-wayland
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 valoq
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/initd-kexec b/apparmor.d/profiles-g-l/initd-kexec
index f17356fcc..272679ede 100644
--- a/apparmor.d/profiles-g-l/initd-kexec
+++ b/apparmor.d/profiles-g-l/initd-kexec
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load
index d36584ec9..eb5b6ead1 100644
--- a/apparmor.d/profiles-g-l/initd-kexec-load
+++ b/apparmor.d/profiles-g-l/initd-kexec-load
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/initd-kmod b/apparmor.d/profiles-g-l/initd-kmod
index f8f975211..a73ddb8bf 100644
--- a/apparmor.d/profiles-g-l/initd-kmod
+++ b/apparmor.d/profiles-g-l/initd-kmod
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/install-catalog b/apparmor.d/profiles-g-l/install-catalog
index 370cbf154..b1a56c41d 100644
--- a/apparmor.d/profiles-g-l/install-catalog
+++ b/apparmor.d/profiles-g-l/install-catalog
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/install-info b/apparmor.d/profiles-g-l/install-info
index 54e40386f..f155339b1 100644
--- a/apparmor.d/profiles-g-l/install-info
+++ b/apparmor.d/profiles-g-l/install-info
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/install-printerdriver b/apparmor.d/profiles-g-l/install-printerdriver
index ddbf2e31c..8ea351857 100644
--- a/apparmor.d/profiles-g-l/install-printerdriver
+++ b/apparmor.d/profiles-g-l/install-printerdriver
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/inxi b/apparmor.d/profiles-g-l/inxi
index 0dbe03687..97bd3bfed 100644
--- a/apparmor.d/profiles-g-l/inxi
+++ b/apparmor.d/profiles-g-l/inxi
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/ioping b/apparmor.d/profiles-g-l/ioping
index 497e5cb1c..1ff3615f1 100644
--- a/apparmor.d/profiles-g-l/ioping
+++ b/apparmor.d/profiles-g-l/ioping
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/iotop b/apparmor.d/profiles-g-l/iotop
index be2738443..c53b4656d 100644
--- a/apparmor.d/profiles-g-l/iotop
+++ b/apparmor.d/profiles-g-l/iotop
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/ip b/apparmor.d/profiles-g-l/ip
index 7fee79abc..1c870d94e 100644
--- a/apparmor.d/profiles-g-l/ip
+++ b/apparmor.d/profiles-g-l/ip
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/ipcalc b/apparmor.d/profiles-g-l/ipcalc
index dd750b8c9..ff7f1c799 100644
--- a/apparmor.d/profiles-g-l/ipcalc
+++ b/apparmor.d/profiles-g-l/ipcalc
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/irqbalance b/apparmor.d/profiles-g-l/irqbalance
index 2226e6dd2..fec2d7c93 100644
--- a/apparmor.d/profiles-g-l/irqbalance
+++ b/apparmor.d/profiles-g-l/irqbalance
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator
index 60f5f22ee..d358f080b 100644
--- a/apparmor.d/profiles-g-l/issue-generator
+++ b/apparmor.d/profiles-g-l/issue-generator
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/iw b/apparmor.d/profiles-g-l/iw
index 3b62c32ba..8639b8aad 100644
--- a/apparmor.d/profiles-g-l/iw
+++ b/apparmor.d/profiles-g-l/iw
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/iwconfig b/apparmor.d/profiles-g-l/iwconfig
index 62bc16041..962b4ab23 100644
--- a/apparmor.d/profiles-g-l/iwconfig
+++ b/apparmor.d/profiles-g-l/iwconfig
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/iwlist b/apparmor.d/profiles-g-l/iwlist
index ef2a280e0..298c94688 100644
--- a/apparmor.d/profiles-g-l/iwlist
+++ b/apparmor.d/profiles-g-l/iwlist
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/jackdbus b/apparmor.d/profiles-g-l/jackdbus
index ed1094a17..8326a3e40 100644
--- a/apparmor.d/profiles-g-l/jackdbus
+++ b/apparmor.d/profiles-g-l/jackdbus
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/jami-gnome b/apparmor.d/profiles-g-l/jami-gnome
index 9d22933fc..3a1e504a8 100644
--- a/apparmor.d/profiles-g-l/jami-gnome
+++ b/apparmor.d/profiles-g-l/jami-gnome
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader
index 9dc2ed226..1220e9bbd 100644
--- a/apparmor.d/profiles-g-l/jdownloader
+++ b/apparmor.d/profiles-g-l/jdownloader
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/jekyll b/apparmor.d/profiles-g-l/jekyll
index 667b9304f..d3444fea5 100644
--- a/apparmor.d/profiles-g-l/jekyll
+++ b/apparmor.d/profiles-g-l/jekyll
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/jgmenu b/apparmor.d/profiles-g-l/jgmenu
index 6c7f3c1ff..044eda493 100644
--- a/apparmor.d/profiles-g-l/jgmenu
+++ b/apparmor.d/profiles-g-l/jgmenu
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/jitterentropy-rngd b/apparmor.d/profiles-g-l/jitterentropy-rngd
index 5b96e0c58..49d5c6c57 100644
--- a/apparmor.d/profiles-g-l/jitterentropy-rngd
+++ b/apparmor.d/profiles-g-l/jitterentropy-rngd
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs
index 77127171c..57ab39a75 100644
--- a/apparmor.d/profiles-g-l/jmtpfs
+++ b/apparmor.d/profiles-g-l/jmtpfs
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kanyremote b/apparmor.d/profiles-g-l/kanyremote
index fef624841..0e27fa5ae 100644
--- a/apparmor.d/profiles-g-l/kanyremote
+++ b/apparmor.d/profiles-g-l/kanyremote
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kcheckpass b/apparmor.d/profiles-g-l/kcheckpass
index 9dddbe470..33bd9c641 100644
--- a/apparmor.d/profiles-g-l/kcheckpass
+++ b/apparmor.d/profiles-g-l/kcheckpass
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kconfig-hardened-check b/apparmor.d/profiles-g-l/kconfig-hardened-check
index 6858f1b45..743da77a1 100644
--- a/apparmor.d/profiles-g-l/kconfig-hardened-check
+++ b/apparmor.d/profiles-g-l/kconfig-hardened-check
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/keepassxc b/apparmor.d/profiles-g-l/keepassxc
index c494e16d5..f48113b02 100644
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/keepassxc-cli b/apparmor.d/profiles-g-l/keepassxc-cli
index b1d6e0e86..c8e189f4e 100644
--- a/apparmor.d/profiles-g-l/keepassxc-cli
+++ b/apparmor.d/profiles-g-l/keepassxc-cli
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/keepassxc-proxy b/apparmor.d/profiles-g-l/keepassxc-proxy
index a193df0ee..24a30c56c 100644
--- a/apparmor.d/profiles-g-l/keepassxc-proxy
+++ b/apparmor.d/profiles-g-l/keepassxc-proxy
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install
index 69096fe45..07c058124 100644
--- a/apparmor.d/profiles-g-l/kernel-install
+++ b/apparmor.d/profiles-g-l/kernel-install
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kerneloops b/apparmor.d/profiles-g-l/kerneloops
index f3c7e3b37..815fa4e38 100644
--- a/apparmor.d/profiles-g-l/kerneloops
+++ b/apparmor.d/profiles-g-l/kerneloops
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kerneloops-applet b/apparmor.d/profiles-g-l/kerneloops-applet
index e6860c5b9..8f5e66cbc 100644
--- a/apparmor.d/profiles-g-l/kerneloops-applet
+++ b/apparmor.d/profiles-g-l/kerneloops-applet
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kexec b/apparmor.d/profiles-g-l/kexec
index dc027eae6..102b75d83 100644
--- a/apparmor.d/profiles-g-l/kexec
+++ b/apparmor.d/profiles-g-l/kexec
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kmod b/apparmor.d/profiles-g-l/kmod
index ac03c2501..08fc10c22 100644
--- a/apparmor.d/profiles-g-l/kmod
+++ b/apparmor.d/profiles-g-l/kmod
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kodi b/apparmor.d/profiles-g-l/kodi
index 3d8800cc7..fc6a6ede5 100644
--- a/apparmor.d/profiles-g-l/kodi
+++ b/apparmor.d/profiles-g-l/kodi
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kodi-xrandr b/apparmor.d/profiles-g-l/kodi-xrandr
index 932b869b8..450600d78 100644
--- a/apparmor.d/profiles-g-l/kodi-xrandr
+++ b/apparmor.d/profiles-g-l/kodi-xrandr
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/kvm-ok b/apparmor.d/profiles-g-l/kvm-ok
index 22e087146..eb3d1cc80 100644
--- a/apparmor.d/profiles-g-l/kvm-ok
+++ b/apparmor.d/profiles-g-l/kvm-ok
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc
index 8fa7552af..93234bf52 100644
--- a/apparmor.d/profiles-g-l/labwc
+++ b/apparmor.d/profiles-g-l/labwc
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo
index a9df8a2b3..52252882d 100644
--- a/apparmor.d/profiles-g-l/landscape-sysinfo
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
index e33195eb1..e765a5dc6 100644
--- a/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo.wrapper
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/language-validate b/apparmor.d/profiles-g-l/language-validate
index e77d997c5..bf999b79e 100644
--- a/apparmor.d/profiles-g-l/language-validate
+++ b/apparmor.d/profiles-g-l/language-validate
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/last b/apparmor.d/profiles-g-l/last
index fd0c403a4..ee40f81af 100644
--- a/apparmor.d/profiles-g-l/last
+++ b/apparmor.d/profiles-g-l/last
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lastlog b/apparmor.d/profiles-g-l/lastlog
index 3df955097..392aba362 100644
--- a/apparmor.d/profiles-g-l/lastlog
+++ b/apparmor.d/profiles-g-l/lastlog
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice
index 1271b8c1a..2198ad925 100644
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/light b/apparmor.d/profiles-g-l/light
index 379f32ac8..6ce5f2f57 100644
--- a/apparmor.d/profiles-g-l/light
+++ b/apparmor.d/profiles-g-l/light
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/light-locker b/apparmor.d/profiles-g-l/light-locker
index 8e8732c19..8d2fcdcc8 100644
--- a/apparmor.d/profiles-g-l/light-locker
+++ b/apparmor.d/profiles-g-l/light-locker
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/light-locker-command b/apparmor.d/profiles-g-l/light-locker-command
index 21daa1853..78e9983b3 100644
--- a/apparmor.d/profiles-g-l/light-locker-command
+++ b/apparmor.d/profiles-g-l/light-locker-command
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lightworks b/apparmor.d/profiles-g-l/lightworks
index f2e6c74cf..6462a0b6c 100644
--- a/apparmor.d/profiles-g-l/lightworks
+++ b/apparmor.d/profiles-g-l/lightworks
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lightworks-ntcardvt b/apparmor.d/profiles-g-l/lightworks-ntcardvt
index b4dc21398..941798245 100644
--- a/apparmor.d/profiles-g-l/lightworks-ntcardvt
+++ b/apparmor.d/profiles-g-l/lightworks-ntcardvt
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal
index 41813c1a1..9854fd554 100644
--- a/apparmor.d/profiles-g-l/linux-check-removal
+++ b/apparmor.d/profiles-g-l/linux-check-removal
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/linux-version b/apparmor.d/profiles-g-l/linux-version
index 998c48780..1a8ffbb0d 100644
--- a/apparmor.d/profiles-g-l/linux-version
+++ b/apparmor.d/profiles-g-l/linux-version
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq
index 06811fbd4..9efceaa7a 100644
--- a/apparmor.d/profiles-g-l/linuxqq
+++ b/apparmor.d/profiles-g-l/linuxqq
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 EricLin
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/locale-gen b/apparmor.d/profiles-g-l/locale-gen
index 093074d1b..b9254171a 100644
--- a/apparmor.d/profiles-g-l/locale-gen
+++ b/apparmor.d/profiles-g-l/locale-gen
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/localepurge b/apparmor.d/profiles-g-l/localepurge
index 30018bf00..f6781f4b1 100644
--- a/apparmor.d/profiles-g-l/localepurge
+++ b/apparmor.d/profiles-g-l/localepurge
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/login b/apparmor.d/profiles-g-l/login
index 41fa293b4..cbaac35b7 100644
--- a/apparmor.d/profiles-g-l/login
+++ b/apparmor.d/profiles-g-l/login
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/logrotate b/apparmor.d/profiles-g-l/logrotate
index 9bfe64a72..f98457155 100644
--- a/apparmor.d/profiles-g-l/logrotate
+++ b/apparmor.d/profiles-g-l/logrotate
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/losetup b/apparmor.d/profiles-g-l/losetup
index fb8b448d1..fd2472dce 100644
--- a/apparmor.d/profiles-g-l/losetup
+++ b/apparmor.d/profiles-g-l/losetup
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/low-memory-monitor b/apparmor.d/profiles-g-l/low-memory-monitor
index 4471dbd2e..e2baa4a26 100644
--- a/apparmor.d/profiles-g-l/low-memory-monitor
+++ b/apparmor.d/profiles-g-l/low-memory-monitor
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lsblk b/apparmor.d/profiles-g-l/lsblk
index 56aad52b8..147e1ba24 100644
--- a/apparmor.d/profiles-g-l/lsblk
+++ b/apparmor.d/profiles-g-l/lsblk
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lscpu b/apparmor.d/profiles-g-l/lscpu
index 804e67632..caa2b5628 100644
--- a/apparmor.d/profiles-g-l/lscpu
+++ b/apparmor.d/profiles-g-l/lscpu
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lsinitramfs b/apparmor.d/profiles-g-l/lsinitramfs
index e5b6ff750..2e3a20ad0 100644
--- a/apparmor.d/profiles-g-l/lsinitramfs
+++ b/apparmor.d/profiles-g-l/lsinitramfs
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci
index 656597c1c..0f3abf1dc 100644
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lsusb b/apparmor.d/profiles-g-l/lsusb
index 22e8a7cd2..b628b3668 100644
--- a/apparmor.d/profiles-g-l/lsusb
+++ b/apparmor.d/profiles-g-l/lsusb
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm
index 0bd6ef2e8..e579d7a91 100644
--- a/apparmor.d/profiles-g-l/lvm
+++ b/apparmor.d/profiles-g-l/lvm
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lvmconfig b/apparmor.d/profiles-g-l/lvmconfig
index f38bd6780..5e5a0d1dd 100644
--- a/apparmor.d/profiles-g-l/lvmconfig
+++ b/apparmor.d/profiles-g-l/lvmconfig
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lvmdump b/apparmor.d/profiles-g-l/lvmdump
index 9dbe000f7..6a443fc57 100644
--- a/apparmor.d/profiles-g-l/lvmdump
+++ b/apparmor.d/profiles-g-l/lvmdump
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lvmpolld b/apparmor.d/profiles-g-l/lvmpolld
index 7a4bc90b3..fdc3bad3f 100644
--- a/apparmor.d/profiles-g-l/lvmpolld
+++ b/apparmor.d/profiles-g-l/lvmpolld
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lxappearance b/apparmor.d/profiles-g-l/lxappearance
index c4ef29625..a7c3a2177 100644
--- a/apparmor.d/profiles-g-l/lxappearance
+++ b/apparmor.d/profiles-g-l/lxappearance
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-g-l/lynx b/apparmor.d/profiles-g-l/lynx
index 143472569..a1f4ced89 100644
--- a/apparmor.d/profiles-g-l/lynx
+++ b/apparmor.d/profiles-g-l/lynx
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/macchanger b/apparmor.d/profiles-m-r/macchanger
index 8f4efc921..c3e0c0556 100644
--- a/apparmor.d/profiles-m-r/macchanger
+++ b/apparmor.d/profiles-m-r/macchanger
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/man b/apparmor.d/profiles-m-r/man
index aa0195853..c60325742 100644
--- a/apparmor.d/profiles-m-r/man
+++ b/apparmor.d/profiles-m-r/man
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb
index beeba50e8..e1404aba0 100644
--- a/apparmor.d/profiles-m-r/mandb
+++ b/apparmor.d/profiles-m-r/mandb
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mate-notification-daemon b/apparmor.d/profiles-m-r/mate-notification-daemon
index 871434151..19b0c7fba 100644
--- a/apparmor.d/profiles-m-r/mate-notification-daemon
+++ b/apparmor.d/profiles-m-r/mate-notification-daemon
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mdevctl b/apparmor.d/profiles-m-r/mdevctl
index a2631c768..f1b5034e6 100644
--- a/apparmor.d/profiles-m-r/mdevctl
+++ b/apparmor.d/profiles-m-r/mdevctl
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mediainfo b/apparmor.d/profiles-m-r/mediainfo
index bb7c2d59b..c3333b860 100644
--- a/apparmor.d/profiles-m-r/mediainfo
+++ b/apparmor.d/profiles-m-r/mediainfo
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui
index 4648d4ddf..1d18d5187 100644
--- a/apparmor.d/profiles-m-r/mediainfo-gui
+++ b/apparmor.d/profiles-m-r/mediainfo-gui
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/megasync b/apparmor.d/profiles-m-r/megasync
index 236041778..3796c2b75 100644
--- a/apparmor.d/profiles-m-r/megasync
+++ b/apparmor.d/profiles-m-r/megasync
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/memtester b/apparmor.d/profiles-m-r/memtester
index 506892f0e..aeb26d004 100644
--- a/apparmor.d/profiles-m-r/memtester
+++ b/apparmor.d/profiles-m-r/memtester
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/merkaartor b/apparmor.d/profiles-m-r/merkaartor
index 739d18e2f..e43460210 100644
--- a/apparmor.d/profiles-m-r/merkaartor
+++ b/apparmor.d/profiles-m-r/merkaartor
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner
index 142ccb78a..87a26b0f3 100644
--- a/apparmor.d/profiles-m-r/metadata-cleaner
+++ b/apparmor.d/profiles-m-r/metadata-cleaner
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype
index d9e34f8b5..d6823da9b 100644
--- a/apparmor.d/profiles-m-r/mimetype
+++ b/apparmor.d/profiles-m-r/mimetype
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/minitube b/apparmor.d/profiles-m-r/minitube
index b349940ca..ce8380261 100644
--- a/apparmor.d/profiles-m-r/minitube
+++ b/apparmor.d/profiles-m-r/minitube
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control
index a6f1e5803..a908feb57 100644
--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mkcert b/apparmor.d/profiles-m-r/mkcert
index 0941ad343..3ae643e1d 100644
--- a/apparmor.d/profiles-m-r/mkcert
+++ b/apparmor.d/profiles-m-r/mkcert
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mke2fs b/apparmor.d/profiles-m-r/mke2fs
index 038de3c73..acf88197f 100644
--- a/apparmor.d/profiles-m-r/mke2fs
+++ b/apparmor.d/profiles-m-r/mke2fs
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mkfs-btrfs b/apparmor.d/profiles-m-r/mkfs-btrfs
index 237fc8006..1e6c95838 100644
--- a/apparmor.d/profiles-m-r/mkfs-btrfs
+++ b/apparmor.d/profiles-m-r/mkfs-btrfs
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mkfs-fat b/apparmor.d/profiles-m-r/mkfs-fat
index d7f7a1cc9..1aba124ae 100644
--- a/apparmor.d/profiles-m-r/mkfs-fat
+++ b/apparmor.d/profiles-m-r/mkfs-fat
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mkinitramfs b/apparmor.d/profiles-m-r/mkinitramfs
index b24bdbdf1..3b02d97c2 100644
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@@ -4,7 +4,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mkntfs b/apparmor.d/profiles-m-r/mkntfs
index ccfa5f4ed..5141c5385 100644
--- a/apparmor.d/profiles-m-r/mkntfs
+++ b/apparmor.d/profiles-m-r/mkntfs
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mkswap b/apparmor.d/profiles-m-r/mkswap
index 4c732c2c6..4a818cd58 100644
--- a/apparmor.d/profiles-m-r/mkswap
+++ b/apparmor.d/profiles-m-r/mkswap
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mkvmerge b/apparmor.d/profiles-m-r/mkvmerge
index 22251b87e..a13a22e7ed 100644
--- a/apparmor.d/profiles-m-r/mkvmerge
+++ b/apparmor.d/profiles-m-r/mkvmerge
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mkvtoolnix-gui b/apparmor.d/profiles-m-r/mkvtoolnix-gui
index 595a24666..835e1a391 100644
--- a/apparmor.d/profiles-m-r/mkvtoolnix-gui
+++ b/apparmor.d/profiles-m-r/mkvtoolnix-gui
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mlocate b/apparmor.d/profiles-m-r/mlocate
index 08fdee129..f54b2f047 100644
--- a/apparmor.d/profiles-m-r/mlocate
+++ b/apparmor.d/profiles-m-r/mlocate
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/modprobed-db b/apparmor.d/profiles-m-r/modprobed-db
index 3798332ea..cd2ddc0e6 100644
--- a/apparmor.d/profiles-m-r/modprobed-db
+++ b/apparmor.d/profiles-m-r/modprobed-db
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/molly-guard b/apparmor.d/profiles-m-r/molly-guard
index d75a5092b..df1806311 100644
--- a/apparmor.d/profiles-m-r/molly-guard
+++ b/apparmor.d/profiles-m-r/molly-guard
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/monitorix b/apparmor.d/profiles-m-r/monitorix
index 38cbecd71..e847db872 100644
--- a/apparmor.d/profiles-m-r/monitorix
+++ b/apparmor.d/profiles-m-r/monitorix
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mono-sgen b/apparmor.d/profiles-m-r/mono-sgen
index e010a83d7..bdaafd9c8 100644
--- a/apparmor.d/profiles-m-r/mono-sgen
+++ b/apparmor.d/profiles-m-r/mono-sgen
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index 09b682c6b..f8616cd88 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -4,7 +4,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mount-cifs b/apparmor.d/profiles-m-r/mount-cifs
index bbadcc7e0..78651ba23 100644
--- a/apparmor.d/profiles-m-r/mount-cifs
+++ b/apparmor.d/profiles-m-r/mount-cifs
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mount-nfs b/apparmor.d/profiles-m-r/mount-nfs
index 698f350ce..3fafd269a 100644
--- a/apparmor.d/profiles-m-r/mount-nfs
+++ b/apparmor.d/profiles-m-r/mount-nfs
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mount-zfs b/apparmor.d/profiles-m-r/mount-zfs
index bc47f0a30..552f96b05 100644
--- a/apparmor.d/profiles-m-r/mount-zfs
+++ b/apparmor.d/profiles-m-r/mount-zfs
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mpd b/apparmor.d/profiles-m-r/mpd
index 14a6c4acf..89b66253a 100644
--- a/apparmor.d/profiles-m-r/mpd
+++ b/apparmor.d/profiles-m-r/mpd
@@ -4,7 +4,7 @@
 # Copyright (C) 2023 Jose Maldonado
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mpsyt b/apparmor.d/profiles-m-r/mpsyt
index 46f239fce..9a138ff50 100644
--- a/apparmor.d/profiles-m-r/mpsyt
+++ b/apparmor.d/profiles-m-r/mpsyt
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mpv b/apparmor.d/profiles-m-r/mpv
index d5e6371c3..3d044049e 100644
--- a/apparmor.d/profiles-m-r/mpv
+++ b/apparmor.d/profiles-m-r/mpv
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mtools b/apparmor.d/profiles-m-r/mtools
index 75c95fffd..5fea49231 100644
--- a/apparmor.d/profiles-m-r/mtools
+++ b/apparmor.d/profiles-m-r/mtools
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mtr b/apparmor.d/profiles-m-r/mtr
index 5b341d8f5..4ff851662 100644
--- a/apparmor.d/profiles-m-r/mtr
+++ b/apparmor.d/profiles-m-r/mtr
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mtr-packet b/apparmor.d/profiles-m-r/mtr-packet
index 4bf15b7d5..d771c58ec 100644
--- a/apparmor.d/profiles-m-r/mtr-packet
+++ b/apparmor.d/profiles-m-r/mtr-packet
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mullvad-setup b/apparmor.d/profiles-m-r/mullvad-setup
index 46e10927b..77ac07045 100644
--- a/apparmor.d/profiles-m-r/mullvad-setup
+++ b/apparmor.d/profiles-m-r/mullvad-setup
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/multipath b/apparmor.d/profiles-m-r/multipath
index b79db6418..409834fbc 100644
--- a/apparmor.d/profiles-m-r/multipath
+++ b/apparmor.d/profiles-m-r/multipath
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/multipathd b/apparmor.d/profiles-m-r/multipathd
index 510fb3417..14bb16caf 100644
--- a/apparmor.d/profiles-m-r/multipathd
+++ b/apparmor.d/profiles-m-r/multipathd
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mumble b/apparmor.d/profiles-m-r/mumble
index 879d2b9bf..48ed42d84 100644
--- a/apparmor.d/profiles-m-r/mumble
+++ b/apparmor.d/profiles-m-r/mumble
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mumble-overlay b/apparmor.d/profiles-m-r/mumble-overlay
index 61b287329..8d17ef3d6 100644
--- a/apparmor.d/profiles-m-r/mumble-overlay
+++ b/apparmor.d/profiles-m-r/mumble-overlay
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt
index 9d01e2269..4e218a8a0 100644
--- a/apparmor.d/profiles-m-r/mutt
+++ b/apparmor.d/profiles-m-r/mutt
@@ -2,7 +2,7 @@
 # Copyright (C) 2023 Zane Zakraisek
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index e3222d2ff..1f32df8c3 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
index 805f69678..0a9e1dc33 100644
--- a/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
+++ b/apparmor.d/profiles-m-r/needrestart-apt-pinvoke
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/needrestart-dpkg-status b/apparmor.d/profiles-m-r/needrestart-dpkg-status
index fff97e67c..3d54f896d 100644
--- a/apparmor.d/profiles-m-r/needrestart-dpkg-status
+++ b/apparmor.d/profiles-m-r/needrestart-dpkg-status
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
index 37dd180c3..b60b5f488 100644
--- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
+++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/nemo b/apparmor.d/profiles-m-r/nemo
index a51854414..e3edb99c3 100644
--- a/apparmor.d/profiles-m-r/nemo
+++ b/apparmor.d/profiles-m-r/nemo
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/netcap b/apparmor.d/profiles-m-r/netcap
index d1e5a2852..a73dbffe4 100644
--- a/apparmor.d/profiles-m-r/netcap
+++ b/apparmor.d/profiles-m-r/netcap
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/nethogs b/apparmor.d/profiles-m-r/nethogs
index fbdaecaac..c1a9f611a 100644
--- a/apparmor.d/profiles-m-r/nethogs
+++ b/apparmor.d/profiles-m-r/nethogs
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/netstat b/apparmor.d/profiles-m-r/netstat
index 039109ea2..e19884997 100644
--- a/apparmor.d/profiles-m-r/netstat
+++ b/apparmor.d/profiles-m-r/netstat
@@ -5,7 +5,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/newgidmap b/apparmor.d/profiles-m-r/newgidmap
index 9398350e1..4a7196fc2 100644
--- a/apparmor.d/profiles-m-r/newgidmap
+++ b/apparmor.d/profiles-m-r/newgidmap
@@ -3,7 +3,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/newgrp b/apparmor.d/profiles-m-r/newgrp
index 1878b9b5e..ebd15d4b6 100644
--- a/apparmor.d/profiles-m-r/newgrp
+++ b/apparmor.d/profiles-m-r/newgrp
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/newuidmap b/apparmor.d/profiles-m-r/newuidmap
index eeba22557..549eb06ef 100644
--- a/apparmor.d/profiles-m-r/newuidmap
+++ b/apparmor.d/profiles-m-r/newuidmap
@@ -3,7 +3,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/nfsdcld b/apparmor.d/profiles-m-r/nfsdcld
index a02e226c6..be122a3cb 100644
--- a/apparmor.d/profiles-m-r/nfsdcld
+++ b/apparmor.d/profiles-m-r/nfsdcld
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/nft b/apparmor.d/profiles-m-r/nft
index 3595bb4c5..292b22043 100644
--- a/apparmor.d/profiles-m-r/nft
+++ b/apparmor.d/profiles-m-r/nft
@@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nmap b/apparmor.d/profiles-m-r/nmap index 0eb1eceba..348c3ac0e 100644 --- a/apparmor.d/profiles-m-r/nmap +++ b/apparmor.d/profiles-m-r/nmap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nologin b/apparmor.d/profiles-m-r/nologin index fad964b64..3ee32cf34 100644 --- a/apparmor.d/profiles-m-r/nologin +++ b/apparmor.d/profiles-m-r/nologin @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nslookup b/apparmor.d/profiles-m-r/nslookup index 9ee225d9d..41435f2f0 100644 --- a/apparmor.d/profiles-m-r/nslookup +++ b/apparmor.d/profiles-m-r/nslookup @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfs-3g b/apparmor.d/profiles-m-r/ntfs-3g index bc2cb7ef3..d94d7a0f2 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g +++ b/apparmor.d/profiles-m-r/ntfs-3g @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfs-3g-probe b/apparmor.d/profiles-m-r/ntfs-3g-probe index ef870e0f0..73ba17229 100644 --- a/apparmor.d/profiles-m-r/ntfs-3g-probe +++ b/apparmor.d/profiles-m-r/ntfs-3g-probe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfscat b/apparmor.d/profiles-m-r/ntfscat index 069a597e9..c1d14927b 100644 --- a/apparmor.d/profiles-m-r/ntfscat +++ b/apparmor.d/profiles-m-r/ntfscat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/ntfsclone b/apparmor.d/profiles-m-r/ntfsclone index 06fe65684..c239e81af 100644 --- a/apparmor.d/profiles-m-r/ntfsclone +++ b/apparmor.d/profiles-m-r/ntfsclone @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfscluster b/apparmor.d/profiles-m-r/ntfscluster index 62aff85c8..80fdf01ce 100644 --- a/apparmor.d/profiles-m-r/ntfscluster +++ b/apparmor.d/profiles-m-r/ntfscluster @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfscmp b/apparmor.d/profiles-m-r/ntfscmp index c5ecddc5f..db9a723d4 100644 --- a/apparmor.d/profiles-m-r/ntfscmp +++ b/apparmor.d/profiles-m-r/ntfscmp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfscp b/apparmor.d/profiles-m-r/ntfscp index 3beeb2b7a..2e36046ba 100644 --- a/apparmor.d/profiles-m-r/ntfscp +++ b/apparmor.d/profiles-m-r/ntfscp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsdecrypt b/apparmor.d/profiles-m-r/ntfsdecrypt index e7ffe3188..63f771ed3 100644 --- a/apparmor.d/profiles-m-r/ntfsdecrypt +++ b/apparmor.d/profiles-m-r/ntfsdecrypt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsfallocate b/apparmor.d/profiles-m-r/ntfsfallocate index 670092820..80654cb7a 100644 --- a/apparmor.d/profiles-m-r/ntfsfallocate +++ b/apparmor.d/profiles-m-r/ntfsfallocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/ntfsfix b/apparmor.d/profiles-m-r/ntfsfix index 179b3b7a9..e840ed6c5 100644 --- a/apparmor.d/profiles-m-r/ntfsfix +++ b/apparmor.d/profiles-m-r/ntfsfix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsinfo b/apparmor.d/profiles-m-r/ntfsinfo index 3156e7004..08b5bea43 100644 --- a/apparmor.d/profiles-m-r/ntfsinfo +++ b/apparmor.d/profiles-m-r/ntfsinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfslabel b/apparmor.d/profiles-m-r/ntfslabel index 6eee15ef8..471aefaa1 100644 --- a/apparmor.d/profiles-m-r/ntfslabel +++ b/apparmor.d/profiles-m-r/ntfslabel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsls b/apparmor.d/profiles-m-r/ntfsls index 56c2c28de..3badd08b2 100644 --- a/apparmor.d/profiles-m-r/ntfsls +++ b/apparmor.d/profiles-m-r/ntfsls @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsmove b/apparmor.d/profiles-m-r/ntfsmove index 876113c98..4c7ade080 100644 --- a/apparmor.d/profiles-m-r/ntfsmove +++ b/apparmor.d/profiles-m-r/ntfsmove @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsrecover b/apparmor.d/profiles-m-r/ntfsrecover index 43de112c1..fff3e1b52 100644 --- a/apparmor.d/profiles-m-r/ntfsrecover +++ b/apparmor.d/profiles-m-r/ntfsrecover @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/ntfsresize b/apparmor.d/profiles-m-r/ntfsresize index e0e8f58d2..5c7d5c835 100644 --- a/apparmor.d/profiles-m-r/ntfsresize +++ b/apparmor.d/profiles-m-r/ntfsresize @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfssecaudit b/apparmor.d/profiles-m-r/ntfssecaudit index ee38f60a0..a323a898d 100644 --- a/apparmor.d/profiles-m-r/ntfssecaudit +++ b/apparmor.d/profiles-m-r/ntfssecaudit @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfstruncate b/apparmor.d/profiles-m-r/ntfstruncate index c9dec413a..7f245ee07 100644 --- a/apparmor.d/profiles-m-r/ntfstruncate +++ b/apparmor.d/profiles-m-r/ntfstruncate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsundelete b/apparmor.d/profiles-m-r/ntfsundelete index a01876961..4d96d1dbd 100644 --- a/apparmor.d/profiles-m-r/ntfsundelete +++ b/apparmor.d/profiles-m-r/ntfsundelete @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfsusermap b/apparmor.d/profiles-m-r/ntfsusermap index acc6e8bbc..0cdfb9f71 100644 --- a/apparmor.d/profiles-m-r/ntfsusermap +++ b/apparmor.d/profiles-m-r/ntfsusermap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ntfswipe b/apparmor.d/profiles-m-r/ntfswipe index 1471e1d27..9b64136bd 100644 --- a/apparmor.d/profiles-m-r/ntfswipe +++ b/apparmor.d/profiles-m-r/ntfswipe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/nullmailer-send b/apparmor.d/profiles-m-r/nullmailer-send index e27e15429..6f7b8f225 100644 --- a/apparmor.d/profiles-m-r/nullmailer-send +++ b/apparmor.d/profiles-m-r/nullmailer-send @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/numlockx b/apparmor.d/profiles-m-r/numlockx index 25903ed8b..5c88ec846 100644 --- a/apparmor.d/profiles-m-r/numlockx +++ b/apparmor.d/profiles-m-r/numlockx @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-detector b/apparmor.d/profiles-m-r/nvidia-detector index b0465ef85..d438b598d 100644 --- a/apparmor.d/profiles-m-r/nvidia-detector +++ b/apparmor.d/profiles-m-r/nvidia-detector @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-persistenced b/apparmor.d/profiles-m-r/nvidia-persistenced index 33dac3dba..9f44c8f13 100644 --- a/apparmor.d/profiles-m-r/nvidia-persistenced +++ b/apparmor.d/profiles-m-r/nvidia-persistenced @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-settings b/apparmor.d/profiles-m-r/nvidia-settings index 87271a03d..9e5944bff 100644 --- a/apparmor.d/profiles-m-r/nvidia-settings +++ b/apparmor.d/profiles-m-r/nvidia-settings @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvidia-smi b/apparmor.d/profiles-m-r/nvidia-smi index 571ab3311..143808f76 100644 --- a/apparmor.d/profiles-m-r/nvidia-smi +++ b/apparmor.d/profiles-m-r/nvidia-smi 
@@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index a27a9d0f9..aed19fa5f 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obamenu b/apparmor.d/profiles-m-r/obamenu index 070ac10af..b0c4d88c6 100644 --- a/apparmor.d/profiles-m-r/obamenu +++ b/apparmor.d/profiles-m-r/obamenu @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obconf b/apparmor.d/profiles-m-r/obconf index 37e94369e..7b11aaac5 100644 --- a/apparmor.d/profiles-m-r/obconf +++ b/apparmor.d/profiles-m-r/obconf @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obex-folder-listing b/apparmor.d/profiles-m-r/obex-folder-listing index 7aa4070c5..ebbd8ae50 100644 --- a/apparmor.d/profiles-m-r/obex-folder-listing +++ b/apparmor.d/profiles-m-r/obex-folder-listing @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexautofs b/apparmor.d/profiles-m-r/obexautofs index 972829890..e50fadddf 100644 --- a/apparmor.d/profiles-m-r/obexautofs +++ b/apparmor.d/profiles-m-r/obexautofs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexctl b/apparmor.d/profiles-m-r/obexctl index d87243b75..5cd5853d5 100644 --- a/apparmor.d/profiles-m-r/obexctl +++ b/apparmor.d/profiles-m-r/obexctl 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexd b/apparmor.d/profiles-m-r/obexd index 9043489eb..3da9b4f5d 100644 --- a/apparmor.d/profiles-m-r/obexd +++ b/apparmor.d/profiles-m-r/obexd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/profiles-m-r/obexfs index 4a746ecf1..07eb4a20d 100644 --- a/apparmor.d/profiles-m-r/obexfs +++ b/apparmor.d/profiles-m-r/obexfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexpush-atd b/apparmor.d/profiles-m-r/obexpush-atd index 17b0a2d37..2645ec678 100644 --- a/apparmor.d/profiles-m-r/obexpush-atd +++ b/apparmor.d/profiles-m-r/obexpush-atd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obexpushd b/apparmor.d/profiles-m-r/obexpushd index 33a922f41..44b938401 100644 --- a/apparmor.d/profiles-m-r/obexpushd +++ b/apparmor.d/profiles-m-r/obexpushd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/obxprop b/apparmor.d/profiles-m-r/obxprop index 724f83de7..b0f1c7c27 100644 --- a/apparmor.d/profiles-m-r/obxprop +++ b/apparmor.d/profiles-m-r/obxprop @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/odt2txt b/apparmor.d/profiles-m-r/odt2txt index a2ed448e2..065e953f3 100644 --- a/apparmor.d/profiles-m-r/odt2txt +++ b/apparmor.d/profiles-m-r/odt2txt @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/ollama b/apparmor.d/profiles-m-r/ollama index e7ff1db50..7b5521802 100644 --- a/apparmor.d/profiles-m-r/ollama +++ b/apparmor.d/profiles-m-r/ollama @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/on-ac-power b/apparmor.d/profiles-m-r/on-ac-power index d9b5a412e..c92d4d849 100644 --- a/apparmor.d/profiles-m-r/on-ac-power +++ b/apparmor.d/profiles-m-r/on-ac-power @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/onefetch b/apparmor.d/profiles-m-r/onefetch index 84a68634c..ded4a204a 100644 --- a/apparmor.d/profiles-m-r/onefetch +++ b/apparmor.d/profiles-m-r/onefetch @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/openbox b/apparmor.d/profiles-m-r/openbox index ac0831f05..d136ee08f 100644 --- a/apparmor.d/profiles-m-r/openbox +++ b/apparmor.d/profiles-m-r/openbox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/openbox-session b/apparmor.d/profiles-m-r/openbox-session index 61666f756..5313ed948 100644 --- a/apparmor.d/profiles-m-r/openbox-session +++ b/apparmor.d/profiles-m-r/openbox-session @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index 39e960587..39d9a35dd 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/os-prober b/apparmor.d/profiles-m-r/os-prober index c9c9ea2df..c058003ff 100644 --- a/apparmor.d/profiles-m-r/os-prober +++ b/apparmor.d/profiles-m-r/os-prober @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index efd796d19..fb71c8ece 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 7482cda65..267ce1dbe 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pacmd b/apparmor.d/profiles-m-r/pacmd index 752c3edd7..8512c1c67 100644 --- a/apparmor.d/profiles-m-r/pacmd +++ b/apparmor.d/profiles-m-r/pacmd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pactl b/apparmor.d/profiles-m-r/pactl index 2f8092a02..1e89ef3f2 100644 --- a/apparmor.d/profiles-m-r/pactl +++ b/apparmor.d/profiles-m-r/pactl @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pagesize b/apparmor.d/profiles-m-r/pagesize index f6615a71e..0ec7c31f6 100644 --- a/apparmor.d/profiles-m-r/pagesize +++ b/apparmor.d/profiles-m-r/pagesize @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index 3d805f24c..e9da3686d 100644 
--- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pam-tmpdir-helper b/apparmor.d/profiles-m-r/pam-tmpdir-helper index 5c86a1b27..510c2abad 100644 --- a/apparmor.d/profiles-m-r/pam-tmpdir-helper +++ b/apparmor.d/profiles-m-r/pam-tmpdir-helper @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/parted b/apparmor.d/profiles-m-r/parted index 9408674f8..4a98dbae8 100644 --- a/apparmor.d/profiles-m-r/parted +++ b/apparmor.d/profiles-m-r/parted @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/partprobe b/apparmor.d/profiles-m-r/partprobe index 0d0d82388..6a0a6c9cf 100644 --- a/apparmor.d/profiles-m-r/partprobe +++ b/apparmor.d/profiles-m-r/partprobe @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pass b/apparmor.d/profiles-m-r/pass index a5a46ac48..0736f98c4 100644 --- a/apparmor.d/profiles-m-r/pass +++ b/apparmor.d/profiles-m-r/pass @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pass-import b/apparmor.d/profiles-m-r/pass-import index 655804ccc..bb2bc9107 100644 --- a/apparmor.d/profiles-m-r/pass-import +++ b/apparmor.d/profiles-m-r/pass-import @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/passimd b/apparmor.d/profiles-m-r/passimd index 8afbac8e5..4e64e5fb9 100644 --- a/apparmor.d/profiles-m-r/passimd +++ b/apparmor.d/profiles-m-r/passimd 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/passwd b/apparmor.d/profiles-m-r/passwd index b0e326b2d..9d81c0bea 100644 --- a/apparmor.d/profiles-m-r/passwd +++ b/apparmor.d/profiles-m-r/passwd @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pavucontrol b/apparmor.d/profiles-m-r/pavucontrol index de3782b09..596cbacbd 100644 --- a/apparmor.d/profiles-m-r/pavucontrol +++ b/apparmor.d/profiles-m-r/pavucontrol @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pcb-gtk b/apparmor.d/profiles-m-r/pcb-gtk index 99ad50a64..e736299fa 100644 --- a/apparmor.d/profiles-m-r/pcb-gtk +++ b/apparmor.d/profiles-m-r/pcb-gtk @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd index 200319c6c..984b566cf 100644 --- a/apparmor.d/profiles-m-r/pcscd +++ b/apparmor.d/profiles-m-r/pcscd @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pdftotext b/apparmor.d/profiles-m-r/pdftotext index 417375a79..0394687f7 100644 --- a/apparmor.d/profiles-m-r/pdftotext +++ b/apparmor.d/profiles-m-r/pdftotext @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/picom b/apparmor.d/profiles-m-r/picom index 124d5c9c3..7d423f148 100644 --- a/apparmor.d/profiles-m-r/picom +++ b/apparmor.d/profiles-m-r/picom @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/pidof b/apparmor.d/profiles-m-r/pidof index a294705b0..2a7b63038 100644 --- a/apparmor.d/profiles-m-r/pidof +++ b/apparmor.d/profiles-m-r/pidof @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pinentry b/apparmor.d/profiles-m-r/pinentry index c466f05aa..b69fcecaf 100644 --- a/apparmor.d/profiles-m-r/pinentry +++ b/apparmor.d/profiles-m-r/pinentry @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pinentry-curses b/apparmor.d/profiles-m-r/pinentry-curses index 1fd585f47..a3ec65c45 100644 --- a/apparmor.d/profiles-m-r/pinentry-curses +++ b/apparmor.d/profiles-m-r/pinentry-curses @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pinentry-gnome3 b/apparmor.d/profiles-m-r/pinentry-gnome3 index d6fc0abb0..f332ef21f 100644 --- a/apparmor.d/profiles-m-r/pinentry-gnome3 +++ b/apparmor.d/profiles-m-r/pinentry-gnome3 @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pinentry-gtk-2 b/apparmor.d/profiles-m-r/pinentry-gtk-2 index efad3a6f1..49e9ac307 100644 --- a/apparmor.d/profiles-m-r/pinentry-gtk-2 +++ b/apparmor.d/profiles-m-r/pinentry-gtk-2 @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pinentry-kwallet b/apparmor.d/profiles-m-r/pinentry-kwallet index c9dc12ba1..adff98c53 100644 --- a/apparmor.d/profiles-m-r/pinentry-kwallet +++ b/apparmor.d/profiles-m-r/pinentry-kwallet @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/pinentry-qt b/apparmor.d/profiles-m-r/pinentry-qt index 97e84c7ec..3c5ec0a94 100644 --- a/apparmor.d/profiles-m-r/pinentry-qt +++ b/apparmor.d/profiles-m-r/pinentry-qt @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pkcs11-register b/apparmor.d/profiles-m-r/pkcs11-register index c8238688e..989f6ec8b 100644 --- a/apparmor.d/profiles-m-r/pkcs11-register +++ b/apparmor.d/profiles-m-r/pkcs11-register @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index d3e47a350..ce1ea9dcd 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pkttyagent b/apparmor.d/profiles-m-r/pkttyagent index 68c85487b..de0eeef33 100644 --- a/apparmor.d/profiles-m-r/pkttyagent +++ b/apparmor.d/profiles-m-r/pkttyagent @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/plank b/apparmor.d/profiles-m-r/plank index 77bad6788..9619326f2 100644 --- a/apparmor.d/profiles-m-r/plank +++ b/apparmor.d/profiles-m-r/plank @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/plocate b/apparmor.d/profiles-m-r/plocate index e66d0c14c..3877f89cd 100644 --- a/apparmor.d/profiles-m-r/plocate +++ b/apparmor.d/profiles-m-r/plocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/plocate-build b/apparmor.d/profiles-m-r/plocate-build index 5e81be8a3..afc322958 100644 --- a/apparmor.d/profiles-m-r/plocate-build +++ b/apparmor.d/profiles-m-r/plocate-build @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pokemmo b/apparmor.d/profiles-m-r/pokemmo index a6c1e83f7..111b157c5 100644 --- a/apparmor.d/profiles-m-r/pokemmo +++ b/apparmor.d/profiles-m-r/pokemmo @@ -2,7 +2,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/popularity-contest b/apparmor.d/profiles-m-r/popularity-contest index a4b93d5b5..166404dfa 100644 --- a/apparmor.d/profiles-m-r/popularity-contest +++ b/apparmor.d/profiles-m-r/popularity-contest @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index 8f85f3c03..d409ced7b 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index e34722fb9..b4d806a9f 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -3,7 +3,7 @@ # Copyright (C) 2024 curiosityseeker # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/protonmail-bridge b/apparmor.d/profiles-m-r/protonmail-bridge index 7e8dfe9d4..fc8092ef9 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge +++ b/apparmor.d/profiles-m-r/protonmail-bridge 
@@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index d9f0facb5..81f27c40e 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -7,7 +7,7 @@ # deny @{bin}/pass x, # deny owner @{user_password_store_dirs}/** r, -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ps b/apparmor.d/profiles-m-r/ps index bdcd6cee2..1d9ae50cb 100644 --- a/apparmor.d/profiles-m-r/ps +++ b/apparmor.d/profiles-m-r/ps @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/ps-mem b/apparmor.d/profiles-m-r/ps-mem index f34992ccb..da5753161 100644 --- a/apparmor.d/profiles-m-r/ps-mem +++ b/apparmor.d/profiles-m-r/ps-mem @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pscap b/apparmor.d/profiles-m-r/pscap index 8a88b26a4..f4bc2b76e 100644 --- a/apparmor.d/profiles-m-r/pscap +++ b/apparmor.d/profiles-m-r/pscap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index 762af3bfc..ed6544c3f 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index 076d96da7..c7f310ac8 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/pstree b/apparmor.d/profiles-m-r/pstree index a2630d212..bd2265e32 100644 --- a/apparmor.d/profiles-m-r/pstree +++ b/apparmor.d/profiles-m-r/pstree @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pulseeffects b/apparmor.d/profiles-m-r/pulseeffects index 0ef899263..e57e221dd 100644 --- a/apparmor.d/profiles-m-r/pulseeffects +++ b/apparmor.d/profiles-m-r/pulseeffects @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/pwck b/apparmor.d/profiles-m-r/pwck index af459593a..0c9e1ac0a 100644 --- a/apparmor.d/profiles-m-r/pwck +++ b/apparmor.d/profiles-m-r/pwck @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 3e7c28e24..97c81ebd4 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 87bc84d51..81cf43011 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qdbus b/apparmor.d/profiles-m-r/qdbus index f8e028b88..fa67bad97 100644 --- a/apparmor.d/profiles-m-r/qdbus +++ b/apparmor.d/profiles-m-r/qdbus @@ -2,7 +2,7 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-m-r/qemu-ga b/apparmor.d/profiles-m-r/qemu-ga index ac94727c3..5bf8fceb8 100644 --- a/apparmor.d/profiles-m-r/qemu-ga +++ b/apparmor.d/profiles-m-r/qemu-ga @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qnapi b/apparmor.d/profiles-m-r/qnapi index e72a6a5c6..d02ff9426 100644 --- a/apparmor.d/profiles-m-r/qnapi +++ b/apparmor.d/profiles-m-r/qnapi @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qpdfview b/apparmor.d/profiles-m-r/qpdfview index e1ff13a92..f743e95b3 100644 --- a/apparmor.d/profiles-m-r/qpdfview +++ b/apparmor.d/profiles-m-r/qpdfview @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qt5ct b/apparmor.d/profiles-m-r/qt5ct index 4026983ab..880476b14 100644 --- a/apparmor.d/profiles-m-r/qt5ct +++ b/apparmor.d/profiles-m-r/qt5ct @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qtchooser b/apparmor.d/profiles-m-r/qtchooser index 2202d8c5f..a2485b41d 100644 --- a/apparmor.d/profiles-m-r/qtchooser +++ b/apparmor.d/profiles-m-r/qtchooser @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/qtox b/apparmor.d/profiles-m-r/qtox index e97bcc2ec..4b0d9b79c 100644 --- a/apparmor.d/profiles-m-r/qtox +++ b/apparmor.d/profiles-m-r/qtox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 1154ff337..05de0d490 100644 --- a/apparmor.d/profiles-m-r/quiterss 
+++ b/apparmor.d/profiles-m-r/quiterss @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/rdmsr b/apparmor.d/profiles-m-r/rdmsr index c3a4a8a22..47dd9beab 100644 --- a/apparmor.d/profiles-m-r/rdmsr +++ b/apparmor.d/profiles-m-r/rdmsr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index dcee35f62..9e2414b5e 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/repo b/apparmor.d/profiles-m-r/repo index 5f491cd5e..a1fd7b3b3 100644 --- a/apparmor.d/profiles-m-r/repo +++ b/apparmor.d/profiles-m-r/repo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 4ef5e6b42..7710953b8 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/resize2fs b/apparmor.d/profiles-m-r/resize2fs index 698ec99fd..7b28a1d22 100644 --- a/apparmor.d/profiles-m-r/resize2fs +++ b/apparmor.d/profiles-m-r/resize2fs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-m-r/resolvconf b/apparmor.d/profiles-m-r/resolvconf index caa13b97d..6601b8169 100644 --- a/apparmor.d/profiles-m-r/resolvconf +++ b/apparmor.d/profiles-m-r/resolvconf 
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/rfkill b/apparmor.d/profiles-m-r/rfkill
index f64dd20ba..041a03e07 100644
--- a/apparmor.d/profiles-m-r/rfkill
+++ b/apparmor.d/profiles-m-r/rfkill
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/rngd b/apparmor.d/profiles-m-r/rngd
index 0f65d8f71..8ae73c5d0 100644
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@@ -3,7 +3,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/rpi-imager b/apparmor.d/profiles-m-r/rpi-imager
index b341bb736..7b48d57b1 100644
--- a/apparmor.d/profiles-m-r/rpi-imager
+++ b/apparmor.d/profiles-m-r/rpi-imager
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/rredtool b/apparmor.d/profiles-m-r/rredtool
index d8024b279..97e96d652 100644
--- a/apparmor.d/profiles-m-r/rredtool
+++ b/apparmor.d/profiles-m-r/rredtool
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/rsyslogd b/apparmor.d/profiles-m-r/rsyslogd
index 423e7e41a..b4ae4b211 100644
--- a/apparmor.d/profiles-m-r/rsyslogd
+++ b/apparmor.d/profiles-m-r/rsyslogd
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/rtkit-daemon b/apparmor.d/profiles-m-r/rtkit-daemon
index 21e715579..ddb62cb5f 100644
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/rtkitctl b/apparmor.d/profiles-m-r/rtkitctl
index d855c0a35..9417c93b1 100644
--- a/apparmor.d/profiles-m-r/rtkitctl
+++ b/apparmor.d/profiles-m-r/rtkitctl
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts
index 81c52aa1f..1347ca211 100644
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@@ -10,7 +10,7 @@
 # - As rCx -> run-parts,
 # - As rPx -> foo-run-parts,
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/runuser b/apparmor.d/profiles-m-r/runuser
index 5fc2d65c4..9931c07fb 100644
--- a/apparmor.d/profiles-m-r/runuser
+++ b/apparmor.d/profiles-m-r/runuser
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk
index 956aaeaa4..7733730a6 100644
--- a/apparmor.d/profiles-m-r/rustdesk
+++ b/apparmor.d/profiles-m-r/rustdesk
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-m-r/rustdesk-utils b/apparmor.d/profiles-m-r/rustdesk-utils
index 0707f9c8f..d52e2b709 100644
--- a/apparmor.d/profiles-m-r/rustdesk-utils
+++ b/apparmor.d/profiles-m-r/rustdesk-utils
@@ -1,7 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/YACReader b/apparmor.d/profiles-s-z/YACReader
index 3038df49a..de55bf829 100644
--- a/apparmor.d/profiles-s-z/YACReader
+++ b/apparmor.d/profiles-s-z/YACReader
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/YACReaderLibrary b/apparmor.d/profiles-s-z/YACReaderLibrary
index 19bf0e9c2..38336fbc7 100644
--- a/apparmor.d/profiles-s-z/YACReaderLibrary
+++ b/apparmor.d/profiles-s-z/YACReaderLibrary
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/s3fs b/apparmor.d/profiles-s-z/s3fs
index d614330d2..985f124de 100644
--- a/apparmor.d/profiles-s-z/s3fs
+++ b/apparmor.d/profiles-s-z/s3fs
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid
index 755efba9b..e9a8f8818 100644
--- a/apparmor.d/profiles-s-z/sanoid
+++ b/apparmor.d/profiles-s-z/sanoid
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sbctl b/apparmor.d/profiles-s-z/sbctl
index db71eb7e0..4c5d62597 100644
--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/scrcpy b/apparmor.d/profiles-s-z/scrcpy
index f1af86477..3d33e8a3e 100644
--- a/apparmor.d/profiles-s-z/scrcpy
+++ b/apparmor.d/profiles-s-z/scrcpy
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/scrot b/apparmor.d/profiles-s-z/scrot
index 377bb7962..9573da520 100644
--- a/apparmor.d/profiles-s-z/scrot
+++ b/apparmor.d/profiles-s-z/scrot
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sdcv b/apparmor.d/profiles-s-z/sdcv
index cfc6c1b3c..4f6b26e39 100644
--- a/apparmor.d/profiles-s-z/sdcv
+++ b/apparmor.d/profiles-s-z/sdcv
@@ -3,7 +3,7 @@
 # Copyright (C) 2023 Andy Ramos
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/secure-time-sync b/apparmor.d/profiles-s-z/secure-time-sync
index 3ded8b7ae..51016373d 100644
--- a/apparmor.d/profiles-s-z/secure-time-sync
+++ b/apparmor.d/profiles-s-z/secure-time-sync
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sensors b/apparmor.d/profiles-s-z/sensors
index 618332bce..fd839099e 100644
--- a/apparmor.d/profiles-s-z/sensors
+++ b/apparmor.d/profiles-s-z/sensors
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect
index 18e4c135f..ea81f6593 100644
--- a/apparmor.d/profiles-s-z/sensors-detect
+++ b/apparmor.d/profiles-s-z/sensors-detect
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop
index 72c704741..d088bb0b1 100644
--- a/apparmor.d/profiles-s-z/session-desktop
+++ b/apparmor.d/profiles-s-z/session-desktop
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/setpci b/apparmor.d/profiles-s-z/setpci
index 25fe43065..72c9b8a93 100644
--- a/apparmor.d/profiles-s-z/setpci
+++ b/apparmor.d/profiles-s-z/setpci
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/setvtrgb b/apparmor.d/profiles-s-z/setvtrgb
index aef3b00fe..6c9a3fe62 100644
--- a/apparmor.d/profiles-s-z/setvtrgb
+++ b/apparmor.d/profiles-s-z/setvtrgb
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sfdisk b/apparmor.d/profiles-s-z/sfdisk
index c82aff776..0009d52cb 100644
--- a/apparmor.d/profiles-s-z/sfdisk
+++ b/apparmor.d/profiles-s-z/sfdisk
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sgdisk b/apparmor.d/profiles-s-z/sgdisk
index 00a8c7a56..ecc6abcdb 100644
--- a/apparmor.d/profiles-s-z/sgdisk
+++ b/apparmor.d/profiles-s-z/sgdisk
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop
index 484f42dd9..972f111f4 100644
--- a/apparmor.d/profiles-s-z/signal-desktop
+++ b/apparmor.d/profiles-s-z/signal-desktop
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
index 10e1de4b3..b9efca35a 100644
--- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
+++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sing-box b/apparmor.d/profiles-s-z/sing-box
index 221da9617..9f395735e 100644
--- a/apparmor.d/profiles-s-z/sing-box
+++ b/apparmor.d/profiles-s-z/sing-box
@@ -4,7 +4,7 @@
 # https://github.com/SagerNet/sing-box
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns
index 0ec43cc9b..e2d3b6b1f 100644
--- a/apparmor.d/profiles-s-z/slirp4netns
+++ b/apparmor.d/profiles-s-z/slirp4netns
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl
index 6487e82e3..4af40c8ab 100644
--- a/apparmor.d/profiles-s-z/smartctl
+++ b/apparmor.d/profiles-s-z/smartctl
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/smartd b/apparmor.d/profiles-s-z/smartd
index 9222fbbbd..d0f9c28fd 100644
--- a/apparmor.d/profiles-s-z/smartd
+++ b/apparmor.d/profiles-s-z/smartd
@@ -4,7 +4,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/smbspool b/apparmor.d/profiles-s-z/smbspool
index 010226342..a0d9600ad 100644
--- a/apparmor.d/profiles-s-z/smbspool
+++ b/apparmor.d/profiles-s-z/smbspool
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/smplayer b/apparmor.d/profiles-s-z/smplayer
index 0248d4218..858c73637 100644
--- a/apparmor.d/profiles-s-z/smplayer
+++ b/apparmor.d/profiles-s-z/smplayer
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube
index af761d43c..bbb404c8f 100644
--- a/apparmor.d/profiles-s-z/smtube
+++ b/apparmor.d/profiles-s-z/smtube
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snap b/apparmor.d/profiles-s-z/snap
index e5e5bef97..912ab1a8b 100644
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snap-bootstrap b/apparmor.d/profiles-s-z/snap-bootstrap
index 71a4ad8f2..95cc306fc 100644
--- a/apparmor.d/profiles-s-z/snap-bootstrap
+++ b/apparmor.d/profiles-s-z/snap-bootstrap
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snap-device-helper b/apparmor.d/profiles-s-z/snap-device-helper
index ec342d4e2..5a9fded35 100644
--- a/apparmor.d/profiles-s-z/snap-device-helper
+++ b/apparmor.d/profiles-s-z/snap-device-helper
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snap-discard-ns b/apparmor.d/profiles-s-z/snap-discard-ns
index ab90529b7..f1f6f9d67 100644
--- a/apparmor.d/profiles-s-z/snap-discard-ns
+++ b/apparmor.d/profiles-s-z/snap-discard-ns
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snap-failure b/apparmor.d/profiles-s-z/snap-failure
index 61372b169..e9bef6d4e 100644
--- a/apparmor.d/profiles-s-z/snap-failure
+++ b/apparmor.d/profiles-s-z/snap-failure
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snap-repair b/apparmor.d/profiles-s-z/snap-repair
index d5f282ffa..fe9be759a 100644
--- a/apparmor.d/profiles-s-z/snap-repair
+++ b/apparmor.d/profiles-s-z/snap-repair
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snap-seccomp b/apparmor.d/profiles-s-z/snap-seccomp
index 5018ff379..235ef2080 100644
--- a/apparmor.d/profiles-s-z/snap-seccomp
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snap-update-ns b/apparmor.d/profiles-s-z/snap-update-ns
index 2092ab1c9..3021a1ad7 100644
--- a/apparmor.d/profiles-s-z/snap-update-ns
+++ b/apparmor.d/profiles-s-z/snap-update-ns
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snapd b/apparmor.d/profiles-s-z/snapd
index ae061b032..e6ded0956 100644
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
index 6cc8801aa..5620fc975 100644
--- a/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
+++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-listener
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui
index d7b9b3713..14354cfb9 100644
--- a/apparmor.d/profiles-s-z/snapd-aa-prompt-ui
+++ b/apparmor.d/profiles-s-z/snapd-aa-prompt-ui
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snapd-apparmor b/apparmor.d/profiles-s-z/snapd-apparmor
index edd266c20..e7a3b4946 100644
--- a/apparmor.d/profiles-s-z/snapd-apparmor
+++ b/apparmor.d/profiles-s-z/snapd-apparmor
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snapd-core-fixup b/apparmor.d/profiles-s-z/snapd-core-fixup
index fffbc4468..0e33aaea0 100644
--- a/apparmor.d/profiles-s-z/snapd-core-fixup
+++ b/apparmor.d/profiles-s-z/snapd-core-fixup
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot
index 5afff36e6..e7d84b0b3 100644
--- a/apparmor.d/profiles-s-z/snapshot
+++ b/apparmor.d/profiles-s-z/snapshot
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # vim:syntax=apparmor
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/spacefm-auth b/apparmor.d/profiles-s-z/spacefm-auth
index 754908eac..60111288f 100644
--- a/apparmor.d/profiles-s-z/spacefm-auth
+++ b/apparmor.d/profiles-s-z/spacefm-auth
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/spectre-meltdown-checker b/apparmor.d/profiles-s-z/spectre-meltdown-checker
index 33c02ce44..e70a5c499 100644
--- a/apparmor.d/profiles-s-z/spectre-meltdown-checker
+++ b/apparmor.d/profiles-s-z/spectre-meltdown-checker
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/speech-dispatcher b/apparmor.d/profiles-s-z/speech-dispatcher
index e2c00e2af..13ed65c09 100644
--- a/apparmor.d/profiles-s-z/speech-dispatcher
+++ b/apparmor.d/profiles-s-z/speech-dispatcher
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/speedtest b/apparmor.d/profiles-s-z/speedtest
index 0fe00bc24..f31818354 100644
--- a/apparmor.d/profiles-s-z/speedtest
+++ b/apparmor.d/profiles-s-z/speedtest
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
index aae606395..58da03738 100644
--- a/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
+++ b/apparmor.d/profiles-s-z/spice-client-glib-usb-acl-helper
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent
index 93be9c783..f0731fd64 100644
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/spice-vdagentd b/apparmor.d/profiles-s-z/spice-vdagentd
index 70eca91fe..bebfbe419 100644
--- a/apparmor.d/profiles-s-z/spice-vdagentd
+++ b/apparmor.d/profiles-s-z/spice-vdagentd
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify
index ef939ef07..4bc0cb4be 100644
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/ss b/apparmor.d/profiles-s-z/ss
index 7346ebd62..3b55547be 100644
--- a/apparmor.d/profiles-s-z/ss
+++ b/apparmor.d/profiles-s-z/ss
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sslocal b/apparmor.d/profiles-s-z/sslocal
index beff6a1e9..0c46e5581 100644
--- a/apparmor.d/profiles-s-z/sslocal
+++ b/apparmor.d/profiles-s-z/sslocal
@@ -4,7 +4,7 @@
 # shadowsocks-rust only:
 # https://github.com/shadowsocks/shadowsocks-rust
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/ssmanager b/apparmor.d/profiles-s-z/ssmanager
index 7a89ea8bd..7e6fb0906 100644
--- a/apparmor.d/profiles-s-z/ssmanager
+++ b/apparmor.d/profiles-s-z/ssmanager
@@ -4,7 +4,7 @@
 # shadowsocks-rust only:
 # https://github.com/shadowsocks/shadowsocks-rust
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/ssserver b/apparmor.d/profiles-s-z/ssserver
index 51dc62837..c71fc1ea7 100644
--- a/apparmor.d/profiles-s-z/ssserver
+++ b/apparmor.d/profiles-s-z/ssserver
@@ -4,7 +4,7 @@
 # shadowsocks-rust only:
 # https://github.com/shadowsocks/shadowsocks-rust
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/ssservice b/apparmor.d/profiles-s-z/ssservice
index 1c62764b2..5157bba63 100644
--- a/apparmor.d/profiles-s-z/ssservice
+++ b/apparmor.d/profiles-s-z/ssservice
@@ -4,7 +4,7 @@
 # shadowsocks-rust only:
 # https://github.com/shadowsocks/shadowsocks-rust
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl
index e1c7b9068..a066a9df6 100644
--- a/apparmor.d/profiles-s-z/ssurl
+++ b/apparmor.d/profiles-s-z/ssurl
@@ -4,7 +4,7 @@
 # shadowsocks-rust only:
 # https://github.com/shadowsocks/shadowsocks-rust
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/start-pulseaudio-x11 b/apparmor.d/profiles-s-z/start-pulseaudio-x11
index 616b66963..85ec45d5c 100644
--- a/apparmor.d/profiles-s-z/start-pulseaudio-x11
+++ b/apparmor.d/profiles-s-z/start-pulseaudio-x11
@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/startx b/apparmor.d/profiles-s-z/startx
index 26cf4027f..34f6d4724 100644
--- a/apparmor.d/profiles-s-z/startx
+++ b/apparmor.d/profiles-s-z/startx
@@ -3,7 +3,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam
index b1dd83471..3ad53cf0a 100644
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@@ -17,7 +17,7 @@
 # ├── steam-gameoverlayui # Steam game overlay
 # └── steamerrorreporter # Error reporter
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steam-fossilize b/apparmor.d/profiles-s-z/steam-fossilize
index 1786a5e40..e3e7f87e2 100644
--- a/apparmor.d/profiles-s-z/steam-fossilize
+++ b/apparmor.d/profiles-s-z/steam-fossilize
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steam-game-native b/apparmor.d/profiles-s-z/steam-game-native
index 4246f7870..ca80801d7 100644
--- a/apparmor.d/profiles-s-z/steam-game-native
+++ b/apparmor.d/profiles-s-z/steam-game-native
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton
index 0facb49ac..bad85a84b 100644
--- a/apparmor.d/profiles-s-z/steam-game-proton
+++ b/apparmor.d/profiles-s-z/steam-game-proton
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steam-gameoverlayui b/apparmor.d/profiles-s-z/steam-gameoverlayui
index ae01bf5d3..0cd837135 100644
--- a/apparmor.d/profiles-s-z/steam-gameoverlayui
+++ b/apparmor.d/profiles-s-z/steam-gameoverlayui
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steam-launch b/apparmor.d/profiles-s-z/steam-launch
index 975e432a6..977248c96 100644
--- a/apparmor.d/profiles-s-z/steam-launch
+++ b/apparmor.d/profiles-s-z/steam-launch
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steam-launcher b/apparmor.d/profiles-s-z/steam-launcher
index 2605c15f1..12138e360 100644
--- a/apparmor.d/profiles-s-z/steam-launcher
+++ b/apparmor.d/profiles-s-z/steam-launcher
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steam-runtime b/apparmor.d/profiles-s-z/steam-runtime
index b1fca8df4..abf84d3c0 100644
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/profiles-s-z/steam-runtime
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote
index c962f61ee..b3a36eac4 100644
--- a/apparmor.d/profiles-s-z/steam-runtime-steam-remote
+++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/steamerrorreporter b/apparmor.d/profiles-s-z/steamerrorreporter
index 1d55e59af..8214a1fb9 100644
--- a/apparmor.d/profiles-s-z/steamerrorreporter
+++ b/apparmor.d/profiles-s-z/steamerrorreporter
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/strawberry b/apparmor.d/profiles-s-z/strawberry
index acba17f78..6a337a66b 100644
--- a/apparmor.d/profiles-s-z/strawberry
+++ b/apparmor.d/profiles-s-z/strawberry
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/strawberry-tagreader b/apparmor.d/profiles-s-z/strawberry-tagreader
index 0e1aced4f..8de73c57c 100644
--- a/apparmor.d/profiles-s-z/strawberry-tagreader
+++ b/apparmor.d/profiles-s-z/strawberry-tagreader
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/su b/apparmor.d/profiles-s-z/su
index d292cab8b..02a212150 100644
--- a/apparmor.d/profiles-s-z/su
+++ b/apparmor.d/profiles-s-z/su
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sudo b/apparmor.d/profiles-s-z/sudo
index 9574b98d1..49df90aa3 100644
--- a/apparmor.d/profiles-s-z/sudo
+++ b/apparmor.d/profiles-s-z/sudo
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sulogin b/apparmor.d/profiles-s-z/sulogin
index 3793df043..556808aeb 100644
--- a/apparmor.d/profiles-s-z/sulogin
+++ b/apparmor.d/profiles-s-z/sulogin
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity
index f8295f311..91ceef33d 100644
--- a/apparmor.d/profiles-s-z/superproductivity
+++ b/apparmor.d/profiles-s-z/superproductivity
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/swaplabel b/apparmor.d/profiles-s-z/swaplabel
index 03d2fe8d0..05dc5783a 100644
--- a/apparmor.d/profiles-s-z/swaplabel
+++ b/apparmor.d/profiles-s-z/swaplabel
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/swapon b/apparmor.d/profiles-s-z/swapon
index 31ee2e93a..83d2c6a3b 100644
--- a/apparmor.d/profiles-s-z/swapon
+++ b/apparmor.d/profiles-s-z/swapon
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/switcheroo-control b/apparmor.d/profiles-s-z/switcheroo-control
index 4cfa8ba96..b2df1a346 100644
--- a/apparmor.d/profiles-s-z/switcheroo-control
+++ b/apparmor.d/profiles-s-z/switcheroo-control
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/switcherooctl b/apparmor.d/profiles-s-z/switcherooctl
index 1e9d50989..538931554 100644
--- a/apparmor.d/profiles-s-z/switcherooctl
+++ b/apparmor.d/profiles-s-z/switcherooctl
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/swtpm b/apparmor.d/profiles-s-z/swtpm
index 4f6d1b38c..783e58237 100644
--- a/apparmor.d/profiles-s-z/swtpm
+++ b/apparmor.d/profiles-s-z/swtpm
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/swtpm_ioctl b/apparmor.d/profiles-s-z/swtpm_ioctl
index c77810624..f1e41aa6e 100644
--- a/apparmor.d/profiles-s-z/swtpm_ioctl
+++ b/apparmor.d/profiles-s-z/swtpm_ioctl
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/swtpm_localca b/apparmor.d/profiles-s-z/swtpm_localca
index a9749c91f..dbe202581 100644
--- a/apparmor.d/profiles-s-z/swtpm_localca
+++ b/apparmor.d/profiles-s-z/swtpm_localca
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/swtpm_setup b/apparmor.d/profiles-s-z/swtpm_setup
index f4b01f0e0..08ee1532e 100644
--- a/apparmor.d/profiles-s-z/swtpm_setup
+++ b/apparmor.d/profiles-s-z/swtpm_setup
@@ -2,7 +2,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sync b/apparmor.d/profiles-s-z/sync
index 6bdb55732..3b18ad36e 100644
--- a/apparmor.d/profiles-s-z/sync
+++ b/apparmor.d/profiles-s-z/sync
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/syncoid b/apparmor.d/profiles-s-z/syncoid
index ba3e774e6..821a3fd63 100644
--- a/apparmor.d/profiles-s-z/syncoid
+++ b/apparmor.d/profiles-s-z/syncoid
@@ -2,7 +2,7 @@
 # Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing
index b65a56145..f668f5a00 100644
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl
index 02964dd7d..6dd12a023 100644
--- a/apparmor.d/profiles-s-z/sysctl
+++ b/apparmor.d/profiles-s-z/sysctl
@@ -4,7 +4,7 @@
 # TODO: Rethink this profile. Should not be called by another profile.
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer
index f929adcae..4db5c6f92 100644
--- a/apparmor.d/profiles-s-z/system-config-printer
+++ b/apparmor.d/profiles-s-z/system-config-printer
@@ -3,7 +3,7 @@
 # Copyright (C) 2022-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/system-config-printer-applet b/apparmor.d/profiles-s-z/system-config-printer-applet
index 0112b152a..0197e3c3b 100644
--- a/apparmor.d/profiles-s-z/system-config-printer-applet
+++ b/apparmor.d/profiles-s-z/system-config-printer-applet
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/task b/apparmor.d/profiles-s-z/task
index 87b9be2df..598e59341 100644
--- a/apparmor.d/profiles-s-z/task
+++ b/apparmor.d/profiles-s-z/task
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Zane Zakraisek
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel
index b96200dea..9073591f5 100644
--- a/apparmor.d/profiles-s-z/tasksel
+++ b/apparmor.d/profiles-s-z/tasksel
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/taskwarrior-tui b/apparmor.d/profiles-s-z/taskwarrior-tui
index f125c993d..8a02b8d04 100644
--- a/apparmor.d/profiles-s-z/taskwarrior-tui
+++ b/apparmor.d/profiles-s-z/taskwarrior-tui
@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Zane Zakraisek
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/telegram-desktop b/apparmor.d/profiles-s-z/telegram-desktop
index a31d4c601..d967f4229 100644
--- a/apparmor.d/profiles-s-z/telegram-desktop
+++ b/apparmor.d/profiles-s-z/telegram-desktop
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator
index 3d6470dbc..e72588420 100644
--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@@ -2,7 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/tftp b/apparmor.d/profiles-s-z/tftp
index fb848cb1c..33f6fe6dc 100644
--- a/apparmor.d/profiles-s-z/tftp
+++ b/apparmor.d/profiles-s-z/tftp
@@ -3,7 +3,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol
 # SPDX-License-Identifier: GPL-2.0-only
-abi ,
+abi ,
 include
diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index abea43b61..6bff0f1d8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -4,7 +4,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/thinkfan b/apparmor.d/profiles-s-z/thinkfan index 56a39736e..ddf7e1ff2 100644 --- a/apparmor.d/profiles-s-z/thinkfan +++ b/apparmor.d/profiles-s-z/thinkfan @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index a9490c6f7..e5404615c 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 17fda9d56..a742a41fb 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index a401173f1..c93d14bd7 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tint2 b/apparmor.d/profiles-s-z/tint2 index 2e44d0fab..8b6f0dc45 100644 --- a/apparmor.d/profiles-s-z/tint2 +++ b/apparmor.d/profiles-s-z/tint2 @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/tint2conf b/apparmor.d/profiles-s-z/tint2conf index 776b843a3..737bc90f8 100644 --- a/apparmor.d/profiles-s-z/tint2conf +++ b/apparmor.d/profiles-s-z/tint2conf @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index cc540ae93..0b35cff02 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/top b/apparmor.d/profiles-s-z/top index 418accd3c..6a5d272a3 100644 --- a/apparmor.d/profiles-s-z/top +++ b/apparmor.d/profiles-s-z/top @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/torify b/apparmor.d/profiles-s-z/torify index fcc4c9b98..c4cb88902 100644 --- a/apparmor.d/profiles-s-z/torify +++ b/apparmor.d/profiles-s-z/torify @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/torsocks b/apparmor.d/profiles-s-z/torsocks index 8d75133da..c7c914387 100644 --- a/apparmor.d/profiles-s-z/torsocks +++ b/apparmor.d/profiles-s-z/torsocks @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index ef11ad786..7a7dd709e 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tpacpi-bat b/apparmor.d/profiles-s-z/tpacpi-bat index 673f46e32..ee4de1e45 100644 --- a/apparmor.d/profiles-s-z/tpacpi-bat 
+++ b/apparmor.d/profiles-s-z/tpacpi-bat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission index 44f89d2b1..ff3373a2c 100644 --- a/apparmor.d/profiles-s-z/transmission +++ b/apparmor.d/profiles-s-z/transmission @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/tune2fs b/apparmor.d/profiles-s-z/tune2fs index d9a8c5409..6f0fdad94 100644 --- a/apparmor.d/profiles-s-z/tune2fs +++ b/apparmor.d/profiles-s-z/tune2fs @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udev-dmi-memory-id b/apparmor.d/profiles-s-z/udev-dmi-memory-id index ab6a2de77..a26c4a263 100644 --- a/apparmor.d/profiles-s-z/udev-dmi-memory-id +++ b/apparmor.d/profiles-s-z/udev-dmi-memory-id @@ -2,7 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 505017bcd..6105c7dae 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udiskie-info b/apparmor.d/profiles-s-z/udiskie-info index aa359ef56..855c5b54c 100644 --- a/apparmor.d/profiles-s-z/udiskie-info +++ b/apparmor.d/profiles-s-z/udiskie-info @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udiskie-mount b/apparmor.d/profiles-s-z/udiskie-mount index 7e72e9713..a57a6091f 100644 --- a/apparmor.d/profiles-s-z/udiskie-mount 
+++ b/apparmor.d/profiles-s-z/udiskie-mount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udiskie-umount b/apparmor.d/profiles-s-z/udiskie-umount index 8dc30eb9a..8fe075f94 100644 --- a/apparmor.d/profiles-s-z/udiskie-umount +++ b/apparmor.d/profiles-s-z/udiskie-umount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udisksctl b/apparmor.d/profiles-s-z/udisksctl index 5e7320a63..6ae685723 100644 --- a/apparmor.d/profiles-s-z/udisksctl +++ b/apparmor.d/profiles-s-z/udisksctl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index a0071a759..af2eec34e 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw index 685eed20a..1c34b8579 100644 --- a/apparmor.d/profiles-s-z/ufw +++ b/apparmor.d/profiles-s-z/ufw @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/umount b/apparmor.d/profiles-s-z/umount index e066dff89..66fae00bb 100644 --- a/apparmor.d/profiles-s-z/umount +++ b/apparmor.d/profiles-s-z/umount @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/umount.udisks2 b/apparmor.d/profiles-s-z/umount.udisks2 index 2a6f7747d..4e842c7fb 100644 --- a/apparmor.d/profiles-s-z/umount.udisks2 +++ b/apparmor.d/profiles-s-z/umount.udisks2 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 31508b640..7c5cb0cb1 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-linux b/apparmor.d/profiles-s-z/unhide-linux index d03561452..0d543513c 100644 --- a/apparmor.d/profiles-s-z/unhide-linux +++ b/apparmor.d/profiles-s-z/unhide-linux @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-posix b/apparmor.d/profiles-s-z/unhide-posix index 1277e299c..730d1aaa6 100644 --- a/apparmor.d/profiles-s-z/unhide-posix +++ b/apparmor.d/profiles-s-z/unhide-posix @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-rb b/apparmor.d/profiles-s-z/unhide-rb index e503f639a..ecc19849a 100644 --- a/apparmor.d/profiles-s-z/unhide-rb +++ b/apparmor.d/profiles-s-z/unhide-rb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unhide-tcp b/apparmor.d/profiles-s-z/unhide-tcp index bb54d19b1..c4b30b884 100644 --- a/apparmor.d/profiles-s-z/unhide-tcp +++ b/apparmor.d/profiles-s-z/unhide-tcp @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unix-chkpwd b/apparmor.d/profiles-s-z/unix-chkpwd index c24da3bab..85b99b8ab 100644 --- a/apparmor.d/profiles-s-z/unix-chkpwd +++ b/apparmor.d/profiles-s-z/unix-chkpwd 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/unmkinitramfs b/apparmor.d/profiles-s-z/unmkinitramfs index d5d1cb953..6b5607ed1 100644 --- a/apparmor.d/profiles-s-z/unmkinitramfs +++ b/apparmor.d/profiles-s-z/unmkinitramfs @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-alternatives b/apparmor.d/profiles-s-z/update-alternatives index dfe7725d8..a83e985d7 100644 --- a/apparmor.d/profiles-s-z/update-alternatives +++ b/apparmor.d/profiles-s-z/update-alternatives @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-ca-certificates b/apparmor.d/profiles-s-z/update-ca-certificates index f08383fba..b87f60ec4 100644 --- a/apparmor.d/profiles-s-z/update-ca-certificates +++ b/apparmor.d/profiles-s-z/update-ca-certificates @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-ca-trust b/apparmor.d/profiles-s-z/update-ca-trust index 8b69cd1f4..c0f220919 100644 --- a/apparmor.d/profiles-s-z/update-ca-trust +++ b/apparmor.d/profiles-s-z/update-ca-trust @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-command-not-found b/apparmor.d/profiles-s-z/update-command-not-found index 56c215402..f1bf99bf8 100644 --- a/apparmor.d/profiles-s-z/update-command-not-found +++ b/apparmor.d/profiles-s-z/update-command-not-found @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/update-cracklib b/apparmor.d/profiles-s-z/update-cracklib index 6b4192903..9bef23a77 100644 --- a/apparmor.d/profiles-s-z/update-cracklib +++ b/apparmor.d/profiles-s-z/update-cracklib @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index 08687c6c8..c0f3a9cb0 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-initramfs b/apparmor.d/profiles-s-z/update-initramfs index fc62d99f2..6948f2812 100644 --- a/apparmor.d/profiles-s-z/update-initramfs +++ b/apparmor.d/profiles-s-z/update-initramfs @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index 233ed60be..5f5b39ec8 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-secureboot-policy b/apparmor.d/profiles-s-z/update-secureboot-policy index 8431fd1e6..e5ffca44f 100644 --- a/apparmor.d/profiles-s-z/update-secureboot-policy +++ b/apparmor.d/profiles-s-z/update-secureboot-policy @@ -3,7 +3,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 7140bbd5b..2dcd3cc9e 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/updatedb-mlocate b/apparmor.d/profiles-s-z/updatedb-mlocate index 9e470d878..7a951b7e7 100644 --- a/apparmor.d/profiles-s-z/updatedb-mlocate +++ b/apparmor.d/profiles-s-z/updatedb-mlocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/updatedb.plocate b/apparmor.d/profiles-s-z/updatedb.plocate index 67ea546fd..60aa760d4 100644 --- a/apparmor.d/profiles-s-z/updatedb.plocate +++ b/apparmor.d/profiles-s-z/updatedb.plocate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uptime b/apparmor.d/profiles-s-z/uptime index 1b28a07da..904ebe415 100644 --- a/apparmor.d/profiles-s-z/uptime +++ b/apparmor.d/profiles-s-z/uptime @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uptimed b/apparmor.d/profiles-s-z/uptimed index a850d7771..7e978c1dd 100644 --- a/apparmor.d/profiles-s-z/uptimed +++ b/apparmor.d/profiles-s-z/uptimed @@ -2,7 +2,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usb-devices b/apparmor.d/profiles-s-z/usb-devices index 94e6526ab..c67b78faf 100644 --- a/apparmor.d/profiles-s-z/usb-devices +++ b/apparmor.d/profiles-s-z/usb-devices @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard b/apparmor.d/profiles-s-z/usbguard index deb5ef46d..798352c89 100644 --- a/apparmor.d/profiles-s-z/usbguard +++ b/apparmor.d/profiles-s-z/usbguard 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard-applet-qt b/apparmor.d/profiles-s-z/usbguard-applet-qt index bc004b86f..a76398dd9 100644 --- a/apparmor.d/profiles-s-z/usbguard-applet-qt +++ b/apparmor.d/profiles-s-z/usbguard-applet-qt @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard-daemon b/apparmor.d/profiles-s-z/usbguard-daemon index 674da7ad4..1fb97459d 100644 --- a/apparmor.d/profiles-s-z/usbguard-daemon +++ b/apparmor.d/profiles-s-z/usbguard-daemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard-dbus b/apparmor.d/profiles-s-z/usbguard-dbus index b02524d55..d406d5262 100644 --- a/apparmor.d/profiles-s-z/usbguard-dbus +++ b/apparmor.d/profiles-s-z/usbguard-dbus @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usbguard-notifier b/apparmor.d/profiles-s-z/usbguard-notifier index 48f88d0aa..963fcb2e8 100644 --- a/apparmor.d/profiles-s-z/usbguard-notifier +++ b/apparmor.d/profiles-s-z/usbguard-notifier @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/useradd b/apparmor.d/profiles-s-z/useradd index a6094867a..42ab87607 100644 --- a/apparmor.d/profiles-s-z/useradd +++ b/apparmor.d/profiles-s-z/useradd @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 6b95a4848..05df64874 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel 
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/usermod b/apparmor.d/profiles-s-z/usermod index cfcdc6bdc..c0f8f0e45 100644 --- a/apparmor.d/profiles-s-z/usermod +++ b/apparmor.d/profiles-s-z/usermod @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/users b/apparmor.d/profiles-s-z/users index fbad304bf..67d7a83e7 100644 --- a/apparmor.d/profiles-s-z/users +++ b/apparmor.d/profiles-s-z/users @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/utmpdump b/apparmor.d/profiles-s-z/utmpdump index 054bb69ce..363524355 100644 --- a/apparmor.d/profiles-s-z/utmpdump +++ b/apparmor.d/profiles-s-z/utmpdump @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/utox b/apparmor.d/profiles-s-z/utox index e5642c263..483fef619 100644 --- a/apparmor.d/profiles-s-z/utox +++ b/apparmor.d/profiles-s-z/utox @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uuidd b/apparmor.d/profiles-s-z/uuidd index c98d8175f..69f28da32 100644 --- a/apparmor.d/profiles-s-z/uuidd +++ b/apparmor.d/profiles-s-z/uuidd @@ -2,7 +2,7 @@ # Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/uuidgen b/apparmor.d/profiles-s-z/uuidgen index b00ed1f26..56e8abef9 100644 --- a/apparmor.d/profiles-s-z/uuidgen +++ b/apparmor.d/profiles-s-z/uuidgen @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index f49441ebf..2d429135f 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vcsi b/apparmor.d/profiles-s-z/vcsi index 37422840c..25f4a979f 100644 --- a/apparmor.d/profiles-s-z/vcsi +++ b/apparmor.d/profiles-s-z/vcsi @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/veracrypt b/apparmor.d/profiles-s-z/veracrypt index 148d28957..6612846cd 100644 --- a/apparmor.d/profiles-s-z/veracrypt +++ b/apparmor.d/profiles-s-z/veracrypt @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index ce420ea12..bcbb30883 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -2,7 +2,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include @{name} = vesktop diff --git a/apparmor.d/profiles-s-z/vidcutter b/apparmor.d/profiles-s-z/vidcutter index 226a0dd98..283eab051 100644 --- a/apparmor.d/profiles-s-z/vidcutter +++ b/apparmor.d/profiles-s-z/vidcutter @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vipw-vigr b/apparmor.d/profiles-s-z/vipw-vigr index 3705f0bab..50ada1d64 100644 --- a/apparmor.d/profiles-s-z/vipw-vigr +++ b/apparmor.d/profiles-s-z/vipw-vigr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 310b94683..bce236989 100644 
--- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc index 508deaeac..fabde247b 100644 --- a/apparmor.d/profiles-s-z/vlc +++ b/apparmor.d/profiles-s-z/vlc @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vlc-cache-gen b/apparmor.d/profiles-s-z/vlc-cache-gen index b464f1712..1c089b0f8 100644 --- a/apparmor.d/profiles-s-z/vlc-cache-gen +++ b/apparmor.d/profiles-s-z/vlc-cache-gen @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vnstat b/apparmor.d/profiles-s-z/vnstat index 25bdcfb1b..b780eb8d1 100644 --- a/apparmor.d/profiles-s-z/vnstat +++ b/apparmor.d/profiles-s-z/vnstat @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vnstatd b/apparmor.d/profiles-s-z/vnstatd index c37c8b6d7..1270ecf42 100644 --- a/apparmor.d/profiles-s-z/vnstatd +++ b/apparmor.d/profiles-s-z/vnstatd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/volumeicon b/apparmor.d/profiles-s-z/volumeicon index c58381d7d..e354c3cbd 100644 --- a/apparmor.d/profiles-s-z/volumeicon +++ b/apparmor.d/profiles-s-z/volumeicon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/vsftpd b/apparmor.d/profiles-s-z/vsftpd index aa45b805e..2b6af3561 100644 --- a/apparmor.d/profiles-s-z/vsftpd +++ b/apparmor.d/profiles-s-z/vsftpd 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/w b/apparmor.d/profiles-s-z/w index a3fc8c9e3..3745015c1 100644 --- a/apparmor.d/profiles-s-z/w +++ b/apparmor.d/profiles-s-z/w @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/w3m b/apparmor.d/profiles-s-z/w3m index b4601147a..1a0e33418 100644 --- a/apparmor.d/profiles-s-z/w3m +++ b/apparmor.d/profiles-s-z/w3m @@ -3,7 +3,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wavemon b/apparmor.d/profiles-s-z/wavemon index 9ec082580..6c2fee4df 100644 --- a/apparmor.d/profiles-s-z/wavemon +++ b/apparmor.d/profiles-s-z/wavemon @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/waybar b/apparmor.d/profiles-s-z/waybar index 3646a616d..8499a1ad6 100644 --- a/apparmor.d/profiles-s-z/waybar +++ b/apparmor.d/profiles-s-z/waybar @@ -3,7 +3,7 @@ # Copyright (C) 2024 odomingao # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index e684e157f..493a940af 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -2,7 +2,7 @@ # Copyright (C) 2024 EricLin # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index e866b5e51..39862913c 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -2,7 +2,7 @@ # Copyright (C) 2024 EricLin # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/whatis b/apparmor.d/profiles-s-z/whatis index e99900304..43fa8ff09 100644 --- a/apparmor.d/profiles-s-z/whatis +++ b/apparmor.d/profiles-s-z/whatis @@ -3,7 +3,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/whdd b/apparmor.d/profiles-s-z/whdd index e5e111b8b..cc4ae2959 100644 --- a/apparmor.d/profiles-s-z/whdd +++ b/apparmor.d/profiles-s-z/whdd @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/whereis b/apparmor.d/profiles-s-z/whereis index 4a1293c0a..32d4ffa51 100644 --- a/apparmor.d/profiles-s-z/whereis +++ b/apparmor.d/profiles-s-z/whereis @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index 32d0945e1..855db3f4b 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/whiptail b/apparmor.d/profiles-s-z/whiptail index f2339717a..a7b98ebee 100644 --- a/apparmor.d/profiles-s-z/whiptail +++ b/apparmor.d/profiles-s-z/whiptail @@ -3,7 +3,7 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/who b/apparmor.d/profiles-s-z/who index 54b4375b2..3da07f89d 100644 --- a/apparmor.d/profiles-s-z/who +++ b/apparmor.d/profiles-s-z/who @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/whoami b/apparmor.d/profiles-s-z/whoami index 3072d7da0..3fc9e26b4 100644 --- a/apparmor.d/profiles-s-z/whoami +++ b/apparmor.d/profiles-s-z/whoami 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wireplumber b/apparmor.d/profiles-s-z/wireplumber index eadb669cd..87b4e27ca 100644 --- a/apparmor.d/profiles-s-z/wireplumber +++ b/apparmor.d/profiles-s-z/wireplumber @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wireshark b/apparmor.d/profiles-s-z/wireshark index ed8fd0efa..c29543d6b 100644 --- a/apparmor.d/profiles-s-z/wireshark +++ b/apparmor.d/profiles-s-z/wireshark @@ -4,7 +4,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wl-copy b/apparmor.d/profiles-s-z/wl-copy index a71e4cbd9..1b4ae7501 100644 --- a/apparmor.d/profiles-s-z/wl-copy +++ b/apparmor.d/profiles-s-z/wl-copy @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wmctrl b/apparmor.d/profiles-s-z/wmctrl index 47a17669d..51feb0071 100644 --- a/apparmor.d/profiles-s-z/wmctrl +++ b/apparmor.d/profiles-s-z/wmctrl @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wpa-action b/apparmor.d/profiles-s-z/wpa-action index 3495849e7..136caa781 100644 --- a/apparmor.d/profiles-s-z/wpa-action +++ b/apparmor.d/profiles-s-z/wpa-action @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wpa-cli b/apparmor.d/profiles-s-z/wpa-cli index 5edd2f177..c9987fa01 100644 --- a/apparmor.d/profiles-s-z/wpa-cli +++ b/apparmor.d/profiles-s-z/wpa-cli 
@@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wpa-gui b/apparmor.d/profiles-s-z/wpa-gui index 3a729a989..fd10713cc 100644 --- a/apparmor.d/profiles-s-z/wpa-gui +++ b/apparmor.d/profiles-s-z/wpa-gui @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index f3da61258..23f77f840 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wrmsr b/apparmor.d/profiles-s-z/wrmsr index 1ee5bd806..7de522fc8 100644 --- a/apparmor.d/profiles-s-z/wrmsr +++ b/apparmor.d/profiles-s-z/wrmsr @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/wsdd b/apparmor.d/profiles-s-z/wsdd index 56a852d11..22713e3bf 100644 --- a/apparmor.d/profiles-s-z/wsdd +++ b/apparmor.d/profiles-s-z/wsdd @@ -2,7 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index a5ec89fd9..514ea5c36 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xauth b/apparmor.d/profiles-s-z/xauth index c5e741b8f..e1a4199db 100644 --- a/apparmor.d/profiles-s-z/xauth +++ b/apparmor.d/profiles-s-z/xauth @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/xautolock b/apparmor.d/profiles-s-z/xautolock index 89de67bd1..cb9426583 100644 --- a/apparmor.d/profiles-s-z/xautolock +++ b/apparmor.d/profiles-s-z/xautolock @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xbacklight b/apparmor.d/profiles-s-z/xbacklight index 19eb4a9f3..b2be0446b 100644 --- a/apparmor.d/profiles-s-z/xbacklight +++ b/apparmor.d/profiles-s-z/xbacklight @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index dc30114bd..35006d46b 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xclip b/apparmor.d/profiles-s-z/xclip index 9f82aff64..cdb68ed70 100644 --- a/apparmor.d/profiles-s-z/xclip +++ b/apparmor.d/profiles-s-z/xclip @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xdpyinfo b/apparmor.d/profiles-s-z/xdpyinfo index 902905d09..169851550 100644 --- a/apparmor.d/profiles-s-z/xdpyinfo +++ b/apparmor.d/profiles-s-z/xdpyinfo @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xinit b/apparmor.d/profiles-s-z/xinit index 521a182ba..0801ac188 100644 --- a/apparmor.d/profiles-s-z/xinit +++ b/apparmor.d/profiles-s-z/xinit @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xinput b/apparmor.d/profiles-s-z/xinput index 18eab6a78..c88210cca 100644 
--- a/apparmor.d/profiles-s-z/xinput +++ b/apparmor.d/profiles-s-z/xinput @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xsane-gimp b/apparmor.d/profiles-s-z/xsane-gimp index 1ae25a35e..41ac0b973 100644 --- a/apparmor.d/profiles-s-z/xsane-gimp +++ b/apparmor.d/profiles-s-z/xsane-gimp @@ -2,7 +2,7 @@ # Copyright (C) 2024 Roman Beslik # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/xsel b/apparmor.d/profiles-s-z/xsel index 5f97c83f3..05b93fed9 100644 --- a/apparmor.d/profiles-s-z/xsel +++ b/apparmor.d/profiles-s-z/xsel @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/youtube-dl b/apparmor.d/profiles-s-z/youtube-dl index 85da6bfe0..781e24768 100644 --- a/apparmor.d/profiles-s-z/youtube-dl +++ b/apparmor.d/profiles-s-z/youtube-dl @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index 1c405e8fe..ac8e8f215 100644 --- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/yt-dlp b/apparmor.d/profiles-s-z/yt-dlp index c71b87efd..551a8edf4 100644 --- a/apparmor.d/profiles-s-z/yt-dlp +++ b/apparmor.d/profiles-s-z/yt-dlp @@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/ytdl b/apparmor.d/profiles-s-z/ytdl index 230e15f80..81ccfc284 100644 --- a/apparmor.d/profiles-s-z/ytdl +++ b/apparmor.d/profiles-s-z/ytdl 
@@ -3,7 +3,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/zathura b/apparmor.d/profiles-s-z/zathura index d45ad5f1e..5d0d1a745 100644 --- a/apparmor.d/profiles-s-z/zathura +++ b/apparmor.d/profiles-s-z/zathura @@ -2,7 +2,7 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/zed b/apparmor.d/profiles-s-z/zed index c966ce839..048f2410c 100644 --- a/apparmor.d/profiles-s-z/zed +++ b/apparmor.d/profiles-s-z/zed @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/zenmap b/apparmor.d/profiles-s-z/zenmap index bc4090be8..59a8d772e 100644 --- a/apparmor.d/profiles-s-z/zenmap +++ b/apparmor.d/profiles-s-z/zenmap @@ -3,7 +3,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/zfs b/apparmor.d/profiles-s-z/zfs index 9538b9c13..9ba71f45b 100644 --- a/apparmor.d/profiles-s-z/zfs +++ b/apparmor.d/profiles-s-z/zfs @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/zpool b/apparmor.d/profiles-s-z/zpool index 7d12cf3b7..2cb997fd7 100644 --- a/apparmor.d/profiles-s-z/zpool +++ b/apparmor.d/profiles-s-z/zpool @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/apparmor.d/profiles-s-z/zsys-system-autosnapshot b/apparmor.d/profiles-s-z/zsys-system-autosnapshot index 653690898..cbf48ba4f 100644 --- a/apparmor.d/profiles-s-z/zsys-system-autosnapshot +++ b/apparmor.d/profiles-s-z/zsys-system-autosnapshot @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include 
diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd index eabe2d62c..30a17a6ad 100644 --- a/apparmor.d/profiles-s-z/zsysd +++ b/apparmor.d/profiles-s-z/zsysd @@ -2,7 +2,7 @@ # Copyright (C) 2022 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include diff --git a/dists/ubuntu/abstractions/trash b/dists/ubuntu/abstractions/trash index aab16b92c..d9ad01221 100644 --- a/dists/ubuntu/abstractions/trash +++ b/dists/ubuntu/abstractions/trash @@ -1,4 +1,4 @@ -abi , +abi , # requires diff --git a/docs/development/workflow.md b/docs/development/workflow.md index 7455d97c7..a1631e3d8 100644 --- a/docs/development/workflow.md +++ b/docs/development/workflow.md @@ -39,7 +39,7 @@ title: Workflow # Copyright (C) 2024 You # SPDX-License-Identifier: GPL-2.0-only -abi , +abi , include From d6b7bef89ea833cc86835899699c68322d8098f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Oct 2024 14:19:26 +0100 Subject: [PATCH 223/315] feat(profile): enable abi 4 rules by default. --- apparmor.d/abstractions/app/chromium | 2 +- apparmor.d/abstractions/app/firefox | 2 +- apparmor.d/abstractions/common/bwrap | 2 +- apparmor.d/abstractions/common/chromium | 2 +- apparmor.d/abstractions/common/electron | 2 +- apparmor.d/groups/gnome/nautilus | 2 +- apparmor.d/groups/kde/plasmashell | 2 +- apparmor.d/groups/systemd/systemd-coredump | 2 +- apparmor.d/groups/systemd/systemd-logind | 2 +- apparmor.d/groups/ubuntu/package-system-locked | 2 +- apparmor.d/groups/virt/virtiofsd | 2 +- apparmor.d/profiles-a-f/flatpak | 2 +- apparmor.d/profiles-g-l/lvm | 2 +- 13 files changed, 13 insertions(+), 13 deletions(-) diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 0aa8f5ef1..81d37113d 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -43,7 +43,7 @@ include include - # userns, + userns, capability setgid, capability setuid, 
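Review bot: The newly unconditional `userns,` line carries no comment explaining why this abstraction needs user-namespace creation or that it is an abi/4.0 rule which the `abi3` builder comments back out for AppArmor 3 targets; the same applies to the matching hunks in abstractions/app/firefox, abstractions/common/bwrap, abstractions/common/chromium, abstractions/common/electron, groups/kde/plasmashell, groups/systemd/systemd-coredump, groups/virt/virtiofsd and profiles-a-f/flatpak, and to the `mqueue r type=posix /,` lines in nautilus, systemd-logind, package-system-locked and lvm. Since `userns,` widens what a confined process may do, a one-line comment above each such as `# abi/4.0 rule, commented out by the abi3 builder on AppArmor 3 targets` would record both the rationale and the coupling to the build step for profile authors. The adjacent capability lines in the firefox and chromium abstractions already document the sysctl they depend on, so the added rule is the only undocumented one in these blocks.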
diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 23a91593f..c94ef8476 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -30,7 +30,7 @@ include include - # userns, + userns, capability sys_admin, # If kernel.unprivileged_userns_clone = 1 capability sys_chroot, # If kernel.unprivileged_userns_clone = 1 diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index a73626bb1..711117f6d 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -7,7 +7,7 @@ # - the flag: attach_disconnected # - bwrap execution: '@{bin}/bwrap rix,' - # userns, + userns, capability net_admin, capability setpcap, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index 28effd768..cad07669a 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium @@ -6,7 +6,7 @@ # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/chromium instead. - # userns, + userns, capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 9cf480718..da792131d 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -18,7 +18,7 @@ include include - # userns, + userns, capability setgid, # If kernel.unprivileged_userns_clone = 1 capability setuid, # If kernel.unprivileged_userns_clone = 1 diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index ccaf5d6f7..e4990a3e3 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
@@ -26,7 +26,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { include include - # mqueue r type=posix /, + mqueue r type=posix /, #aa:dbus own bus=session name=org.gnome.Nautilus interface=org.gtk.{Application,Actions} #aa:dbus own bus=session name=org.freedesktop.FileManager1 diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 89e0dfeae..a7bde918e 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -28,7 +28,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { include include - # userns, + userns, capability sys_ptrace, diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump index 8c90be6f6..2e841dc51 100644 --- a/apparmor.d/groups/systemd/systemd-coredump +++ b/apparmor.d/groups/systemd/systemd-coredump @@ -13,7 +13,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted include include - # userns, + userns, capability dac_override, capability dac_read_search, diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind index f4628c019..53dd0acf8 100644 --- a/apparmor.d/groups/systemd/systemd-logind +++ b/apparmor.d/groups/systemd/systemd-logind @@ -27,7 +27,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) { network netlink raw, - # mqueue r type=posix /, + mqueue r type=posix /, unix (bind) type=stream addr=@@{hex16}/bus/systemd-logind/system, diff --git a/apparmor.d/groups/ubuntu/package-system-locked b/apparmor.d/groups/ubuntu/package-system-locked index f4e040975..7398fc404 100644 --- a/apparmor.d/groups/ubuntu/package-system-locked +++ b/apparmor.d/groups/ubuntu/package-system-locked @@ -17,7 +17,7 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) { network inet dgram, network inet6 dgram, - # mqueue r type=posix /, + mqueue r type=posix /, ptrace (read), 
diff --git a/apparmor.d/groups/virt/virtiofsd b/apparmor.d/groups/virt/virtiofsd index 7389119b8..905e2c170 100644 --- a/apparmor.d/groups/virt/virtiofsd +++ b/apparmor.d/groups/virt/virtiofsd @@ -10,7 +10,7 @@ include profile virtiofsd @{exec_path} { include - # userns, + userns, capability chown, capability dac_override, diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index 05873c4e2..b38a03537 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -18,7 +18,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain include include - # userns, + userns, capability dac_override, capability dac_read_search, diff --git a/apparmor.d/profiles-g-l/lvm b/apparmor.d/profiles-g-l/lvm index e579d7a91..cff4ce186 100644 --- a/apparmor.d/profiles-g-l/lvm +++ b/apparmor.d/profiles-g-l/lvm @@ -23,7 +23,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) { ptrace (read), - # mqueue r type=posix /, + mqueue r type=posix /, @{exec_path} rm, From 59ac54e2fcb069c39242306f206f6aaeb3c665a9 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 2 Oct 2024 16:22:46 +0100 Subject: [PATCH 224/315] build: reorganise build: abi4, fallback, prebuild cli - ABI4 by default, fallback to abi 3. - aa-prebuild cli that can be used by other project shipping profiles. - --file option to cli to only build one dev profile. - add abi version filter to only & exclude directives. --- cmd/prebuild/main.go | 120 +++++------- cmd/prebuild/main_test.go | 61 ++---- docs/development/directives.md | 1 + pkg/prebuild/builder/abi.go | 14 +- pkg/prebuild/builder/complain.go | 6 +- pkg/prebuild/builder/core.go | 4 +- pkg/prebuild/builder/core_test.go | 16 +- pkg/prebuild/builder/dev.go | 6 +- pkg/prebuild/builder/enforce.go | 6 +- pkg/prebuild/builder/fsp.go | 6 +- pkg/prebuild/builder/userspace.go | 10 +- pkg/prebuild/cli/cli.go | 181 ++++++++++++++++++ .../{prebuild_test.go => cli/cli_test.go} | 29 ++- pkg/prebuild/{cfg => }/core.go | 12 +- pkg/prebuild/{cfg => }/core_test.go | 5 +- pkg/prebuild/directive/core.go | 14 +- pkg/prebuild/directive/dbus.go | 6 +- pkg/prebuild/directive/exec.go | 8 +- pkg/prebuild/directive/exec_test.go | 4 +- pkg/prebuild/directive/filter.go | 17 +- pkg/prebuild/directive/filter_test.go | 10 +- pkg/prebuild/directive/stack.go | 8 +- pkg/prebuild/directive/stack_test.go | 4 +- pkg/prebuild/{cfg => }/directories.go | 10 +- pkg/prebuild/{cfg => }/files.go | 35 +--- pkg/prebuild/{cfg => }/files_test.go | 2 +- pkg/prebuild/{cfg => }/os.go | 2 +- pkg/prebuild/{cfg => }/os_test.go | 2 +- pkg/prebuild/prebuild.go | 117 ----------- pkg/prebuild/prepare/configure.go | 71 +++++-- pkg/prebuild/prepare/core.go | 4 +- pkg/prebuild/prepare/core_test.go | 14 +- pkg/prebuild/prepare/flags.go | 14 +- pkg/prebuild/prepare/fsp.go | 14 +- pkg/prebuild/prepare/ignore.go | 16 +- pkg/prebuild/prepare/merge.go | 12 +- pkg/prebuild/prepare/synchronise.go | 30 ++- pkg/prebuild/prepare/systemd.go | 14 +- tests/cmd/main.go | 8 +- 39 files changed, 473 insertions(+), 440 deletions(-) create mode 
100644 pkg/prebuild/cli/cli.go rename pkg/prebuild/{prebuild_test.go => cli/cli_test.go} (79%) rename pkg/prebuild/{cfg => }/core.go (73%) rename pkg/prebuild/{cfg => }/core_test.go (90%) rename pkg/prebuild/{cfg => }/directories.go (83%) rename pkg/prebuild/{cfg => }/files.go (63%) rename pkg/prebuild/{cfg => }/files_test.go (99%) rename pkg/prebuild/{cfg => }/os.go (99%) rename pkg/prebuild/{cfg => }/os_test.go (99%) delete mode 100644 pkg/prebuild/prebuild.go diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index d909cc818..6b2b2422f 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go 
@@ -5,92 +5,66 @@ package main import ( - "flag" - "fmt" - "os" + "slices" - "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" + "github.com/roddhjav/apparmor.d/pkg/prebuild/cli" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) -const usage = `prebuild [-h] [--full] [--complain | --enforce] - - Prebuild apparmor.d profiles for a given distribution and apply - internal built-in directives. - -Options: - -h, --help Show this help message and exit. - -f, --full Set AppArmor for full system policy. - -c, --complain Set complain flag on all profiles. - -e, --enforce Set enforce flag on all profiles. - --abi4 Convert the profiles to Apparmor abi/4.0. - -` - -var ( - help bool - full bool - complain bool - enforce bool - abi4 bool -) - func init() { - flag.BoolVar(&help, "h", false, "Show this help message and exit.") - flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") - flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") - flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") - flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") - flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") - flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") - flag.BoolVar(&abi4, "abi4", false, "Convert the profiles to Apparmor abi/4.0.") -} + // Define the tasks applied by default + prepare.Register( + "synchronise", + "ignore", + "merge", + "configure", + "setflags", + "systemd-default", + ) -func aaPrebuild() error { - logging.Step("Building apparmor.d profiles for %s.", cfg.Distribution) + // Build tasks applied by default + builder.Register( + "userspace", // Resolve 
variable in the userspace profile + "dev", // Temporary fix for #74, #80 & #235 + ) - if full { - prepare.Register("fsp") - builder.Register("fsp") - } else { - prepare.Register("systemd-early") + // Compatibility with AppArmor 3 + switch prebuild.Distribution { + case "arch": + prebuild.ABI = 3 + + case "ubuntu": + if !slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"]) { + prebuild.ABI = 3 + } + + case "debian": + prebuild.ABI = 3 + + case "whonix": + prebuild.ABI = 3 + + // Hide rewrittem Whonix profiles + prebuild.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure + /etc/apparmor.d/home.tor-browser.firefox + /etc/apparmor.d/tunables/homsanitycheck + /etc/apparmor.d/usr.bin.url_e.d/anondist + /etc/apparmor.d/tunables/home.d/live-mode + /etc/apparmor.d/tunables/home.d/qubes-whonix-anondist + /etc/apparmor.d/usr.bin.hexchat + /etc/apparmor.d/usr.bin.sdwdate + /etc/apparmor.d/usr.bin.systemcheck + /etc/apparmor.d/usr.bin.timeto_unixtime + /etc/apparmor.d/whonix-firewall + ` } - - if complain { - builder.Register("complain") - } else if enforce { - builder.Register("enforce") - } - - if abi4 { + if prebuild.ABI == 3 { builder.Register("abi3") } - - if err := prebuild.Prepare(); err != nil { - return err - } - return prebuild.Build() } func main() { - flag.Usage = func() { - fmt.Printf("%s%s\n%s\n%s", usage, - cfg.Help("Prepare", prepare.Tasks), - cfg.Help("Build", builder.Builders), - cfg.Usage("Directives", directive.Directives), - ) - } - flag.Parse() - if help { - flag.Usage() - os.Exit(0) - } - if err := aaPrebuild(); err != nil { - logging.Fatal("%s", err.Error()) - } + cli.Prebuild() } diff --git a/cmd/prebuild/main_test.go b/cmd/prebuild/main_test.go index 8e80c3ab3..d3c28f025 100644 --- a/cmd/prebuild/main_test.go +++ b/cmd/prebuild/main_test.go 
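Review bot: The raw string appended to `prebuild.Hide` in the `whonix` case spans several source lines, so every path after the first carries the block's leading indentation inside the string; whether that matters depends on how `Hide` is split and trimmed by its consumer, which is not visible here, but a `strings.Join` of a `[]string` (or trimming each line at the consumer) would remove the doubt. The comment above it reads `// Hide rewrittem Whonix profiles` and should be `// Hide rewritten Whonix profiles`. `!slices.Contains([]string{"noble"}, prebuild.Release["VERSION_CODENAME"])` is a one-element membership test and reads more directly as `prebuild.Release["VERSION_CODENAME"] != "noble"` unless more releases are expected to be added. The ABI decision now lives in `init()`, so it is fixed from the host distribution before any caller (including tests) can set `prebuild.Distribution`; a short comment on the `switch` saying so would help.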
@@ -9,9 +9,7 @@ import ( "os/exec" "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func chdirGitRoot() { @@ -26,64 +24,33 @@ func chdirGitRoot() { } } -func Test_AAPrebuild(t *testing.T) { +func Test_main(t *testing.T) { tests := []struct { - name string - wantErr bool - full bool - complain bool - dist string + name string + dist string }{ { - name: "Build for Archlinux", - wantErr: false, - full: false, - complain: true, - dist: "arch", + name: "Build for Archlinux", + dist: "arch", }, { - name: "Build for Ubuntu", - wantErr: false, - full: true, - complain: false, - dist: "ubuntu", + name: "Build for Ubuntu", + dist: "ubuntu", }, { - name: "Build for Debian", - wantErr: false, - full: true, - complain: false, - dist: "debian", + name: "Build for Debian", + dist: "debian", }, { - name: "Build for OpenSUSE Tumbleweed", - wantErr: false, - full: true, - complain: true, - dist: "opensuse", + name: "Build for OpenSUSE Tumbleweed", + dist: "opensuse", }, - // { - // name: "Build for Fedora", - // wantErr: true, - // full: false, - // complain: false, - // dist: "fedora", - // }, } chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.Distribution = tt.dist - if tt.full { - prepare.Register("fsp") - builder.Register("fsp") - } - if tt.complain { - builder.Register("complain") - } - if err := aaPrebuild(); (err != nil) != tt.wantErr { - t.Errorf("aaPrebuild() error = %v, wantErr %v", err, tt.wantErr) - } + prebuild.Distribution = tt.dist + main() }) } } diff --git a/docs/development/directives.md b/docs/development/directives.md index 7263b4910..8897f9519 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md 
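Review bot: `Test_main` sets `prebuild.Distribution = tt.dist` only after `init()` in main.go has already chosen `prebuild.ABI` and registered the `abi3` builder from the host's distribution, so the per-distribution ABI fallback this commit introduces is never exercised by these cases. The test also calls `main()`, which goes through `cli.Prebuild()` and reports failures with `logging.Fatal`; if that terminates the process, a failing build aborts the whole test binary instead of being reported through `t`, which is what the dropped `wantErr` assertion used to do. Consider resetting the task lists and calling `cli.Prepare()`/`cli.Build()` directly, as cli_test.go does, and keeping an error expectation per case. Calling `main()` once per subtest also re-runs `prepare.Register("systemd-early")` on every iteration unless `Register` deduplicates.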
@@ -40,6 +40,7 @@ The `only` and `exclude` directives can be used to filter individual rule or rul - A supported target distribution: `arch`, `debian`, `ubuntu`, `opensuse`, `whonix`. - A supported distribution family: `apt`, `pacman`, `zypper`. + - A supported ABI: `abi3`, `abi4`. **Example** diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 72b3943d3..4e74a5411 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -5,25 +5,25 @@ package builder import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) var ( - regAbi4To3 = util.ToRegexRepl([]string{ // Currently Abi3 -> Abi4 - `abi/3.0`, `abi/4.0`, - `# userns,`, `userns,`, - `# mqueue`, `mqueue`, + regAbi4To3 = util.ToRegexRepl([]string{ + `abi/4.0`, `abi/3.0`, + `userns,`, `# userns,`, + `mqueue`, `# mqueue`, }) ) type ABI3 struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&ABI3{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "abi3", Msg: "Convert all profiles from abi 4.0 to abi 3.0", }, diff --git a/pkg/prebuild/builder/complain.go b/pkg/prebuild/builder/complain.go index 68dcc9f48..dbd9b3478 100644 --- a/pkg/prebuild/builder/complain.go +++ b/pkg/prebuild/builder/complain.go @@ -9,7 +9,7 @@ import ( "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( @@ -18,12 +18,12 @@ var ( ) type Complain struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&Complain{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "complain", Msg: "Set complain flag on all profiles", }, diff --git a/pkg/prebuild/builder/core.go b/pkg/prebuild/builder/core.go index 64046721f..b45075e15 100644 --- a/pkg/prebuild/builder/core.go +++ b/pkg/prebuild/builder/core.go 
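Review bot: The new `regAbi4To3` pairs `userns,` → `# userns,` and `mqueue` → `# mqueue` are bare substrings; unless `util.ToRegexRepl` anchors them, `mqueue` also matches inside a path rule (a constructed example: `/dev/mqueue/ r,` would become `/dev/# mqueue/ r,`) and a line that is already `# userns,` would become `# # userns,`. Anchoring to the start of a rule line, e.g. `^(\s*)userns,` with replacement `$1# userns,` and `^(\s*)mqueue ` with `$1# mqueue ` (in whatever replacement syntax the helper expects), limits the rewrite to the intended rules. The direction comment removed from the `var` block was useful; a replacement such as `// abi/4.0 -> abi/3.0: comment out rules the AppArmor 3 parser does not understand` keeps the intent documented now that the mapping has been reversed.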
@@ -8,7 +8,7 @@ import ( "fmt" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( @@ -21,7 +21,7 @@ var ( // Main directive interface type Builder interface { - cfg.BaseInterface + prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) } diff --git a/pkg/prebuild/builder/core_test.go b/pkg/prebuild/builder/core_test.go index 597832b91..5a1a39da0 100644 --- a/pkg/prebuild/builder/core_test.go +++ b/pkg/prebuild/builder/core_test.go @@ -8,7 +8,7 @@ import ( "slices" "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestBuilder_Apply(t *testing.T) { @@ -23,17 +23,17 @@ func TestBuilder_Apply(t *testing.T) { name: "abi3", b: Builders["abi3"], profile: ` - abi , - profile test { - # userns, - # mqueue r type=posix /, - }`, - want: ` abi , profile test { userns, mqueue r type=posix /, }`, + want: ` + abi , + profile test { + # userns, + # mqueue r type=posix /, + }`, }, { name: "complain-1", @@ -234,7 +234,7 @@ func TestBuilder_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - opt := &Option{File: cfg.RootApparmord.Join(tt.name)} + opt := &Option{File: prebuild.RootApparmord.Join(tt.name)} got, err := tt.b.Apply(opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Builder.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/builder/dev.go b/pkg/prebuild/builder/dev.go index f8ebdff02..19fbe409d 100644 --- a/pkg/prebuild/builder/dev.go +++ b/pkg/prebuild/builder/dev.go @@ -5,7 +5,7 @@ package builder import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) 
@@ -19,12 +19,12 @@ var ( ) type Dev struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&Dev{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "dev", Msg: "Apply test development changes", }, diff --git a/pkg/prebuild/builder/enforce.go b/pkg/prebuild/builder/enforce.go index d453da51b..a7ce90a7a 100644 --- a/pkg/prebuild/builder/enforce.go +++ b/pkg/prebuild/builder/enforce.go @@ -8,16 +8,16 @@ import ( "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Enforce struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&Enforce{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "enforce", Msg: "All profiles have been enforced", }, diff --git a/pkg/prebuild/builder/fsp.go b/pkg/prebuild/builder/fsp.go index 003f79525..ed2285de5 100644 --- a/pkg/prebuild/builder/fsp.go +++ b/pkg/prebuild/builder/fsp.go @@ -5,7 +5,7 @@ package builder import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -16,12 +16,12 @@ var ( ) type FullSystemPolicy struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&FullSystemPolicy{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "fsp", Msg: "Prevent unconfined transitions in profile rules", }, diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index 8a7df0bc9..be5886cbd 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -10,7 +10,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) const tokATTACHMENT = "@{exec_path}" @@ -20,12 +20,12 @@ var ( ) type Userspace struct { - cfg.Base + prebuild.Base } func init() { RegisterBuilder(&Userspace{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "userspace", Msg: "Bypass userspace tools restriction", }, 
@@ -33,10 +33,10 @@ func init() { } func (b Userspace) Apply(opt *Option, profile string) (string, error) { - if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("abstractions")); ok { + if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("abstractions")); ok { return profile, nil } - if ok, _ := opt.File.IsInsideDir(cfg.RootApparmord.Join("tunables")); ok { + if ok, _ := opt.File.IsInsideDir(prebuild.RootApparmord.Join("tunables")); ok { return profile, nil } diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go new file mode 100644 index 000000000..6fd0a36f5 --- /dev/null +++ b/pkg/prebuild/cli/cli.go 
@@ -0,0 +1,181 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package cli + +import ( + "flag" + "fmt" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/logging" + "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" + "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" + "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" + "github.com/roddhjav/apparmor.d/pkg/util" +) + +const ( + nilABI uint = 0 + usage = `aa-prebuild [-h] [--complain | --enforce] [--full] [--abi 3|4] + + Prebuild apparmor.d profiles for a given distribution and apply + internal built-in directives. + +Options: + -h, --help Show this help message and exit. + -c, --complain Set complain flag on all profiles. + -e, --enforce Set enforce flag on all profiles. + -a, --abi ABI Target apparmor ABI. + -f, --full Set AppArmor for full system policy. + -F, --file Only prebuild a given file. 
+` +) + +var ( + help bool + complain bool + enforce bool + full bool + abi uint + file string +) + +func init() { + flag.BoolVar(&help, "h", false, "Show this help message and exit.") + flag.BoolVar(&help, "help", false, "Show this help message and exit.") + flag.BoolVar(&full, "f", false, "Set AppArmor for full system policy.") + flag.BoolVar(&full, "full", false, "Set AppArmor for full system policy.") + flag.BoolVar(&complain, "c", false, "Set complain flag on all profiles.") + flag.BoolVar(&complain, "complain", false, "Set complain flag on all profiles.") + flag.BoolVar(&enforce, "e", false, "Set enforce flag on all profiles.") + flag.BoolVar(&enforce, "enforce", false, "Set enforce flag on all profiles.") + flag.UintVar(&abi, "a", nilABI, "Target apparmor ABI.") + flag.UintVar(&abi, "abi", nilABI, "Target apparmor ABI.") + flag.StringVar(&file, "F", "", "Only prebuild a given file.") + flag.StringVar(&file, "file", "", "Only prebuild a given file.") +} + +func Prebuild() { + flag.Usage = func() { + fmt.Printf("%s%s\n%s\n%s", usage, + prebuild.Help("Prepare", prepare.Tasks), + prebuild.Help("Build", builder.Builders), + directive.Usage(), + ) + } + flag.Parse() + if help { + flag.Usage() + return + } + logging.Step("Building apparmor.d profiles for %s.", prebuild.Distribution) + + if full { + prepare.Register("fsp") + builder.Register("fsp") + } else { + prepare.Register("systemd-early") + } + + if complain { + builder.Register("complain") + } else if enforce { + builder.Register("enforce") + } + + switch abi { + case 3: + prebuild.ABI = 3 + builder.Register("abi3") + case 4: + prebuild.ABI = 4 + for i, b := range builder.Builds { + if b.Name() == "abi3" { + builder.Builds = append(builder.Builds[:i], builder.Builds[i+1:]...) 
+ break + } + } + case nilABI: + default: + logging.Fatal("ABI %d not supported", abi) + } + + if file != "" { + sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) + sync.Path = file + configure, _ := prepare.Tasks["configure"].(*prepare.Configure) + configure.OneFile = true + } + + if err := Prepare(); err != nil { + logging.Fatal("%s", err.Error()) + } + if err := Build(); err != nil { + logging.Fatal("%s", err.Error()) + } +} + +func Prepare() error { + for _, task := range prepare.Prepares { + msg, err := task.Apply() + if err != nil { + return err + } + if file != "" && task.Name() == "setflags" { + continue + } + logging.Success("%s", task.Message()) + logging.Indent = " " + for _, line := range msg { + if strings.Contains(line, "not found") { + logging.Warning("%s", line) + } else { + logging.Bullet("%s", line) + } + } + logging.Indent = "" + } + return nil +} + +func Build() error { + files, _ := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) + for _, file := range files { + if !file.Exist() { + continue + } + profile, err := util.ReadFile(file) + if err != nil { + return err + } + profile, err = builder.Run(file, profile) + if err != nil { + return err + } + profile, err = directive.Run(file, profile) + if err != nil { + return err + } + if err := file.WriteFile([]byte(profile)); err != nil { + return err + } + } + + logging.Success("Build tasks:") + logging.Indent = " " + for _, task := range builder.Builds { + logging.Bullet("%s", task.Message()) + } + logging.Indent = "" + logging.Success("Directives processed:") + logging.Indent = " " + for _, dir := range directive.Directives { + logging.Bullet("%s%s", directive.Keyword, dir.Name()) + } + logging.Indent = "" + return nil +} diff --git a/pkg/prebuild/prebuild_test.go b/pkg/prebuild/cli/cli_test.go similarity index 79% rename from pkg/prebuild/prebuild_test.go rename to pkg/prebuild/cli/cli_test.go index db709c315..782d81756 100644 
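Review bot: In `Prebuild()` the `--file` branch discards the type-assertion result (`sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise)` and the same for `configure`), so a missing or differently typed task yields a nil pointer and the following field assignment panics instead of producing a readable error. `Build()` likewise drops the error from `ReadDirRecursiveFiltered` with `files, _ :=`, which turns an unreadable profile tree into a silent no-op build. The usage text for `-F, --file` does not say whether the path is relative to the apparmor.d directory or absolute; since it is passed straight to `sync.Path`, that is worth one line in `usage`. A checked version of the file branch and the directory read follows.

```go
	if file != "" {
		sync, ok := prepare.Tasks["synchronise"].(*prepare.Synchronise)
		if !ok {
			logging.Fatal("prepare task %q is not registered", "synchronise")
		}
		sync.Path = file
		configure, ok := prepare.Tasks["configure"].(*prepare.Configure)
		if !ok {
			logging.Fatal("prepare task %q is not registered", "configure")
		}
		configure.OneFile = true
	}
	// … unchanged: Prepare()/Build() calls and the Prepare function …

func Build() error {
	files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories())
	if err != nil {
		return err
	}
	// … unchanged: per-file builder/directive loop and summary logging …
```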
--- a/pkg/prebuild/prebuild_test.go +++ b/pkg/prebuild/cli/cli_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2023-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package prebuild +package cli import ( "os" @@ -10,15 +10,15 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) func setTestBuildDirectories(name string) { testRoot := paths.New("/tmp/tests") - cfg.Root = testRoot.Join(name) - cfg.RootApparmord = cfg.Root.Join("apparmor.d") + prebuild.Root = testRoot.Join(name) + prebuild.RootApparmord = prebuild.Root.Join("apparmor.d") } func chdirGitRoot() { @@ -33,7 +33,7 @@ func chdirGitRoot() { } } -func Test_PreBuild(t *testing.T) { +func Test_Prebuild(t *testing.T) { tests := []struct { name string wantErr bool @@ -79,17 +79,26 @@ func Test_PreBuild(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { setTestBuildDirectories(tt.name) - cfg.Distribution = tt.dist - if tt.full { + prebuild.Distribution = tt.dist + prepare.Prepares = []prepare.Task{} + prepare.Register( + "synchronise", "ignore", "merge", + "configure", "setflags", "systemd-default", + ) + + if full { prepare.Register("fsp") builder.Register("fsp") + } else { + prepare.Register("systemd-early") } - if tt.complain { + + if complain { builder.Register("complain") - } - if tt.enforce { + } else if enforce { builder.Register("enforce") } + if err := Prepare(); (err != nil) != tt.wantErr { t.Errorf("Prepare() error = %v, wantErr %v", err, tt.wantErr) } diff --git a/pkg/prebuild/cfg/core.go b/pkg/prebuild/core.go similarity index 73% rename from pkg/prebuild/cfg/core.go rename to pkg/prebuild/core.go index 56b91ed6f..8c2410d10 100644 --- a/pkg/prebuild/cfg/core.go +++ b/pkg/prebuild/core.go 
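Review bot: The rewritten loop in `Test_Prebuild` tests the package-level flag variables `full`, `complain` and `enforce` instead of the table fields, so every case runs with the flags' zero values and the `fsp`, `complain` and `enforce` registrations are never exercised regardless of the table entry. If the struct still carries those fields (its header is cut off in this hunk), the three conditions should read `if tt.full {`, `if tt.complain {` and `} else if tt.enforce {`. Otherwise the fields should be removed so the table does not suggest coverage that no longer exists.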
@@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import "fmt" @@ -37,13 +37,3 @@ func Help[T BaseInterface](name string, tasks map[string]T) string { } return res } - -func Usage[T BaseInterface](name string, tasks map[string]T) string { - res := fmt.Sprintf("%s\n", name) - for _, t := range tasks { - for _, h := range t.Usage() { - res += fmt.Sprintf(" #aa:%s %s\n", t.Name(), h) - } - } - return res -} diff --git a/pkg/prebuild/cfg/core_test.go b/pkg/prebuild/core_test.go similarity index 90% rename from pkg/prebuild/cfg/core_test.go rename to pkg/prebuild/core_test.go index 7cde166a1..5abf0a9c1 100644 --- a/pkg/prebuild/cfg/core_test.go +++ b/pkg/prebuild/core_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "slices" @@ -57,9 +57,6 @@ func TestHelp(t *testing.T) { if got := Help(tt.name, tt.tasks); !strings.Contains(got, tt.want) { t.Errorf("Help() = %v, want %v", got, tt.want) } - if got := Usage(tt.name, tt.tasks); !strings.Contains(got, tt.want) { - t.Errorf("Usage() = %v, want %v", got, tt.want) - } }) } } diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index 0e791730f..2568cb098 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -10,7 +10,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( 
@@ -25,10 +25,20 @@ var ( // Main directive interface type Directive interface { - cfg.BaseInterface + prebuild.BaseInterface Apply(opt *Option, profile string) (string, error) } +func Usage() string { + res := fmt.Sprintf("Directive:\n") + for _, d := range Directives { + for _, h := range d.Usage() { + res += fmt.Sprintf(" %s%s %s\n", Keyword, d.Name(), h) + } + } + return res +} + // Directive options type Option struct { Name string diff --git a/pkg/prebuild/directive/dbus.go b/pkg/prebuild/directive/dbus.go index 98f5cd61c..a1135d675 100644 --- a/pkg/prebuild/directive/dbus.go +++ b/pkg/prebuild/directive/dbus.go @@ -18,7 +18,7 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var defaultInterfaces = []string{ @@ -27,12 +27,12 @@ var defaultInterfaces = []string{ } type Dbus struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&Dbus{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "dbus", Msg: "Dbus directive applied", Help: []string{ diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index 64c97e9cd..c856b7268 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go @@ -12,17 +12,17 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/aa" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) type Exec struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&Exec{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "exec", Msg: "Exec directive applied", Help: []string{"[P|U|p|u|PU|pu|] profiles..."}, 
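Review bot: The new `Usage()` starts with `fmt.Sprintf("Directive:\n")`, a format call with no arguments that `go vet` reports, and then ranges over the `Directives` map, so the help text comes out in a different order on every run. Collecting the names, sorting them and writing into a `strings.Builder` gives stable output and avoids the quadratic `+=`; `sort` (or `slices`) would need to be added to the file's import block, which is not part of this hunk. The exported function also lacks a doc comment, e.g. `// Usage returns the help text listing every registered directive and its arguments.`

```go
// Usage returns the help text listing every registered directive and its arguments.
func Usage() string {
	names := make([]string, 0, len(Directives))
	for name := range Directives {
		names = append(names, name)
	}
	sort.Strings(names) // "sort" must be imported in this file's import block
	var b strings.Builder
	b.WriteString("Directive:\n")
	for _, name := range names {
		d := Directives[name]
		for _, h := range d.Usage() {
			fmt.Fprintf(&b, " %s%s %s\n", Keyword, d.Name(), h)
		}
	}
	return b.String()
}
```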
@@ -44,7 +44,7 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules := aa.Rules{} for name := range opt.ArgMap { - profiletoTransition := util.MustReadFile(cfg.RootApparmord.Join(name)) + profiletoTransition := util.MustReadFile(prebuild.RootApparmord.Join(name)) dstProfile := aa.DefaultTunables() if _, err := dstProfile.Parse(profiletoTransition); err != nil { return "", err diff --git a/pkg/prebuild/directive/exec_test.go b/pkg/prebuild/directive/exec_test.go index c6d4e32a7..5581d7f2b 100644 --- a/pkg/prebuild/directive/exec_test.go +++ b/pkg/prebuild/directive/exec_test.go @@ -8,7 +8,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestExec_Apply(t *testing.T) { @@ -51,7 +51,7 @@ func TestExec_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.RootApparmord = tt.rootApparmord + prebuild.RootApparmord = tt.rootApparmord got, err := Directives["exec"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Exec.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/filter.go b/pkg/prebuild/directive/filter.go index 1aa2e1c76..2fe46e6f2 100644 --- a/pkg/prebuild/directive/filter.go +++ b/pkg/prebuild/directive/filter.go @@ -5,31 +5,32 @@ package directive import ( + "fmt" "regexp" "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type FilterOnly struct { - cfg.Base + prebuild.Base } type FilterExclude struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&FilterOnly{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "only", Msg: "Only directive applied", Help: []string{"filters..."}, }, }) RegisterDirective(&FilterExclude{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "exclude", Msg: "Exclude directive applied", Help: []string{"filters..."}, 
@@ -38,7 +39,11 @@ func init() { } func filterRuleForUs(opt *Option) bool { - return slices.Contains(opt.ArgList, cfg.Distribution) || slices.Contains(opt.ArgList, cfg.Family) + abiStr := fmt.Sprintf("abi%d", prebuild.ABI) + if slices.Contains(opt.ArgList, abiStr) { + return true + } + return slices.Contains(opt.ArgList, prebuild.Distribution) || slices.Contains(opt.ArgList, prebuild.Family) } func filter(only bool, opt *Option, profile string) (string, error) { diff --git a/pkg/prebuild/directive/filter_test.go b/pkg/prebuild/directive/filter_test.go index 465ba50a5..ebbd5ef5c 100644 --- a/pkg/prebuild/directive/filter_test.go +++ b/pkg/prebuild/directive/filter_test.go @@ -7,7 +7,7 @@ package directive import ( "testing" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestFilterOnly_Apply(t *testing.T) { @@ -78,8 +78,8 @@ func TestFilterOnly_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.Distribution = tt.dist - cfg.Family = tt.family + prebuild.Distribution = tt.dist + prebuild.Family = tt.family got, err := Directives["only"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterOnly.Apply() error = %v, wantErr %v", err, tt.wantErr) @@ -133,8 +133,8 @@ func TestFilterExclude_Apply(t *testing.T) { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.Distribution = tt.dist - cfg.Family = tt.family + prebuild.Distribution = tt.dist + prebuild.Family = tt.family got, err := Directives["exclude"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("FilterExclude.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index c673a1701..707405362 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go 
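Review bot: `filterRuleForUs` now matches an `abiN` token built from `prebuild.ABI`, but that variable is introduced in this same series as `ABI uint = 0`, so until something assigns it the selector is `abi0` and every `#aa:only abi3` / `#aa:only abi4` rule is silently dropped while every `#aa:exclude abiN` rule is kept. A comment at the top of the function would make the precondition visible: `// prebuild.ABI must be set (3 or 4) before directives run; the zero value yields "abi0", which matches no filter.` The filter_test.go hunks below only rename `cfg` to `prebuild` and never assign `prebuild.ABI`, so the new selector is untested; a case with `prebuild.ABI = 4` and `ArgList: []string{"abi4"}` for both `only` and `exclude` would cover it.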
@@ -10,7 +10,7 @@ import ( "slices" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -25,12 +25,12 @@ var ( ) type Stack struct { - cfg.Base + prebuild.Base } func init() { RegisterDirective(&Stack{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "stack", Msg: "Stack directive applied", Help: []string{"[X] profiles..."}, @@ -55,7 +55,7 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - stackedProfile := util.MustReadFile(cfg.RootApparmord.Join(name)) + stackedProfile := util.MustReadFile(prebuild.RootApparmord.Join(name)) m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { return "", fmt.Errorf("No profile found in %s", name) diff --git a/pkg/prebuild/directive/stack_test.go b/pkg/prebuild/directive/stack_test.go index ef603aae6..8f99d6f7a 100644 --- a/pkg/prebuild/directive/stack_test.go +++ b/pkg/prebuild/directive/stack_test.go @@ -8,7 +8,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func TestStack_Apply(t *testing.T) { @@ -68,7 +68,7 @@ profile parent @{exec_path} { } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - cfg.RootApparmord = tt.rootApparmord + prebuild.RootApparmord = tt.rootApparmord got, err := Directives["stack"].Apply(tt.opt, tt.profile) if (err != nil) != tt.wantErr { t.Errorf("Stack.Apply() error = %v, wantErr %v", err, tt.wantErr) diff --git a/pkg/prebuild/cfg/directories.go b/pkg/prebuild/directories.go similarity index 83% rename from pkg/prebuild/cfg/directories.go rename to pkg/prebuild/directories.go index 282aa1ad8..6fbde10be 100644 --- a/pkg/prebuild/cfg/directories.go +++ b/pkg/prebuild/directories.go 
@@ -2,11 +2,14 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import "github.com/roddhjav/apparmor.d/pkg/paths" var ( + // AppArmor ABI version + ABI uint = 0 + // Root is the root directory for the build Root *paths.Path = paths.New(".build") @@ -28,11 +31,6 @@ var ( // DebianDir is the directory where the debian specific files are stored DebianDir *paths.Path = paths.New("debian") - // AppArmor 4.0 contains several profiles that allow userns and are otherwise - // unconfined. Overwriter disables upstream profile in favor of (better) apparmor.d - // counterpart - Overwrite Overwriter = false - // DebianHide is the path to the debian/apparmor.d.hide file DebianHide = DebianHider{path: DebianDir.Join("apparmor.d.hide")} diff --git a/pkg/prebuild/cfg/files.go b/pkg/prebuild/files.go similarity index 63% rename from pkg/prebuild/cfg/files.go rename to pkg/prebuild/files.go index 6f81d25bc..d275c916d 100644 --- a/pkg/prebuild/cfg/files.go +++ b/pkg/prebuild/files.go @@ -2,11 +2,9 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( - "fmt" - "os" "strings" "github.com/roddhjav/apparmor.d/pkg/paths" 
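Review bot: The one-line comment on the new `ABI uint = 0` does not say which values are meaningful or what the zero value does, and the rest of this series keys real behaviour on it: the configure task runs the upstream-overwrite step only when `ABI == 4` and copies the ubuntu abstractions only when `ABI == 3`, and the `only`/`exclude` directives compare against `"abi%d"`. A reader should not have to find those call sites, so expand the comment along the lines of `// ABI is the AppArmor policy ABI the profiles are built for (3 or 4).` followed by `// 0 means unset: the ABI-dependent prepare steps are skipped and abiN` and `// directive filters match nothing, so callers must assign it before Prepare().`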
@@ -54,37 +52,6 @@ func (i Ignorer) Read(name string) []string { return util.MustReadFileAsLines(path) } -type Overwriter bool - -// Overwrite upstream profile: disable upstream & rename ours -func (o Overwriter) Apply() error { - const ext = ".apparmor.d" - disableDir := RootApparmord.Join("disable") - if err := disableDir.Mkdir(); err != nil { - return err - } - - path := DistDir.Join("overwrite") - if !path.Exist() { - return fmt.Errorf("%s not found", path) - } - for _, name := range util.MustReadFileAsLines(path) { - origin := RootApparmord.Join(name) - dest := RootApparmord.Join(name + ext) - if err := origin.Rename(dest); err != nil { - return err - } - originRel, err := origin.RelFrom(dest) - if err != nil { - return err - } - if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil { - return err - } - } - return nil -} - type DebianHider struct { path *paths.Path } diff --git a/pkg/prebuild/cfg/files_test.go b/pkg/prebuild/files_test.go similarity index 99% rename from pkg/prebuild/cfg/files_test.go rename to pkg/prebuild/files_test.go index b4ce13a1c..24d621fd6 100644 --- a/pkg/prebuild/cfg/files_test.go +++ b/pkg/prebuild/files_test.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "reflect" diff --git a/pkg/prebuild/cfg/os.go b/pkg/prebuild/os.go similarity index 99% rename from pkg/prebuild/cfg/os.go rename to pkg/prebuild/os.go index b742a3988..352f4e185 100644 --- a/pkg/prebuild/cfg/os.go +++ b/pkg/prebuild/os.go @@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "os" diff --git a/pkg/prebuild/cfg/os_test.go b/pkg/prebuild/os_test.go similarity index 99% rename from pkg/prebuild/cfg/os_test.go rename to pkg/prebuild/os_test.go index 44aef1074..8f9bd338f 100644 --- a/pkg/prebuild/cfg/os_test.go +++ b/pkg/prebuild/os_test.go 
@@ -2,7 +2,7 @@ // Copyright (C) 2021-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package cfg +package prebuild import ( "reflect" diff --git a/pkg/prebuild/prebuild.go b/pkg/prebuild/prebuild.go deleted file mode 100644 index 30bf5c2e6..000000000 --- a/pkg/prebuild/prebuild.go +++ /dev/null 
@@ -1,117 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package prebuild - -import ( - "strings" - - "github.com/roddhjav/apparmor.d/pkg/logging" - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" - "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" - "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" - "github.com/roddhjav/apparmor.d/pkg/util" -) - -func init() { - // Define the tasks applied by default - prepare.Register( - "synchronise", - "ignore", - "merge", - "configure", - "setflags", - "systemd-default", - ) - - // Build tasks applied by default - builder.Register("userspace") - builder.Register("dev") - - switch cfg.Distribution { - case "opensuse": - builder.Register("abi3") - cfg.Overwrite = true - - case "ubuntu": - if cfg.Release["VERSION_CODENAME"] == "noble" { - builder.Register("abi3") - cfg.Overwrite = true - } - - case "whonix": - cfg.Hide += `/etc/apparmor.d/abstractions/base.d/kicksecure -/etc/apparmor.d/home.tor-browser.firefox -/etc/apparmor.d/tunables/homsanitycheck -/etc/apparmor.d/usr.bin.url_e.d/anondist -/etc/apparmor.d/tunables/home.d/live-mode -/etc/apparmor.d/tunables/home.d/qubes-whonix-anondist -/etc/apparmor.d/usr.bin.hexchat -/etc/apparmor.d/usr.bin.sdwdate -/etc/apparmor.d/usr.bin.systemcheck -/etc/apparmor.d/usr.bin.timeto_unixtime -/etc/apparmor.d/whonix-firewall -` - } -} - -func Prepare() error { - for _, task := range prepare.Prepares { - msg, err := task.Apply() - if err != nil { - return err - } - logging.Success("%s", task.Message()) - logging.Indent = " " - for _, line := range msg { - if strings.Contains(line, "not found") { - logging.Warning("%s", line) - } else { - logging.Bullet("%s", line) - } - } - logging.Indent = "" - } - return nil -} - -func Build() error { - files, _ := 
cfg.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) - for _, file := range files { - if !file.Exist() { - continue - } - profile, err := util.ReadFile(file) - if err != nil { - return err - } - profile, err = builder.Run(file, profile) - if err != nil { - return err - } - profile, err = directive.Run(file, profile) - if err != nil { - return err - } - if err := file.WriteFile([]byte(profile)); err != nil { - return err - } - } - - logging.Success("Build tasks:") - logging.Indent = " " - for _, task := range builder.Builds { - logging.Bullet("%s", task.Message()) - } - logging.Indent = "" - logging.Success("Directives processed:") - logging.Indent = " " - for _, dir := range directive.Directives { - logging.Bullet("%s%s", directive.Keyword, dir.Name()) - } - logging.Indent = "" - return nil -} diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index df4daaeb1..6be35d3dd 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go 
@@ -6,62 +6,95 @@ package prepare import ( "fmt" + "os" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) type Configure struct { - cfg.Base + prebuild.Base + OneFile bool } func init() { RegisterTask(&Configure{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "configure", Msg: "Set distribution specificities", }, + OneFile: false, }) } func (p Configure) Apply() ([]string, error) { res := []string{} - switch cfg.Distribution { - case "arch", "opensuse": - if cfg.Overwrite { - if err := cfg.Overwrite.Apply(); err != nil { - return res, err - } + + if prebuild.ABI == 4 { + if err := OverwriteUpstreamProfile(p.OneFile); err != nil { + return res, err } + } + switch prebuild.Distribution { + case "arch", "opensuse": case "ubuntu": - if err := cfg.DebianHide.Init(); err != nil { + if err := prebuild.DebianHide.Init(); err != nil { return res, err } - if cfg.Overwrite { - if err := cfg.Overwrite.Apply(); err != nil { - return res, err - } - } else { - if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil { + if prebuild.ABI == 3 { + if err := util.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { return res, err } } case "debian", "whonix": - if err := cfg.DebianHide.Init(); err != nil { + if err := prebuild.DebianHide.Init(); err != nil { return res, err } // Copy Debian specific abstractions - if err := util.CopyTo(cfg.DistDir.Join("ubuntu"), cfg.RootApparmord); err != nil { + if err := util.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { return res, err } default: - return []string{}, fmt.Errorf("%s is not a supported distribution", cfg.Distribution) + return []string{}, fmt.Errorf("%s is not a supported distribution", prebuild.Distribution) } return res, nil } + +// Overwrite upstream profile: disable upstream & rename ours +func OverwriteUpstreamProfile(oneFile bool) error { + const ext 
= ".apparmor.d" + disableDir := prebuild.RootApparmord.Join("disable") + if err := disableDir.Mkdir(); err != nil { + return err + } + + path := prebuild.DistDir.Join("overwrite") + if !path.Exist() { + return fmt.Errorf("%s not found", path) + } + for _, name := range util.MustReadFileAsLines(path) { + origin := prebuild.RootApparmord.Join(name) + dest := prebuild.RootApparmord.Join(name + ext) + if !dest.Exist() && oneFile { + continue + } + if err := origin.Rename(dest); err != nil { + + return err + } + originRel, err := origin.RelFrom(dest) + if err != nil { + return err + } + if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil { + return err + } + } + return nil +} diff --git a/pkg/prebuild/prepare/core.go b/pkg/prebuild/prepare/core.go index 3daf19d8b..d96e21043 100644 --- a/pkg/prebuild/prepare/core.go +++ b/pkg/prebuild/prepare/core.go @@ -7,7 +7,7 @@ package prepare import ( "fmt" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) var ( @@ -20,7 +20,7 @@ var ( // Main directive interface type Task interface { - cfg.BaseInterface + prebuild.BaseInterface Apply() ([]string, error) } diff --git a/pkg/prebuild/prepare/core_test.go b/pkg/prebuild/prepare/core_test.go index 34071ff30..3c35e3e8f 100644 --- a/pkg/prebuild/prepare/core_test.go +++ b/pkg/prebuild/prepare/core_test.go @@ -11,7 +11,7 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) func chdirGitRoot() { @@ -39,7 +39,7 @@ func TestTask_Apply(t *testing.T) { name: "synchronise", task: Tasks["synchronise"], wantErr: false, - wantFiles: paths.PathList{cfg.RootApparmord.Join("/groups/_full/systemd")}, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("/groups/_full/systemd")}, }, { name: "ignore", 
@@ -51,7 +51,7 @@ func TestTask_Apply(t *testing.T) { name: "merge", task: Tasks["merge"], wantErr: false, - wantFiles: paths.PathList{cfg.RootApparmord.Join("aa-log")}, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("aa-log")}, }, { name: "configure", @@ -68,23 +68,23 @@ func TestTask_Apply(t *testing.T) { name: "systemd-default", task: Tasks["systemd-default"], wantErr: false, - wantFiles: paths.PathList{cfg.Root.Join("systemd/system/dbus.service")}, + wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/dbus.service")}, }, { name: "systemd-early", task: Tasks["systemd-early"], wantErr: false, - wantFiles: paths.PathList{cfg.Root.Join("systemd/system/pcscd.service")}, + wantFiles: paths.PathList{prebuild.Root.Join("systemd/system/pcscd.service")}, }, { name: "fsp", task: Tasks["fsp"], wantErr: false, - wantFiles: paths.PathList{cfg.RootApparmord.Join("systemd")}, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("systemd")}, }, } chdirGitRoot() - _ = cfg.Root.RemoveAll() + _ = prebuild.Root.RemoveAll() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { got, err := tt.task.Apply() diff --git a/pkg/prebuild/prepare/flags.go b/pkg/prebuild/prepare/flags.go index 4ef41ef56..23998d4d0 100644 --- a/pkg/prebuild/prepare/flags.go +++ b/pkg/prebuild/prepare/flags.go @@ -9,7 +9,7 @@ import ( "regexp" "strings" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) @@ -19,12 +19,12 @@ var ( ) type SetFlags struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&SetFlags{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "setflags", Msg: "Set flags on some profiles", }, 
@@ -33,9 +33,9 @@ func init() { func (p SetFlags) Apply() ([]string, error) { res := []string{} - for _, name := range []string{"main", cfg.Distribution} { - for profile, flags := range cfg.Flags.Read(name) { - file := cfg.RootApparmord.Join(profile) + for _, name := range []string{"main", prebuild.Distribution} { + for profile, flags := range prebuild.Flags.Read(name) { + file := prebuild.RootApparmord.Join(profile) if !file.Exist() { res = append(res, fmt.Sprintf("Profile %s not found, ignoring", profile)) continue @@ -57,7 +57,7 @@ func (p SetFlags) Apply() ([]string, error) { } } } - res = append(res, cfg.FlagDir.Join(name+".flags").String()) + res = append(res, prebuild.FlagDir.Join(name+".flags").String()) } return res, nil } diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index ac3e05045..af57ed9d7 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -8,17 +8,17 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) type FullSystemPolicy struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&FullSystemPolicy{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "fsp", Msg: "Configure AppArmor for full system policy", }, @@ -29,12 +29,12 @@ func (p FullSystemPolicy) Apply() ([]string, error) { res := []string{} // Install full system policy profiles - if err := util.CopyTo(paths.New("apparmor.d/groups/_full/"), cfg.Root.Join("apparmor.d")); err != nil { + if err := util.CopyTo(paths.New("apparmor.d/groups/_full/"), prebuild.Root.Join("apparmor.d")); err != nil { return res, err } // Set systemd profile name - path := cfg.RootApparmord.Join("tunables/multiarch.d/system") + path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") out, err := util.ReadFile(path) if err != nil { return res, err 
@@ -46,7 +46,7 @@ func (p FullSystemPolicy) Apply() ([]string, error) { } // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution - path = cfg.RootApparmord.Join("abstractions/gstreamer") + path = prebuild.RootApparmord.Join("abstractions/gstreamer") out, err = util.ReadFile(path) if err != nil { return res, err @@ -58,5 +58,5 @@ func (p FullSystemPolicy) Apply() ([]string, error) { } // Set systemd unit drop-in files - return res, util.CopyTo(cfg.SystemdDir.Join("full"), cfg.Root.Join("systemd")) + return res, util.CopyTo(prebuild.SystemdDir.Join("full"), prebuild.Root.Join("systemd")) } diff --git a/pkg/prebuild/prepare/ignore.go b/pkg/prebuild/prepare/ignore.go index 92a1498a7..2aece5174 100644 --- a/pkg/prebuild/prepare/ignore.go +++ b/pkg/prebuild/prepare/ignore.go @@ -6,16 +6,16 @@ package prepare import ( "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Ignore struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&Ignore{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "ignore", Msg: "Ignore profiles and files from:", }, @@ -24,11 +24,11 @@ func init() { func (p Ignore) Apply() ([]string, error) { res := []string{} - for _, name := range []string{"main", cfg.Distribution} { - for _, ignore := range cfg.Ignore.Read(name) { - profile := cfg.Root.Join(ignore) + for _, name := range []string{"main", prebuild.Distribution} { + for _, ignore := range prebuild.Ignore.Read(name) { + profile := prebuild.Root.Join(ignore) if profile.NotExist() { - files, err := cfg.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore)) + files, err := prebuild.RootApparmord.ReadDirRecursiveFiltered(nil, paths.FilterNames(ignore)) if err != nil { return res, err } 
@@ -43,7 +43,7 @@ func (p Ignore) Apply() ([]string, error) { } } } - res = append(res, cfg.IgnoreDir.Join(name+".ignore").String()) + res = append(res, prebuild.IgnoreDir.Join(name+".ignore").String()) } return res, nil } diff --git a/pkg/prebuild/prepare/merge.go b/pkg/prebuild/prepare/merge.go index 86a2ceade..75945b812 100644 --- a/pkg/prebuild/prepare/merge.go +++ b/pkg/prebuild/prepare/merge.go @@ -9,16 +9,16 @@ import ( "path/filepath" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" ) type Merge struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&Merge{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "merge", Msg: "Merge all profiles into a unified apparmor.d directory", }, @@ -35,18 +35,18 @@ func (p Merge) Apply() ([]string, error) { idx := 0 for idx < len(dirToMerge)-1 { dirMoved, dirRemoved := dirToMerge[idx], dirToMerge[idx+1] - files, err := filepath.Glob(cfg.RootApparmord.Join(dirMoved).String()) + files, err := filepath.Glob(prebuild.RootApparmord.Join(dirMoved).String()) if err != nil { return res, err } for _, file := range files { - err := os.Rename(file, cfg.RootApparmord.Join(filepath.Base(file)).String()) + err := os.Rename(file, prebuild.RootApparmord.Join(filepath.Base(file)).String()) if err != nil { return res, err } } - files, err = filepath.Glob(cfg.RootApparmord.Join(dirRemoved).String()) + files, err = filepath.Glob(prebuild.RootApparmord.Join(dirRemoved).String()) if err != nil { return []string{}, err } diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index e2b5dacd6..741c015c4 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go 
@@ -6,35 +6,53 @@ package prepare import ( "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) type Synchronise struct { - cfg.Base + prebuild.Base + Path string } func init() { RegisterTask(&Synchronise{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "synchronise", Msg: "Initialize a new clean apparmor.d build directory", }, + Path: "", }) } func (p Synchronise) Apply() ([]string, error) { res := []string{} - dirs := paths.PathList{cfg.RootApparmord, cfg.Root.Join("root"), cfg.Root.Join("systemd")} + dirs := paths.PathList{prebuild.RootApparmord, prebuild.Root.Join("root"), prebuild.Root.Join("systemd")} for _, dir := range dirs { if err := dir.RemoveAll(); err != nil { return res, err } } - for _, name := range []string{"apparmor.d", "root"} { - if err := util.CopyTo(paths.New(name), cfg.Root.Join(name)); err != nil { + if p.Path == "" { + for _, name := range []string{"apparmor.d", "root"} { + if err := util.CopyTo(paths.New(name), prebuild.Root.Join(name)); err != nil { + return res, err + } + } + } else { + file := paths.New(p.Path) + destination, err := file.RelFrom(paths.New("apparmor.d")) + if err != nil { return res, err } + destination = prebuild.RootApparmord.JoinPath(destination) + if err := destination.Parent().MkdirAll(); err != nil { + return res, err + } + if err := file.CopyTo(destination); err != nil { + return res, err + } + res = append(res, destination.String()) } return res, nil } diff --git a/pkg/prebuild/prepare/systemd.go b/pkg/prebuild/prepare/systemd.go index 5681783ce..cee952854 100644 --- a/pkg/prebuild/prepare/systemd.go +++ b/pkg/prebuild/prepare/systemd.go 
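Review bot: The single-file branch trusts `p.Path` completely: `file.RelFrom(paths.New("apparmor.d"))` on a path outside the tree (an absolute path or a `../` one) presumably yields a `..`-prefixed relative path, and `prebuild.RootApparmord.JoinPath(destination)` then copies the file outside the build directory. The value comes from a developer's own `--file` argument so the exposure is small, but the guard is cheap: return an error when `file.Exist()` is false or when `destination.String()` starts with `..`, e.g. `fmt.Errorf("%s is not a file inside apparmor.d/", p.Path)` (`fmt` is not imported in this file yet). The `Path` field should also carry a comment saying that in this mode nothing else reaches `RootApparmord`, because the `exec` and `stack` directives read the referenced profile with `util.MustReadFile` and will panic for any profile that uses them.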
@@ -5,27 +5,27 @@ package prepare import ( - "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" ) type SystemdDefault struct { - cfg.Base + prebuild.Base } type SystemdEarly struct { - cfg.Base + prebuild.Base } func init() { RegisterTask(&SystemdDefault{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "systemd-default", Msg: "Configure systemd unit drop in files to a profile for some units", }, }) RegisterTask(&SystemdEarly{ - Base: cfg.Base{ + Base: prebuild.Base{ Keyword: "systemd-early", Msg: "Configure systemd unit drop in files to ensure some service start after apparmor", }, @@ -33,9 +33,9 @@ func init() { } func (p SystemdDefault) Apply() ([]string, error) { - return []string{}, util.CopyTo(cfg.SystemdDir.Join("default"), cfg.Root.Join("systemd")) + return []string{}, util.CopyTo(prebuild.SystemdDir.Join("default"), prebuild.Root.Join("systemd")) } func (p SystemdEarly) Apply() ([]string, error) { - return []string{}, util.CopyTo(cfg.SystemdDir.Join("early"), cfg.Root.Join("systemd")) + return []string{}, util.CopyTo(prebuild.SystemdDir.Join("early"), prebuild.Root.Join("systemd")) } diff --git a/tests/cmd/main.go b/tests/cmd/main.go index 057994f86..b549aab34 100644 --- a/tests/cmd/main.go +++ b/tests/cmd/main.go @@ -14,7 +14,7 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" - bcfg "github.com/roddhjav/apparmor.d/pkg/prebuild/cfg" + "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/tests/integration" ) @@ -28,8 +28,8 @@ Options: -r, --run Run a predefined list of tests. -l, --list List the configured tests. -f, --file FILE Set a tests file. Default: tests/tests.yml - -d, --deps Install tests dependencies. - -D, --dryrun Do not do the action, list it. + -d, --deps Install tests dependencies. + -D, --dryrun Do not do the action, list it. ` 
@@ -123,7 +123,7 @@ func testDeps(dryRun bool) error { } deps := tSuite.GetDependencies() - switch bcfg.Distribution { + switch prebuild.Distribution { case "arch": arg := []string{"pacman", "-Sy", "--noconfirm"} arg = append(arg, deps...) From 344ccf30031baef3320f28e8c12fd97da15393c2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Oct 2024 16:44:15 +0100 Subject: [PATCH 225/315] build: set default ABI to abi4. --- cmd/prebuild/main.go | 4 ++++ pkg/prebuild/cli/cli.go | 2 +- pkg/prebuild/directive/core.go | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 6b2b2422f..629b37ed3 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -13,7 +13,11 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" ) +// Cli arguments have priority over the settings entered here func init() { + // Define the default ABI + prebuild.ABI = 4 + // Define the tasks applied by default prepare.Register( "synchronise", diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 6fd0a36f5..b82d918a7 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -72,7 +72,6 @@ func Prebuild() { flag.Usage() return } - logging.Step("Building apparmor.d profiles for %s.", prebuild.Distribution) if full { prepare.Register("fsp") @@ -111,6 +110,7 @@ func Prebuild() { configure.OneFile = true } + logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) if err := Prepare(); err != nil { logging.Fatal("%s", err.Error()) } diff --git a/pkg/prebuild/directive/core.go b/pkg/prebuild/directive/core.go index 2568cb098..aadf9294e 100644 --- a/pkg/prebuild/directive/core.go +++ b/pkg/prebuild/directive/core.go @@ -30,7 +30,7 @@ type Directive interface { } func Usage() string { - res := fmt.Sprintf("Directive:\n") + res := "Directive:\n" for _, d := range Directives { for _, h := range d.Usage() { res += fmt.Sprintf(" %s%s %s\n", Keyword, d.Name(), h) 
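Review bot: Defaulting `prebuild.ABI = 4` in `init` changes which prepare steps run for every distribution, because the configure task earlier in this series calls `OverwriteUpstreamProfile` whenever `ABI == 4` regardless of `prebuild.Distribution`, whereas the deleted `prebuild.go` only enabled the overwrite for opensuse and Ubuntu noble. Unless the CLI argument the new comment alludes to (not visible here) lowers it for debian and whonix, those builds now get the overwrite step too and will fail with `dists/overwrite not found` if that file is absent. Stating the intended per-distribution default next to the assignment, and spelling the acronym `CLI`, would make this explicit: `// Default ABI; the CLI argument overrides it for distributions still on ABI 3.`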
From 8ddaa136ba10de63f38aa2b606f738319ef53813 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Oct 2024 16:50:54 +0100 Subject: [PATCH 226/315] fix(test): update unit test result to abi 4. --- pkg/aa/apparmor_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index d7a22b5bb..19cfd5a42 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -208,7 +208,7 @@ func TestAppArmorProfileFile_Integration(t *testing.T) { &Comment{Base: Base{Comment: " Copyright (C) 2021-2024 Alexandre Pujol ", IsLineRule: true}}, &Comment{Base: Base{Comment: " SPDX-License-Identifier: GPL-2.0-only", IsLineRule: true}}, nil, - &Abi{IsMagic: true, Path: "abi/3.0"}, + &Abi{IsMagic: true, Path: "abi/4.0"}, &Include{IsMagic: true, Path: "tunables/global"}, &Variable{ Name: "exec_path", Define: true, From c5505dee8bf0b25e0b36cea48e39a79f1797d081 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Oct 2024 19:24:12 +0100 Subject: [PATCH 227/315] fix(build): abi 4 to abi 3 conversion. --- pkg/prebuild/builder/abi.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/prebuild/builder/abi.go b/pkg/prebuild/builder/abi.go index 4e74a5411..818edbb76 100644 --- a/pkg/prebuild/builder/abi.go +++ b/pkg/prebuild/builder/abi.go @@ -12,8 +12,8 @@ import ( var ( regAbi4To3 = util.ToRegexRepl([]string{ `abi/4.0`, `abi/3.0`, - `userns,`, `# userns,`, - `mqueue`, `# mqueue`, + ` userns,`, ` # userns,`, + ` mqueue`, ` # mqueue`, }) ) From 7ba556b15ce69a1f6e0e4e166760e91cea0d5a4d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Oct 2024 19:49:21 +0100 Subject: [PATCH 228/315] build: add make dev name=. --- Makefile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 88febbb5e..8057a171e 100644 --- a/Makefile +++ b/Makefile 
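Review bot: Prefixing the patterns with a single space still leaves them as substring matches, assuming `util.ToRegexRepl` builds plain regexes: a qualified rule such as `deny mqueue,` or `audit userns,`, if any profile uses one, becomes `deny # mqueue,` with a bare `deny` that the parser rejects, and a tab-indented `userns,` or a `userns create,` rule is not matched at all and still breaks the ABI 3 build. Anchoring on the start of the rule is safer: `(?m)^(\s*)(?:audit |deny )?userns\b` with replacement `${1}# userns`, and the same shape for `mqueue` (provided the helper passes multiline patterns and `$1` groups through to `ReplaceAllString`; if it does not, the helper needs that extension first).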
@@ -9,7 +9,7 @@ PKGDEST := /tmp/pkg PKGNAME := apparmor.d P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) -.PHONY: all build enforce full install local $(P) pkg dpkg rpm tests lint man docs serve clean +.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint man docs serve clean all: build @./${BUILD}/prebuild --complain @@ -71,6 +71,12 @@ $(P): done; @systemctl restart apparmor || systemctl status apparmor +name ?= +dev: + @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) + @sudo install -Dm644 ${BUILD}/${name} /etc/apparmor.d/${name} + @sudo systemctl restart apparmor || systemctl status apparmor + dist ?= archlinux package: @bash dists/docker.sh ${dist} From 3f98e86e24fa8a5f6ad6b64010c53bd2716b1cfa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Oct 2024 20:48:36 +0100 Subject: [PATCH 229/315] fix(aa-log): too much cleaning in pci path. see #505 --- pkg/logs/logs.go | 2 +- pkg/logs/logs_test.go | 20 ++++++++++++++++++++ tests/testdata/logs/audit.log | 1 + 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 67197e53c..49d680108 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -82,7 +82,7 @@ var ( `/sys/`, `@{sys}/`, `@{PROC}@{sys}/`, `@{PROC}/sys/`, `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, - `@{pci_bus}/[0-9a-f:*./]*`, `@{pci}/`, + `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `1000`, `@{uid}`, // Some system glob diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index c70909dcb..0b14ba990 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go 
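Review bot: The `dev` target hands `$(shell find apparmor.d -iname ${name})` to `--file` without checking that `name` was given or that exactly one path came back: an empty `name` leaves `--file` with no value, so it swallows the next argument or aborts, and a name that matches several files (a profile and a same-named abstraction, say) expands into several positional arguments. The next line then runs `sudo install -Dm644 ${BUILD}/${name} /etc/apparmor.d/${name}`, a root-privileged copy into the live policy directory with the same unquoted, unvalidated variable. Fail early and pin a single match: `@test -n "${name}" || { echo "usage: make dev name=<profile>" >&2; exit 1; }` before the build, and `--file "$(shell find apparmor.d -type f -iname '${name}' -print -quit)"` in it. Also worth verifying the install source: the `$(P)` rule above derives its targets from `${BUILD}/apparmor.d/*`, while `dev` reads `${BUILD}/${name}`, so one of the two is presumably looking in the wrong directory.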
@@ -247,6 +247,26 @@ func TestNew(t *testing.T) { path: filepath.Join(testdata, "audit.log"), want: refPowerProfiles, }, + { + name: "signal-desktop", + path: filepath.Join(testdata, "audit.log"), + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "profile": "signal-desktop", + "operation": "open", + "class": "file", + "name": "@{sys}/devices/@{pci}/boot_vga", + "comm": "signal-desktop", + "requested_mask": "r", + "denied_mask": "r", + "fsuid": "1000", + "ouid": "0", + "FSUID": "user", + "OUID": "root", + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/tests/testdata/logs/audit.log b/tests/testdata/logs/audit.log index 0680d2a7a..ed897ea6c 100644 --- a/tests/testdata/logs/audit.log +++ b/tests/testdata/logs/audit.log @@ -53,4 +53,5 @@ profile="sddm-greeter" operation="setsockopt" class="net" comm="sddm-greeter" f type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" profile="xorg" pid=16195 comm="Xorg.bin" capability=17 capname="sys_rawio" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="getattr" class="file" profile="pacman//null-/usr/share/code-features/patch.py" name="/etc/ld.so.preload" pid=18817 comm="patch.py" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" info="optional: no audit" error=-1 profile="pacman" comm="killall" capability=19 capname="sys_ptrace" +apparmor="ALLOWED" operation="open" class="file" profile="signal-desktop" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" comm="signal-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="user" OUID="root" From 14a5d8deaef0aa068127cc0ddd8f04e0b85966f5 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 2 Oct 2024 21:06:45 +0100 Subject: [PATCH 230/315] fix(aa-log): ensure we also split quote in log value fix #229 --- pkg/logs/logs.go | 7 ++++++- pkg/logs/logs_test.go | 21 +++++++++++++++++++++ tests/testdata/logs/audit.log | 1 + 3 files changed, 28 insertions(+), 1 deletion(-) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 49d680108..01c4fcbb4 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -138,7 +138,12 @@ func New(file io.Reader, profile string) AppArmorLogs { aa := make(AppArmorLog) for _, item := range tmp { - kv := strings.Split(item, "=") + kv := strings.FieldsFunc(item, func(r rune) bool { + if r == '"' { + quoted = !quoted + } + return !quoted && r == '=' + }) if len(kv) >= 2 { key, value := kv[0], kv[1] if slices.Contains(toClean, key) { diff --git a/pkg/logs/logs_test.go b/pkg/logs/logs_test.go index 0b14ba990..6ddd5ac9e 100644 --- a/pkg/logs/logs_test.go +++ b/pkg/logs/logs_test.go @@ -267,6 +267,27 @@ func TestNew(t *testing.T) { }, }, }, + { + name: "startplasma", + path: filepath.Join(testdata, "audit.log"), + want: AppArmorLogs{ + { + "apparmor": "ALLOWED", + "operation": "link", + "class": "file", + "profile": "startplasma", + "name": "@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz", + "target": "@{user_cache_dirs}/#@{int}", + "comm": "startplasma-way", + "denied_mask": "k", + "requested_mask": "k", + "fsuid": "1000", + "ouid": "1000", + "FSUID": "user", + "OUID": "user", + }, + }, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { diff --git a/tests/testdata/logs/audit.log b/tests/testdata/logs/audit.log index ed897ea6c..11b8770d2 100644 --- a/tests/testdata/logs/audit.log +++ b/tests/testdata/logs/audit.log 
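Review bot: `quoted` is toggled inside the `FieldsFunc` callback but declared outside this hunk; if that declaration lives outside the `for _, item := range tmp` loop, a stray `"` in one field leaves it `true` for every later field of the record, so it should be (re)initialised per item. Replacing `strings.Split` with `strings.FieldsFunc` also drops empty fields, so a bare `key=` now yields a single field, fails `len(kv) >= 2` and silently loses the key where the old code kept `["key", ""]`. Splitting once on the first unquoted `=` via `strings.IndexFunc` keeps the quote tracking, preserves empty values and no longer truncates an unquoted value containing `=` at `kv[1]`; the `if len(kv) >= 2` block it replaces closes outside this hunk, so its brace has to go with it.

```go
	for _, item := range tmp {
		// Split on the first '=' that is not inside double quotes; keep empty values.
		quoted := false
		sep := strings.IndexFunc(item, func(r rune) bool {
			if r == '"' {
				quoted = !quoted
			}
			return !quoted && r == '='
		})
		if sep < 0 {
			continue
		}
		key, value := item[:sep], item[sep+1:]
		// … unchanged: toClean handling and aa[key] = value …
```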
@@ -54,4 +54,5 @@ type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="getattr" class="file" profile="pacman//null-/usr/share/code-features/patch.py" name="/etc/ld.so.preload" pid=18817 comm="patch.py" requested_mask="r" denied_mask="r" fsuid=0 ouid=0FSUID="root" OUID="root" type=AVC msg=audit(1111111111.111:1111): apparmor="ALLOWED" operation="capable" class="cap" info="optional: no audit" error=-1 profile="pacman" comm="killall" capability=19 capname="sys_ptrace" apparmor="ALLOWED" operation="open" class="file" profile="signal-desktop" name="/sys/devices/pci0000:00/0000:00:02.0/boot_vga" comm="signal-desktop" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0 FSUID="user" OUID="root" +apparmor="ALLOWED" operation="link" class="file" profile="startplasma" name="@{user_cache_dirs}/ksycoca5_de_LQ6f0J2qZg4vOKgw2NbXuW7iuVU=.isNSBz" comm="startplasma-way" requested_mask="k" denied_mask="k" fsuid=1000 ouid=1000 target="@{user_cache_dirs}/#@{int}" FSUID="user" OUID="user" From 35b305f04376cd17eeb8e71873e3dcaf0c4d4aa0 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 2 Oct 2024 21:25:01 +0100 Subject: [PATCH 231/315] fix(build): fix path in make dev. --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 8057a171e..e8929aec8 100644 --- a/Makefile +++ b/Makefile @@ -74,7 +74,7 @@ $(P): name ?= dev: @go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name}) - @sudo install -Dm644 ${BUILD}/${name} /etc/apparmor.d/${name} + @sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name} @sudo systemctl restart apparmor || systemctl status apparmor dist ?= archlinux From 896254c2ec69f61d564303f3995e769ffb1c029d Mon Sep 17 00:00:00 2001 
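Review bot: The new `startplasma` fixture line is not a raw kernel record: its `name=` and `target=` already contain `@{user_cache_dirs}` and `@{int}`, and like the `signal-desktop` line above it lacks the `type=AVC msg=audit(...)` prefix every other line in the file carries. The parser evidently tolerates both, but the test then only proves the quote-aware split and not that the path-cleaning regexes produce those variables from `/home/user/.cache/...`; using the real denial line as logged (raw path, full prefix) would cover both the fix and the pipeline that this fixture now bypasses.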
From: Alexandre Pujol Date: Thu, 3 Oct 2024 11:47:58 +0100 Subject: [PATCH 232/315] feat(profile): rewrite all xdg script profiles. --- .../groups/freedesktop/xdg-desktop-icon | 32 +++++- .../groups/freedesktop/xdg-desktop-menu | 58 +++++----- .../groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/freedesktop/xdg-email | 47 +++++--- .../groups/freedesktop/xdg-icon-resource | 53 ++++++---- apparmor.d/groups/freedesktop/xdg-mime | 100 +++++++----------- apparmor.d/groups/freedesktop/xdg-open | 58 ++++------ apparmor.d/groups/freedesktop/xdg-screensaver | 55 ++++++---- apparmor.d/groups/freedesktop/xdg-settings | 73 ++++++------- 9 files changed, 255 insertions(+), 223 deletions(-) diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index 0b0953f6e..0d8512b5c 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -9,8 +9,38 @@ include @{exec_path} = @{bin}/xdg-desktop-icon profile xdg-desktop-icon @{exec_path} { include + include - @{exec_path} mr, + @{exec_path} r, + + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/mkdir ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, + + # To get DE information + @{bin}/kde{,4}-config ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/xprop Px, + + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-menu b/apparmor.d/groups/freedesktop/xdg-desktop-menu index 147d4c090..f86fbedc8 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-menu +++ b/apparmor.d/groups/freedesktop/xdg-desktop-menu 
@@ -10,37 +10,47 @@ include @{exec_path} = @{bin}/xdg-desktop-menu profile xdg-desktop-menu @{exec_path} flags=(complain) { include - include include + include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/mkdir rix, - @{bin}/sed rix, - @{bin}/cut rix, - @{bin}/basename rix, - @{bin}/rm rix, - @{bin}/cp rix, - @{bin}/cat rix, - @{bin}/touch rix, - @{bin}/{m,g,}awk rix, - @{bin}/whoami rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/readlink rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/chmod ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, - @{bin}/update-desktop-database rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu rw, - owner @{user_share_dirs}/applications/chrome-*.desktop rw, - owner @{HOME}/.gnome/apps/chrome-*.desktop rw, + @{bin}/dbus-send Cx -> bus, + @{bin}/update-desktop-database Px, + @{bin}/xprop Px, - /usr/share/applications/*.desktop rw, - /usr/share/*/*.desktop r, - - /usr/share/applications/defaults.list r, - /usr/share/applications/defaults.list.new w, + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index 611e1ab9c..f93a4f2b0 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -59,7 +59,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { /dev/fuse rw, owner /dev/tty@{int} rw, - profile fusermount { + profile fusermount flags=(attach_disconnected) { include include 
diff --git a/apparmor.d/groups/freedesktop/xdg-email b/apparmor.d/groups/freedesktop/xdg-email index d7228b653..cf580ceac 100644 --- a/apparmor.d/groups/freedesktop/xdg-email +++ b/apparmor.d/groups/freedesktop/xdg-email @@ -15,22 +15,39 @@ profile xdg-email @{exec_path} flags=(complain) { @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cut rix, - @{bin}/echo rix, - @{bin}/gio rPx, - @{bin}/kreadconfig5 rPx, - @{bin}/readlink rix, - @{bin}/sed rix, - @{bin}/tail rix, - @{bin}/which{,.debianutils} rix, - @{bin}/xdg-mime rPx, - @{thunderbird_path} rPx, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/tail ix, + @{bin}/tr ix, + @{bin}/uname ix, - owner /dev/tty@{int} rw, + # To get DE information + @{bin}/kde{,4}-config ix, + @{bin}/gconftool{,-2} ix, + @{bin}/qtxdg-mat ix, + + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/kreadconfig{,5} Px, + @{bin}/xdg-mime Px, + @{bin}/xprop Px, + @{open_path} Px -> child-open-email, + @{thunderbird_path} Px, + + profile bus flags=(complain) { + include + include + include + + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-icon-resource b/apparmor.d/groups/freedesktop/xdg-icon-resource index bda6621d3..4f29d38a0 100644 --- a/apparmor.d/groups/freedesktop/xdg-icon-resource +++ b/apparmor.d/groups/freedesktop/xdg-icon-resource 
@@ -11,36 +11,43 @@ include profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) { include include - include include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/whoami rix, - @{bin}/sed rix, - @{bin}/basename rix, - @{bin}/mkdir rix, - @{bin}/cp rix, - @{bin}/rm rix, - @{bin}/readlink rix, - @{bin}/touch rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cp ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, + @{bin}/whoami ix, - @{bin}/gtk{,4}-update-icon-cache rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - /usr/share/**/icons/**.png r, - /usr/share/icons/**.png rw, - /usr/share/icons/*/.xdg-icon-resource-dummy rw, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/gtk{,4}-update-icon-cache Px, + @{bin}/xprop Px, - owner @{tmp}/.com.google.Chrome.*/chrome-*.png r, - - owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw, - owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw, - /opt/**/*.png r, - - deny @{user_share_dirs}/gvfs-metadata/* r, + profile bus flags=(complain) { + include + include + include + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index c31ff0064..e2486f9fd 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -3,8 +3,6 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# TODO: This profile needs to be rewritten and integrated with the xdg-open profiles. - abi , include 
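Review bot: The rewrite removes every file rule xdg-icon-resource needs to do its job — `/usr/share/icons/**.png rw`, `owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw` and the `.xdg-icon-resource-dummy` probe files — while the header keeps `flags=(attach_disconnected)` with no `complain`; since `cp`, `mkdir`, `rm` and `touch` now run `ix`, their writes are mediated by this profile and will be denied unless the flags manifest marks it complain (the flags hunks visible in this series do not). Either restore the icon-tree rules, `owner @{user_share_dirs}/icons/** rw,` for the per-user mode and `/usr/share/icons/** rw,` for the system mode run as root, or set `flags=(attach_disconnected,complain)` like its xdg-desktop-icon/xdg-desktop-menu siblings until the rules have been learned. The dropped `deny @{user_share_dirs}/gvfs-metadata/* r,` was a noise suppressor: an explicit deny is quiet, the implicit one this leaves behind is logged on every run.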
@@ -16,73 +14,51 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/{m,g,}awk rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/file rix, - @{bin}/head rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/sed rix, - @{bin}/tr rix, - @{bin}/uname rix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/file ix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/umask ix, + @{bin}/uname ix, - @{bin}/gio rPx, - @{bin}/kbuildsycoca5 rPx, - @{bin}/ktraderclient5 rPUx, - @{bin}/vendor_perl/mimetype rPx, - @{bin}/mimetype rPx, - @{bin}/xprop rPx, + # To query DE information + @{bin}/gio ix, + @{bin}/gnomevfs-info ix, + @{bin}/gvfs-info ix, + @{bin}/kde{,4}-config ix, + @{bin}/kfile ix, + @{bin}/kmimetypefinder{,5} ix, + @{bin}/ktraderclient{,5} ix, + @{bin}/qtpaths ix, + @{bin}/qtxdg-mat ix, - /usr/share/file/misc/** r, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/kbuildsycoca{,5} Px, + @{bin}/mimetype Px, + @{bin}/vendor_perl/mimetype Px, + @{bin}/xprop Px, - owner @{HOME}/** r, - owner @{HOME}/.Xauthority r, - owner @{user_config_dirs}/mimeapps.list{,.new} rw, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, - owner @{run}/user/@{uid}/ r, - - owner /tmp/wl-copy-buffer-@{rand6}/stdin r, - - @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r, - @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r, - - @{PROC}/version r, - - /dev/dri/card@{int} rw, /dev/tty rw, - # When xdg-mime is run as root, it wants to exec dbus-launch, and hence it creates the two - # following root processes: - # dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr - # /usr/bin/dbus-daemon 
--syslog-only --fork --print-pid 5 --print-address 7 --session - # - # Should this be allowed? Xdg-mime works fine without this. - #@{bin}/dbus-launch rCx -> dbus, - #@{bin}/dbus-send rCx -> dbus, - deny @{bin}/dbus-launch rx, - deny @{bin}/dbus-send rx, - - deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - - profile dbus { + profile bus flags=(complain) { include - include - - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - @{HOME}/.Xauthority r, - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - include if exists + include + include + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 096132af5..8e90bc423 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open 
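Review bot: `owner @{user_config_dirs}/mimeapps.list{,.new} rw,` is removed with no visible replacement, yet that file is what `xdg-mime default` writes (through `mv`, now `ix`), and the header still reads `flags=(attach_disconnected)` without `complain`, so unless one of the includes or the flags manifest grants it the write is refused; keep the rule or put the profile in complain until the rewrite has been exercised. The explicit `deny @{bin}/dbus-launch rx,` and the comment explaining the root-owned `dbus-daemon` it prevented also disappear; the access is still denied implicitly, but now loudly on every run, so if blocking it is still the intent keep `deny @{bin}/dbus-launch rx, # avoids a stray root dbus-daemon when run as root`. `@{bin}/gio ix` (formerly `rPx`) and `ktraderclient{,5} ix` (formerly `rPUx`) are tightenings worth a one-line comment, since anything they spawn now inherits this profile's rules.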
@@ -10,51 +10,37 @@ include @{exec_path} = @{bin}/xdg-open profile xdg-open @{exec_path} flags=(attach_disconnected) { include - include include + include @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/cut rix, - @{bin}/which{,.debianutils} rix, - @{bin}/cat rix, - @{bin}/uname rix, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/sed ix, + @{bin}/tr ix, + @{bin}/uname ix, - @{bin}/xprop rPx, - @{bin}/xdg-mime rPx, + # To get DE information + @{bin}/kde{,4}-config ix, - @{bin}/exo-open rPx, - @{bin}/gio rPx, - #@{bin}/kde-open5 rPUx, - @{bin}/ktraderclient5 rPUx, + @{bin}/dbus-send Cx -> bus, + @{bin}/gdbus Cx -> bus, + @{bin}/xprop Px, + @{bin}/xdg-mime Px, + @{open_path} Px -> child-open-any, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/dbus-send rCx -> dbus, - - /** r, - owner /** rw, - - # freedesktop.org-strict - owner @{user_share_dirs}/applications/ r, - /usr/share/applications/*.desktop r, - - /dev/tty rw, - - profile dbus { + profile bus { include - include + include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - # for dbus-launch - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-screensaver b/apparmor.d/groups/freedesktop/xdg-screensaver index 784c63364..c142d137d 100644 --- a/apparmor.d/groups/freedesktop/xdg-screensaver +++ b/apparmor.d/groups/freedesktop/xdg-screensaver 
@@ -8,38 +8,49 @@ abi , include @{exec_path} = @{bin}/xdg-screensaver -profile xdg-screensaver @{exec_path} { +profile xdg-screensaver @{exec_path} flags=(complain) { include include include @{exec_path} r, - @{bin}/ r, + @{sh_path} rix, + @{bin}/{,e}grep ix, + @{bin}/{m,g,}awk ix, + @{bin}/basename ix, + @{bin}/cat ix, + @{bin}/cut ix, + @{bin}/dirname ix, + @{bin}/kill ix, + @{bin}/ln ix, + @{bin}/lockfile ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/perl ix, + @{bin}/readlink ix, + @{bin}/realpath ix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/uname ix, + @{bin}/xautolock ix, - @{sh_path} rix, - @{bin}/mv rix, - @{bin}/{,e}grep rix, - @{bin}/sed rix, - @{bin}/which{,.debianutils} rix, - @{bin}/cat rix, - @{bin}/uname rix, + @{bin}/dbus-send Cx -> bus, + @{bin}/xprop Px, + @{bin}/xset Px, + @{bin}/ps Px, + @{bin}/hostname Px, - @{bin}/xautolock rix, - @{bin}/dbus-send rix, + profile bus flags=(complain) { + include + include + include - @{bin}/xprop rPx, - @{bin}/xdg-mime rPx, - @{bin}/xset rPx, - @{bin}/hostname rix, + #aa:dbus talk bus=session name=org.freedesktop.ScreenSaver label=gsd-screensaver-proxy + #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console - owner @{HOME}/ r, - owner @{HOME}/.Xauthority r, - owner @{tmp}/xauth-@{int}-_[0-9] r, - - owner @{run}/user/@{uid}/ r, - - /dev/dri/card@{int} rw, + include if exists + } include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 38ae2c1b5..f64b879f6 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings 
@@ -15,53 +15,48 @@ profile xdg-settings @{exec_path} { @{exec_path} r, - @{sh_path} rix, - @{bin}/{,e}grep rix, - @{bin}/basename rix, - @{bin}/cat rix, - @{bin}/cut rix, - @{bin}/mktemp rix, - @{bin}/mv rix, - @{bin}/readlink rix, - @{bin}/realpath rix, - @{bin}/sed rix, - @{bin}/sort rix, - @{bin}/uname rix, - @{bin}/wc rix, - @{bin}/which{,.debianutils} rix, + @{sh_path} rix, + @{bin}/{,e}grep rix, + @{bin}/basename rix, + @{bin}/cat ix, + @{bin}/cut rix, + @{bin}/head ix, + @{bin}/mkdir ix, + @{bin}/mktemp ix, + @{bin}/mv ix, + @{bin}/readlink ix, + @{bin}/realpath rix, + @{bin}/rm ix, + @{bin}/sed ix, + @{bin}/sort ix, + @{bin}/touch ix, + @{bin}/tr ix, + @{bin}/uname ix, + @{bin}/wc ix, - @{bin}/dbus-launch rCx -> dbus, - @{bin}/dbus-send rCx -> dbus, - @{bin}/kreadconfig5 rPx, - @{bin}/xdg-mime rPx, - @{bin}/xprop rPx, + # To set/get DE information + @{bin}/gconftool{,-2} ix, + @{bin}/kde{,4}-config ix, + @{bin}/kwriteconfig{,5,6} ix, + @{bin}/qtxdg-mat ix, - /usr/share/terminfo/** r, + @{bin}/dbus-send Cx -> bus, + @{bin}/kreadconfig{,5} Px, + @{bin}/xdg-mime Px, + @{bin}/xprop Px, - /etc/xdg/xfce4/helpers.rc r, - /etc/machine-id r, - /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw, - owner @{HOME}/ r, - owner @{HOME}/.Xauthority r, + @{PROC}/version r, - owner @{user_config_dirs}/xfce4/helpers.rc{,.*} rw, + owner /dev/pts/@{int} rw, - owner @{run}/user/@{uid}/ r, - - owner @{PROC}/@{pid}/fd/ r, - - profile dbus { + profile bus flags=(complain) { include - include + include + include - @{bin}/dbus-launch mr, - @{bin}/dbus-send mr, - @{bin}/dbus-daemon rPx, - - owner @{HOME}/.dbus/session-bus/@{hex}-[0-9] w, - - include if exists + include if exists } include if exists From de21ff07a677959d9ed6f0349efafdbe28ce4403 Mon Sep 17 00:00:00 2001 
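Review bot: This is the only profile in the rewritten set that mixes `rix` and `ix` for the same kind of helper: `{,e}grep`, `basename`, `cut` and `realpath` keep `rix` while `cat`, `head`, `sed` and the rest take `ix`, and the sibling xdg-* profiles in this commit use `ix` for all of them. That looks like a leftover from the old block rather than a deliberate distinction; make the four `ix` for consistency, or add a comment saying why those binaries additionally need `r`. The narrowing of `helpers.rc{,.*}` to `helpers.rc{,.@{rand6}}` is a good tightening and deserves a short comment naming the temp-file pattern it matches, so nobody widens it back the next time a denial shows up.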
From: Alexandre Pujol Date: Thu, 3 Oct 2024 11:55:33 +0100 Subject: [PATCH 233/315] build: move upstream overwrite to its own build tasks. It allow us to controll when we want to do it and either or not it should be enabled. --- cmd/prebuild/main.go | 1 + pkg/prebuild/cli/cli.go | 4 +- pkg/prebuild/prepare/configure.go | 41 ------------------- pkg/prebuild/prepare/core_test.go | 6 +++ pkg/prebuild/prepare/overwrite.go | 67 +++++++++++++++++++++++++++++++ 5 files changed, 76 insertions(+), 43 deletions(-) create mode 100644 pkg/prebuild/prepare/overwrite.go diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 629b37ed3..51bbca854 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -25,6 +25,7 @@ func init() { "merge", "configure", "setflags", + "overwrite", "systemd-default", ) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index b82d918a7..e629b46c5 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -106,8 +106,8 @@ func Prebuild() { if file != "" { sync, _ := prepare.Tasks["synchronise"].(*prepare.Synchronise) sync.Path = file - configure, _ := prepare.Tasks["configure"].(*prepare.Configure) - configure.OneFile = true + overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite) + overwrite.OneFile = true } logging.Step("Building apparmor.d profiles for %s on ABI%d.", prebuild.Distribution, prebuild.ABI) diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 6be35d3dd..9a423060f 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -6,7 +6,6 @@ package prepare import ( "fmt" - "os" "github.com/roddhjav/apparmor.d/pkg/prebuild" "github.com/roddhjav/apparmor.d/pkg/util" @@ -14,7 +13,6 @@ import ( type Configure struct { prebuild.Base - OneFile bool } func init() { 
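Review bot: `overwrite, _ := prepare.Tasks["overwrite"].(*prepare.Overwrite)` discards the assertion result, so if the task is ever dropped from the list in `cmd/prebuild/main.go` or registered under another type, the next line dereferences a nil pointer and `prebuild --file` panics instead of reporting what is wrong. The `sync, _ :=` line above has the same pattern, but the new code should at least check its own: `overwrite, ok := prepare.Tasks["overwrite"].(*prepare.Overwrite)` followed by `if !ok { /* fail via the error path Prebuild already uses */ }`. A one-line comment that `--file` implies a pre-existing full build (which is what `OneFile` appears to assume in `Overwrite.Apply`) would also help the next reader of this branch.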
@@ -23,18 +21,12 @@ func init() { Keyword: "configure", Msg: "Set distribution specificities", }, - OneFile: false, }) } func (p Configure) Apply() ([]string, error) { res := []string{} - if prebuild.ABI == 4 { - if err := OverwriteUpstreamProfile(p.OneFile); err != nil { - return res, err - } - } switch prebuild.Distribution { case "arch", "opensuse": @@ -65,36 +57,3 @@ func (p Configure) Apply() ([]string, error) { } return res, nil } - -// Overwrite upstream profile: disable upstream & rename ours -func OverwriteUpstreamProfile(oneFile bool) error { - const ext = ".apparmor.d" - disableDir := prebuild.RootApparmord.Join("disable") - if err := disableDir.Mkdir(); err != nil { - return err - } - - path := prebuild.DistDir.Join("overwrite") - if !path.Exist() { - return fmt.Errorf("%s not found", path) - } - for _, name := range util.MustReadFileAsLines(path) { - origin := prebuild.RootApparmord.Join(name) - dest := prebuild.RootApparmord.Join(name + ext) - if !dest.Exist() && oneFile { - continue - } - if err := origin.Rename(dest); err != nil { - - return err - } - originRel, err := origin.RelFrom(dest) - if err != nil { - return err - } - if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil { - return err - } - } - return nil -} diff --git a/pkg/prebuild/prepare/core_test.go b/pkg/prebuild/prepare/core_test.go index 3c35e3e8f..ea18d2cd8 100644 --- a/pkg/prebuild/prepare/core_test.go +++ b/pkg/prebuild/prepare/core_test.go @@ -64,6 +64,12 @@ func TestTask_Apply(t *testing.T) { wantErr: false, want: "dists/flags/main.flags", }, + { + name: "overwrite", + task: Tasks["overwrite"], + wantErr: false, + wantFiles: paths.PathList{prebuild.RootApparmord.Join("flatpak.apparmor.d")}, + }, { name: "systemd-default", task: Tasks["systemd-default"], diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go new file mode 100644 index 000000000..209e8dc81 --- /dev/null +++ b/pkg/prebuild/prepare/overwrite.go 
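Review bot: The new `overwrite` test case expects `flatpak.apparmor.d` to appear, but `Overwrite.Apply` returns before doing anything when `prebuild.ABI == 3`, so the expectation silently depends on the package-level default of `prebuild.ABI` being 4 and on `flatpak` being present in `dists/overwrite`, neither of which the case states. Setting `prebuild.ABI = 4` explicitly in the case (and restoring it afterwards) and adding a sibling case for ABI 3 asserting that no `.apparmor.d` file is produced would make both branches of the task intentional rather than incidental.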
@@ -0,0 +1,67 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2021-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package prepare + +import ( + "fmt" + "os" + + "github.com/roddhjav/apparmor.d/pkg/prebuild" + "github.com/roddhjav/apparmor.d/pkg/util" +) + +const ext = ".apparmor.d" + +type Overwrite struct { + prebuild.Base + OneFile bool +} + +func init() { + RegisterTask(&Overwrite{ + Base: prebuild.Base{ + Keyword: "overwrite", + Msg: "Overwrite dummy upstream profiles", + }, + OneFile: false, + }) +} + +func (p Overwrite) Apply() ([]string, error) { + res := []string{} + if prebuild.ABI == 3 { + return res, nil + } + + disableDir := prebuild.RootApparmord.Join("disable") + if err := disableDir.Mkdir(); err != nil { + return res, err + } + + path := prebuild.DistDir.Join("overwrite") + if !path.Exist() { + return res, fmt.Errorf("%s not found", path) + } + for _, name := range util.MustReadFileAsLines(path) { + origin := prebuild.RootApparmord.Join(name) + dest := prebuild.RootApparmord.Join(name + ext) + if !dest.Exist() && p.OneFile { + continue + } + if err := origin.Rename(dest); err != nil { + + return res, err + } + originRel, err := origin.RelFrom(dest) + if err != nil { + return res, err + } + if err := os.Symlink(originRel.String(), disableDir.Join(name).String()); err != nil { + return res, err + } + } + + return res, nil +} From cc5416f57a098b8f459db85415148d4022065dd6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 3 Oct 2024 11:58:25 +0100 Subject: [PATCH 234/315] build: cleanup flags manifest & enforce a few profiles. --- dists/flags/arch.flags | 1 + dists/flags/debian.flags | 1 + dists/flags/main.flags | 23 ++--------------------- dists/flags/ubuntu.flags | 4 ++++ dists/flags/whonix.flags | 4 ++++ 5 files changed, 12 insertions(+), 21 deletions(-) diff --git a/dists/flags/arch.flags b/dists/flags/arch.flags index ba883e3c2..8910bb280 100644 --- a/dists/flags/arch.flags +++ b/dists/flags/arch.flags 
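Review bot: The loop trusts every line of `dists/overwrite` as a bare profile name: unless `util.MustReadFileAsLines` already drops blank and comment lines (not visible here), a trailing empty line makes `origin` the `apparmor.d` root itself and `origin.Rename(dest)` moves the whole tree to `apparmor.d.apparmor.d`, and a name containing `/` would rename something outside the directory. `os.Symlink` also returns `EEXIST` when the link already exists, which is exactly what a second run against an existing build tree — the `--file` developer workflow this task now serves — will hit, and `disableDir.Mkdir()` has the same concern if the helper is not idempotent. The `OneFile` guard tests `dest` rather than `origin`, so if the single-file sync leaves the other listed profiles already renamed from the previous build, their `origin.Rename` fails with a not-found error; worth confirming against what `Synchronise` does with `Path` set. The version below skips blank/comment entries, rejects path separators and replaces a stale link (needs `errors`, `io/fs` and `strings` imported).

```go
	for _, name := range util.MustReadFileAsLines(path) {
		name = strings.TrimSpace(name)
		// The list is repo-controlled, but a blank or odd entry must never
		// rename anything outside RootApparmord.
		if name == "" || strings.HasPrefix(name, "#") || strings.ContainsAny(name, `/\`) {
			continue
		}
		origin := prebuild.RootApparmord.Join(name)
		dest := prebuild.RootApparmord.Join(name + ext)
		if !dest.Exist() && p.OneFile {
			continue
		}
		if err := origin.Rename(dest); err != nil {
			return res, err
		}
		originRel, err := origin.RelFrom(dest)
		if err != nil {
			return res, err
		}
		link := disableDir.Join(name).String()
		// Re-runs (notably --file) find the link from the previous build; replace it.
		if err := os.Remove(link); err != nil && !errors.Is(err, fs.ErrNotExist) {
			return res, err
		}
		if err := os.Symlink(originRel.String(), link); err != nil {
			return res, err
		}
	}
```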
@@ -1,3 +1,4 @@ +aurpublish complain makepkg complain mkinitcpio attach_disconnected,complain pacman attach_disconnected,complain diff --git a/dists/flags/debian.flags b/dists/flags/debian.flags index b659675b6..5e29c0153 100644 --- a/dists/flags/debian.flags +++ b/dists/flags/debian.flags @@ -1,3 +1,4 @@ +apt-helper complain dhclient complain dhclient-script complain dpkg complain diff --git a/dists/flags/main.flags b/dists/flags/main.flags index e1c8a057a..f2c938a19 100644 --- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -10,7 +10,8 @@ systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain aa-load complain -acpid attach_disconnected,complain +aa-logprof attach_disconnected,complain +aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain akonadi_birthdays_resource complain @@ -30,11 +31,8 @@ akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain appimagelauncherd complain -apport attach_disconnected,complain -apt-helper complain at complain atd complain -atril-previewer complain auditctl attach_disconnected,complain auditd attach_disconnected,complain augenrules attach_disconnected,complain @@ -51,8 +49,6 @@ cc-remote-login-helper complain cctk complain child-modprobe-nvidia attach_disconnected,complain child-open attach_disconnected,complain -child-open-any attach_disconnected,complain -child-open-browsers attach_disconnected,complain chronyd attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain @@ -64,7 +60,6 @@ cockpit-ssh complain cockpit-tls attach_disconnected,complain cockpit-ws complain cockpit-wsinstance-factory complain -ctop complain cups-backend-beh complain cups-backend-bluetooth complain cups-backend-brf complain 
@@ -96,7 +91,6 @@ dmsetup complain dockerd attach_disconnected,complain dolphin complain downloadhelper complain -dpkg-genbuildinfo complain drkonqi complain drkonqi-coredump-cleanup complain drkonqi-coredump-processor complain @@ -120,8 +114,6 @@ flatpak-portal attach_disconnected,complain flatpak-session-helper attach_disconnected,complain flatpak-system-helper complain flatpak-validate-icon complain -foliate attach_disconnected,complain -fractal attach_disconnected,complain fstrim complain fuse-overlayfs complain fusermount complain @@ -131,7 +123,6 @@ gdm-session attach_disconnected,complain gdm-xsession complain gimp complain gmenudbusmenuproxy complain -gnome-boxes complain gnome-browser-connector-host complain gnome-control-center attach_disconnected,complain gnome-control-center-goa-helper complain @@ -143,11 +134,9 @@ gnome-initial-setup complain gnome-music attach_disconnected,complain gnome-photos-thumbnailer complain gnome-remote-desktop-daemon complain -gnome-session complain gnome-software complain gnome-system-monitor attach_disconnected,complain gnome-terminal-server complain -gnome-text-editor complain gnome-tweaks complain grub-bios-setup complain grub-editenv complain @@ -216,7 +205,6 @@ kgx complain kio_http_cache_cleaner complain kiod complain kioworker complain -kmod attach_disconnected,complain konsole attach_disconnected,mediate_deleted,complain kscreen_backend_launcher complain kscreen_osd_service complain @@ -262,11 +250,8 @@ nm-priv-helper complain nmcli complain nvidia-detector complain nvidia-persistenced complain -nvidia-smi complain -okular complain ollama attach_disconnected,complain os-prober attach_disconnected,complain -package-data-downloader complain pam_kwallet_init complain pam-tmpdir-helper complain passim complain 
@@ -283,7 +268,6 @@ plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted qdbus complain -protonmail complain realmd complain remmina complain run-parts complain @@ -324,8 +308,6 @@ steam-runtime attach_disconnected,complain steamerrorreporter attach_disconnected,complain strawberry attach_disconnected,mediate_deleted,complain sulogin complain -superproductivity attach_disconnected,complain -switcherooctl complain swtpm complain swtpm_ioctl complain swtpm_localca complain @@ -337,7 +319,6 @@ systemd-binfmt attach_disconnected,complain systemd-bsod complain systemd-cgls complain systemd-cgtop complain -systemd-coredump attach_disconnected,mediate_deleted,complain systemd-cryptsetup complain systemd-dissect attach_disconnected,complain systemd-escape complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index c491729dc..30e21282d 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -1,13 +1,17 @@ +apport attach_disconnected,complain apport-checkreports complain apport-gtk complain apt-esm-hook complain apt-esm-json-hook complain +apt-helper complain check-new-release-gtk complain do-release-upgrade complain +dpkg-genbuildinfo complain hwe-support-status complain list-oem-metapackages complain livepatch-notification complain notify-reboot-required complain +package-data-downloader complain package-system-locked attach_disconnected,complain pro complain release-upgrade-motd complain diff --git a/dists/flags/whonix.flags b/dists/flags/whonix.flags index bbb744355..dc984d690 100644 --- a/dists/flags/whonix.flags +++ b/dists/flags/whonix.flags @@ -1,4 +1,6 @@ anondate complain +apt-helper complain +dpkg-genbuildinfo complain msgcollector complain msgcollector-br-add complain msgcollector-generic-gui-message complain 
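Review bot: Deleting a manifest line removes every flag on it, not only `complain`: `systemd-coredump attach_disconnected,mediate_deleted,complain` disappears entirely here, and the earlier hunks do the same for `acpid`, `kmod`, `child-open-any`, `child-open-browsers`, `foliate`, `fractal` and `superproductivity`, all of which carried `attach_disconnected`. That is equivalent to "enforce" only if each of those profile headers declares the remaining flags itself, which this diff cannot show; otherwise the lines should stay with `complain` stripped, e.g. `systemd-coredump attach_disconnected,mediate_deleted`. If `setflags` replaces rather than merges the header flags, a comment at the top of `main.flags` saying so would prevent the same slip the next time profiles are promoted.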
@@ -28,8 +30,10 @@ torbrowser-plugin-container complain torbrowser-start complain torbrowser-updater complain torbrowser-updater-permission-fix complain +torbrowser-updater-permission-fix complain torbrowser-vaapitest complain torbrowser-wrapper complain +torbrowser-wrapper complain whonix-firewall-edit complain whonix-firewall-restarter complain whonix-firewalld complain From 9b5754631259bd42fd0901671b2125a7e6035155 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 3 Oct 2024 13:09:20 +0100 Subject: [PATCH 235/315] chore(fsp): add note of current profile stage. --- apparmor.d/groups/_full/systemd | 11 +++++++++++ apparmor.d/groups/_full/systemd-user | 2 ++ 2 files changed, 13 insertions(+) diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd index 7538b9ed3..9e1737a2a 100644 --- a/apparmor.d/groups/_full/systemd +++ b/apparmor.d/groups/_full/systemd @@ -11,6 +11,17 @@ # Distributions and other programs can add rules in the usr/systemd.d directory +# TODO: rework this to get a controlled environment: (cf security model) +# - No global allow anymore: in high security environments, we must manage the list +# of program/service that can be started by systemd and ensure that they are all +# listed and confined. Programs not listed will not be able to start. +# - Outside common systemd service, the list may have to be automatically +# generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec` +# - Stop disabling nnp flags in systemd dropin files. +# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo) +# need they own profile, profile name configured as a dropin unit file. +# - When this is done: the fallback profile as root will not be needed. + abi , include diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user index 71b9048a4..32228f21b 100644 --- a/apparmor.d/groups/_full/systemd-user +++ b/apparmor.d/groups/_full/systemd-user 
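Review bot: Both lines added in this hunk duplicate context lines that are already present: `torbrowser-updater-permission-fix complain` and `torbrowser-wrapper complain` now appear twice each in `whonix.flags`. Drop the two `+` lines; whether the duplicates are harmless depends on how `setflags` reads the manifest (a map keyed by name would ignore them, a line-by-line append would not), so it is cleaner not to rely on it.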
@@ -11,6 +11,8 @@ # Distributions and other programs can add rules in the usr/systemd-user.d directory +# TODO: rework this to get a controlled environment. cf comments in systemd profile. + abi , include From 2ef038e8d9c7c6678cb4dd1d79953f3025f4d672 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 3 Oct 2024 13:28:40 +0100 Subject: [PATCH 236/315] feat(profile): minor abi specific changes. --- apparmor.d/abstractions/authentication.d/complete | 2 +- apparmor.d/profiles-s-z/slirp4netns | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/authentication.d/complete b/apparmor.d/abstractions/authentication.d/complete index 738166dba..ef54e6e78 100644 --- a/apparmor.d/abstractions/authentication.d/complete +++ b/apparmor.d/abstractions/authentication.d/complete @@ -4,7 +4,7 @@ @{bin}/pam-tmpdir-helper rPx, - #aa:exclude ubuntu opensuse + #aa:only abi3 @{bin}/unix_chkpwd rPx, #aa:only whonix diff --git a/apparmor.d/profiles-s-z/slirp4netns b/apparmor.d/profiles-s-z/slirp4netns index e2d3b6b1f..ed4dd8d5e 100644 --- a/apparmor.d/profiles-s-z/slirp4netns +++ b/apparmor.d/profiles-s-z/slirp4netns @@ -10,7 +10,7 @@ include profile slirp4netns @{exec_path} flags=(attach_disconnected) { include - # userns, + userns, capability net_admin, capability setpcap, From 7b73adceeb1b6a570af96c9126d735adcef78b03 Mon Sep 17 00:00:00 2001 
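Review bot: With `#aa:only abi3` on `@{bin}/unix_chkpwd rPx`, abi-4 builds no longer carry any transition rule for unix_chkpwd, whereas the old `#aa:exclude ubuntu opensuse` marker only dropped it on two distributions. If the intent is that the abi-4 authentication abstraction already covers the helper, a comment recording that would stop the rule being re-added later, e.g. `# unix_chkpwd transition is only needed on abi 3 builds` adjusted to the actual reason.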
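Review bot: Uncommenting `userns,` grants slirp4netns the right to create and enter user namespaces, a meaningful broadening for a helper that already holds `capability net_admin`, and a why-comment such as `userns, # required to attach to the rootless container's user namespace` (adjusted to the observed need) would record the justification. The `userns` rule is an abi-4 feature, so the profile's `abi` line and the abi3 conversion builder (both outside this hunk) need to handle it on abi-3 builds.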
From: Alexandre Pujol Date: Fri, 4 Oct 2024 14:31:54 +0100 Subject: [PATCH 237/315] feat(abs): common/gnome: remove open_path from the abs, add bus accessibility. --- apparmor.d/abstractions/common/gnome | 16 +++++++++++----- apparmor.d/groups/browsers/epiphany | 4 ++-- apparmor.d/groups/gnome/gnome-calculator | 2 ++ apparmor.d/groups/gnome/gnome-calendar | 3 +-- apparmor.d/groups/gnome/gnome-clocks | 3 +-- apparmor.d/groups/gnome/gnome-contacts | 3 +-- apparmor.d/groups/gnome/gnome-extensions-app | 1 + apparmor.d/groups/gnome/gnome-firmware | 1 + apparmor.d/groups/gnome/gnome-font-viewer | 1 + apparmor.d/groups/gnome/gnome-logs | 1 + apparmor.d/groups/gnome/gnome-maps | 2 ++ apparmor.d/groups/gnome/gnome-music | 3 +++ apparmor.d/groups/gnome/gnome-recipes | 1 + apparmor.d/groups/gnome/gnome-text-editor | 2 ++ apparmor.d/groups/gnome/gnome-tour | 1 + apparmor.d/groups/gnome/gnome-weather | 1 + apparmor.d/groups/gnome/yelp | 5 ++--- apparmor.d/profiles-a-f/baobab | 2 ++ apparmor.d/profiles-a-f/file-roller | 6 ++---- apparmor.d/profiles-a-f/foliate | 2 +- apparmor.d/profiles-a-f/fractal | 10 ++-------- apparmor.d/profiles-s-z/snapshot | 4 ++-- apparmor.d/profiles-s-z/totem | 4 +--- 23 files changed, 44 insertions(+), 34 deletions(-) diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index ced9cb1b1..653221e1d 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome 
@@ -4,24 +4,30 @@ # Minimal set of rules for all gnome based UI application. + include include include include include include - @{open_path} rPx -> child-open-help, - /usr/share/@{profile_name}/{,**} r, + / r, + owner @{user_cache_dirs}/@{profile_name}/ rw, - owner @{user_cache_dirs}/@{profile_name}/** rwlk, + owner @{user_cache_dirs}/@{profile_name}/** rwlk -> @{user_cache_dirs}/@{profile_name}/**, owner @{user_config_dirs}/@{profile_name}/ rw, - owner @{user_config_dirs}/@{profile_name}/** rwlk, + owner @{user_config_dirs}/@{profile_name}/** rwlk -> @{user_config_dirs}/@{profile_name}/**, owner @{user_share_dirs}/@{profile_name}/ rw, - owner @{user_share_dirs}/@{profile_name}/** rwlk, + owner @{user_share_dirs}/@{profile_name}/** rwlk -> @{user_share_dirs}/@{profile_name}/**, + + @{sys}/fs/cgroup/user.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index 54eeb79e3..a64850f1a 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -10,7 +10,6 @@ include profile epiphany @{exec_path} flags=(attach_disconnected) { include include - include include include include @@ -33,6 +32,8 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{open_path} rPx -> child-open, + @{bin}/bwrap rix, @{bin}/xdg-dbus-proxy rix, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, @@ -64,7 +65,6 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny @{user_share_dirs}/gvfs-metadata/* r, 
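Review bot: The new `/ r,` in the shared `common/gnome` abstraction hands root-directory read access to every profile that includes it, where previously only individual profiles had it (the file-roller and fractal hunks in this patch remove their own `/ r,`); a comment stating the need, e.g. `/ r, # GIO mount and file-chooser enumeration` adjusted to the real cause, would keep it from being pruned or widened later. The `rwlk -> @{user_cache_dirs}/@{profile_name}/**` link targets are a good tightening, since they pin link destinations to the profile's own directory. Re-adding `@{open_path} rPx -> child-open-help` per profile is consistent, but epiphany's hunk uses `child-open` rather than `child-open-help`, which is presumably intentional for a browser and deserves a comment there.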
diff --git a/apparmor.d/groups/gnome/gnome-calculator b/apparmor.d/groups/gnome/gnome-calculator index 17fcdc4f6..2e553d9f4 100644 --- a/apparmor.d/groups/gnome/gnome-calculator +++ b/apparmor.d/groups/gnome/gnome-calculator @@ -21,6 +21,8 @@ profile gnome-calculator @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + include if exists } diff --git a/apparmor.d/groups/gnome/gnome-calendar b/apparmor.d/groups/gnome/gnome-calendar index 16cfa77c8..741be7709 100644 --- a/apparmor.d/groups/gnome/gnome-calendar +++ b/apparmor.d/groups/gnome/gnome-calendar @@ -9,9 +9,7 @@ include @{exec_path} = @{bin}/gnome-calendar profile gnome-calendar @{exec_path} { include - include include - include include include include @@ -40,6 +38,7 @@ profile gnome-calendar @{exec_path} { peer=(name=:*, label=evolution-source-registry), @{exec_path} mr, + @{open_path} rPx -> child-open-help, /usr/share/evolution-data-server/{,**} r, /usr/share/libgweather/Locations.xml r, diff --git a/apparmor.d/groups/gnome/gnome-clocks b/apparmor.d/groups/gnome/gnome-clocks index da42a2ef7..fd6ded04f 100644 --- a/apparmor.d/groups/gnome/gnome-clocks +++ b/apparmor.d/groups/gnome/gnome-clocks @@ -10,9 +10,7 @@ include profile gnome-clocks @{exec_path} { include include - include include - include include include include @@ -24,6 +22,7 @@ profile gnome-clocks @{exec_path} { #aa:dbus own bus=session name=org.gnome.clocks @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-contacts b/apparmor.d/groups/gnome/gnome-contacts index 66651f3a2..b6474cf55 100644 --- a/apparmor.d/groups/gnome/gnome-contacts +++ b/apparmor.d/groups/gnome/gnome-contacts @@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/gnome-contacts profile gnome-contacts @{exec_path} { include - include - include include include include 
@@ -26,6 +24,7 @@ profile gnome-contacts @{exec_path} { #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon @{exec_path} mr, + @{open_path} rPx -> child-open-help, owner @{user_cache_dirs}/evolution/addressbook/{,**} r, owner @{user_share_dirs}/folks/relationships.ini r, diff --git a/apparmor.d/groups/gnome/gnome-extensions-app b/apparmor.d/groups/gnome/gnome-extensions-app index 29899f8f1..f1e229b59 100644 --- a/apparmor.d/groups/gnome/gnome-extensions-app +++ b/apparmor.d/groups/gnome/gnome-extensions-app @@ -16,6 +16,7 @@ profile gnome-extensions-app @{exec_path} { @{sh_path} rix, @{bin}/gjs-console rix, + @{open_path} rPx -> child-open-help, /usr/share/gnome-shell/org.gnome.Extensions* r, /usr/share/terminfo/** r, diff --git a/apparmor.d/groups/gnome/gnome-firmware b/apparmor.d/groups/gnome/gnome-firmware index 7d33b3103..af44afbec 100644 --- a/apparmor.d/groups/gnome/gnome-firmware +++ b/apparmor.d/groups/gnome/gnome-firmware @@ -24,6 +24,7 @@ profile gnome-firmware @{exec_path} { #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-font-viewer b/apparmor.d/groups/gnome/gnome-font-viewer index 2e16f9f41..0895bd7f0 100644 --- a/apparmor.d/groups/gnome/gnome-font-viewer +++ b/apparmor.d/groups/gnome/gnome-font-viewer @@ -12,6 +12,7 @@ profile gnome-font-viewer @{exec_path} { include @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-logs b/apparmor.d/groups/gnome/gnome-logs index ae81fc825..5e3ab03bd 100644 --- a/apparmor.d/groups/gnome/gnome-logs +++ b/apparmor.d/groups/gnome/gnome-logs @@ -13,6 +13,7 @@ profile gnome-logs @{exec_path} { include @{exec_path} mr, + @{open_path} rPx -> child-open-help, /etc/machine-id r, diff --git a/apparmor.d/groups/gnome/gnome-maps b/apparmor.d/groups/gnome/gnome-maps index 1f2faafbb..294d6229a 100644 
--- a/apparmor.d/groups/gnome/gnome-maps +++ b/apparmor.d/groups/gnome/gnome-maps @@ -22,6 +22,8 @@ profile gnome-maps @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + audit @{bin}/gjs-console rix, owner @{user_pictures_dirs}/** rw, diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index a40c25fd8..834e67037 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -28,6 +28,9 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { #aa:dbus talk bus=session name=org.freedesktop.Tracker3.Writeback label=tracker-writeback @{exec_path} mr, + + @{open_path} rPx -> child-open-help, + @{bin}/ r, @{bin}/env r, @{bin}/python3.@{int} rix, diff --git a/apparmor.d/groups/gnome/gnome-recipes b/apparmor.d/groups/gnome/gnome-recipes index 5ebd788c0..900259447 100644 --- a/apparmor.d/groups/gnome/gnome-recipes +++ b/apparmor.d/groups/gnome/gnome-recipes @@ -24,6 +24,7 @@ profile gnome-recipes @{exec_path} { @{exec_path} mr, @{bin}/tar rix, + @{open_path} rPx -> child-open-help, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-text-editor b/apparmor.d/groups/gnome/gnome-text-editor index efbb55f35..22823753b 100644 --- a/apparmor.d/groups/gnome/gnome-text-editor +++ b/apparmor.d/groups/gnome/gnome-text-editor @@ -19,6 +19,8 @@ profile gnome-text-editor @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + owner @{user_share_dirs}/org.gnome.TextEditor/{,**} rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gnome-tour b/apparmor.d/groups/gnome/gnome-tour index 1dcb2af68..8ae95f4a0 100644 --- a/apparmor.d/groups/gnome/gnome-tour +++ b/apparmor.d/groups/gnome/gnome-tour @@ -13,6 +13,7 @@ profile gnome-tour @{exec_path} { include @{exec_path} mr, + @{open_path} rPx -> child-open-help, include if exists } 
diff --git a/apparmor.d/groups/gnome/gnome-weather b/apparmor.d/groups/gnome/gnome-weather index 11e75cb2a..c73ff0a19 100644 --- a/apparmor.d/groups/gnome/gnome-weather +++ b/apparmor.d/groups/gnome/gnome-weather @@ -23,6 +23,7 @@ profile gnome-weather @{exec_path} { @{exec_path} mr, @{bin}/gjs-console rix, + @{open_path} rPx -> child-open-help, /usr/share/org.gnome.Weather/{,**} r, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index 71d8f7504..d9b709f99 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -10,8 +10,6 @@ include profile yelp @{exec_path} { include include - include - include include network netlink raw, @@ -19,6 +17,7 @@ profile yelp @{exec_path} { #aa:dbus own bus=session name=org.gnome.Yelp @{exec_path} mr, + @{open_path} rPx -> child-open-help, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -32,7 +31,7 @@ profile yelp @{exec_path} { @{sys}/devices/virtual/dmi/id/chassis_type r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, - owner @{sys}/fs/cgroup/user.slice/user-1000.slice/user@1000.service/app.slice/*.slice/*/memory.* r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index 92977471b..e66d8d66a 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -17,6 +17,8 @@ profile baobab @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + # As a directory tree analyzer it needs full access to the filesystem / r, /** r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 57eb19aef..1ea3b8e73 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller 
@@ -9,8 +9,6 @@ include @{exec_path} = @{bin}/file-roller profile file-roller @{exec_path} { include - include - include include include include @@ -23,6 +21,8 @@ profile file-roller @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + # Archivers @{bin}/7z rix, @{bin}/7zz rix, @@ -38,8 +38,6 @@ profile file-roller @{exec_path} { @{bin}/zstd rix, @{lib}/p7zip/7z rix, - / r, - @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index 0474684e7..b1c485408 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -32,6 +32,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { @{bin}/gjs-console rix, @{bin}/xdg-dbus-proxy rix, @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open-help, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix, @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess rix, @@ -65,7 +66,6 @@ profile foliate @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/smaps r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/statm r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-a-f/fractal b/apparmor.d/profiles-a-f/fractal index 20eaa34af..637cc0970 100644 --- a/apparmor.d/profiles-a-f/fractal +++ b/apparmor.d/profiles-a-f/fractal 
@@ -23,23 +23,17 @@ profile fractal @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /usr/share/xml/iso-codes/{,**} r, + @{open_path} rPx -> child-open-help, - / r, + /usr/share/xml/iso-codes/{,**} r, owner @{tmp}/.@{rand6} rw, owner @{tmp}/.goutputstream-@{rand6} rw, owner @{tmp}/@{rand6} rw, - @{sys}/fs/cgroup/user.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r, - owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r, - @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ r, diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot index e7d84b0b3..9c5d5b9d6 100644 --- a/apparmor.d/profiles-s-z/snapshot +++ b/apparmor.d/profiles-s-z/snapshot @@ -17,11 +17,11 @@ profile snapshot @{exec_path} { @{exec_path} mr, + @{open_path} rPx -> child-open-help, + owner @{user_pictures_dirs}/Camera/{,**} rw, owner @{user_videos_dirs}/Camera/{,**} rw, - owner @{PROC}/@{pid}/task/@{tid}/comm rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 7a7dd709e..a71a80c06 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -10,8 +10,6 @@ include profile totem @{exec_path} flags=(attach_disconnected) { include include - include - include include include include @@ -30,6 +28,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/bwrap rCx -> bwrap, + @{open_path} rPx -> child-open-help, /usr/share/xml/iso-codes/{,**} r, /usr/share/grilo-plugins/{,**} r, @@ -56,7 +55,6 @@ profile totem @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/task/@{tid}/comm w, deny @{user_share_dirs}/gvfs-metadata/* r, 
From 18a71512a9519585216f6fec11b4b7371630990f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 4 Oct 2024 14:42:11 +0100 Subject: [PATCH 238/315] feat(tunable): add u32 & u64. - Reorganize the file - @{u32} == @{uid} --- apparmor.d/tunables/multiarch.d/system | 80 ++++++++++++++++---------- 1 file changed, 50 insertions(+), 30 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 40f56216d..2dd715567 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -2,8 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# To allow extended personalisation without breaking everything. -# All apparmor profiles should always use the variables defined here. +# Base variables +# -------------- # Any digit @{d}=[0-9] 
@@ -23,18 +23,23 @@ # Integer up to 10 digits (0-9999999999) @{int}=@{d}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},}{@{d},} -# Unsigned integer over 8 bits (0-255) -# 0 - 99 100 - 199 200 - 249 250 - 255 -@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] - -# Unsigned integer over 16 bits (0-65535, 5 digits) -@{u16}=@{d}{@{d},}{@{d},}{@{d},}{@{d},} - # hexadecimal, alphanumeric and word up to 64 characters @{hex}=@{h}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},}{@{h},} @{rand}=@{c}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},}{@{c},} @{word}=@{w}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} +# Unsigned integer over 8 bits (0...255) +@{u8}=[0-9]{[0-9],} 1[0-9][0-9] 2[0-4][0-9] 25[0-5] + +# Unsigned integer over 16 bits (0...65,535 5 digits) 
+@{u16}={@{d},[1-9]@{d},[1-9][@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}} + +# Unsigned integer over 32 bits (0...4,294,967,295 10 digits) +@{u32}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-4]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + +# Unsigned integer over 64 bits (0...18,446,744,073,709,551,615 20 digits). +@{u64}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},[1-9]@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d},1@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}@{d}} + # Any x digits characters @{int2}=@{d}@{d} @{int4}=@{int2}@{int2} 
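Review bot: The new `@{u16}` value contains a stray `[` in its three-digit alternative, `[1-9][@{d}@{d}`, which looks like a typo for `[1-9]@{d}@{d}` and will most likely be parsed as an unterminated character class. Since `@{busname}=:1.@{u16}` (a later hunk of this patch) and every rule built on it depend on this variable, the fix should be `+@{u16}={@{d},[1-9]@{d},[1-9]@{d}@{d},[1-9]@{d}@{d}@{d},[1-6]@{d}@{d}@{d}@{d}}`. The upper-bound comments are also looser than the patterns: the 5-digit branch accepts up to 69999, `@{u32}`'s `[1-4]` prefix up to 4999999999 and `@{u64}`'s `1` prefix up to 19999999999999999999, so "(0...65,535 5 digits)" could read "(up to 5 digits, approximates 0...65535)" to avoid implying an exact bound.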
@@ -88,23 +93,9 @@ @{word32}=@{word16}@{word16} @{word64}=@{word32}@{word32} -# Universally unique identifier -@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} -# Username & group valid characters -@{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} -@{group}=@{user} - -# Semantic version -@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},} - -# Shortcut for PCI device -@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} -@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} -@{pci}=@{pci_bus}/**/ - -# hci devices -@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c} +# System Paths +# ------------ # @{MOUNTDIRS} is a space-separated list of where user mount directories # are stored, for programs that must enumerate all mount directories on a 
@@ -121,17 +112,46 @@ # Common places for temporary files @{tmp}=/tmp/ /tmp/user/@{uid}/ -# Udev data dynamic assignment ranges -@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 -@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -# Dbus unique name -@{busname}=:1.@{u16} :not.active.yet +# System Variables +# ---------------- # Common architecture names @{arch}=x86_64 amd64 i386 i686 +# Dbus unique name +@{busname}=:1.@{u16} :not.active.yet + +# Universally unique identifier +@{uuid}=@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}[-_]@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h}@{h} + +# Username & group valid characters +@{user}=[a-zA-Z_]{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},}{@{w},} +@{group}=@{user} + +# Semantic version +@{version}=@{int}{.@{int},}{.@{int},}{-@{rand},} + # OpenSUSE does not have the same multiarch structure @{multiarch}+=*-suse-linux* #aa:only opensuse + +# System Internal +# --------------- + +# Shortcut for PCI device +@{pci_id}=@{h}@{h}@{h}@{h}:@{h}@{h}:@{h}@{h}.@{h} +@{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} +@{pci}=@{pci_bus}/**/ + +# hci devices +@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c} + +# Udev data dynamic assignment ranges +@{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 +@{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 + +# Container path given to attach_disconnected.path=@{ct}@{profile_name} +@{ct}=/ct- + # vim:syntax=apparmor From 4b5f7f2b5238fc65815a74efdecc8c81fc473fb3 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 4 Oct 2024 16:14:40 +0100 Subject: [PATCH 239/315] chore: document build the enabled task. --- cmd/prebuild/main.go | 19 ++++++++----------- pkg/prebuild/cli/cli.go | 20 +++++--------------- pkg/prebuild/prepare/merge.go | 2 +- 3 files changed, 14 insertions(+), 27 deletions(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 51bbca854..25e422cfd 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -20,18 +20,18 @@ func init() { // Define the tasks applied by default prepare.Register( - "synchronise", - "ignore", - "merge", - "configure", - "setflags", - "overwrite", - "systemd-default", + "synchronise", // Initialize a new clean apparmor.d build directory + "ignore", // Ignore profiles and files from dist/ignore + "merge", // Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory + "configure", // Set distribution specificities + "setflags", // Set flags as definied in dist/flags + "overwrite", // Overwrite dummy upstream profiles + "systemd-default", // Set systemd unit drop in files for dbus profiles ) // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in the userspace profile + "userspace", // Resolve variable in the userspace profile "dev", // Temporary fix for #74, #80 & #235 ) @@ -65,9 +65,6 @@ func init() { /etc/apparmor.d/whonix-firewall ` } - if prebuild.ABI == 3 { - builder.Register("abi3") - } } func main() { diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index e629b46c5..da19c1171 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go 
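Review bot: The comment on the `"setflags"` entry has a typo: `"setflags", // Set flags as definied in dist/flags` should read `"setflags", // Set flags as defined in dist/flags`. The second hunk removes the `abi3` registration from `init()`, which is only safe because the cli.go hunk in this same patch re-registers it, so the two changes must land together.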
@@ -86,21 +86,11 @@ func Prebuild() { builder.Register("enforce") } - switch abi { - case 3: - prebuild.ABI = 3 - builder.Register("abi3") - case 4: - prebuild.ABI = 4 - for i, b := range builder.Builds { - if b.Name() == "abi3" { - builder.Builds = append(builder.Builds[:i], builder.Builds[i+1:]...) - break - } - } - case nilABI: - default: - logging.Fatal("ABI %d not supported", abi) + if abi != nilABI { + prebuild.ABI = abi + } + if prebuild.ABI == 3 { + builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 } if file != "" { diff --git a/pkg/prebuild/prepare/merge.go b/pkg/prebuild/prepare/merge.go index 75945b812..d2c720003 100644 --- a/pkg/prebuild/prepare/merge.go +++ b/pkg/prebuild/prepare/merge.go @@ -20,7 +20,7 @@ func init() { RegisterTask(&Merge{ Base: prebuild.Base{ Keyword: "merge", - Msg: "Merge all profiles into a unified apparmor.d directory", + Msg: "Merge profiles (from group/, profiles-*-*/) to a unified apparmor.d directory", }, }) } From 7757038a4f463f464da290e01a0b3e05ede3482d Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 5 Oct 2024 23:03:41 +0100 Subject: [PATCH 240/315] build: update path helpers --- pkg/paths/process.go | 5 ++-- .../{process_others.go => process_linux.go} | 28 ++++++++++++++++++- 2 files changed, 30 insertions(+), 3 deletions(-) rename pkg/paths/{process_others.go => process_linux.go} (69%) diff --git a/pkg/paths/process.go b/pkg/paths/process.go index 4c8692866..ebfe71343 100644 --- a/pkg/paths/process.go +++ b/pkg/paths/process.go @@ -55,7 +55,8 @@ func NewProcess(extraEnv []string, args ...string) (*Process, error) { cmd: exec.Command(args[0], args[1:]...), } p.cmd.Env = append(os.Environ(), extraEnv...) - p.TellCommandNotToSpawnShell() + tellCommandNotToSpawnShell(p.cmd) // windows specific + tellCommandToStartOnNewProcessGroup(p.cmd) // linux specific // This is required because some tools detects if the program is running // from terminal by looking at the stdin/out bindings. 
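Review bot: Replacing the `switch abi` with `if abi != nilABI { prebuild.ABI = abi }` drops the `default:` branch, so a value other than 3 or 4 is now accepted silently: `prebuild.ABI` is set to it, no converter is registered, and the build proceeds with an ABI the tooling does not support. Keep the rejection, e.g. `if abi != nilABI && abi != 3 && abi != 4 { logging.Fatal("ABI %d not supported", abi) }` before the assignment. Prebuild's body continues outside the hunk, and where `prebuild.ABI` gets its default when `abi == nilABI` is not visible here.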
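Review bot: `tellCommandNotToSpawnShell(p.cmd) // windows specific` and `tellCommandToStartOnNewProcessGroup(p.cmd) // linux specific` are now both supplied by the renamed `process_linux.go`, whose `_linux` suffix is a build constraint, so on any other GOOS these calls and `kill` have no definition unless a file not in this diff provides them. If cross-platform builds are not a goal, a comment at the call site saying the package is Linux-only would save the next reader the check; otherwise a non-Linux file with no-op implementations is needed. NewProcess's body continues outside the hunk.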
@@ -146,7 +147,7 @@ func (p *Process) Signal(sig os.Signal) error { // actually exited. This only kills the Process itself, not any other processes it may // have started. func (p *Process) Kill() error { - return p.cmd.Process.Kill() + return kill(p.cmd) } // SetDir sets the working directory of the command. If Dir is the empty string, Run diff --git a/pkg/paths/process_others.go b/pkg/paths/process_linux.go similarity index 69% rename from pkg/paths/process_others.go rename to pkg/paths/process_linux.go index 39bd3e161..5735a85c3 100644 --- a/pkg/paths/process_others.go +++ b/pkg/paths/process_linux.go @@ -31,8 +31,34 @@ package paths -import "os/exec" +import ( + "os/exec" + "syscall" +) func tellCommandNotToSpawnShell(_ *exec.Cmd) { // no op } + +func tellCommandToStartOnNewProcessGroup(oscmd *exec.Cmd) { + // https://groups.google.com/g/golang-nuts/c/XoQ3RhFBJl8 + + // Start the process in a new process group. + // This is needed to kill the process and its children + // if we need to kill the process. + if oscmd.SysProcAttr == nil { + oscmd.SysProcAttr = &syscall.SysProcAttr{} + } + oscmd.SysProcAttr.Setpgid = true +} + +func kill(oscmd *exec.Cmd) error { + // https://groups.google.com/g/golang-nuts/c/XoQ3RhFBJl8 + + // Kill the process group + pgid, err := syscall.Getpgid(oscmd.Process.Pid) + if err != nil { + return err + } + return syscall.Kill(-pgid, syscall.SIGKILL) +} From 36f620dab18c82237d1b624e0525ef60b712cca7 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 15:39:21 +0100 Subject: [PATCH 241/315] tests: add 'make check' for common issues in Apparmor profiles. --- .gitlab-ci.yml | 2 +- Makefile | 19 ++++++------ tests/check.sh | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 90 insertions(+), 9 deletions(-) create mode 100644 tests/check.sh diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7737e2d3c..40f212768 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
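Review bot: `kill` signals `-pgid` with SIGKILL, which is only safe because `tellCommandToStartOnNewProcessGroup` set `Setpgid` so the child's group is its own; if a caller ever builds a `Process` that skips that step, `Getpgid` returns the parent's group and the call kills prebuild itself along with everything else in that group. A cheap guard is `if pgid == syscall.Getpgrp() { return oscmd.Process.Kill() }` before the `syscall.Kill`. `oscmd.Process` is also dereferenced unchecked, so `Kill` on a never-started command panics, as the previous `p.cmd.Process.Kill()` did.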
@@ -23,7 +23,7 @@ bash: image: koalaman/shellcheck-alpine script: - shellcheck --shell=bash - PKGBUILD dists/build.sh dists/docker.sh + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh golangci-lint: diff --git a/Makefile b/Makefile index e8929aec8..9b25bb5ec 100644 --- a/Makefile +++ b/Makefile @@ -4,12 +4,12 @@ # SPDX-License-Identifier: GPL-2.0-only DESTDIR ?= / -BUILD := .build -PKGDEST := /tmp/pkg +BUILD ?= .build +PKGDEST ?= /tmp/pkg PKGNAME := apparmor.d P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) -.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint man docs serve clean +.PHONY: all build enforce full install local $(P) dev package pkg dpkg rpm tests lint check manual docs serve clean all: build @./${BUILD}/prebuild --complain @@ -101,18 +101,21 @@ lint: @golangci-lint run @make --directory=tests lint @shellcheck --shell=bash \ - PKGBUILD dists/build.sh dists/docker.sh \ + PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \ tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \ debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm -man: - pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md +check: + @bash tests/check.sh + +manual: + @pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md docs: - ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict serve: - ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve + @ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve clean: @rm -rf \ diff --git a/tests/check.sh b/tests/check.sh new file mode 100644 index 000000000..5704ebfba --- /dev/null +++ b/tests/check.sh 
@@ -0,0 +1,78 @@ +#!/usr/bin/env bash +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +# Usage: make check +# shellcheck disable=SC2044 + +set -eu -o pipefail + +readonly APPARMORD="apparmor.d" + +check_profiles() { + echo "⋅ Checking if all profiles contain:" + echo " - 'abi ,'" + echo " - 'profile *profile_name* {'" + echo " - 'include if exists '" + echo " - include if exists local for subprofiles" + directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") + # shellcheck disable=SC2068 + for dir in ${directories[@]}; do + for file in $(find "$dir" -maxdepth 1 -type f); do + case "$file" in */README.md) continue ;; esac + name="$(basename "$file")" + name="${name/.apparmor.d/}" + include="include if exists " + if ! grep -q "^ *${include}$" "$file"; then + echo "$name does not contain '$include'" + exit 1 + fi + if ! grep -q "^ *abi ," "$file"; then + echo "$name does not contain 'abi ,'" + exit 1 + fi + if ! grep -q "^profile $name" "$file"; then + echo "$name does not contain 'profile $name'" + exit 1 + fi + mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') + for subprofile in "${subrofiles[@]}"; do + include="include if exists " + if ! grep -q "^ *${include}$" "$file"; then + echo "$name: $name//$subprofile does not contain '$include'" + exit 1 + fi + done + done + done +} + +check_abstractions() { + echo "⋅ Checking if all abstractions contain:" + echo " - 'abi ,'" + echo " - 'include if exists '" + directories=( + "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" + "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" + ) + for dir in "${directories[@]}"; do + for file in $(find "$dir" -maxdepth 1 -type f); do + name="$(basename "$file")" + root="${dir/${APPARMORD}\/abstractions\//}" + include="include if exists " + if ! grep -q "^ *${include}$" "$file"; then + echo "$file does not contain '$include'" + exit 1 + fi + # if ! 
grep -q "^ *abi ," "$file"; then + # echo "$file does not contain 'abi ,'" + # exit 1 + # fi + done + done + +} + +check_profiles +check_abstractions From 105a9b4def4582b7025f09d00136d13517f8e061 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 15:46:07 +0100 Subject: [PATCH 242/315] feat(profile): cleanup and remove open subprofile when it is useless. --- apparmor.d/groups/apt/querybts | 35 +------- apparmor.d/profiles-a-f/arduino | 27 +------ apparmor.d/profiles-a-f/cawbird | 36 ++------- apparmor.d/profiles-a-f/czkawka-gui | 28 +------ apparmor.d/profiles-a-f/deltachat-desktop | 87 ++++++-------------- apparmor.d/profiles-a-f/deluser | 17 ++-- apparmor.d/profiles-g-l/gtk-youtube-viewer | 28 +------ apparmor.d/profiles-g-l/hardinfo | 94 ++++++++-------------- apparmor.d/profiles-m-r/mediainfo-gui | 24 +----- apparmor.d/profiles-m-r/orage | 36 +-------- apparmor.d/profiles-m-r/quiterss | 80 +++++------------- apparmor.d/profiles-s-z/smtube | 29 +------ apparmor.d/profiles-s-z/udiskie | 32 +------- apparmor.d/profiles-s-z/xarchiver | 40 +-------- 14 files changed, 111 insertions(+), 482 deletions(-) diff --git a/apparmor.d/groups/apt/querybts b/apparmor.d/groups/apt/querybts index da7c45275..5c46246a2 100644 --- a/apparmor.d/groups/apt/querybts +++ b/apparmor.d/groups/apt/querybts @@ -33,7 +33,7 @@ profile querybts @{exec_path} { @{bin}/stty rix, @{bin}/ldconfig rix, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open-browsers, @{bin}/dpkg rPx -> child-dpkg, 
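Review bot: The subprofile discovery in `check_profiles`, `grep "^ *profile*" "$file"`, is not the pattern it reads as: the trailing `*` quantifies the `e`, so the regex matches any line beginning with optional spaces and `profil`, and because the leading ` *` allows zero spaces it also matches the top-level `profile $name` line, feeding the main profile back into the subprofile loop. Anchor it to an indented, whole-word keyword, e.g. `grep -E "^[[:space:]]+profile[[:space:]]" "$file"`; if the displayed whitespace was collapsed and the original already has two leading spaces, the `*` still needs to come off the `e`. While touching that line, `subrofiles` is a typo for `subprofiles`. The `include` strings being checked are not fully visible here, so I cannot confirm what the loop compares against.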
@@ -46,41 +46,14 @@ profile querybts @{exec_path} { /etc/dpkg/origins/ r, /etc/dpkg/origins/debian r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - owner @{PROC}/@{pid}/fd/ r, - /etc/fstab r, /var/lib/dbus/machine-id r, /etc/machine-id r, - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, include if exists } diff --git a/apparmor.d/profiles-a-f/arduino b/apparmor.d/profiles-a-f/arduino index 0304dbc6c..cfac12d42 100644 --- a/apparmor.d/profiles-a-f/arduino +++ b/apparmor.d/profiles-a-f/arduino @@ -39,7 +39,7 @@ profile arduino @{exec_path} { @{bin}/chmod rix, @{bin}/avrdude rix, - @{bin}/xdg-open rCx -> open, + @{open_path} rCx -> child-open, @{bin}/dpkg-architecture rPx, @{bin}/arduino-builder rPx, @@ -109,31 +109,6 @@ profile arduino @{exec_path} { # Silencer deny /usr/share/arduino/** w, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - @{bin}/spacefm rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/cawbird b/apparmor.d/profiles-a-f/cawbird index ab2ac687c..0d8c6a000 100644 --- a/apparmor.d/profiles-a-f/cawbird +++ b/apparmor.d/profiles-a-f/cawbird 
@@ -31,8 +31,12 @@ profile cawbird @{exec_path} { @{sh_path} rix, - @{bin}/xdg-open rCx -> open, - @{bin}/exo-open rCx -> open, + @{open_path} rPx -> child-open, + + /usr/share/xml/iso-codes/{,**} r, + + /var/lib/dbus/machine-id r, + /etc/machine-id r, owner @{user_config_dirs}/cawbird/ rw, owner @{user_config_dirs}/cawbird/** rwk, @@ -40,36 +44,8 @@ profile cawbird @{exec_path} { owner @{user_cache_dirs}/ rw, owner @{user_cache_dirs}/cawbird-* rw, - /usr/share/xml/iso-codes/{,**} r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - owner @{PROC}/@{pid}/fd/ r, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/czkawka-gui b/apparmor.d/profiles-a-f/czkawka-gui index 30dc56b29..d7bb93f41 100644 --- a/apparmor.d/profiles-a-f/czkawka-gui +++ b/apparmor.d/profiles-a-f/czkawka-gui @@ -18,7 +18,7 @@ profile czkawka-gui @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, # Dirs to scan for duplicates #owner @{HOME}/** rw, @@ -38,32 +38,6 @@ profile czkawka-gui @{exec_path} { @{sys}/fs/cgroup/{,**} r, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - #@{lib}/firefox/firefox rPx, - @{bin}/smplayer rPx, - @{bin}/geany rPx, - @{bin}/viewnior rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index b3afbfc09..4f60099a9 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop 
+++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -7,13 +7,9 @@ abi , include -@{DCD_LIBDIR} = @{lib}/deltachat-desktop -@{DCD_LIBDIR} += @{lib}/deltachat -@{DCD_LIBDIR} += /opt/DeltaChat/ +@{lib_dirs} = @{lib}/deltachat-desktop @{lib}/deltachat /opt/DeltaChat/ -@{exec_path} = /usr/bin/deltachat-desktop -@{exec_path} += /opt/DeltaChat/deltachat-desktop -#@{exec_path} += @{DCD_LIBDIR}/deltachat-desktop +@{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include include @@ -35,15 +31,18 @@ profile deltachat-desktop @{exec_path} { @{exec_path} mrix, - @{DCD_LIBDIR}/ r, - @{DCD_LIBDIR}/** r, - @{DCD_LIBDIR}/libffmpeg.so mr, - @{DCD_LIBDIR}/{swiftshader/,}libGLESv2.so mr, - @{DCD_LIBDIR}/{swiftshader/,}libEGL.so mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.node mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so mr, - @{DCD_LIBDIR}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, - @{DCD_LIBDIR}/chrome-sandbox rPx, + @{lib_dirs}/ r, + @{lib_dirs}/** r, + @{lib_dirs}/libffmpeg.so mr, + @{lib_dirs}/{swiftshader/,}libGLESv2.so mr, + @{lib_dirs}/{swiftshader/,}libEGL.so mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.node mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so mr, + @{lib_dirs}/resources/app.asar.unpacked/node_modules/**.so.[0-9]* mr, + @{lib_dirs}/chrome-sandbox rPx, + + @{bin}/xdg-settings rPx, + @{open_path} rPx -> child-open-browsers, owner @{user_config_dirs}/DeltaChat/ rw, owner @{user_config_dirs}/DeltaChat/** rwk, 
@@ -53,58 +52,24 @@ profile deltachat-desktop @{exec_path} { owner @{tmp}/@{hex}/db.sqlite rwk, owner @{tmp}/@{hex}/db.sqlite-journal rw, - @{PROC}/ r, - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pids}/task/ r, - @{PROC}/@{pids}/task/@{tid}/status r, - @{PROC}/@{pids}/stat r, - owner @{PROC}/@{pids}/statm r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pids}/oom_{,score_}adj r, - deny owner @{PROC}/@{pids}/oom_{,score_}adj w, - owner @{PROC}/@{pid}/cgroup r, - @{PROC}/sys/kernel/yama/ptrace_scope r, - @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/ r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/task/ r, + @{PROC}/@{pid}/task/@{tid}/status r, + @{PROC}/sys/fs/inotify/max_user_watches r, + @{PROC}/sys/kernel/yama/ptrace_scope r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/oom_{,score_}adj rw, + owner @{PROC}/@{pid}/statm r, - /dev/ r, + /dev/ r, # (#FIXME#) deny @{sys}/bus/pci/devices/ r, - deny @{sys}/devices/virtual/tty/tty@{int}/active r, - # no new privs - @{bin}/xdg-settings rPx, - - @{bin}/xdg-open rCx -> open, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index 540079175..eac7429bf 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser 
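Review bot: In the /proc block, the former `deny owner @{PROC}/@{pid}/cmdline r` and `deny owner @{PROC}/@{pids}/oom_{,score_}adj w` rules come back as plain allows, `owner @{PROC}/@{pid}/cmdline r,` and `owner @{PROC}/@{pid}/oom_{,score_}adj rw,`, and `deny @{sys}/devices/virtual/tty/tty@{int}/active r` disappears entirely; that widens the profile inside a commit described as removing a useless subprofile. If the goal was only to silence log noise, the explicit `deny` form already did that without granting the access; if the access is genuinely required (presumably the Electron runtime adjusting its own OOM score), say so in the commit message or in a one-line comment such as `# was deny; write needed by the renderer, allowed deliberately`. Narrowing `@{pids}` to `@{pid}` on the stat/task lines is a welcome tightening. The deltachat-desktop profile continues beyond this hunk.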
@@ -14,24 +14,18 @@ profile deluser @{exec_path} { include include - # The deluser command is issued as root and its task is to delete regular user accounts. It - # optionally can remove user files (via --remove-home or --remove-all-files) or create a backup. - # Because of that, the deluser command needs the following CAPs to be able to do so. capability dac_read_search, capability dac_override, @{exec_path} r, @{bin}/perl r, - @{sh_path} rix, - - @{bin}/userdel rPx, + @{sh_path} rix, + @{bin}/crontab rPx, + @{bin}/gpasswd rPx, @{bin}/groupdel rPx, - @{bin}/gpasswd rPx, - - @{bin}/crontab rPx, - - @{bin}/mount rCx -> mount, + @{bin}/mount rCx -> mount, + @{bin}/userdel rPx, /etc/adduser.conf r, /etc/deluser.conf r, @@ -45,7 +39,6 @@ profile deluser @{exec_path} { / r, /** rw, - profile mount { include diff --git a/apparmor.d/profiles-g-l/gtk-youtube-viewer b/apparmor.d/profiles-g-l/gtk-youtube-viewer index 18c3bd445..029e542ee 100644 --- a/apparmor.d/profiles-g-l/gtk-youtube-viewer +++ b/apparmor.d/profiles-g-l/gtk-youtube-viewer @@ -40,8 +40,7 @@ profile gtk-youtube-viewer @{exec_path} { @{lib}/firefox/firefox rPx, - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{open_path} rPx -> child-open, owner @{user_config_dirs}/youtube-viewer/{,*} rw, @@ -91,30 +90,7 @@ profile gtk-youtube-viewer @{exec_path} { # file_inherit owner @{HOME}/.xsession-errors w, - } - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/hardinfo b/apparmor.d/profiles-g-l/hardinfo index 79c77f3a7..f91887297 100644 
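Review bot: The three-line comment explaining why deluser carries `capability dac_read_search` and `capability dac_override` (it runs as root and may remove or back up a user's files) is deleted along with the reordering, leaving two powerful capabilities next to the existing `/** rw,` rule with no rationale for the next maintainer. Keep a one-line why-comment above them, e.g. `# Needed to remove or back up user files (--remove-home, --remove-all-files)`. Sorting the `rPx` lines alphabetically is fine. The profile continues past this hunk.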
--- a/apparmor.d/profiles-g-l/hardinfo +++ b/apparmor.d/profiles-g-l/hardinfo @@ -12,9 +12,7 @@ profile hardinfo @{exec_path} { include include include - include - include - include + include include include include @@ -49,7 +47,7 @@ profile hardinfo @{exec_path} { @{lib}/@{multiarch}/valgrind/memcheck-*-linux rix, @{bin}/lsb_release rPx -> lsb_release, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, @{bin}/ccache rCx -> ccache, @{bin}/kmod rCx -> kmod, @@ -62,8 +60,22 @@ profile hardinfo @{exec_path} { @{lib}/jvm/java-[0-9]*-openjdk-amd64/bin/javac rCx -> javac, + /usr/share/gdb/python/ r, + /usr/share/gdb/python/** r, /usr/share/hardinfo/{,**} r, + /etc/fstab r, + /etc/exports r, + /etc/samba/smb.conf r, + + /etc/gdb/gdbinit.d/ r, + + /var/log/wtmp r, + + owner @{HOME}/.hardinfo/ rw, + + owner @{tmp}/#@{int} rw, + @{sys}/class/power_supply/ r, @{sys}/class/thermal/ r, @{sys}/bus/i2c/drivers/eeprom/ r, 
@@ -78,48 +90,27 @@ profile hardinfo @{exec_path} { @{sys}/devices/@{pci}/hwmon/hwmon@{int}/temp* r, @{sys}/devices/**/power_supply/** r, - @{PROC}/@{pid}/net/wireless r, - @{PROC}/@{pid}/net/dev r, @{PROC}/@{pid}/net/arp r, + @{PROC}/@{pid}/net/dev r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/wireless r, + @{PROC}/@{pids}/loginuid r, + @{PROC}/asound/cards r, + @{PROC}/bus/input/devices r, + @{PROC}/dma r, + @{PROC}/iomem r, + @{PROC}/ioports r, + @{PROC}/loadavg r, + @{PROC}/scsi/scsi r, + @{PROC}/sys/kernel/random/entropy_avail r, + @{PROC}/uptime r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - @{PROC}/@{pids}/loginuid r, - @{PROC}/uptime r, - @{PROC}/loadavg r, - @{PROC}/ioports r, - @{PROC}/iomem r, - @{PROC}/dma r, - @{PROC}/asound/cards r, - @{PROC}/scsi/scsi r, - @{PROC}/bus/input/devices r, - @{PROC}/sys/kernel/random/entropy_avail r, - @{PROC}/@{pids}/net/route r, - /etc/fstab r, - /etc/exports r, - /etc/samba/smb.conf r, - - /etc/gdb/gdbinit.d/ r, - - /usr/share/gdb/python/ r, - /usr/share/gdb/python/** r, - - /var/log/wtmp r, - - owner @{HOME}/.hardinfo/ rw, - - owner @{tmp}/#@{int} rw, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # Silencer - deny /usr/share/gdb/python/** w, - - # file_inherit owner /dev/tty@{int} rw, + deny /usr/share/gdb/python/** w, profile ccache { include @@ -134,6 +125,7 @@ profile hardinfo @{exec_path} { /etc/debian_version r, + include if exists } profile javac { @@ -157,29 +149,7 @@ profile hardinfo @{exec_path} { owner @{tmp}/hsperfdata_@{user}/ rw, owner @{tmp}/hsperfdata_@{user}/@{pid} rw, - } - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - + include if exists } profile kmod { 
diff --git a/apparmor.d/profiles-m-r/mediainfo-gui b/apparmor.d/profiles-m-r/mediainfo-gui index 1d18d5187..5a723d002 100644 --- a/apparmor.d/profiles-m-r/mediainfo-gui +++ b/apparmor.d/profiles-m-r/mediainfo-gui @@ -19,29 +19,7 @@ profile mediainfo-gui @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, - - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - @{lib}/firefox/firefox rPx, - - owner @{HOME}/ r, - owner @{run}/user/@{uid}/ r, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } + @{open_path} rPx -> child-open-browsers, include if exists } diff --git a/apparmor.d/profiles-m-r/orage b/apparmor.d/profiles-m-r/orage index 39d9a35dd..f87c0fa92 100644 --- a/apparmor.d/profiles-m-r/orage +++ b/apparmor.d/profiles-m-r/orage @@ -21,9 +21,9 @@ profile orage @{exec_path} { @{bin}/globaltime rPx, - @{bin}/xdg-open rCx -> open, - @{bin}/exo-open rCx -> open, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/orage/ rw, owner @{user_config_dirs}/orage/* rw, @@ -35,38 +35,8 @@ profile orage @{exec_path} { owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/mounts r, - /etc/fstab r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-m-r/quiterss b/apparmor.d/profiles-m-r/quiterss index 05de0d490..89395f8b5 100644 --- a/apparmor.d/profiles-m-r/quiterss +++ b/apparmor.d/profiles-m-r/quiterss 
@@ -10,22 +10,16 @@ include @{exec_path} = @{bin}/quiterss profile quiterss @{exec_path} { include - include - include - include - include - include - include - include - include - include - include - include - include - include - include - include include + include + include + include + include + include + include + include + include + include network inet dgram, network inet6 dgram, @@ -36,9 +30,14 @@ profile quiterss @{exec_path} { @{exec_path} mr, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, /usr/share/quiterss/** r, + + /etc/fstab r, + /etc/machine-id r, + /var/lib/dbus/machine-id r, + owner @{user_config_dirs}/QuiteRss/ rw, owner @{user_config_dirs}/QuiteRss/** rwkl -> @{user_config_dirs}/QuiteRss/**, owner @{user_share_dirs}/QuiteRss/ rw, 
@@ -46,55 +45,20 @@ profile quiterss @{exec_path} { owner @{user_cache_dirs}/QuiteRss/ rw, owner @{user_cache_dirs}/QuiteRss/** rwl -> @{user_cache_dirs}/QuiteRss/**, - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/sys/kernel/random/boot_id r, - deny owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - - /etc/fstab r, - - /var/lib/dbus/machine-id r, - /etc/machine-id r, - - /usr/share/hwdata/pnp.ids r, - - /dev/shm/#@{int} rw, - owner @{tmp}/qtsingleapp-quiter-@{int}-@{int} rw, owner @{tmp}/qtsingleapp-quiter-@{int}-@{int}-lockfile rwk, owner /var/tmp/etilqs_@{hex16} rw, - # Allowed apps to open - @{lib}/firefox/firefox rPUx, + @{PROC}/sys/kernel/random/boot_id r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + + /dev/shm/#@{int} rw, - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/smtube b/apparmor.d/profiles-s-z/smtube index bbb404c8f..c318328b6 100644 --- a/apparmor.d/profiles-s-z/smtube +++ b/apparmor.d/profiles-s-z/smtube 
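Review bot: `deny @{PROC}/sys/kernel/random/boot_id r` and `deny owner @{PROC}/@{pid}/cmdline r` are rewritten as allow rules, `@{PROC}/sys/kernel/random/boot_id r,` and `owner @{PROC}/@{pid}/cmdline r,`, so this hunk grants what the profile blocked on purpose; boot_id is a stable per-boot identifier that was presumably denied to avoid exposing it to a feed reader. If the widening is intentional it belongs in the commit message; otherwise keep the `deny` prefix on both lines. Dropping `/usr/share/hwdata/pnp.ids r` may also regress Qt display-name lookups unless one of the newly included abstractions now covers it, which is not visible here.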
@@ -68,38 +68,11 @@ profile smtube @{exec_path} { @{bin}/youtube-dl rPUx, @{bin}/yt-dlp rPUx, - @{bin}/xdg-open rCx -> open, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, + @{open_path} rPx -> child-open, # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/udiskie b/apparmor.d/profiles-s-z/udiskie index 6105c7dae..014955032 100644 --- a/apparmor.d/profiles-s-z/udiskie +++ b/apparmor.d/profiles-s-z/udiskie @@ -26,7 +26,9 @@ profile udiskie @{exec_path} { @{bin}/python3.@{int} r, @{bin}/ r, - @{bin}/xdg-open rCx -> open, + @{open_path} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/udiskie/ r, owner @{user_config_dirs}/udiskie/config.yml r, @@ -35,37 +37,9 @@ profile udiskie @{exec_path} { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, - /etc/fstab r, - - # Allowed apps to open - @{bin}/spacefm rPx, - # Silencer deny @{lib}/** w, - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/spacefm rPx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 514ea5c36..9f87e3b9d 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver 
@@ -42,7 +42,9 @@ profile xarchiver @{exec_path} { # For deb packages @{bin}/{,@{multiarch}-}ar rix, - @{bin}/xdg-open rCx -> open, + @{path_open} rPx -> child-open, + + /etc/fstab r, owner @{user_config_dirs}/xarchiver/ rw, owner @{user_config_dirs}/xarchiver/xarchiverrc{,.*} rw, @@ -58,46 +60,12 @@ profile xarchiver @{exec_path} { /tmp/ r, owner @{tmp}/** rw, - owner @{PROC}/@{pid}/fd/ r, @{PROC}/@{pid}/mountinfo r, @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/fd/ r, - /etc/fstab r, - - # Allowed apps to open - @{bin}/engrampa rPUx, - @{bin}/geany rPUx, - @{bin}/viewnior rPUx, - - # file_inherit owner /dev/tty@{int} rw, - - profile open { - include - include - - @{bin}/xdg-open mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{bin}/engrampa rPUx, - @{bin}/geany rPUx, - @{bin}/viewnior rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - include if exists } From 7ccaab823425208639ba1bbd89c550349668bcdf Mon Sep 17 00:00:00 2001 
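Review bot: The new exec rule uses `@{path_open}`, while every other profile touched by this commit uses `@{open_path}`; unless a `path_open` variable is declared somewhere not visible here, apparmor_parser will reject the profile for an undeclared variable, and xarchiver would then fail to load at all. Change the line to `@{open_path} rPx -> child-open,`. The rest of the profile continues in the following hunk.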
From: Alexandre Pujol Date: Sun, 6 Oct 2024 15:57:47 +0100 Subject: [PATCH 243/315] chore(profile): add abi and local include when missing. --- apparmor.d/groups/apt/apt-key | 2 +- apparmor.d/groups/apt/debconf-apt-progress | 1 + apparmor.d/groups/apt/dpkg-architecture | 1 + apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/cron/cron-apt-listbugs | 1 + apparmor.d/groups/cron/cron-debsums | 1 + apparmor.d/groups/cron/cron-popularity-contest | 2 +- apparmor.d/groups/freedesktop/xdg-desktop-icon | 2 +- apparmor.d/groups/gnome/gdm-prime-defaut | 2 +- apparmor.d/groups/network/openvpn | 2 ++ apparmor.d/groups/pacman/yay | 2 +- apparmor.d/groups/ssh/ssh-sk-helper | 2 ++ apparmor.d/groups/systemd/journalctl | 2 +- apparmor.d/groups/systemd/systemd-resolved | 2 +- .../{systemd-sleep-grub2 => systemd-sleep-grub} | 0 apparmor.d/groups/ubuntu/subiquity-console-conf | 1 + apparmor.d/groups/ubuntu/ubuntu-advantage | 1 + apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot | 1 + apparmor.d/groups/virt/libvirtd | 2 ++ apparmor.d/groups/whonix/whonix-firewalld | 4 ++-- apparmor.d/groups/xfce/xfce-panel | 2 +- apparmor.d/profiles-a-f/acpi-powerbtn | 2 ++ apparmor.d/profiles-a-f/adequate | 3 +++ apparmor.d/profiles-a-f/anacron | 2 +- apparmor.d/profiles-a-f/archivemount | 2 +- apparmor.d/profiles-a-f/aspell-autobuildhash | 1 + apparmor.d/profiles-a-f/changestool | 1 + apparmor.d/profiles-a-f/check-support-status | 2 +- apparmor.d/profiles-a-f/check-support-status-hook | 4 ++++ apparmor.d/profiles-a-f/chpasswd | 2 ++ apparmor.d/profiles-a-f/claws-mail | 1 + apparmor.d/profiles-a-f/conky | 1 + apparmor.d/profiles-a-f/cupsd | 2 ++ apparmor.d/profiles-a-f/deluser | 1 + apparmor.d/profiles-a-f/dhclient-script | 1 + apparmor.d/profiles-a-f/dlocate | 2 +- apparmor.d/profiles-a-f/etckeeper | 1 + apparmor.d/profiles-a-f/execute-dput | 1 + apparmor.d/profiles-a-f/frontend | 1 + apparmor.d/profiles-a-f/fuseiso | 1 + apparmor.d/profiles-a-f/fwupdmgr | 2 +- apparmor.d/profiles-g-l/gpartedbin | 
2 +- apparmor.d/profiles-g-l/i3lock-fancy | 1 + apparmor.d/profiles-g-l/ifup | 1 + apparmor.d/profiles-g-l/{imv-wayland => imv} | 2 +- apparmor.d/profiles-g-l/initd-kexec-load | 2 ++ apparmor.d/profiles-g-l/jmtpfs | 1 + apparmor.d/profiles-g-l/linux-check-removal | 1 + apparmor.d/profiles-m-r/murmurd | 2 ++ apparmor.d/profiles-m-r/obexfs | 1 + apparmor.d/profiles-m-r/pam-auth-update | 1 + apparmor.d/profiles-m-r/reprepro | 2 +- apparmor.d/profiles-m-r/run-parts | 3 +++ apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/tasksel | 3 ++- apparmor.d/profiles-s-z/update-dlocatedb | 1 + apparmor.d/profiles-s-z/update-pciids | 1 + apparmor.d/profiles-s-z/update-smart-drivedb | 2 ++ apparmor.d/profiles-s-z/uupdate | 2 +- apparmor.d/profiles-s-z/yadifad | 2 ++ apparmor.d/profiles-s-z/youtube-viewer | 12 ++++++------ 61 files changed, 84 insertions(+), 28 deletions(-) rename apparmor.d/groups/systemd/{systemd-sleep-grub2 => systemd-sleep-grub} (100%) rename apparmor.d/profiles-g-l/{imv-wayland => imv} (94%) diff --git a/apparmor.d/groups/apt/apt-key b/apparmor.d/groups/apt/apt-key index 25a53282d..f73df39d1 100644 --- a/apparmor.d/groups/apt/apt-key +++ b/apparmor.d/groups/apt/apt-key @@ -102,7 +102,7 @@ profile apt-key @{exec_path} { owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/apt/debconf-apt-progress b/apparmor.d/groups/apt/debconf-apt-progress index 7b80201df..4ddcca5ca 100644 --- a/apparmor.d/groups/apt/debconf-apt-progress +++ b/apparmor.d/groups/apt/debconf-apt-progress @@ -46,6 +46,7 @@ profile debconf-apt-progress @{exec_path} flags=(complain) { /etc/shadow r, + include if exists } include if exists diff --git a/apparmor.d/groups/apt/dpkg-architecture b/apparmor.d/groups/apt/dpkg-architecture index e5ccb2f89..a58257271 100644 --- a/apparmor.d/groups/apt/dpkg-architecture +++ b/apparmor.d/groups/apt/dpkg-architecture 
@@ -45,6 +45,7 @@ profile dpkg-architecture @{exec_path} { /etc/debian_version r, + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 61dce67db..7db10924c 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -74,7 +74,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-apt-listbugs b/apparmor.d/groups/cron/cron-apt-listbugs index f2623dbf4..1b3f40d87 100644 --- a/apparmor.d/groups/cron/cron-apt-listbugs +++ b/apparmor.d/groups/cron/cron-apt-listbugs @@ -33,6 +33,7 @@ profile cron-apt-listbugs @{exec_path} { /var/spool/apt-listbugs/lastprefclean rw, + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-debsums b/apparmor.d/groups/cron/cron-debsums index 33e785ee0..5a7adf141 100644 --- a/apparmor.d/groups/cron/cron-debsums +++ b/apparmor.d/groups/cron/cron-debsums @@ -43,6 +43,7 @@ profile cron-debsums @{exec_path} { owner @{PROC}/@{pid}/fd/3 rw, + include if exists } include if exists diff --git a/apparmor.d/groups/cron/cron-popularity-contest b/apparmor.d/groups/cron/cron-popularity-contest index a1247a0b9..dd50a7494 100644 --- a/apparmor.d/groups/cron/cron-popularity-contest +++ b/apparmor.d/groups/cron/cron-popularity-contest @@ -152,7 +152,7 @@ profile cron-popularity-contest @{exec_path} { owner @{tmp}/#@{int} rw, # file_inherit - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-icon b/apparmor.d/groups/freedesktop/xdg-desktop-icon index 0d8512b5c..ba699bdbd 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-icon +++ b/apparmor.d/groups/freedesktop/xdg-desktop-icon @@ -39,7 +39,7 @@ profile xdg-desktop-icon @{exec_path} { include include include - include if exists + include if exists } include if exists 
diff --git a/apparmor.d/groups/gnome/gdm-prime-defaut b/apparmor.d/groups/gnome/gdm-prime-defaut index b5b111604..189e166f2 100644 --- a/apparmor.d/groups/gnome/gdm-prime-defaut +++ b/apparmor.d/groups/gnome/gdm-prime-defaut @@ -7,7 +7,7 @@ abi , include @{exec_path} = /etc/gdm{3,}/{Init,Prime}/Default -profile gdm-defaut @{exec_path} flags=(complain) { +profile gdm-prime-defaut @{exec_path} flags=(complain) { include @{exec_path} mr, diff --git a/apparmor.d/groups/network/openvpn b/apparmor.d/groups/network/openvpn index 3e6a1cb55..532c65f78 100644 --- a/apparmor.d/groups/network/openvpn +++ b/apparmor.d/groups/network/openvpn @@ -90,6 +90,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { /etc/iproute2/rt_tables r, /etc/iproute2/rt_tables.d/ r, + include if exists } profile force-user-traffic-via-vpn { @@ -121,6 +122,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) { owner @{PROC}/sys/net/ipv{4,}/route/flush w, + include if exists } include if exists diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index 32ac11d7e..c737d4caa 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -60,7 +60,7 @@ profile yay @{exec_path} { owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**, owner @{user_config_dirs}/git/{,*} r, - include if exists + include if exists } profile editor { diff --git a/apparmor.d/groups/ssh/ssh-sk-helper b/apparmor.d/groups/ssh/ssh-sk-helper index defa9ac1b..d913e2a2d 100644 --- a/apparmor.d/groups/ssh/ssh-sk-helper +++ b/apparmor.d/groups/ssh/ssh-sk-helper @@ -2,6 +2,8 @@ # Copyright (C) 2024 valoq # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{lib}/ssh/ssh-sk-helper diff --git a/apparmor.d/groups/systemd/journalctl b/apparmor.d/groups/systemd/journalctl index 6020f60fa..3c5595345 100644 --- a/apparmor.d/groups/systemd/journalctl +++ b/apparmor.d/groups/systemd/journalctl 
@@ -55,7 +55,7 @@ profile journalctl @{exec_path} flags=(attach_disconnected) { deny network inet stream, deny network inet6 stream, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index ff5a98134..9b6bfdd94 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved @@ -50,7 +50,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/hostname r, @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub2 b/apparmor.d/groups/systemd/systemd-sleep-grub similarity index 100% rename from apparmor.d/groups/systemd/systemd-sleep-grub2 rename to apparmor.d/groups/systemd/systemd-sleep-grub diff --git a/apparmor.d/groups/ubuntu/subiquity-console-conf b/apparmor.d/groups/ubuntu/subiquity-console-conf index 1b04bd383..58323b8ff 100644 --- a/apparmor.d/groups/ubuntu/subiquity-console-conf +++ b/apparmor.d/groups/ubuntu/subiquity-console-conf @@ -109,6 +109,7 @@ profile subiquity-console-conf @{exec_path} { /var/lib/dbus/machine-id r, /etc/machine-id r, + include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage b/apparmor.d/groups/ubuntu/ubuntu-advantage index 92b9deef7..abbde2455 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage @@ -87,6 +87,7 @@ profile ubuntu-advantage @{exec_path} { /dev/kmsg w, + include if exists } include if exists diff --git a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot index 7fb3a2b29..86ac61f41 100644 --- a/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot +++ b/apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot 
@@ -45,6 +45,7 @@ profile update-motd-fsck-at-reboot @{exec_path} { /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index f6519a619..e1aa55d57 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -290,6 +290,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/status r, /dev/net/tun rw, + + include if exists } include if exists diff --git a/apparmor.d/groups/whonix/whonix-firewalld b/apparmor.d/groups/whonix/whonix-firewalld index f0f8f5d46..01e1cb418 100644 --- a/apparmor.d/groups/whonix/whonix-firewalld +++ b/apparmor.d/groups/whonix/whonix-firewalld @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/whonix_firewall @{lib}/whonix-firewall/reloadfirewall -profile whonix-firewall @{exec_path} { +profile whonix-firewalld @{exec_path} { include include include @@ -45,7 +45,7 @@ profile whonix-firewall @{exec_path} { owner @{run}/updatesproxycheck/{,**} rw, owner @{run}/whonix_firewall/{,**} rw, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/groups/xfce/xfce-panel b/apparmor.d/groups/xfce/xfce-panel index 3c91e7893..7b192ffc5 100644 --- a/apparmor.d/groups/xfce/xfce-panel +++ b/apparmor.d/groups/xfce/xfce-panel @@ -48,7 +48,7 @@ profile xfce-panel @{exec_path} { @{bin}/lsblk rPx, - include if exists + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/acpi-powerbtn b/apparmor.d/profiles-a-f/acpi-powerbtn index 2a87bdb85..c25d94526 100644 --- a/apparmor.d/profiles-a-f/acpi-powerbtn +++ b/apparmor.d/profiles-a-f/acpi-powerbtn @@ -43,6 +43,8 @@ profile acpi-powerbtn flags=(attach_disconnected) { /dev/tty rw, owner /dev/tty@{int} rw, + + include if exists } profile bus flags=(complain) { diff --git a/apparmor.d/profiles-a-f/adequate b/apparmor.d/profiles-a-f/adequate index 404a09840..6f2e1d5c7 100644 --- a/apparmor.d/profiles-a-f/adequate 
+++ b/apparmor.d/profiles-a-f/adequate @@ -64,6 +64,7 @@ profile adequate @{exec_path} flags=(complain) { @{lib}/@{multiarch}/ld-*.so rix, @{lib}{,x}32/ld-*.so rix, + include if exists } profile frontend flags=(complain) { @@ -98,6 +99,7 @@ profile adequate @{exec_path} flags=(complain) { /etc/shadow r, + include if exists } profile pkg-config flags=(complain) { @@ -105,6 +107,7 @@ profile adequate @{exec_path} flags=(complain) { @{bin}/pkg-config mr, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/anacron b/apparmor.d/profiles-a-f/anacron index 06c50aee3..3e7c9d092 100644 --- a/apparmor.d/profiles-a-f/anacron +++ b/apparmor.d/profiles-a-f/anacron @@ -39,7 +39,7 @@ profile anacron @{exec_path} { owner @{tmp}/#@{int} rw, owner @{tmp}/file@{rand6} rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/archivemount b/apparmor.d/profiles-a-f/archivemount index 6489139d9..64f25e181 100644 --- a/apparmor.d/profiles-a-f/archivemount +++ b/apparmor.d/profiles-a-f/archivemount @@ -29,7 +29,6 @@ profile archivemount @{exec_path} { /dev/fuse rw, - profile fusermount { include include @@ -52,6 +51,7 @@ profile archivemount @{exec_path} { @{PROC}/@{pid}/mounts r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/aspell-autobuildhash b/apparmor.d/profiles-a-f/aspell-autobuildhash index 9920fb2b3..769f15cf0 100644 --- a/apparmor.d/profiles-a-f/aspell-autobuildhash +++ b/apparmor.d/profiles-a-f/aspell-autobuildhash @@ -69,6 +69,7 @@ profile aspell-autobuildhash @{exec_path} flags=(complain) { owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/changestool b/apparmor.d/profiles-a-f/changestool index 6ff8ed55d..c73243041 100644 --- a/apparmor.d/profiles-a-f/changestool +++ b/apparmor.d/profiles-a-f/changestool 
@@ -33,6 +33,7 @@ profile changestool @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ r, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/check-support-status b/apparmor.d/profiles-a-f/check-support-status index 1a1d4bfd6..313fa6c54 100644 --- a/apparmor.d/profiles-a-f/check-support-status +++ b/apparmor.d/profiles-a-f/check-support-status @@ -65,7 +65,6 @@ profile check-support-status @{exec_path} { /usr/share/debian-security-support/ r, /usr/share/debian-security-support/* r, - profile debconf-escape { include include @@ -75,6 +74,7 @@ profile check-support-status @{exec_path} { owner @{tmp}/debian-security-support.postinst.*/output r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/check-support-status-hook b/apparmor.d/profiles-a-f/check-support-status-hook index b77bcfd6d..5eb0eda0f 100644 --- a/apparmor.d/profiles-a-f/check-support-status-hook +++ b/apparmor.d/profiles-a-f/check-support-status-hook @@ -58,6 +58,7 @@ profile check-support-status-hook @{exec_path} { /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output r, + include if exists } profile frontend { @@ -90,6 +91,7 @@ profile check-support-status-hook @{exec_path} { owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, + include if exists } profile runuser { @@ -124,6 +126,8 @@ profile check-support-status-hook @{exec_path} { /tmp/ r, owner @{tmp}/debian-security-support.postinst.*/output w, + + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/profiles-a-f/chpasswd index 1fd84f53c..fb8438cc1 100644 --- a/apparmor.d/profiles-a-f/chpasswd +++ b/apparmor.d/profiles-a-f/chpasswd @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{bin}/chpasswd 
diff --git a/apparmor.d/profiles-a-f/claws-mail b/apparmor.d/profiles-a-f/claws-mail index 82387d044..7c5486c50 100644 --- a/apparmor.d/profiles-a-f/claws-mail +++ b/apparmor.d/profiles-a-f/claws-mail @@ -66,6 +66,7 @@ profile claws-mail @{exec_path} flags=(complain) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/conky b/apparmor.d/profiles-a-f/conky index 9116a116e..3c059abcf 100644 --- a/apparmor.d/profiles-a-f/conky +++ b/apparmor.d/profiles-a-f/conky @@ -200,6 +200,7 @@ profile conky @{exec_path} { deny @{PROC}/@{pid}/net/route r, deny @{sys}/devices/**/hwmon/**/temp*_input r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/cupsd b/apparmor.d/profiles-a-f/cupsd index 9511c7495..ac9984746 100644 --- a/apparmor.d/profiles-a-f/cupsd +++ b/apparmor.d/profiles-a-f/cupsd @@ -2,6 +2,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{bin}/cupsd diff --git a/apparmor.d/profiles-a-f/deluser b/apparmor.d/profiles-a-f/deluser index eac7429bf..1f2e86579 100644 --- a/apparmor.d/profiles-a-f/deluser +++ b/apparmor.d/profiles-a-f/deluser @@ -48,6 +48,7 @@ profile deluser @{exec_path} { @{sys}/devices/virtual/block/**/name r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dhclient-script b/apparmor.d/profiles-a-f/dhclient-script index 1552ee0e4..b650498cf 100644 --- a/apparmor.d/profiles-a-f/dhclient-script +++ b/apparmor.d/profiles-a-f/dhclient-script @@ -77,6 +77,7 @@ profile dhclient-script @{exec_path} { # file_inherit owner /var/lib/dhcp/dhclient.leases r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/dlocate b/apparmor.d/profiles-a-f/dlocate index ff042c321..9f78af639 100644 --- a/apparmor.d/profiles-a-f/dlocate +++ b/apparmor.d/profiles-a-f/dlocate 
@@ -49,7 +49,6 @@ profile dlocate @{exec_path} { / r, - profile md5sum { include @@ -59,6 +58,7 @@ profile dlocate @{exec_path} { /boot/** r, /usr/** r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/etckeeper b/apparmor.d/profiles-a-f/etckeeper index d42b07dee..023d13b47 100644 --- a/apparmor.d/profiles-a-f/etckeeper +++ b/apparmor.d/profiles-a-f/etckeeper @@ -73,6 +73,7 @@ profile etckeeper @{exec_path} { owner @{PROC}/@{pid}/fd/ r, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/execute-dput b/apparmor.d/profiles-a-f/execute-dput index 915213dac..0decde05c 100644 --- a/apparmor.d/profiles-a-f/execute-dput +++ b/apparmor.d/profiles-a-f/execute-dput @@ -46,6 +46,7 @@ profile execute-dput @{exec_path} flags=(complain) { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/frontend b/apparmor.d/profiles-a-f/frontend index 51bfc3610..ac8a6a5a8 100644 --- a/apparmor.d/profiles-a-f/frontend +++ b/apparmor.d/profiles-a-f/frontend @@ -121,6 +121,7 @@ profile frontend @{exec_path} flags=(complain) { /tmp/ r, owner @{tmp}/** rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/fuseiso b/apparmor.d/profiles-a-f/fuseiso index 330a8b07e..ed2bcc936 100644 --- a/apparmor.d/profiles-a-f/fuseiso +++ b/apparmor.d/profiles-a-f/fuseiso @@ -58,6 +58,7 @@ profile fuseiso @{exec_path} { /dev/fuse rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 382822fab..1ec9fe657 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -54,7 +54,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { profile bus flags=(attach_disconnected) { include include - include if exists + include if exists } include if exists 
diff --git a/apparmor.d/profiles-g-l/gpartedbin b/apparmor.d/profiles-g-l/gpartedbin index e6f32d27c..6cc77b9bc 100644 --- a/apparmor.d/profiles-g-l/gpartedbin +++ b/apparmor.d/profiles-g-l/gpartedbin @@ -94,7 +94,7 @@ profile gpartedbin @{exec_path} { @{bin}/mount mr, - include if exists + include if exists } profile umount { diff --git a/apparmor.d/profiles-g-l/i3lock-fancy b/apparmor.d/profiles-g-l/i3lock-fancy index 242c43de5..78c5081d6 100644 --- a/apparmor.d/profiles-g-l/i3lock-fancy +++ b/apparmor.d/profiles-g-l/i3lock-fancy @@ -67,6 +67,7 @@ profile i3lock-fancy @{exec_path} { # file_inherit owner /dev/tty@{int} rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index 7df4e5ea6..c800267c7 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -92,6 +92,7 @@ profile ifup @{exec_path} { /etc/network/if-up.d/openvpn rPUx, /etc/network/if-up.d/wpasupplicant rPUx, + include if exists } profile kmod { diff --git a/apparmor.d/profiles-g-l/imv-wayland b/apparmor.d/profiles-g-l/imv similarity index 94% rename from apparmor.d/profiles-g-l/imv-wayland rename to apparmor.d/profiles-g-l/imv index d83945934..f75e4c957 100644 --- a/apparmor.d/profiles-g-l/imv-wayland +++ b/apparmor.d/profiles-g-l/imv @@ -25,7 +25,7 @@ profile imv @{exec_path} { owner @{run}/user/@{uid}/imv-*.sock w, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-g-l/initd-kexec-load b/apparmor.d/profiles-g-l/initd-kexec-load index eb5b6ead1..1b27d1a4e 100644 --- a/apparmor.d/profiles-g-l/initd-kexec-load +++ b/apparmor.d/profiles-g-l/initd-kexec-load @@ -48,6 +48,7 @@ profile initd-kexec-load @{exec_path} { /etc/default/kexec.d/ r, + include if exists } profile systemctl { @@ -74,6 +75,7 @@ profile initd-kexec-load @{exec_path} { owner @{run}/systemd/ask-password/ rw, owner @{run}/systemd/ask-password-block/* rw, + include if exists } include if exists 
diff --git a/apparmor.d/profiles-g-l/jmtpfs b/apparmor.d/profiles-g-l/jmtpfs index 57ab39a75..eb51b1239 100644 --- a/apparmor.d/profiles-g-l/jmtpfs +++ b/apparmor.d/profiles-g-l/jmtpfs @@ -58,6 +58,7 @@ profile jmtpfs @{exec_path} { @{PROC}/@{pid}/mounts r, + include if exists } include if exists diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 9854fd554..a0c184032 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -46,6 +46,7 @@ profile linux-check-removal @{exec_path} flags=(complain) { owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, /usr/share/debconf/templates/adequate.templates r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/murmurd b/apparmor.d/profiles-m-r/murmurd index aca74e562..9d7663ebb 100644 --- a/apparmor.d/profiles-m-r/murmurd +++ b/apparmor.d/profiles-m-r/murmurd @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{bin}/murmurd diff --git a/apparmor.d/profiles-m-r/obexfs b/apparmor.d/profiles-m-r/obexfs index 07eb4a20d..5a9d0dfbf 100644 --- a/apparmor.d/profiles-m-r/obexfs +++ b/apparmor.d/profiles-m-r/obexfs @@ -48,6 +48,7 @@ profile obexfs @{exec_path} { @{PROC}/@{pid}/mounts r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update index e9da3686d..e2846f8e6 100644 --- a/apparmor.d/profiles-m-r/pam-auth-update +++ b/apparmor.d/profiles-m-r/pam-auth-update @@ -60,6 +60,7 @@ profile pam-auth-update @{exec_path} flags=(complain) { /etc/shadow r, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/reprepro b/apparmor.d/profiles-m-r/reprepro index 7710953b8..866b7cbfa 100644 --- a/apparmor.d/profiles-m-r/reprepro +++ b/apparmor.d/profiles-m-r/reprepro 
@@ -55,7 +55,6 @@ profile reprepro @{exec_path} { owner @{user_build_dirs}/pbuilder/result/*.deb r, owner @{user_build_dirs}/pbuilder/result/*.tar.* r, - profile gpg { include @@ -66,6 +65,7 @@ profile reprepro @{exec_path} { owner @{HOME}/@{XDG_GPG_DIR}/ rw, owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**, + include if exists } include if exists diff --git a/apparmor.d/profiles-m-r/run-parts b/apparmor.d/profiles-m-r/run-parts index 1347ca211..69e8c4d0d 100644 --- a/apparmor.d/profiles-m-r/run-parts +++ b/apparmor.d/profiles-m-r/run-parts @@ -191,6 +191,8 @@ profile run-parts @{exec_path} { @{PROC}/@{pids}/mounts r, /dev/tty@{int} rw, + + include if exists } profile kernel { @@ -248,6 +250,7 @@ profile run-parts @{exec_path} { @{PROC}/devices r, @{PROC}/cmdline r, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index ea81f6593..b781ae1d0 100644 --- a/apparmor.d/profiles-s-z/sensors-detect +++ b/apparmor.d/profiles-s-z/sensors-detect @@ -50,7 +50,7 @@ profile sensors-detect @{exec_path} { include include - include if exists + include if exists } profile systemctl { diff --git a/apparmor.d/profiles-s-z/tasksel b/apparmor.d/profiles-s-z/tasksel index 9073591f5..bc2779d51 100644 --- a/apparmor.d/profiles-s-z/tasksel +++ b/apparmor.d/profiles-s-z/tasksel @@ -40,13 +40,13 @@ profile tasksel @{exec_path} flags=(complain) { owner @{tmp}/file* w, - profile tasksel-tests flags=(complain) { include @{lib}/tasksel/tests/* r, @{sh_path} rix, + include if exists } profile frontend flags=(complain) { @@ -76,6 +76,7 @@ profile tasksel @{exec_path} flags=(complain) { /etc/shadow r, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/update-dlocatedb b/apparmor.d/profiles-s-z/update-dlocatedb index c0f3a9cb0..c0e64f0f9 100644 --- a/apparmor.d/profiles-s-z/update-dlocatedb +++ b/apparmor.d/profiles-s-z/update-dlocatedb 
@@ -58,6 +58,7 @@ profile update-dlocatedb @{exec_path} { @{bin}/gzip rix, /var/lib/dlocate/dlocatedb.gz rw, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index 5f5b39ec8..3d07f75d9 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -62,6 +62,7 @@ profile update-pciids @{exec_path} { /usr/share/misc/pci.ids.new w, /usr/share/misc/pci.ids.gz.new w, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/update-smart-drivedb b/apparmor.d/profiles-s-z/update-smart-drivedb index 2dcd3cc9e..2ce61cebf 100644 --- a/apparmor.d/profiles-s-z/update-smart-drivedb +++ b/apparmor.d/profiles-s-z/update-smart-drivedb @@ -58,6 +58,7 @@ profile update-smart-drivedb @{exec_path} { owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/ rw, owner /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/** rwkl -> /var/lib/smartmontools/drivedb/.gnupg.@{int}.tmp/**, + include if exists } profile browse { @@ -88,6 +89,7 @@ profile update-smart-drivedb @{exec_path} { /var/lib/smartmontools/drivedb/drivedb.h.new{,.raw.asc} w, + include if exists } include if exists diff --git a/apparmor.d/profiles-s-z/uupdate b/apparmor.d/profiles-s-z/uupdate index 2d429135f..8858a80f1 100644 --- a/apparmor.d/profiles-s-z/uupdate +++ b/apparmor.d/profiles-s-z/uupdate @@ -50,7 +50,7 @@ profile uupdate @{exec_path} flags=(complain) { # For package building owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/yadifad b/apparmor.d/profiles-s-z/yadifad index bb896bd8c..15599fa72 100644 --- a/apparmor.d/profiles-s-z/yadifad +++ b/apparmor.d/profiles-s-z/yadifad @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +abi , + include @{exec_path} = @{bin}/yadifad 
diff --git a/apparmor.d/profiles-s-z/youtube-viewer b/apparmor.d/profiles-s-z/youtube-viewer index ac8e8f215..46b0c6c06 100644 --- a/apparmor.d/profiles-s-z/youtube-viewer +++ b/apparmor.d/profiles-s-z/youtube-viewer @@ -32,12 +32,6 @@ profile youtube-viewer @{exec_path} { @{bin}/wget rCx -> wget, - owner @{user_config_dirs}/youtube-viewer/{,*} rw, - owner @{user_cache_dirs}/youtube-viewer/{,*} rw, - owner @{HOME}/Downloads/youtube-viewer/{,*} rw, - - /etc/inputrc r, - # Players @{bin}/mpv rPUx, @{bin}/vlc rPUx, @@ -45,6 +39,11 @@ profile youtube-viewer @{exec_path} { @{bin}/ffmpeg rPUx, + /etc/inputrc r, + + owner @{user_config_dirs}/youtube-viewer/{,*} rw, + owner @{user_cache_dirs}/youtube-viewer/{,*} rw, + owner @{HOME}/Downloads/youtube-viewer/{,*} rw, profile wget { include @@ -62,6 +61,7 @@ profile youtube-viewer @{exec_path} { owner @{HOME}/.wget-hsts r, owner @{HOME}/wget-log{,.@{int}} rw, + include if exists } include if exists From afb1831fc32c2d9bd536536c882ad241a604c85e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 15:58:53 +0100 Subject: [PATCH 244/315] chore(profile): remove jdownloader Note: this profile was for a locally installed program. --- apparmor.d/profiles-g-l/jdownloader | 128 ---------------------------- 1 file changed, 128 deletions(-) delete mode 100644 apparmor.d/profiles-g-l/jdownloader diff --git a/apparmor.d/profiles-g-l/jdownloader b/apparmor.d/profiles-g-l/jdownloader deleted file mode 100644 index 1220e9bbd..000000000 --- a/apparmor.d/profiles-g-l/jdownloader +++ /dev/null 
@@ -1,128 +0,0 @@ -# apparmor.d - Full set of apparmor profiles -# Copyright (C) 2018-2021 Mikhail Morfikov -# Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-2.0-only - -abi , - -include - -@{JD_INSTALLDIR} = /home/*/jd2 - -@{exec_path} = @{JD_INSTALLDIR}/*JDownloader* -profile jdownloader @{exec_path} { - include - include - include - include - include - include - include - - @{exec_path} rix, - - @{bin}/basename rix, - @{bin}/dirname rix, - @{bin}/expr rix, - @{bin}/cut rix, - @{bin}/ls rix, - @{bin}/{,e}grep rix, - @{bin}/find rix, - @{bin}/sed rix, - @{bin}/chmod rix, - - @{bin}/ffmpeg rPx, - - # These are needed when the above tools are in some nonstandard locations - #@{bin}/which{,.debianutils} rix, - #/usr/ r, - #/usr/local/ r, - #@{bin}/ r, - #@{lib}/ r, - - deny /opt/ r, - - owner @{HOME}/ r, - owner @{JD_INSTALLDIR}/ rw, - owner @{JD_INSTALLDIR}/** rwk, - owner @{JD_INSTALLDIR}/jre/bin/java rix, - owner @{JD_INSTALLDIR}/jre/lib/*/jli/libjli.so mrw, - owner @{JD_INSTALLDIR}/jre/lib/*/server/libjvm.so mrw, - owner @{JD_INSTALLDIR}/jre/lib/*/*.so mrw, - owner @{JD_INSTALLDIR}/tmp/jna/jna@{int}.tmp mrw, - owner @{JD_INSTALLDIR}/tmp/7zip/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, - - owner @{HOME}/.oracle_jre_usage/@{hex}.timestamp rw, - owner @{HOME}/.java/.userPrefs/.user.lock.* rwk, - owner @{HOME}/.java/.userPrefs/com/install4j/installations/prefs.xml rw, - owner @{HOME}/.java/fonts/@{int}/ rw, - owner @{HOME}/.java/fonts/@{int}/fcinfo*.tmp rw, - owner @{HOME}/.java/fonts/@{int}/fcinfo-*.properties rw, - - owner @{HOME}/.install4j rw, - - owner @{tmp}/hsperfdata_@{user}/ rw, - owner @{tmp}/hsperfdata_@{user}/@{pid} rw, - # If the @{JD_INSTALLDIR}/tmp/ dir can't be accessed, the /tmp/ dir will be used instead - owner @{tmp}/SevenZipJBinding-*/ rw, - owner @{tmp}/SevenZipJBinding-*/lib7-Zip-JBinding.so mrw, - # For auto updates - owner @{tmp}/lastChanceSrc@{int}lch rw, - owner @{tmp}/lastChanceDst@{int}.jar rw, - owner 
@{tmp}/i4j_log_jd2_@{int}.log rw, - owner @{tmp}/install4jError@{int}.log rw, - - owner @{HOME}/.Xauthority r, - - # What's this for? - deny owner @{HOME}/.mozilla/firefox/ r, - deny owner @{HOME}/.mozilla/firefox/*.*/prefs.js r, - - owner @{PROC}/@{pid}/fd/ r, - deny @{PROC}/@{pid}/net/ipv6_route r, - deny @{PROC}/@{pid}/net/if_inet6 r, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/mounts r, - deny owner @{PROC}/@{pid}/cmdline r, - deny @{PROC}/asound/version r, - - # For Reconnect -> Share Settings/Get Route - #@{bin}/netstat rix, - #@{bin}/route rix, - #@{bin}/ping rix, - #@{bin}/ip rix, - #@{PROC}/@{pid}/net/route r, - - # To open a web browser for CAPTCHA - @{bin}/xdg-open rCx -> open, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, - - - profile open { - include - include - - @{bin}/xdg-open mr, - @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mr, - - @{sh_path} rix, - @{bin}/{m,g,}awk rix, - @{bin}/readlink rix, - @{bin}/basename rix, - - owner @{HOME}/ r, - - owner @{run}/user/@{uid}/ r, - - # Allowed apps to open - @{lib}/firefox/firefox rPUx, - - # file_inherit - owner @{HOME}/.xsession-errors w, - - } - - include if exists -} - -# vim:syntax=apparmor From 1e28428574fdbecd0ec0375ba3490ce355f6dd07 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 16:19:11 +0100 Subject: [PATCH 245/315] ci: run on ubuntu 24.04 & enable make check. --- .github/workflows/main.yml | 12 +++++++----- .gitlab-ci.yml | 5 +++++ apparmor.d/profiles-s-z/xarchiver | 2 +- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 8a57149d5..b3fc6b999 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -8,17 +8,16 @@ jobs: strategy: matrix: os: - # - ubuntu-24.04 + - ubuntu-24.04 - ubuntu-22.04 mode: - default - full-system-policy steps: - - name: Check out repository code uses: actions/checkout@v4 - - name: Install Build dependencies + - name: Install Build dependencies run: | sudo apt-get update -q sudo apt-get install -y \ @@ -39,12 +38,15 @@ jobs: run: sudo dpkg --install ../apparmor.d_*_amd64.deb || true - name: Reload AppArmor - run: | + run: | sudo systemctl restart apparmor.service || true sudo systemctl status apparmor.service - name: Ensure compatibility with some AppArmor userspace tools - run: sudo aa-enforce /etc/apparmor.d/aa-notify + run: + if [[ ${{ matrix.os }} != ubuntu-24.04 ]]; then + sudo aa-enforce /etc/apparmor.d/aa-notify + fi - name: Show AppArmor log and rules run: | diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 40f212768..2aed9b551 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -63,6 +63,11 @@ tests: - go test $(go list ./pkg/... | grep -v /pkg/paths) -v -cover -coverprofile=coverage.out - go tool cover -func=coverage.out +check: + stage: lint + image: registry.gitlab.com/roddhjav/builders/archlinux + script: + - make check # Package Build # ------------- diff --git a/apparmor.d/profiles-s-z/xarchiver b/apparmor.d/profiles-s-z/xarchiver index 9f87e3b9d..003770008 100644 --- a/apparmor.d/profiles-s-z/xarchiver +++ b/apparmor.d/profiles-s-z/xarchiver @@ -42,7 +42,7 @@ profile xarchiver @{exec_path} { # For deb packages @{bin}/{,@{multiarch}-}ar rix, - @{path_open} rPx -> child-open, + @{open_path} rPx -> child-open, /etc/fstab r, From 0e96b3b66f78383fe87aa4ff45c508050ca4191a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 17:44:23 +0100 Subject: [PATCH 246/315] build: cleanup flag manifest. --- dists/flags/main.flags | 12 ------------ dists/flags/ubuntu.flags | 1 - 2 files changed, 13 deletions(-) diff --git a/dists/flags/main.flags b/dists/flags/main.flags index f2c938a19..ac4547850 100644 
--- a/dists/flags/main.flags +++ b/dists/flags/main.flags @@ -9,8 +9,6 @@ systemd attach_disconnected,mediate_deleted,complain systemd-service attach_disconnected,complain systemd-user attach_disconnected,mediate_deleted,complain -aa-load complain -aa-logprof attach_disconnected,complain aa-notify complain akonadi_akonotes_resource complain akonadi_archivemail_agent complain @@ -30,7 +28,6 @@ akonadi_notes_agent complain akonadi_sendlater_agent complain akonadi_unifiedmailbox_agent complain anacron complain -appimagelauncherd complain at complain atd complain auditctl attach_disconnected,complain @@ -49,7 +46,6 @@ cc-remote-login-helper complain cctk complain child-modprobe-nvidia attach_disconnected,complain child-open attach_disconnected,complain -chronyd attach_disconnected,complain cockpit-askpass complain cockpit-bridge complain cockpit-certificate-ensure attach_disconnected,complain @@ -179,7 +175,6 @@ hyprpm complain ibus-engine-table complain ibus-memconf attach_disconnected,complain im-launch complain -init-exim4 complain install-info complain iwctl complain iwd complain @@ -240,7 +235,6 @@ ModemManager attach_disconnected,complain mount attach_disconnected,complain multipath attach_disconnected,complain multipathd complain -netplan complain netplan.script attach_disconnected,complain networkctl attach_disconnected,complain networkd-dispatcher complain @@ -254,7 +248,6 @@ ollama attach_disconnected,complain os-prober attach_disconnected,complain pam_kwallet_init complain pam-tmpdir-helper complain -passim complain passimd attach_disconnected,complain pidof complain pkttyagent complain @@ -268,7 +261,6 @@ plymouth-set-default-theme attach_disconnected,complain plymouthd complain polkit-kde-authentication-agent attach_disconnected,complain,mediate_deleted qdbus complain -realmd complain remmina complain run-parts complain runuser complain 
@@ -314,15 +306,12 @@ swtpm_localca complain swtpm_setup complain systemd-analyze complain systemd-ask-password complain -systemd-battery-check complain systemd-binfmt attach_disconnected,complain -systemd-bsod complain systemd-cgls complain systemd-cgtop complain systemd-cryptsetup complain systemd-dissect attach_disconnected,complain systemd-escape complain -systemd-firstboot complain systemd-generator-bless-boot attach_disconnected,complain systemd-generator-cloud-init attach_disconnected,complain systemd-generator-cryptsetup attach_disconnected,complain @@ -346,7 +335,6 @@ systemd-homework complain systemd-inhibit attach_disconnected,complain systemd-mount complain systemd-network-generator complain -systemd-pcrphase complain systemd-portabled complain systemd-remount-fs complain systemd-resolve complain diff --git a/dists/flags/ubuntu.flags b/dists/flags/ubuntu.flags index 30e21282d..a6d6bcc85 100644 --- a/dists/flags/ubuntu.flags +++ b/dists/flags/ubuntu.flags @@ -13,7 +13,6 @@ livepatch-notification complain notify-reboot-required complain package-data-downloader complain package-system-locked attach_disconnected,complain -pro complain release-upgrade-motd complain software-properties-gtk complain ubuntu-advantage complain From 52b3a1dfd4930c8ddb2971efa833f89c9702a4d4 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 17:44:46 +0100 Subject: [PATCH 247/315] fix(ci): github workflows. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index b3fc6b999..ddc95834a 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -43,7 +43,7 @@ jobs: sudo systemctl status apparmor.service - name: Ensure compatibility with some AppArmor userspace tools - run: + run: | if [[ ${{ matrix.os }} != ubuntu-24.04 ]]; then sudo aa-enforce /etc/apparmor.d/aa-notify fi From effd4ef267f4bcf533912b007f5294506a31ea2b Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 6 Oct 2024 17:51:30 +0100 Subject: [PATCH 248/315] ci: move check job stage. --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 2aed9b551..1acf9151f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -64,7 +64,7 @@ tests: - go tool cover -func=coverage.out check: - stage: lint + stage: test image: registry.gitlab.com/roddhjav/builders/archlinux script: - make check From 856c425dd549d0336ed3c706ff84aa0c1a3b01bf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 20:15:13 +0100 Subject: [PATCH 249/315] chore(build): minor cosmetic. --- pkg/prebuild/cli/cli.go | 2 +- pkg/prebuild/cli/cli_test.go | 2 +- pkg/prebuild/directories.go | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index da19c1171..329729e94 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -61,7 +61,7 @@ func init() { func Prebuild() { flag.Usage = func() { - fmt.Printf("%s%s\n%s\n%s", usage, + fmt.Printf("%s\n%s\n%s\n%s", usage, prebuild.Help("Prepare", prepare.Tasks), prebuild.Help("Build", builder.Builders), directive.Usage(), diff --git a/pkg/prebuild/cli/cli_test.go b/pkg/prebuild/cli/cli_test.go index 782d81756..dab310020 100644 --- a/pkg/prebuild/cli/cli_test.go +++ b/pkg/prebuild/cli/cli_test.go @@ -78,7 +78,7 @@ func Test_Prebuild(t *testing.T) { chdirGitRoot() for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { - setTestBuildDirectories(tt.name) + setTestBuildDirectories(tt.dist) prebuild.Distribution = tt.dist prepare.Prepares = []prepare.Task{} prepare.Register( diff --git a/pkg/prebuild/directories.go b/pkg/prebuild/directories.go index 6fbde10be..cd5958b72 100644 --- a/pkg/prebuild/directories.go +++ b/pkg/prebuild/directories.go 
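Review bot: Switching the argument from `tt.name` to `tt.dist` in `setTestBuildDirectories(tt.dist)` makes every table entry that targets the same distribution share one build directory, so a second case for that dist would start from the previous case's output rather than a clean tree. The test table is outside the hunk, so whether any dist repeats cannot be confirmed here; if it can, `setTestBuildDirectories(tt.name)` kept the isolation, or the helper could take both values. Test_Prebuild begins and ends outside the hunk.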
@@ -10,10 +10,10 @@ var ( // AppArmor ABI version ABI uint = 0 - // Root is the root directory for the build + // Root is the root directory for the build (default: .build) Root *paths.Path = paths.New(".build") - // RootApparmord is the final built apparmor.d directory + // RootApparmord is the final built apparmor.d directory (default: .build/apparmor.d) RootApparmord *paths.Path = Root.Join("apparmor.d") // DistDir is the directory where the distribution specific files are stored From 29a164259867a853dc0ced6be2d07b042d026b15 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 20:17:19 +0100 Subject: [PATCH 250/315] feat(aa-log): unify the isOwner function across features. --- pkg/aa/file.go | 6 +++--- pkg/logs/logs.go | 5 ++--- 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/pkg/aa/file.go b/pkg/aa/file.go index 14ade6997..36c7101a4 100644 --- a/pkg/aa/file.go +++ b/pkg/aa/file.go @@ -29,7 +29,7 @@ func init() { } } -func isOwner(log map[string]string) bool { +func IsOwner(log map[string]string) bool { fsuid, hasFsUID := log["fsuid"] ouid, hasOuUID := log["ouid"] isDbus := strings.Contains(log["operation"], "dbus") @@ -98,7 +98,7 @@ func newFileFromLog(log map[string]string) Rule { return &File{ Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), - Owner: isOwner(log), + Owner: IsOwner(log), Path: log["name"], Access: accesses, Target: log["target"], @@ -262,7 +262,7 @@ func newLinkFromLog(log map[string]string) Rule { return &Link{ Base: newBaseFromLog(log), Qualifier: newQualifierFromLog(log), - Owner: isOwner(log), + Owner: IsOwner(log), Path: log["name"], Target: log["target"], } diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 01c4fcbb4..246394604 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go 
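Review bot: `IsOwner` becomes exported in the first hunk of pkg/aa/file.go but gains no doc comment, which the Go doc convention expects for every exported identifier. The body continues past the hunk; the visible lines read `fsuid`, `ouid` and whether `operation` mentions dbus, so a comment along the lines of `// IsOwner reports whether the AppArmor log entry describes access to an object owned by the accessing process, based on its fsuid and ouid fields.` would fit, adjusted to the actual dbus handling. The callers in newFileFromLog and newLinkFromLog need only the rename.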
@@ -200,12 +200,11 @@ func (aaLogs AppArmorLogs) String() string { for _, log := range aaLogs { seen := map[string]bool{"apparmor": true} res.WriteString(state[log["apparmor"]]) - fsuid := log["fsuid"] - ouid := log["ouid"] + owner := aa.IsOwner(log) for _, key := range keys { if item, present := log[key]; present { - if key == "name" && fsuid == ouid && !strings.Contains(log["operation"], "dbus") { + if key == "name" && owner { res.WriteString(template[key] + " owner" + reset) } if temp, present := template[key]; present { From 01a1af6c1bc5da2d12740c0d1e76f8268f2aa2aa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 6 Oct 2024 20:19:09 +0100 Subject: [PATCH 251/315] feat(systemd): ensure dbus service are started after apparmor. --- systemd/default/system/dbus-broker.service | 3 +++ systemd/default/system/dbus.service | 3 +++ 2 files changed, 6 insertions(+) diff --git a/systemd/default/system/dbus-broker.service b/systemd/default/system/dbus-broker.service index 8d3ed8b73..899828b40 100644 --- a/systemd/default/system/dbus-broker.service +++ b/systemd/default/system/dbus-broker.service @@ -1,2 +1,5 @@ +[Unit] +After=apparmor.service + [Service] AppArmorProfile=dbus-system diff --git a/systemd/default/system/dbus.service b/systemd/default/system/dbus.service index 8d3ed8b73..899828b40 100644 --- a/systemd/default/system/dbus.service +++ b/systemd/default/system/dbus.service @@ -1,2 +1,5 @@ +[Unit] +After=apparmor.service + [Service] AppArmorProfile=dbus-system From 6b0b49824444c7647bd05679d78feb6aff2a6a26 Mon Sep 17 00:00:00 2001 
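Review bot: Replacing the inline `fsuid == ouid && !strings.Contains(log["operation"], "dbus")` with `aa.IsOwner(log)` may change what String() prints for entries that carry neither `fsuid` nor `ouid`: the old comparison of two missing keys was `"" == ""`, i.e. true, while IsOwner reads presence flags (`hasFsUID`, `hasOuUID` in the pkg/aa/file.go hunk of this commit), so such entries may now lose the ` owner` marker. If that is intended, say so in the commit message and add a case to the String() tests for a log line without those keys; if not, IsOwner should preserve the previous result for that input. If this was the last use of `strings` in logs.go the import would now be unused, but the diffstat shows no import change, so presumably it is still referenced elsewhere. String() starts outside the hunk.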
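Review bot: `After=apparmor.service` only orders the two units; it does not pull apparmor.service into the boot transaction, so whether the `dbus-system` profile named by `AppArmorProfile=` is actually loaded when dbus starts still depends on that unit being enabled by other means. If the intent is to guarantee the profile is present, add `Wants=apparmor.service` next to the `After=` line; if plain ordering is all that is wanted, a one-line comment in the drop-in, `# dbus-system must be loaded by apparmor.service before dbus starts`, would record why the section exists. The dbus.service hunk in the same commit is identical and needs the same treatment.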
From: Alexandre Pujol Date: Sun, 6 Oct 2024 20:43:18 +0100 Subject: [PATCH 252/315] feat(profile): small profiles update. --- apparmor.d/abstractions/gnome-strict | 2 ++ apparmor.d/groups/cron/cron-debsums | 14 ++++------ apparmor.d/groups/gnome/gio-launch-desktop | 1 - apparmor.d/groups/gnome/gnome-characters | 1 + .../groups/gnome/gnome-extension-manager | 1 + apparmor.d/groups/gnome/gnome-software | 1 + apparmor.d/groups/systemd/systemd-dissect | 7 +++-- apparmor.d/groups/virt/dockerd | 28 ++++++++++++++----- apparmor.d/profiles-m-r/mandb | 2 +- apparmor.d/profiles-m-r/metadata-cleaner | 12 ++++---- apparmor.d/profiles-m-r/power-profiles-daemon | 4 +-- apparmor.d/profiles-m-r/remmina | 16 +++++------ apparmor.d/profiles-s-z/totem | 7 ++++- 13 files changed, 57 insertions(+), 39 deletions(-) diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index 833aaa59b..ed3f2f4c0 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -27,6 +27,8 @@ /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r, + / r, + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists diff --git a/apparmor.d/groups/cron/cron-debsums b/apparmor.d/groups/cron/cron-debsums index 5a7adf141..46a3bbe07 100644 --- a/apparmor.d/groups/cron/cron-debsums +++ b/apparmor.d/groups/cron/cron-debsums @@ -14,15 +14,13 @@ profile cron-debsums @{exec_path} { @{exec_path} mr, @{sh_path} rix, - @{bin}/true rix, + @{bin}/{,e}grep rix, + @{bin}/debsums rPx, + @{bin}/ionice rix, @{bin}/logger rix, @{bin}/sed rix, - @{bin}/{,e}grep rix, - - @{bin}/ionice rix, - - @{bin}/debsums rPx, @{bin}/tee rCx -> tee, + @{bin}/true rix, /etc/ r, /etc/default/debsums r, 
@@ -31,17 +29,15 @@ profile cron-debsums @{exec_path} { # For shell pwd / r, - profile tee { include include - # Needed to write to /proc/self/fd/3 capability dac_override, @{bin}/tee mr, - owner @{PROC}/@{pid}/fd/3 rw, + owner @{PROC}/@{pid}/fd/@{int} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 4b395eb82..12473b491 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -43,7 +43,6 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, - deny @{user_share_dirs}/gvfs-metadata/{,*} r, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-characters b/apparmor.d/groups/gnome/gnome-characters index 730feb31c..9ae8a7b8a 100644 --- a/apparmor.d/groups/gnome/gnome-characters +++ b/apparmor.d/groups/gnome/gnome-characters @@ -24,6 +24,7 @@ profile gnome-characters @{exec_path} { @{open_path} rPx -> child-open-help, /usr/share/org.gnome.Characters/{,**} r, + /usr/share/xml/iso-codes/{,**} r, owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-extension-manager b/apparmor.d/groups/gnome/gnome-extension-manager index 942d7b404..3b23d4ffc 100644 --- a/apparmor.d/groups/gnome/gnome-extension-manager +++ b/apparmor.d/groups/gnome/gnome-extension-manager @@ -32,6 +32,7 @@ profile gnome-extension-manager @{exec_path} { @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, # Silencer deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index da5ed232f..4726881e6 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
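Review bot: The `# Needed to write to /proc/self/fd/3` comment is dropped from the tee sub-profile at the same time the rule is widened from `fd/3` to `fd/@{int}`, so a reader no longer learns why a confined `tee` needs write access to its own fd entries at all, nor why `capability dac_override` sits next to it. Keep a short comment above the new rule, e.g. `# tee writes to the pipe it inherited via /proc/self/fd/N`, so the wider rule is not later mistaken for a leftover and trimmed back. The main cron-debsums profile and its header are outside this hunk.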
@@ -125,6 +125,7 @@ profile gnome-software @{exec_path} { owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, diff --git a/apparmor.d/groups/systemd/systemd-dissect b/apparmor.d/groups/systemd/systemd-dissect index b81b100db..7dc10fd46 100644 --- a/apparmor.d/groups/systemd/systemd-dissect +++ b/apparmor.d/groups/systemd/systemd-dissect @@ -17,10 +17,11 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_resource, - mount options=(rw rshared rslave) -> /, - mount options=(rw nodev) -> /mnt/*/, mount -> /tmp/dissect-@{rand6}/, - mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/, + mount fstype=tmpfs options=(rw nodev) rootfs -> @{run}/systemd/dissect-root/, + mount options=(ro nodev) /dev/loop* -> @{run}/systemd/dissect-root/{,**/}, + mount options=(rw nodev) -> /mnt/*/, + mount options=(rw rshared rslave) -> /, umount @{run}/systemd/dissect-root/, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 3342c0d58..91d7baf3e 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -83,10 +83,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { # TODO: should be in a sub profile started with pivot_root, not supported yet. /{,**} rwl, + /etc/docker/{,**} r, + + / r, + + owner @{lib}/containerd/** w, owner @{lib}/docker/overlay2/*/work/{,**} rw, + owner /var/lib/containerd/** w, owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, + owner @{run}/docker/ rw, + owner @{run}/docker/** rwlk, + owner @{run}/docker.pid rw, + @{sys}/fs/cgroup/cgroup.controllers r, @{sys}/fs/cgroup/cpuset.cpus.effective r, @{sys}/fs/cgroup/cpuset.mems.effective r, 
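Review bot: Almost every rule added to dockerd in this hunk is already covered by the blanket `/{,**} rwl,` two lines above it — `/etc/docker/{,**} r`, `/ r`, the `owner ... w` rules under containerd and the `@{run}/docker` entries — so the only permission the hunk really grants is the `k` in `owner @{run}/docker/** rwlk`. Since the TODO above explains the blanket rule is meant to disappear once pivot_root sub-profiles are supported, keeping the specific rules is the right call, but a comment such as `# Explicit rules kept so the profile survives removal of /{,**} rwl above` would stop a future cleanup from deleting them as redundant. The same applies to the `@{PROC}` and `/dev/` additions in the second dockerd hunk; the profile continues outside both hunks.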
@@ -101,16 +111,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/threads-max r, @{PROC}/sys/net/bridge/bridge-nf-call-ip*tables r, @{PROC}/sys/net/core/somaxconn r, - @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} rw, + @{PROC}/sys/net/ipv{4,6}/conf/*/disable_ipv{4,6} rw, @{PROC}/sys/net/ipv{4,6}/conf/docker@{int}/accept_ra rw, @{PROC}/sys/net/ipv{4,6}/ip_forward rw, @{PROC}/sys/net/ipv{4,6}/ip_local_port_range r, - owner @{PROC}/@{pids}/attr/current r, - owner @{PROC}/@{pids}/cgroup r, - owner @{PROC}/@{pids}/fd/ r, - owner @{PROC}/@{pids}/mountinfo r, - owner @{PROC}/@{pids}/net/ip_tables_names r, - owner @{PROC}/@{pids}/uid_map r, + owner @{PROC}/@{pid}/attr/current r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/net/ip_tables_names r, + owner @{PROC}/@{pid}/task/@{tid}/mountinfo r, + owner @{PROC}/@{pid}/uid_map r, + + /dev/ r, + /dev/**/ r, include if exists } diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb index e1404aba0..4826337d0 100644 --- a/apparmor.d/profiles-m-r/mandb +++ b/apparmor.d/profiles-m-r/mandb @@ -30,7 +30,7 @@ profile mandb @{exec_path} flags=(complain) { /usr/{,share/}man/{,**} r, /usr/local/{,share/}man/{,**} r, - /usr/share/**/man/man@{int}/*.@{int}.gz r, + /usr/share/**/man/man@{u8}/*.@{int}.gz r, owner @{user_share_dirs}/man/** rwk, diff --git a/apparmor.d/profiles-m-r/metadata-cleaner b/apparmor.d/profiles-m-r/metadata-cleaner index 87a26b0f3..0de151536 100644 --- a/apparmor.d/profiles-m-r/metadata-cleaner +++ b/apparmor.d/profiles-m-r/metadata-cleaner @@ -10,7 +10,7 @@ include profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { include include - include + include include include include 
@@ -31,17 +31,17 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) { /etc/httpd/conf/mime.types r, /etc/mime.types r, - owner @{tmp}/@{hex64}.png r, - owner @{tmp}/@{hex64}.png w, + owner @{tmp}/@{hex64}.* rw, owner @{tmp}/@{rand8} rw, - owner @{tmp}/tmp@{rand4}_*/{,**} rw, - owner @{tmp}/tmp@{rand8}/{,**} rw, + owner @{tmp}/tmp@{word8} rw, + owner @{tmp}/tmp@{word8}/{,**} rw, @{run}/mount/utab r, owner @{PROC}/@{pid}/cmdline r, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/mountinfo r, + owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, deny owner @{user_share_dirs}/gvfs-metadata/* r, deny owner @{user_cache_dirs}/thumbnails/** r, diff --git a/apparmor.d/profiles-m-r/power-profiles-daemon b/apparmor.d/profiles-m-r/power-profiles-daemon index d409ced7b..b39682804 100644 --- a/apparmor.d/profiles-m-r/power-profiles-daemon +++ b/apparmor.d/profiles-m-r/power-profiles-daemon @@ -34,10 +34,8 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) { @{sys}/bus/platform/devices/ r, @{sys}/class/ r, @{sys}/class/power_supply/ r, - @{sys}/devices/@{pci}/uevent r, @{sys}/devices/**/power_supply/*/scope r, - @{sys}/devices/**/power_supply/*/uevent r, - @{sys}/devices/platform/**/uevent r, + @{sys}/devices/**/uevent r, @{sys}/devices/system/cpu/*_pstate/{no_turbo,turbo_pct} r, @{sys}/devices/system/cpu/*_pstate/status r, @{sys}/devices/system/cpu/cpu@{int}/power/energy_perf_bias rw, diff --git a/apparmor.d/profiles-m-r/remmina b/apparmor.d/profiles-m-r/remmina index 9e2414b5e..f59880046 100644 --- a/apparmor.d/profiles-m-r/remmina +++ b/apparmor.d/profiles-m-r/remmina 
@@ -9,30 +9,31 @@ include @{exec_path} = @{bin}/remmina profile remmina @{exec_path} { include + include include include include include + include include + include include include include include - include - include + include include include include - include + include network inet stream, network inet6 stream, network netlink raw, #aa:dbus own bus=session name=org.remmina.Remmina - - dbus (send, receive) bus=session path=/org/ayatana/NotificationItem/remmina_icon{,/**} - peer=(name="{:*,org.freedesktop.DBus}"), # all interfaces and members + #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} r, @@ -42,14 +43,13 @@ profile remmina @{exec_path} { /etc/timezone r, /etc/ssh/ssh_config r, /etc/ssh/ssh_config.d/{,*} r, - /etc/gtk-3.0/settings.ini r, owner @{HOME}/@{XDG_SSH_DIR}/{,*} r, + owner @{user_cache_dirs}/org.remmina.Remmina/{,**} rw, owner @{user_cache_dirs}/remmina/{,**} rw, owner @{user_config_dirs}/autostart/remmina-applet.desktop r, owner @{user_config_dirs}/freerdp/known_hosts2 rwk, - owner @{user_config_dirs}/gtk-3.0/bookmarks r, owner @{user_config_dirs}/remmina/{,**} rw, owner @{user_share_dirs}/remmina/{,**} rw, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index a71a80c06..6883e48f2 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -63,6 +63,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { include include include + include include capability dac_override, 
@@ -70,9 +71,13 @@ profile totem @{exec_path} flags=(attach_disconnected) { @{bin}/bwrap mr, @{bin}/totem-video-thumbnailer rix, + /usr/share/ladspa/rdf/{,*} r, + + owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, + owner @{tmp}/flatpak-seccomp-@{rand6} rw, owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw, - owner @{user_cache_dirs}/gnome-desktop-thumbnailer/{,**} rw, + owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw, @{PROC}/sys/vm/mmap_min_addr r, owner @{PROC}/@{pid}/task/@{tid}/comm w, From 3324c0dc3be9e46bb645117fc4bf8179b3bfd6e3 Mon Sep 17 00:00:00 2001 From: beroal Date: Sun, 6 Oct 2024 22:44:31 +0300 Subject: [PATCH 253/315] `xeyes` (#544) * xeyes * Changed the profile attachment to the variable * ABI 4 --- apparmor.d/profiles-s-z/xeyes | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 apparmor.d/profiles-s-z/xeyes diff --git a/apparmor.d/profiles-s-z/xeyes b/apparmor.d/profiles-s-z/xeyes new file mode 100644 index 000000000..c602e7fce --- /dev/null +++ b/apparmor.d/profiles-s-z/xeyes @@ -0,0 +1,19 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2022-2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/xeyes +profile xeyes @{exec_path} { + include + include + + @{exec_path} mr, + + include if exists +} + +# vim:syntax=apparmor From ce3813133f8a20f68aa9ac4f32ed421a95bde485 Mon Sep 17 00:00:00 2001 From: beroal Date: Sun, 6 Oct 2024 22:45:17 +0300 Subject: [PATCH 254/315] the desktop version of the Briar secure messager (#545) * the desktop version of the Briar secure messager --- apparmor.d/profiles-a-f/briar-desktop | 95 +++++++++++++++++++++++ apparmor.d/profiles-a-f/briar-desktop-tor | 65 ++++++++++++++++ 2 files changed, 160 insertions(+) create mode 100644 apparmor.d/profiles-a-f/briar-desktop create mode 100644 apparmor.d/profiles-a-f/briar-desktop-tor 
diff --git a/apparmor.d/profiles-a-f/briar-desktop b/apparmor.d/profiles-a-f/briar-desktop new file mode 100644 index 000000000..a0b57a38b --- /dev/null +++ b/apparmor.d/profiles-a-f/briar-desktop 
@@ -0,0 +1,95 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/briar-desktop +profile briar-desktop @{exec_path} { + include + include + include + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + + ptrace read peer=briar-desktop-tor, + ptrace read peer=@{profile_name}//jspawnhelper, + + @{exec_path} mr, + + @{lib}/jvm/java*/bin/java rix, + @{lib}/jvm/java*/lib/** rm, + @{lib}/jvm/java*/lib/jspawnhelper Cx -> jspawnhelper, + @{sh_path} mr, + + @{system_share_dirs}/java/briar-desktop.jar r, + + /etc/java*/{,**} r, + + owner @{HOME}/.briar/desktop/{,**} rw, + owner @{HOME}/.briar/desktop/db/db.mv.db k, + + owner @{HOME}/.java/{,.userPrefs/{,org/}} w, + owner @{HOME}/.java/.userPrefs/.user.lock.@{user} wk, + owner @{HOME}/.java/.userPrefs/.userRootModFile.@{user} rw, + owner @{HOME}/.java/.userPrefs/{,org/}prefs.{xml,tmp} rw, + owner @{HOME}/.java/.userPrefs/org/briarproject/{,**} rw, + + owner @{HOME}/.skiko/ w, + owner @{HOME}/.skiko/@{hex64}/{,libskiko-*.so,skiko[0-9]*} mrw, + + owner @{user_pictures_dirs}/{,**} r, + + owner @{user_cache_dirs}/JNA/{,**} mrw, + + owner @{tmp}/hsperfdata_@{user}/ rw, + owner @{tmp}/hsperfdata_@{user}/@{pid} rwk, + owner @{tmp}/imageio@{u64}.tmp rw, + owner @{tmp}/jna@{u64}.tmp mrw, + + @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/{cpu,memory}.max r, + @{sys}/kernel/mm/{hugepages/,transparent_hugepage/enabled} r, + + @{PROC}/cgroups r, + owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/coredump_filter rw, + owner @{PROC}/@{pid}/mountinfo r, + @{PROC}/@{pid}/net/if_inet6 r, + owner @{PROC}/@{pid}/stat r, + + /dev/tty rw, + /dev/urandom rw, + + deny @{HOME}/ r, + + include if exists + + profile jspawnhelper 
flags=(attach_disconnected) { + include + + @{bin}/ldconfig ix, + owner @{HOME}/.briar/desktop/tor/tor Px -> briar-desktop-tor, + + @{system_share_dirs}/java/briar-desktop.jar r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/stat r, + + deny owner @{HOME}/.briar/desktop/db/db.mv.db rw, # file_inherit + deny network inet6 stream, # file_inherit + + include if exists + } +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/briar-desktop-tor b/apparmor.d/profiles-a-f/briar-desktop-tor new file mode 100644 index 000000000..e78420e34 --- /dev/null +++ b/apparmor.d/profiles-a-f/briar-desktop-tor 
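Review bot: The tor helper that jspawnhelper launches with `Px -> briar-desktop-tor` lives under `@{HOME}/.briar/desktop/tor/`, which the main profile grants `owner @{HOME}/.briar/desktop/{,**} rw` on, so the profile transition is not a trust boundary against the application itself — briar-desktop can rewrite the binary it will later run under the other profile. Likewise `owner @{HOME}/.skiko/@{hex64}/{...} mrw`, `owner @{user_cache_dirs}/JNA/{,**} mrw` and `owner @{tmp}/jna@{u64}.tmp mrw` permit writing and then executable-mapping the same files. Both are inherent to how Briar and JNA ship native code, but they deserve a comment in the profile, e.g. `# Briar bundles tor and JNI libraries under the user's home; they are writable by this profile and then mapped executable`, so the decision is recorded rather than rediscovered at the next audit. `@{sh_path} mr` also grants no exec permission on the shell; confirm that is intended, since nothing else in the profile lets it execute sh.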
@@ -0,0 +1,65 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +profile briar-desktop-tor { + include + + network inet stream, + network inet6 stream, + network netlink raw, + + signal send set=term peer=briar-desktop-tor//obfs4proxy, + signal send set=term peer=briar-desktop-tor//snowflake, + + owner @{HOME}/.briar/desktop/tor/.tor/{,**} rw, + owner @{HOME}/.briar/desktop/tor/.tor/lock k, + owner @{HOME}/.briar/desktop/tor/obfs4proxy Cx -> obfs4proxy, + owner @{HOME}/.briar/desktop/tor/snowflake Cx -> snowflake, + owner @{HOME}/.briar/desktop/tor/tor r, + owner @{HOME}/.briar/desktop/tor/torrc r, + + @{PROC}/sys/kernel/random/uuid r, + + include if exists + + profile obfs4proxy { + include + + network inet stream, + network inet6 stream, + + signal receive set=term peer=briar-desktop-tor, + + owner @{HOME}/.briar/desktop/tor/.tor/pt_state/ w, + owner @{HOME}/.briar/desktop/tor/obfs4proxy mr, + @{PROC}/sys/net/core/somaxconn r, + + include if exists + } + + profile snowflake { + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + signal receive set=term peer=briar-desktop-tor, + + owner @{HOME}/.briar/desktop/tor/snowflake mr, + @{PROC}/sys/net/core/somaxconn r, + + include if exists + } +} + +# vim:syntax=apparmor From a5cafe26ea8e664bffa606e37708dcd56f594e9b Mon Sep 17 00:00:00 2001 
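Review bot: The tor executable this profile confines gets only `owner @{HOME}/.briar/desktop/tor/tor r,`, whereas every other profile in this series (and the obfs4proxy and snowflake sub-profiles right below) grants `mr` on its own binary; if tor starts correctly under the profile as written, a short comment saying `m` is deliberately omitted would pre-empt the obvious question, otherwise the rule should be `mr`. The profile also has no attachment path (`profile briar-desktop-tor {`), so it is reachable only through the `Px -> briar-desktop-tor` transition in briar-desktop's jspawnhelper sub-profile; a comment stating that dependency at the top of the file, e.g. `# Entered only via Px from briar-desktop//jspawnhelper; no attachment path on purpose`, would help anyone who looks for the missing `@{exec_path}`.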
From: beroal Date: Sun, 6 Oct 2024 22:46:12 +0300 Subject: [PATCH 255/315] aMule, a file sharing program; not all executables (#546) * aMule, a file sharing program; not all executables * ABI 4; document directories; amule//shell was deleted --- apparmor.d/abstractions/app-open | 1 + apparmor.d/profiles-a-f/alc | 21 +++++++++++++++++ apparmor.d/profiles-a-f/alcc | 20 ++++++++++++++++ apparmor.d/profiles-a-f/amule | 39 ++++++++++++++++++++++++++++++++ apparmor.d/profiles-a-f/cas | 25 ++++++++++++++++++++ apparmor.d/profiles-a-f/ed2k | 22 ++++++++++++++++++ apparmor.d/profiles-a-f/fileview | 26 +++++++++++++++++++++ 7 files changed, 154 insertions(+) create mode 100644 apparmor.d/profiles-a-f/alc create mode 100644 apparmor.d/profiles-a-f/alcc create mode 100644 apparmor.d/profiles-a-f/amule create mode 100644 apparmor.d/profiles-a-f/cas create mode 100644 apparmor.d/profiles-a-f/ed2k create mode 100644 apparmor.d/profiles-a-f/fileview diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 70f89d866..f0fd32206 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -26,6 +26,7 @@ @{text_editors_path} rPUx, # Others + @{bin}/amule rPx, @{bin}/blueman-tray rPx, @{bin}/discord{,-ptb} rPx, @{bin}/draw.io rPUx, diff --git a/apparmor.d/profiles-a-f/alc b/apparmor.d/profiles-a-f/alc new file mode 100644 index 000000000..232f83860 --- /dev/null +++ b/apparmor.d/profiles-a-f/alc @@ -0,0 +1,21 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/alc +profile alc @{exec_path} { + include + include + include + + @{exec_path} mr, + @{user_torrents_dirs}/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/alcc b/apparmor.d/profiles-a-f/alcc new file mode 100644 index 000000000..c1e7d0602 --- /dev/null +++ b/apparmor.d/profiles-a-f/alcc 
@@ -0,0 +1,20 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/alcc +profile alcc @{exec_path} { + include + include + + @{exec_path} mr, + @{user_torrents_dirs}/{,**} r, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/amule b/apparmor.d/profiles-a-f/amule new file mode 100644 index 000000000..b54e62022 --- /dev/null +++ b/apparmor.d/profiles-a-f/amule @@ -0,0 +1,39 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/amule +profile amule @{exec_path} { + include + include + include + include + + network inet dgram, + network inet stream, + network inet6 dgram, + network inet6 stream, + network netlink raw, + + + # Previewing files isn't allowed + # because aMule opens viewers directly instead of via `xdg-open`. + # If aMule uses `xdg-open` in your time, + # uncomment the following line to allow previewing files. + # @{open_path} rPx -> child-open, + + @{exec_path} mr, + @{bin}/uname rPx, + @{sh_path} rix, + @{system_share_dirs}/amule/{,**} r, + owner @{HOME}/.aMule/{,**} rwk, + @{user_torrents_dirs}/{,**} rw, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cas b/apparmor.d/profiles-a-f/cas new file mode 100644 index 000000000..d843801ba --- /dev/null +++ b/apparmor.d/profiles-a-f/cas @@ -0,0 +1,25 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/cas +profile cas @{exec_path} { + include + include + + @{exec_path} mr, + + @{system_share_dirs}/cas/{,**} r, + + owner @{HOME}/.aMule/aMule-online-sign.html w, + owner @{HOME}/.aMule/amulesig.dat r, + owner @{HOME}/.aMule/casrc rw, + + include if exists +} + +# vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-a-f/ed2k b/apparmor.d/profiles-a-f/ed2k new file mode 100644 index 000000000..f92e3b74d --- /dev/null +++ b/apparmor.d/profiles-a-f/ed2k @@ -0,0 +1,22 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/ed2k +profile ed2k @{exec_path} { + include + include + + @{exec_path} mr, + + owner @{HOME}/.aMule/ED2KLinks w, + owner @{HOME}/.aMule/ED2KLinks_lock wk, + + include if exists +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/fileview b/apparmor.d/profiles-a-f/fileview new file mode 100644 index 000000000..9237f2a98 --- /dev/null +++ b/apparmor.d/profiles-a-f/fileview @@ -0,0 +1,26 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Roman Beslik +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = @{bin}/fileview +profile fileview @{exec_path} { + include + include + + @{exec_path} mr, + + # This program parses aMule internal data files like "server.met". + # The paths to these files are given as arguments. + # The following directories are those that users likely want to read. + # However, this program is usable without the permissions below. + owner @{HOME}/.aMule/{,**} r, + @{user_torrents_dirs}/{,**} r, + + include if exists +} + +# vim:syntax=apparmor From 03b777340d4b17957c7533d20bc3f8fca5a6dff8 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sun, 6 Oct 2024 22:01:39 +0100 Subject: [PATCH 256/315] tests(packer): update & cleanup tests images. --- tests/Makefile | 2 +- tests/packer/archlinux.pkr.hcl | 80 +------------ tests/packer/builds.pkr.hcl | 30 +++-- tests/packer/debian.pkr.hcl | 86 +------------- .../packer/init/archlinux-xfce.user-data.yml | 92 +++++++++++++++ .../packer/init/opensuse-gnome.user-data.yml | 43 +++++++ ...ata.yml => ubuntu22-desktop.user-data.yml} | 0 ...ata.yml => ubuntu24-desktop.user-data.yml} | 20 ++-- ...data.yml => ubuntu24-server.user-data.yml} | 0 tests/packer/opensuse.pkr.hcl | 19 ++-- tests/packer/ubuntu.pkr.hcl | 106 +++--------------- tests/packer/variables.pkr.hcl | 16 +-- 12 files changed, 202 insertions(+), 292 deletions(-) create mode 100644 tests/packer/init/archlinux-xfce.user-data.yml create mode 100644 tests/packer/init/opensuse-gnome.user-data.yml rename tests/packer/init/{ubuntu-desktop.user-data.yml => ubuntu22-desktop.user-data.yml} (100%) rename tests/packer/init/{ubuntu-desktop24.user-data.yml => ubuntu24-desktop.user-data.yml} (76%) rename tests/packer/init/{ubuntu-server.user-data.yml => ubuntu24-server.user-data.yml} (100%) diff --git a/tests/Makefile b/tests/Makefile index de4a15f78..8bf5f6182 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -21,7 +21,7 @@ $(BASE): @make --directory=../ package dist=${@} @packer build -force -var version=${VERSION} \ -var disk_size=${disk} -var flavor="${flavor}" \ - -only=qemu.${@}-${flavor} packer/ + -only=qemu.${@} packer/ lint: @packer fmt --check packer/ diff --git a/tests/packer/archlinux.pkr.hcl b/tests/packer/archlinux.pkr.hcl index c445b632a..41a2627d5 100644 --- a/tests/packer/archlinux.pkr.hcl +++ b/tests/packer/archlinux.pkr.hcl 
@@ -2,43 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -source "qemu" "archlinux-server" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = "10G" - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "archlinux-gnome" { +source "qemu" "archlinux" { disk_image = true iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" 
@@ -57,54 +21,18 @@ source "qemu" "archlinux-gnome" { disk_detect_zeroes = "unmap" disk_discard = "unmap" output_directory = var.output - vm_name = "${var.prefix}${source.name}.qcow2" + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" boot_wait = "10s" shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "archlinux-kde" { - disk_image = true - iso_url = "https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2" - iso_checksum = "file:https://geo.mirror.pkgbuild.com/images/latest/Arch-Linux-x86_64-cloudimg.qcow2.SHA256" - iso_target_path = "${var.iso_dir}/archlinux-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = var.output - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - shutdown_command = "echo ${var.password} | sudo -S shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" + hostname = "${var.prefix}${source.name}-${var.flavor}" } ) } diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index c37e768ac..33288e6b5 100644 
--- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -4,18 +4,12 @@ build { sources = [ - "source.qemu.archlinux-gnome", - "source.qemu.archlinux-kde", - "source.qemu.archlinux-server", - "source.qemu.debian-gnome", - "source.qemu.debian-kde", - "source.qemu.debian-server", - "source.qemu.opensuse-gnome", - "source.qemu.opensuse-kde", - "source.qemu.ubuntu-desktop", - "source.qemu.ubuntu-desktop24", - "source.qemu.ubuntu-server", - "source.qemu.ubuntu-server24", + "source.qemu.archlinux", + "source.qemu.debian", + "source.qemu.fedora", + "source.qemu.opensuse", + "source.qemu.ubuntu22", + "source.qemu.ubuntu24", ] # Upload local files @@ -25,26 +19,28 @@ build { } provisioner "file" { - only = ["qemu.archlinux-gnome", "qemu.archlinux-kde", "qemu.archlinux-server"] + only = ["qemu.archlinux"] destination = "/tmp/src/" - sources = ["${path.cwd}/../apparmor.d-${var.version}-1-x86_64.pkg.tar.zst"] + sources = [ + "${path.cwd}/../apparmor.d-${var.version}-1-x86_64.pkg.tar.zst", + ] } provisioner "file" { - only = ["qemu.opensuse-*"] + only = ["qemu.opensuse"] destination = "/tmp/src/" sources = ["${path.cwd}/../apparmor.d-${var.version}-1.x86_64.rpm"] } provisioner "file" { - only = ["qemu.debian-server", "qemu.debian-gnome", "qemu.debian-kde", "qemu.ubuntu-server", "qemu.ubuntu-server24", "qemu.ubuntu-desktop", "qemu.ubuntu-desktop24"] + only = ["qemu.debian", "qemu.ubuntu22", "qemu.ubuntu24"] destination = "/tmp/src/" sources = ["${path.cwd}/../apparmor.d_${var.version}-1_amd64.deb"] } # Wait for cloud-init to finish provisioner "shell" { - except = ["qemu.opensuse-*"] + except = ["qemu.opensuse"] execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'" inline = [ "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done", diff --git a/tests/packer/debian.pkr.hcl b/tests/packer/debian.pkr.hcl index 38f33116f..7fd176b6e 100644 --- a/tests/packer/debian.pkr.hcl 
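Review bot: `"source.qemu.fedora"` is added to the build's sources list, but no `fedora.pkr.hcl` appears in this commit's diffstat and none of the touched files defines a fedora source, so unless that source already exists in the tree `packer validate` will fail on an unknown source. If it does exist, the entry is fine; if not, either drop it or add the source in the same commit. The file provisioners below were narrowed to `qemu.archlinux`, `qemu.opensuse` and `qemu.debian`/`qemu.ubuntu22`/`qemu.ubuntu24`, so no provisioner uploads a package for `qemu.fedora` either, which suggests an RPM provisioner for fedora is missing as well. `build {` starts outside the hunk.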
+++ b/tests/packer/debian.pkr.hcl @@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -source "qemu" "debian-server" { +source "qemu" "debian" { disk_image = true iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" cpu_model = "host" - cpus = 4 - memory = 2048 + cpus = 6 + memory = 4096 disk_size = var.disk_size accelerator = "kvm" headless = true 
@@ -20,89 +20,15 @@ source "qemu" "debian-server" { disk_compression = true disk_detect_zeroes = "unmap" disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" + output_directory = var.output + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" boot_wait = "10s" firmware = var.firmware shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "debian-gnome" { - disk_image = true - iso_url = "https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" - cpu_model = "host" - cpus = 4 - memory = 2048 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "debian-kde" { - disk_image = true - iso_url = 
"https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/debian-${var.release.debian.version}-genericcloud-amd64.qcow2" - iso_checksum = "file:https://cdimage.debian.org/images/cloud/${var.release.debian.codename}/latest/SHA512SUMS" - iso_target_path = "${var.iso_dir}/debian-cloudimg-amd64.img" - cpu_model = "host" - cpus = 4 - memory = 2048 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "1000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/init/archlinux-xfce.user-data.yml b/tests/packer/init/archlinux-xfce.user-data.yml new file mode 100644 index 000000000..1cc18f556 --- /dev/null +++ b/tests/packer/init/archlinux-xfce.user-data.yml 
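Review bot: The new `vm_name` and `templatefile(...)` lines in this hunk depend on `var.flavor`, but no `variable "flavor"` declaration appears in the variables.pkr.hcl hunks of this patch, so unless it is declared outside the shown hunks the build fails with an undeclared-variable error. The same expression is introduced in the opensuse.pkr.hcl and ubuntu.pkr.hcl hunks of this patch. If it is new, a declaration documenting the contract, e.g. `variable "flavor" { description = "Suffix selecting packer/init/<source>-<flavor>.user-data.yml" type = string }`, would make the template naming scheme explicit. The `source "qemu" "debian"` block edited here begins in the previous hunk.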
@@ -0,0 +1,92 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - xfce4 + - xfce4-goodies + - lightdm + - lightdm-gtk-greeter + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable lightdm.service + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 
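Review bot: The `/etc/fstab` entry at the end of the hunk hard-codes `/home/user/Projects/apparmor.d` as the virtiofs mount point, while the rest of the file derives the account from `${username}`; with any other username the share lands outside the user's home and the `install -dm0750 ... "/home/$SUDO_USER/Projects/apparmor.d"` in init.sh prepares a different directory. Using `/home/${username}/Projects/apparmor.d` keeps the two in step; the same literal appears in the opensuse-gnome and archlinux-cosmic user-data files of this series. Separately, `runcmd` enables `auditd` but the `packages` list has no `audit` entry (the cosmic variant later in the series adds one), so unless it arrives as a dependency that `systemctl enable` fails.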
diff --git a/tests/packer/init/opensuse-gnome.user-data.yml b/tests/packer/init/opensuse-gnome.user-data.yml new file mode 100644 index 000000000..b54bb458e --- /dev/null +++ b/tests/packer/init/opensuse-gnome.user-data.yml @@ -0,0 +1,43 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + - apparmor-profiles + - bash-completion + - distribution-release + - git + - golang-packaging + - htop + - make + - rpmbuild + - vim + +write_files: + # Set some bash aliases + - path: /home/${username}/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/ubuntu-desktop.user-data.yml b/tests/packer/init/ubuntu22-desktop.user-data.yml similarity index 100% rename from tests/packer/init/ubuntu-desktop.user-data.yml rename to tests/packer/init/ubuntu22-desktop.user-data.yml diff --git a/tests/packer/init/ubuntu-desktop24.user-data.yml b/tests/packer/init/ubuntu24-desktop.user-data.yml similarity index 76% rename from tests/packer/init/ubuntu-desktop24.user-data.yml rename to tests/packer/init/ubuntu24-desktop.user-data.yml index 30a82279a..3c3807e29 100644 --- a/tests/packer/init/ubuntu-desktop24.user-data.yml +++ b/tests/packer/init/ubuntu24-desktop.user-data.yml @@ -2,6 +2,8 @@ # Based on https://github.com/canonical/autoinstall-desktop +# https://github.com/canonical/ubuntu-desktop-provision/blob/main/README.md + hostname: ${hostname} locale: en_IE keyboard: 
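Review bot: The `write_files` entry for `/home/${username}/.bashrc` is handled by cloud-init's write-files module, which in the upstream default module order runs before users-groups creates the account; the file and its parent directory are then created root-owned before the home directory exists, and the later user creation may skip the skeleton copy. The archlinux templates in this series sidestep this by appending to `/etc/skel/.bashrc`; the same works here, or the entry can carry `defer: true` so it is written in the final stage — worth confirming against the openSUSE cloud-init configuration. The fstab mount point in the same `write_files` list uses the literal `/home/user/` while this entry uses `${username}`; the two should agree.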
@@ -22,7 +24,7 @@ package_upgrade: true package_reboot_if_required: false packages: - ubuntu-desktop - - linux-generic-hwe-22.04 + - linux-generic-hwe-24.04 - qemu-guest-agent - spice-vdagent - terminator @@ -49,14 +51,14 @@ runcmd: # Remove other packages present by default in Ubuntu Server but not # normally present in Ubuntu Desktop. - - >- - apt-get -y purge - ubuntu-server ubuntu-server-minimal netplan.io cloud-init - binutils byobu curl dmeventd finalrd gawk - kpartx mdadm ncurses-term needrestart open-iscsi - sg3-utils ssh-import-id sssd thin-provisioning-tools tmux - sosreport screen open-vm-tools motd-news-config lxd-agent-loader - landscape-common fonts-ubuntu-console ethtool + # - >- + # apt-get -y purge + # ubuntu-server ubuntu-server-minimal netplan.io cloud-init + # binutils byobu curl dmeventd finalrd gawk + # kpartx mdadm ncurses-term needrestart open-iscsi + # sg3-utils ssh-import-id sssd thin-provisioning-tools tmux + # sosreport screen open-vm-tools motd-news-config lxd-agent-loader + # landscape-common fonts-ubuntu-console ethtool # Finally, remove things only installed as dependencies of other things # we have already removed. diff --git a/tests/packer/init/ubuntu-server.user-data.yml b/tests/packer/init/ubuntu24-server.user-data.yml similarity index 100% rename from tests/packer/init/ubuntu-server.user-data.yml rename to tests/packer/init/ubuntu24-server.user-data.yml diff --git a/tests/packer/opensuse.pkr.hcl b/tests/packer/opensuse.pkr.hcl index de9bafacb..49ba09f70 100644 --- a/tests/packer/opensuse.pkr.hcl +++ b/tests/packer/opensuse.pkr.hcl 
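Review bot: Commenting out the `apt-get -y purge ...` step in the last hunk leaves the comment just above it ("Remove other packages present by default in Ubuntu Server but not normally present in Ubuntu Desktop") describing something the file no longer does, and gives no reason for the change; a short comment such as `# Purge disabled: <reason placeholder> (see the ubuntu-desktop-provision README linked above)` would preserve the intent. The disabled list includes `cloud-init`, `ssh-import-id`, `sssd` and `open-iscsi`, so the ubuntu24 desktop image now keeps services the template was written to remove; if the purge broke the 24.04 build, keeping the removal but trimming the offending packages would retain the smaller footprint. The following "remove things only installed as dependencies" step presumably still runs, now with nothing to clean up.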
@@ -3,16 +3,13 @@ # SPDX-License-Identifier: GPL-2.0-only # TODO: Fully automate the creation of the base image -# To save some dev time, 'base_opensuse_kde' is manually created from the opensuse iso with: -# - KDE -# - username/password defined in the variables -# - cloud-init installed and enabled -source "qemu" "opensuse-kde" { +source "qemu" "opensuse" { disk_image = true - iso_url = "${var.iso_dir}/base_opensuse_kde.qcow2" - iso_checksum = "sha256:62a174725bdf26981d15969e53461b89359f7763450cbfd3e258d4035731279b" - iso_target_path = "${var.iso_dir}/base_opensuse_kde.qcow2" + iso_url = "${var.base_dir}/base-tumbleweed-gnome.qcow2" + iso_checksum = "sha256:223ed62160ef4f1a4f21b69c574f552a07eee6ef66cf66eef2b49c5a7c4864f4" + iso_target_path = "${var.base_dir}/base-tumbleweed-gnome.qcow2" + cpu_model = "host" cpus = 6 memory = 4096 disk_size = var.disk_size @@ -25,15 +22,15 @@ source "qemu" "opensuse-kde" { disk_compression = true disk_detect_zeroes = "unmap" disk_discard = "unmap" - output_directory = "${var.iso_dir}/packer/" - vm_name = "${var.prefix}${source.name}.qcow2" + output_directory = var.output + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" boot_wait = "10s" firmware = var.firmware shutdown_command = "echo ${var.password} | sudo shutdown -hP now" cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/ubuntu.pkr.hcl b/tests/packer/ubuntu.pkr.hcl index 344a8bf43..052b460da 100644 --- a/tests/packer/ubuntu.pkr.hcl +++ b/tests/packer/ubuntu.pkr.hcl 
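Review bot: The first hunk drops the comment explaining that the base image is hand-built from the openSUSE ISO (desktop, credentials from the variables, cloud-init installed) but keeps `# TODO: Fully automate the creation of the base image`, so the new `base-tumbleweed-gnome.qcow2` pinned by sha256 has no recorded provenance or recipe. A comment such as `# 'base-tumbleweed-gnome' is built manually from the Tumbleweed ISO with GNOME, the username/password from the variables and cloud-init enabled; update iso_checksum whenever it is rebuilt` restores that. Pinning `iso_checksum` to a fixed sha256 is the right choice for a locally produced image, since the `file:` form used by the other sources would give no integrity guarantee here.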
@@ -2,14 +2,14 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -source "qemu" "ubuntu-server" { +source "qemu" "ubuntu22" { disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/${var.release.ubuntu.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-cloudimg-amd64.img" + iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/${var.release.ubuntu22.codename}-server-cloudimg-amd64.img" + iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu22.codename}/current/SHA256SUMS" + iso_target_path = "${var.iso_dir}/ubuntu22-cloudimg-amd64.img" cpu_model = "host" - cpus = 4 - memory = 2048 + cpus = 6 + memory = 4096 disk_size = var.disk_size accelerator = "kvm" headless = true @@ -20,15 +20,15 @@ source "qemu" "ubuntu-server" { disk_compression = true disk_detect_zeroes = "unmap" disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" + output_directory = var.output + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" boot_wait = "10s" firmware = var.firmware shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" 
@@ -39,14 +39,14 @@ source "qemu" "ubuntu-server" { } } -source "qemu" "ubuntu-server24" { +source "qemu" "ubuntu24" { disk_image = true iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" + iso_target_path = "${var.iso_dir}/ubuntu24-cloudimg-amd64.img" cpu_model = "host" - cpus = 4 - memory = 2048 + cpus = 6 + memory = 4096 disk_size = var.disk_size accelerator = "kvm" headless = true 
@@ -57,89 +57,15 @@ source "qemu" "ubuntu-server24" { disk_compression = true disk_detect_zeroes = "unmap" disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" + output_directory = var.output + vm_name = "${var.prefix}${source.name}-${var.flavor}.qcow2" boot_wait = "10s" firmware = var.firmware shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" cd_label = "cidata" cd_content = { "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/ubuntu-server.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu-desktop" { - disk_image = true - iso_url = "https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/${var.release.ubuntu.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = true - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "10000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", - { - username = "${var.username}" - password = "${var.password}" - ssh_key = file("${var.ssh_publickey}") - hostname = "${var.prefix}${source.name}" - } - ) - } -} - -source "qemu" "ubuntu-desktop24" { - disk_image = true - iso_url = 
"https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/${var.release.ubuntu24.codename}-server-cloudimg-amd64.img" - iso_checksum = "file:https://cloud-images.ubuntu.com/${var.release.ubuntu24.codename}/current/SHA256SUMS" - iso_target_path = "${var.iso_dir}/ubuntu-${var.release.ubuntu24.codename}-cloudimg-amd64.img" - cpu_model = "host" - cpus = 6 - memory = 4096 - disk_size = var.disk_size - accelerator = "kvm" - headless = false - ssh_username = var.username - ssh_password = var.password - ssh_port = 22 - ssh_wait_timeout = "10000s" - disk_compression = true - disk_detect_zeroes = "unmap" - disk_discard = "unmap" - output_directory = "${var.output}/" - vm_name = "${var.prefix}${source.name}.qcow2" - boot_wait = "10s" - firmware = var.firmware - shutdown_command = "echo ${var.password} | sudo -S /sbin/shutdown -hP now" - cd_label = "cidata" - cd_content = { - "meta-data" = "" - "user-data" = templatefile("${path.cwd}/packer/init/${source.name}.user-data.yml", + "user-data" = templatefile("${path.cwd}/packer/init/${source.name}-${var.flavor}.user-data.yml", { username = "${var.username}" password = "${var.password}" diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index 5a1cc17e8..c9ca4b62c 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -22,12 +22,6 @@ variable "ssh_publickey" { default = "~/.ssh/id_ed25519.pub" } -variable "ssh_privatekey" { - description = "Path to the ssh private key" - type = string - default = "~/.ssh/id_ed25519" -} - variable "disk_size" { description = "Disk size of the VM to build" type = string @@ -49,7 +43,7 @@ variable "base_dir" { variable "firmware" { description = "Path to the UEFI firmware" type = string - default = "/usr/share/edk2-ovmf/x64/OVMF_CODE.fd" + default = "/usr/share/edk2/x64/OVMF_CODE.fd" } variable "output" { 
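Review bot: In the last hunk the ubuntu24 source's `user-data` switches from the fixed `ubuntu-server.user-data.yml` to `${source.name}-${var.flavor}.user-data.yml`, and the second hunk does the same for the ubuntu22 source; the renames in this patch only yield `ubuntu22-desktop`, `ubuntu24-desktop` and `ubuntu24-server` templates, so `qemu.ubuntu22` with a server flavor (the only role it had before as `ubuntu-server`) fails at `templatefile` unless a `ubuntu22-server.user-data.yml` already exists in the tree. Either that file needs adding (the old server template was renamed to the ubuntu24 one rather than copied), or the ubuntu22 source should keep an explicit template path. The `source "qemu" "ubuntu24"` block edited by the last hunk begins in the previous hunk.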
@@ -83,7 +77,7 @@ variable "release" { version = string })) default = { - "ubuntu" : { + "ubuntu22" : { codename = "jammy", version = "22.04.2", }, @@ -99,5 +93,11 @@ variable "release" { codename = "tumbleweed", version = "", } + "fedora" : { + codename = "40", + version = "1.14", + } } } + +} From 31af7586394c1d849e9d4a7dc580ab9c89e7b92e Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Oct 2024 12:16:42 +0100 Subject: [PATCH 257/315] fix(test): packer hcl & uefi path --- tests/Vagrantfile | 2 +- tests/packer/variables.pkr.hcl | 2 -- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/Vagrantfile b/tests/Vagrantfile index fce3a3f0d..4bdaac985 100644 --- a/tests/Vagrantfile +++ b/tests/Vagrantfile @@ -53,7 +53,7 @@ Vagrant.configure("2") do |config| libvirt.redirdev :type => "spicevmc" end if instance.fetch('uefi', default['uefi']) - libvirt.loader = '/usr/share/edk2-ovmf/x64/OVMF_CODE.fd' + libvirt.loader = '/usr/share/edk2/x64/OVMF_CODE.fd' end end diff --git a/tests/packer/variables.pkr.hcl b/tests/packer/variables.pkr.hcl index c9ca4b62c..a37c89bf0 100644 --- a/tests/packer/variables.pkr.hcl +++ b/tests/packer/variables.pkr.hcl @@ -99,5 +99,3 @@ variable "release" { } } } - -} From 4f861158cf94510fc6a26b1704fd54ea98f8437f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Oct 2024 14:05:40 +0100 Subject: [PATCH 258/315] build: unify locally build package output directory. --- .gitlab-ci.yml | 2 +- Makefile | 3 +-- dists/build.sh | 2 +- dists/docker.sh | 10 ++++++---- tests/packer/builds.pkr.hcl | 6 +++--- 5 files changed, 12 insertions(+), 11 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1acf9151f..a24ac7975 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -4,7 +4,7 @@ include: - template: Security/SAST.gitlab-ci.yml variables: - PKGDEST: $CI_PROJECT_DIR/packages + PKGDEST: $CI_PROJECT_DIR/.pkg PACKAGER: 'Alexandre Pujol ' stages: diff --git a/Makefile b/Makefile index 9b25bb5ec..8ee380abd 100644 
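Review bot: The `@@ -99,5 +93,11 @@` hunk ends with an extra `+}` after the existing closing braces of `variable "release"`, leaving variables.pkr.hcl with an unmatched brace that HCL rejects; the next patch in the series (257, "fix(test): packer hcl & uefi path") removes it again, so squashing that fix into this commit would keep the history bisectable. The new `"fedora"` release entry (`codename = "40"`, `version = "1.14"`) has no matching `source "qemu" "fedora"` anywhere in this patch, so the `source.qemu.fedora` build referenced from builds.pkr.hcl depends on a file outside the shown hunks. Removing `ssh_privatekey` is safe only if no remaining template still reads `var.ssh_privatekey`, which this diff does not show either way.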
--- a/Makefile +++ b/Makefile @@ -120,5 +120,4 @@ serve: clean: @rm -rf \ debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \ - ${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst coverage.out \ - ${PKGNAME}_*.* ${PKGNAME}-*.rpm ${BUILD} + .pkg/${PKGNAME}* ${BUILD} coverage.out diff --git a/dists/build.sh b/dists/build.sh index a566291bd..08d43a49a 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -8,7 +8,7 @@ set -eu -o pipefail readonly COMMAND="$1" -readonly OUTPUT="${PKGDEST:-$PWD}" +readonly OUTPUT=".pkg" readonly PKGNAME=apparmor.d VERSION="0.$(git rev-list --count HEAD)" readonly VERSION diff --git a/dists/docker.sh b/dists/docker.sh index 500918c5f..e0cb64431 100644 --- a/dists/docker.sh +++ b/dists/docker.sh @@ -12,6 +12,7 @@ readonly PREFIX="builder-" readonly PKGNAME=apparmor.d readonly VOLUME=/tmp/build readonly BUILDIR=/home/build/tmp +readonly OUTPUT=".pkg" readonly COMMAND="$1" VERSION="0.$(git rev-list --count HEAD)" PACKAGER="$(git config user.name) <$(git config user.email)>" @@ -62,7 +63,7 @@ build_in_docker_makepkg() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg - mv "$VOLUME/$PKGNAME"-*.pkg.* . + mv "$VOLUME/$PKGNAME"-*.pkg.* "$OUTPUT" } build_in_docker_dpkg() { @@ -85,7 +86,7 @@ build_in_docker_dpkg() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh dpkg - mv "$VOLUME/$PKGNAME/${PKGNAME}_${VERSION}-1"_*.* . + mv "$VOLUME/$PKGNAME/${PKGNAME}_${VERSION}-1"_*.* "$OUTPUT" } build_in_docker_rpm() { @@ -104,14 +105,14 @@ build_in_docker_rpm() { fi docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm - mv "$VOLUME/$PKGNAME/$PKGNAME-$VERSION-"*.rpm . + mv "$VOLUME/$PKGNAME/$PKGNAME-$VERSION-"*.rpm "$OUTPUT" } main() { case "$COMMAND" in archlinux) # build_in_docker_makepkg "$COMMAND" - PKGDEST=. makepkg -Cf + PKGDEST="$OUTPUT" makepkg -Cf ;; debian | ubuntu | whonix) @@ -128,4 +129,5 @@ main() { esac } +mkdir -p "$OUTPUT" main "$@" 
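Review bot: `readonly OUTPUT=".pkg"` in the dists/build.sh hunk replaces `${PKGDEST:-$PWD}` with a path relative to whatever directory the script is invoked from, and it no longer honours `PKGDEST` even though .gitlab-ci.yml in this same patch still sets `PKGDEST: $CI_PROJECT_DIR/.pkg`; if build.sh is expected to write there in CI, `readonly OUTPUT="${PKGDEST:-.pkg}"` keeps both callers working. Nothing in the build.sh hunk creates the directory (the docker.sh hunk adds `mkdir -p "$OUTPUT"` before `main`, build.sh's shown lines do not), so unless the rest of build.sh does, the first write into it fails. The same `.pkg` literal is now duplicated across build.sh, docker.sh, the Makefile and .gitlab-ci.yml, which is worth a comment naming it as the single package output directory. The remainder of build.sh is outside the hunk.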
diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl index 33288e6b5..c658a8bfd 100644 --- a/tests/packer/builds.pkr.hcl +++ b/tests/packer/builds.pkr.hcl @@ -22,7 +22,7 @@ build { only = ["qemu.archlinux"] destination = "/tmp/src/" sources = [ - "${path.cwd}/../apparmor.d-${var.version}-1-x86_64.pkg.tar.zst", + "${path.cwd}/../.pkg/apparmor.d-${var.version}-1-x86_64.pkg.tar.zst", ] } @@ -61,12 +61,12 @@ build { } post-processor "vagrant" { - output = "${var.base_dir}/packer_${var.prefix}${source.name}.box" + output = "${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" } post-processor "shell-local" { inline = [ - "vagrant box add --force --name ${var.prefix}${source.name} ${var.base_dir}/packer_${var.prefix}${source.name}.box" + "vagrant box add --force --name ${var.prefix}${source.name}-${var.flavor} ${var.base_dir}/packer_${var.prefix}${source.name}-${var.flavor}.box" ] } From 146bda8f454c4777e967ef41ff05eec1fe496933 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 7 Oct 2024 21:41:44 +0100 Subject: [PATCH 259/315] test(packer): as base image for the cosmic DE. --- tests/boxes.yml | 4 + .../init/archlinux-cosmic.user-data.yml | 90 +++++++++++++++++++ tests/packer/init/init.sh | 20 ++--- 3 files changed, 104 insertions(+), 10 deletions(-) create mode 100644 tests/packer/init/archlinux-cosmic.user-data.yml diff --git a/tests/boxes.yml b/tests/boxes.yml index edda41096..ef037e07f 100644 --- a/tests/boxes.yml +++ b/tests/boxes.yml @@ -18,6 +18,10 @@ boxes: box: aa-archlinux-xfce uefi: false + - name: arch-cosmic + box: aa-archlinux-cosmic + uefi: false + - name: arch-server box: aa-archlinux-server uefi: false diff --git a/tests/packer/init/archlinux-cosmic.user-data.yml b/tests/packer/init/archlinux-cosmic.user-data.yml new file mode 100644 index 000000000..442c32470 --- /dev/null +++ b/tests/packer/init/archlinux-cosmic.user-data.yml 
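Review bot: Only the archlinux `file` provisioner in the first hunk is repointed to `${path.cwd}/../.pkg/...`; the opensuse rpm and debian/ubuntu deb provisioners in the same `build` block still read `${path.cwd}/../apparmor.d-${var.version}-1.x86_64.rpm` and `${path.cwd}/../apparmor.d_${var.version}-1_amd64.deb` (see the earlier builds.pkr.hcl diff in this series), while dists/docker.sh in this patch now moves those artifacts into `$OUTPUT` (`.pkg`). Those two `sources` lines need the same `/../.pkg/` prefix or the rpm and deb uploads will no longer find their package. The diffstat (`6 +++---`) confirms only the arch line and the two post-processor lines changed.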
@@ -0,0 +1,90 @@ +#cloud-config + +hostname: ${hostname} +locale: en_IE +keyboard: + layout: ie + +ssh_pwauth: true +users: + - name: ${username} + plain_text_passwd: ${password} + shell: /bin/bash + ssh_authorized_keys: + - ${ssh_key} + lock_passwd: false + sudo: ALL=(ALL) NOPASSWD:ALL + +package_update: true +package_upgrade: true +package_reboot_if_required: false +packages: + # Install core packages + - apparmor + - audit + - base-devel + - firewalld + - qemu-guest-agent + - rng-tools + - spice-vdagent + + # Install usefull core packages + - bash-completion + - git + - htop + - man + - pass + - python-notify2 + - vim + - wget + + # Install basic services + - networkmanager + - cups + - cups-pdf + - system-config-printer + + # Install Graphical Interface + - cosmic + + # Install Applications + - firefox + - chromium + - terminator + +runcmd: + # Regenerate grub.cfg + - grub-mkconfig -o /boot/grub/grub.cfg + + # Remove swapfile + - swapoff -a + - rm -rf /swap/ + - sed -e "/swap/d" -i /etc/fstab + + # Enable core services + - systemctl enable apparmor + - systemctl enable auditd + - systemctl enable cosmic-greeter + - systemctl enable NetworkManager + - systemctl enable rngd + - systemctl enable avahi-daemon + - systemctl enable systemd-timesyncd.service + +write_files: + # Enable AppArmor in kernel parameters + - path: /etc/default/grub + append: true + content: | + GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT lsm=landlock,lockdown,yama,integrity,apparmor,bpf apparmor.debug=1" + + # Set some bash aliases + - path: /etc/skel/.bashrc + append: true + content: | + [[ -f ~/.bash_aliases ]] && source ~/.bash_aliases + + # Setup shared directory + - path: /etc/fstab + append: true + content: | + 0a31bc478ef8e2461a4b1cc10a24cc4 /home/user/Projects/apparmor.d virtiofs defaults 0 1 diff --git a/tests/packer/init/init.sh b/tests/packer/init/init.sh index df300c0c4..495d2f2a5 100644 --- a/tests/packer/init/init.sh +++ b/tests/packer/init/init.sh 
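Review bot: The grub `write_files` entry adds `apparmor.debug=1` to `GRUB_CMDLINE_LINUX_DEFAULT`, which the otherwise parallel archlinux-xfce template in this series does not set, and nothing records why the cosmic image is the one with AppArmor debug output enabled; a comment like `# apparmor.debug=1: verbose LSM logging for profile development on this box` next to the line keeps the divergence deliberate rather than accidental. The ordering works because write_files runs in the init stage before the `grub-mkconfig` in `runcmd`, but `systemctl enable cosmic-greeter` presumes the `cosmic` package pulls in the greeter unit, which is worth confirming.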
@@ -15,16 +15,6 @@ readonly SRC=/tmp/src readonly DISTRIBUTION main() { - install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" - install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases" - install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml" - install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc" - install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local - install -Dm0755 $SRC/aa-update /usr/bin/aa-update - install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean - cat $SRC/parser.conf >>/etc/apparmor/parser.conf - chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" - case "$DISTRIBUTION" in arch) pacman --noconfirm -U $SRC/*.pkg.tar.zst @@ -45,6 +35,16 @@ main() { ;; esac + + install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/" + install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases" + install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml" + install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc" + install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local + install -Dm0755 $SRC/aa-update /usr/bin/aa-update + install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean + cat $SRC/parser.conf >>/etc/apparmor/parser.conf + chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/" } main "$@" From cc47d8d55783c823b46fd7bfdc17f247d8580476 Mon Sep 17 00:00:00 2001 
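Review bot: The two hunks move the `install`/`cat`/`chown` block from before the distribution `case` to after it without saying why; the likely reason — `site.local` under /etc/apparmor.d/tunables/multiarch.d/, `aa-update` and `aa-log-clean` must land after the package so the package install cannot overwrite them — deserves a comment at the top of the moved block, e.g. `# Local overrides go in after the package so its files cannot clobber them`. While it is being moved, `cat $SRC/parser.conf >>/etc/apparmor/parser.conf` appends unconditionally, so re-running init.sh on an existing box duplicates those parser options; a `grep -qF` guard against the existing file would make the script idempotent. `main` starts in the first hunk and closes in the second, so the whole function is visible.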
From: Alexandre Pujol Date: Tue, 8 Oct 2024 21:24:29 +0100 Subject: [PATCH 260/315] doc: minor improvment of dev doc. --- docs/development/dbus.md | 5 +---- docs/development/directives.md | 3 +-- docs/development/index.md | 4 ++-- 3 files changed, 4 insertions(+), 8 deletions(-) diff --git a/docs/development/dbus.md b/docs/development/dbus.md index 38e931b88..e4133e5d1 100644 --- a/docs/development/dbus.md +++ b/docs/development/dbus.md @@ -29,10 +29,7 @@ For more access, simply use the [`aa:dbus talk`](#dbus-directive) directive. There is a trade of between security and maintenance to make: - `aa:dbus talk` will generate less issue as it gives full talk access -- `abstractions/bus/*` will provide more restriction, and possibly more issue. - -Ideally, these rules should be automatically generated from either the dbus interface documentation or the program call. - +- `abstractions/bus/*` will provide more restriction, and possibly more issue. In the future, these rules will be automatically generated from the interface documentation. ## Dbus Directive diff --git a/docs/development/directives.md b/docs/development/directives.md index 8897f9519..53c7e7dcd 100644 --- a/docs/development/directives.md +++ b/docs/development/directives.md 
@@ -118,8 +118,7 @@ The `exec` directive is useful to allow executing transitions to a profile witho **`[X]`** -: If `X` is set, the directive will conserve the `x` file rules regardless of the transition. Not enabled by default as it may conflict with the parent profile. - +: If `X` is set, the directive will conserve the `x` file rules regardless of the transition. It is not enabled by default as it may conflict with the parent profile. Indeed, automatically adding `Px` and `ix` transition in a profile is a very effective way to have conflict between transitions as you can automatically add rule already present in the profile but with another transition (you would then get the AppArmor error: `profile has merged rule with conflicting x modifiers`). **Example** diff --git a/docs/development/index.md b/docs/development/index.md index 2e12a466b..f44d86aee 100644 --- a/docs/development/index.md +++ b/docs/development/index.md @@ -62,11 +62,11 @@ If you're looking to contribute to `apparmor.d` you can get started by going to your devices or for your use case. -## Additional recommended documentation +## Recommended documentation * [The AppArmor Core Policy Reference](https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference) * [The openSUSE Documentation](https://doc.opensuse.org/documentation/leap/security/html/book-security/part-apparmor.html) -* https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html +* [SUSE Documentation](https://documentation.suse.com/sles/12-SP5/html/SLES-all/cha-apparmor-intro.html) * [The AppArmor.d man page](https://man.archlinux.org/man/apparmor.d.5) * [F**k AppArmor](https://presentations.nordisch.org/apparmor/#/) * [A Brief Tour of Linux Security Modules](https://www.starlab.io/blog/a-brief-tour-of-linux-security-modules) From 28706b2a78d82dc3efe912a8c7b2b8155253fca8 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 8 Oct 2024 22:53:52 +0100 Subject: [PATCH 261/315] doc: initial preparation for re-attached path. --- apparmor.d/tunables/multiarch.d/system | 6 ++++-- docs/development/internal.md | 12 ++++++++++++ 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 2dd715567..2218a3dd6 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -151,7 +151,9 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -# Container path given to attach_disconnected.path=@{ct}@{profile_name} -@{ct}=/ct- +#aa:only abi3 +# Attachment path for attach_disconnected.path flag. +# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. +@{att}=/ # vim:syntax=apparmor diff --git a/docs/development/internal.md b/docs/development/internal.md index 58d66058f..459f1ad71 100644 --- a/docs/development/internal.md +++ b/docs/development/internal.md 
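Review bot: The new comment `# Automatically generated and set in profile preamble on ABI4. Disabled on ABI3.` is ambiguous under the `#aa:only abi3` directive above it: on ABI3 the variable is the thing that is kept, while what is unavailable is the `attach_disconnected.path` re-attachment itself; something like `# Attachment prefix for the attach_disconnected.path flag. On ABI4 the build tool emits @{att} in each profile preamble; on ABI3 the feature is unavailable, so @{att} stays / and disconnected paths attach to the root.` states that directly. Dropping `@{ct}=/ct-` means any profile that still references `@{ct}` fails to parse, so the tree should be checked for remaining uses in the same commit. Keeping `@{att}=/` as the ABI3 value preserves the existing root-attachment behaviour on older parsers, so there is no silent policy change there.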
@@ -157,6 +157,18 @@ It is recommended to transition [in a subprofile](abstractions.md#appsystemctl) All common programs are tracked and labelled in the [`apparmor.d/tunables/multiarch.d/programs`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/programs) and [`apparmor.d/tunables/multiarch.d/paths`](https://github.com/roddhjav/apparmor.d/blob/main/apparmor.d/tunables/multiarch.d/paths) files. They can be used in a `child-open` profile or directly in a profile. They are useful to allow opening resources using a kind of program (browsers, image viewer, text editor...), instead of allowing a given program path. +## Re-attached path + +The flag `attach_disconnect` control how disconnected paths are handled. It determines if pathnames resolved to be outside the namespace are attached to the root (ie. have the `/` character prepended). +It is a security issue as it allows disconnected paths to alias to other files that exist in the file name. Therefore, it is only provided to work around problems that can arise with sandboxed programs. + +AppAmor 4.0 provides the `attach_disconnect.path` flag allowing to reattach this path to a prefix that is not `/`. When used it provide an important security improvement from AppArmor 3.0. + +**`apparmor.d`** uses `attach_disconnect.path` by **default and automatically** on all profiles with the `attach_disconnect` flag. The attached path is set to `@{att}` a new dynamically generated variable set at build time in the preamble of all profile to be: + +- `@{att}=/att/` for profile with `attach_disconnect` flag. +- `@{att}=/` for other profiles + ## User Confinement [:material-police-badge-outline:{ .pg-red }](../full-system-policy.md "Only for Full System Policy (FSP)") From 630e785787437d2f1935e115ecba90c782912f1b Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Tue, 8 Oct 2024 22:59:50 +0100 Subject: [PATCH 262/315] feat(tunable): remove @{user_tmp_dirs} as it refers to different kind of temp folder. --- apparmor.d/groups/gpg/gpg-agent | 12 ++++++------ apparmor.d/tunables/home.d/apparmor.d | 1 - docs/variables.md | 1 - 3 files changed, 6 insertions(+), 8 deletions(-) diff --git a/apparmor.d/groups/gpg/gpg-agent b/apparmor.d/groups/gpg/gpg-agent index 17e360d09..75bb7583f 100644 --- a/apparmor.d/groups/gpg/gpg-agent +++ b/apparmor.d/groups/gpg/gpg-agent @@ -53,12 +53,12 @@ profile gpg-agent @{exec_path} { owner @{run}/user/@{uid}/gnupg/S.gpg-agent{,.ssh,.browser,.extra} rw, owner @{run}/user/@{uid}/gnupg/sshcontrol r, - owner @{user_tmp_dirs}/**/{.,}gnupg/ rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/*.conf r, - owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/ rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, - owner @{user_tmp_dirs}/**/{.,}gnupg/sshcontrol r, + owner @{tmp}/**/{.,}gnupg/ rw, + owner @{tmp}/**/{.,}gnupg/*.conf r, + owner @{tmp}/**/{.,}gnupg/private-keys-v1.d/ rw, + owner @{tmp}/**/{.,}gnupg/private-keys-v1.d/@{hex}.key{,.tmp} rw, + owner @{tmp}/**/{.,}gnupg/{,d.@{rand}/}S.gpg-agent{,.ssh,.browser,.extra} rw, + owner @{tmp}/**/{.,}gnupg/sshcontrol r, #aa:only pacman owner /etc/pacman.d/gnupg/ rw, diff --git a/apparmor.d/tunables/home.d/apparmor.d b/apparmor.d/tunables/home.d/apparmor.d index c23a8d956..f1be9acbe 100644 --- a/apparmor.d/tunables/home.d/apparmor.d +++ b/apparmor.d/tunables/home.d/apparmor.d @@ -52,7 +52,6 @@ # User build directories and output @{user_build_dirs}="/tmp/build/" @{user_pkg_dirs}="/tmp/pkg/" -@{user_tmp_dirs}=@{run}/user/@{uid} /tmp/ @{user_img_dirs}=@{HOME}/@{XDG_IMG_DIR} @{MOUNTS}/@{XDG_IMG_DIR} # Other user directories diff --git a/docs/variables.md b/docs/variables.md index b413e61f2..ef2533c0f 100644 --- a/docs/variables.md 
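Review bot: The six rewritten rules narrow the match from `@{user_tmp_dirs}` (defined by the removed tunable line below as `@{run}/user/@{uid} /tmp/`) to `@{tmp}` alone, so a `**/{.,}gnupg/` tree under `@{run}/user/@{uid}/` is no longer covered by this block; the surrounding context only allows the flat `@{run}/user/@{uid}/gnupg/...` paths. If nested gnupg homes under the runtime directory (for example the `{,d.@{rand}/}S.gpg-agent` sockets) were intentional, that access is silently lost; if not, a short comment such as `# gnupg homes created under a temporary directory (e.g. GNUPGHOME set by a caller)` would record why `@{tmp}` is the only location kept. What `@{tmp}` expands to is not visible on this page, so this assumes it does not include the runtime dir. The `gpg-agent` profile body continues outside the hunk.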
+++ b/docs/variables.md @@ -68,7 +68,6 @@ title: Variables References | State | `@{user_state_dirs}` | ` @{HOME}/@{XDG_STATE_DIR}` | | Build | `@{user_build_dirs}` | `/tmp/build/` | | Packages | `@{user_pkg_dirs}` | `/tmp/pkg/` | -| Tmp | `@{user_tmp_dirs}` | `@{run}/user/@{uid} /tmp/` | From 94703681d98e2df45f7ace037ff135eb287a8984 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 8 Oct 2024 23:44:13 +0100 Subject: [PATCH 263/315] build: build tasks: dev -> hotfix. --- cmd/prebuild/main.go | 2 +- pkg/prebuild/builder/{dev.go => hotfix.go} | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) rename pkg/prebuild/builder/{dev.go => hotfix.go} (60%) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 25e422cfd..2002999a6 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go @@ -32,7 +32,7 @@ func init() { // Build tasks applied by default builder.Register( "userspace", // Resolve variable in the userspace profile - "dev", // Temporary fix for #74, #80 & #235 + "hotfix", // Temporary fix for #74, #80 & #235 ) // Compatibility with AppArmor 3 diff --git a/pkg/prebuild/builder/dev.go b/pkg/prebuild/builder/hotfix.go similarity index 60% rename from pkg/prebuild/builder/dev.go rename to pkg/prebuild/builder/hotfix.go index 19fbe409d..f7e6143b1 100644 --- a/pkg/prebuild/builder/dev.go +++ b/pkg/prebuild/builder/hotfix.go @@ -10,7 +10,7 @@ import ( ) var ( - regDev = util.ToRegexRepl([]string{ + regHotfix = util.ToRegexRepl([]string{ `Cx`, `cx`, `PUx`, `pux`, `Px`, `px`, 
@@ -18,19 +18,19 @@ var ( }) ) -type Dev struct { +type Hotfix struct { prebuild.Base } func init() { - RegisterBuilder(&Dev{ + RegisterBuilder(&Hotfix{ Base: prebuild.Base{ - Keyword: "dev", - Msg: "Apply test development changes", + Keyword: "hotfix", + Msg: "Temporary fix for #74, #80 & #235", }, }) } -func (b Dev) Apply(opt *Option, profile string) (string, error) { - return regDev.Replace(profile), nil +func (b Hotfix) Apply(opt *Option, profile string) (string, error) { + return regHotfix.Replace(profile), nil } From 6afcfa85ec30a917bf698dd5c567af26fa60659f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 9 Oct 2024 13:31:57 +0100 Subject: [PATCH 264/315] fix(ci): ensure output build directory exist. --- Makefile | 2 +- dists/build.sh | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index 8ee380abd..9c8ae3eae 100644 --- a/Makefile +++ b/Makefile @@ -5,7 +5,7 @@ DESTDIR ?= / BUILD ?= .build -PKGDEST ?= /tmp/pkg +PKGDEST ?= ${PWD}/.pkg PKGNAME := apparmor.d P = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*))) diff --git a/dists/build.sh b/dists/build.sh index 08d43a49a..523bf8ca4 100644 --- a/dists/build.sh +++ b/dists/build.sh @@ -8,7 +8,7 @@ set -eu -o pipefail readonly COMMAND="$1" -readonly OUTPUT=".pkg" +readonly OUTPUT="$PWD/.pkg" readonly PKGNAME=apparmor.d VERSION="0.$(git rev-list --count HEAD)" readonly VERSION From e17b682e51f361aab58d98f4bfd63a8aba536756 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 9 Oct 2024 13:56:27 +0100 Subject: [PATCH 265/315] feat(profile): minor profile improvments. --- apparmor.d/groups/systemd/systemd-inhibit | 2 ++ apparmor.d/groups/systemd/systemd-network-generator | 2 ++ apparmor.d/groups/virt/dockerd | 2 +- apparmor.d/profiles-a-f/alsactl | 3 +++ apparmor.d/profiles-m-r/mission-control | 1 + apparmor.d/profiles-m-r/packagekitd | 1 + apparmor.d/tunables/multiarch.d/profiles | 2 +- 7 files changed, 11 insertions(+), 2 deletions(-) 
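Review bot: Nothing in hotfix.go says what this default-enabled builder actually does to a profile: the `regHotfix` table in the preceding hunk rewrites `Cx`, `PUx` and `Px` to `cx`, `pux` and `px`, i.e. it drops the environment-scrubbing variant of every exec transition it touches, which is a security-relevant downgrade applied to every built profile. Since `Msg` now only cites issue numbers, a comment on the type would help, e.g. `// Hotfix rewrites Px/Cx/PUx transitions to px/cx/pux (no environment scrubbing)` followed by `// as a workaround for #74, #80 and #235; remove once those are resolved.` The `opt` parameter of `Apply` is unused, which is pre-existing but worth an `_` rename if the interface allows it.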
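Review bot: `PKGDEST ?= ${PWD}/.pkg` relies on the `PWD` environment variable, which make only inherits from the calling shell and which is stale under `make -C dir` or when make is started by a process that does not export it; `$(CURDIR)` is the value make computes itself, so `PKGDEST ?= $(CURDIR)/.pkg` is the safer form. Neither this hunk nor the `dists/build.sh` hunk of the same commit creates the directory, so the "ensure output build directory exist" intent presumably relies on a `mkdir -p` elsewhere that is not visible here; if there is none, `mkdir -p "$OUTPUT"` right after `readonly OUTPUT="$PWD/.pkg"` would make the script self-contained.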
diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 2051a5b19..9938015d3 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -14,6 +14,8 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { capability net_admin, capability sys_resource, + signal receive set=term peer=packagekitd, + @{exec_path} mr, @{bin}/cat rix, diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator index c65980901..e22d89629 100644 --- a/apparmor.d/groups/systemd/systemd-network-generator +++ b/apparmor.d/groups/systemd/systemd-network-generator @@ -17,6 +17,8 @@ profile systemd-network-generator @{exec_path} { owner @{run}/systemd/network/{,**} rw, + @{run}/credentials/systemd-network-generator.service/ r, + include if exists } diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 91d7baf3e..6b1616e94 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -89,7 +89,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { owner @{lib}/containerd/** w, owner @{lib}/docker/overlay2/*/work/{,**} rw, - owner /var/lib/containerd/** w, + owner /var/lib/containerd/** rw, owner /var/lib/docker/{,**} rwk, owner /var/lib/docker/tmp/qemu-check@{int}/check rix, diff --git a/apparmor.d/profiles-a-f/alsactl b/apparmor.d/profiles-a-f/alsactl index b881e27e1..b2b97a62a 100644 --- a/apparmor.d/profiles-a-f/alsactl +++ b/apparmor.d/profiles-a-f/alsactl @@ -22,6 +22,9 @@ profile alsactl @{exec_path} { @{run}/lock/card@{int}.lock rwk, owner @{run}/alsa/{,**} rw, + @{sys}/devices/@{pci}/subsystem_device r, + @{sys}/devices/@{pci}/subsystem_vendor r, + include if exists } diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index a908feb57..efe44ebc2 100644 --- a/apparmor.d/profiles-m-r/mission-control 
+++ b/apparmor.d/profiles-m-r/mission-control @@ -23,6 +23,7 @@ profile mission-control @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/telepathy/mission-control/*.cfg* rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, + owner @{user_cache_dirs}/.mc_connections rw, @{run}/systemd/inhibit/@{int}.ref rw, diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 267ce1dbe..3eb16caad 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -36,6 +36,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { network netlink raw, signal send set=int peer=apt-methods-*, + signal send set=term peer=systemd-inhibit, #aa:dbus own bus=system name=org.freedesktop.PackageKit diff --git a/apparmor.d/tunables/multiarch.d/profiles b/apparmor.d/tunables/multiarch.d/profiles index dd9386b09..a24cefc01 100644 --- a/apparmor.d/tunables/multiarch.d/profiles +++ b/apparmor.d/tunables/multiarch.d/profiles @@ -2,7 +2,7 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only -# Define some variables for some commonly used profile. They may be used in +# Define some variables for some commonly used profile. They may be used in # other profiles peer label. # All variables that refer to a profile name should be prefixed with `p_` From 68127c385998dbd72b62a201a5a6bbeb69174a4b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 9 Oct 2024 14:03:54 +0100 Subject: [PATCH 266/315] build: allow to run prebuild outside of this project. --- cmd/prebuild/main.go | 2 +- pkg/prebuild/builder/userspace.go | 2 +- pkg/prebuild/cli/cli.go | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/cmd/prebuild/main.go b/cmd/prebuild/main.go index 2002999a6..91f77e2e0 100644 --- a/cmd/prebuild/main.go +++ b/cmd/prebuild/main.go 
@@ -31,7 +31,7 @@ func init() { // Build tasks applied by default builder.Register( - "userspace", // Resolve variable in the userspace profile + "userspace", // Resolve variable in profile attachments "hotfix", // Temporary fix for #74, #80 & #235 ) diff --git a/pkg/prebuild/builder/userspace.go b/pkg/prebuild/builder/userspace.go index be5886cbd..d62cad522 100644 --- a/pkg/prebuild/builder/userspace.go +++ b/pkg/prebuild/builder/userspace.go @@ -27,7 +27,7 @@ func init() { RegisterBuilder(&Userspace{ Base: prebuild.Base{ Keyword: "userspace", - Msg: "Bypass userspace tools restriction", + Msg: "Resolve variable in profile attachments", }, }) } diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 329729e94..7c91d8281 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -73,10 +73,10 @@ func Prebuild() { return } - if full { + if full && paths.New("apparmor.d/groups/_full").Exist() { prepare.Register("fsp") builder.Register("fsp") - } else { + } else if prebuild.SystemdDir.Exist() { prepare.Register("systemd-early") } From c923cc7ccffb9c49c3b54adaf2918092631247e9 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 9 Oct 2024 21:37:26 +0100 Subject: [PATCH 267/315] feat(abs): use nss-systemd in nameservice-strict. --- apparmor.d/abstractions/nameservice-strict | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index b1d474717..0cac5a1a2 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -6,6 +6,8 @@ # Many programs wish to perform nameservice-like operations, such as looking up # users by name or id, groups by name or id, hosts by name or IP, etc. + include + @{etc_ro}/default/nss r, @{etc_ro}/gai.conf r, @{etc_ro}/group r, 
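Review bot: With `if full && paths.New("apparmor.d/groups/_full").Exist()`, a build explicitly requested with `full` on a tree that lacks `apparmor.d/groups/_full` no longer errors but drops through to the `else if`, possibly registering `systemd-early` instead, so the caller gets a non-full-system policy with no indication that the request was ignored. Splitting the condition keeps the out-of-tree use case while making the downgrade explicit: `if full && !paths.New("apparmor.d/groups/_full").Exist() { /* log or return an error: FSP requested but apparmor.d/groups/_full is missing */ }` before the existing check. The hard-coded relative path also differs in style from `prebuild.SystemdDir` on the next branch; a matching `prebuild` constant would keep the two lookups consistent. `Prebuild()` starts outside the hunk.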
@@ -31,23 +33,6 @@ @{run}/systemd/resolve/resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r, - # NSS records from systemd-userdbd.service - # - # Allow User/Group lookups via common VarLink socket APIs. Applications need - # to either consult all of them or the io.systemd.Multiplexer frontend. - # - # https://systemd.io/USER_GROUP_API/ - # https://systemd.io/USER_RECORD/ - # https://www.freedesktop.org/software/systemd/man/nss-systemd.html - # - @{run}/systemd/userdb/ r, - @{run}/systemd/userdb/io.systemd.DynamicUser rw, # systemd-exec users - @{run}/systemd/userdb/io.systemd.Home rw, # systemd-home dirs - @{run}/systemd/userdb/io.systemd.Machine rw, # systemd-machined - @{run}/systemd/userdb/io.systemd.Multiplexer rw, - @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw, # UNIX/glibc NSS - @{PROC}/sys/kernel/random/boot_id r, - - include if exists + include if exists # vim:syntax=apparmor From fc43400c268cef7db07f01d97eb860343f17bd76 Mon Sep 17 00:00:00 2001 
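Review bot: The removed block dropped `@{PROC}/sys/kernel/random/boot_id r,` together with the `@{run}/systemd/userdb/*` socket rules, and the replacement is the `include` added in the first hunk (its target is stripped in this rendering; the commit message says nss-systemd); every profile that uses `nameservice-strict` now depends on that abstraction carrying both the userdb and the boot_id access, which should be confirmed rather than assumed. A one-line comment on the new include, e.g. `# User/group lookups via systemd-userdbd, see https://systemd.io/USER_GROUP_API/`, would preserve the rationale the deleted comment block carried.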
From: Alexandre Pujol Date: Wed, 9 Oct 2024 22:19:01 +0100 Subject: [PATCH 268/315] feat(abs): add abi reference to all abstractions. --- apparmor.d/abstractions/X-strict | 3 +++ apparmor.d/abstractions/app-launcher-root | 2 ++ apparmor.d/abstractions/app-launcher-user | 2 ++ apparmor.d/abstractions/app-open | 2 ++ apparmor.d/abstractions/app/bus | 2 ++ apparmor.d/abstractions/app/chromium | 2 ++ apparmor.d/abstractions/app/editor | 2 ++ apparmor.d/abstractions/app/firefox | 2 ++ apparmor.d/abstractions/app/kmod | 2 ++ apparmor.d/abstractions/app/open | 2 ++ apparmor.d/abstractions/app/pgrep | 2 ++ apparmor.d/abstractions/app/pkexec | 2 ++ apparmor.d/abstractions/app/sudo | 2 ++ apparmor.d/abstractions/app/systemctl | 2 ++ apparmor.d/abstractions/app/udevadm | 2 ++ apparmor.d/abstractions/audio-client | 2 ++ apparmor.d/abstractions/audio-server | 2 ++ apparmor.d/abstractions/bash-strict | 2 ++ apparmor.d/abstractions/bus-accessibility | 2 ++ apparmor.d/abstractions/bus-session | 2 ++ apparmor.d/abstractions/bus-system | 2 ++ apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry | 2 ++ apparmor.d/abstractions/bus/com.canonical.dbusmenu | 2 ++ apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 | 2 ++ apparmor.d/abstractions/bus/net.hadess.PowerProfiles | 2 ++ apparmor.d/abstractions/bus/net.hadess.SwitcherooControl | 2 ++ apparmor.d/abstractions/bus/net.reactivated.Fprint | 2 ++ apparmor.d/abstractions/bus/org.a11y | 2 ++ apparmor.d/abstractions/bus/org.bluez | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.Accounts | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.Avahi | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.ColorManager | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.FileManager1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.NetworkManager | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.Notifications | 2 ++ 
apparmor.d/abstractions/bus/org.freedesktop.PackageKit | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver | 2 ++ .../abstractions/bus/org.freedesktop.Tracker3.Miner.Files | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.UDisks2 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.UPower | 2 ++ .../abstractions/bus/org.freedesktop.background.Monitor | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.hostname1 | 2 ++ .../bus/org.freedesktop.impl.portal.PermissionStore | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.locale1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.login1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.login1.Session | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.network1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.resolve1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.secrets | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.systemd1 | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.systemd1-session | 2 ++ apparmor.d/abstractions/bus/org.freedesktop.timedate1 | 2 ++ apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 | 2 ++ apparmor.d/abstractions/bus/org.gnome.DisplayManager | 2 ++ apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig | 2 ++ apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor | 2 ++ .../abstractions/bus/org.gnome.Nautilus.FileOperations2 | 2 ++ apparmor.d/abstractions/bus/org.gnome.ScreenSaver | 2 ++ apparmor.d/abstractions/bus/org.gnome.SessionManager | 2 ++ apparmor.d/abstractions/bus/org.gnome.Shell.Introspect | 2 ++ .../abstractions/bus/org.gtk.Private.RemoteVolumeMonitor | 2 ++ apparmor.d/abstractions/bus/org.gtk.vfs.Daemon | 2 ++ apparmor.d/abstractions/bus/org.gtk.vfs.Metadata | 2 ++ apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker | 2 ++ 
apparmor.d/abstractions/bus/org.kde.StatusNotifierItem | 1 + apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher | 2 ++ apparmor.d/abstractions/bus/org.kde.kwalletd | 2 ++ apparmor.d/abstractions/common/app | 2 ++ apparmor.d/abstractions/common/apt | 2 ++ apparmor.d/abstractions/common/bwrap | 2 ++ apparmor.d/abstractions/common/chromium | 2 ++ apparmor.d/abstractions/common/electron | 2 ++ apparmor.d/abstractions/common/game | 2 ++ apparmor.d/abstractions/common/gnome | 2 ++ apparmor.d/abstractions/common/steam-game | 2 ++ apparmor.d/abstractions/common/systemd | 2 ++ apparmor.d/abstractions/dconf-write | 2 ++ apparmor.d/abstractions/deny-sensitive-home | 2 ++ apparmor.d/abstractions/desktop | 2 ++ apparmor.d/abstractions/devices-usb | 2 ++ apparmor.d/abstractions/disks-read | 2 ++ apparmor.d/abstractions/disks-write | 2 ++ apparmor.d/abstractions/dri | 2 ++ apparmor.d/abstractions/fish | 2 ++ apparmor.d/abstractions/fontconfig-cache-read | 2 ++ apparmor.d/abstractions/fontconfig-cache-write | 2 ++ apparmor.d/abstractions/glfw | 2 ++ apparmor.d/abstractions/gnome-strict | 2 ++ apparmor.d/abstractions/graphics | 2 ++ apparmor.d/abstractions/graphics-full | 2 ++ apparmor.d/abstractions/gstreamer | 2 ++ apparmor.d/abstractions/kde-strict | 2 ++ apparmor.d/abstractions/nameservice-strict | 4 +++- apparmor.d/abstractions/nvidia-strict | 2 ++ apparmor.d/abstractions/qt5-shader-cache | 2 ++ apparmor.d/abstractions/shells | 2 ++ apparmor.d/abstractions/thumbnails-cache-read | 2 ++ apparmor.d/abstractions/thumbnails-cache-write | 2 ++ apparmor.d/abstractions/trash-strict | 2 ++ apparmor.d/abstractions/uim | 2 ++ apparmor.d/abstractions/user-download-strict | 2 ++ apparmor.d/abstractions/user-read | 2 ++ apparmor.d/abstractions/user-read-strict | 2 ++ apparmor.d/abstractions/user-write-strict | 2 ++ apparmor.d/abstractions/vulkan-strict | 2 ++ apparmor.d/abstractions/xfce | 2 ++ apparmor.d/abstractions/zsh | 2 ++ 112 files changed, 225 insertions(+), 1 deletion(-) 
diff --git a/apparmor.d/abstractions/X-strict b/apparmor.d/abstractions/X-strict index 6a29d1764..4c506da69 100644 --- a/apparmor.d/abstractions/X-strict +++ b/apparmor.d/abstractions/X-strict @@ -2,6 +2,9 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + + # The unix socket to use to connect to the display unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"), unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), diff --git a/apparmor.d/abstractions/app-launcher-root b/apparmor.d/abstractions/app-launcher-root index 2aaecbd21..5d2f74363 100644 --- a/apparmor.d/abstractions/app-launcher-root +++ b/apparmor.d/abstractions/app-launcher-root @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/** PUx, /usr/local/{s,}bin/** PUx, diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 04b20e84d..800de5106 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/** PUx, /opt/*/** PUx, /usr/share/** PUx, diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index f0fd32206..900fdc3c8 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open @@ -8,6 +8,8 @@ # Ultimately, only sandbox manager such as like bwrap, snap, flatpak, firejail # should be present here. Until this day, this profile will be a controlled mess. + abi , + # Sandbox managers @{bin}/bwrap rPUx, @{bin}/firejail rPUx, diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus index d1d0d8cb7..d1bd606a6 100644 --- a/apparmor.d/abstractions/app/bus +++ b/apparmor.d/abstractions/app/bus 
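Review bot: Adding an `abi` rule to every abstraction (the target is stripped in this rendering) pins each included file to that ABI, and this project still ships an AppArmor 3 compatibility task (`// Compatibility with AppArmor 3` in cmd/prebuild/main.go earlier on this page); it is worth confirming that task also rewrites abi lines under `apparmor.d/abstractions/`, not only in profiles, otherwise ABI3 builds would include files declaring a newer ABI than the profile that includes them. The diffstat shows `X-strict` receives 3 insertions where every other abstraction receives 2, i.e. a doubled blank line after the new rule here; a single blank line keeps it consistent. The same remark covers the remaining hunks of this patch (`app-launcher-root` through `org.freedesktop.ScreenSaver` on this page and beyond).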
@@ -4,6 +4,8 @@ # Minimal set of rules for dbus-send/dbus-launch. + abi , + include @{bin}/dbus-launch mix, diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 81d37113d..6bf3f26ed 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -16,6 +16,8 @@ # or abstractions/common/electron instead. # + abi , + include include include diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index d6e346f36..9daec6ad1 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -3,6 +3,8 @@ # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only + abi , + include include diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index c94ef8476..2f9c93937 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -12,6 +12,8 @@ # @{cache_dirs} = @{user_cache_dirs}/mozilla/ # + abi , + include include include diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index ae10dbbfc..ad02acc54 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include @{bin}/depmod mr, diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index f21a2a7de..9ae49c4bd 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -4,6 +4,8 @@ # Full set of rules for child-open-* profiles. + abi , + include @{open_path} mrix, diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index aaf14d859..13ebcd390 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -4,6 +4,8 @@ # Minimal set of rules for pgrep/pkill. + abi , + include capability sys_ptrace, 
diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec index 2c3669bcc..5b9197957 100644 --- a/apparmor.d/abstractions/app/pkexec +++ b/apparmor.d/abstractions/app/pkexec @@ -4,6 +4,8 @@ # Minimal set of rules for pkexec. + abi , + include include include diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index b10c66c68..0149cc883 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -4,6 +4,8 @@ # Minimal set of rules for sudo. Interactive sudo need more rules. + abi , + include include include diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 62b4aafdf..9f0da659b 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index 72fb4c61b..cba83e1ff 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + ptrace read peer=@{p_systemd}, @{bin}/udevadm mr, diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 7ed4d6b80..45028f488 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -5,6 +5,8 @@ # Most programs do not need access to audio devices, audio-client only includes # configuration files to be used by client applications. + abi , + /usr/share/alsa/{,**} r, /usr/share/openal/hrtf/{,**} r, /usr/share/pipewire/client-rt.conf r, diff --git a/apparmor.d/abstractions/audio-server b/apparmor.d/abstractions/audio-server index ef69d2d54..97850305b 100644 --- a/apparmor.d/abstractions/audio-server +++ b/apparmor.d/abstractions/audio-server 
@@ -5,6 +5,8 @@ # Provide access to audio devices. It should only be used by audio servers that # need direct access to them. + abi , + include @{run}/udev/data/+sound:card@{int} r, # for sound card diff --git a/apparmor.d/abstractions/bash-strict b/apparmor.d/abstractions/bash-strict index 832f2add6..9ea35f8c2 100644 --- a/apparmor.d/abstractions/bash-strict +++ b/apparmor.d/abstractions/bash-strict @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + /usr/share/bash-completion/{,**} r, /usr/share/terminfo/{,**} r, diff --git a/apparmor.d/abstractions/bus-accessibility b/apparmor.d/abstractions/bus-accessibility index f032f842b..ee0a16b99 100644 --- a/apparmor.d/abstractions/bus-accessibility +++ b/apparmor.d/abstractions/bus-accessibility @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=accessibility path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} diff --git a/apparmor.d/abstractions/bus-session b/apparmor.d/abstractions/bus-session index d5ca957e8..811787bad 100644 --- a/apparmor.d/abstractions/bus-session +++ b/apparmor.d/abstractions/bus-session @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + unix (bind, listen) type=stream addr="@/tmp/dbus-*", unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*", unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"), diff --git a/apparmor.d/abstractions/bus-system b/apparmor.d/abstractions/bus-system index 0148d0711..0bfe96818 100644 --- a/apparmor.d/abstractions/bus-system +++ b/apparmor.d/abstractions/bus-system 
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName} diff --git a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry index 7aa5e7f75..9363bb757 100644 --- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry +++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry @@ -4,6 +4,8 @@ # Access required for connecting to/communicating with the Unity Launcher + abi , + dbus send bus=session path=/com/canonical/unity/launcherentry/@{int} interface=com.canonical.Unity.LauncherEntry member=Update diff --git a/apparmor.d/abstractions/bus/com.canonical.dbusmenu b/apparmor.d/abstractions/bus/com.canonical.dbusmenu index 290a86de8..c5f74a6de 100644 --- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu +++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include if exists diff --git a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 index 458d99eef..4b7d6c89d 100644 --- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 +++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/fi/w1/wpa_supplicant1 interface=org.freedesktop.DBus.Properties member={GetAll,PropertiesChanged} diff --git a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles index 1bee9da46..4da873247 100644 --- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles +++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles 
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/net/hadess/PowerProfiles interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl index 84422b28e..7f68d2d06 100644 --- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl +++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/net/hadess/SwitcherooControl interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/net.reactivated.Fprint b/apparmor.d/abstractions/bus/net.reactivated.Fprint index ad16d10a2..41735f1be 100644 --- a/apparmor.d/abstractions/bus/net.reactivated.Fprint +++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/net/reactivated/Fprint/Manager interface=net.reactivated.Fprint.Manager member={GetDevices,GetDefaultDevice} diff --git a/apparmor.d/abstractions/bus/org.a11y b/apparmor.d/abstractions/bus/org.a11y index deb517f1d..357c06473 100644 --- a/apparmor.d/abstractions/bus/org.a11y +++ b/apparmor.d/abstractions/bus/org.a11y @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + # Accessibility bus dbus receive bus=accessibility path=/org/a11y/atspi/registry diff --git a/apparmor.d/abstractions/bus/org.bluez b/apparmor.d/abstractions/bus/org.bluez index d6ed8922d..7b709ab9b 100644 --- a/apparmor.d/abstractions/bus/org.bluez +++ b/apparmor.d/abstractions/bus/org.bluez 
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus receive bus=system path=/ interface=org.freedesktop.DBus.ObjectManager member=InterfacesRemoved diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Accounts b/apparmor.d/abstractions/bus/org.freedesktop.Accounts index 946189fe5..f2048c80e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts +++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/Accounts interface=org.freedesktop.Accounts member={FindUserByName,ListCachedUsers} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Avahi b/apparmor.d/abstractions/bus/org.freedesktop.Avahi index 73ddaf14e..ccf5b30a9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi +++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/ interface=org.freedesktop.DBus.Peer member=Ping diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager index 6f5c7acf3..205557ad5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/ColorManager interface=org.freedesktop.ColorManager member=GetDevices diff --git a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 index 36f5b405e..101e493ab 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1 
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/FileManager1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 index af34b33fe..ddbf4d1de 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/GeoClue2/Manager interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 index 84ce80b6e..5c514d54c 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/ModemManager1 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects diff --git a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager index 61f27fca5..af2b6d2b9 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager +++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Notifications b/apparmor.d/abstractions/bus/org.freedesktop.Notifications index 27e1e7137..eee09ffad 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/Notifications interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit index 1a6839b17..b65bc1ef5 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit +++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 index 006dcee84..ab9e373ab 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.PolicyKit1.Authority member=Changed diff --git a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 index 527c1e916..ff2906932 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/RealtimeKit1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver index 842057a1d..43ed93af6 100644 
--- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/ScreenSaver interface=org.freedesktop.ScreenSaver member={Inhibit,UnInhibit} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files index 567740a35..48fa7e394 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files +++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint interface=org.freedesktop.DBus.Peer member=Ping diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 index cd415f396..30abb2199 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 +++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/UDisks2 interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects diff --git a/apparmor.d/abstractions/bus/org.freedesktop.UPower b/apparmor.d/abstractions/bus/org.freedesktop.UPower index 148db02d7..369448079 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.UPower +++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/UPower interface=org.freedesktop.UPower member=EnumerateDevices 
diff --git a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor index ff7d57989..f6019eedb 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor +++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/background/monitor interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 index 51b0a5cec..8957c4cdd 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/hostname1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore index 0fabcd310..c4e4a5fbf 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore +++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.locale1 b/apparmor.d/abstractions/bus/org.freedesktop.locale1 index 74e51b1d7..50218ced3 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.locale1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1 
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/locale1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1 b/apparmor.d/abstractions/bus/org.freedesktop.login1 index 595b81335..77271fe23 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session index d5b62f739..4affc3d22 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session +++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager member=GetSession diff --git a/apparmor.d/abstractions/bus/org.freedesktop.network1 b/apparmor.d/abstractions/bus/org.freedesktop.network1 index 268a21dea..56460a52b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.network1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.network1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/network1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop index 820b57ff7..1561491cc 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop +++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop 
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/portal/desktop interface=org.freedesktop.DBus.Properties member={Get,GetAll,Read} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 index 7f5b6d1a4..7714a871b 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/resolve1 interface=org.freedesktop.resolve1.Manager member={SetLink*,ResolveHostname} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.secrets b/apparmor.d/abstractions/bus/org.freedesktop.secrets index bb8014fc0..0b169a04e 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.secrets +++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/secrets{,/**} interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 index 49e4b014d..115aefd78 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session index 8edda758c..97db8023f 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session 
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/freedesktop/systemd1 interface=org.freedesktop.DBus.Properties member={Get,GetAll} diff --git a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 index 32cc2f451..443d35eed 100644 --- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1 +++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/freedesktop/timedate1 interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 index 078835c41..120330ac1 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 +++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/ArchiveManager1 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.gnome.DisplayManager b/apparmor.d/abstractions/bus/org.gnome.DisplayManager index 0d76f2388..107868836 100644 --- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager +++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=system path=/org/gnome/DisplayManager/Manager interface=org.gnome.DisplayManager.Manager member=RegisterDisplay diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig index 1449ff4ea..605e90311 100644 
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Mutter/DisplayConfig interface=org.gnome.Mutter.DisplayConfig member={GetResources,GetCrtcGamma} diff --git a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor index 2726a7c54..68769f2c9 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor +++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Mutter/IdleMonitor interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects diff --git a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 index da9f7229f..185937e70 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 +++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2 @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Nautilus/FileOperations2 interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver index 15eec0c69..ba13aa7d2 100644 --- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver +++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/ScreenSaver interface=org.freedesktop.DBus.Properties member=GetAll 
diff --git a/apparmor.d/abstractions/bus/org.gnome.SessionManager b/apparmor.d/abstractions/bus/org.gnome.SessionManager index 19242d56a..c683eddac 100644 --- a/apparmor.d/abstractions/bus/org.gnome.SessionManager +++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager @@ -4,6 +4,8 @@ # FIXME: Too large, restrict it. + abi , + dbus send bus=session path=/org/gnome/SessionManager interface=org.gnome.SessionManager member={RegisterClient,IsSessionRunning} diff --git a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect index ed39a2533..efe53af62 100644 --- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect +++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gnome/Shell/Introspect interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor index 0ad921ed3..9060c8c15 100644 --- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor +++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/Private/RemoteVolumeMonitor interface=org.gtk.Private.RemoteVolumeMonitor member={List,IsSupported,VolumeChanged,VolumeMount,MountAdded} diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon index 3e0d95f18..e813f5c4f 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon 
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/vfs/Daemon interface=org.gtk.vfs.Daemon member={GetConnection,ListMonitorImplementations,ListMountableInfo} diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata index e755faa6a..80daa4927 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/vfs/metadata interface=org.freedesktop.DBus.Properties member=GetAll diff --git a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker index 575401ee6..1c80ca6ea 100644 --- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker +++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/org/gtk/vfs/mounttracker interface=org.gtk.vfs.MountTracker member=ListMountableInfo diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem index 4fca40e84..43947d52a 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem @@ -2,6 +2,7 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , include if exists diff --git a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher index 67ac1fb6d..5217a50f5 100644 --- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher +++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher 
@@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + dbus send bus=session path=/StatusNotifierWatcher interface=org.freedesktop.DBus.Properties member=Get diff --git a/apparmor.d/abstractions/bus/org.kde.kwalletd b/apparmor.d/abstractions/bus/org.kde.kwalletd index c0d2ecba2..1ae5a1ace 100644 --- a/apparmor.d/abstractions/bus/org.kde.kwalletd +++ b/apparmor.d/abstractions/bus/org.kde.kwalletd @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 7b6a5fdda..392ea2c5f 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app @@ -9,6 +9,8 @@ # applications (bwrap) that have no way to restrict access depending on the # application being confined. + abi , + include include include diff --git a/apparmor.d/abstractions/common/apt b/apparmor.d/abstractions/common/apt index 77c5a0b7e..5dd8b26bc 100644 --- a/apparmor.d/abstractions/common/apt +++ b/apparmor.d/abstractions/common/apt @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/dpkg/cputable r, /usr/share/dpkg/tupletable r, diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index 711117f6d..7f337aff3 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -7,6 +7,8 @@ # - the flag: attach_disconnected # - bwrap execution: '@{bin}/bwrap rix,' + abi , + userns, capability net_admin, diff --git a/apparmor.d/abstractions/common/chromium b/apparmor.d/abstractions/common/chromium index cad07669a..9fba7b8bb 100644 --- a/apparmor.d/abstractions/common/chromium +++ b/apparmor.d/abstractions/common/chromium 
@@ -6,6 +6,8 @@ # This abstraction is for chromium based application. Chromium based browsers # need to use abstractions/chromium instead. + abi , + userns, capability setgid, # If kernel.unprivileged_userns_clone = 1 diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index da792131d..7bfae1ffa 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -12,6 +12,8 @@ # @{cache_dirs} = @{user_cache_dirs}/@{name} # + abi , + include include include diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game index 678327f09..3b4a982f1 100644 --- a/apparmor.d/abstractions/common/game +++ b/apparmor.d/abstractions/common/game @@ -10,6 +10,8 @@ # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d") # - @{user_games_dirs} for user specific game directories (eg: steam storage dir) + abi , + include include include diff --git a/apparmor.d/abstractions/common/gnome b/apparmor.d/abstractions/common/gnome index 653221e1d..ccb5de8b3 100644 --- a/apparmor.d/abstractions/common/gnome +++ b/apparmor.d/abstractions/common/gnome @@ -4,6 +4,8 @@ # Minimal set of rules for all gnome based UI application. + abi , + include include include diff --git a/apparmor.d/abstractions/common/steam-game b/apparmor.d/abstractions/common/steam-game index 4bd211f27..b3c66e035 100644 --- a/apparmor.d/abstractions/common/steam-game +++ b/apparmor.d/abstractions/common/steam-game @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include @{lib_dirs}/ r, diff --git a/apparmor.d/abstractions/common/systemd b/apparmor.d/abstractions/common/systemd index 34e9be9d7..df138bf6c 100644 --- a/apparmor.d/abstractions/common/systemd +++ b/apparmor.d/abstractions/common/systemd 
@@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + ptrace read peer=@{p_systemd}, @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r, diff --git a/apparmor.d/abstractions/dconf-write b/apparmor.d/abstractions/dconf-write index 41145e512..b83a585e2 100644 --- a/apparmor.d/abstractions/dconf-write +++ b/apparmor.d/abstractions/dconf-write @@ -5,6 +5,8 @@ # Permissions for querying dconf settings with write access; use the dconf # abstraction first, and dconf-write only for specific application's profile. + abi , + dbus send bus=session path=/ca/desrt/dconf/Writer/user interface=ca.desrt.dconf.Writer member=Change diff --git a/apparmor.d/abstractions/deny-sensitive-home b/apparmor.d/abstractions/deny-sensitive-home index 1f1047cec..4291762a4 100644 --- a/apparmor.d/abstractions/deny-sensitive-home +++ b/apparmor.d/abstractions/deny-sensitive-home @@ -11,6 +11,8 @@ # The only legitimate use in this project is for file browser and search engine. + abi , + # User defined private directories deny @{HOMEDIRS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, deny @{MOUNTS}/**/@{XDG_PRIVATE_DIR}/{,**} mrxwlk, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index ae585999b..a9a3665d2 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -7,6 +7,8 @@ # When supported in apparmor, condition will be used in this abstraction to filter # resources specific for supported DE. + abi , + include include include diff --git a/apparmor.d/abstractions/devices-usb b/apparmor.d/abstractions/devices-usb index 5a2a8b742..1a85a0100 100644 --- a/apparmor.d/abstractions/devices-usb +++ b/apparmor.d/abstractions/devices-usb @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /dev/ r, /dev/bus/usb/ r, /dev/bus/usb/@{int}/ r, 
diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 10beb258d..10cf0c90b 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -5,6 +5,8 @@ # The /sys/ entries probably should be tightened + abi , + /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index 361b60d82..bd34a6f42 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -5,6 +5,8 @@ # The /sys/ entries probably should be tightened + abi , + /dev/ r, /dev/block/ r, /dev/disk/{,*/} r, diff --git a/apparmor.d/abstractions/dri b/apparmor.d/abstractions/dri index a1eb1cd41..af634ff91 100644 --- a/apparmor.d/abstractions/dri +++ b/apparmor.d/abstractions/dri @@ -6,6 +6,8 @@ # Linux graphics stack which allows unprivileged user-space programs to issue # commands to graphics hardware without conflicting with other programs. + abi , + @{lib}/dri/** mr, @{lib}/@{multiarch}/dri/** mr, @{lib}/fglrx/dri/** mr, diff --git a/apparmor.d/abstractions/fish b/apparmor.d/abstractions/fish index fe3cab891..2ae6ab93d 100644 --- a/apparmor.d/abstractions/fish +++ b/apparmor.d/abstractions/fish @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + /usr/share/fish/{,**} r, /etc/fish/{,**} r, diff --git a/apparmor.d/abstractions/fontconfig-cache-read b/apparmor.d/abstractions/fontconfig-cache-read index 216075648..306787378 100644 --- a/apparmor.d/abstractions/fontconfig-cache-read +++ b/apparmor.d/abstractions/fontconfig-cache-read @@ -9,6 +9,8 @@ # fontconfig cache if some cache files are missing, so if this behavior is desirable, you can use # the "fontconfig-cache-write" abstraction. + abi , + owner @{user_cache_dirs}/fontconfig/ r, deny @{user_cache_dirs}/fontconfig/ w, deny @{user_cache_dirs}/fontconfig/** w, 
diff --git a/apparmor.d/abstractions/fontconfig-cache-write b/apparmor.d/abstractions/fontconfig-cache-write index 19fa7c53a..922a15a6a 100644 --- a/apparmor.d/abstractions/fontconfig-cache-write +++ b/apparmor.d/abstractions/fontconfig-cache-write @@ -3,6 +3,8 @@ # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/fontconfig/ rw, owner @{user_cache_dirs}/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw, owner @{user_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk, diff --git a/apparmor.d/abstractions/glfw b/apparmor.d/abstractions/glfw index f52fb926d..5dbda197d 100644 --- a/apparmor.d/abstractions/glfw +++ b/apparmor.d/abstractions/glfw @@ -2,6 +2,8 @@ # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{run}/user/@{uid}/glfw-shared-@{rand6} rw, include if exists diff --git a/apparmor.d/abstractions/gnome-strict b/apparmor.d/abstractions/gnome-strict index ed3f2f4c0..27d648247 100644 --- a/apparmor.d/abstractions/gnome-strict +++ b/apparmor.d/abstractions/gnome-strict @@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 9b7954f0d..101fe1b45 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/graphics-full b/apparmor.d/abstractions/graphics-full index fe2d2001c..1f2b0ffd2 100644 --- a/apparmor.d/abstractions/graphics-full +++ b/apparmor.d/abstractions/graphics-full @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include /dev/char/@{dynamic}:@{int} w, # For dynamic assignment range 234 to 254, 384 to 511 
diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index 4a5deb7c4..b9f1cbadd 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{lib}/@{multiarch}/libproxy/*/modules/*.so mr, @{lib}/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so mr, @{lib}/frei0r-@{int}/*.so mr, diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 11e897aba..490cf48a1 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/nameservice-strict b/apparmor.d/abstractions/nameservice-strict index 0cac5a1a2..5f49a63d9 100644 --- a/apparmor.d/abstractions/nameservice-strict +++ b/apparmor.d/abstractions/nameservice-strict @@ -6,6 +6,8 @@ # Many programs wish to perform nameservice-like operations, such as looking up # users by name or id, groups by name or id, hosts by name or IP, etc. + abi , + include @{etc_ro}/default/nss r, @@ -33,6 +35,6 @@ @{run}/systemd/resolve/resolv.conf r, @{run}/systemd/resolve/stub-resolv.conf r, - include if exists + include if exists # vim:syntax=apparmor diff --git a/apparmor.d/abstractions/nvidia-strict b/apparmor.d/abstractions/nvidia-strict index 6521c9840..6069ddd9a 100644 --- a/apparmor.d/abstractions/nvidia-strict +++ b/apparmor.d/abstractions/nvidia-strict @@ -2,6 +2,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia, /usr/share/nvidia/nvidia-application-profiles-* r, diff --git a/apparmor.d/abstractions/qt5-shader-cache b/apparmor.d/abstractions/qt5-shader-cache index e43ca64e1..d40aa3766 100644 --- a/apparmor.d/abstractions/qt5-shader-cache 
+++ b/apparmor.d/abstractions/qt5-shader-cache @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/ w, owner @{user_cache_dirs}/qtshadercache/ rw, owner @{user_cache_dirs}/qtshadercache/#@{int} rw, diff --git a/apparmor.d/abstractions/shells b/apparmor.d/abstractions/shells index b269f2335..35d3a580a 100644 --- a/apparmor.d/abstractions/shells +++ b/apparmor.d/abstractions/shells @@ -5,6 +5,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + include include include diff --git a/apparmor.d/abstractions/thumbnails-cache-read b/apparmor.d/abstractions/thumbnails-cache-read index dc164c6ba..adb80dd4d 100644 --- a/apparmor.d/abstractions/thumbnails-cache-read +++ b/apparmor.d/abstractions/thumbnails-cache-read @@ -3,6 +3,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/thumbnails/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ r, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ r, diff --git a/apparmor.d/abstractions/thumbnails-cache-write b/apparmor.d/abstractions/thumbnails-cache-write index 01de0407e..5a31de221 100644 --- a/apparmor.d/abstractions/thumbnails-cache-write +++ b/apparmor.d/abstractions/thumbnails-cache-write @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{user_cache_dirs}/thumbnails/ rw, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/ rw, owner @{user_cache_dirs}/thumbnails/{fail,*large,normal}/gnome-thumbnail-factory/ rw, diff --git a/apparmor.d/abstractions/trash-strict b/apparmor.d/abstractions/trash-strict index 1f4202818..a2b024d3e 100644 --- a/apparmor.d/abstractions/trash-strict +++ b/apparmor.d/abstractions/trash-strict 
@@ -9,6 +9,8 @@ # There is no 'owner' rule on expunged folders because some internally sandboxed # app (using bwrap) run on a different private user. + abi , + owner @{user_config_dirs}/#@{int} rwk, owner @{user_config_dirs}/trashrc rw, owner @{user_config_dirs}/trashrc.* rwl, diff --git a/apparmor.d/abstractions/uim b/apparmor.d/abstractions/uim index 03ae9e3e8..88d75ec15 100644 --- a/apparmor.d/abstractions/uim +++ b/apparmor.d/abstractions/uim @@ -3,6 +3,8 @@ # Copyright (C) 2024 Jeroen Rijken # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/uim/* r, /var/lib/uim/* r, diff --git a/apparmor.d/abstractions/user-download-strict b/apparmor.d/abstractions/user-download-strict index 3feed5cd8..ab0e05f0a 100644 --- a/apparmor.d/abstractions/user-download-strict +++ b/apparmor.d/abstractions/user-download-strict @@ -3,6 +3,8 @@ # Copyright (C) 2021-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + owner @{HOME}/@{XDG_DESKTOP_DIR}/ w, owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ w, diff --git a/apparmor.d/abstractions/user-read b/apparmor.d/abstractions/user-read index 4187ab9e2..bd350186b 100644 --- a/apparmor.d/abstractions/user-read +++ b/apparmor.d/abstractions/user-read @@ -4,6 +4,8 @@ # Warning: This abstraction gives unrestricted read access on all non hidden user directories. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-read-strict b/apparmor.d/abstractions/user-read-strict index 5211b0345..f7eb186b5 100644 --- a/apparmor.d/abstractions/user-read-strict +++ b/apparmor.d/abstractions/user-read-strict @@ -5,6 +5,8 @@ # This abstraction gives read access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/user-write-strict b/apparmor.d/abstractions/user-write-strict index 223fc660a..026825b27 100644 --- a/apparmor.d/abstractions/user-write-strict 
+++ b/apparmor.d/abstractions/user-write-strict @@ -5,6 +5,8 @@ # This abstraction gives write only access on all defined user directories. It should # only be used if access to **ALL** folders is required. + abi , + owner @{HOME}/ r, owner @{MOUNTS}/ r, diff --git a/apparmor.d/abstractions/vulkan-strict b/apparmor.d/abstractions/vulkan-strict index 7dbb8f424..edb258288 100644 --- a/apparmor.d/abstractions/vulkan-strict +++ b/apparmor.d/abstractions/vulkan-strict @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + /usr/share/egl/egl_external_platform.d/{,*.json} r, /usr/share/glvnd/egl_vendor.d/{,*.json} r, /usr/share/libdrm/*.ids r, diff --git a/apparmor.d/abstractions/xfce b/apparmor.d/abstractions/xfce index 067de9148..0d510a3fe 100644 --- a/apparmor.d/abstractions/xfce +++ b/apparmor.d/abstractions/xfce @@ -2,6 +2,8 @@ # Copyright (C) 2023-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only + abi , + include include include diff --git a/apparmor.d/abstractions/zsh b/apparmor.d/abstractions/zsh index 15711713c..a22895c91 100644 --- a/apparmor.d/abstractions/zsh +++ b/apparmor.d/abstractions/zsh @@ -6,6 +6,8 @@ # This abstraction is only required when an interactive shell is started. # Classic shell scripts do not need it. + abi , + @{lib}/@{multiarch}/zsh/@{int}/zsh/*.so mr, /usr/share/zsh/{,**} r, From 55857738025124039b5b60de3082a7b443244351 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 9 Oct 2024 22:21:52 +0100 Subject: [PATCH 269/315] chore(profile): add missing vim:syntax=apparmor in some profiles. --- apparmor.d/profiles-a-f/cmus | 2 ++ apparmor.d/profiles-g-l/linuxqq | 1 + apparmor.d/profiles-m-r/ouch | 2 ++ apparmor.d/profiles-m-r/protonmail | 2 ++ apparmor.d/profiles-s-z/wechat-universal | 2 ++ 5 files changed, 9 insertions(+) diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus index 1cff2fb63..a7cd77658 100644 --- a/apparmor.d/profiles-a-f/cmus 
+++ b/apparmor.d/profiles-a-f/cmus @@ -29,3 +29,5 @@ profile cmus @{exec_path} { include if exists } + +# vim:syntax=apparmor \ No newline at end of file diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 9efceaa7a..497595e39 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -47,3 +47,4 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { include if exists } +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index fb71c8ece..6e8596dd2 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -24,3 +24,5 @@ profile ouch @{exec_path} { include if exists } + +# vim:syntax=apparmor \ No newline at end of file diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index b4d806a9f..de7a2158a 100644 --- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -40,3 +40,5 @@ profile protonmail @{exec_path} flags=(complain) { include if exists } + +# vim:syntax=apparmor \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 493a940af..1b2fe62db 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -56,3 +56,5 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { include if exists } + +# vim:syntax=apparmor \ No newline at end of file From 75f2c0c7b80f9b12314ce9b7cdc4efea4be59c05 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 9 Oct 2024 22:26:11 +0100 Subject: [PATCH 270/315] tests: ensure vim syntax and abi are set on all profile/abs. --- tests/check.sh | 51 +++++++++++++++++++++++++++++++++----------------- 1 file changed, 34 insertions(+), 17 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index 5704ebfba..a46d38e30 100644 --- a/tests/check.sh +++ b/tests/check.sh 
@@ -10,12 +10,38 @@ set -eu -o pipefail readonly APPARMORD="apparmor.d" +_ensure_include() { + local file="$1" + local include="$2" + if ! grep -q "^ *${include}$" "$file"; then + echo "$file does not contain '$include'" + exit 1 + fi +} + +_ensure_abi() { + local file="$1" + if ! grep -q "^ *abi ," "$file"; then + echo "$file does not contain 'abi ,'" + exit 1 + fi +} + +_ensure_vim() { + local file="$1" + if ! grep -q "^# vim:syntax=apparmor" "$file"; then + echo "$file does not contain '# vim:syntax=apparmor'" + exit 1 + fi +} + check_profiles() { echo "⋅ Checking if all profiles contain:" echo " - 'abi ,'" - echo " - 'profile *profile_name* {'" + echo " - 'profile '" echo " - 'include if exists '" echo " - include if exists local for subprofiles" + echo " - vim:syntax=apparmor" directories=("$APPARMORD/groups/*" "$APPARMORD/profiles-*-*") # shellcheck disable=SC2068 for dir in ${directories[@]}; do @@ -24,14 +50,9 @@ check_profiles() { name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " - if ! grep -q "^ *${include}$" "$file"; then - echo "$name does not contain '$include'" - exit 1 - fi - if ! grep -q "^ *abi ," "$file"; then - echo "$name does not contain 'abi ,'" - exit 1 - fi + _ensure_include "$file" "$include" + _ensure_abi "$file" + _ensure_vim "$file" if ! grep -q "^profile $name" "$file"; then echo "$name does not contain 'profile $name'" exit 1 @@ -52,6 +73,7 @@ check_abstractions() { echo "⋅ Checking if all abstractions contain:" echo " - 'abi ,'" echo " - 'include if exists '" + echo " - vim:syntax=apparmor" directories=( "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" 
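Review bot: `_ensure_include` interpolates `$include` into a basic regular expression unescaped (`grep -q "^ *${include}$"`), so any `.` in a profile name matches an arbitrary character and a file whose include line differs by one such character still passes; since `$include` is a literal, match it as a fixed string after trimming the indent, e.g. `grep -qxF -- "$include" <(sed 's/^ *//' "$file")`, or escape the metacharacters before interpolating. The `check_abstractions` hunk that follows (`@@ -61,14 +83,9 @@`) calls the same helper, so one fix covers both. The helpers also `exit 1` on the first missing marker, so a run reports only one failure; returning non-zero and letting the callers collect failures would surface all of them in one pass, though the inline checks they replace behaved the same way. `check_profiles` continues past the end of this hunk.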
@@ -61,14 +83,9 @@ check_abstractions() { name="$(basename "$file")" root="${dir/${APPARMORD}\/abstractions\//}" include="include if exists " - if ! grep -q "^ *${include}$" "$file"; then - echo "$file does not contain '$include'" - exit 1 - fi - # if ! grep -q "^ *abi ," "$file"; then - # echo "$file does not contain 'abi ,'" - # exit 1 - # fi + _ensure_include "$file" "$include" + _ensure_abi "$file" + _ensure_vim "$file" done done From 5bf8c6ef0fca9a58a830b9c574ad5d602e3cbc11 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 9 Oct 2024 22:38:22 +0100 Subject: [PATCH 271/315] fix: add vim syntaxt some profiles. --- apparmor.d/profiles-a-f/baobab | 4 +++- apparmor.d/profiles-a-f/cmus | 2 +- apparmor.d/profiles-m-r/ouch | 2 +- apparmor.d/profiles-m-r/protonmail | 2 +- apparmor.d/profiles-s-z/wechat-universal | 2 +- 5 files changed, 7 insertions(+), 5 deletions(-) diff --git a/apparmor.d/profiles-a-f/baobab b/apparmor.d/profiles-a-f/baobab index e66d8d66a..1f9f14dc1 100644 --- a/apparmor.d/profiles-a-f/baobab +++ b/apparmor.d/profiles-a-f/baobab @@ -26,4 +26,6 @@ profile baobab @{exec_path} { deny /boot/{,**} r, include if exists -} \ No newline at end of file +} + +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-a-f/cmus b/apparmor.d/profiles-a-f/cmus index a7cd77658..c3916890f 100644 --- a/apparmor.d/profiles-a-f/cmus +++ b/apparmor.d/profiles-a-f/cmus @@ -30,4 +30,4 @@ profile cmus @{exec_path} { include if exists } -# vim:syntax=apparmor \ No newline at end of file +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/ouch b/apparmor.d/profiles-m-r/ouch index 6e8596dd2..d0b75aae7 100644 --- a/apparmor.d/profiles-m-r/ouch +++ b/apparmor.d/profiles-m-r/ouch @@ -25,4 +25,4 @@ profile ouch @{exec_path} { include if exists } -# vim:syntax=apparmor \ No newline at end of file +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/protonmail b/apparmor.d/profiles-m-r/protonmail index de7a2158a..c6d309a94 100644 
--- a/apparmor.d/profiles-m-r/protonmail +++ b/apparmor.d/profiles-m-r/protonmail @@ -41,4 +41,4 @@ profile protonmail @{exec_path} flags=(complain) { } -# vim:syntax=apparmor \ No newline at end of file +# vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 1b2fe62db..55d4a555d 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -57,4 +57,4 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { include if exists } -# vim:syntax=apparmor \ No newline at end of file +# vim:syntax=apparmor From 61a27bc336c79ad171da6a5dc6b0414a326e6fe6 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Fri, 11 Oct 2024 14:13:17 +0100 Subject: [PATCH 272/315] feat(profile): initial integration with attached path. The feature is not yet enabled. See https://apparmor.pujol.io/development/internal/#re-attached-path --- apparmor.d/abstractions/attached/base | 14 ++++++++++++++ apparmor.d/abstractions/attached/consoles | 13 +++++++++++++ apparmor.d/abstractions/common/app | 3 ++- apparmor.d/abstractions/common/bwrap | 13 +++++++------ apparmor.d/groups/apt/apt | 4 ++-- apparmor.d/groups/apt/unattended-upgrade | 2 +- .../groups/apt/unattended-upgrade-shutdown | 2 +- apparmor.d/groups/browsers/epiphany | 2 +- apparmor.d/groups/bus/at-spi2-registryd | 3 +-- apparmor.d/groups/bus/dbus-accessibility | 3 +-- apparmor.d/groups/bus/dbus-system | 16 ++++++++-------- apparmor.d/groups/children/child-modprobe-nvidia | 2 -- apparmor.d/groups/freedesktop/colord | 4 ++-- apparmor.d/groups/freedesktop/pipewire | 5 +++-- apparmor.d/groups/freedesktop/pipewire-pulse | 4 ++-- apparmor.d/groups/freedesktop/upowerd | 2 +- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 4 ++-- apparmor.d/groups/freedesktop/xdg-desktop-portal | 5 +++-- .../groups/freedesktop/xdg-desktop-portal-gnome | 3 +-- .../groups/freedesktop/xdg-document-portal | 8 ++++---- .../groups/freedesktop/xdg-permission-store | 3 +-- apparmor.d/groups/freedesktop/xkbcomp | 2 +- apparmor.d/groups/freedesktop/xwayland | 2 +- apparmor.d/groups/gnome/gdm-session-worker | 2 +- apparmor.d/groups/gnome/gjs-console | 2 +- apparmor.d/groups/gnome/gnome-keyring-daemon | 1 + apparmor.d/groups/gnome/gnome-music | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 7 ++++--- apparmor.d/groups/gnome/gnome-shell | 15 +++++++++------ apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/gnome/gsd-a11y-settings | 3 +-- apparmor.d/groups/gnome/gsd-color | 3 +-- apparmor.d/groups/gnome/gsd-datetime | 3 +-- apparmor.d/groups/gnome/gsd-housekeeping | 3 +-- apparmor.d/groups/gnome/gsd-keyboard | 3 +-- 
apparmor.d/groups/gnome/gsd-media-keys | 5 ++--- apparmor.d/groups/gnome/gsd-power | 5 ++--- apparmor.d/groups/gnome/gsd-print-notifications | 3 +-- apparmor.d/groups/gnome/gsd-printer | 3 +-- apparmor.d/groups/gnome/gsd-rfkill | 3 +-- apparmor.d/groups/gnome/gsd-screensaver-proxy | 3 +-- apparmor.d/groups/gnome/gsd-sharing | 3 +-- apparmor.d/groups/gnome/gsd-smartcard | 3 +-- apparmor.d/groups/gnome/gsd-sound | 3 +-- apparmor.d/groups/gnome/gsd-wacom | 3 +-- apparmor.d/groups/gnome/mutter-x11-frames | 3 +-- apparmor.d/groups/kde/kde-powerdevil | 2 +- apparmor.d/groups/kde/ksmserver | 2 +- apparmor.d/groups/kde/kwin_wayland | 2 +- apparmor.d/groups/network/ModemManager | 2 +- apparmor.d/groups/network/NetworkManager | 6 ++++-- apparmor.d/groups/network/mullvad-gui | 2 +- apparmor.d/groups/ssh/sshd | 3 ++- apparmor.d/groups/systemd/systemd-inhibit | 2 +- apparmor.d/groups/systemd/systemd-networkd | 4 ++-- apparmor.d/groups/ubuntu/update-manager | 2 +- apparmor.d/groups/virt/dockerd | 4 ++-- apparmor.d/groups/virt/libvirtd | 3 ++- apparmor.d/groups/virt/virtinterfaced | 2 +- apparmor.d/groups/virt/virtlogd | 3 ++- apparmor.d/groups/virt/virtnetworkd | 3 ++- apparmor.d/groups/virt/virtnodedevd | 3 ++- apparmor.d/groups/virt/virtsecretd | 3 ++- apparmor.d/groups/virt/virtstoraged | 3 ++- apparmor.d/groups/xfce/xfce-power-manager | 2 +- apparmor.d/groups/xfce/xfce-screensaver | 2 +- apparmor.d/profiles-a-f/flatpak-portal | 4 ++-- apparmor.d/profiles-a-f/foliate | 2 +- apparmor.d/profiles-a-f/fprintd | 3 ++- apparmor.d/profiles-a-f/fwupd | 3 ++- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-m-r/mission-control | 2 +- apparmor.d/profiles-m-r/nvtop | 3 ++- apparmor.d/profiles-m-r/packagekitd | 3 ++- apparmor.d/profiles-m-r/psi | 2 +- apparmor.d/profiles-m-r/psi-plus | 2 +- apparmor.d/profiles-s-z/signal-desktop | 2 +- apparmor.d/profiles-s-z/spice-vdagent | 3 +-- apparmor.d/profiles-s-z/steam | 2 +- apparmor.d/profiles-s-z/superproductivity | 2 +- 
apparmor.d/profiles-s-z/udisksd | 3 ++- apparmor.d/profiles-s-z/uname | 2 +- apparmor.d/profiles-s-z/wechat-universal | 2 +- apparmor.d/profiles-s-z/xbrlapi | 3 +-- apparmor.d/tunables/multiarch.d/system | 1 - 85 files changed, 164 insertions(+), 139 deletions(-) create mode 100644 apparmor.d/abstractions/attached/base create mode 100644 apparmor.d/abstractions/attached/consoles diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base new file mode 100644 index 000000000..65c163317 --- /dev/null +++ b/apparmor.d/abstractions/attached/base @@ -0,0 +1,14 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + # Do not use it manually, it is automatically included in profiles when it is required. + + abi , + + @{att}/apparmor/.null rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles new file mode 100644 index 000000000..6959bc407 --- /dev/null +++ b/apparmor.d/abstractions/attached/consoles @@ -0,0 +1,13 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no + + abi , + + owner @{att}/dev/pts/@{int} rw, + owner @{att}/dev/tty@{int} rw, + + include if exists + +# vim:syntax=apparmor diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app index 392ea2c5f..4cb47c9d2 100644 --- a/apparmor.d/abstractions/common/app +++ b/apparmor.d/abstractions/common/app 
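Review bot: the new `abstractions/attached/consoles` carries no comment saying what it covers or when a profile should include it, while its sibling `attached/base` added in the same patch does. A one-line header after the SPDX tag would do, e.g. `# Console and pty device access through the attached path prefix; replaces per-profile owner /dev/tty@{int} rules.`, since that is how the rest of this patch uses it. Note that the abstraction grants `owner @{att}/dev/pts/@{int} rw,` in addition to the tty rule, which the profiles switching to it did not previously have, so the header should state that deliberately.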
@@ -67,10 +67,11 @@ owner @{tmp}/** rmwk, owner /dev/shm/** rwlk -> /dev/shm/**, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket. @{run}/host/{,**} r, @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket. - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp rk, @{run}/udev/data/c13:@{int} r, # for /dev/input/* diff --git a/apparmor.d/abstractions/common/bwrap b/apparmor.d/abstractions/common/bwrap index 7f337aff3..3a2b0c591 100644 --- a/apparmor.d/abstractions/common/bwrap +++ b/apparmor.d/abstractions/common/bwrap @@ -44,15 +44,16 @@ owner /tmp/newroot/ w, owner /tmp/oldroot/ w, + @{att}/@{PROC}/sys/user/max_user_namespaces rw, + owner @{att}/@{PROC}/@{pid}/cgroup r, + owner @{att}/@{PROC}/@{pid}/gid_map rw, + owner @{att}/@{PROC}/@{pid}/mountinfo r, + owner @{att}/@{PROC}/@{pid}/setgroups rw, + owner @{att}/@{PROC}/@{pid}/uid_map rw, + @{PROC}/sys/kernel/overflowgid r, @{PROC}/sys/kernel/overflowuid r, - @{PROC}/sys/user/max_user_namespaces rw, - owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner @{PROC}/@{pid}/gid_map rw, - owner @{PROC}/@{pid}/mountinfo r, - owner @{PROC}/@{pid}/setgroups rw, - owner @{PROC}/@{pid}/uid_map rw, include if exists diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt index 5b362f123..19f187cc3 100644 --- a/apparmor.d/groups/apt/apt +++ b/apparmor.d/groups/apt/apt @@ -141,6 +141,8 @@ profile apt @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt.conf.* rw, owner @{tmp}/apt.data.* rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{PROC}/@{pids}/cmdline r, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, @@ -148,8 +150,6 @@ profile apt @{exec_path} flags=(attach_disconnected) { /dev/ptmx rw, - @{run}/systemd/inhibit/@{int}.ref rw, - profile editor flags=(complain) { include include diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade index c528fb984..e4f6b61ea 100644 
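Review bot: the context line directly below the inserted `@{att}/@{run}/systemd/inhibit/@{int}.ref rw,` reads `@{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.`; the path looks like a typo of `avahi-daemon`, so the rule as written never matches the socket its comment describes and that access stays denied unless another rule grants it. It is not introduced by this commit, but since the hunk already touches this block it is the right moment to correct it to `@{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.`. The abstraction body continues outside the hunk.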
--- a/apparmor.d/groups/apt/unattended-upgrade +++ b/apparmor.d/groups/apt/unattended-upgrade @@ -100,7 +100,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) { /var/log/apt/{term,history}.log w, /var/log/apt/eipp.log.xz w, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, owner @{run}/unattended-upgrades.pid rw, owner @{run}/unattended-upgrades.progress rw, diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown index 673775006..cd35bb5ae 100644 --- a/apparmor.d/groups/apt/unattended-upgrade-shutdown +++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown @@ -24,8 +24,8 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) { owner /var/log/unattended-upgrades/*.log* rw, + owner @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/unattended-upgrades.lock rwk, - owner @{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index a64850f1a..dd01a36a8 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -39,7 +39,7 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, owner /bindfile@{rand6} rw, - owner /.flatpak-info r, + owner @{att}/.flatpak-info r, owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, diff --git a/apparmor.d/groups/bus/at-spi2-registryd b/apparmor.d/groups/bus/at-spi2-registryd index 6c4bf4c69..8ead7a4e0 100644 --- a/apparmor.d/groups/bus/at-spi2-registryd +++ b/apparmor.d/groups/bus/at-spi2-registryd @@ -10,6 +10,7 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi2-registryd profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { include + include include include include 
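Review bot: replacing `owner /dev/tty@{int} rw,` (removed in the next hunk of this file) with an include of what is presumably `abstractions/attached/consoles` widens at-spi2-registryd: the new abstraction added earlier in this patch also grants `owner @{att}/dev/pts/@{int} rw,`, which this profile did not have before. If the pty access is intended, a one-line comment at the include saying so would help; otherwise a single `owner @{att}/dev/tty@{int} rw,` rule preserves the previous scope. The same substitution is made in dbus-accessibility, xdg-desktop-portal-gnome, xdg-document-portal, xdg-permission-store, xkbcomp, gjs-console and the `open` subprofile of gnome-session-binary; for xdg-permission-store and xkbcomp, whose old rule lacked `owner`, the change is at the same time narrower on tty. The profile body continues outside the hunk.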
@@ -27,8 +28,6 @@ profile at-spi2-registryd @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index 054af7202..1a4b83e2e 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -72,8 +73,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/bus/dbus-system b/apparmor.d/groups/bus/dbus-system index ed2f931cd..3b8a1e143 100644 --- a/apparmor.d/groups/bus/dbus-system +++ b/apparmor.d/groups/bus/dbus-system @@ -49,17 +49,17 @@ profile dbus-system flags=(attach_disconnected) { /etc/machine-id r, /var/lib/dbus/machine-id r, - @{desktop_share_dirs}/icc/ r, - @{desktop_share_dirs}/icc/edid-@{hex32}.icc r, - @{user_share_dirs}/icc/ r, - @{user_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{desktop_share_dirs}/icc/ r, + @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r, + @{att}/@{user_share_dirs}/icc/ r, + @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r, # Dbus can receive any user files @{HOME}/** r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/systemd/notify w, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{int} r, @{sys}/kernel/security/apparmor/.access rw, 
@@ -77,8 +77,8 @@ profile dbus-system flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/oom_score_adj rw, - /dev/dri/card@{int} rw, - /dev/input/event@{int} rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, include if exists } diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index b3b0db7ff..15b9c2d9d 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia +++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -53,8 +53,6 @@ profile child-modprobe-nvidia flags=(attach_disconnected) { owner /dev/nvidia-caps/ w, owner /dev/nvidia-caps/nvidia-cap@{int} w, - /dev/tty@{int} rw, - deny @{HOME}/.steam/** r, profile kmod { diff --git a/apparmor.d/groups/freedesktop/colord b/apparmor.d/groups/freedesktop/colord index f3ab4fedb..ffdfe08a0 100644 --- a/apparmor.d/groups/freedesktop/colord +++ b/apparmor.d/groups/freedesktop/colord @@ -49,8 +49,8 @@ profile colord @{exec_path} flags=(attach_disconnected) { owner /var/lib/snmp/mibs/{iana,ietf}/ r, owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r, - @{desktop_share_dirs}/icc/edid-*.icc r, - @{user_share_dirs}/icc/edid-*.icc r, + @{att}/@{desktop_share_dirs}/icc/edid-*.icc r, + @{att}/@{user_share_dirs}/icc/edid-*.icc r, @{run}/systemd/sessions/* r, diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index cf98a133e..f6f4c12aa 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -44,8 +44,9 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { /etc/pipewire/{,**} r, - / r, - /.flatpak-info r, + / r, + @{att}/ r, + owner @{att}/.flatpak-info r, owner @{user_config_dirs}/pipewire/{,**} r, diff --git a/apparmor.d/groups/freedesktop/pipewire-pulse b/apparmor.d/groups/freedesktop/pipewire-pulse index b5644440f..530fa97db 100644 --- a/apparmor.d/groups/freedesktop/pipewire-pulse 
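Review bot: the root-directory rule is handled differently from one profile to the next in this patch: pipewire keeps `/ r,` and adds `@{att}/ r,` beside it, pipewire-pulse (next hunk) replaces `/ r,` with `@{att}/ r,`, xdg-desktop-portal keeps `/ r,` and converts only `.flatpak-info`, while xdg-document-portal and gnome-shell switch to `owner @{att}/ r,`. Unless each variant is deliberate, one form should be chosen, and where the plain root read is kept a short comment such as `/ r,  # real root, not the attached one` would tell the next reader why both are present. pipewire's profile body continues outside the hunk.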
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse @@ -28,8 +28,8 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) { /var/lib/dbus/machine-id r, /etc/machine-id r, - / r, - /.flatpak-info r, + @{att}/ r, + owner @{att}/.flatpak-info r, owner @{run}/user/@{uid}/pulse/pid w, owner @{tmp}/librnnoise-@{int}.so rm, diff --git a/apparmor.d/groups/freedesktop/upowerd b/apparmor.d/groups/freedesktop/upowerd index e9b6f5c05..f832d285e 100644 --- a/apparmor.d/groups/freedesktop/upowerd +++ b/apparmor.d/groups/freedesktop/upowerd @@ -41,7 +41,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c13:@{int} r, # for /dev/input/* @{run}/udev/data/c116:@{int} r, # for ALSA - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/hid/devices/ r, @{sys}/class/input/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 6ebc28929..e51f21e1e 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -16,7 +17,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include include include - include include network unix stream, @@ -31,7 +31,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.var/app/*/.local/share/*/logs/* rw, owner @{HOME}/.var/app/*/.local/share/*/**/usr/.ref rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/firejail/dbus/@{int}/@{int}-{system,user} rw, owner @{run}/flatpak/doc/** r, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-@{rand6} rw, 
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index 00cb35b62..eb450ee4e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -10,6 +10,7 @@ include profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -61,8 +62,8 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { @{lib}/xdg-desktop-portal-validate-icon rPx, @{open_path} rPx -> child-open, - / r, - /.flatpak-info r, + / r, + @{att}/.flatpak-info r, /usr/share/dconf/profile/gdm r, /usr/share/xdg-desktop-portal/** r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 9cbf81bc6..944bbc205 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-desktop-portal-gnome profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -65,8 +66,6 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/status r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index f93a4f2b0..e9f63dc57 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-document-portal profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -39,8 +40,8 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{bin}/flatpak rPUx, @{bin}/fusermount{,3} rCx -> fusermount, - / r, - owner /.flatpak-info r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, owner @{HOME}/ r, owner @{HOME}/*/{,**} rw, @@ -57,7 +58,6 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fd/ r, /dev/fuse rw, - owner /dev/tty@{int} rw, profile fusermount flags=(attach_disconnected) { include @@ -83,7 +83,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/mounts r, /dev/fuse rw, - owner /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-permission-store b/apparmor.d/groups/freedesktop/xdg-permission-store index 057c64208..298bc059d 100644 --- a/apparmor.d/groups/freedesktop/xdg-permission-store +++ b/apparmor.d/groups/freedesktop/xdg-permission-store @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/xdg-permission-store profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { include + include include include @@ -45,8 +46,6 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/flatpak/db/documents rw, owner @{user_share_dirs}/flatpak/db/notifications rw, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 941cc8f92..9ebecf6f7 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xkbcomp profile xkbcomp @{exec_path} flags=(attach_disconnected) { include + include include include @@ -37,7 +38,6 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/fb@{int} rw, /dev/tty rw, - /dev/tty@{int} rw, deny /dev/input/event@{int} rw, deny /var/log/Xorg.@{int}.log w, 
diff --git a/apparmor.d/groups/freedesktop/xwayland b/apparmor.d/groups/freedesktop/xwayland index c2710eb83..05fb5a6fa 100644 --- a/apparmor.d/groups/freedesktop/xwayland +++ b/apparmor.d/groups/freedesktop/xwayland @@ -36,7 +36,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/cmdline r, - /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, /dev/tty rw, include if exists diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 8f6770ec1..731d15768 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -114,13 +114,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{run}/gdm{3,}/dbus/ w, owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, @{run}/cockpit/active.motd r, @{run}/faillock/@{user} rwk, @{run}/fscrypt/ rw, @{run}/fscrypt/@{uid}.count rwk, @{run}/motd.d/{,*} r, @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, @{run}/utmp rwk, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index 613be32d3..20d5e48d5 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -14,6 +14,7 @@ include @{exec_path} = @{bin}/gjs-console profile gjs-console @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -85,7 +86,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/tty rw, - /dev/tty@{int} rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-keyring-daemon b/apparmor.d/groups/gnome/gnome-keyring-daemon index 905c16b89..d0b84c1be 100644 --- a/apparmor.d/groups/gnome/gnome-keyring-daemon +++ b/apparmor.d/groups/gnome/gnome-keyring-daemon 
@@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/gnome-keyring-daemon profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) { include + include include include include diff --git a/apparmor.d/groups/gnome/gnome-music b/apparmor.d/groups/gnome/gnome-music index 834e67037..82be211fc 100644 --- a/apparmor.d/groups/gnome/gnome-music +++ b/apparmor.d/groups/gnome/gnome-music @@ -48,7 +48,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/grilo-plugins/ rwk, owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{tmp}/grilo-plugin-cache-[0-9A-Z]*/ rw, owner /var/tmp/etilqs_@{hex15} rw, diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 0825d418f..995dbab6a 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -79,9 +79,10 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/gnome-session/ rw, owner @{user_config_dirs}/gnome-session/saved-session/ rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw, + @{run}/systemd/sessions/* r, - @{run}/systemd/sessions/*.ref rw, @{run}/systemd/users/@{uid} r, owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority rw, @@ -104,6 +105,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { profile open flags=(attach_disconnected) { include + include include @{bin}/env rix, @@ -119,7 +121,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { /usr/games/** PUx, /dev/tty rw, - /dev/tty@{int} rw, include if exists include if exists 
diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index b83de9bf4..227edc404 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -207,8 +207,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /usr/share/xml/iso-codes/{,**} r, @{system_share_dirs}/gnome-shell/{,**} r, - / r, - /.flatpak-info r, /etc/fstab r, /etc/timezone r, /etc/tpm2-tss/*.json r, @@ -220,6 +218,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { /var/lib/flatpak/app/**/gnome-shell/{,**} r, /var/lib/flatpak/appstream/**/icons/** r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, + owner @{GDM_HOME}/greeter-dconf-defaults r, owner @{gdm_cache_dirs}/ w, owner @{gdm_cache_dirs}/event-sound-cache.tdb.@{hex32}.@{multiarch} rwk, @@ -293,11 +294,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/@{rand6}.shell-extension.zip rw, owner @{tmp}/gdkpixbuf-xpm-tmp.@{rand6} rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/users/@{uid} r, @{run}/systemd/seats/seat@{int} r, @{run}/systemd/sessions/ r, @{run}/systemd/sessions/* r, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/tags/seat/ r, @@ -365,9 +367,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{PROC}/@{pid}/task/@{tid}/comm rw, owner @{PROC}/@{pid}/task/@{tid}/stat r, - /dev/input/event@{int} rw, - /dev/media@{int} rw, - /dev/tty@{int} rw, + /dev/media@{int} rw, + /dev/tty@{int} rw, + @{att}/dev/dri/card@{int} rw, + @{att}/dev/input/event@{int} rw, profile shell flags=(attach_disconnected,mediate_deleted) { include diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 4726881e6..cddcb730b 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
@@ -111,7 +111,7 @@ profile gnome-software @{exec_path} { owner /dev/shm/flatpak-com.*/ rw, owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/sessions/@{int} r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/gnome/gsd-a11y-settings b/apparmor.d/groups/gnome/gsd-a11y-settings index 86ca1bbf2..cfbaa6269 100644 --- a/apparmor.d/groups/gnome/gsd-a11y-settings +++ b/apparmor.d/groups/gnome/gsd-a11y-settings @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-a11y-settings profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -31,8 +32,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) { @{gdm_config_dirs}/dconf/user r, @{GDM_HOME}/greeter-dconf-defaults r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index 3f4895dbd..6ff47dcd1 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-color profile gsd-color @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -49,8 +50,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/ rw, owner @{user_share_dirs}/icc/edid-*.icc rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-datetime b/apparmor.d/groups/gnome/gsd-datetime index b7a3e4bcb..984f7c189 100644 --- a/apparmor.d/groups/gnome/gsd-datetime +++ b/apparmor.d/groups/gnome/gsd-datetime @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-datetime profile gsd-datetime @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -49,8 +50,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/stat r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-housekeeping b/apparmor.d/groups/gnome/gsd-housekeeping index f7d0f51ad..288c29af8 100644 --- a/apparmor.d/groups/gnome/gsd-housekeeping +++ b/apparmor.d/groups/gnome/gsd-housekeeping @@ -10,6 +10,7 @@ include profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { include include + include include include include @@ -46,8 +47,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/cgroup r, owner @{PROC}/@{pids}/mountinfo r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index baac36f87..87560b6f9 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-keyboard profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -39,8 +40,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw, owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 6fee16f5c..3c2ef3dac 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-media-keys profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -72,7 +73,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/recently-used.xbel{,.*} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/+sound:card@{int} r, # For sound card @{run}/udev/data/c13:@{int} r, # for /dev/input/* @@ -86,8 +87,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 452d18afd..97b31d6c5 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-power profile gsd-power @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -60,7 +61,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs @{run}/udev/data/+leds:* r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, @@ -83,8 +84,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/osrelease r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-print-notifications b/apparmor.d/groups/gnome/gsd-print-notifications index bb047e917..2c8319bd8 100644 --- a/apparmor.d/groups/gnome/gsd-print-notifications +++ b/apparmor.d/groups/gnome/gsd-print-notifications @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-print-notifications profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -38,8 +39,6 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - owner /dev/tty@{int} rw, - include if exists } 
diff --git a/apparmor.d/groups/gnome/gsd-printer b/apparmor.d/groups/gnome/gsd-printer index 4c485e172..9e67c8c72 100644 --- a/apparmor.d/groups/gnome/gsd-printer +++ b/apparmor.d/groups/gnome/gsd-printer @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-printer profile gsd-printer @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -29,8 +30,6 @@ profile gsd-printer @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-rfkill b/apparmor.d/groups/gnome/gsd-rfkill index c7eb53e60..1fd4157ec 100644 --- a/apparmor.d/groups/gnome/gsd-rfkill +++ b/apparmor.d/groups/gnome/gsd-rfkill @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-rfkill profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -33,8 +34,6 @@ profile gsd-rfkill @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c10:@{int} r, # for non-serial mice, misc features - owner /dev/tty@{int} rw, - /dev/rfkill rw, include if exists diff --git a/apparmor.d/groups/gnome/gsd-screensaver-proxy b/apparmor.d/groups/gnome/gsd-screensaver-proxy index 8115ca01b..1ac54d0fe 100644 --- a/apparmor.d/groups/gnome/gsd-screensaver-proxy +++ b/apparmor.d/groups/gnome/gsd-screensaver-proxy @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-screensaver-proxy profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { include + include include include @@ -24,8 +25,6 @@ profile gsd-screensaver-proxy @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sharing b/apparmor.d/groups/gnome/gsd-sharing index a2fdf107a..871e10abc 100644 --- a/apparmor.d/groups/gnome/gsd-sharing +++ b/apparmor.d/groups/gnome/gsd-sharing 
@@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-sharing profile gsd-sharing @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -44,8 +45,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) { @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-smartcard b/apparmor.d/groups/gnome/gsd-smartcard index 9cda7f5d3..f93f0313b 100644 --- a/apparmor.d/groups/gnome/gsd-smartcard +++ b/apparmor.d/groups/gnome/gsd-smartcard @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-smartcard profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -42,8 +43,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3{,.lock} rwk, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-sound b/apparmor.d/groups/gnome/gsd-sound index ae4844956..8c5e7891a 100644 --- a/apparmor.d/groups/gnome/gsd-sound +++ b/apparmor.d/groups/gnome/gsd-sound @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-sound profile gsd-sound @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -36,8 +37,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/sounds/ rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index ff0dc419c..f9c4ffb33 100644 --- a/apparmor.d/groups/gnome/gsd-wacom +++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include + include include include include 
@@ -32,8 +33,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { owner @{gdm_config_dirs}/dconf/user r, owner @{GDM_HOME}/greeter-dconf-defaults r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 183e6cf4a..4fe3bc066 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -9,6 +9,7 @@ include @{exec_path} = @{lib}/mutter-x11-frames profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -33,8 +34,6 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cmdline r, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 5af21ae75..d37b53ddd 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -45,7 +45,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected mediate_deleted) owner @{user_config_dirs}/powermanagementprofilesrc.lock rwk, owner @{user_config_dirs}/powermanagementprofilesrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** owner @{run}/user/@{uid}kcrash_@{int} rw, diff --git a/apparmor.d/groups/kde/ksmserver b/apparmor.d/groups/kde/ksmserver index 3f95292f6..61cd67246 100644 --- a/apparmor.d/groups/kde/ksmserver +++ b/apparmor.d/groups/kde/ksmserver @@ -66,7 +66,7 @@ profile ksmserver @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/@{rand6} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/KSMserver__[0-9] rw, /dev/tty r, 
diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 0bd53e3a6..9922eff98 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -99,7 +99,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/class/ r, diff --git a/apparmor.d/groups/network/ModemManager b/apparmor.d/groups/network/ModemManager index 9a780107b..8ac535f16 100644 --- a/apparmor.d/groups/network/ModemManager +++ b/apparmor.d/groups/network/ModemManager @@ -34,7 +34,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) { @{run}/udev/data/c5:@{int} r, # for /dev/tty, /dev/console, /dev/ptmx @{run}/udev/data/n@{int} r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/bus/ r, @{sys}/bus/usb/devices/ r, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index ff317ec94..e20ea48b3 100644 --- a/apparmor.d/groups/network/NetworkManager +++ b/apparmor.d/groups/network/NetworkManager @@ -95,7 +95,8 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { /usr/share/gvfs/remote-volume-monitors/{,*.monitor} r, /usr/share/iproute2/{,**} r, - / r, + @{att}/ r, + /etc/ r, /etc/iproute2/* r, /etc/machine-id r, @@ -115,11 +116,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { @{sys}/class/net/rfkill/ r, @{sys}/class/rfkill/ r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/network/ifstate r, @{run}/NetworkManager/{,**} rw, @{run}/nm-*.pid rw, @{run}/nscd/db* rwl, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/users/@{uid} r, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/+platform:* r, 
diff --git a/apparmor.d/groups/network/mullvad-gui b/apparmor.d/groups/network/mullvad-gui index b5346964c..e1c55c7e1 100644 --- a/apparmor.d/groups/network/mullvad-gui +++ b/apparmor.d/groups/network/mullvad-gui @@ -32,7 +32,7 @@ profile mullvad-gui @{exec_path} flags=(attach_disconnected) { owner @{tmp}/.org.chromium.Chromium.@{rand6}/@{name}*.png rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, /dev/tty rw, diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd index 29cc38432..2f704fb37 100644 --- a/apparmor.d/groups/ssh/sshd +++ b/apparmor.d/groups/ssh/sshd @@ -97,12 +97,13 @@ profile sshd @{exec_path} flags=(attach_disconnected) { owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r, owner @{user_cache_dirs}/{,motd*} rw, + @{att}/@{run}/systemd/sessions/@{int}.ref rw, + @{run}/faillock/@{user} rwk, @{run}/motd.d/{,*} r, @{run}/motd.dynamic rw, @{run}/motd.dynamic.new rw, @{run}/systemd/notify w, - @{run}/systemd/sessions/*.ref rw, owner @{run}/sshd{,.init}.pid wl, @{sys}/fs/cgroup/*/user/*/@{int}/ rw, diff --git a/apparmor.d/groups/systemd/systemd-inhibit b/apparmor.d/groups/systemd/systemd-inhibit index 9938015d3..2be38e6ba 100644 --- a/apparmor.d/groups/systemd/systemd-inhibit +++ b/apparmor.d/groups/systemd/systemd-inhibit @@ -20,7 +20,7 @@ profile systemd-inhibit @{exec_path} flags=(attach_disconnected) { @{bin}/cat rix, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd index b4d137940..f38564ae1 100644 --- a/apparmor.d/groups/systemd/systemd-networkd +++ b/apparmor.d/groups/systemd/systemd-networkd 
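Review bot: The new sshd rule `@{att}/@{run}/systemd/sessions/@{int}.ref rw,` only matches purely numeric session IDs, whereas the equivalent replacements for `*.ref` in gdm-session-worker and gnome-session-binary in this same patch use `{,@{l}}@{int}.ref`. As far as I know logind hands out letter-prefixed IDs such as `c1` when no audit session ID is available (audit-less kernels, some containers), and an SSH login in that situation would now be denied the `.ref` fd that the removed `*.ref` rule used to cover. Suggest `@{att}/@{run}/systemd/sessions/{,@{l}}@{int}.ref rw,` so the three profiles agree. The sshd profile body continues before and after this hunk.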
@@ -50,9 +50,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) { /etc/networkd-dispatcher/carrier.d/{,*} r, - / r, + @{att}/ r, - owner /var/lib/systemd/network/ r, + owner @{att}/var/lib/systemd/network/ r, @{run}/systemd/network/ r, @{run}/systemd/network/*.network r, diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index 8fb717323..119ac517c 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -71,7 +71,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{PROC}/@{pids}/mountinfo r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index 6b1616e94..cfbd2d7b9 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -85,9 +85,9 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { /etc/docker/{,**} r, - / r, + @{att}/ r, - owner @{lib}/containerd/** w, + owner @{att}/@{lib}/containerd/** rw, owner @{lib}/docker/overlay2/*/work/{,**} rw, owner /var/lib/containerd/** rw, owner /var/lib/docker/{,**} rwk, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index e1aa55d57..db6d5d377 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd @@ -153,11 +153,12 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/ rw, @{run}/libvirt/** rwk, @{run}/libvirtd.pid wk, @{run}/lock/LCK.._pts_@{int} rw, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/systemd/notify w, @{run}/utmp rk, diff --git a/apparmor.d/groups/virt/virtinterfaced b/apparmor.d/groups/virt/virtinterfaced index 8ef827a10..4737dd806 100644 
--- a/apparmor.d/groups/virt/virtinterfaced +++ b/apparmor.d/groups/virt/virtinterfaced @@ -20,7 +20,7 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) { @{lib}/gconv/gconv-modules rm, @{lib}/gconv/gconv-modules.d/{,*} r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/interface/ rw, owner @{run}/user/@{uid}/libvirt/interface/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtlogd b/apparmor.d/groups/virt/virtlogd index 095084ef4..44bf06ba0 100644 --- a/apparmor.d/groups/virt/virtlogd +++ b/apparmor.d/groups/virt/virtlogd @@ -28,9 +28,10 @@ profile virtlogd @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/virtlogd.pid rwk, owner @{run}/user/@{uid}/libvirt/virtlogd* w, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/common/system.token rwk, @{run}/libvirt/virtlogd-sock rw, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/virtlogd.pid rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/virt/virtnetworkd b/apparmor.d/groups/virt/virtnetworkd index 2ed2a73fd..42e13ef64 100644 --- a/apparmor.d/groups/virt/virtnetworkd +++ b/apparmor.d/groups/virt/virtnetworkd @@ -24,8 +24,9 @@ profile virtnetworkd @{exec_path} flags=(attach_disconnected) { owner /var/lib/libvirt/dnsmasq/*.macs* rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/libvirt/network/default.pid r, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp rk, owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/network/{,**} rwk, diff --git a/apparmor.d/groups/virt/virtnodedevd b/apparmor.d/groups/virt/virtnodedevd index c0498c6cc..0b48d63fd 100644 --- a/apparmor.d/groups/virt/virtnodedevd +++ b/apparmor.d/groups/virt/virtnodedevd 
@@ -32,7 +32,8 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) { /etc/libvirt/*.conf r, /etc/mdevctl.d/{,**} r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/libvirt/common/system.token rwk, owner @{run}/libvirt/nodedev/ rw, owner @{run}/libvirt/nodedev/driver.pid wk, diff --git a/apparmor.d/groups/virt/virtsecretd b/apparmor.d/groups/virt/virtsecretd index 58e228d50..9b3e7dda4 100644 --- a/apparmor.d/groups/virt/virtsecretd +++ b/apparmor.d/groups/virt/virtsecretd @@ -20,7 +20,8 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libvirt/secrets/ rw, owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/user/@{uid}/libvirt/common/system.token rwk, owner @{run}/user/@{uid}/libvirt/secrets/ rw, owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk, diff --git a/apparmor.d/groups/virt/virtstoraged b/apparmor.d/groups/virt/virtstoraged index 847140a50..00565fcf5 100644 --- a/apparmor.d/groups/virt/virtstoraged +++ b/apparmor.d/groups/virt/virtstoraged @@ -54,7 +54,8 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) { owner @{run}/libvirt/storage/{,**} rwk, owner @{run}/virtstoraged.pid rwk, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp rwk, @{sys}/devices/system/node/ r, diff --git a/apparmor.d/groups/xfce/xfce-power-manager b/apparmor.d/groups/xfce/xfce-power-manager index ff78b6f16..1c2a0263d 100644 --- a/apparmor.d/groups/xfce/xfce-power-manager +++ b/apparmor.d/groups/xfce/xfce-power-manager @@ -21,7 +21,7 @@ profile xfce-power-manager @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/stat r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } 
diff --git a/apparmor.d/groups/xfce/xfce-screensaver b/apparmor.d/groups/xfce/xfce-screensaver index ce0a76612..e486ac6d9 100644 --- a/apparmor.d/groups/xfce/xfce-screensaver +++ b/apparmor.d/groups/xfce/xfce-screensaver @@ -25,7 +25,7 @@ profile xfce-screensaver @{exec_path} flags=(attach_disconnected) { /etc/xdg/menus/xfce4-screensavers.menu r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal index 3f3d1e28e..8a8d2b901 100644 --- a/apparmor.d/profiles-a-f/flatpak-portal +++ b/apparmor.d/profiles-a-f/flatpak-portal @@ -31,8 +31,8 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) { /var/lib/flatpak/exports/share/mime/mime.cache r, - / r, - /.flatpak-info r, + owner @{att}/ r, + owner @{att}/.flatpak-info r, owner @{HOME}/.var/app/*/**/.ref rw, owner @{HOME}/.var/app/*/**/logs/* rw, diff --git a/apparmor.d/profiles-a-f/foliate b/apparmor.d/profiles-a-f/foliate index b1c485408..422652084 100644 --- a/apparmor.d/profiles-a-f/foliate +++ b/apparmor.d/profiles-a-f/foliate @@ -40,7 +40,7 @@ profile foliate @{exec_path} flags=(attach_disconnected) { /usr/share/com.github.johnfactotum.Foliate/{,**} r, owner /bindfile@{rand6} rw, - owner /.flatpak-info r, + owner @{att}/.flatpak-info r, owner @{user_books_dirs}/{,**} r, owner @{user_torrents_dirs}/{,**} r, diff --git a/apparmor.d/profiles-a-f/fprintd b/apparmor.d/profiles-a-f/fprintd index 9a0d4058a..b3034dfef 100644 --- a/apparmor.d/profiles-a-f/fprintd +++ b/apparmor.d/profiles-a-f/fprintd @@ -27,8 +27,9 @@ profile fprintd @{exec_path} flags=(attach_disconnected) { /var/lib/fprint/{,**} rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/systemd/journal/socket rw, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 @{sys}/class/hidraw/ r, 
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 7c1f2024a..9ac0e21e6 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -94,11 +94,12 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) { @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r, @{sys}/power/mem_sleep r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/motd.d/ r, @{run}/motd.d/@{int}-fwupd* rw, @{run}/motd.d/fwupd/{,**} rw, @{run}/mount/utab r, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/udev/data/* r, @{PROC}/@{pids}/fd/ r, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 497595e39..c4bf64d75 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -35,7 +35,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { /etc/machine-id r, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/profiles-m-r/mission-control b/apparmor.d/profiles-m-r/mission-control index efe44ebc2..b8e79c0dc 100644 --- a/apparmor.d/profiles-m-r/mission-control +++ b/apparmor.d/profiles-m-r/mission-control @@ -25,7 +25,7 @@ profile mission-control @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk, owner @{user_cache_dirs}/.mc_connections rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-m-r/nvtop b/apparmor.d/profiles-m-r/nvtop index aed19fa5f..88a164c00 100644 --- a/apparmor.d/profiles-m-r/nvtop +++ b/apparmor.d/profiles-m-r/nvtop 
@@ -23,7 +23,8 @@ profile nvtop @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/nvtop/{,**} rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/udev/data/+drm:card@{int}-* r, # for screen outputs @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @{run}/udev/data/c226:@{int} r, # For /dev/dri/card* diff --git a/apparmor.d/profiles-m-r/packagekitd b/apparmor.d/profiles-m-r/packagekitd index 3eb16caad..b97c5e9a8 100644 --- a/apparmor.d/profiles-m-r/packagekitd +++ b/apparmor.d/profiles-m-r/packagekitd @@ -94,7 +94,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) { owner @{tmp}/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw, owner @{tmp}/packagekit* rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + owner @{run}/systemd/users/@{uid} r, #aa:only opensuse diff --git a/apparmor.d/profiles-m-r/psi b/apparmor.d/profiles-m-r/psi index ed6544c3f..33435fa8d 100644 --- a/apparmor.d/profiles-m-r/psi +++ b/apparmor.d/profiles-m-r/psi @@ -57,7 +57,7 @@ profile psi @{exec_path} { owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi.* rwl -> /tmp/#@{int}, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-m-r/psi-plus b/apparmor.d/profiles-m-r/psi-plus index c7f310ac8..32c05e55b 100644 --- a/apparmor.d/profiles-m-r/psi-plus +++ b/apparmor.d/profiles-m-r/psi-plus @@ -57,7 +57,7 @@ profile psi-plus @{exec_path} { owner @{tmp}/etilqs_@{hex16} rw, owner @{tmp}/Psi+.* rwl -> /tmp/#@{int}, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-s-z/signal-desktop b/apparmor.d/profiles-s-z/signal-desktop index 972f111f4..b905e8f3a 100644 
--- a/apparmor.d/profiles-s-z/signal-desktop +++ b/apparmor.d/profiles-s-z/signal-desktop @@ -40,7 +40,7 @@ profile signal-desktop @{exec_path} { audit @{lib_dirs}/chrome-sandbox rPx, @{lib_dirs}/chrome_crashpad_handler rix, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{sys}/fs/cgroup/user.slice/cpu.max r, @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r, diff --git a/apparmor.d/profiles-s-z/spice-vdagent b/apparmor.d/profiles-s-z/spice-vdagent index f0731fd64..79204827f 100644 --- a/apparmor.d/profiles-s-z/spice-vdagent +++ b/apparmor.d/profiles-s-z/spice-vdagent @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/spice-vdagent profile spice-vdagent @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -46,8 +47,6 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pids}/task/@{tid}/comm rw, - owner /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index 3ad53cf0a..e864663bb 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam @@ -174,12 +174,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner @{tmp}/steam@{rand6}/{,**} rw, owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw, + owner @{att}/dev/shm/ValveIPCSHM_@{uid} rw, owner /dev/shm/fossilize-*-@{int}-@{int} rw, owner /dev/shm/u@{uid}-Shm_@{hex6} rw, owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw, owner /dev/shm/u@{uid}-Shm_@{hex8} rw, owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, - owner /dev/shm/ValveIPCSHM_@{uid} rw, owner @{run}/user/@{uid}/ r, diff --git a/apparmor.d/profiles-s-z/superproductivity b/apparmor.d/profiles-s-z/superproductivity index 91ceef33d..c0b940478 100644 --- a/apparmor.d/profiles-s-z/superproductivity +++ b/apparmor.d/profiles-s-z/superproductivity 
@@ -29,7 +29,7 @@ profile superproductivity @{exec_path} flags=(attach_disconnected) { @{bin}/speech-dispatcher rPx, @{open_path} rPx -> child-open-strict, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, include if exists } diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index af2eec34e..b89d9c72f 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -104,11 +104,12 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { @{MOUNTS}/ rw, @{MOUNTS}/*/ rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/ r, @{run}/mount/utab{,.*} rwk, @{run}/udisks2/{,**} rw, @{run}/systemd/seats/seat@{int} r, - @{run}/systemd/inhibit/@{int}.ref rw, @{run}/cryptsetup/ r, @{run}/cryptsetup/L* rwk, diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 7c5cb0cb1..45a864c23 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -14,7 +14,7 @@ profile uname @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, - /dev/tty@{int} rw, + @{att}/dev/tty@{int} rw, deny network, deny owner @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 55d4a555d..f29df13d0 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -46,7 +46,7 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.xwechat/{,**} rwk, owner @{HOME}/.sys1og.conf rw, - @{run}/systemd/inhibit/@{int}.ref rw, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, @{run}/utmp r, @{PROC}/@{pid}/net/route r, diff --git a/apparmor.d/profiles-s-z/xbrlapi b/apparmor.d/profiles-s-z/xbrlapi index 35006d46b..f40b4fa6b 100644 --- a/apparmor.d/profiles-s-z/xbrlapi +++ b/apparmor.d/profiles-s-z/xbrlapi 
@@ -9,14 +9,13 @@ include @{exec_path} = @{bin}/xbrlapi profile xbrlapi @{exec_path} flags=(attach_disconnected) { include + include network inet stream, network inet6 stream, @{exec_path} mr, - /dev/tty@{int} rw, - include if exists } diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index 2218a3dd6..be37123fd 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -151,7 +151,6 @@ @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 -#aa:only abi3 # Attachment path for attach_disconnected.path flag. # Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. @{att}=/ From 116272b8ada281178150f1c9a564aac1967121f6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Fri, 11 Oct 2024 14:21:22 +0100 Subject: [PATCH 273/315] feat(aa-log): add support for attached path. --- pkg/logs/logs.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/logs/logs.go b/pkg/logs/logs.go index 246394604..194e6dc03 100644 --- a/pkg/logs/logs.go +++ b/pkg/logs/logs.go @@ -64,6 +64,7 @@ var ( `/home/[^/]+/`, `@{HOME}/`, // Resolve system variables + `/att/[^/@]+`, `@{att}/`, `/usr/lib(32|64|exec)`, `@{lib}`, `/usr/lib`, `@{lib}`, `/usr/(bin|sbin)`, `@{bin}`, @@ -84,6 +85,7 @@ var ( `pci` + strings.Repeat(h, 4) + `:` + strings.Repeat(h, 2), `@{pci_bus}`, `@{pci_bus}/[0-9a-f:*./]*/`, `@{pci}/`, `1000`, `@{uid}`, + `@{att}//`, `@{att}/`, // Some system glob `:not.active.yet`, `@{busname}`, // dbus unique bus name From ebdeef152c5ee135615a9e603101fd0593a28443 Mon Sep 17 00:00:00 2001 
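Review bot: The comment kept above `@{att}=/` still says the value is "Disabled on ABI3", but the hunk removes the `#aa:only abi3` marker from that line, so (judging by the marker's name) the default is now emitted on every ABI. If the intent is that the ABI4 attach builder later overrides the value per profile, the comment should say so, e.g. `# Default attachment path; on ABI4 the attach builder sets it per profile.`; otherwise the marker removal looks unintended and should be confirmed against the parser's handling of a variable that is set twice.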
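Review bot: The new `/att/[^/@]+` entry deliberately stops before the trailing slash, which is the only reason the later `@{att}//`, `@{att}/` entry in the "system glob" section is needed; a reader of either entry cannot see that coupling. Either add `// the trailing "//" left behind here is collapsed by the @{att}// entry below` on the first entry, or match the slash directly (`/att/[^/@]+/?` → `@{att}/`) and drop the second entry — I have not checked how the list is applied, so confirm the replacements run in order before folding them.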
From: Alexandre Pujol Date: Fri, 11 Oct 2024 22:31:06 +0100 Subject: [PATCH 274/315] build: root -> share. --- Makefile | 7 ++++--- pkg/prebuild/prepare/synchronise.go | 4 ++-- .../usr/share => share}/bash-completion/completions/aa-log | 0 {root/usr/share => share}/libalpm/hooks/apparmor.hook | 0 {root/usr/share => share}/man/man8/aa-log.8 | 0 {root/usr/share => share}/man/man8/aa-log.md | 0 {root/usr/share => share}/zsh/site-functions/_aa-log.zsh | 0 7 files changed, 6 insertions(+), 5 deletions(-) rename {root/usr/share => share}/bash-completion/completions/aa-log (100%) rename {root/usr/share => share}/libalpm/hooks/apparmor.hook (100%) rename {root/usr/share => share}/man/man8/aa-log.8 (100%) rename {root/usr/share => share}/man/man8/aa-log.md (100%) rename {root/usr/share => share}/zsh/site-functions/_aa-log.zsh (100%) diff --git a/Makefile b/Makefile index 9c8ae3eae..6d576f8b2 100644 --- a/Makefile +++ b/Makefile @@ -24,13 +24,14 @@ enforce: build full: build @./${BUILD}/prebuild --complain --full -ROOT = $(shell find "${BUILD}/root" -type f -not -name "*.md" -printf "%P\n") +SHARE = $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n") PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n") DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n") install: + @install -Dm0755 ${BUILD}/aa ${DESTDIR}/usr/bin/aa @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log - @for file in ${ROOT}; do \ - install -Dm0644 "${BUILD}/root/$${file}" "${DESTDIR}/$${file}"; \ + @for file in ${SHARE}; do \ + install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ done; @for file in ${PROFILES}; do \ install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \ diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index 741c015c4..f3ca44c42 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go 
@@ -27,14 +27,14 @@ func init() { func (p Synchronise) Apply() ([]string, error) { res := []string{} - dirs := paths.PathList{prebuild.RootApparmord, prebuild.Root.Join("root"), prebuild.Root.Join("systemd")} + dirs := paths.PathList{prebuild.RootApparmord, prebuild.Root.Join("share"), prebuild.Root.Join("systemd")} for _, dir := range dirs { if err := dir.RemoveAll(); err != nil { return res, err } } if p.Path == "" { - for _, name := range []string{"apparmor.d", "root"} { + for _, name := range []string{"apparmor.d", "share"} { if err := util.CopyTo(paths.New(name), prebuild.Root.Join(name)); err != nil { return res, err } diff --git a/root/usr/share/bash-completion/completions/aa-log b/share/bash-completion/completions/aa-log similarity index 100% rename from root/usr/share/bash-completion/completions/aa-log rename to share/bash-completion/completions/aa-log diff --git a/root/usr/share/libalpm/hooks/apparmor.hook b/share/libalpm/hooks/apparmor.hook similarity index 100% rename from root/usr/share/libalpm/hooks/apparmor.hook rename to share/libalpm/hooks/apparmor.hook diff --git a/root/usr/share/man/man8/aa-log.8 b/share/man/man8/aa-log.8 similarity index 100% rename from root/usr/share/man/man8/aa-log.8 rename to share/man/man8/aa-log.8 diff --git a/root/usr/share/man/man8/aa-log.md b/share/man/man8/aa-log.md similarity index 100% rename from root/usr/share/man/man8/aa-log.md rename to share/man/man8/aa-log.md diff --git a/root/usr/share/zsh/site-functions/_aa-log.zsh b/share/zsh/site-functions/_aa-log.zsh similarity index 100% rename from root/usr/share/zsh/site-functions/_aa-log.zsh rename to share/zsh/site-functions/_aa-log.zsh From 982c2c66aa7cca2242a9a5ba4e8638359544524f Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 12 Oct 2024 15:31:24 +0100 Subject: [PATCH 275/315] refractor: rename some path util function. --- cmd/aa/main.go | 1 - pkg/aa/apparmor_test.go | 5 +-- pkg/aa/parse_test.go | 6 +-- pkg/aa/resolve.go | 3 +- pkg/paths/paths.go | 73 +++++++++++++++++++++++++++++++ pkg/prebuild/cli/cli.go | 3 +- pkg/prebuild/directive/exec.go | 3 +- pkg/prebuild/directive/stack.go | 2 +- pkg/prebuild/files.go | 5 +-- pkg/prebuild/prepare/flags.go | 3 +- pkg/prebuild/prepare/fsp.go | 4 +- pkg/prebuild/prepare/overwrite.go | 3 +- pkg/util/tools.go | 58 ------------------------ 13 files changed, 87 insertions(+), 82 deletions(-) diff --git a/cmd/aa/main.go b/cmd/aa/main.go index d5bc10d59..9f4070158 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -13,7 +13,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) const usage = `aa [-h] [--lint | --format | --tree] [-s] [-F file] [profiles...] diff --git a/pkg/aa/apparmor_test.go b/pkg/aa/apparmor_test.go index 19cfd5a42..0cc74d438 100644 --- a/pkg/aa/apparmor_test.go +++ b/pkg/aa/apparmor_test.go @@ -10,7 +10,6 @@ import ( "testing" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) var ( @@ -21,7 +20,7 @@ var ( // mustReadProfileFile read a file and return its content as a slice of string. // It panics if an error occurs. It removes the last comment line. func mustReadProfileFile(path *paths.Path) string { - res := strings.Split(util.MustReadFile(path), "\n") + res := strings.Split(path.MustReadFileAsString(), "\n") return strings.Join(res[:len(res)-2], "\n") } @@ -108,7 +107,7 @@ func TestAppArmorProfileFile_String(t *testing.T) { }, }}, }, - want: util.MustReadFile(testData.Join("string.aa")), + want: testData.Join("string.aa").MustReadFileAsString(), }, } for _, tt := range tests { 
diff --git a/pkg/aa/parse_test.go b/pkg/aa/parse_test.go index 8b54487ff..71607fd32 100644 --- a/pkg/aa/parse_test.go +++ b/pkg/aa/parse_test.go @@ -8,8 +8,6 @@ import ( "reflect" "strings" "testing" - - "github.com/roddhjav/apparmor.d/pkg/util" ) func Test_tokenizeRule(t *testing.T) { @@ -919,7 +917,7 @@ var ( }, { name: "string.aa", - raw: util.MustReadFile(testData.Join("string.aa")), + raw: testData.Join("string.aa").MustReadFileAsString(), apparmor: &AppArmorProfileFile{ Preamble: Rules{ &Comment{Base: Base{Comment: " Simple test profile for the AppArmorProfileFile.String() method", IsLineRule: true}}, @@ -1017,7 +1015,7 @@ var ( }, { name: "full.aa", - raw: util.MustReadFile(testData.Join("full.aa")), + raw: testData.Join("full.aa").MustReadFileAsString(), apparmor: &AppArmorProfileFile{ Preamble: Rules{ &Comment{Base: Base{IsLineRule: true, Comment: " Simple test profile with all rules used"}}, diff --git a/pkg/aa/resolve.go b/pkg/aa/resolve.go index 26a03691e..6ce768bc0 100644 --- a/pkg/aa/resolve.go +++ b/pkg/aa/resolve.go @@ -10,7 +10,6 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) var ( @@ -149,7 +148,7 @@ func (f *AppArmorProfileFile) resolveInclude(include *Include) error { iFile := &AppArmorProfileFile{} for _, file := range files { - raw, err := util.ReadFile(file) + raw, err := file.ReadFileAsString() if err != nil { return err } diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go index b77adfa66..feb1e21c4 100644 --- a/pkg/paths/paths.go +++ b/pkg/paths/paths.go @@ -35,9 +35,12 @@ import ( "io/fs" "os" "path/filepath" + "slices" "strings" "syscall" "time" + + "github.com/roddhjav/apparmor.d/pkg/util" ) // Path represents a path 
@@ -360,6 +363,31 @@ func (p *Path) CopyTo(dst *Path) error { return nil } +// CopyTo recursivelly copy all files from a source path to a destination path. +func CopyTo(src *Path, dst *Path) error { + files, err := src.ReadDirRecursiveFiltered(nil, + FilterOutDirectories(), + FilterOutNames("README.md"), + ) + if err != nil { + return err + } + for _, file := range files { + destination, err := file.RelFrom(src) + if err != nil { + return err + } + destination = dst.JoinPath(destination) + if err := destination.Parent().MkdirAll(); err != nil { + return err + } + if err := file.CopyTo(destination); err != nil { + return err + } + } + return nil +} + // CopyDirTo recursively copies the directory denoted by the current path to // the destination path. The source directory must exist and the destination // directory must NOT exist (no implicit destination name allowed). @@ -460,6 +488,24 @@ func WriteToTempFile(data []byte, dir *Path, prefix string) (res *Path, err erro return New(f.Name()), nil } +// ReadFileAsString read a file and return its content as a string. +func (p *Path) ReadFileAsString() (string, error) { + content, err := p.ReadFile() + if err != nil { + return "", err + } + return string(content), nil +} + +// MustReadFileAsString read a file and return its content as a string. Panic if an error occurs. +func (p *Path) MustReadFileAsString() string { + content, err := p.ReadFile() + if err != nil { + panic(err) + } + return string(content) +} + // ReadFileAsLines reads the file named by filename and returns it as an // array of lines. This function takes care of the newline encoding // differences between different OS 
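Review bot: `MustReadFileAsString` duplicates the body of `ReadFileAsString` instead of delegating to it; `s, err := p.ReadFileAsString(); if err != nil { panic(err) }; return s` keeps a single read path and the same panic behaviour. In the moved `CopyTo`, `recursivelly` → `recursively`, and the doc comment should state what the code shows: directories and files named `README.md` are skipped, and missing parent directories under `dst` are created. Whether an existing destination file is overwritten depends on `(*Path).CopyTo`, which is outside this hunk — worth stating once it is confirmed.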
@@ -473,6 +519,33 @@ func (p *Path) ReadFileAsLines() ([]string, error) { return strings.Split(txt, "\n"), nil } +// MustReadFileAsLines read a file and return its content as a slice of string. Panic if an error occurs. +func (p *Path) MustReadFileAsLines() []string { + lines, err := p.ReadFileAsLines() + if err != nil { + panic(err) + } + return lines +} + +// MustReadFilteredFileAsLines read a file and return its content as a slice of string. +// It filter out comments and empty lines. Panic if an error occurs. +func (p *Path) MustReadFilteredFileAsLines() []string { + data, err := p.ReadFile() + if err != nil { + panic(err) + } + txt := string(data) + txt = strings.Replace(txt, "\r\n", "\n", -1) + txt = util.Filter(txt) + res := strings.Split(txt, "\n") + if slices.Contains(res, "") { + idx := slices.Index(res, "") + res = slices.Delete(res, idx, idx+1) + } + return res +} + // Truncate create an empty file named by path or if the file already // exist it truncates it (delete all contents) func (p *Path) Truncate() error { diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go index 7c91d8281..932851d02 100644 --- a/pkg/prebuild/cli/cli.go +++ b/pkg/prebuild/cli/cli.go @@ -15,7 +15,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/prebuild/builder" "github.com/roddhjav/apparmor.d/pkg/prebuild/directive" "github.com/roddhjav/apparmor.d/pkg/prebuild/prepare" - "github.com/roddhjav/apparmor.d/pkg/util" ) const ( @@ -138,7 +137,7 @@ func Build() error { if !file.Exist() { continue } - profile, err := util.ReadFile(file) + profile, err := file.ReadFileAsString() if err != nil { return err } diff --git a/pkg/prebuild/directive/exec.go b/pkg/prebuild/directive/exec.go index c856b7268..5aee73740 100644 --- a/pkg/prebuild/directive/exec.go +++ b/pkg/prebuild/directive/exec.go @@ -13,7 +13,6 @@ import ( "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" ) type Exec struct { 
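Review bot: `MustReadFilteredFileAsLines` searches for the empty string twice (`slices.Contains` followed by `slices.Index`); `if idx := slices.Index(res, ""); idx >= 0 { res = slices.Delete(res, idx, idx+1) }` does it in one pass. It also removes only the first empty element, while the doc comment promises that empty lines are filtered out — presumably `util.Filter` already strips the interior ones and this only drops the element left after the final newline, in which case the comment should say `// util.Filter removes comments and blank lines; drop the empty tail left by the final newline`. `strings.Replace(txt, "\r\n", "\n", -1)` is `strings.ReplaceAll(txt, "\r\n", "\n")`, and since the three-line prologue is the same as in `ReadFileAsLines` (visible at the top of this hunk), the helper could simply call it and filter the result.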
@@ -44,7 +43,7 @@ func (d Exec) Apply(opt *Option, profileRaw string) (string, error) { rules := aa.Rules{} for name := range opt.ArgMap { - profiletoTransition := util.MustReadFile(prebuild.RootApparmord.Join(name)) + profiletoTransition := prebuild.RootApparmord.Join(name).MustReadFileAsString() dstProfile := aa.DefaultTunables() if _, err := dstProfile.Parse(profiletoTransition); err != nil { return "", err diff --git a/pkg/prebuild/directive/stack.go b/pkg/prebuild/directive/stack.go index 707405362..03dd826e1 100644 --- a/pkg/prebuild/directive/stack.go +++ b/pkg/prebuild/directive/stack.go @@ -55,7 +55,7 @@ func (s Stack) Apply(opt *Option, profile string) (string, error) { res := "" for name := range opt.ArgMap { - stackedProfile := util.MustReadFile(prebuild.RootApparmord.Join(name)) + stackedProfile := prebuild.RootApparmord.Join(name).MustReadFileAsString() m := regRules.FindStringSubmatch(stackedProfile) if len(m) < 2 { return "", fmt.Errorf("No profile found in %s", name) diff --git a/pkg/prebuild/files.go b/pkg/prebuild/files.go index d275c916d..c14730960 100644 --- a/pkg/prebuild/files.go +++ b/pkg/prebuild/files.go @@ -8,7 +8,6 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" ) // Default content of debian/apparmor.d.hide. Whonix has special addition. @@ -29,7 +28,7 @@ func (f Flagger) Read(name string) map[string][]string { return res } - lines := util.MustReadFileAsLines(path) + lines := path.MustReadFilteredFileAsLines() for _, line := range lines { manifest := strings.Split(line, " ") profile := manifest[0] @@ -49,7 +48,7 @@ func (i Ignorer) Read(name string) []string { if !path.Exist() { return []string{} } - return util.MustReadFileAsLines(path) + return path.MustReadFilteredFileAsLines() } type DebianHider struct { diff --git a/pkg/prebuild/prepare/flags.go b/pkg/prebuild/prepare/flags.go index 23998d4d0..5a851cbe9 100644 --- a/pkg/prebuild/prepare/flags.go 
+++ b/pkg/prebuild/prepare/flags.go @@ -10,7 +10,6 @@ import ( "strings" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" ) var ( @@ -44,7 +43,7 @@ func (p SetFlags) Apply() ([]string, error) { // Overwrite profile flags if len(flags) > 0 { flagsStr := " flags=(" + strings.Join(flags, ",") + ") {\n" - out, err := util.ReadFile(file) + out, err := file.ReadFileAsString() if err != nil { return res, err } diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index af57ed9d7..b40030d2c 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -35,7 +35,7 @@ func (p FullSystemPolicy) Apply() ([]string, error) { // Set systemd profile name path := prebuild.RootApparmord.Join("tunables/multiarch.d/system") - out, err := util.ReadFile(path) + out, err := path.ReadFileAsString() if err != nil { return res, err } @@ -47,7 +47,7 @@ func (p FullSystemPolicy) Apply() ([]string, error) { // Fix conflicting x modifiers in abstractions - FIXME: Temporary solution path = prebuild.RootApparmord.Join("abstractions/gstreamer") - out, err = util.ReadFile(path) + out, err = path.ReadFileAsString() if err != nil { return res, err } diff --git a/pkg/prebuild/prepare/overwrite.go b/pkg/prebuild/prepare/overwrite.go index 209e8dc81..6f8951161 100644 --- a/pkg/prebuild/prepare/overwrite.go +++ b/pkg/prebuild/prepare/overwrite.go @@ -9,7 +9,6 @@ import ( "os" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" ) const ext = ".apparmor.d" @@ -44,7 +43,7 @@ func (p Overwrite) Apply() ([]string, error) { if !path.Exist() { return res, fmt.Errorf("%s not found", path) } - for _, name := range util.MustReadFileAsLines(path) { + for _, name := range path.MustReadFilteredFileAsLines() { origin := prebuild.RootApparmord.Join(name) dest := prebuild.RootApparmord.Join(name + ext) if !dest.Exist() && p.OneFile { 
diff --git a/pkg/util/tools.go b/pkg/util/tools.go index 0d3372fcc..749a97e62 100644 --- a/pkg/util/tools.go +++ b/pkg/util/tools.go @@ -7,10 +7,6 @@ package util import ( "encoding/hex" "regexp" - "slices" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" ) var ( @@ -67,61 +63,7 @@ func DecodeHexInString(str string) string { return str } -// CopyTo recursivelly copy all files from a source path to a destination path. -func CopyTo(src *paths.Path, dst *paths.Path) error { - files, err := src.ReadDirRecursiveFiltered(nil, - paths.FilterOutDirectories(), - paths.FilterOutNames("README.md"), - ) - if err != nil { - return err - } - for _, file := range files { - destination, err := file.RelFrom(src) - if err != nil { - return err - } - destination = dst.JoinPath(destination) - if err := destination.Parent().MkdirAll(); err != nil { - return err - } - if err := file.CopyTo(destination); err != nil { - return err - } - } - return nil -} - // Filter out comments and empty line from a string func Filter(src string) string { return regFilter.Replace(src) } - -// ReadFile read a file and return its content as a string. -func ReadFile(path *paths.Path) (string, error) { - content, err := path.ReadFile() - if err != nil { - return "", err - } - return string(content), nil -} - -// MustReadFile read a file and return its content as a string. Panic if an error occurs. -func MustReadFile(path *paths.Path) string { - content, err := path.ReadFile() - if err != nil { - panic(err) - } - return string(content) -} - -// MustReadFileAsLines read a file and return its content as a slice of string. -// It panics if an error occurs and filter out comments and empty lines. -func MustReadFileAsLines(path *paths.Path) []string { - res := strings.Split(Filter(MustReadFile(path)), "\n") - if slices.Contains(res, "") { - idx := slices.Index(res, "") - res = slices.Delete(res, idx, idx+1) - } - return res -} From e90ccd214cb781409d69a5cb00fbd65d8948a83d Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 12 Oct 2024 15:40:17 +0100 Subject: [PATCH 276/315] refractor: move CopyTo Will be replaced by os.CopyFS with go 1.23 --- pkg/prebuild/prepare/configure.go | 6 ++-- pkg/prebuild/prepare/fsp.go | 4 +-- pkg/prebuild/prepare/synchronise.go | 3 +- pkg/prebuild/prepare/systemd.go | 6 ++-- pkg/util/tools_test.go | 43 ----------------------------- 5 files changed, 9 insertions(+), 53 deletions(-) diff --git a/pkg/prebuild/prepare/configure.go b/pkg/prebuild/prepare/configure.go index 9a423060f..4b8e11ec5 100644 --- a/pkg/prebuild/prepare/configure.go +++ b/pkg/prebuild/prepare/configure.go @@ -7,8 +7,8 @@ package prepare import ( "fmt" + "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" ) type Configure struct { @@ -36,7 +36,7 @@ func (p Configure) Apply() ([]string, error) { } if prebuild.ABI == 3 { - if err := util.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { + if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { return res, err } } @@ -47,7 +47,7 @@ func (p Configure) Apply() ([]string, error) { } // Copy Debian specific abstractions - if err := util.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { + if err := paths.CopyTo(prebuild.DistDir.Join("ubuntu"), prebuild.RootApparmord); err != nil { return res, err } diff --git a/pkg/prebuild/prepare/fsp.go b/pkg/prebuild/prepare/fsp.go index b40030d2c..1d38ca294 100644 --- a/pkg/prebuild/prepare/fsp.go +++ b/pkg/prebuild/prepare/fsp.go @@ -29,7 +29,7 @@ func (p FullSystemPolicy) Apply() ([]string, error) { res := []string{} // Install full system policy profiles - if err := util.CopyTo(paths.New("apparmor.d/groups/_full/"), prebuild.Root.Join("apparmor.d")); err != nil { + if err := paths.CopyTo(paths.New("apparmor.d/groups/_full/"), prebuild.Root.Join("apparmor.d")); err != nil { return res, err } 
@@ -58,5 +58,5 @@ func (p FullSystemPolicy) Apply() ([]string, error) { } // Set systemd unit drop-in files - return res, util.CopyTo(prebuild.SystemdDir.Join("full"), prebuild.Root.Join("systemd")) + return res, paths.CopyTo(prebuild.SystemdDir.Join("full"), prebuild.Root.Join("systemd")) } diff --git a/pkg/prebuild/prepare/synchronise.go b/pkg/prebuild/prepare/synchronise.go index f3ca44c42..b272388c7 100644 --- a/pkg/prebuild/prepare/synchronise.go +++ b/pkg/prebuild/prepare/synchronise.go @@ -7,7 +7,6 @@ package prepare import ( "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" ) type Synchronise struct { @@ -35,7 +34,7 @@ func (p Synchronise) Apply() ([]string, error) { } if p.Path == "" { for _, name := range []string{"apparmor.d", "share"} { - if err := util.CopyTo(paths.New(name), prebuild.Root.Join(name)); err != nil { + if err := paths.CopyTo(paths.New(name), prebuild.Root.Join(name)); err != nil { return res, err } } diff --git a/pkg/prebuild/prepare/systemd.go b/pkg/prebuild/prepare/systemd.go index cee952854..b7646e4bf 100644 --- a/pkg/prebuild/prepare/systemd.go +++ b/pkg/prebuild/prepare/systemd.go @@ -5,8 +5,8 @@ package prepare import ( + "github.com/roddhjav/apparmor.d/pkg/paths" "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/pkg/util" ) type SystemdDefault struct { @@ -33,9 +33,9 @@ func init() { } func (p SystemdDefault) Apply() ([]string, error) { - return []string{}, util.CopyTo(prebuild.SystemdDir.Join("default"), prebuild.Root.Join("systemd")) + return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("default"), prebuild.Root.Join("systemd")) } func (p SystemdEarly) Apply() ([]string, error) { - return []string{}, util.CopyTo(prebuild.SystemdDir.Join("early"), prebuild.Root.Join("systemd")) + return []string{}, paths.CopyTo(prebuild.SystemdDir.Join("early"), prebuild.Root.Join("systemd")) } 
diff --git a/pkg/util/tools_test.go b/pkg/util/tools_test.go index df45d92b7..e8b2bb837 100644 --- a/pkg/util/tools_test.go +++ b/pkg/util/tools_test.go @@ -8,8 +8,6 @@ import ( "reflect" "regexp" "testing" - - "github.com/roddhjav/apparmor.d/pkg/paths" ) func TestDecodeHexInString(t *testing.T) { @@ -90,47 +88,6 @@ func TestRegexReplList_Replace(t *testing.T) { } } -func TestCopyTo(t *testing.T) { - tests := []struct { - name string - src *paths.Path - dst *paths.Path - wantErr bool - }{ - { - name: "default", - src: paths.New("../../apparmor.d/groups/_full/"), - dst: paths.New("/tmp/test/apparmor.d/groups/_full/"), - wantErr: false, - }, - { - name: "issue-source", - src: paths.New("../../apparmor.d/groups/nope/"), - dst: paths.New("/tmp/test/apparmor.d/groups/_full/"), - wantErr: true, - }, - // { - // name: "issue-dest-1", - // src: paths.New("../../apparmor.d/groups/_full/"), - // dst: paths.New("/"), - // wantErr: true, - // }, - // { - // name: "issue-dest-2", - // src: paths.New("../../apparmor.d/groups/_full/"), - // dst: paths.New("/_full/"), - // wantErr: true, - // }, - } - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - if err := CopyTo(tt.src, tt.dst); (err != nil) != tt.wantErr { - t.Errorf("CopyTo() error = %v, wantErr %v", err, tt.wantErr) - } - }) - } -} - func Test_Filter(t *testing.T) { tests := []struct { name string From 273485217c79e3931c441c109f8d822e764a1875 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Oct 2024 20:08:21 +0100 Subject: [PATCH 277/315] build: add the task to automatically attach disconnected path. Not yet enabled on build, as the profiles still require some testing. --- pkg/prebuild/builder/attach.go | 65 ++++++++++++++++++++++++++++++++++ pkg/prebuild/cli/cli.go | 7 +++- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 pkg/prebuild/builder/attach.go diff --git a/pkg/prebuild/builder/attach.go b/pkg/prebuild/builder/attach.go new file mode 100644 index 000000000..6fd700291 
--- /dev/null
+++ b/pkg/prebuild/builder/attach.go
@@ -0,0 +1,65 @@
+// apparmor.d - Full set of apparmor profiles
+// Copyright (C) 2021-2024 Alexandre Pujol
+// SPDX-License-Identifier: GPL-2.0-only
+
+package builder
+
+import (
+	"regexp"
+	"strings"
+
+	"github.com/roddhjav/apparmor.d/pkg/prebuild"
+)
+
+var (
+	regProfile = regexp.MustCompile(`profile ([^ ]+)`)
+)
+
+type ReAttach struct {
+	prebuild.Base
+}
+
+func init() {
+	RegisterBuilder(&ReAttach{
+		Base: prebuild.Base{
+			Keyword: "attach",
+			Msg: "Re-attach disconnect path",
+		},
+	})
+}
+
+// Apply will re-attach the disconnected path
+// - Add the attach_disconnected.path flag on all frofile with the attach_disconnected flag
+// - Add the attached/base abstraction in the profile
+// - For compatibility, non disconnected profile will have the @{att} variable set to /
+func (b ReAttach) Apply(opt *Option, profile string) (string, error) {
+	var insert string
+	var origin = "profile " + opt.Name
+
+	if strings.Contains(profile, "attach_disconnected") {
+		insert = "@{att} = /att/" + opt.Name + "/\n"
+		profile = strings.Replace(profile,
+			"attach_disconnected",
+			"attach_disconnected,attach_disconnected.path=@{att}", -1,
+		)
+
+		old := "include if exists "
+		new := "include \n " + old
+		profile = strings.Replace(profile, old, new, 1)
+
+		for _, match := range regProfile.FindAllStringSubmatch(profile, -1) {
+			name := match[1]
+			if name == opt.Name {
+				continue
+			}
+			old = "include if exists "
+			new = "include \n " + old
+			profile = strings.Replace(profile, old, new, 1)
+		}
+
+	} else {
+		insert = "@{att} = /\n"
+	}
+
+	return strings.Replace(profile, origin, insert+origin, 1), nil
+}
diff --git a/pkg/prebuild/cli/cli.go b/pkg/prebuild/cli/cli.go
index 932851d02..2821d52c2 100644
--- a/pkg/prebuild/cli/cli.go
+++ b/pkg/prebuild/cli/cli.go
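Review bot: The local `new` in `ReAttach.Apply` shadows Go's builtin `new` (once in the if-body and again in the loop); a name such as `withBase` avoids that, and `var origin = …` should be `origin := …`. `regProfile` (`profile ([^ ]+)`) is not anchored to a line start, so the word "profile" in a comment line would also produce a (spurious) sub-profile name; `(?m)^\s*profile ([^ ]+)` limits it to rule headers. The `strings.Replace(…, -1)` on `attach_disconnected` rewrites every occurrence, so a sub-profile header carrying its own `attach_disconnected` flag receives `attach_disconnected.path=@{att}` with the parent's path; if that is intended, say so in the doc comment, which also has `frofile` → `profile`. Note that the include strings in this hunk appear with their angle-bracketed targets stripped by extraction, so I have not judged them.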
@@ -88,8 +88,13 @@ func Prebuild() { if abi != nilABI { prebuild.ABI = abi } - if prebuild.ABI == 3 { + switch prebuild.ABI { + case 3: builder.Register("abi3") // Convert all profiles from abi 4.0 to abi 3.0 + case 4: + // builder.Register("attach") // Re-attach disconnect path + default: + logging.Fatal("Invalid ABI version: %d", prebuild.ABI) } if file != "" { From 3ef6c4403885c47f7b9bdd73389ace79817597df Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Oct 2024 20:11:45 +0100 Subject: [PATCH 278/315] fix: small fix & cleaning. --- cmd/aa/main.go | 2 +- pkg/aa/mount.go | 9 +++++++++ pkg/aa/template.go | 11 ++--------- 3 files changed, 12 insertions(+), 10 deletions(-) diff --git a/cmd/aa/main.go b/cmd/aa/main.go index 9f4070158..5f7dd6396 100644 --- a/cmd/aa/main.go +++ b/cmd/aa/main.go @@ -135,7 +135,7 @@ func aaFormat(files paths.PathList) error { if !file.Exist() { return nil } - profile, err := util.ReadFile(file) + profile, err := file.ReadFileAsString() if err != nil { return err } diff --git a/pkg/aa/mount.go b/pkg/aa/mount.go index ad83801c6..a9d8dbeaf 100644 --- a/pkg/aa/mount.go +++ b/pkg/aa/mount.go @@ -16,6 +16,15 @@ const ( func init() { requirements[MOUNT] = requirement{ + "flags_bind": { + "B", "bind", "R", "rbind", + }, + "flags_change": { + "remount", "unbindable", "shared", "private", "slave", "runbindable", + "rshared", "rprivate", "rslave", "make-unbindable", "make-shared", + "make-private", "make-slave", "make-runbindable", "make-rshared", + "make-rprivate", "make-rslave", + }, "flags": { "ro", "rw", "acl", "async", "atime", "bind", "dev", "diratime", "dirsync", "exec", "iversion", "loud", "mand", "move", "noacl", diff --git a/pkg/aa/template.go b/pkg/aa/template.go index 92c10b46e..cb00d2f36 100644 --- a/pkg/aa/template.go +++ b/pkg/aa/template.go 
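Review bot: The empty `case 4:` in `Prebuild` leaves a reader guessing whether the attach builder was forgotten or deliberately withheld; the commit message says the latter, so the comment should carry that, e.g. `case 4: // TODO: builder.Register("attach") once the attached-path profiles are validated`. The `default:` branch now rejects any ABI other than 3 or 4 with `logging.Fatal`, which is a behavioural change worth a line in the commit description. `Prebuild` continues outside the hunk.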
@@ -35,17 +35,10 @@ var ( // The apparmor templates tmpl = generateTemplates([]Kind{ // Global templates - "apparmor", - PROFILE, - HAT, - "rules", + "apparmor", PROFILE, HAT, "rules", // Preamble templates - ABI, - ALIAS, - INCLUDE, - VARIABLE, - COMMENT, + ABI, ALIAS, INCLUDE, VARIABLE, COMMENT, // Rules templates ALL, RLIMIT, USERNS, CAPABILITY, NETWORK, From 70d472018916c27329a7dfcd0203ada207713444 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Oct 2024 20:55:14 +0100 Subject: [PATCH 279/315] fix(build): do not install the aa helper tool --- Makefile | 1 - 1 file changed, 1 deletion(-) diff --git a/Makefile b/Makefile index 6d576f8b2..3aea44a78 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,6 @@ SHARE = $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n") PROFILES = $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n") DISABLES = $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n") install: - @install -Dm0755 ${BUILD}/aa ${DESTDIR}/usr/bin/aa @install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log @for file in ${SHARE}; do \ install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \ From ffeb68af3b0b38793e687e75b8102caedce03ebf Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 12 Oct 2024 20:58:08 +0100 Subject: [PATCH 280/315] build: update ignore files with new ignore paths. --- dists/ignore/debian.ignore | 2 +- dists/ignore/opensuse.ignore | 2 +- dists/ignore/ubuntu.ignore | 3 +-- dists/ignore/whonix.ignore | 2 +- 4 files changed, 4 insertions(+), 5 deletions(-) diff --git a/dists/ignore/debian.ignore b/dists/ignore/debian.ignore index 9843d249a..bfd8998ae 100644 --- a/dists/ignore/debian.ignore +++ b/dists/ignore/debian.ignore @@ -1,6 +1,6 @@ # Archlinux specific apparmor.d/groups/pacman -root/usr/share/libalpm +share/libalpm # Ubuntu specific definition apparmor.d/groups/ubuntu 
diff --git a/dists/ignore/opensuse.ignore b/dists/ignore/opensuse.ignore index 0d393c6c1..7f79b77ef 100644 --- a/dists/ignore/opensuse.ignore +++ b/dists/ignore/opensuse.ignore @@ -1,6 +1,6 @@ # Archlinux specific apparmor.d/groups/pacman -root/usr/share/libalpm +share/libalpm # Debian specific definition apparmor.d/groups/apt diff --git a/dists/ignore/ubuntu.ignore b/dists/ignore/ubuntu.ignore index 714fa3273..eb0df718f 100644 --- a/dists/ignore/ubuntu.ignore +++ b/dists/ignore/ubuntu.ignore @@ -1,7 +1,6 @@ # Archlinux specific apparmor.d/groups/pacman -root/etc/xdg/autostart/apparmor-notify.desktop -root/usr/share/libalpm +share/libalpm # OpenSUSE specific definition apparmor.d/groups/suse diff --git a/dists/ignore/whonix.ignore b/dists/ignore/whonix.ignore index 5370a0f95..959f8ce6e 100644 --- a/dists/ignore/whonix.ignore +++ b/dists/ignore/whonix.ignore @@ -1,6 +1,6 @@ # Archlinux specific definition apparmor.d/groups/pacman -root/usr/share/libalpm +share/libalpm # OpenSUSE specific definition apparmor.d/groups/suse From 0525e51cde5769535817d66bb2fa890a1434a926 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Sun, 13 Oct 2024 14:19:52 +0300 Subject: [PATCH 281/315] xdg-mime xdg-open xdg-settings xprop --- apparmor.d/groups/freedesktop/xdg-mime | 9 +++++++++ apparmor.d/groups/freedesktop/xdg-open | 8 +++++++- apparmor.d/groups/freedesktop/xdg-settings | 5 +++++ apparmor.d/groups/freedesktop/xprop | 1 + 4 files changed, 22 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index e2486f9fd..650d1f554 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xdg-mime profile xdg-mime @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} r, 
@@ -50,14 +51,22 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { @{bin}/vendor_perl/mimetype Px, @{bin}/xprop Px, + owner @{user_config_dirs}/mimeapps.list{,.new} rw, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, + @{PROC}/version r, + /dev/tty rw, profile bus flags=(complain) { include include include + include + + @{bin}/dbus-send mr, + include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 8e90bc423..b0b44e388 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -20,6 +20,7 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { @{bin}/basename ix, @{bin}/cat ix, @{bin}/cut ix, + @{bin}/env ix, @{bin}/readlink ix, @{bin}/realpath ix, @{bin}/sed ix, @@ -35,10 +36,15 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-mime Px, @{open_path} Px -> child-open-any, - profile bus { + @{PROC}/version r, + + profile bus flags=(attach_disconnected) { include include include + include + + @{bin}/dbus-send mr, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index f64b879f6..2525e1462 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings @@ -28,6 +28,7 @@ profile xdg-settings @{exec_path} { @{bin}/realpath rix, @{bin}/rm ix, @{bin}/sed ix, + @{bin}/sleep ix, @{bin}/sort ix, @{bin}/touch ix, @{bin}/tr ix, @@ -46,6 +47,7 @@ profile xdg-settings @{exec_path} { @{bin}/xprop Px, owner @{user_config_dirs}/xfce4/helpers.rc{,.@{rand6}} rw, + owner @{user_share_dirs}/applications/{,**} rw, @{PROC}/version r, @@ -55,6 +57,9 @@ profile xdg-settings @{exec_path} { include include include + include + + @{bin}/dbus-send mr, include if exists } diff --git a/apparmor.d/groups/freedesktop/xprop b/apparmor.d/groups/freedesktop/xprop index 99959fc73..f83afae61 100644 --- a/apparmor.d/groups/freedesktop/xprop 
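Review bot: The new `owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r` line lets xdg-mime read the clipboard payload that wl-copy spools under the temp directory, and nothing in the hunk says why a MIME query needs it. If this is `xdg-mime query filetype` being pointed at a path a Wayland clipboard tool handed over, a one-line comment such as `# clipboard payload spooled by wl-copy, queried for its type` would keep the next reader from treating it as a leftover. The `bus` child also gains `@{bin}/dbus-send mr` while the child is still `flags=(complain)`, so the mode should be revisited once the rule set is known to be complete.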
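Review bot: `owner @{user_share_dirs}/applications/{,**} rw` gives xdg-settings write access to every launcher under the user's applications directory, and since those `.desktop` files are what the desktop later executes, the rule deserves a note on which entries the script actually creates or edits there. If it only touches the default-browser/mailer entries and `mimeapps.list`, the glob can be narrowed to those names; otherwise keep it but document it, e.g. `# creates/updates *.desktop entries and mimeapps.list for default-app selection`. The `bus` child and the profile footer are in later hunks.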
+++ b/apparmor.d/groups/freedesktop/xprop @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xprop profile xprop @{exec_path} flags=(attach_disconnected) { include + include include include From 22e5367db4e434432091ca61a51947020be3992f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Oct 2024 23:24:50 +0100 Subject: [PATCH 282/315] fix(profile): torbrowser allow download. fix #539 --- apparmor.d/groups/browsers/torbrowser | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apparmor.d/groups/browsers/torbrowser b/apparmor.d/groups/browsers/torbrowser index 8d8336d6d..5068886c3 100644 --- a/apparmor.d/groups/browsers/torbrowser +++ b/apparmor.d/groups/browsers/torbrowser @@ -42,6 +42,9 @@ profile torbrowser @{exec_path} flags=(attach_disconnected) { owner "@{tmp}/Tor Project*" rwk, owner "@{tmp}/Tor Project*/" rw, owner "@{tmp}/Tor Project*/**" rwk, + owner @{tmp}/@{rand8}.* rw, + owner @{tmp}/mozilla_pc@{int}/ rw, + owner @{tmp}/mozilla_pc@{int}/* rwk, # Due to the nature of the browser, we silence much more than for Firefox. deny capability sys_ptrace, From 5b7b921fc90f4f68d1fe4751788fe685cb0b7360 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sun, 13 Oct 2024 23:26:54 +0100 Subject: [PATCH 283/315] fix(profile): *-glxtest needs wayland. fix #549 --- apparmor.d/groups/browsers/firefox-glxtest | 1 + apparmor.d/groups/browsers/torbrowser-glxtest | 1 + apparmor.d/profiles-s-z/thunderbird-glxtest | 1 + 3 files changed, 3 insertions(+) diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest index ad4fbb1ff..97e5645b9 100644 --- a/apparmor.d/groups/browsers/firefox-glxtest +++ b/apparmor.d/groups/browsers/firefox-glxtest @@ -17,6 +17,7 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) { include include include + include @{exec_path} mr, diff --git a/apparmor.d/groups/browsers/torbrowser-glxtest b/apparmor.d/groups/browsers/torbrowser-glxtest index ab5eee07f..4939edfbf 100644 
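Review bot: `owner @{tmp}/@{rand8}.* rw` has no distinguishing prefix, so it matches any owner-writable temp file whose name is eight random characters plus an extension, well beyond the download scratch files this fix is for. A comment naming the producer, e.g. `# download scratch files, name chosen by the browser (presumably)`, would help, and if the extension set is known the trailing `.*` can be narrowed. The two `mozilla_pc@{int}` lines are clearly scoped and fine.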
--- a/apparmor.d/groups/browsers/torbrowser-glxtest +++ b/apparmor.d/groups/browsers/torbrowser-glxtest @@ -18,6 +18,7 @@ profile torbrowser-glxtest @{exec_path} flags=(attach_disconnected) { include include include + include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index a742a41fb..626896a09 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest @@ -16,6 +16,7 @@ profile thunderbird-glxtest @{exec_path} { include include include + include @{exec_path} mr, From 3586e202baeb4e21fdee77acea63781837c494ca Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Sun, 13 Oct 2024 18:55:40 +0800 Subject: [PATCH 284/315] A fix for fwupdmgr --- apparmor.d/profiles-a-f/fwupdmgr | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 1ec9fe657..4d53fdf57 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -50,6 +50,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) { /dev/i2c-@{int} rw, /dev/tty rw, + /dev/pts/@{int} rw, profile bus flags=(attach_disconnected) { include From 247e84c9a96f561cf3767c81763e3be45b03b0df Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Sun, 13 Oct 2024 13:56:40 +0300 Subject: [PATCH 285/315] Vim; writing configuration files --- apparmor.d/groups/pacman/pacdiff | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/pacman/pacdiff b/apparmor.d/groups/pacman/pacdiff index e2a0f2609..64a813bf4 100644 --- a/apparmor.d/groups/pacman/pacdiff +++ b/apparmor.d/groups/pacman/pacdiff @@ -32,10 +32,14 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) { @{bin}/tput rix, @{bin}/vim rix, + owner @{HOME}/.viminfo{,.tmp} rw, + + owner @{user_cache_dirs}/vim/{,**} rw, + # packages files / r, /boot/{,**} r, - /etc/{,**} r, + /etc/{,**} rw, /opt/{,**} r, /srv/{,**} r, /usr/{,**} r, 
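Review bot: The added `/dev/pts/@{int} rw` is not restricted with `owner`, unlike the `owner @{att}/dev/pts/@{int} rw` form the attached/consoles abstraction uses later in this series, so when fwupdmgr is run with elevated privileges it may write to any user's pseudo-terminal. Since the rule exists so the tool can talk to its own controlling terminal, `owner /dev/pts/@{int} rw,` should be sufficient. The rest of the profile, including the `bus` child, lies outside this hunk.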
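Review bot: Changing `/etc/{,**} r` to `rw` gives pacdiff, and through the existing `@{bin}/vim rix` the interactive editor session, write access to every file under /etc rather than only the `.pacnew`/`.pacsave` targets it merges. The widening is plausible for a merge tool that runs as root, but the reason should be on the line, `/etc/{,**} rw, # merge .pacnew/.pacsave into their targets (vim inherits this)`, so a later reader does not mistake it for an over-grant. The new `.viminfo` rule is fine, though it will record the names of every edited system file in the user's home. The remaining read-only package paths continue outside the hunk.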
From 0dbc42e357ce447e6eb8585ee2699adecf37fb1b Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 14 Oct 2024 15:56:37 +0100 Subject: [PATCH 286/315] fix(profile): ensure abi3 compatibility with re-attached path. See #559, #558 #557 #555 --- apparmor.d/tunables/multiarch.d/system | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index be37123fd..defc53af4 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -154,5 +154,6 @@ # Attachment path for attach_disconnected.path flag. # Automatically generated and set in profile preamble on ABI4. Disabled on ABI3. @{att}=/ +alias // -> /, # vim:syntax=apparmor From 04e39a47899d3d23adec5630b70f8793c9d824b6 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 14 Oct 2024 16:09:19 +0100 Subject: [PATCH 287/315] feat(abs): update attached abstraction. --- apparmor.d/abstractions/attached/base | 2 +- apparmor.d/abstractions/attached/consoles | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/attached/base b/apparmor.d/abstractions/attached/base index 65c163317..33c422bb0 100644 --- a/apparmor.d/abstractions/attached/base +++ b/apparmor.d/abstractions/attached/base @@ -7,7 +7,7 @@ abi , - @{att}/apparmor/.null rw, + deny @{att}/apparmor/.null rw, include if exists diff --git a/apparmor.d/abstractions/attached/consoles b/apparmor.d/abstractions/attached/consoles index 6959bc407..bf76e4a43 100644 --- a/apparmor.d/abstractions/attached/consoles +++ b/apparmor.d/abstractions/attached/consoles @@ -5,8 +5,8 @@ abi , + @{att}/dev/tty@{int} rw, owner @{att}/dev/pts/@{int} rw, - owner @{att}/dev/tty@{int} rw, include if exists From 48751f75b2ba10697053832cc41069f827307d84 Mon Sep 17 00:00:00 2001 
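Review bot: Dropping `owner` from the tty rule lets every profile that includes this abstraction read and write any virtual console, including one handed to another logged-in user's session, while the pts line directly below keeps `owner`; the commit message gives no reason for the asymmetry. If a particular attached daemon needs a console it does not own, granting that in its own profile and keeping `owner @{att}/dev/tty@{int} rw,` here is the safer shape; otherwise a comment stating why VTs are treated differently from ptys is needed.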
From: Alexandre Pujol Date: Mon, 14 Oct 2024 19:20:02 +0100 Subject: [PATCH 288/315] feat(profile): update kde profiles. --- apparmor.d/abstractions/kde-strict | 2 +- apparmor.d/groups/kde/baloo | 3 +++ apparmor.d/groups/kde/gmenudbusmenuproxy | 1 + apparmor.d/groups/kde/kconf_update | 3 +++ apparmor.d/groups/kde/kded | 27 ++++++------------------ apparmor.d/groups/kde/kwin_wayland | 22 ++++++++++++++++++- apparmor.d/groups/kde/plasmashell | 1 + apparmor.d/groups/kde/sddm-greeter | 2 +- apparmor.d/groups/kde/startplasma | 1 + apparmor.d/groups/kde/xembedsniproxy | 1 + 10 files changed, 39 insertions(+), 24 deletions(-) diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index 490cf48a1..d85e58422 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict @@ -27,7 +27,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??_* rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??[_-]*.@{rand6} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, diff --git a/apparmor.d/groups/kde/baloo b/apparmor.d/groups/kde/baloo index aa67ba5f5..5a4f480a1 100644 --- a/apparmor.d/groups/kde/baloo +++ b/apparmor.d/groups/kde/baloo @@ -34,6 +34,8 @@ profile baloo @{exec_path} { owner @{MOUNTS}/{,**} r, owner @{tmp}/*/{,**} r, + owner @{user_cache_dirs}/kcrash-metadata/ w, + owner @{user_config_dirs}/#@{int} rw, owner @{user_config_dirs}/baloofilerc rwl, owner @{user_config_dirs}/baloofilerc.lock rwkl, @@ -60,6 +62,7 @@ profile baloo @{exec_path} { @{run}/udev/data/c29:@{int} r, # For /dev/fb[0-9]* @{run}/udev/data/c89:@{int} r, # For I2C bus interface @{run}/udev/data/c116:@{int} r, # For ALSA + @{run}/udev/data/c202:@{int} r, # CPU model-specific registers @{run}/udev/data/c226:@{int} r, # For /dev/dri/card[0-9]* @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511 
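Review bot: The tightened pattern `ksycoca{5,6}_??[_-]*.@{rand6}` now requires a `.@{rand6}` suffix, so the final database name without one, which the old `ksycoca{5,6}_??_*` also covered, no longer matches; if the cache is written to a temporary name and then renamed into place, the rename target and every later read of the final file need a rule elsewhere. If that coverage exists in another abstraction, a comment pointing to it would make this line safe to touch; if not, keep the un-suffixed form as well, e.g. `owner @{user_cache_dirs}/ksycoca{5,6}_??[_-]* rwl,`. The surrounding abstraction body is outside the hunk.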
diff --git a/apparmor.d/groups/kde/gmenudbusmenuproxy b/apparmor.d/groups/kde/gmenudbusmenuproxy index 1d85b3a6b..d9879941b 100644 --- a/apparmor.d/groups/kde/gmenudbusmenuproxy +++ b/apparmor.d/groups/kde/gmenudbusmenuproxy @@ -9,6 +9,7 @@ include @{exec_path} = @{bin}/gmenudbusmenuproxy profile gmenudbusmenuproxy @{exec_path} { include + include include include include diff --git a/apparmor.d/groups/kde/kconf_update b/apparmor.d/groups/kde/kconf_update index d699f9d59..e152325ed 100644 --- a/apparmor.d/groups/kde/kconf_update +++ b/apparmor.d/groups/kde/kconf_update @@ -44,12 +44,15 @@ profile kconf_update @{exec_path} { /etc/machine-id r, /var/lib/dbus/machine-id r, + owner @{HOME}/.gtkrc-@{version} w, + owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/*rc.lock rwk, owner @{user_config_dirs}/gtk-{3,4}.0/* rwlk -> @{user_config_dirs}/gtk-{3,4}.0/**, owner @{user_config_dirs}/sed@{rand6} rw, owner @{user_config_dirs}/xsettingsd/xsettingsd.conf rw, + owner @{user_config_dirs}/kcmfonts.lock rwk, owner @{user_share_dirs}/#@{int} rw, owner @{user_share_dirs}/krunnerstaterc.lock rwk, diff --git a/apparmor.d/groups/kde/kded b/apparmor.d/groups/kde/kded index c14ba7e98..0ff08d02f 100644 --- a/apparmor.d/groups/kde/kded +++ b/apparmor.d/groups/kde/kded 
@@ -93,34 +93,16 @@ profile kded @{exec_path} { @{user_config_dirs}/kcookiejarrc.lock rwk, @{user_config_dirs}/kcookiejarrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/bluedevilglobalrc.lock rwk, - owner @{user_config_dirs}/bluedevilglobalrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/breezerc r, + owner @{user_config_dirs}/*rc rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, + owner @{user_config_dirs}/*rc.lock rwk, owner @{user_config_dirs}/gtk-{3,4}.0/{,**} rwl, owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini.lock rk, - owner @{user_config_dirs}/gtkrc{,*} rwlk, - owner @{user_config_dirs}/kconf_updaterc rw, - owner @{user_config_dirs}/kconf_updaterc.lock rwk, - owner @{user_config_dirs}/kdebugrc r, - owner @{user_config_dirs}/kded{5,6}rc.lock rwk, - owner @{user_config_dirs}/kded{5,6}rc{,.@{rand6}} rwl, owner @{user_config_dirs}/kdedefaults/{,**} r, - owner @{user_config_dirs}/khotkeysrc.lock rwk, - owner @{user_config_dirs}/khotkeysrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kioslaverc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/ksmserverrc r, - owner @{user_config_dirs}/ktimezonedrc.lock rwk, - owner @{user_config_dirs}/ktimezonedrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kwalletrc r, - owner @{user_config_dirs}/kwinrc.lock rwk, - owner @{user_config_dirs}/kwinrc{,.@{rand6}} rwl -> @{user_config_dirs}/#@{int}, - owner @{user_config_dirs}/kxkbrc r, owner @{user_config_dirs}/libaccounts-glib/ rw, owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal,-journal} rwk, owner @{user_config_dirs}/menus/{,**} r, - owner @{user_config_dirs}/networkmanagement.notifyrc r, owner @{user_config_dirs}/plasma* r, - owner @{user_config_dirs}/touchpadrc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner 
@{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, owner @{user_config_dirs}/xsettingsd/{,**} rw, @@ -137,6 +119,9 @@ profile kded @{exec_path} { owner @{user_share_dirs}/services5/{,**} r, owner @{user_share_dirs}/user-places.xbel r, + owner @{user_state_dirs}/#@{int} rw, + owner @{user_state_dirs}/plasmashellstaterc{,*} rwlk, + @{run}/mount/utab r, @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** @{run}/user/@{uid}/gvfs/ r, diff --git a/apparmor.d/groups/kde/kwin_wayland b/apparmor.d/groups/kde/kwin_wayland index 9922eff98..c02f3f87a 100644 --- a/apparmor.d/groups/kde/kwin_wayland +++ b/apparmor.d/groups/kde/kwin_wayland @@ -29,6 +29,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{exec_path} mr, + /etc/xdg/Xwayland-session.d/00-at-spi Cx -> at-spi, #aa:exec kscreenlocker_greet /usr/share/color-schemes/*.colors r, @@ -47,6 +48,7 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { /etc/xdg/menus/{,applications.menu} r, /etc/xdg/menus/applications-merged/ r, /etc/xdg/plasmarc r, + /etc/xdg/Xwayland-session.d/{,*} r, /etc/machine-id r, /var/lib/dbus/machine-id r, @@ -127,10 +129,28 @@ profile kwin_wayland @{exec_path} flags=(attach_disconnected mediate_deleted) { @{PROC}/@{pid}/task/@{tid}/comm rw, - /dev/input/event@{int} rw, + @{att}/dev/input/event@{int} rw, + @{att}/dev/dri/card@{int} rw, + /dev/tty r, /dev/tty@{int} rw, + profile at-spi { + include + + @{sh_path} r, + @{bin}/busctl rix, + @{bin}/sed rix, + @{bin}/xprop rPx, + + /etc/xdg/Xwayland-session.d/00-at-spi r, + + /home/ r, + owner @{HOME}/ r, + + include if exists + } + include if exists } diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index a7bde918e..0d8a5d8cb 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell 
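Review bot: Collapsing the per-file list into `owner @{user_config_dirs}/*rc rwl` (plus the `.@{rand6}` and `.lock` variants) upgrades files kded previously had read-only — `kwalletrc`, `breezerc`, `kdebugrc`, `ksmserverrc`, `kxkbrc`, `touchpadrc` — to read-write, and extends write access to every other `*rc` in the config directory. If kded genuinely needs to write the first group, that should be stated in a comment on the glob; if not, `deny owner @{user_config_dirs}/kwalletrc w,` (and similar for the others) keeps the old boundary for the wallet configuration, since deny rules win over the glob. The hunk ends mid-profile; the remaining rules are in the next hunk.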
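Review bot: The `Cx -> at-spi` transition covers only `00-at-spi`, while the same hunk grants read on the whole `/etc/xdg/Xwayland-session.d/` directory, so any other drop-in script a distribution places there will be read but denied at exec; that is a reasonable default but should be said on the line, e.g. `# only the at-spi hook may run; other session.d scripts are denied by design`. Inside the `at-spi` child, `/home/ r` and `owner @{HOME}/ r` deserve a word on why a script that only calls busctl, sed and xprop lists home directories. The switch to `@{att}/dev/input/event@{int} rw` is still not owner-restricted, which is expected for a compositor but worth a comment now that the prefix changed.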
@@ -76,6 +76,7 @@ profile plasmashell @{exec_path} flags=(mediate_deleted) { /usr/share/solid/actions/{,**} r, /usr/share/swcatalog/{,**} r, /usr/share/templates/{,*.desktop} r, + /usr/share/thumbnailers/{,*} r, /usr/share/wallpapers/{,**} r, /etc/appstream.conf r, diff --git a/apparmor.d/groups/kde/sddm-greeter b/apparmor.d/groups/kde/sddm-greeter index 54284f03a..f2c133cec 100644 --- a/apparmor.d/groups/kde/sddm-greeter +++ b/apparmor.d/groups/kde/sddm-greeter @@ -14,7 +14,7 @@ profile sddm-greeter @{exec_path} { include include include - include + include include include include diff --git a/apparmor.d/groups/kde/startplasma b/apparmor.d/groups/kde/startplasma index e78464253..f10e80d7f 100644 --- a/apparmor.d/groups/kde/startplasma +++ b/apparmor.d/groups/kde/startplasma @@ -62,6 +62,7 @@ profile startplasma @{exec_path} { owner @{user_config_dirs}/startkderc r, owner @{user_config_dirs}/Trolltech.conf.lock rwk, owner @{user_config_dirs}/Trolltech.conf{,.@{rand6}} rwl, + owner link @{user_config_dirs}/kdeglobals -> @{user_config_dirs}/#@{int}, owner @{user_share_dirs}/color-schemes/{,**} r, owner @{user_share_dirs}/kservices{5,6}/{,**} r, diff --git a/apparmor.d/groups/kde/xembedsniproxy b/apparmor.d/groups/kde/xembedsniproxy index dc6b215f2..969a82f6c 100644 --- a/apparmor.d/groups/kde/xembedsniproxy +++ b/apparmor.d/groups/kde/xembedsniproxy @@ -10,6 +10,7 @@ include profile xembedsniproxy @{exec_path} { include include + include include include From 185dc96d456769a4b69abb44f4c6703277c48384 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 14 Oct 2024 19:32:48 +0100 Subject: [PATCH 289/315] feat(profile): general update. --- apparmor.d/abstractions/audio-client | 1 + apparmor.d/abstractions/common/electron | 1 + apparmor.d/abstractions/desktop | 2 + apparmor.d/abstractions/disks-read | 2 +- apparmor.d/abstractions/disks-write | 2 +- apparmor.d/abstractions/graphics | 2 +- apparmor.d/abstractions/gstreamer | 2 + apparmor.d/groups/_full/default | 2 +- apparmor.d/groups/browsers/chrome | 2 +- apparmor.d/groups/browsers/chromium | 2 +- apparmor.d/groups/browsers/chromium-wrapper | 2 +- apparmor.d/groups/browsers/epiphany | 3 + .../groups/children/child-modprobe-nvidia | 1 + .../freedesktop/update-desktop-database | 1 + .../freedesktop/xdg-desktop-portal-gnome | 1 + .../groups/freedesktop/xdg-document-portal | 2 +- apparmor.d/groups/freedesktop/xdg-open | 2 + apparmor.d/groups/freedesktop/xkbcomp | 6 +- apparmor.d/groups/freedesktop/xorg | 1 + apparmor.d/groups/pacman/makepkg | 6 + apparmor.d/groups/pacman/pacman-hook-systemd | 3 +- apparmor.d/groups/pacman/yay | 4 + apparmor.d/groups/systemd/systemd-journald | 2 +- apparmor.d/groups/systemd/systemd-resolved | 2 +- apparmor.d/groups/virt/dockerd | 7 +- .../profiles-a-f/cc-remote-login-helper | 1 + apparmor.d/profiles-a-f/file-roller | 12 +- apparmor.d/profiles-a-f/flatpak | 2 + apparmor.d/profiles-g-l/haveged | 2 +- apparmor.d/profiles-g-l/hbbr | 3 +- apparmor.d/profiles-g-l/hbbs | 3 +- apparmor.d/profiles-g-l/issue-generator | 3 + apparmor.d/profiles-m-r/rustdesk | 131 +++++++++--------- apparmor.d/profiles-m-r/rustdesk-utils | 3 +- apparmor.d/profiles-s-z/sanoid | 15 +- apparmor.d/profiles-s-z/snapshot | 5 +- apparmor.d/profiles-s-z/spotify | 2 +- apparmor.d/profiles-s-z/sslocal | 3 +- apparmor.d/profiles-s-z/ssmanager | 3 +- apparmor.d/profiles-s-z/ssserver | 3 +- apparmor.d/profiles-s-z/ssservice | 3 +- apparmor.d/profiles-s-z/ssurl | 3 +- apparmor.d/profiles-s-z/steam | 3 + apparmor.d/profiles-s-z/steam-game-proton | 
13 +- .../profiles-s-z/steam-runtime-steam-remote | 2 +- apparmor.d/profiles-s-z/thermald | 2 +- apparmor.d/profiles-s-z/thunderbird | 2 + apparmor.d/profiles-s-z/vesktop | 5 + 48 files changed, 165 insertions(+), 120 deletions(-) diff --git a/apparmor.d/abstractions/audio-client b/apparmor.d/abstractions/audio-client index 45028f488..d847c732c 100644 --- a/apparmor.d/abstractions/audio-client +++ b/apparmor.d/abstractions/audio-client @@ -47,6 +47,7 @@ owner @{user_config_dirs}/pipewire/client.conf r, owner @{user_share_dirs}/openal/hrtf/{,**} r, + owner @{user_share_dirs}/sounds/ r, owner @{user_share_dirs}/sounds/__custom/index.theme r, owner @{run}/user/@{uid}/pipewire-@{int} rw, diff --git a/apparmor.d/abstractions/common/electron b/apparmor.d/abstractions/common/electron index 7bfae1ffa..171815256 100644 --- a/apparmor.d/abstractions/common/electron +++ b/apparmor.d/abstractions/common/electron @@ -28,6 +28,7 @@ capability sys_chroot, capability sys_ptrace, + @{bin}/electron rix, @{bin}/electron@{int} rix, @{lib}/electron@{int}/{,**} r, @{lib}/electron@{int}/electron rix, diff --git a/apparmor.d/abstractions/desktop b/apparmor.d/abstractions/desktop index a9a3665d2..19ffe647e 100644 --- a/apparmor.d/abstractions/desktop +++ b/apparmor.d/abstractions/desktop @@ -33,6 +33,8 @@ /var/cache/gio-@{version}/gnome-mimeapps.list r, + / r, # deny? + owner @{user_share_dirs}/gnome-shell/session.gvdb rw, # else if @{DE} == kde diff --git a/apparmor.d/abstractions/disks-read b/apparmor.d/abstractions/disks-read index 10cf0c90b..bf46eea1a 100644 --- a/apparmor.d/abstractions/disks-read +++ b/apparmor.d/abstractions/disks-read @@ -90,7 +90,7 @@ @{run}/udev/data/b230:@{int} r, # for /dev/zvol* @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 @{run}/udev/data/b25[0-4]:@{int} r, - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** 
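Review bot: `/ r, # deny?` ships an unresolved question into an abstraction that every desktop application includes; listing the root directory is low impact, but the comment should be settled before release rather than left as a guess. Either record which application needed it, e.g. `/ r, # <app> enumerates / on startup`, or, if the goal is only to silence audit noise, make it `deny / r,` so the decision is explicit.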
diff --git a/apparmor.d/abstractions/disks-write b/apparmor.d/abstractions/disks-write index bd34a6f42..844a4fbeb 100644 --- a/apparmor.d/abstractions/disks-write +++ b/apparmor.d/abstractions/disks-write @@ -90,7 +90,7 @@ @{run}/udev/data/b230:@{int} r, # for /dev/zvol* @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254 @{run}/udev/data/b25[0-4]:@{int} r, - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c189:@{int} r, # for /dev/bus/usb/** diff --git a/apparmor.d/abstractions/graphics b/apparmor.d/abstractions/graphics index 101fe1b45..37f6be70e 100644 --- a/apparmor.d/abstractions/graphics +++ b/apparmor.d/abstractions/graphics @@ -9,7 +9,7 @@ include include - /etc/igfx_user_feature{,_next}.txt w, + /etc/igfx_user_feature{,_next,_report}.txt w, /etc/libva.conf r, @{sys}/bus/pci/devices/ r, diff --git a/apparmor.d/abstractions/gstreamer b/apparmor.d/abstractions/gstreamer index b9f1cbadd..c7827b599 100644 --- a/apparmor.d/abstractions/gstreamer +++ b/apparmor.d/abstractions/gstreamer @@ -14,6 +14,8 @@ @{lib}/@{multiarch}/gstreamer-1.0/gst-plugin-scanner rix, @{lib}/gstreamer-1.0/gst-plugin-scanner rix, + /usr/share/gstreamer-1.0/presets/Gst*Enc.prs r, + /etc/openni2/OpenNI.ini r, /tmp/ r, diff --git a/apparmor.d/groups/_full/default b/apparmor.d/groups/_full/default index d3fd26682..acdfc0bff 100644 --- a/apparmor.d/groups/_full/default +++ b/apparmor.d/groups/_full/default @@ -34,7 +34,7 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink dgram, network netlink raw, - signal (receive) set=(hup), + signal receive set=hup, @{bin}/bwrap rPx -> bwrap, @{bin}/pipewire-pulse rPx -> systemd//&pipewire-pulse, diff --git a/apparmor.d/groups/browsers/chrome b/apparmor.d/groups/browsers/chrome index 5b4738408..9c11f0a4a 100644 --- a/apparmor.d/groups/browsers/chrome +++ b/apparmor.d/groups/browsers/chrome 
@@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/google-@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chrome @{exec_path} { +profile chrome @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/browsers/chromium b/apparmor.d/groups/browsers/chromium index 04fa2c756..658dee398 100644 --- a/apparmor.d/groups/browsers/chromium +++ b/apparmor.d/groups/browsers/chromium @@ -14,7 +14,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{lib_dirs}/@{name} -profile chromium @{exec_path} { +profile chromium @{exec_path} flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/browsers/chromium-wrapper b/apparmor.d/groups/browsers/chromium-wrapper index 40a775dba..dea35ae1a 100644 --- a/apparmor.d/groups/browsers/chromium-wrapper +++ b/apparmor.d/groups/browsers/chromium-wrapper @@ -8,7 +8,7 @@ abi , include @{exec_path} = @{bin}/chromium -profile chromium-wrapper @{exec_path} { +profile chromium-wrapper @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/groups/browsers/epiphany b/apparmor.d/groups/browsers/epiphany index dd01a36a8..98f21f472 100644 --- a/apparmor.d/groups/browsers/epiphany +++ b/apparmor.d/groups/browsers/epiphany @@ -38,12 +38,15 @@ profile epiphany @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-dbus-proxy rix, @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKit{Web,Network}Process rix, + /usr/share/enchant*/{,**} r, + owner /bindfile@{rand6} rw, owner @{att}/.flatpak-info r, owner @{user_config_dirs}/glib-2.0/ w, owner @{user_config_dirs}/glib-2.0/settings/ w, + owner @{tmp}/ContentRuleList@{rand6} rw, owner @{tmp}/epiphany-*-@{rand6}/{,**} rw, owner @{tmp}/Serialized@{rand9} rw, owner @{tmp}/WebKit-Media-@{rand6} rw, diff --git a/apparmor.d/groups/children/child-modprobe-nvidia b/apparmor.d/groups/children/child-modprobe-nvidia index 15b9c2d9d..315a5bf07 100644 --- a/apparmor.d/groups/children/child-modprobe-nvidia 
+++ b/apparmor.d/groups/children/child-modprobe-nvidia @@ -19,6 +19,7 @@ include @{exec_path} = @{bin}/nvidia-modprobe profile child-modprobe-nvidia flags=(attach_disconnected) { include + include include capability chown, diff --git a/apparmor.d/groups/freedesktop/update-desktop-database b/apparmor.d/groups/freedesktop/update-desktop-database index 19aa4079a..ebf0ad6a3 100644 --- a/apparmor.d/groups/freedesktop/update-desktop-database +++ b/apparmor.d/groups/freedesktop/update-desktop-database @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/update-desktop-database profile update-desktop-database @{exec_path} flags=(attach_disconnected) { include + include include include diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 944bbc205..e9bdfde1f 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -48,6 +48,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) { owner @{desktop_cache_dirs}/dconf/user r, owner @{desktop_cache_dirs}/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw, + owner @{desktop_config_dirs}/dconf/user r, owner @{DESKTOP_HOME}/greeter-dconf-defaults r, owner @{HOME}/ r, diff --git a/apparmor.d/groups/freedesktop/xdg-document-portal b/apparmor.d/groups/freedesktop/xdg-document-portal index e9f63dc57..a5e27c7d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-document-portal +++ b/apparmor.d/groups/freedesktop/xdg-document-portal @@ -57,7 +57,7 @@ profile xdg-document-portal @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/fd/ r, - /dev/fuse rw, + /dev/fuse rw, profile fusermount flags=(attach_disconnected) { include diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 8e90bc423..3cf4066b5 100644 --- a/apparmor.d/groups/freedesktop/xdg-open 
+++ b/apparmor.d/groups/freedesktop/xdg-open @@ -35,6 +35,8 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { @{bin}/xdg-mime Px, @{open_path} Px -> child-open-any, + @{PROC}/version r, + profile bus { include include diff --git a/apparmor.d/groups/freedesktop/xkbcomp b/apparmor.d/groups/freedesktop/xkbcomp index 9ebecf6f7..dde1fe8c1 100644 --- a/apparmor.d/groups/freedesktop/xkbcomp +++ b/apparmor.d/groups/freedesktop/xkbcomp @@ -11,6 +11,7 @@ include profile xkbcomp @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -29,6 +30,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/xorg/Xorg.@{int}.log w, /var/lib/{gdm{3,},sddm}/.local/share/xorg/Xorg.@{int}.log w, + /var/log/Xorg.@{int}.log w, owner /var/log/lightdm/x-@{int}.log w, owner @{run}/user/@{uid}/server-@{int}.xkm rwk, @@ -38,9 +40,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) { /dev/dri/card@{int} rw, /dev/fb@{int} rw, /dev/tty rw, - - deny /dev/input/event@{int} rw, - deny /var/log/Xorg.@{int}.log w, + /dev/input/event@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xorg b/apparmor.d/groups/freedesktop/xorg index dce42dc85..0f23d583c 100644 --- a/apparmor.d/groups/freedesktop/xorg +++ b/apparmor.d/groups/freedesktop/xorg @@ -134,6 +134,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) { /dev/shm/shmfd-* rw, /dev/tty rw, /dev/tty@{int} rw, + /dev/udmabuf rw, /dev/vga_arbiter rw, # Graphic card modules profile pkexec { diff --git a/apparmor.d/groups/pacman/makepkg b/apparmor.d/groups/pacman/makepkg index 12ead7ce8..6f4672f99 100644 --- a/apparmor.d/groups/pacman/makepkg +++ b/apparmor.d/groups/pacman/makepkg @@ -10,6 +10,12 @@ include profile makepkg @{exec_path} { include include + include + include + include + include + include + include network inet stream, network inet6 stream, 
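Review bot: Replacing `deny /dev/input/event@{int} rw` with an allow gives a keymap compiler read/write access to every raw input device, i.e. the ability to read keystrokes, and `/var/log/Xorg.@{int}.log w` likewise becomes writable without `owner`. If these are needed only because Xorg passes its already-open descriptors to xkbcomp on exec (where a deny would revoke them), say so on the lines, e.g. `/dev/input/event@{int} rw, # fds inherited from xorg, never opened here — confirm`, so nobody later widens on this precedent. If xkbcomp does not actually keep those descriptors, the previous `deny` rules were the safer way to keep the log quiet.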
diff --git a/apparmor.d/groups/pacman/pacman-hook-systemd b/apparmor.d/groups/pacman/pacman-hook-systemd index 3a4bd0eb3..2c32024a2 100644 --- a/apparmor.d/groups/pacman/pacman-hook-systemd +++ b/apparmor.d/groups/pacman/pacman-hook-systemd @@ -15,13 +15,14 @@ profile pacman-hook-systemd @{exec_path} { @{exec_path} mr, - @{bin}/bash rix, + @{sh_path} rix, @{bin}/touch rix, @{bin}/journalctl rPx, @{bin}/systemctl rCx -> systemctl, @{bin}/systemd-detect-virt rPx, @{bin}/systemd-hwdb rPx, + @{bin}/systemd-notify rPx, @{bin}/systemd-sysusers rPx, @{bin}/systemd-tmpfiles rPx, @{bin}/udevadm rPx, diff --git a/apparmor.d/groups/pacman/yay b/apparmor.d/groups/pacman/yay index c737d4caa..e101fc06f 100644 --- a/apparmor.d/groups/pacman/yay +++ b/apparmor.d/groups/pacman/yay @@ -55,6 +55,10 @@ profile yay @{exec_path} { /usr/share/git{,-core}/{,**} r, + owner @{user_build_dirs}/**/.git/** r, + owner @{user_pkg_dirs}/**/.git/** r, + owner @{user_projects_dirs}/**/.git/** r, + owner @{HOME}/.gitconfig r, owner @{user_cache_dirs}/yay/ rw, owner @{user_cache_dirs}/yay/** rwlk -> @{user_cache_dirs}/yay/**, diff --git a/apparmor.d/groups/systemd/systemd-journald b/apparmor.d/groups/systemd/systemd-journald index a50ed62e3..4f95bed40 100644 --- a/apparmor.d/groups/systemd/systemd-journald +++ b/apparmor.d/groups/systemd/systemd-journald @@ -61,7 +61,7 @@ profile systemd-journald @{exec_path} { @{run}/udev/data/+usb:* r, @{run}/udev/data/+virtio:* r, @{run}/udev/data/b254:@{int} r, # for /dev/zram* - @{run}/udev/data/b259:@{int} r, + @{run}/udev/data/b259:@{int} r, # Block Extended Major @{run}/udev/data/c1:@{int} r, # For RAM disk @{run}/udev/data/c4:@{int} r, # For TTY devices @{run}/udev/data/c10:@{int} r, # For non-serial mice, misc features diff --git a/apparmor.d/groups/systemd/systemd-resolved b/apparmor.d/groups/systemd/systemd-resolved index 9b6bfdd94..4f9f965f5 100644 --- a/apparmor.d/groups/systemd/systemd-resolved +++ b/apparmor.d/groups/systemd/systemd-resolved 
@@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-3.0-only +# SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd index cfbd2d7b9..2ea35f7b9 100644 --- a/apparmor.d/groups/virt/dockerd +++ b/apparmor.d/groups/virt/dockerd @@ -45,15 +45,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) { mount options=(rw rslave) -> /, remount /tmp/containerd-mount@{int10}/, - remount /var/lib/docker/tmp/buildkit-mount@{int10}/, + remount /var/lib/docker/**/, umount /.pivot_root@{int}/, umount /run/docker/netns/*, umount /tmp/containerd-mount@{int}/, - umount /var/lib/docker/buildkit/**/, - umount /var/lib/docker/rootfs/**/, - umount /var/lib/docker/overlay*/**/, - umount /var/lib/docker/tmp/buildkit-mount@{int}/, + umount /var/lib/docker/**/, pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/ /var/lib/docker/overlay2/**/, pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/, diff --git a/apparmor.d/profiles-a-f/cc-remote-login-helper b/apparmor.d/profiles-a-f/cc-remote-login-helper index cefc60f6d..d8128da74 100644 --- a/apparmor.d/profiles-a-f/cc-remote-login-helper +++ b/apparmor.d/profiles-a-f/cc-remote-login-helper @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 1ea3b8e73..0c5a18e83 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -11,10 +11,8 @@ profile file-roller @{exec_path} { include include include + include include - include - include - include #aa:dbus own bus=session name=org.gnome.ArchiveManager1 #aa:dbus own bus=session name=org.gnome.FileRoller 
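Review bot: `remount /var/lib/docker/**/` and `umount /var/lib/docker/**/` replace four narrowly scoped paths with the whole docker data directory, and the remount carries no `options=` constraint, so any flag change on any mount under it is now permitted. dockerd is privileged either way, but a comment recording which mount points motivated the widening (buildkit, overlay2, rootfs) would keep the rule auditable, and if only a known set of flags is used, `remount options=(...) /var/lib/docker/**/,` is the tighter form. The `pivot_root` rules that follow are unchanged.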
@@ -23,6 +21,9 @@ profile file-roller @{exec_path} { @{open_path} rPx -> child-open-help, + @{bin}/mv rix, + @{bin}/rm rix, + # Archivers @{bin}/7z rix, @{bin}/7zz rix, @@ -38,6 +39,11 @@ profile file-roller @{exec_path} { @{bin}/zstd rix, @{lib}/p7zip/7z rix, + # Full access to user's data + @{MOUNTS}/** rw, + owner @{HOME}/** rw, + owner @{tmp}/** rw, + @{run}/mount/utab r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak index b38a03537..96d78b800 100644 --- a/apparmor.d/profiles-a-f/flatpak +++ b/apparmor.d/profiles-a-f/flatpak @@ -62,6 +62,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain owner @{HOME}/.var/ w, owner @{HOME}/.var/app/{,**} rw, + owner @{user_documents_dirs}/ rw, + owner @{user_cache_dirs}/flatpak/{,**} rw, owner @{user_config_dirs}/pulse/client.conf r, owner @{user_config_dirs}/user-dirs.dirs r, diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged index e61b4404b..910e9a2f0 100644 --- a/apparmor.d/profiles-g-l/haveged +++ b/apparmor.d/profiles-g-l/haveged @@ -3,7 +3,7 @@ # Copyright (C) 2011-2014 Jérémy Bobbio ; # Copyright (C) 2020 krathalan https://git.sr.ht/~krathalan/apparmor-profiles/ # Copyright (C) 2021-2024 Alexandre Pujol -# SPDX-License-Identifier: GPL-3.0-only +# SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-g-l/hbbr b/apparmor.d/profiles-g-l/hbbr index 5257195f8..09b71b77f 100644 --- a/apparmor.d/profiles-g-l/hbbr +++ b/apparmor.d/profiles-g-l/hbbr @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}{,local/}bin/hbbr +@{exec_path} = @{bin}/hbbr profile hbbr @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/hbbs b/apparmor.d/profiles-g-l/hbbs index fd8aa3e74..4e7532724 100644 --- a/apparmor.d/profiles-g-l/hbbs +++ b/apparmor.d/profiles-g-l/hbbs 
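Review bot: The new `# Full access to user's data` block in the second file-roller hunk grants `rw` on `@{MOUNTS}/**` without an `owner` qualifier and on all of `owner @{HOME}/**`, which includes the user's credential and shell-startup dotfiles, so the profile no longer provides any backstop if an extracted archive writes outside the directory the user chose. Keeping the broad grant but carving out the sensitive directories after it, e.g. `deny owner @{HOME}/.ssh/** w,` and `deny owner @{HOME}/.gnupg/** w,`, or a comment stating that write access there is intentional, would make the trade-off explicit. The `@{MOUNTS}/** rw` rule should probably also carry `owner`, matching the two lines beside it, unless non-owned mounts are a known use case. The enclosing `profile file-roller` block starts and ends outside the hunk.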
@@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}{,local/}bin/hbbs +@{exec_path} = @{bin}/hbbs profile hbbs @{exec_path} { include diff --git a/apparmor.d/profiles-g-l/issue-generator b/apparmor.d/profiles-g-l/issue-generator index d358f080b..6c6d61c44 100644 --- a/apparmor.d/profiles-g-l/issue-generator +++ b/apparmor.d/profiles-g-l/issue-generator @@ -16,14 +16,17 @@ profile issue-generator @{exec_path} { @{sh_path} r, @{bin}/basename rix, @{bin}/cat rix, + @{bin}/chmod rix, @{bin}/cmp rix, @{bin}/mktemp rix, + @{bin}/mv rix, @{bin}/rm rix, @{bin}/sort rix, /etc/issue.d/{,**} r, /etc/sysconfig/issue-generator r, + @{run}/agetty.reload w, @{run}/issue r, @{run}/issue.@{rand10} rw, @{run}/issue.d/{,**} r, diff --git a/apparmor.d/profiles-m-r/rustdesk b/apparmor.d/profiles-m-r/rustdesk index 7733730a6..004c29d64 100644 --- a/apparmor.d/profiles-m-r/rustdesk +++ b/apparmor.d/profiles-m-r/rustdesk @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -34,9 +35,9 @@ profile rustdesk @{exec_path} { @{bin}/curl rix, @{bin}/ls rix, - @{bin}/sudo rCx -> sudo, - @{bin}/python3.@{int} rPx -> rustdesk_python, - @{sh_path} rPx -> rustdesk_shell, + @{bin}/sudo rCx -> sudo, + @{bin}/python3.@{int} rCx -> python, + @{sh_path} rCx -> shell, /etc/gdm{,3}/custom.conf r, 
@@ -59,80 +60,72 @@ profile rustdesk @{exec_path} { profile sudo { include - include include + include @{bin}/rustdesk rPx, - @{bin}/python3.@{int} rPx -> rustdesk_python, + @{bin}/python3.@{int} rPx -> rustdesk//python, include if exists } + profile python { + include + include + + capability dac_read_search, + capability dac_override, + + @{bin}/python3.@{int} r, + + @{sh_path} rix, + @{bin}/chmod rix, + @{bin}/uname rPx, + /usr/share/rustdesk/files/pynput_service.py rix, + + /usr/share/[rR]ust[dD]esk/files/{,**} r, + /tmp/[rR]ust[dD]esk/ w, + /tmp/[rR]ust[dD]esk/pynput_service rw, + + @{run}/user/@{uid}/gdm{,3}/Xauthority r, + + owner @{PROC}/@{pid}/fd/ r, + + # X-tiny + /tmp/.X11-unix/* rw, + owner @{HOME}/.xsession-errors w, + owner @{HOME}/.Xauthority r, + + include if exists + } + + profile shell { + include + + capability dac_override, + capability dac_read_search, + capability sys_ptrace, + + ptrace read, + + @{sh_path} r, + + @{bin}/tr rix, + @{bin}/{,e}grep rix, + @{bin}/tail rix, + @{bin}/xargs rix, + @{bin}/sed rix, + @{bin}/cat rix, + + @{bin}/ps rPx, + + @{PROC}/@{pid}/environ r, + owner @{PROC}/@{pid}/fd/ r, + + include if exists + } + include if exists } -profile rustdesk_pynput_service /usr/share/rustdesk/files/pynput_service.py { - include - - @{exec_path} r, - - include if exists -} - -profile rustdesk_python { - include - include - - capability dac_read_search, - capability dac_override, - - @{bin}/python3.@{int} r, - - @{sh_path} rix, - @{bin}/chmod rix, - @{bin}/uname rPx, - /usr/share/rustdesk/files/pynput_service.py rPx, - - /usr/share/[rR]ust[dD]esk/files/{,**} r, - /tmp/[rR]ust[dD]esk/ w, - /tmp/[rR]ust[dD]esk/pynput_service rw, - - @{run}/user/@{uid}/gdm{,3}/Xauthority r, - - owner @{PROC}/@{pid}/fd/ r, - - # X-tiny - /tmp/.X11-unix/* rw, - owner @{HOME}/.xsession-errors w, - owner @{HOME}/.Xauthority r, - - include if exists -} - -profile rustdesk_shell { - include - - capability sys_ptrace, - capability dac_read_search, - deny 
capability dac_override, - - ptrace (read), - - @{sh_path} r, - - @{bin}/tr rix, - @{bin}/{,e}grep rix, - @{bin}/tail rix, - @{bin}/xargs rix, - @{bin}/sed rix, - @{bin}/cat rix, - - @{bin}/ps rPx, - - owner @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/environ r, - - include if exists -} - # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/rustdesk-utils b/apparmor.d/profiles-m-r/rustdesk-utils index d52e2b709..fc0c7d9bd 100644 --- a/apparmor.d/profiles-m-r/rustdesk-utils +++ b/apparmor.d/profiles-m-r/rustdesk-utils @@ -1,11 +1,12 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include -@{exec_path} = /{,usr/}{,local/}bin/rustdesk-utils +@{exec_path} = @{bin}/rustdesk-utils profile rustdesk-utils @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/sanoid b/apparmor.d/profiles-s-z/sanoid index e9a8f8818..04ee747bf 100644 --- a/apparmor.d/profiles-s-z/sanoid +++ b/apparmor.d/profiles-s-z/sanoid @@ -6,26 +6,25 @@ abi , include -@{exec_path} = /{usr/,}{local/,}{s,}bin/sanoid +@{exec_path} = @{bin}/sanoid profile sanoid @{exec_path} flags=(complain) { include include - @{exec_path} mr, + @{exec_path} mr, @{sh_path} rix, @{bin}/perl rix, @{bin}/ps rPx, - /{usr/,}{local/,}{s,}bin/zfs rPx, + @{bin}/zfs rPx, - /etc/sanoid/{*,} r, + /usr/share/sanoid/{,**} r, - /var/cache/sanoid/snapshots.txt rw, + /etc/sanoid/{,*} r, - /usr/share/sanoid/{**,} r, + /var/cache/sanoid/{,**} rw, @{run}/sanoid/ rw, - @{run}/sanoid/sanoid_cacheupdate.lock rwk, - @{run}/sanoid/sanoid_pruning.lock rwk, + @{run}/sanoid/** rwk, include if exists } diff --git a/apparmor.d/profiles-s-z/snapshot b/apparmor.d/profiles-s-z/snapshot index 9c5d5b9d6..91ca7cd69 100644 --- a/apparmor.d/profiles-s-z/snapshot +++ b/apparmor.d/profiles-s-z/snapshot 
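Review bot: The new `shell` child profile grants `capability dac_override,` where the removed `rustdesk_shell` profile carried an explicit `deny capability dac_override,`, and neither the hunk nor the commit message explains the flip; the same child keeps `capability sys_ptrace`, an unrestricted `ptrace read` and `@{PROC}/@{pid}/environ r` from the old profile, so dropping the deny widens what a shell helper spawned by rustdesk can reach on the host. If the override is genuinely required, a one-line comment above it such as `# dac_override: <operation that fails without it>` would let the next reader verify it, otherwise the `deny` should be restored. `ptrace read` could likely be narrowed with a `peer=` qualifier once the inspected processes are known. The enclosing `profile rustdesk` block starts outside the hunk.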
@@ -8,12 +8,13 @@ abi , include @{exec_path} = @{bin}/snapshot -profile snapshot @{exec_path} { +profile snapshot @{exec_path} flags=(attach_disconnected) { include include include include include + include @{exec_path} mr, @@ -22,6 +23,8 @@ profile snapshot @{exec_path} { owner @{user_pictures_dirs}/Camera/{,**} rw, owner @{user_videos_dirs}/Camera/{,**} rw, + @{sys}/devices/virtual/dmi/id/bios_vendor r, + include if exists } diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index 4bc0cb4be..8ccbbf0f1 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -13,7 +13,7 @@ include @{cache_dirs} = @{user_cache_dirs}/@{name} @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name} -profile spotify @{exec_path} { +profile spotify @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-s-z/sslocal b/apparmor.d/profiles-s-z/sslocal index 0c46e5581..b71c97f55 100644 --- a/apparmor.d/profiles-s-z/sslocal +++ b/apparmor.d/profiles-s-z/sslocal @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/sslocal +@{exec_path} = @{bin}/sslocal profile sslocal @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssmanager b/apparmor.d/profiles-s-z/ssmanager index 7e6fb0906..6165d433b 100644 --- a/apparmor.d/profiles-s-z/ssmanager +++ b/apparmor.d/profiles-s-z/ssmanager @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssmanager +@{exec_path} = @{bin}/ssmanager profile ssmanager @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssserver b/apparmor.d/profiles-s-z/ssserver index c71fc1ea7..11ca72434 100644 
--- a/apparmor.d/profiles-s-z/ssserver +++ b/apparmor.d/profiles-s-z/ssserver @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssserver +@{exec_path} = @{bin}/ssserver profile ssserver @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/ssservice b/apparmor.d/profiles-s-z/ssservice index 5157bba63..4e4642895 100644 --- a/apparmor.d/profiles-s-z/ssservice +++ b/apparmor.d/profiles-s-z/ssservice @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssservice +@{exec_path} = @{bin}/ssservice profile ssservice @{exec_path} { include diff --git a/apparmor.d/profiles-s-z/ssurl b/apparmor.d/profiles-s-z/ssurl index a066a9df6..9555a9825 100644 --- a/apparmor.d/profiles-s-z/ssurl +++ b/apparmor.d/profiles-s-z/ssurl @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only # shadowsocks-rust only: @@ -8,7 +9,7 @@ abi , include -@{exec_path} = /{,usr/}{,local/}bin/ssurl +@{exec_path} = @{bin}/ssurl profile ssurl @{exec_path} { include include diff --git a/apparmor.d/profiles-s-z/steam b/apparmor.d/profiles-s-z/steam index e864663bb..252c89869 100644 --- a/apparmor.d/profiles-s-z/steam +++ b/apparmor.d/profiles-s-z/steam 
@@ -107,6 +107,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-system-info rix, @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-urlopen rix, @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, + @{runtime_dirs}/@{lib}/steam-runtime-tools-@{int}/srt-logger rix, @{runtime_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, @{runtime_dirs}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rcx -> web, @@ -182,6 +183,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk, owner @{run}/user/@{uid}/ r, + owner @{run}/user/@{uid}/srt-fifo.@{rand6}/{,*} rw, @{run}/udev/data/+pci:* r, # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.) @@ -366,6 +368,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) { include include + capability dac_override, capability dac_read_search, unix receive type=stream, diff --git a/apparmor.d/profiles-s-z/steam-game-proton b/apparmor.d/profiles-s-z/steam-game-proton index bad85a84b..dfa8b84da 100644 --- a/apparmor.d/profiles-s-z/steam-game-proton +++ b/apparmor.d/profiles-s-z/steam-game-proton @@ -13,7 +13,7 @@ include @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap -profile steam-game-proton @{exec_path} flags=(attach_disconnected) { +profile steam-game-proton @{exec_path} flags=(attach_disconnected,complain) { include include include @@ -34,6 +34,8 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, @{bin}/bwrap mrix, + @{bin}/chmod rix, + @{bin}/fc-match rix, @{bin}/getopt rix, @{bin}/gzip rix, @{bin}/ldconfig rix, 
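Review bot: `capability dac_override,` is added in the `@@ -366,6 +368,7 @@` steam hunk to a child profile whose header is outside the hunk, with no comment saying which access triggers it; `dac_read_search` was already present and override is the strictly stronger capability, bypassing write and execute permission checks as well as read. A one-line comment beside it, e.g. `# dac_override: <path/operation that fails without it>`, would let the next reader confirm it is still needed. The other two steam hunks (`srt-logger rix` and the `@{run}/user/@{uid}/srt-fifo.@{rand6}/` directory) look consistent with the neighbouring rules.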
@@ -44,7 +46,6 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { @{bin}/steam-runtime-system-info rix, @{bin}/steam-runtime-urlopen rix, @{bin}/true rix, - @{bin}/chmod rix, @{open_path} rix, @{lib_dirs}/** mr, @@ -52,12 +53,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { @{lib}/pressure-vessel/from-host/@{lib}/** rix, @{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix, - @{app_dirs}/** mr, - @{app_dirs}/pressure-vessel/@{bin}/pressure-vessel-* rix, - @{app_dirs}/Proton*/files/@{bin}/* rix, - @{app_dirs}/Proton*/files/@{lib}/** rix, - @{app_dirs}/Proton*/proton rix, - @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/steam-runtime-launcher-interface-@{int} rix, + @{app_dirs}/** mrix, @{run}/host/@{bin}/ldconfig rix, @{run}/host/@{bin}/localedef rix, @@ -73,6 +69,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) { owner /var/pressure-vessel/** rw, owner /var/cache/ldconfig/aux-cache* rw, + owner "@{app_dirs}/Steamworks Shared/runasadmin.vdf" rw, owner @{app_dirs}/@{runtime}/var/tmp-@{rand6}/usr/.ref rwk, owner @{app_dirs}/Proton*/** rwkl, diff --git a/apparmor.d/profiles-s-z/steam-runtime-steam-remote b/apparmor.d/profiles-s-z/steam-runtime-steam-remote index b3a36eac4..93a93e892 100644 --- a/apparmor.d/profiles-s-z/steam-runtime-steam-remote +++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote @@ -13,7 +13,7 @@ include @{app_dirs} = @{share_dirs}/steamapps/common/ @{exec_path} = @{runtime_dirs}/@{arch}/@{bin}/steam-runtime-steam-remote -profile steam-runtime-steam-remote @{exec_path} flags=(complain) { +profile steam-runtime-steam-remote @{exec_path} flags=(attach_disconnected,complain) { include @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 6bff0f1d8..fe30e6da8 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald 
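Review bot: `@{app_dirs}/** mrix` in the `@@ -52,12 +53,7 @@` steam-game-proton hunk replaces six path-specific rules (five exec rules plus the data-only `@{app_dirs}/** mr`) with one that lets any file under `steamapps/common/` execute inherited into this profile, while the context line `owner @{app_dirs}/Proton*/** rwkl` in the next hunk keeps part of the same tree writable, so the profile no longer separates game data from executable code there. The header hunk additionally adds `complain` with no marker of why or when it should be lifted; suggest `# TODO: complain until <tracked issue> is resolved` next to the flag, with a real issue reference. If the specific rules were dropped because they were incomplete rather than wrong, listing the known executables and keeping `@{app_dirs}/** mr` for data would preserve the distinction. The enclosing profile block ends outside the hunk.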
@@ -16,7 +16,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { include capability sys_boot, - + #aa:dbus own bus=system name=org.freedesktop.thermald @{exec_path} mr, diff --git a/apparmor.d/profiles-s-z/thunderbird b/apparmor.d/profiles-s-z/thunderbird index e5404615c..1ee9f0941 100644 --- a/apparmor.d/profiles-s-z/thunderbird +++ b/apparmor.d/profiles-s-z/thunderbird @@ -56,6 +56,8 @@ profile thunderbird @{exec_path} { owner @{tmp}/nsma rw, owner @{tmp}/pid-@{pid}/{,**} w, + /dev/urandom w, + # Silencer deny capability sys_ptrace, deny @{lib_dirs}/** w, diff --git a/apparmor.d/profiles-s-z/vesktop b/apparmor.d/profiles-s-z/vesktop index bcbb30883..a3c3f5a03 100644 --- a/apparmor.d/profiles-s-z/vesktop +++ b/apparmor.d/profiles-s-z/vesktop @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 odomingao +# Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -15,6 +16,7 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -27,6 +29,9 @@ profile vesktop @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{bin}/speech-dispatcher rPx, + @{open_path} rPx -> child-open, + owner /tmp/.org.chromium.Chromium.@{rand6} mr, owner @{run}/user/@{uid}/discord-ipc-@{int} rw, From ebdcb94d7eb012eb9d9bfcd0e7999f77c792c066 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Mon, 14 Oct 2024 19:35:37 +0100 Subject: [PATCH 290/315] feat(profile): update gnome profiles. --- apparmor.d/groups/gnome/gdm-session-worker | 2 ++ apparmor.d/groups/gnome/gio-launch-desktop | 2 ++ apparmor.d/groups/gnome/gnome-control-center | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 7 ++----- apparmor.d/groups/gnome/gnome-software | 4 ++-- apparmor.d/groups/gnome/gnome-tweaks | 14 ++++++++------ apparmor.d/groups/gnome/kgx | 1 + apparmor.d/groups/gnome/mutter-x11-frames | 1 + apparmor.d/groups/gnome/tracker-miner | 1 - apparmor.d/groups/gnome/yelp | 10 ++++++---- 10 files changed, 25 insertions(+), 19 deletions(-) diff --git a/apparmor.d/groups/gnome/gdm-session-worker b/apparmor.d/groups/gnome/gdm-session-worker index 731d15768..4ca2b21b6 100644 --- a/apparmor.d/groups/gnome/gdm-session-worker +++ b/apparmor.d/groups/gnome/gdm-session-worker @@ -105,6 +105,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) { owner @{HOME}/.pam_environment r, + owner @{user_cache_dirs}/ w, + @{run}/cockpit/inactive.motd r, owner @{run}/systemd/seats/seat@{int} r, owner @{run}/user/@{uid}/keyring/control rw, diff --git a/apparmor.d/groups/gnome/gio-launch-desktop b/apparmor.d/groups/gnome/gio-launch-desktop index 12473b491..5e013012e 100644 --- a/apparmor.d/groups/gnome/gio-launch-desktop +++ b/apparmor.d/groups/gnome/gio-launch-desktop @@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) { owner @{HOME}/{,**} rw, + owner @{user_share_dirs}/gvfs-metadata/{,*} r, + owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r, @{run}/mount/utab r, diff --git a/apparmor.d/groups/gnome/gnome-control-center b/apparmor.d/groups/gnome/gnome-control-center index 310b7a981..20aa66cfb 100644 --- a/apparmor.d/groups/gnome/gnome-control-center +++ b/apparmor.d/groups/gnome/gnome-control-center 
@@ -181,7 +181,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) { deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, - profile bwrap { + profile bwrap flags=(attach_disconnected) { include include diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index 995dbab6a..42c1265ae 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -48,11 +48,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { @{sh_path} rix, @{bin}/tput rix, @{bin}/session-migration rPx, - - @{lib}/gnome-session-check-accelerated rix, - @{lib}/gnome-session-check-accelerated-gl-helper rix, - @{lib}/gnome-session-check-accelerated-gles-helper rix, - @{lib}/gnome-session-failed rix, + @{lib}/gnome-session-check-* rPx, + @{lib}/gnome-session-failed rix, @{lib}/gio-launch-desktop rCx -> open, @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop rCx -> open, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index cddcb730b..5ebedca69 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software @@ -64,8 +64,7 @@ profile gnome-software @{exec_path} { /var/lib/PackageKit/offline-update-competed r, /var/lib/PackageKit/prepared-update r, - /var/lib/swcatalog/icons/**.png r, - /var/lib/swcatalog/yaml/ r, + /var/lib/swcatalog/** r, /var/tmp/flatpak-cache-*/ rw, /var/tmp/flatpak-cache-*/** rwkl, @@ -91,6 +90,7 @@ profile gnome-software @{exec_path} { owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r, owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r, owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r, + owner @{user_share_dirs}/flatpak/overrides/* r, owner @{user_share_dirs}/flatpak/repo/ rw, owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**, owner @{user_share_dirs}/gnome-software/{,**} rw, 
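Review bot: `@{lib}/gnome-session-check-* rPx,` in the gnome-session-binary hunk turns the three removed `rix` lines into a profile transition for every binary matching the glob, and `Px` denies the exec when no profile exists for the target path; unless `gnome-session-check-accelerated`, `-gl-helper` and `-gles-helper` each have a profile in the tree (not visible here), the accelerated-session check will fail under enforce mode. Worth confirming the matching profiles exist, or naming the intended target explicitly with `rPx -> <profile-name>`. The enclosing `profile gnome-session-binary` block starts and ends outside the hunk.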
diff --git a/apparmor.d/groups/gnome/gnome-tweaks b/apparmor.d/groups/gnome/gnome-tweaks index d21e23824..d104e75c6 100644 --- a/apparmor.d/groups/gnome/gnome-tweaks +++ b/apparmor.d/groups/gnome/gnome-tweaks @@ -7,12 +7,10 @@ abi , include @{exec_path} = @{bin}/gnome-tweaks -profile gnome-tweaks @{exec_path} { +profile gnome-tweaks @{exec_path} flags=(attach_disconnected) { include include - include - include - include + include include include @@ -21,6 +19,7 @@ profile gnome-tweaks @{exec_path} { @{exec_path} mr, @{bin}/ r, + @{bin}/env r, @{bin}/ps rPx, @{bin}/python3.@{int} rix, @@ -28,8 +27,6 @@ profile gnome-tweaks @{exec_path} { @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w, - /usr/share/gnome-tweaks/{,**} r, - /etc/xdg/autostart/{,**} r, owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r, @@ -44,7 +41,12 @@ profile gnome-tweaks @{exec_path} { @{run}/udev/data/+input:input@{int} r, # for mouse, keyboard, touchpad @{run}/udev/data/c13:@{int} r, # for /dev/input/* + @{sys}/bus/ r, + @{sys}/class/input/ r, + @{sys}/devices/**/uevent r, + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/mounts r, deny owner @{user_share_dirs}/gvfs-metadata/{,*} r, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index 66a278036..c9177de5c 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -41,6 +41,7 @@ profile kgx @{exec_path} { @{PROC}/@{pids}/stat r, @{PROC}/1/cgroup r, owner @{PROC}/@{pid}/cgroup r, + owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/ptmx rw, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 4fe3bc066..8a48b97a2 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -15,6 +15,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) { include include include + include include include include 
diff --git a/apparmor.d/groups/gnome/tracker-miner b/apparmor.d/groups/gnome/tracker-miner index e58f9b982..e10d81bb2 100644 --- a/apparmor.d/groups/gnome/tracker-miner +++ b/apparmor.d/groups/gnome/tracker-miner @@ -21,7 +21,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) { include include include - include network netlink raw, diff --git a/apparmor.d/groups/gnome/yelp b/apparmor.d/groups/gnome/yelp index d9b709f99..aa459250b 100644 --- a/apparmor.d/groups/gnome/yelp +++ b/apparmor.d/groups/gnome/yelp @@ -28,11 +28,13 @@ profile yelp @{exec_path} { /etc/xml/{,**} r, - @{sys}/devices/virtual/dmi/id/chassis_type r, - @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, - + @{sys}/devices/virtual/dmi/id/chassis_type r, + @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r, owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r, - + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r, + owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r, + @{PROC}/zoneinfo r, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/cmdline r, From e73176e0c76b96182784dca494dcc363647fc548 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 14 Oct 2024 19:56:00 +0100 Subject: [PATCH 291/315] fix(profile): globbing fail. --- apparmor.d/abstractions/kde-strict | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/abstractions/kde-strict b/apparmor.d/abstractions/kde-strict index d85e58422..282ae1974 100644 --- a/apparmor.d/abstractions/kde-strict +++ b/apparmor.d/abstractions/kde-strict 
@@ -27,7 +27,7 @@ owner @{user_cache_dirs}/#@{int} rw, owner @{user_cache_dirs}/icon-cache.kcache rw, - owner @{user_cache_dirs}/ksycoca{5,6}_??[_-]*.@{rand6} rwlk, + owner @{user_cache_dirs}/ksycoca{5,6}_??{_,-}*.@{rand6} rwlk, owner @{user_config_dirs}/baloofilerc r, owner @{user_config_dirs}/dolphinrc r, From 6c211f4d2769b1c773c7cdbc1d650013dc6f9e36 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Mon, 14 Oct 2024 22:20:07 +0300 Subject: [PATCH 292/315] Moved dbus-send to the abstraction --- apparmor.d/abstractions/app/bus | 2 +- apparmor.d/groups/freedesktop/xdg-mime | 2 -- apparmor.d/groups/freedesktop/xdg-open | 2 -- apparmor.d/groups/freedesktop/xdg-settings | 2 -- 4 files changed, 1 insertion(+), 7 deletions(-) diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus index d1bd606a6..2ead91cc1 100644 --- a/apparmor.d/abstractions/app/bus +++ b/apparmor.d/abstractions/app/bus @@ -9,7 +9,7 @@ include @{bin}/dbus-launch mix, - @{bin}/dbus-send mix, + @{bin}/dbus-send mrix, @{bin}/dbus-daemon Px -> dbus-session, diff --git a/apparmor.d/groups/freedesktop/xdg-mime b/apparmor.d/groups/freedesktop/xdg-mime index 650d1f554..15b73a2d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-mime +++ b/apparmor.d/groups/freedesktop/xdg-mime @@ -65,8 +65,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) { include include - @{bin}/dbus-send mr, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index b0b44e388..559c69304 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -44,8 +44,6 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { include include - @{bin}/dbus-send mr, - include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 2525e1462..20246f659 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings 
@@ -59,8 +59,6 @@ profile xdg-settings @{exec_path} { include include - @{bin}/dbus-send mr, - include if exists } From 1e48160292da4032c8633ccf06fa638c4a0501f0 Mon Sep 17 00:00:00 2001 From: Roman Beslik Date: Mon, 14 Oct 2024 22:37:16 +0300 Subject: [PATCH 293/315] Added app-open to xdg-open --- apparmor.d/groups/freedesktop/xdg-open | 1 + 1 file changed, 1 insertion(+) diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 559c69304..946b9aa59 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -10,6 +10,7 @@ include @{exec_path} = @{bin}/xdg-open profile xdg-open @{exec_path} flags=(attach_disconnected) { include + include include include From 604e71888c21fccda14cde6799253efa27bc2610 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 14 Oct 2024 20:38:27 +0100 Subject: [PATCH 294/315] feat(tunable): remove never used hci_id. --- apparmor.d/tunables/multiarch.d/system | 3 --- 1 file changed, 3 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/system b/apparmor.d/tunables/multiarch.d/system index defc53af4..0a95d1837 100644 --- a/apparmor.d/tunables/multiarch.d/system +++ b/apparmor.d/tunables/multiarch.d/system @@ -144,9 +144,6 @@ @{pci_bus}=pci@{h}@{h}@{h}@{h}:@{h}@{h} @{pci}=@{pci_bus}/**/ -# hci devices -@{hci_id}=dev_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c}_@{c}@{c} - # Udev data dynamic assignment ranges @{dynamic}=23[4-9] 24[0-9] 25[0-4] # range 234 to 254 @{dynamic}+=38[4-9] 39[0-9] 4[0-9][0-9] 50[0-9] 51[0-1] # range 384 to 511 From 04df7052725b4ac473f1bdcd1e1644b8163ff0d2 Mon Sep 17 00:00:00 2001 From: EricLin0509 Date: Tue, 15 Oct 2024 10:40:47 +0800 Subject: [PATCH 295/315] Prepare for re-attached-path --- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-s-z/ufw | 4 ++-- apparmor.d/profiles-s-z/wechat-universal | 2 +- apparmor.d/profiles-s-z/wemeet | 2 +- 4 files changed, 5 insertions(+), 5 deletions(-) 
diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index c4bf64d75..4d579764f 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq @@ -14,6 +14,7 @@ include @{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq profile linuxqq @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -42,7 +43,6 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, /dev/tty rw, - /dev/pts/@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw index 1c34b8579..2c0f5352f 100644 --- a/apparmor.d/profiles-s-z/ufw +++ b/apparmor.d/profiles-s-z/ufw @@ -8,9 +8,9 @@ abi , include @{exec_path} = @{bin}/ufw -profile ufw @{exec_path} { +profile ufw @{exec_path} flags=(attach_disconnected) { include - include + include include include diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index f29df13d0..31a7f7cde 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal @@ -14,6 +14,7 @@ include @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat profile wechat-universal @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -52,7 +53,6 @@ profile wechat-universal @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pid}/net/route r, /dev/tty rw, - /dev/pts/@{int} rw, include if exists } diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 39862913c..bbc871f6c 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -11,6 +11,7 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include + include include include include @@ -54,7 +55,6 @@ profile wemeet @{exec_path} flags=(attach_disconnected) { /dev/ r, /dev/tty rw, /dev/shm/ r, - /dev/pts/@{int} rw, include if exists 
From 3a6844c8ceb3296370a2c1bface8cb52f70514a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 15 Oct 2024 16:18:53 +0100 Subject: [PATCH 296/315] tests(check): also checks files header. --- tests/check.sh | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/tests/check.sh b/tests/check.sh index a46d38e30..b63524157 100644 --- a/tests/check.sh +++ b/tests/check.sh @@ -10,6 +10,21 @@ set -eu -o pipefail readonly APPARMORD="apparmor.d" +_ensure_header() { + local file="$1" + headers=( + "# apparmor.d - Full set of apparmor profiles" + "# Copyright (C) " + "# SPDX-License-Identifier: GPL-2.0-only" + ) + for header in "${headers[@]}"; do + if ! grep -q "^$header" "$file"; then + echo "$file does not contain '$header'" + exit 1 + fi + done +} + _ensure_include() { local file="$1" local include="$2" @@ -37,6 +52,7 @@ _ensure_vim() { check_profiles() { echo "⋅ Checking if all profiles contain:" + echo " - apparmor.d header & license" echo " - 'abi ,'" echo " - 'profile '" echo " - 'include if exists '" @@ -50,6 +66,7 @@ check_profiles() { name="$(basename "$file")" name="${name/.apparmor.d/}" include="include if exists " + _ensure_header "$file" _ensure_include "$file" "$include" _ensure_abi "$file" _ensure_vim "$file" @@ -71,11 +88,13 @@ check_profiles() { check_abstractions() { echo "⋅ Checking if all abstractions contain:" + echo " - apparmor.d header & license" echo " - 'abi ,'" echo " - 'include if exists '" echo " - vim:syntax=apparmor" directories=( "$APPARMORD/abstractions/" "$APPARMORD/abstractions/app/" + "$APPARMORD/abstractions/attached/" "$APPARMORD/abstractions/bus/" "$APPARMORD/abstractions/common/" ) for dir in "${directories[@]}"; do @@ -83,6 +102,7 @@ check_abstractions() { name="$(basename "$file")" root="${dir/${APPARMORD}\/abstractions\//}" include="include if exists " + _ensure_header "$file" _ensure_include "$file" "$include" _ensure_abi "$file" _ensure_vim "$file" 
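Review bot: In the new `_ensure_header` helper, `headers` and the loop variable `header` are not declared `local` although `file` is, so both leak into the caller's scope every time the helper runs; `local headers=(` and a `local header` before the loop would match the surrounding helpers' style. `grep -q "^$header"` also treats the header text as a basic regular expression, so the `.` in `apparmor.d` matches any character; harmless for these three fixed strings, but a one-line comment saying the entries are patterns would prevent a later literal header from silently under-matching. The `exit 1` inside the helper stops the script at the first bad file rather than reporting all of them; if that mirrors the other `_ensure_*` helpers (outside the hunk) it is fine, otherwise `return 1` with the failure collected by the caller would be more useful.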
From 682c98b3207258ce21126bd5bf946cc6181ce584 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 15 Oct 2024 16:24:03 +0100 Subject: [PATCH 297/315] feat(profile): minor update to xdg desktop profiles. --- apparmor.d/abstractions/app/bus | 1 + apparmor.d/groups/freedesktop/xdg-desktop-portal | 5 ++++- apparmor.d/groups/freedesktop/xdg-open | 1 - apparmor.d/groups/freedesktop/xdg-settings | 1 - 4 files changed, 5 insertions(+), 3 deletions(-) diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus index 2ead91cc1..4fa0c2c8b 100644 --- a/apparmor.d/abstractions/app/bus +++ b/apparmor.d/abstractions/app/bus @@ -6,6 +6,7 @@ abi , + include include @{bin}/dbus-launch mix, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal b/apparmor.d/groups/freedesktop/xdg-desktop-portal index eb450ee4e..53218d821 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal @@ -71,7 +71,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) { /etc/sysconfig/proxy r, - @{GDM_HOME}/greeter-dconf-defaults r, + @{GDM_HOME}/greeter-dconf-defaults r, + owner @{gdm_config_dirs}/dconf/user r, + owner @{gdm_config_dirs}/user-dirs.dirs r, + @{user_config_dirs}/kioslaverc r, owner @{user_config_dirs}/xdg-desktop-portal/* r, diff --git a/apparmor.d/groups/freedesktop/xdg-open b/apparmor.d/groups/freedesktop/xdg-open index 946b9aa59..7893800d1 100644 --- a/apparmor.d/groups/freedesktop/xdg-open +++ b/apparmor.d/groups/freedesktop/xdg-open @@ -43,7 +43,6 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) { include include include - include include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 20246f659..870d4cfe4 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings 
@@ -57,7 +57,6 @@ profile xdg-settings @{exec_path} { include include include - include include if exists } From 6e2d817805659bdb1e0377f850f324244440a497 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 16 Oct 2024 19:22:52 +0100 Subject: [PATCH 298/315] feat(profile): update pkexec. --- apparmor.d/abstractions/app/pkexec | 4 ++-- apparmor.d/groups/ubuntu/update-notifier | 2 -- apparmor.d/profiles-m-r/pkexec | 10 +++++----- 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/apparmor.d/abstractions/app/pkexec b/apparmor.d/abstractions/app/pkexec index 5b9197957..65d34ec6a 100644 --- a/apparmor.d/abstractions/app/pkexec +++ b/apparmor.d/abstractions/app/pkexec @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Minimal set of rules for pkexec. @@ -18,6 +19,7 @@ capability net_admin, capability setgid, capability setuid, + capability sys_ptrace, capability sys_resource, network netlink raw, # PAM @@ -26,8 +28,6 @@ @{bin}/pkexec mr, - @{etc_ro}/environment r, - @{etc_ro}/security/limits.d/{,*} r, /etc/shells r, owner @{PROC}/@{pid}/loginuid r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index c75c3f83e..36fae9ce3 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -72,8 +72,6 @@ profile update-notifier @{exec_path} { include include - capability sys_ptrace, - ptrace read peer=update-notifier, @{lib}/update-notifier/package-system-locked Px, diff --git a/apparmor.d/profiles-m-r/pkexec b/apparmor.d/profiles-m-r/pkexec index ce1ea9dcd..c7bfbcefa 100644 --- a/apparmor.d/profiles-m-r/pkexec +++ b/apparmor.d/profiles-m-r/pkexec 
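Review bot: `capability sys_ptrace,` is added to the shared `abstractions/app/pkexec`, which its own header calls a minimal rule set, so every profile that includes the abstraction now gains the capability rather than only `update-notifier`, from which this patch removes the line. No comment says which pkexec operation requires it — presumably reading the caller's `/proc` entries, to be confirmed — so a note such as `# pkexec needs sys_ptrace to <reason>` next to the rule would help anyone auditing future includers. The third hunk of the same file also drops `@{etc_ro}/environment r,` and `@{etc_ro}/security/limits.d/{,*} r,`; if PAM modules loaded by pkexec still read these files, the resulting denials will surface in every consumer of the abstraction, so that removal is worth a line in the commit message.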
@@ -8,15 +8,15 @@ abi , include @{exec_path} = @{bin}/pkexec -profile pkexec @{exec_path} flags=(complain) { +profile pkexec @{exec_path} { include include - audit capability sys_nice, + capability sys_nice, - signal (send) set=(term, kill) peer=polkit-agent-helper, + signal send set=(term, kill) peer=polkit-agent-helper, - ptrace (read), + ptrace read, @{exec_path} mr, @@ -28,7 +28,7 @@ profile pkexec @{exec_path} flags=(complain) { /etc/default/locale r, @{PROC}/@{pid}/fdinfo/@{int} r, - @{PROC}/@{pids}/stat r, + @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/fd/ r, include if exists From 37bafddc8088e49f5e0d8934ee11e85814506c83 Mon Sep 17 00:00:00 2001 
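Review bot: Dropping `flags=(complain)` puts `pkexec` — a setuid privilege-escalation helper — into enforce mode, but the patch title only says "update pkexec"; a message line such as `pkexec: switch from complain to enforce mode` would make the behavioural change visible in the history. The same hunk removes `audit` from `capability sys_nice,`, so the kernel no longer logs pkexec exercising that capability; if the qualifier was only a profiling aid that is fine, but it deserves stating for the same reason. The second hunk changes `@{PROC}/@{pids}/stat r,` to `@{PROC}/@{pid}/stat r,`; confirm against the tunables that the two variables cover the same paths here, since a miss now produces a denial rather than a complain-mode log entry. The profile's closing brace lies outside the hunk.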
From: Alexandre Pujol Date: Wed, 16 Oct 2024 23:36:13 +0100 Subject: [PATCH 299/315] chore: enforce indentation consistency across profile. --- apparmor.d/groups/avahi/avahi-browse | 2 +- apparmor.d/groups/browsers/msedge | 2 +- apparmor.d/groups/bus/ibus-memconf | 8 +- apparmor.d/groups/cron/cron | 2 +- apparmor.d/groups/gnome/gnome-software | 2 +- apparmor.d/groups/hyprland/hyprland | 2 +- apparmor.d/groups/network/iwd | 2 +- apparmor.d/groups/network/mullvad-daemon | 4 +- apparmor.d/groups/ssh/ssh-agent-launch | 12 +-- apparmor.d/groups/systemd/bootctl | 4 +- apparmor.d/groups/whonix/systemcheck-canary | 2 +- apparmor.d/profiles-a-f/cups-backend-pdf | 2 +- apparmor.d/profiles-a-f/cups-backend-snmp | 2 +- apparmor.d/profiles-a-f/cups-notifier-dbus | 2 +- apparmor.d/profiles-a-f/cups-notifier-mailto | 2 +- apparmor.d/profiles-a-f/cups-notifier-rss | 2 +- apparmor.d/profiles-g-l/gamemoded | 18 ++--- apparmor.d/profiles-g-l/ifup | 2 +- apparmor.d/profiles-g-l/linuxqq | 48 +++++------ apparmor.d/profiles-m-r/mutt | 4 +- .../needrestart-iucode-scan-versions | 2 +- apparmor.d/profiles-m-r/qbittorrent | 6 +- apparmor.d/profiles-m-r/qbittorrent-nox | 2 +- apparmor.d/profiles-s-z/sensors-detect | 2 +- apparmor.d/profiles-s-z/session-desktop | 2 +- apparmor.d/profiles-s-z/totem | 2 +- apparmor.d/profiles-s-z/ufw | 76 +++++++++--------- apparmor.d/profiles-s-z/update-pciids | 2 +- apparmor.d/profiles-s-z/wechat-universal | 66 ++++++++-------- apparmor.d/profiles-s-z/wemeet | 79 +++++++++---------- 30 files changed, 181 insertions(+), 182 deletions(-) diff --git a/apparmor.d/groups/avahi/avahi-browse b/apparmor.d/groups/avahi/avahi-browse index f04637ae3..47c22d72d 100644 --- a/apparmor.d/groups/avahi/avahi-browse +++ b/apparmor.d/groups/avahi/avahi-browse 
@@ -15,7 +15,7 @@ profile avahi-browse @{exec_path} { include dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int} - interface=org.freedesktop.Avahi.ServiceTypeBrowser + interface=org.freedesktop.Avahi.ServiceTypeBrowser member={ItemNew,AllForNow,CacheExhausted} peer=(name=:*, label=avahi-daemon), diff --git a/apparmor.d/groups/browsers/msedge b/apparmor.d/groups/browsers/msedge index fbe4288a3..f616df6c6 100644 --- a/apparmor.d/groups/browsers/msedge +++ b/apparmor.d/groups/browsers/msedge @@ -26,7 +26,7 @@ profile msedge @{exec_path} { @{lib_dirs}/xdg-mime rix, #-> xdg-mime, @{lib_dirs}/xdg-settings rix, #-> xdg-settings, - + @{lib_dirs}/microsoft-edge{,beta,-dev} rPx, @{lib_dirs}/chrome_crashpad_handler rPx -> msedge//&msedge-crashpad-handler, diff --git a/apparmor.d/groups/bus/ibus-memconf b/apparmor.d/groups/bus/ibus-memconf index 7e7299bc1..0a8d7bdab 100644 --- a/apparmor.d/groups/bus/ibus-memconf +++ b/apparmor.d/groups/bus/ibus-memconf @@ -16,10 +16,10 @@ profile ibus-memconf @{exec_path} flags=(attach_disconnected) { signal (receive) set=(term) peer=ibus-daemon, - dbus receive bus=session - interface=org.freedesktop.DBus.Introspectable - member=Introspect - peer=(name=:*, label=gnome-shell), + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=:*, label=gnome-shell), @{exec_path} mr, diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron index 7db10924c..7c57f9468 100644 --- a/apparmor.d/groups/cron/cron +++ b/apparmor.d/groups/cron/cron @@ -74,7 +74,7 @@ profile cron @{exec_path} flags=(attach_disconnected) { owner @{tmp}/#@{int} rw, - include if exists + include if exists } include if exists diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 5ebedca69..f462894bc 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
@@ -128,7 +128,7 @@ profile gnome-software @{exec_path} { owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/fuse rw, - + deny owner @{user_share_dirs}/gvfs-metadata/* r, profile gpg { diff --git a/apparmor.d/groups/hyprland/hyprland b/apparmor.d/groups/hyprland/hyprland index 136ebabb0..9c6107f6f 100644 --- a/apparmor.d/groups/hyprland/hyprland +++ b/apparmor.d/groups/hyprland/hyprland @@ -39,7 +39,7 @@ profile hyprland @{exec_path} flags=(attach_disconnected) { owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, @{run}/systemd/sessions/@{int} r, - + @{run}/udev/data/+acpi:* r, # for acpi @{run}/udev/data/+dmi:id r, # for motherboard info @{run}/udev/data/+drm:card@{int}-* r, # For screen outputs diff --git a/apparmor.d/groups/network/iwd b/apparmor.d/groups/network/iwd index c6dda71ad..50827e77e 100644 --- a/apparmor.d/groups/network/iwd +++ b/apparmor.d/groups/network/iwd @@ -22,7 +22,7 @@ profile iwd @{exec_path} { network netlink dgram, network alg seqpacket, - @{exec_path} mr, + @{exec_path} mr, /etc/iwd/{,**} r, /var/lib/iwd/{,**} rw, diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index fd43bc33b..8dc29f568 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -48,9 +48,9 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { owner /var/cache/mullvad-vpn/{,*} rw, owner /var/log/mullvad-vpn/{,*} rw, owner /var/log/private/mullvad-vpn/*.log rw, - + + @{run}/NetworkManager/resolv.conf r, owner @{run}/mullvad-vpn rw, - @{run}/NetworkManager/resolv.conf r, @{sys}/fs/cgroup/net_cls/ w, @{sys}/fs/cgroup/net_cls/mullvad-exclusions/ w, diff --git a/apparmor.d/groups/ssh/ssh-agent-launch b/apparmor.d/groups/ssh/ssh-agent-launch index 34b1ea1dc..237a5ff76 100644 --- a/apparmor.d/groups/ssh/ssh-agent-launch +++ b/apparmor.d/groups/ssh/ssh-agent-launch 
@@ -25,14 +25,14 @@ profile ssh-agent-launch @{exec_path} { include dbus send bus=session path=/org/freedesktop/DBus - interface=org.freedesktop.DBus - member=UpdateActivationEnvironment - peer=(name=org.freedesktop.DBus, label=dbus-session), + interface=org.freedesktop.DBus + member=UpdateActivationEnvironment + peer=(name=org.freedesktop.DBus, label=dbus-session), dbus send bus=session path=/org/freedesktop/systemd1 - interface=org.freedesktop.systemd1.Manager - member=SetEnvironment - peer=(name=org.freedesktop.systemd1), + interface=org.freedesktop.systemd1.Manager + member=SetEnvironment + peer=(name=org.freedesktop.systemd1), @{bin}/dbus-update-activation-environment mr, diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl index c59284e72..05655d308 100644 --- a/apparmor.d/groups/systemd/bootctl +++ b/apparmor.d/groups/systemd/bootctl @@ -67,8 +67,8 @@ profile bootctl @{exec_path} { @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r, @{sys}/firmware/efi/fw_platform_size r, - @{PROC}/sys/kernel/random/poolsize r, - owner @{PROC}/@{pid}/cgroup r, + @{PROC}/sys/kernel/random/poolsize r, + owner @{PROC}/@{pid}/cgroup r, # Inherit silencer deny network inet6 stream, diff --git a/apparmor.d/groups/whonix/systemcheck-canary b/apparmor.d/groups/whonix/systemcheck-canary index 2a38680bd..4130d9cd9 100644 --- a/apparmor.d/groups/whonix/systemcheck-canary +++ b/apparmor.d/groups/whonix/systemcheck-canary @@ -12,7 +12,7 @@ profile systemcheck-canary @{exec_path} { include @{exec_path} mr, - + @{bin}/sleep rix, @{bin}/grep rix, @{bin}/whoami rix, diff --git a/apparmor.d/profiles-a-f/cups-backend-pdf b/apparmor.d/profiles-a-f/cups-backend-pdf index b6e6d59ad..7782ecb11 100644 --- a/apparmor.d/profiles-a-f/cups-backend-pdf +++ b/apparmor.d/profiles-a-f/cups-backend-pdf @@ -21,7 +21,7 @@ profile cups-backend-pdf @{exec_path} { unix peer=(label=cupsd), @{exec_path} mr, - + @{sh_path} rix, @{bin}/cp rix, @{bin}/gs rix, 
diff --git a/apparmor.d/profiles-a-f/cups-backend-snmp b/apparmor.d/profiles-a-f/cups-backend-snmp index 35f0392de..5badd529a 100644 --- a/apparmor.d/profiles-a-f/cups-backend-snmp +++ b/apparmor.d/profiles-a-f/cups-backend-snmp @@ -16,7 +16,7 @@ profile cups-backend-snmp @{exec_path} { network netlink raw, @{exec_path} mr, - + /etc/cups/snmp.conf r, /etc/papersize r, diff --git a/apparmor.d/profiles-a-f/cups-notifier-dbus b/apparmor.d/profiles-a-f/cups-notifier-dbus index e22b2f6a4..3f9b15dcc 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-dbus +++ b/apparmor.d/profiles-a-f/cups-notifier-dbus @@ -17,7 +17,7 @@ profile cups-notifier-dbus @{exec_path} { signal (receive) set=(term) peer=cupsd, @{exec_path} mr, - + owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw, owner @{tmp}/cups-dbus-notifier-lockfile rwk, diff --git a/apparmor.d/profiles-a-f/cups-notifier-mailto b/apparmor.d/profiles-a-f/cups-notifier-mailto index 0df4984d4..e69afb072 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-mailto +++ b/apparmor.d/profiles-a-f/cups-notifier-mailto @@ -11,7 +11,7 @@ profile cups-notifier-mailto @{exec_path} { include @{exec_path} mr, - + include if exists } diff --git a/apparmor.d/profiles-a-f/cups-notifier-rss b/apparmor.d/profiles-a-f/cups-notifier-rss index 129cb8d6f..993392912 100644 --- a/apparmor.d/profiles-a-f/cups-notifier-rss +++ b/apparmor.d/profiles-a-f/cups-notifier-rss @@ -11,7 +11,7 @@ profile cups-notifier-rss @{exec_path} { include @{exec_path} mr, - + include if exists } diff --git a/apparmor.d/profiles-g-l/gamemoded b/apparmor.d/profiles-g-l/gamemoded index af1f34005..8f5067b77 100644 --- a/apparmor.d/profiles-g-l/gamemoded +++ b/apparmor.d/profiles-g-l/gamemoded 
@@ -40,23 +40,23 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { include include include - + capability audit_write, capability mknod, capability setgid, capability sys_ptrace, - + ptrace read peer=gamemoded, - + network netlink raw, - + @{bin}/pkexec mr, - + @{lib}/gamemode/{,**} r, @{lib}/gamemode/cpugovctl ix, @{lib}/gamemode/gpuclockctl ix, @{lib}/gamemode/procsysctl ix, - + /etc/security/limits.d/ r, /etc/security/limits.d/@{int}-gamemode.conf r, /etc/shells r, @@ -66,15 +66,15 @@ profile gamemoded @{exec_path} flags=(attach_disconnected) { @{sys}/devices/system/cpu/ r, @{sys}/devices/system/cpu/cpu@{int}/cpufreq r, @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_governor rw, - + @{PROC}/@{pid}/fdinfo/@{int} r, @{PROC}/@{pid}/loginuid r, @{PROC}/@{pid}/stat r, @{PROC}/sys/kernel/split_lock_mitigate rw, - + include if exists } - + include if exists } diff --git a/apparmor.d/profiles-g-l/ifup b/apparmor.d/profiles-g-l/ifup index c800267c7..aac25b811 100644 --- a/apparmor.d/profiles-g-l/ifup +++ b/apparmor.d/profiles-g-l/ifup @@ -85,7 +85,7 @@ profile ifup @{exec_path} { /etc/network/if-up.d/ r, /etc/network/if-up.d/*resolvconf rPUx, - /etc/network/if-up.d/resolved rPUx, + /etc/network/if-up.d/resolved rPUx, /etc/network/if-up.d/chrony rPUx, /etc/network/if-up.d/ethtool rPUx, /etc/network/if-up.d/ifenslave rPUx, diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq index 4d579764f..0e18eab1b 100644 --- a/apparmor.d/profiles-g-l/linuxqq +++ b/apparmor.d/profiles-g-l/linuxqq 
@@ -13,38 +13,38 @@ include @{exec_path} = @{bin}/linuxqq @{lib_dirs}/qq profile linuxqq @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include + include + include + include + include + include - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, - @{exec_path} mrix, + @{exec_path} mrix, - @{sh_path} r, - @{bin}/grep rix, - @{lib_dirs}/chrome_crashpad_handler ix, - @{lib_dirs}/resources/app/{,**} m, - @{open_path} rPx -> child-open-strict, + @{sh_path} r, + @{bin}/grep rix, + @{lib_dirs}/chrome_crashpad_handler ix, + @{lib_dirs}/resources/app/{,**} m, + @{open_path} rPx -> child-open-strict, - /etc/machine-id r, + /etc/machine-id r, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/utmp r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp r, - owner @{PROC}/@{pid}/loginuid r, - owner @{PROC}/@{pid}/mounts r, + owner @{PROC}/@{pid}/loginuid r, + owner @{PROC}/@{pid}/mounts r, - /dev/tty rw, + /dev/tty rw, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-m-r/mutt b/apparmor.d/profiles-m-r/mutt index 4e218a8a0..6a96796a7 100644 --- a/apparmor.d/profiles-m-r/mutt +++ b/apparmor.d/profiles-m-r/mutt @@ -27,14 +27,14 @@ profile mutt @{exec_path} { # There are countless programs that can be executed from the mailcap. # This profile includes only the most basic. @{sh_path} rix, - + @{lib}/{,sendmail/}sendmail rPUx, @{bin}/ispell rPUx, @{bin}/abook rPUx, @{bin}/mutt_dotlock rix, # Misc mutt scripts @{lib}/mutt/* rix, - + @{bin}/w3m rCx -> html-renderer, @{bin}/lynx rCx -> html-renderer, @{editor_path} rCx -> editor, 
diff --git a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions index b60b5f488..75b150042 100644 --- a/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions +++ b/apparmor.d/profiles-m-r/needrestart-iucode-scan-versions @@ -26,7 +26,7 @@ profile needrestart-iucode-scan-versions @{exec_path} { /boot/intel-ucode.img r, /boot/early_ucode.cpio r, - + @{sys}/devices/system/cpu/cpu@{int}/microcode/processor_flags r, /dev/tty rw, diff --git a/apparmor.d/profiles-m-r/qbittorrent b/apparmor.d/profiles-m-r/qbittorrent index 97c81ebd4..a5fcbb91e 100644 --- a/apparmor.d/profiles-m-r/qbittorrent +++ b/apparmor.d/profiles-m-r/qbittorrent @@ -42,7 +42,7 @@ profile qbittorrent @{exec_path} { interface=org.kde.StatusNotifierItem member={NewToolTip,NewIcon} peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/StatusNotifierItem interface=org.kde.StatusNotifierItem member=Activate @@ -52,12 +52,12 @@ profile qbittorrent @{exec_path} { interface=org.freedesktop.DBus.Properties member=GetAll peer=(name=:*), - + dbus send bus=session path=/MenuBar interface=com.canonical.dbusmenu member=ItemsPropertiesUpdated peer=(name=org.freedesktop.DBus), - + dbus receive bus=session path=/MenuBar interface=com.canonical.dbusmenu member={GetLayout,GetGroupProperties,AboutToShow,AboutToShowGroup,EventGroup,Event} diff --git a/apparmor.d/profiles-m-r/qbittorrent-nox b/apparmor.d/profiles-m-r/qbittorrent-nox index 81cf43011..5129f203b 100644 --- a/apparmor.d/profiles-m-r/qbittorrent-nox +++ b/apparmor.d/profiles-m-r/qbittorrent-nox @@ -51,7 +51,7 @@ profile qbittorrent-nox @{exec_path} { /dev/disk/by-label/ r, /dev/shm/#@{int} rw, - + deny owner @{user_share_dirs}/data/qBittorrent/ rw, # Old dir, not recommended to use include if exists diff --git a/apparmor.d/profiles-s-z/sensors-detect b/apparmor.d/profiles-s-z/sensors-detect index b781ae1d0..e3eca4e22 100644 --- a/apparmor.d/profiles-s-z/sensors-detect 
+++ b/apparmor.d/profiles-s-z/sensors-detect @@ -15,7 +15,7 @@ profile sensors-detect @{exec_path} { capability syslog, @{exec_path} rm, - + @{bin}/kmod rCx -> kmod, @{bin}/perl r, @{bin}/systemctl rCx -> systemctl, diff --git a/apparmor.d/profiles-s-z/session-desktop b/apparmor.d/profiles-s-z/session-desktop index d088bb0b1..98b194fb7 100644 --- a/apparmor.d/profiles-s-z/session-desktop +++ b/apparmor.d/profiles-s-z/session-desktop @@ -28,7 +28,7 @@ profile session-desktop @{exec_path} { network netlink raw, @{exec_path} mrix, - + @{lib_dirs}/resources/app.asar.unpacked/ts/webworker/workers/node/**.node mr, @{open_path} rPx -> child-open-strict, diff --git a/apparmor.d/profiles-s-z/totem b/apparmor.d/profiles-s-z/totem index 6883e48f2..64ab228ba 100644 --- a/apparmor.d/profiles-s-z/totem +++ b/apparmor.d/profiles-s-z/totem @@ -83,7 +83,7 @@ profile totem @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/task/@{tid}/comm w, /dev/ r, - + include if exists } diff --git a/apparmor.d/profiles-s-z/ufw b/apparmor.d/profiles-s-z/ufw index 2c0f5352f..b7e5f0c79 100644 --- a/apparmor.d/profiles-s-z/ufw +++ b/apparmor.d/profiles-s-z/ufw 
@@ -9,54 +9,54 @@ include @{exec_path} = @{bin}/ufw profile ufw @{exec_path} flags=(attach_disconnected) { - include - include - include - include + include + include + include + include - capability dac_read_search, - capability net_admin, - capability net_raw, - capability sys_ptrace, + capability dac_read_search, + capability net_admin, + capability net_raw, + capability sys_ptrace, - network inet dgram, - network inet raw, - network inet6 dgram, - network inet6 raw, - network netlink raw, + network inet dgram, + network inet raw, + network inet6 dgram, + network inet6 raw, + network netlink raw, - ptrace read, + ptrace read, - @{exec_path} mr, + @{exec_path} mr, - @{bin}/ r, - @{bin}/cat ix, - @{bin}/env r, - @{bin}/python3.@{int} ix, - @{bin}/sysctl ix, - @{bin}/xtables-legacy-multi ix, - @{bin}/xtables-nft-multi ix, - @{lib}/ufw/ufw-init ix, + @{bin}/ r, + @{bin}/cat ix, + @{bin}/env r, + @{bin}/python3.@{int} ix, + @{bin}/sysctl ix, + @{bin}/xtables-legacy-multi ix, + @{bin}/xtables-nft-multi ix, + @{lib}/ufw/ufw-init ix, - /etc/default/ufw rw, - /etc/ufw/ rw, - /etc/ufw/** rwk, + /etc/default/ufw rw, + /etc/ufw/ rw, + /etc/ufw/** rwk, - @{run}/xtables.lock rwk, - owner @{run}/ufw.lock rwk, + @{run}/xtables.lock rwk, + owner @{run}/ufw.lock rwk, - owner @{tmp}/@{word8} rw, - owner @{tmp}/tmp@{word8} rw, - owner /var/tmp/@{word8} rw, - owner /var/tmp/tmp@{word8} rw, + owner @{tmp}/@{word8} rw, + owner @{tmp}/tmp@{word8} rw, + owner /var/tmp/@{word8} rw, + owner /var/tmp/tmp@{word8} rw, - @{PROC}/@{pid}/fd/ r, - @{PROC}/@{pid}/net/ip_tables_names r, - @{PROC}/@{pid}/stat r, - @{PROC}/sys/net/ipv{4,6}/** rw, - @{PROC}/sys/kernel/modprobe r, + @{PROC}/@{pid}/fd/ r, + @{PROC}/@{pid}/net/ip_tables_names r, + @{PROC}/@{pid}/stat r, + @{PROC}/sys/net/ipv{4,6}/** rw, + @{PROC}/sys/kernel/modprobe r, - include if exists + include if exists } # vim:syntax=apparmor 
diff --git a/apparmor.d/profiles-s-z/update-pciids b/apparmor.d/profiles-s-z/update-pciids index 3d07f75d9..d2e36ead0 100644 --- a/apparmor.d/profiles-s-z/update-pciids +++ b/apparmor.d/profiles-s-z/update-pciids @@ -38,7 +38,7 @@ profile update-pciids @{exec_path} { /usr/share/misc/ r, /usr/share/misc/* rwl -> /usr/share/misc/*, - # For shell pwd + # For shell pwd /root/ r, diff --git a/apparmor.d/profiles-s-z/wechat-universal b/apparmor.d/profiles-s-z/wechat-universal index 31a7f7cde..9d563111a 100644 --- a/apparmor.d/profiles-s-z/wechat-universal +++ b/apparmor.d/profiles-s-z/wechat-universal 
@@ -13,48 +13,48 @@ include @{exec_path} = @{bin}/wechat-universal @{lib_dirs}/wechat profile wechat-universal @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include + include + include + include + include + include + include + include - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, - @{exec_path} mrix, + @{exec_path} mrix, - @{sh_path} rix, - @{lib}/wechat-universal/common.sh ix, - @{bin}/sed ix, - @{bin}/ln ix, - @{bin}/mkdir ix, - @{bin}/lsblk Px, - @{bin}/bwrap rix, - @{bin}/xdg-user-dir rix, - @{lib_dirs}/crashpad_handler ix, - @{open_path} rPx -> child-open-strict, + @{sh_path} rix, + @{lib}/wechat-universal/common.sh ix, + @{bin}/sed ix, + @{bin}/ln ix, + @{bin}/mkdir ix, + @{bin}/lsblk Px, + @{bin}/bwrap rix, + @{bin}/xdg-user-dir rix, + @{lib_dirs}/crashpad_handler ix, + @{open_path} rPx -> child-open-strict, - /etc/lsb-release r, + /etc/lsb-release r, - owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, - owner @{HOME}/.xwechat/{,**} rwk, - owner @{HOME}/.sys1og.conf rw, + owner @{HOME}/@{XDG_DOCUMENTS_DIR}/WeChat_Data/{,**} rwk, + owner @{HOME}/.xwechat/{,**} rwk, + owner @{HOME}/.sys1og.conf rw, - @{att}/@{run}/systemd/inhibit/@{int}.ref rw, - @{run}/utmp r, + @{att}/@{run}/systemd/inhibit/@{int}.ref rw, + @{run}/utmp r, - @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/route r, - /dev/tty rw, + /dev/tty rw, - include if exists + include if exists } # vim:syntax=apparmor diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index bbc871f6c..861908a6b 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet 
@@ -10,54 +10,53 @@ include @{exec_path} += /opt/wemeet/bin/wemeetapp @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { - include - include - include - include - include - include - include - include - include - include + include + include + include + include + include + include + include + include + include + include - network netlink raw, - network netlink dgram, - network inet stream, - network inet dgram, - network inet6 dgram, - network inet6 stream, + network netlink raw, + network netlink dgram, + network inet stream, + network inet dgram, + network inet6 dgram, + network inet6 stream, - @{exec_path} mr, + @{exec_path} mr, - @{sh_path} r, - @{bin}/basename rix, - @{bin}/bwrap rix, - @{bin}/id rix, - @{bin}/mkdir rix, - /opt/wemeet/bin/** rix, + @{sh_path} r, + @{bin}/basename rix, + @{bin}/bwrap rix, + @{bin}/id rix, + @{bin}/mkdir rix, + /opt/wemeet/bin/** rix, - /etc/machine-id r, - /var/cache/ w, + /etc/machine-id r, + /var/cache/ w, - owner @{user_share_dirs}/wemeetapp/ rw, - owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**, + owner @{user_share_dirs}/wemeetapp/ rw, + owner @{user_share_dirs}/wemeetapp/** rwlk -> @{user_share_dirs}/wemeetapp/**, - @{PROC}/ r, - @{PROC}/asound/ r, - @{PROC}/@{pid}/net/route r, - @{PROC}/@{pid}/net/wireless r, - @{PROC}/@{pid}/stat r, - @{PROC}/@{pid}/statm r, - @{PROC}/sys/fs/inotify/max_user_watches r, - owner @{PROC}/@{pid}/cmdline r, + @{PROC}/ r, + @{PROC}/asound/ r, + @{PROC}/@{pid}/net/route r, + @{PROC}/@{pid}/net/wireless r, + @{PROC}/@{pid}/stat r, + @{PROC}/@{pid}/statm r, + @{PROC}/sys/fs/inotify/max_user_watches r, + owner @{PROC}/@{pid}/cmdline r, - /dev/ r, - /dev/tty rw, - /dev/shm/ r, - - include if exists + /dev/ r, + /dev/tty rw, + /dev/shm/ r, + include if exists } # vim:syntax=apparmor From d793858d2611700b53fdaecd6ededa26e93d0200 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Wed, 16 Oct 2024 23:38:04 +0100 Subject: [PATCH 300/315] tests(check): also checks indentation. --- tests/check.sh | 96 +++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 75 insertions(+), 21 deletions(-) diff --git a/tests/check.sh b/tests/check.sh index b63524157..71fc244ab 100644 --- a/tests/check.sh +++ b/tests/check.sh 
@@ -9,50 +9,104 @@ set -eu -o pipefail readonly APPARMORD="apparmor.d" +readonly HEADERS=( + "# apparmor.d - Full set of apparmor profiles" + "# Copyright (C) " + "# SPDX-License-Identifier: GPL-2.0-only" +) + +_die() { + echo " ✗ $*" + exit 1 +} _ensure_header() { local file="$1" - headers=( - "# apparmor.d - Full set of apparmor profiles" - "# Copyright (C) " - "# SPDX-License-Identifier: GPL-2.0-only" - ) - for header in "${headers[@]}"; do + for header in "${HEADERS[@]}"; do if ! grep -q "^$header" "$file"; then - echo "$file does not contain '$header'" - exit 1 + _die "$file does not contain '$header'" fi done } +_ensure_indentation() { + local file="$1" + local in_profile=false + local first_line_after_profile=true + local line_number=0 + + while IFS= read -r line; do + line_number=$((line_number + 1)) + + if [[ "$line" =~ $'\t' ]]; then + _die "$file:$line_number: tabs are not allowed." + fi + + if [[ "$line" =~ ^profile ]]; then + in_profile=true + first_line_after_profile=true + + elif $in_profile; then + if $first_line_after_profile; then + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + if ((num_spaces != 2)); then + _die "$file: profile must have a two-space indentation." + fi + first_line_after_profile=false + + else + local leading_spaces="${line%%[! ]*}" + local num_spaces=${#leading_spaces} + + if ((num_spaces % 2 != 0)); then + ok=false + for offset in 5 11; do + num_spaces=$((num_spaces - offset)) + if ((num_spaces < 0)); then + break + fi + if ((num_spaces % 2 == 0)); then + ok=true + break + fi + done + + if ! $ok; then + _die "$file:$line_number: invalid indentation." + fi + fi + fi + fi + done <"$file" +} + _ensure_include() { local file="$1" local include="$2" if ! grep -q "^ *${include}$" "$file"; then - echo "$file does not contain '$include'" - exit 1 + _die "$file does not contain '$include'" fi } _ensure_abi() { local file="$1" if ! 
grep -q "^ *abi ," "$file"; then - echo "$file does not contain 'abi ,'" - exit 1 + _die "$file does not contain 'abi ,'" fi } _ensure_vim() { local file="$1" if ! grep -q "^# vim:syntax=apparmor" "$file"; then - echo "$file does not contain '# vim:syntax=apparmor'" - exit 1 + _die "$file does not contain '# vim:syntax=apparmor'" fi } check_profiles() { - echo "⋅ Checking if all profiles contain:" + echo " ⋅ Checking if all profiles contain:" echo " - apparmor.d header & license" + echo " - Check indentation: 2 spaces" echo " - 'abi ,'" echo " - 'profile '" echo " - 'include if exists '" @@ -67,19 +121,18 @@ check_profiles() { name="${name/.apparmor.d/}" include="include if exists " _ensure_header "$file" + _ensure_indentation "$file" _ensure_include "$file" "$include" _ensure_abi "$file" _ensure_vim "$file" if ! grep -q "^profile $name" "$file"; then - echo "$name does not contain 'profile $name'" - exit 1 + _die "$name does not contain 'profile $name'" fi mapfile -t subrofiles < <(grep "^ *profile*" "$file" | awk '{print $2}') for subprofile in "${subrofiles[@]}"; do include="include if exists " if ! grep -q "^ *${include}$" "$file"; then - echo "$name: $name//$subprofile does not contain '$include'" - exit 1 + _die "$name: $name//$subprofile does not contain '$include'" fi done done @@ -87,8 +140,9 @@ check_profiles() { } check_abstractions() { - echo "⋅ Checking if all abstractions contain:" + echo " ⋅ Checking if all abstractions contain:" echo " - apparmor.d header & license" + echo " - Check indentation: 2 spaces" echo " - 'abi ,'" echo " - 'include if exists '" echo " - vim:syntax=apparmor" @@ -103,12 +157,12 @@ check_abstractions() { root="${dir/${APPARMORD}\/abstractions\//}" include="include if exists " _ensure_header "$file" + _ensure_indentation "$file" _ensure_include "$file" "$include" _ensure_abi "$file" _ensure_vim "$file" done done - } check_profiles From 49d10c94e450b2701726fed9d8df353b52836e15 Mon Sep 17 00:00:00 2001 
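Review bot: The odd-indentation fallback in the new `_ensure_indentation` accepts almost everything: the branch only runs when `num_spaces` is odd, `num_spaces - 5` is then always even, so `ok=true` for every odd indentation of five or more and only 1 and 3 spaces are rejected; the `11` iteration is never reached, and if it were it would test `n - 16`, because the subtraction is cumulative. If the intent is to allow only specific continuation offsets, spell them out, e.g. `case "$num_spaces" in 7|13) ;; *) _die "$file:$line_number: invalid indentation." ;; esac`, with the list adjusted to the offsets the profiles actually use (the values here are illustrative). `ok` is also assigned without `local` and so leaks out of the function, and the two-space check on the first line after `profile` fails on a blank line because `${line%%[! ]*}` of an empty string has length 0. `_die` prints to stdout; `echo " ✗ $*" >&2` keeps the failure visible when the script's output is piped or captured.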
From: Alexandre Pujol Date: Wed, 16 Oct 2024 23:40:28 +0100 Subject: [PATCH 301/315] chore: ensure app abstraction are not proposed by logprof. --- apparmor.d/abstractions/app/bus | 1 + apparmor.d/abstractions/app/chromium | 1 + apparmor.d/abstractions/app/editor | 1 + apparmor.d/abstractions/app/firefox | 1 + apparmor.d/abstractions/app/kmod | 1 + apparmor.d/abstractions/app/open | 1 + apparmor.d/abstractions/app/pgrep | 1 + apparmor.d/abstractions/app/sudo | 1 + apparmor.d/abstractions/app/systemctl | 1 + apparmor.d/abstractions/app/udevadm | 1 + 10 files changed, 10 insertions(+) diff --git a/apparmor.d/abstractions/app/bus b/apparmor.d/abstractions/app/bus index 4fa0c2c8b..8c7e6e98b 100644 --- a/apparmor.d/abstractions/app/bus +++ b/apparmor.d/abstractions/app/bus @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Minimal set of rules for dbus-send/dbus-launch. diff --git a/apparmor.d/abstractions/app/chromium b/apparmor.d/abstractions/app/chromium index 6bf3f26ed..0bae4e0d2 100644 --- a/apparmor.d/abstractions/app/chromium +++ b/apparmor.d/abstractions/app/chromium @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Full set of rules for all chromium based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the diff --git a/apparmor.d/abstractions/app/editor b/apparmor.d/abstractions/app/editor index 9daec6ad1..9816e7907 100644 --- a/apparmor.d/abstractions/app/editor +++ b/apparmor.d/abstractions/app/editor @@ -2,6 +2,7 @@ # Copyright (C) 2024 Alexandre Pujol # Copyright (C) 2024 Zane Zakraisek # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no abi , diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 2f9c93937..2a2f612b7 100644 
--- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2022-2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Full set of rules for all firefox based browsers. It works as a *function* # and requires some variables to be provided as *arguments* and set in the diff --git a/apparmor.d/abstractions/app/kmod b/apparmor.d/abstractions/app/kmod index ad02acc54..25a0c0c38 100644 --- a/apparmor.d/abstractions/app/kmod +++ b/apparmor.d/abstractions/app/kmod @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no abi , diff --git a/apparmor.d/abstractions/app/open b/apparmor.d/abstractions/app/open index 9ae49c4bd..256eb5a6d 100644 --- a/apparmor.d/abstractions/app/open +++ b/apparmor.d/abstractions/app/open @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Full set of rules for child-open-* profiles. diff --git a/apparmor.d/abstractions/app/pgrep b/apparmor.d/abstractions/app/pgrep index 13ebcd390..211c2710d 100644 --- a/apparmor.d/abstractions/app/pgrep +++ b/apparmor.d/abstractions/app/pgrep @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Minimal set of rules for pgrep/pkill. diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo index 0149cc883..53bb50f31 100644 --- a/apparmor.d/abstractions/app/sudo +++ b/apparmor.d/abstractions/app/sudo @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no # Minimal set of rules for sudo. Interactive sudo need more rules. 
diff --git a/apparmor.d/abstractions/app/systemctl b/apparmor.d/abstractions/app/systemctl index 9f0da659b..38126c968 100644 --- a/apparmor.d/abstractions/app/systemctl +++ b/apparmor.d/abstractions/app/systemctl @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no abi , diff --git a/apparmor.d/abstractions/app/udevadm b/apparmor.d/abstractions/app/udevadm index cba83e1ff..e8414d026 100644 --- a/apparmor.d/abstractions/app/udevadm +++ b/apparmor.d/abstractions/app/udevadm @@ -1,6 +1,7 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2024 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# LOGPROF-SUGGEST: no abi , From a41f85e87b75d7618bab68296e9d4f3cfac63bbc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 16 Oct 2024 23:48:12 +0100 Subject: [PATCH 302/315] chore: fix indentation requirment. --- apparmor.d/abstractions/app-open | 80 +++++++++++----------- apparmor.d/groups/children/user_unconfined | 1 - 2 files changed, 41 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/app-open b/apparmor.d/abstractions/app-open index 900fdc3c8..d257797eb 100644 --- a/apparmor.d/abstractions/app-open +++ b/apparmor.d/abstractions/app-open 
@@ -11,52 +11,54 @@ abi ,
 # Sandbox managers
- @{bin}/bwrap rPUx,
- @{bin}/firejail rPUx,
- @{bin}/flatpak rPx,
- @{bin}/snap rPx,
+ @{bin}/bwrap PUx,
+ @{bin}/firejail PUx,
+ @{bin}/flatpak Px,
+ @{bin}/snap Px,
 # Labeled programs
- @{archive_viewers_path} rPUx,
- @{browsers_path} rPx,
- @{document_viewers_path} rPUx,
- @{emails_path} rPUx,
- @{file_explorers_path} rPx,
- @{help_path} rPx,
- @{image_viewers_path} rPUx,
- @{offices_path} rPUx,
- @{text_editors_path} rPUx,
+ @{archive_viewers_path} PUx,
+ @{browsers_path} Px,
+ @{document_viewers_path} PUx,
+ @{emails_path} PUx,
+ @{file_explorers_path} Px,
+ @{help_path} Px,
+ @{image_viewers_path} PUx,
+ @{offices_path} PUx,
+ @{text_editors_path} PUx,
 # Others
- @{bin}/amule rPx,
- @{bin}/blueman-tray rPx,
- @{bin}/discord{,-ptb} rPx,
- @{bin}/draw.io rPUx,
- @{bin}/dropbox rPx,
- @{bin}/element-desktop rPx,
- @{bin}/extension-manager rPx,
- @{bin}/filezilla rPx,
- @{bin}/flameshot rPx,
- @{bin}/gimp* rPUx,
- @{bin}/gnome-calculator rPUx,
- @{bin}/gnome-disk-image-mounter rPx,
- @{bin}/gnome-disks rPx,
- @{bin}/gnome-software rPx,
- @{bin}/gwenview rPUx,
- @{bin}/kgx rPx,
- @{bin}/qbittorrent rPx,
- @{bin}/qpdfview rPx,
- @{bin}/smplayer rPx,
- @{bin}/steam-runtime rPUx,
- @{bin}/telegram-desktop rPx,
- @{bin}/transmission-gtk rPx,
- @{bin}/viewnior rPUx,
- @{bin}/vlc rPUx,
- @{bin}/xbrlapi rPx,
+ @{bin}/amule Px,
+ @{bin}/blueman-tray Px,
+ @{bin}/discord{,-ptb} Px,
+ @{bin}/draw.io PUx,
+ @{bin}/dropbox Px,
+ @{bin}/element-desktop Px,
+ @{bin}/extension-manager Px,
+ @{bin}/filezilla Px,
+ @{bin}/flameshot Px,
+ @{bin}/gimp* PUx,
+ @{bin}/gnome-calculator PUx,
+ @{bin}/gnome-disk-image-mounter Px,
+ @{bin}/gnome-disks Px,
+ @{bin}/gnome-software Px,
+ @{bin}/gwenview PUx,
+ @{bin}/kgx Px,
+ @{bin}/qbittorrent Px,
+ @{bin}/qpdfview Px,
+ @{bin}/smplayer Px,
+ @{bin}/steam-runtime PUx,
+ @{bin}/telegram-desktop Px,
+ @{bin}/transmission-gtk Px,
+ @{bin}/viewnior PUx,
+ @{bin}/vlc PUx,
+ @{bin}/xbrlapi Px,
#aa:only opensuse - @{lib}/YaST2/** rPUx, + @{lib}/YaST2/** PUx, + # Backup + @{lib}/deja-dup/deja-dup-monitor PUx, include if exists diff --git a/apparmor.d/groups/children/user_unconfined b/apparmor.d/groups/children/user_unconfined index f6e4e835e..db410d6a2 100644 --- a/apparmor.d/groups/children/user_unconfined +++ b/apparmor.d/groups/children/user_unconfined @@ -7,7 +7,6 @@ abi , include profile user_unconfined flags=(attach_disconnected,mediate_deleted) { - capability, network, mount, From c90d2fea94d1f9a8f27c31c7afc9707e28eca765 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 16 Oct 2024 23:50:16 +0100 Subject: [PATCH 303/315] feat(profile): update some ctl tools. --- apparmor.d/groups/systemd/busctl | 1 + apparmor.d/groups/systemd/loginctl | 10 ++++++++-- apparmor.d/groups/systemd/userdbctl | 2 +- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl index d251e9b26..dcb60493e 100644 --- a/apparmor.d/groups/systemd/busctl +++ b/apparmor.d/groups/systemd/busctl @@ -43,6 +43,7 @@ profile busctl @{exec_path} { @{PROC}/@{pid}/comm r, @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/cmdline r, + owner @{PROC}/@{pid}/fdinfo/@{int} r, owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/sessionid r, diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl index 681d1438e..5386662c0 100644 --- a/apparmor.d/groups/systemd/loginctl +++ b/apparmor.d/groups/systemd/loginctl @@ -9,18 +9,24 @@ include @{exec_path} = @{bin}/loginctl profile loginctl @{exec_path} { include + include include - include - include include capability net_admin, capability sys_resource, + signal send set=cont peer=child-pager, + + #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind + @{exec_path} mr, @{pager_path} rPx -> child-pager, + @{PROC}/sys/fs/nr_open r, + owner @{PROC}/@{pid}/cgroup r, + include if exists } 
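Review bot: `@{bin}/transmission-gtk Px,` in the Others list no longer matches the profile it is meant to transition into: the transmission profile updated later in this series attaches to `@{exec_path} = @{bin}/transmission-{gtk,qt}`, so a child-open of `transmission-qt` hits no exec rule here and is denied instead of transitioned; `@{bin}/transmission-{gtk,qt} Px,` would track the profile's attachment. The hunk also drops the `r` permission from every exec rule although the title only mentions indentation; for `Px`/`PUx` the target profile (or unconfined) mediates reads of the binary, so this looks harmless, but the commit message should say the permission change is intentional. The abstraction continues past the hunk.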
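Review bot: Dropping `capability,` from `user_unconfined` leaves no capability grant visible in this hunk, so anything running under this child profile will now be denied (or, in complain mode, logged for) every capability it uses, which is the opposite of what the profile name promises. The removal is unrelated to the `fix indentation requirment` title; if the profile is made unconfined by some other mechanism not shown here, the message should say so, otherwise `capability,` should stay. The profile body continues past the hunk.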
diff --git a/apparmor.d/groups/systemd/userdbctl b/apparmor.d/groups/systemd/userdbctl
index db1a3dda8..0e3a99ba8 100644
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@@ -21,7 +21,7 @@ profile userdbctl @{exec_path} {
 /etc/shadow r,
 /etc/gshadow r,
- @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/cgroup r,
 include if exists
 }
From f993db64b9302ee0d41bde36d66bc5fc949ee65f Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 16 Oct 2024 23:50:46 +0100 Subject: [PATCH 304/315] feat(profile): update fwupd to last release. --- apparmor.d/profiles-a-f/fwupd | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 9ac0e21e6..b6ef68b0a 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -31,6 +31,10 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 capability sys_rawio,
 capability syslog,
+ network inet dgram,
+ network inet stream,
+ network inet6 dgram,
+ network inet6 stream,
 network netlink raw,
 #aa:dbus own bus=system name=org.freedesktop.fwupd path=/
@@ -54,6 +58,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{bin}/gpgsm rCx -> gpg,
 /usr/share/fwupd/{,**} r,
+ /usr/share/hwdata/*.ids r,
 /usr/share/mime/mime.cache r,
 /etc/fwupd/{,**} rw,
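Review bot: The four new `network inet{,6} {dgram,stream},` rules give fwupd unrestricted IPv4/IPv6 socket access in a profile that also holds `capability sys_rawio`, `capability syslog` and, further down, write access to EFI variables, so a compromised daemon now has direct network reach on top of raw hardware access. If the parser and kernel in use support the AppArmor 4 address/port conditionals on network rules, narrow these to the peer ports fwupd actually needs (presumably HTTPS for metadata and firmware downloads); otherwise at least record the reason next to them, e.g. `# Metadata and firmware download from LVFS`. The profile is still in complain mode, so any over-grant here only shows up as log lines for now.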
@@ -83,15 +88,20 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
 @{sys}/**/ r,
 @{sys}/devices/** r,
+ @{sys}/bus/hid/drivers/*/uevent r,
+ @{sys}/bus/usb/drivers/usbhid/uevent r,
 @{sys}/firmware/acpi/** r,
 @{sys}/firmware/dmi/tables/DMI r,
 @{sys}/firmware/dmi/tables/smbios_entry_point r,
 @{sys}/firmware/efi/** r,
- @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
 @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
+ @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
 @{sys}/firmware/efi/efivars/fwupd-* rw,
 @{sys}/kernel/security/lockdown r,
- @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,
+ @{sys}/kernel/security/tpm@{int}/binary_bios_measurements r,
+ @{sys}/module/*/uevent r,
+ @{sys}/module/uhid/uevent r,
+ @{sys}/module/usbhid/uevent r,
 @{sys}/power/mem_sleep r,
 @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
From 4797026e28bac93c0f040cb11e8820aa157e92a2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 16 Oct 2024 23:53:14 +0100 Subject: [PATCH 305/315] feat(profile): update some ui profiles. --- apparmor.d/profiles-s-z/terminator | 2 ++ apparmor.d/profiles-s-z/transmission | 12 ++++++++++++ apparmor.d/profiles-s-z/vlc | 7 +++++++ 3 files changed, 21 insertions(+)
diff --git a/apparmor.d/profiles-s-z/terminator b/apparmor.d/profiles-s-z/terminator
index e72588420..e5a8f80d9 100644
--- a/apparmor.d/profiles-s-z/terminator
+++ b/apparmor.d/profiles-s-z/terminator
@@ -23,6 +23,8 @@ profile terminator @{exec_path} flags=(attach_disconnected) {
 ptrace,
+ signal send set=hup peer=unconfined,
+
 #aa:dbus own bus=session name=net.tenshu.Terminator@{hex}
 @{exec_path} mr,
diff --git a/apparmor.d/profiles-s-z/transmission b/apparmor.d/profiles-s-z/transmission
index ff3373a2c..a6ccb7e2d 100644
--- a/apparmor.d/profiles-s-z/transmission
+++ b/apparmor.d/profiles-s-z/transmission
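Review bot: `@{sys}/module/uhid/uevent r,` and `@{sys}/module/usbhid/uevent r,` are fully subsumed by the `@{sys}/module/*/uevent r,` added directly above them, so the two specific rules are dead and should be dropped to keep the rule set readable. The profile body continues past the hunk.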
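Review bot: `signal send set=hup peer=unconfined,` lets terminator deliver SIGHUP to any unconfined process on the system, not only the shells it spawned, and the rule carries no comment saying why it is that broad. If the reason is that the child shells run unconfined (which would make this the narrowest rule AppArmor can express), record it, e.g. `# Hang up the unconfined shells it spawned on window close`; if the shells are instead confined under a child profile, a `peer=` naming that profile would be tighter. The profile body continues past the hunk.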
@@ -9,6 +9,11 @@ include
 @{exec_path} = @{bin}/transmission-{gtk,qt}
 profile transmission @{exec_path} {
 include
+ include
+ include
+ include
+ include
+ include
 include
 include
 include
@@ -23,12 +28,18 @@ profile transmission @{exec_path} {
 network inet6 stream,
 network netlink raw,
+ #aa:dbus own bus=session name=com.transmissionbt.Transmission
+ #aa:dbus own bus=session name=com.transmissionbt.transmission_*
+ #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+
 @{exec_path} mr,
 @{open_path} rPx -> child-open,
 /usr/share/transmission/{,**} r,
+ owner @{HOME}/ r,
+
 owner @{user_torrents_dirs}/ r,
 owner @{user_torrents_dirs}/** rw,
@@ -48,6 +59,7 @@ profile transmission @{exec_path} {
 owner @{PROC}/@{pid}/comm r,
 owner @{PROC}/@{pid}/mountinfo r,
 owner @{PROC}/@{pid}/mounts r,
+ owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 deny @{user_share_dirs}/gvfs-metadata/* r,
diff --git a/apparmor.d/profiles-s-z/vlc b/apparmor.d/profiles-s-z/vlc
index fabde247b..d572ce9b8 100644
--- a/apparmor.d/profiles-s-z/vlc
+++ b/apparmor.d/profiles-s-z/vlc
@@ -75,6 +75,13 @@ profile vlc @{exec_path} {
 @{run}/mount/utab r,
+ @{sys}/devices/virtual/dmi/id/board_name r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_version r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_version r,
+ @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
 /dev/shm/#@{int} rw,
 /dev/snd/ r,
 /dev/tty r,
From d406596124d53c552dc8e093ebf14b95ed8c7aaa Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Wed, 16 Oct 2024 23:58:48 +0100 Subject: [PATCH 306/315] tests: small fixes on builders scripts. --- dists/docker.sh | 9 +++++---- tests/packer/builds.pkr.hcl | 5 ++--- tests/packer/init/init.sh | 20 ++++++++++---------- tests/packer/src/aa-update | 6 ++++-- 4 files changed, 21 insertions(+), 19 deletions(-)
diff --git a/dists/docker.sh b/dists/docker.sh
index e0cb64431..4dd958759 100644
--- a/dists/docker.sh
+++ b/dists/docker.sh
@@ -12,7 +12,8 @@ readonly PREFIX="builder-"
 readonly PKGNAME=apparmor.d
 readonly VOLUME=/tmp/build
 readonly BUILDIR=/home/build/tmp
-readonly OUTPUT=".pkg"
+readonly OUTDIR=".pkg"
+readonly OUTPUT="$PWD/$OUTDIR"
 readonly COMMAND="$1"
 VERSION="0.$(git rev-list --count HEAD)"
 PACKAGER="$(git config user.name) <$(git config user.email)>"
@@ -63,7 +64,7 @@ build_in_docker_makepkg() {
 fi
 docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh pkg
- mv "$VOLUME/$PKGNAME"-*.pkg.* "$OUTPUT"
+ mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME"-*.pkg.* "$OUTPUT"
 }
 build_in_docker_dpkg() {
@@ -86,7 +87,7 @@ build_in_docker_dpkg() {
 fi
 docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh dpkg
- mv "$VOLUME/$PKGNAME/${PKGNAME}_${VERSION}-1"_*.* "$OUTPUT"
+ mv "$VOLUME/$PKGNAME/$OUTDIR/${PKGNAME}_${VERSION}-1"_*.* "$OUTPUT"
 }
 build_in_docker_rpm() {
@@ -105,7 +106,7 @@ build_in_docker_rpm() {
 fi
 docker exec --workdir="$BUILDIR/$PKGNAME" "$img" bash dists/build.sh rpm
- mv "$VOLUME/$PKGNAME/$PKGNAME-$VERSION-"*.rpm "$OUTPUT"
+ mv "$VOLUME/$PKGNAME/$OUTDIR/$PKGNAME-$VERSION-"*.rpm "$OUTPUT"
 }
 main() {
diff --git a/tests/packer/builds.pkr.hcl b/tests/packer/builds.pkr.hcl
index c658a8bfd..1c16a6b84 100644
--- a/tests/packer/builds.pkr.hcl
+++ b/tests/packer/builds.pkr.hcl
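Review bot: `readonly OUTPUT="$PWD/$OUTDIR"` is resolved from the caller's working directory and nothing in the script creates it, so when `.pkg` does not exist in the cwd the later `mv … "$OUTPUT"` either fails (several artifacts) or silently renames a single artifact to a file literally named `.pkg`. Anchor the path on the repository instead of the cwd and create it before moving, e.g. `readonly OUTPUT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)/$OUTDIR"` plus `mkdir -p "$OUTPUT"` ahead of each `mv`. If the script does not run under `set -e` (none is visible here), a failed `mv` would not even stop `main`. The three build functions and `main` continue outside the hunks.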
@@ -29,18 +29,17 @@ build {
 provisioner "file" {
 only = ["qemu.opensuse"]
 destination = "/tmp/src/"
- sources = ["${path.cwd}/../apparmor.d-${var.version}-1.x86_64.rpm"]
+ sources = ["${path.cwd}/../.pkg/apparmor.d-${var.version}-1.x86_64.rpm"]
 }
 provisioner "file" {
 only = ["qemu.debian", "qemu.ubuntu22", "qemu.ubuntu24"]
 destination = "/tmp/src/"
- sources = ["${path.cwd}/../apparmor.d_${var.version}-1_amd64.deb"]
+ sources = ["${path.cwd}/../.pkg/apparmor.d_${var.version}-1_amd64.deb"]
 }
 # Wait for cloud-init to finish
 provisioner "shell" {
- except = ["qemu.opensuse"]
 execute_command = "echo '${var.password}' | sudo -S sh -c '{{ .Vars }} {{ .Path }}'"
 inline = [
 "while [ ! -f /var/lib/cloud/instance/boot-finished ]; do echo 'Waiting for Cloud-Init...'; sleep 20; done",
diff --git a/tests/packer/init/init.sh b/tests/packer/init/init.sh
index 495d2f2a5..df300c0c4 100644
--- a/tests/packer/init/init.sh
+++ b/tests/packer/init/init.sh
@@ -15,6 +15,16 @@ readonly SRC=/tmp/src
 readonly DISTRIBUTION
 main() {
+ install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/"
+ install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases"
+ install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml"
+ install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc"
+ install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local
+ install -Dm0755 $SRC/aa-update /usr/bin/aa-update
+ install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean
+ cat $SRC/parser.conf >>/etc/apparmor/parser.conf
+ chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/"
+
 case "$DISTRIBUTION" in
 arch)
 pacman --noconfirm -U $SRC/*.pkg.tar.zst
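Review bot: Removing `except = ["qemu.opensuse"]` makes the cloud-init wait run on the openSUSE image as well, and the `while [ ! -f /var/lib/cloud/instance/boot-finished ]; do …; sleep 20; done` loop has no upper bound, so a guest that never writes that marker (an image without cloud-init, or one whose boot fails early) hangs the packer build forever rather than failing. Bound the wait, e.g. `for _ in $(seq 1 30); do [ -f /var/lib/cloud/instance/boot-finished ] && break; echo 'Waiting for Cloud-Init...'; sleep 20; done`, and exit non-zero if the marker is still absent afterwards. The `inline` list and the provisioner block continue past the hunk.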
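Review bot: The block moved to the top of `main` still assumes `$SUDO_USER` is set: run as root without sudo, every `/home/$SUDO_USER/…` path collapses to `/home/…` and `install -o "" -g ""` fails with an unhelpful error, so guard it up front with `: "${SUDO_USER:?run this script through sudo}"`. `cat $SRC/parser.conf >>/etc/apparmor/parser.conf` also appends unconditionally, so re-running the script duplicates the entries; and since the reorder now runs it before the package install, if that ordering is deliberate (presumably the package step needs the parser options already present) a one-line comment would stop the next reader from moving it back. `main` continues past the hunk.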
@@ -35,16 +45,6 @@ main() {
 ;;
 esac
-
- install -dm0750 -o "$SUDO_USER" -g "$SUDO_USER" "/home/$SUDO_USER/Projects/" "/home/$SUDO_USER/Projects/apparmor.d" "/home/$SUDO_USER/.config/"
- install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/.bash_aliases "/home/$SUDO_USER/.bash_aliases"
- install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/monitors.xml "/home/$SUDO_USER/.config/monitors.xml"
- install -Dm0644 -o "$SUDO_USER" -g "$SUDO_USER" $SRC/htoprc "/home/$SUDO_USER/.config/htop/htoprc"
- install -Dm0644 $SRC/site.local /etc/apparmor.d/tunables/multiarch.d/site.local
- install -Dm0755 $SRC/aa-update /usr/bin/aa-update
- install -Dm0755 $SRC/aa-log-clean /usr/bin/aa-log-clean
- cat $SRC/parser.conf >>/etc/apparmor/parser.conf
- chown -R "$SUDO_USER:$SUDO_USER" "/home/$SUDO_USER/.config/"
 }
 main "$@"
diff --git a/tests/packer/src/aa-update b/tests/packer/src/aa-update
index 747d0101b..9a326305d 100644
--- a/tests/packer/src/aa-update
+++ b/tests/packer/src/aa-update
@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -eu
-export BUILDDIR=/tmp/build/ PKGDEST=/tmp/pkg
+export BUILDDIR=/tmp/build/
 # shellcheck source=/dev/null
 _lsb_release() {
@@ -20,6 +20,8 @@ debian | ubuntu | whonix)
 make dpkg
 sudo rm -rf debian/.debhelper/
 ;;
-opensuse*) make rpm ;;
+opensuse*)
+ make rpm
+ ;;
 *) ;;
 esac
From b8c052201b1bbbe3c27e4cfbb0dafba6e672fb74 Mon Sep 17 00:00:00 2001 From: Grimmauld Date: Thu, 17 Oct 2024 22:33:54 +0200 Subject: [PATCH 307/315] YubiKey support for sudo - the yubikey is a u2f usb device, so usb abstraction is required - the authentication with yubikey against sudo happens as challenge response, which is why rw on the challenge file is required - the elevator first checks whether a .yubico folder exists, which is why reading the folder (but not the files within) is required --- apparmor.d/abstractions/app/sudo | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/apparmor.d/abstractions/app/sudo b/apparmor.d/abstractions/app/sudo
index 53bb50f31..b83c2d166 100644
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@@ -12,6 +12,7 @@ include
 include
 include
+ include
 capability audit_write,
 capability dac_override,
@@ -51,6 +52,10 @@ owner @{HOME}/.sudo_as_admin_successful rw,
+ # yubikey support
+ owner @{HOME}/.yubico/challenge-* rw,
+ @{HOME}/.yubico/ r,
+
 @{run}/faillock/ rw,
 @{run}/faillock/@{user} rwk,
 owner @{run}/sudo/ rw,
From 2f968f4221e134b2335a088a77d9bf6972e25050 Mon Sep 17 00:00:00 2001 From: odomingao Date: Wed, 2 Oct 2024 11:15:43 -0300 Subject: [PATCH 308/315] Create extensions --- apparmor.d/tunables/multiarch.d/extensions | 25 ++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 apparmor.d/tunables/multiarch.d/extensions
diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions
new file mode 100644
index 000000000..5f83f0a5e
--- /dev/null
+++ b/apparmor.d/tunables/multiarch.d/extensions
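Review bot: `@{HOME}/.yubico/ r,` carries no `owner` qualifier while the sibling `owner @{HOME}/.yubico/challenge-* rw,` does, and because `@{HOME}` spans every home directory and this abstraction is pulled into every profile that includes it, the rule lets all of those profiles list any user's `~/.yubico/` directory. If the directory-existence check described in the commit message happens before the PAM module drops privileges (which would explain why `owner` cannot be used there), say so next to the rule, e.g. `# directory check runs as root before pam_yubico drops privileges, so no owner`; otherwise make it `owner @{HOME}/.yubico/ r,` for consistency. The rule list continues past the hunk.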
@@ -0,0 +1,25 @@ +@{package_ext} = abb apk appx appxbundle emsix emsixbundle msix msixbundle deb crx jar msi pacman pkg mpkg pkg.tar pkg.tar.zst tgz rpm + +@{diskimage_ext} = adf adz bwt cif cue cdi b5t b6t daa dmg dms dsk d64 img iso img ima nrg mdf mds mdx partimg sdi wim swm esd + +@{archive_ext} = ?q? ?z? ??_ 7z s7z a ar aar ace afa alz arc arj bar b1 b6z ba bh br bz2 cab car cdx cfs cpio dar dgc ear gca gz genozip ha hki io kgb lz lzma lzo ice lbr lha lzh lzx mar pak paq@{int} lpaq@{int} par par2 pax pea phar pim pit pka pma pst qda rar r@{int} rk run rz sbx sda sea sen sfark sfx shar shk sit sitx sqs sz tar tar.z tar.bz2 tar.gz tgz tar.lz tar.lzma tlz tar.xz txz tar.zst uc uc0 uc2 ucn ur2 ue2 uca uha war xar xp3 xz yz1 z zip zipx zpaq zoo zst zz @{diskimage_ext} @{package_ext} + +@{audio_ext} = adts aac ass ac3 amr awb acn aal atx at3 aa3 omg au snd dls evc evb enw evw lbc l16 mhas mxmf m4a mp3 mpga mp1 mp2 oga ogg opus spx sid psid qcp smv sofa loas xhe koz uva uvva eol mlp dts dtshd plj lvp pya vbk ecelp4800 ecelp7470 ecelp9600 multitrack rip smp3 smp s1m mid midi kar aif aiff aifc axa flac mka mod ult uni m15 mtm 669 med m3u wax wma ram rm ra s3m stm wav + +@{lyrics_ext} = lrc lyric + +@{video_ext} = 3gp 3gpp 3g2 3gpp2 m4s mj2 mjp2 mp4 mpg4 m4v mpeg mpg mpe m1v m2v ogv mov qt uvh uvvh uvm uvvm uvu uvvu uvp uvvp uvs uvvs uvv uvvv dvb fvt mxu m4u pyv nim bik bk2 smk smpg s11 s14 sswf ssw smov smo s1q yt viv webm axv flv fxm mkv mk3d asx wm wmv wmx wvx avi movie + +@{subtitles_ext} = aqt ass gsub usf pac pjs psb rt sbv smi srt ssa ssf stl sub ttml ttxt vtt + +@{image_ext} = exr avci avcs avif hif bmp dib cgm drle dpx emf fits fit fts heic heics heif heifs hej2 hsj2 gif ief jls jp2 jpg2 jph jhc jpg jpeg jpe jfif jpm jpgm jpx jpf jxl jxr jxra jxrs jxs jxsc jxsi jxss ktx ktx2 png btif btf pti svg svgz t38 tiff tif tfx psd psdc azv uvi uvvi uvg uvvg djvu djv dwg dxf fbs fpx fst mmr rlc pgb ico apng mdi b16 hdr rgbe xyze spng spn s1n sgif sgi s1g sjpg sjp s1j tap 
vtf wbmp xif pcx wmf webp ras pnm pbm pgm ppm rgb tga xcf xbm xpm xwd + +@{model_ext} = glb gltf jt igs iges msh mesh silo mtl obj stpx stpxz stl u3d bary cld dae dwf gld gsm win dor lmp rsm msm ism gtw moml mts ogex x_b xmt_bin x_t xmt_txt pyo pyox vds usda usdz bsp vtu wrl vrml x3db x3dv x3dvz + +@{font_ext} = ttc ttf otf woff woff2 + +@{document_ext} = adx cdf doc docm docx dot dotx fni fodg fodp fods fodt info mdi odb odc odf odg odi odm odp ods odt otc otf otg oth oti otp ots ott oxt pages pdf stc std sti stw sxc sxd sxgsxi sxm sxw xps xodt xott xodp xotp xods xots pptx ppts xls xlsb xlsm xlsx tex texinfo texi latex + +@{text_ext} = appcache manifest ics ifb cql css csv csvs soa zone gff3 html htm js mjs cnd markdown md miz n3 txt asc text pm el c h cc hh cxx hxx f90 conf log provn rst tag dsc rtx sgml sgm shaclc shc shex spdx tsv t tr roff ttl uris uri vcf vcard a abc ascii copyright dms sub jtd vfk ged flt fly flx gv dot hans hgl 3dml 3dm spot spo mpf ccc mc2 uric jad sos ts si sl wml wmls vtt wgsl xml xsd rng ent sandboxed pod etx + +# vim:syntax=apparmor From 7f83fe45be842569ece3b569ac89c980d9c00963 Mon Sep 17 00:00:00 2001 From: odomingao Date: Sun, 6 Oct 2024 22:25:59 -0300 Subject: [PATCH 309/315] Add capital letters --- apparmor.d/tunables/multiarch.d/extensions | 48 ++++++++++++++++------ 1 file changed, 36 insertions(+), 12 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index 5f83f0a5e..85a6e8b5e 100644 --- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions 
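Review bot: `@{archive_ext}` opens with `?q? ?z? ??_`, which in AppArmor syntax are globs rather than extensions: `?q?` matches any three-character suffix with `q` in the middle (`.sql`, `.aqt`, …), `?z?` matches `.azw`, `.bzl`, `.xzp`, … and `??_` any three-character suffix ending in `_`, so every rule written as `*.@{archive_ext}` silently covers files that are not archives; if these are meant to stand for the squeeze/crunch/Microsoft-compressed naming conventions, list the concrete suffixes intended instead. `sxgsxi` in `@{document_ext}` is two entries fused (`sxg sxi`), `img` appears twice in `@{diskimage_ext}`, and `tgz`, `ass`, `otf`, `mdi`, `vtt`, `sub`, `dot`, `stl` and `dms` each appear in two different variables, which the parser tolerates but which deserves a comment so the overlap is not taken for a mistake. Comment-only lists of lowercase names are later turned into character classes in this series, so catching the typos here avoids propagating them.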
@@ -1,25 +1,49 @@ -@{package_ext} = abb apk appx appxbundle emsix emsixbundle msix msixbundle deb crx jar msi pacman pkg mpkg pkg.tar pkg.tar.zst tgz rpm +# abb apk appx appxbundle emsix emsixbundle msix msixbundle deb crx jar msi pacman pkg mpkg pkg.tar pkg.tar.zst tgz rpm -@{diskimage_ext} = adf adz bwt cif cue cdi b5t b6t daa dmg dms dsk d64 img iso img ima nrg mdf mds mdx partimg sdi wim swm esd +@{package_ext} = [aA][aA][bB][bB] [aA][pP][kK] [aA][pP][pP][xX] [aA][pP][pP][xX][bB][uU][nN][dD][lL][eE] [eE][mM][sS][iI][xX] [eE][mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] [mM][sS][iI][xX] [mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] [dD][eE][bB] [cC][rR][xX] [jJ][aA][rR] [mM][sS][iI] [pP][aA][cC][mM][aA][nN] [pP][kK][gG] [mM][pP][kK][gG] [pP][kK][gG].[tT][aA][rR] [pP][kK][gG].[tT][aA][rR].[zZ][sS][tT] [tT][gG][zZ] [rR][pP][mM] -@{archive_ext} = ?q? ?z? ??_ 7z s7z a ar aar ace afa alz arc arj bar b1 b6z ba bh br bz2 cab car cdx cfs cpio dar dgc ear gca gz genozip ha hki io kgb lz lzma lzo ice lbr lha lzh lzx mar pak paq@{int} lpaq@{int} par par2 pax pea phar pim pit pka pma pst qda rar r@{int} rk run rz sbx sda sea sen sfark sfx shar shk sit sitx sqs sz tar tar.z tar.bz2 tar.gz tgz tar.lz tar.lzma tlz tar.xz txz tar.zst uc uc0 uc2 ucn ur2 ue2 uca uha war xar xp3 xz yz1 z zip zipx zpaq zoo zst zz @{diskimage_ext} @{package_ext} +# adf adz bwt cif cue cdi b5t b6t daa dmg dms dsk d64 iso img ima nrg mdf mds mdx partimg sdi wim swm esd -@{audio_ext} = adts aac ass ac3 amr awb acn aal atx at3 aa3 omg au snd dls evc evb enw evw lbc l16 mhas mxmf m4a mp3 mpga mp1 mp2 oga ogg opus spx sid psid qcp smv sofa loas xhe koz uva uvva eol mlp dts dtshd plj lvp pya vbk ecelp4800 ecelp7470 ecelp9600 multitrack rip smp3 smp s1m mid midi kar aif aiff aifc axa flac mka mod ult uni m15 mtm 669 med m3u wax wma ram rm ra s3m stm wav +@{diskimage_ext} = [aA][dD][fF] [aA][dD][zZ] [bB][wW][tT] [cC][iI][fF] [cC][uU][eE] [cC][dD][iI] [bB]5[tT] [bB]6[tT] [dD][aA][aA] [dD][mM][gG] [dD][mM][sS] 
[dD][sS][kK] [dD]64 [iI][sS][oO] [iI][mM][gG] [iI][mM][aA] [nN][rR][gG] [mM][dD][fF] [mM][dD][sS] [mM][dD][xX] [pP][aA][rR][tT][iI][mM][gG] [sS][dD][iI] [wW][iI][mM] [sS][wW][mM] [eE][sS][dD] -@{lyrics_ext} = lrc lyric +# ?q? ?z? ??_ 7z s7z a ar aar ace afa alz arc arj bar b1 b6z ba bh br bz2 cab car cdx cfs cpio dar dgc ear gca gz genozip ha hki io kgb lz lzma lzo ice lbr lha lzh lzx mar pak paq@{int} lpaq@{int} par par2 pax pea phar pim pit pka pma pst qda rar r@{int} rk run rz sbx sda sea sen sfark sfx shar shk sit sitx sqs sz tar tar.z tar.bz2 tar.gz tgz tar.lz tar.lzma tlz tar.xz txz tar.zst uc uc0 uc2 ucn ur2 ue2 uca uha war xar xp3 xz yz1 z zip zipx zpaq zoo zst zz @{diskimage_ext} @{package_ext} -@{video_ext} = 3gp 3gpp 3g2 3gpp2 m4s mj2 mjp2 mp4 mpg4 m4v mpeg mpg mpe m1v m2v ogv mov qt uvh uvvh uvm uvvm uvu uvvu uvp uvvp uvs uvvs uvv uvvv dvb fvt mxu m4u pyv nim bik bk2 smk smpg s11 s14 sswf ssw smov smo s1q yt viv webm axv flv fxm mkv mk3d asx wm wmv wmx wvx avi movie +@{archive_ext} = ?[qQ]? ?[zZ]? 
??_ 7[zZ] [sS]7[zZ] [aA] [aA][rR] [aA][aA][rR] [aA][cC][eE] [aA][fF][aA] [aA][lL][zZ] [aA][rR][cC] [aA][rR][jJ] [bB][aA][rR] [bB]1 [bB]6[zZ] [bB][aA][hH] [bB][rR] [bB][zZ]2 [cC][aA][bB] [cC][aA][rR] [cC][dD][xX] [cC][fF][sS] [cC][pP][iI][oO] [dD][aA][rR] [dD][gG][cC] [eE][aA][rR] [gG][cC][aA] [gG][zZ] [gG][eE][nN][oO][zZ][iI][pP] [hH][aA] [hH][kK][iI] [iI][oO] [kK][gG][bB] [lL][zZ] [lL][zZ][mM][aA] [lL][zZ][oO] [iI][cC][eE] [lL][bB][rR] [lL][hH][aA] [lL][zZ][hH] [lL][zZ][xX] [mM][aA][rR] [pP][aA][kK] [pP][aA][qQ]@{int} [lL][pP][aA][qQ]@{int} [pP][aA][rR] [pP][aA][rR]2 [pP][aA][xX] [pP][eE][aA] [pP][hH][aA][rR] [pP][iI][mM] [pP][iI][tT] [pP][kK][aA] [pP][mM][aA] [pP][sS][tT] [qQ][dD][aA] [rR][aA][rR] [rR]@{int} [rR][kK] [rR][uU][nN] [rR][zZ] [sS][bB][xX] [sS][dD][aA] [sS][eE][aA] [sS][eE][nN] [sS][fF][aA][rR][kK] [sS][fF][xX] [sS][hH][aA][rR] [sS][hH][kK] [sS][iI][tT] [sS][iI][tT][xX] [sS][qQ][sS] [sS][zZ] [tT][aA][rR] [tT][aA][rR].[zZ] [tT][aA][rR].[bB][zZ]2 [tT][aA][rR].[gG][zZ] [tT][gG][zZ] [tT][aA][rR].[lL][zZ] [tT][aA][rR].[lL][zZ][mM][aA] [tT][lL][zZ] [tT][aA][rR].[xX][zZ] [tT][xX][zZ] [tT][aA][rR].[zZ][sS][tT] [uU][cC] [uU][cC]0 [uU][cC]2 [uU][cC][nN] [uU][rR]2 [uU][eE]2 [uU][cC][aA] [uU][hH][aA] [wW][aA][rR] [xX][aA][rR] [xX][pP]3 [xX][zZ] [yY][zZ]1 [zZ][iI][pP] [zZ][iI][pP][xX] [zZ][pP][aA][qQ] [zZ][oO][oO] [zZ][sS][tT] [zZ][zZ] @{diskimage_ext} @{package_ext} -@{subtitles_ext} = aqt ass gsub usf pac pjs psb rt sbv smi srt ssa ssf stl sub ttml ttxt vtt +# alac adts aac ass ac3 amr awb acn aal atx at3 aa3 omg au snd dls evc evb enw evw lbc l16 mhas mxmf m4a mp3 mpga mp1 mp2 oga ogg opus spx sid psid qcp smv sofa loas xhe koz uva uvva eol mlp dts dtshd plj lvp pya vbk ecelp4800 ecelp7470 ecelp9600 multitrack rip smp3 smp s1m mid midi kar aif aiff aifc axa flac mka mod ult uni m15 mtm 669 med m3u wax wma ram rm ra s3m stm wav -@{image_ext} = exr avci avcs avif hif bmp dib cgm drle dpx emf fits fit fts heic heics heif heifs hej2 hsj2 gif ief jls jp2 jpg2 jph 
jhc jpg jpeg jpe jfif jpm jpgm jpx jpf jxl jxr jxra jxrs jxs jxsc jxsi jxss ktx ktx2 png btif btf pti svg svgz t38 tiff tif tfx psd psdc azv uvi uvvi uvg uvvg djvu djv dwg dxf fbs fpx fst mmr rlc pgb ico apng mdi b16 hdr rgbe xyze spng spn s1n sgif sgi s1g sjpg sjp s1j tap vtf wbmp xif pcx wmf webp ras pnm pbm pgm ppm rgb tga xcf xbm xpm xwd +@{audio_ext} = [aA][lL][aA][cC] [aA][dD][tT][sS] [aA][aA][cC] [aA][sS][sS] [aA][cC]3 [aA][mM][rR] [aA][wW][bB] [aA][cC][nN] [aA][aA][lL] [aA][tT][xX] [aA][aA]3 [oO][mM][gG] [aA][uU] [sS][nN][dD] [dD][lL][sS] [eE][vV][cC] [eE][vV][bB] [eE][nN][wW] [eE][vV][wW] [lL][bB][cC] [lL]16 [mM][hH][aA][sS] [mM][xX][mM][fF] [mM]4[aA] [mM][pP]3 [mM][pP][gG][aA] [mM][pP]1 [mM][pP]2 [oO][gG][aA] [oO][gG] [oO][pP][uU][sS] [sS][pP][xX] [sS][iI][dD] [pP][sS][iI][dD] [qQ][cC][pP] [sS][mM][vV] [sS][oO][fF][aA] [lL][oO][aA][sS] [xX][hH][eE] [kK][oO][zZ] [uU][vV][aA] [uU][vV][vV][aA] [eE][oO][lL] [mM][lL][pP] [dD][tT][sS] [dD][tT][sS][hH][dD] [pP][lL][jJ] [lL][vV][pP] [pP][yY][aA] [vV][bB][kK] [eE][cC][eE][lL][pP]4800 [eE][cC][eE][lL][pP]7470 [eE][cC][eE][lL][pP]9600 [mM][uU][lL][tT][iI][tT][rR][aA][cC][kK] [rR][iI][pP] [sS][mM][pP]3 [sS][mM][pP] [sS]1[mM] [mM][iI][dD] [mM][iI][dD][iI] [kK][aA][rR] [aA][iI][fF] [aA][iI][fF][fF] [aA][iI][fF][cC] [aA][xX][aA] [fF][lL][aA][cC] [mM][kK][aA] [mM][oO][dD] [uU][lL][tT] [uU][nN][iI] [mM]15 [mM][tT][mM] 669 [mM][eE][dD] [mM]3[uU] [wW][aA][xX] [wW][mM][aA] [rR][aA][mM] [rR][mM] [rR][aA] [sS]3[mM] [sS][tT][mM] [wW][aA][vV] -@{model_ext} = glb gltf jt igs iges msh mesh silo mtl obj stpx stpxz stl u3d bary cld dae dwf gld gsm win dor lmp rsm msm ism gtw moml mts ogex x_b xmt_bin x_t xmt_txt pyo pyox vds usda usdz bsp vtu wrl vrml x3db x3dv x3dvz +# lrc lyric -@{font_ext} = ttc ttf otf woff woff2 +@{lyrics_ext} = [lL][rR][cC] [lL][yY][rR][iI][cC] -@{document_ext} = adx cdf doc docm docx dot dotx fni fodg fodp fods fodt info mdi odb odc odf odg odi odm odp ods odt otc otf otg oth oti otp ots ott oxt pages pdf stc 
std sti stw sxc sxd sxgsxi sxm sxw xps xodt xott xodp xotp xods xots pptx ppts xls xlsb xlsm xlsx tex texinfo texi latex +# 3gp 3gpp 3g2 3gpp2 m4s mj2 mjp2 mp4 mpg4 m4v mpeg mpg mpe m1v m2v ogv mov qt uvh uvvh uvm uvvm uvu uvvu uvp uvvp uvs uvvs uvv uvvv dvb fvt mxu m4u pyv nim bik bk2 smk smpg s11 s14 sswf ssw smov smo s1q yt viv webm axv flv fxm mkv mk3d asx wm wmv wmx wvx avi movie -@{text_ext} = appcache manifest ics ifb cql css csv csvs soa zone gff3 html htm js mjs cnd markdown md miz n3 txt asc text pm el c h cc hh cxx hxx f90 conf log provn rst tag dsc rtx sgml sgm shaclc shc shex spdx tsv t tr roff ttl uris uri vcf vcard a abc ascii copyright dms sub jtd vfk ged flt fly flx gv dot hans hgl 3dml 3dm spot spo mpf ccc mc2 uric jad sos ts si sl wml wmls vtt wgsl xml xsd rng ent sandboxed pod etx +@{video_ext} = 3[gG][pP] 3[gG][pP][pP] 3[gG]2 3[gG][pP][pP]2 [mM]4[sS] [mM][jJ]2 [mM][jJ][pP]2 [mM][pP]4 [mM][pP][gG]4 [mM]4[vV] [mM][pP][eE][gG] [mM][pP][gG] [mM][pP][eE] [mM]1[vV] [mM]2[vV] [oO][gG][vV] [mM][oO][vV] [qQ][tT] [uU][vV][hH] [uU][vV][vV][hH] [uU][vV][mM] [uU][vV][vV][mM] [uU][vV][uU] [uU][vV][vV][uU] [uU][vV][pP] [uU][vV][vV][pP] [uU][vV][sS] [uU][vV][vV][sS] [uU][vV][vV][vV] [dD][vV][bB] [fF][vV][tT] [mM][xX][uU] [mM]4[uU] [pP][yY][vV] [nN][iI][mM] [bB][iI][kK] [bB][kK]2 [sS][mM][kK] [sS][mM][pP][gG] [sS]11 [sS]14 [sS][sS][wW][fF] [sS][sS][mM][oO][vV] [sS][mM][oO] [sS]1[qQ] [yY][tT] [vV][iI][vV] [wW][eE][bB][mM] [aA][xX][vV] [fF][lL][vV] [fF][xX][mM] [mM][kK][vV] [mM][kK]3[dD] [aA][sS][xX] [wW][mM] [wW][mM][vV] [wW][mM][xX] [wW][vV][xX] [aA][vV][iI] [mM][oO][vV][iI][eE] + +# aqt ass gsub usf pac pjs psb rt sbv smi srt ssa ssf stl sub ttml ttxt vtt + +@{subtitles_ext} = [aA][qQ][tT] [aA][sS][sS] [gG][sS][uU][bB] [uU][sS][fF] [pP][aA][cC] [pP][jJ][sS] [pP][sS][bB] [rR][tT] [sS][bB][vV] [sS][mM][iI] [sS][rR][tT] [sS][sS][aA] [sS][sS][fF] [sS][tT][lL] [sS][uU][bB] [tT][t][mM][lL] [tT][t][xX][tT] [vV][tT][t] + +# exr avci avcs avif hif bmp dib cgm drle dpx 
emf fits fit fts heic heics heif heifs hej2 hsj2 gif ief jls jp2 jpg2 jph jhc jpg jpeg jpe jfif jpm jpgm jpx jpf jxl jxr jxra jxrs jxs jxsc jxsi jxss ktx ktx2 png btif btf pti svg svgz t38 tiff tif tfx psd psdc azv uvi uvvi uvg uvvg djvu djv dwg dxf fbs fpx fst mmr rlc pgb ico apng mdi b16 hdr rgbe xyze spng spn s1n sgif sgi s1g sjpg sjp s1j tap vtf wbmp xif pcx wmf webp ras pnm pbm pgm ppm rgb tga xcf xbm xpm xwd + +@{image_ext} = [eE][xX][rR] [aA][vV][cC][iI] [aA][vV][cC][sS] [aA][vV][iI][fF] [hH][iI][fF] [bB][mM][pP] [dD][iI][bB] [cC][gG][mM] [dD][rR][lL][eE] [dD][pP][xX] [eE][mM][fF] [fF][iI][tT][sS] [fF][iI][tT] [fF][tT][sS] [hH][eE][iI][cC] [hH][eE][iI][cC][sS][hH][eE][iI][fF] [hH][eE][iI][fF][sS] [hH][eE][jJ]2 [hH][sS][jJ]2 [gG][iI][fF] [iE][eE][fF] [jJ][lL][sS] [jJ][pP]2 [jJ][pP][gG]2 [jJ][pP][hH] [jJ][hH][cC] [jJ][pP][gG] [jJ][pP][eE][gG] [jJ][fF][iI][fF] [jJ][pP][mM] [jJ][pP][gG][mM] [jJ][pP][xX] [jJ][pP][fF] [jJ][xX][lL] [jJ][xX][rR] [jJ][xX][rR][aA] [jJ][xX][rR][sS] [jJ][xX][sS][cC] [jJ][xX][sS][iI] [jJ][xX][sS][sS] [kK][tT][xX] [kK][tT][xX]2 [pP][nN][gG] [bB][tT][iI][fF] [bB][tT][fF] [pP][tT][iI] [sS][vV][gG] [sS][vV][gG][zZ] [tT]38 [tT][iI][fF][fF] [tT][iI][fF] [pP][sS][dD] [pP][sS][dD][cC] [aA][zZ][vV] [uU][vV][iI] [uU][vV][vV][iI] [uU][vV][gG] [uU][vV][vV][gG] [dD][jJ][vV][uU] [dD][jJ][vV] [dD][wW][gG] [dD][xX][fF] [fF][bB][sS] [fF][pP][xX] [fF][sS][tT] [mM][mM][rR] [rR][lL][cC] [pP][gG][bB] [iI][cC][oO] [aA][pP][nN][gG] [mM][dD][iI] [bB]16 [hH][dD][rR] [rR][gG][bB][eE] [xX][yY][zZ][eE] [sS][pP][nN][gG] [sS][pP][nN] [sS]1[nN] [sS][gG][iI] [sS][gG]1[gG] [sS][jJ][pP][gG] [sS][jJ][pP] [sS]1[jJ] [tT][aA][pP] [vV][bB][mM] [xX][iI][fF] [pP][cC][xX] [wW][mM][fF] [wW][eE][bB][pP] [rR][aA][sS] [pP][nN][mM] [pP][bB][mM] [pP][gG][mM] [pP][pP][mM] [rR][gG][bB] [tT][gG][aA] [xX][cC][fF] [xX][bB][mM] [xX][pP][mM] [xX][wW][dD] + +# glb gltf jt igs iges msh mesh silo mtl obj stpx stpxz stl u3d bary cld dae dwf gld gsm win dor lmp rsm msm ism gtw moml mts ogex x_b 
xmt_bin x_t xmt_txt pyo pyox vds usda usdz bsp vtu wrl vrml x3db x3dv x3dvz + +@{model_ext} = [gG][lL][bB] [gG][lL][tT][fF] [jJ][tT] [iI][gG][sS] [iI][gG][eE][sS] [mM][sS][hH] [mM][eE][sS][hH] [sS][iI][lL][oO] [mM][tT][lL] [oO][bB][jJ] [sS][tT][pP][xX] [sS][tT][pP][xX][zZ] [sS][tT][lL] [uU]3[dD] [bB][aA][rR][yY] [cC][lL][dD] [dD][aA][eE] [dD][wW][fF] [gG][lL][dD] [gG][sS][mM] [wW][iI][nN] [dD][oO][rR] [lL][mM][pP] [rR][sS][mM] [mM][sS][mM] [iI][sS][mM] [gG][tT][wW] [mM][oO][mM][lL] [mM][tT][sS] [oO][gG][eE][xX] [xX]_[bB] [xX][mM][tT]_[bB][iI][nN] [xX]_[tT] [xX][mM][tT]_[tT][xX][tT] [pP][yY][oO] [pP][yY][oO][xX] [vV][dD][sS] [uU][sS][dD][aA] [uU][sS][dD][zZ] [bB][sS][pP] [vV][tT][uU] [wW][rR][lL] [vV][rR][mM][lL] [xX]3[dD][bB] [xX]3[dD][vV] [xX]3[dD][vV][zZ] + +# ttc ttf otf woff woff2 + +@{font_ext} = [tT][tT][cC] [tT][tT][fF] [oO][tT][fF] [wW][oO][fF] [wW][oO][fF]2 + +# adx cdf doc docm docx dot dotx fni fodg fodp fods fodt info mdi odb odc odf odg odi odm odp ods odt otc otf otg oth oti otp ots ott oxt pages pdf stc std sti stw sxc sxd sxgsxi sxm sxw xps xodt xott xodp xotp xods xots pptx ppts xls xlsb xlsm xlsx tex texinfo texi latex + +@{document_ext} = [aA][dD][xX] [cC][dD][fF] [dD][oO][cC] [dD][oO][cC][mM] [dD][oO][cC][xX] [dD][oO][tT] [dD][oO][tT][xX] [fF][nN][iI] [fF][oO][dD][gG] [fF][oO][dD][pP] [fF][oO][dD][sS] [fF][oO][dD][tT] [iI][nN][fF][oO] [mM][dD][iI] [oO][dD][bB] [oO][dD][cC] [oO][dD][fF] [oO][dD][gG] [oO][dD][iI] [oO][dD][mM] [oO][dD][pP] [oO][dD][sS] [oO][dD][tT] [oO][tT][cC] [oO][tT][fF] [oO][tT][gG] [oO][tT][hH] [oO][tT][iI] [oO][tT][pP] [oO][tT][sS] [oO][tT][tT] [oO][xX][tT] [pP][aA][gG][eE][sS] [pP][dD][fF] [sS][tT][cC] [sS][tT][dD] [sS][tT][iI] [sS][tT][wW] [sS][xX][cC] [sS][xX][dD] [sS][xX][gG][sS][xX][iI] [sS][xX][mM] [sS][xX][wW] [xX][pP][sS] [xX][oO][dD][tT] [xX][oO][tT][tT] [xX][oO][dD][pP] [xX][oO][tT][pP] [xX][oO][dD][sS] [xX][oO][tT][sS] [pP][pP][tT][xX] [pP][pP][tT][sS] [xX][lL][sS] [xX][lL][sS][bB] [xX][lL][sS][mM] [xX][lL][sS][xX] 
[tT][eE][xX] [tT][eE][xX][iI][nN][fF][oO] [tT][eE][xX][iI] [lL][aA][tT][eE][xX] + +# appcache manifest ics ifb cql css csv csvs soa zone gff3 html htm js mjs cnd markdown md miz n3 txt asc text pm el c h cc hh cxx hxx f90 conf log provn rst tag dsc rtx sgml sgm shaclc shc shex spdx tsv t tr roff ttl uris uri vcf vcard a abc ascii copyright dms sub jtd vfk ged flt fly flx gv dot hans hgl 3dml 3dm spot spo mpf ccc mc2 uric jad sos ts si sl wml wmls vtt wgsl xml xsd rng ent sandboxed pod etx + +@{text_ext} = [aA][pP][pP][cC][aA][cC][hH][eE] [mM][aA][nN][iI][fF][eE][sS][tT] [iI][cC][sS] [iI][fF][bB] [cC][qQ][lL] [cC][sS][sS] [cC][sS][vV] [cC][sS][vV][sS] [sS][oO][aA] [zZ][oO][nN][eE] [gG][fF][fF]3 [hH][tT][mM][lL] [hH][tT][mM] [jJ][sS] [mM][jJ][sS] [cC][nN][dD] [mM][aA][rR][kK][dD][oO][wW][nN] [mM][dD] [mM][iI][zZ] [nN]3 [tT][xX][tT] [aA][sS][cC] [tT][eE][xX][tT] [pP][mM] [eE][lL] [cC] [hH] [cC][cC] [hH][hH] [cC][xX][xX] [hH][xX][xX] [fF]90 [cC][oO][nN][fF] [lL][oO][gG] [pP][rR][oO][vV][nN] [rR][sS][tT] [tT][aA][gG] [dD][sS][cC] [rR][tT][xX] [sS][gG][mM][lL] [sS][gG][mM] [sS][hH][aA][cC][lL][cC] [sS][hH][cC] [sS][hH][eE][xX] [sS][pP][dD][xX] [tT][sS][vV] [tT] [tT][rR] [rR][oO][fF][fF] [tT][tT][lL] [uU][rR][iI][sS] [uU][rR][iI] [vV][cC][fF] [vV][cC][aA][rR][dD] [aA] [aA][bB][cC] [aA][sS][cC][iI][iI] [cC][oO][pP][yY][rR][iI][gG][hH][tT] [dD][mM][sS] [sS][uU][bB] [jJ][tT][dD] [vV][fF][kK] [gG][eE][dD] [fF][lL][tT] [fF][lL][yY] [fF][lL][xX] [gG][vV] [dD][oO][tT] [hH][aA][nN][sS] [hH][gG][lL] 3[dD][mM][lL] 3[dD][mM] [sS][pP][oO][tT] [sS][pP][oO] [mM][pP][fF] [cC][cC][cC] [mM][cC]2 [uU][rR][iI][cC] [jJ][aA][dD] [sS][oO][sS] [tT][sS] [sS][iI] [sS][lL] [wW][mM][lL] [wW][mM][lL][sS] [vV][tT][tT] [wW][gG][sS][lL] [xX][mM][lL] [xX][sS][dD] [rR][nN][gG] [eE][nN][tT] [sS][aA][nN][dD][bB][oO][xX][eE][dD] [pP][oO][dD] [eE][tT][xX] # vim:syntax=apparmor From 93269e0596a8d416a9ee647146c983115da2f346 Mon Sep 17 00:00:00 2001 
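Review bot: Several hand-expanded character classes do not match the extension named in the comment above them, so those extensions silently stop matching: `[tT][t][mM][lL]`, `[tT][t][xX][tT]` and `[vV][tT][t]` in `@{subtitles_ext}` use a lowercase-only `[t]`; `[oO][gG]` in `@{audio_ext}` matches `og`, not `ogg`; `[wW][oO][fF]` in `@{font_ext}` matches `wof`, not `woff`; `[iE][eE][fF]` in `@{image_ext}` should be `[iI][eE][fF]`; and `[hH][eE][iI][cC][sS][hH][eE][iI][fF]` (heics heif), `[sS][sS][mM][oO][vV]` (ssw smov) and `[sS][gG]1[gG]` (s1g, with sgif lost) are neighbouring entries fused or garbled. Since the plain lowercase list is kept as a comment above each variable, a build-time check that every class matches its comment, or generating the classes from the comment, would catch this whole class of error. The `?[qQ]? ?[zZ]? ??_` globs at the head of `@{archive_ext}` are also carried over unchanged.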
From: odomingao Date: Sun, 6 Oct 2024 22:32:49 -0300 Subject: [PATCH 310/315] Small fix --- apparmor.d/tunables/multiarch.d/extensions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index 85a6e8b5e..e008b558c 100644 --- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions @@ -1,6 +1,6 @@ # abb apk appx appxbundle emsix emsixbundle msix msixbundle deb crx jar msi pacman pkg mpkg pkg.tar pkg.tar.zst tgz rpm -@{package_ext} = [aA][aA][bB][bB] [aA][pP][kK] [aA][pP][pP][xX] [aA][pP][pP][xX][bB][uU][nN][dD][lL][eE] [eE][mM][sS][iI][xX] [eE][mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] [mM][sS][iI][xX] [mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] [dD][eE][bB] [cC][rR][xX] [jJ][aA][rR] [mM][sS][iI] [pP][aA][cC][mM][aA][nN] [pP][kK][gG] [mM][pP][kK][gG] [pP][kK][gG].[tT][aA][rR] [pP][kK][gG].[tT][aA][rR].[zZ][sS][tT] [tT][gG][zZ] [rR][pP][mM] +@{package_ext} = [aA][bB][bB] [aA][pP][kK] [aA][pP][pP][xX] [aA][pP][pP][xX][bB][uU][nN][dD][lL][eE] [eE][mM][sS][iI][xX] [eE][mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] [mM][sS][iI][xX] [mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] [dD][eE][bB] [cC][rR][xX] [jJ][aA][rR] [mM][sS][iI] [pP][aA][cC][mM][aA][nN] [pP][kK][gG] [mM][pP][kK][gG] [pP][kK][gG].[tT][aA][rR] [pP][kK][gG].[tT][aA][rR].[zZ][sS][tT] [tT][gG][zZ] [rR][pP][mM] # adf adz bwt cif cue cdi b5t b6t daa dmg dms dsk d64 iso img ima nrg mdf mds mdx partimg sdi wim swm esd From f079792aeef4341487681acfd927d0d49814f637 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 17 Oct 2024 23:44:55 +0100 Subject: [PATCH 311/315] feat(tunable): make the extensions easier to read. --- apparmor.d/tunables/multiarch.d/extensions | 665 ++++++++++++++++++++- 1 file changed, 632 insertions(+), 33 deletions(-) diff --git a/apparmor.d/tunables/multiarch.d/extensions b/apparmor.d/tunables/multiarch.d/extensions index e008b558c..956e8c253 100644 
--- a/apparmor.d/tunables/multiarch.d/extensions +++ b/apparmor.d/tunables/multiarch.d/extensions 
@@ -1,49 +1,648 @@ -# abb apk appx appxbundle emsix emsixbundle msix msixbundle deb crx jar msi pacman pkg mpkg pkg.tar pkg.tar.zst tgz rpm +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# Copyright (C) 2024 odomingao +# SPDX-License-Identifier: GPL-2.0-only -@{package_ext} = [aA][bB][bB] [aA][pP][kK] [aA][pP][pP][xX] [aA][pP][pP][xX][bB][uU][nN][dD][lL][eE] [eE][mM][sS][iI][xX] [eE][mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] [mM][sS][iI][xX] [mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] [dD][eE][bB] [cC][rR][xX] [jJ][aA][rR] [mM][sS][iI] [pP][aA][cC][mM][aA][nN] [pP][kK][gG] [mM][pP][kK][gG] [pP][kK][gG].[tT][aA][rR] [pP][kK][gG].[tT][aA][rR].[zZ][sS][tT] [tT][gG][zZ] [rR][pP][mM] +# Define commonly used extensions -# adf adz bwt cif cue cdi b5t b6t daa dmg dms dsk d64 iso img ima nrg mdf mds mdx partimg sdi wim swm esd +# All variables that refer to an extension must have the `_ext` suffix. -@{diskimage_ext} = [aA][dD][fF] [aA][dD][zZ] [bB][wW][tT] [cC][iI][fF] [cC][uU][eE] [cC][dD][iI] [bB]5[tT] [bB]6[tT] [dD][aA][aA] [dD][mM][gG] [dD][mM][sS] [dD][sS][kK] [dD]64 [iI][sS][oO] [iI][mM][gG] [iI][mM][aA] [nN][rR][gG] [mM][dD][fF] [mM][dD][sS] [mM][dD][xX] [pP][aA][rR][tT][iI][mM][gG] [sS][dD][iI] [wW][iI][mM] [sS][wW][mM] [eE][sS][dD] +# Packages +@{package_ext} = [aA][bB][bB] # abb +@{package_ext} += [aA][pP][kK] # apk +@{package_ext} += [aA][pP][pP][xX] # appx +@{package_ext} += [aA][pP][pP][xX][bB][uU][nN][dD][lL][eE] # appxbundle +@{package_ext} += [cC][rR][xX] # crx +@{package_ext} += [dD][eE][bB] # deb +@{package_ext} += [eE][mM][sS][iI][xX] # emsix +@{package_ext} += [eE][mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] # emsixbundle +@{package_ext} += [jJ][aA][rR] # jar +@{package_ext} += [mM][pP][kK][gG] # mpkg +@{package_ext} += [mM][sS][iI] # msi +@{package_ext} += [mM][sS][iI][xX] # msix +@{package_ext} += [mM][sS][iI][xX][bB][uU][nN][dD][lL][eE] # msixbundle +@{package_ext} += [pP][kK][gG] # pkg +@{package_ext} += 
[pP][kK][gG].[tT][aA][rR]{,[zZ][sS][tT]} # pkg.tar{,.zst} +@{package_ext} += [rR][pP][mM] # rpm +@{package_ext} += [tT][gG][zZ] # tgz -# ?q? ?z? ??_ 7z s7z a ar aar ace afa alz arc arj bar b1 b6z ba bh br bz2 cab car cdx cfs cpio dar dgc ear gca gz genozip ha hki io kgb lz lzma lzo ice lbr lha lzh lzx mar pak paq@{int} lpaq@{int} par par2 pax pea phar pim pit pka pma pst qda rar r@{int} rk run rz sbx sda sea sen sfark sfx shar shk sit sitx sqs sz tar tar.z tar.bz2 tar.gz tgz tar.lz tar.lzma tlz tar.xz txz tar.zst uc uc0 uc2 ucn ur2 ue2 uca uha war xar xp3 xz yz1 z zip zipx zpaq zoo zst zz @{diskimage_ext} @{package_ext} +# Disk images +@{diskimage_ext} = [aA][dD][fF] # adf +@{diskimage_ext} += [aA][dD][zZ] # adz +@{diskimage_ext} += [bB][wW][tT] # bwt +@{diskimage_ext} += [cC][iI][fF] # cif +@{diskimage_ext} += [cC][uU][eE] # cue +@{diskimage_ext} += [cC][dD][iI] # cdi +@{diskimage_ext} += [bB]5[tT] # b5t +@{diskimage_ext} += [bB]6[tT] # b6t +@{diskimage_ext} += [dD][aA][aA] # daa +@{diskimage_ext} += [dD][mM][gG] # dmg +@{diskimage_ext} += [dD][mM][sS] # dms +@{diskimage_ext} += [dD][sS][kK] # dsk +@{diskimage_ext} += [dD]64 # d64 +@{diskimage_ext} += [iI][sS][oO] # iso +@{diskimage_ext} += [iI][mM][gG] # img +@{diskimage_ext} += [iI][mM][aA] # ima +@{diskimage_ext} += [nN][rR][gG] # nrg +@{diskimage_ext} += [mM][dD][fF] # mdf +@{diskimage_ext} += [mM][dD][sS] # mds +@{diskimage_ext} += [mM][dD][xX] # mdx +@{diskimage_ext} += [pP][aA][rR][tT][iI][mM][gG] # partimg +@{diskimage_ext} += [sS][dD][iI] # sdi +@{diskimage_ext} += [wW][iI][mM] # wim +@{diskimage_ext} += [sS][wW][mM] # swm +@{diskimage_ext} += [eE][sS][dD] # esd -@{archive_ext} = ?[qQ]? ?[zZ]? 
??_ 7[zZ] [sS]7[zZ] [aA] [aA][rR] [aA][aA][rR] [aA][cC][eE] [aA][fF][aA] [aA][lL][zZ] [aA][rR][cC] [aA][rR][jJ] [bB][aA][rR] [bB]1 [bB]6[zZ] [bB][aA][hH] [bB][rR] [bB][zZ]2 [cC][aA][bB] [cC][aA][rR] [cC][dD][xX] [cC][fF][sS] [cC][pP][iI][oO] [dD][aA][rR] [dD][gG][cC] [eE][aA][rR] [gG][cC][aA] [gG][zZ] [gG][eE][nN][oO][zZ][iI][pP] [hH][aA] [hH][kK][iI] [iI][oO] [kK][gG][bB] [lL][zZ] [lL][zZ][mM][aA] [lL][zZ][oO] [iI][cC][eE] [lL][bB][rR] [lL][hH][aA] [lL][zZ][hH] [lL][zZ][xX] [mM][aA][rR] [pP][aA][kK] [pP][aA][qQ]@{int} [lL][pP][aA][qQ]@{int} [pP][aA][rR] [pP][aA][rR]2 [pP][aA][xX] [pP][eE][aA] [pP][hH][aA][rR] [pP][iI][mM] [pP][iI][tT] [pP][kK][aA] [pP][mM][aA] [pP][sS][tT] [qQ][dD][aA] [rR][aA][rR] [rR]@{int} [rR][kK] [rR][uU][nN] [rR][zZ] [sS][bB][xX] [sS][dD][aA] [sS][eE][aA] [sS][eE][nN] [sS][fF][aA][rR][kK] [sS][fF][xX] [sS][hH][aA][rR] [sS][hH][kK] [sS][iI][tT] [sS][iI][tT][xX] [sS][qQ][sS] [sS][zZ] [tT][aA][rR] [tT][aA][rR].[zZ] [tT][aA][rR].[bB][zZ]2 [tT][aA][rR].[gG][zZ] [tT][gG][zZ] [tT][aA][rR].[lL][zZ] [tT][aA][rR].[lL][zZ][mM][aA] [tT][lL][zZ] [tT][aA][rR].[xX][zZ] [tT][xX][zZ] [tT][aA][rR].[zZ][sS][tT] [uU][cC] [uU][cC]0 [uU][cC]2 [uU][cC][nN] [uU][rR]2 [uU][eE]2 [uU][cC][aA] [uU][hH][aA] [wW][aA][rR] [xX][aA][rR] [xX][pP]3 [xX][zZ] [yY][zZ]1 [zZ][iI][pP] [zZ][iI][pP][xX] [zZ][pP][aA][qQ] [zZ][oO][oO] [zZ][sS][tT] [zZ][zZ] @{diskimage_ext} @{package_ext} +# Archives +@{archive_ext} = @{diskimage_ext} @{package_ext} +@{archive_ext} += ??_ # ??_ +@{archive_ext} += ?[qQ]? # ?q? +@{archive_ext} += ?[zZ]? # ?z? 
+@{archive_ext} += [aA] # a +@{archive_ext} += [aA][aA][rR] # aar +@{archive_ext} += [aA][cC][eE] # ace +@{archive_ext} += [aA][fF][aA] # afa +@{archive_ext} += [aA][lL][zZ] # alz +@{archive_ext} += [aA][rR] # ar +@{archive_ext} += [aA][rR][cC] # arc +@{archive_ext} += [aA][rR][jJ] # arj +@{archive_ext} += [bB][aA][hH] # bah +@{archive_ext} += [bB][aA][rR] # bar +@{archive_ext} += [bB][rR] # br +@{archive_ext} += [bB][zZ]2 # bz2 +@{archive_ext} += [bB]1 # b1 +@{archive_ext} += [bB]6[zZ] # b6z +@{archive_ext} += [cC][aA][bB] # cab +@{archive_ext} += [cC][aA][rR] # car +@{archive_ext} += [cC][dD][xX] # cdx +@{archive_ext} += [cC][fF][sS] # cfs +@{archive_ext} += [cC][pP][iI][oO] # cpio +@{archive_ext} += [dD][aA][rR] # dar +@{archive_ext} += [dD][gG][cC] # dgc +@{archive_ext} += [eE][aA][rR] # ear +@{archive_ext} += [gG][cC][aA] # gca +@{archive_ext} += [gG][eE][nN][oO][zZ][iI][pP] # genozip +@{archive_ext} += [gG][zZ] # gz +@{archive_ext} += [hH][aA] # ha +@{archive_ext} += [hH][kK][iI] # hki +@{archive_ext} += [iI][cC][eE] # ice +@{archive_ext} += [iI][oO] # io +@{archive_ext} += [kK][gG][bB] # kgb +@{archive_ext} += [lL][bB][rR] # lbr +@{archive_ext} += [lL][hH][aA] # lha +@{archive_ext} += [lL][pP][aA][qQ]@{int} # lpaq@{int} +@{archive_ext} += [lL][zZ] # lz +@{archive_ext} += [lL][zZ][hH] # lzh +@{archive_ext} += [lL][zZ][mM][aA] # lzma +@{archive_ext} += [lL][zZ][oO] # lzo +@{archive_ext} += [lL][zZ][xX] # lzx +@{archive_ext} += [mM][aA][rR] # mar +@{archive_ext} += [pP][aA][kK] # pak +@{archive_ext} += [pP][aA][qQ]@{int} # paq@{int} +@{archive_ext} += [pP][aA][rR] # par +@{archive_ext} += [pP][aA][rR]2 # par2 +@{archive_ext} += [pP][aA][xX] # pax +@{archive_ext} += [pP][eE][aA] # pea +@{archive_ext} += [pP][hH][aA][rR] # phar +@{archive_ext} += [pP][iI][mM] # pim +@{archive_ext} += [pP][iI][tT] # pit +@{archive_ext} += [pP][kK][aA] # pka +@{archive_ext} += [pP][mM][aA] # pma +@{archive_ext} += [pP][sS][tT] # pst +@{archive_ext} += [qQ][dD][aA] # qda 
+@{archive_ext} += [rR][aA][rR] # rar +@{archive_ext} += [rR][kK] # rk +@{archive_ext} += [rR][uU][nN] # run +@{archive_ext} += [rR][zZ] # rz +@{archive_ext} += [rR]@{int} # r@{int} +@{archive_ext} += [sS][bB][xX] # sbx +@{archive_ext} += [sS][dD][aA] # sda +@{archive_ext} += [sS][eE][aA] # sea +@{archive_ext} += [sS][eE][nN] # sen +@{archive_ext} += [sS][fF][aA][rR][kK] # sfark +@{archive_ext} += [sS][fF][xX] # sfx +@{archive_ext} += [sS][hH][aA][rR] # shar +@{archive_ext} += [sS][hH][kK] # shk +@{archive_ext} += [sS][iI][tT] # sit +@{archive_ext} += [sS][iI][tT][xX] # sitx +@{archive_ext} += [sS][qQ][sS] # sqs +@{archive_ext} += [sS][zZ] # sz +@{archive_ext} += [sS]7[zZ] # s7z +@{archive_ext} += [tT][aA][rR] # tar +@{archive_ext} += [tT][aA][rR].[bB][zZ]2 # tar.bz2 +@{archive_ext} += [tT][aA][rR].[gG][zZ] # tar.gz +@{archive_ext} += [tT][aA][rR].[lL][zZ] # tar.lz +@{archive_ext} += [tT][aA][rR].[lL][zZ][mM][aA] # tar.lzma +@{archive_ext} += [tT][aA][rR].[xX][zZ] # tar.xz +@{archive_ext} += [tT][aA][rR].[zZ] # tar.z +@{archive_ext} += [tT][aA][rR].[zZ][sS][tT] # tar.zst +@{archive_ext} += [tT][gG][zZ] # tgz +@{archive_ext} += [tT][lL][zZ] # tlz +@{archive_ext} += [tT][xX][zZ] # txz +@{archive_ext} += [uU][cC] # uc +@{archive_ext} += [uU][cC][aA] # uca +@{archive_ext} += [uU][cC][nN] # ucn +@{archive_ext} += [uU][cC]0 # uc0 +@{archive_ext} += [uU][cC]2 # uc2 +@{archive_ext} += [uU][eE]2 # ue2 +@{archive_ext} += [uU][hH][aA] # uha +@{archive_ext} += [uU][rR]2 # ur2 +@{archive_ext} += [wW][aA][rR] # war +@{archive_ext} += [xX][aA][rR] # xar +@{archive_ext} += [xX][pP]3 # xp3 +@{archive_ext} += [xX][zZ] # xz +@{archive_ext} += [yY][zZ]1 # yz1 +@{archive_ext} += [zZ][iI][pP] # zip +@{archive_ext} += [zZ][iI][pP][xX] # zipx +@{archive_ext} += [zZ][oO][oO] # zoo +@{archive_ext} += [zZ][pP][aA][qQ] # zpaq +@{archive_ext} += [zZ][sS][tT] # zst +@{archive_ext} += [zZ][zZ] # zz +@{archive_ext} += 7[zZ] # 7z -# alac adts aac ass ac3 amr awb acn aal atx at3 aa3 omg au snd dls 
evc evb enw evw lbc l16 mhas mxmf m4a mp3 mpga mp1 mp2 oga ogg opus spx sid psid qcp smv sofa loas xhe koz uva uvva eol mlp dts dtshd plj lvp pya vbk ecelp4800 ecelp7470 ecelp9600 multitrack rip smp3 smp s1m mid midi kar aif aiff aifc axa flac mka mod ult uni m15 mtm 669 med m3u wax wma ram rm ra s3m stm wav +# Audio +@{audio_ext} = [aA][aA][cC] # aac +@{audio_ext} += [aA][aA][lL] # aal +@{audio_ext} += [aA][aA]3 # aa3 +@{audio_ext} += [aA][cC][nN] # acn +@{audio_ext} += [aA][cC]3 # ac3 +@{audio_ext} += [aA][dD][tT][sS] # adts +@{audio_ext} += [aA][iI][fF] # aif +@{audio_ext} += [aA][iI][fF][cC] # aifc +@{audio_ext} += [aA][iI][fF][fF] # aiff +@{audio_ext} += [aA][lL][aA][cC] # alac +@{audio_ext} += [aA][mM][rR] # amr +@{audio_ext} += [aA][sS][sS] # ass +@{audio_ext} += [aA][tT][xX] # atx +@{audio_ext} += [aA][uU] # au +@{audio_ext} += [aA][wW][bB] # awb +@{audio_ext} += [aA][xX][aA] # axa +@{audio_ext} += [dD][lL][sS] # dls +@{audio_ext} += [dD][tT][sS] # dts +@{audio_ext} += [dD][tT][sS][hH][dD] # dtshd +@{audio_ext} += [eE][cC][eE][lL][pP]4800 # ecelp4800 +@{audio_ext} += [eE][cC][eE][lL][pP]7470 # ecelp7470 +@{audio_ext} += [eE][cC][eE][lL][pP]9600 # ecelp9600 +@{audio_ext} += [eE][nN][wW] # enw +@{audio_ext} += [eE][oO][lL] # eol +@{audio_ext} += [eE][vV][bB] # evb +@{audio_ext} += [eE][vV][cC] # evc +@{audio_ext} += [eE][vV][wW] # wvw +@{audio_ext} += [fF][lL][aA][cC] # flac +@{audio_ext} += [kK][aA][rR] # kar +@{audio_ext} += [kK][oO][zZ] # koz +@{audio_ext} += [lL][bB][cC] # lbc +@{audio_ext} += [lL][oO][aA][sS] # loas +@{audio_ext} += [lL][vV][pP] # lvp +@{audio_ext} += [lL]16 # l16 +@{audio_ext} += [mM][eE][dD] # med +@{audio_ext} += [mM][hH][aA][sS] # mhas +@{audio_ext} += [mM][iI][dD] # mid +@{audio_ext} += [mM][iI][dD][iI] # midi +@{audio_ext} += [mM][kK][aA] # mka +@{audio_ext} += [mM][lL][pP] # mlp +@{audio_ext} += [mM][oO][dD] # mod +@{audio_ext} += [mM][pP][gG][aA] # mpga +@{audio_ext} += [mM][pP]1 # mp1 +@{audio_ext} += [mM][pP]2 # mp2 
+@{audio_ext} += [mM][pP]3 # mp3 +@{audio_ext} += [mM][tT][mM] # mtm +@{audio_ext} += [mM][uU][lL][tT][iI][tT][rR][aA][cC][kK] # multitrack +@{audio_ext} += [mM][xX][mM][fF] # mxmf +@{audio_ext} += [mM]15 # m15 +@{audio_ext} += [mM]3[uU] # m3u +@{audio_ext} += [mM]4[aA] # m4a +@{audio_ext} += [oO][gG] # og +@{audio_ext} += [oO][gG][aA] # oga +@{audio_ext} += [oO][mM][gG] # omg +@{audio_ext} += [oO][pP][uU][sS] # opus +@{audio_ext} += [pP][lL][jJ] # plj +@{audio_ext} += [pP][sS][iI][dD] # psid +@{audio_ext} += [pP][yY][aA] # pya +@{audio_ext} += [qQ][cC][pP] # qcp +@{audio_ext} += [rR][aA] # ra +@{audio_ext} += [rR][aA][mM] # ram +@{audio_ext} += [rR][iI][pP] # rip +@{audio_ext} += [rR][mM] # rm +@{audio_ext} += [sS][iI][dD] # sid +@{audio_ext} += [sS][mM][pP] # smp +@{audio_ext} += [sS][mM][pP]3 # smp3 +@{audio_ext} += [sS][mM][vV] # smv +@{audio_ext} += [sS][nN][dD] # snd +@{audio_ext} += [sS][oO][fF][aA] # sofa +@{audio_ext} += [sS][pP][xX] # spx +@{audio_ext} += [sS][tT][mM] # stm +@{audio_ext} += [sS]1[mM] # s1m +@{audio_ext} += [sS]3[mM] # s3m +@{audio_ext} += [uU][lL][tT] # ult +@{audio_ext} += [uU][nN][iI] # uni +@{audio_ext} += [uU][vV][aA] # uva +@{audio_ext} += [uU][vV][vV][aA] # uvva +@{audio_ext} += [vV][bB][kK] # vbk +@{audio_ext} += [wW][aA][vV] # wav +@{audio_ext} += [wW][aA][xX] # wax +@{audio_ext} += [wW][mM][aA] # wma +@{audio_ext} += [xX][hH][eE] # xhe +@{audio_ext} += 669 # 669 -@{audio_ext} = [aA][lL][aA][cC] [aA][dD][tT][sS] [aA][aA][cC] [aA][sS][sS] [aA][cC]3 [aA][mM][rR] [aA][wW][bB] [aA][cC][nN] [aA][aA][lL] [aA][tT][xX] [aA][aA]3 [oO][mM][gG] [aA][uU] [sS][nN][dD] [dD][lL][sS] [eE][vV][cC] [eE][vV][bB] [eE][nN][wW] [eE][vV][wW] [lL][bB][cC] [lL]16 [mM][hH][aA][sS] [mM][xX][mM][fF] [mM]4[aA] [mM][pP]3 [mM][pP][gG][aA] [mM][pP]1 [mM][pP]2 [oO][gG][aA] [oO][gG] [oO][pP][uU][sS] [sS][pP][xX] [sS][iI][dD] [pP][sS][iI][dD] [qQ][cC][pP] [sS][mM][vV] [sS][oO][fF][aA] [lL][oO][aA][sS] [xX][hH][eE] [kK][oO][zZ] [uU][vV][aA] [uU][vV][vV][aA] 
[eE][oO][lL] [mM][lL][pP] [dD][tT][sS] [dD][tT][sS][hH][dD] [pP][lL][jJ] [lL][vV][pP] [pP][yY][aA] [vV][bB][kK] [eE][cC][eE][lL][pP]4800 [eE][cC][eE][lL][pP]7470 [eE][cC][eE][lL][pP]9600 [mM][uU][lL][tT][iI][tT][rR][aA][cC][kK] [rR][iI][pP] [sS][mM][pP]3 [sS][mM][pP] [sS]1[mM] [mM][iI][dD] [mM][iI][dD][iI] [kK][aA][rR] [aA][iI][fF] [aA][iI][fF][fF] [aA][iI][fF][cC] [aA][xX][aA] [fF][lL][aA][cC] [mM][kK][aA] [mM][oO][dD] [uU][lL][tT] [uU][nN][iI] [mM]15 [mM][tT][mM] 669 [mM][eE][dD] [mM]3[uU] [wW][aA][xX] [wW][mM][aA] [rR][aA][mM] [rR][mM] [rR][aA] [sS]3[mM] [sS][tT][mM] [wW][aA][vV] +# Lyrics +@{lyrics_ext} = [lL][rR][cC] # lrc +@{lyrics_ext} += [lL][yY][rR][iI][cC] # lyric -# lrc lyric +# Videos +@{video_ext} = [aA][sS][xX] # asx +@{video_ext} += [aA][vV][iI] # avi +@{video_ext} += [aA][xX][vV] # axv +@{video_ext} += [bB][iI][kK] # bik +@{video_ext} += [bB][kK]2 # bk2 +@{video_ext} += [dD][vV][bB] # dvb +@{video_ext} += [fF][lL][vV] # flv +@{video_ext} += [fF][vV][tT] # fvt +@{video_ext} += [fF][xX][mM] # fxm +@{video_ext} += [mM][jJ][pP]2 # mjp2 +@{video_ext} += [mM][jJ]2 # mj2 +@{video_ext} += [mM][kK][vV] # mkv +@{video_ext} += [mM][kK]3[dD] # mk3d +@{video_ext} += [mM][oO][vV] # mov +@{video_ext} += [mM][pP][eE] # mpe +@{video_ext} += [mM][pP][eE][gG] # mpeg +@{video_ext} += [mM][pP][gG] # mpg +@{video_ext} += [mM][pP][gG]4 # mpg4 +@{video_ext} += [mM][pP]4 # mp4 +@{video_ext} += [mM][xX][uU] # mxu +@{video_ext} += [mM]1[vV] # m1v +@{video_ext} += [mM]2[vV] # m2v +@{video_ext} += [mM]4[sS] # m4s +@{video_ext} += [mM]4[uU] # m4u +@{video_ext} += [mM]4[vV] # m4v +@{video_ext} += [nN][iI][mM] # nim +@{video_ext} += [oO][gG][vV] # ogv +@{video_ext} += [pP][yY][vV] # pyv +@{video_ext} += [qQ][tT] # qt +@{video_ext} += [sS][mM][kK] # smk +@{video_ext} += [sS][mM][oO] # smo +@{video_ext} += [sS][mM][pP][gG] # smpg +@{video_ext} += [sS][sS][mM][oO][vV] # ssmov +@{video_ext} += [sS][sS][wW][fF] # sswf +@{video_ext} += [sS]1[qQ] # s1q +@{video_ext} += [sS]11 # s11 
+@{video_ext} += [sS]14 # s14 +@{video_ext} += [uU][vV][hH] # uvh +@{video_ext} += [uU][vV][mM] # uvm +@{video_ext} += [uU][vV][pP] # uvp +@{video_ext} += [uU][vV][sS] # uvs +@{video_ext} += [uU][vV][uU] # uvu +@{video_ext} += [uU][vV][vV][hH] # uvvh +@{video_ext} += [uU][vV][vV][mM] # uvvm +@{video_ext} += [uU][vV][vV][pP] # uvvp +@{video_ext} += [uU][vV][vV][sS] # uvvs +@{video_ext} += [uU][vV][vV][uU] # uvvu +@{video_ext} += [uU][vV][vV][vV] # uvv +@{video_ext} += [vV][iI][vV] # viv +@{video_ext} += [wW][eE][bB][mM] # webm +@{video_ext} += [wW][mM] # wm +@{video_ext} += [wW][mM][vV] # wmv +@{video_ext} += [wW][mM][xX] # wmx +@{video_ext} += [wW][vV][xX] # wvx +@{video_ext} += [yY][tT] # yt +@{video_ext} += 3[gG][pP] # 3gp +@{video_ext} += 3[gG][pP][pP] # 3gpp +@{video_ext} += 3[gG][pP][pP]2 # 3gpp2 +@{video_ext} += 3[gG]2 # 3g2 -@{lyrics_ext} = [lL][rR][cC] [lL][yY][rR][iI][cC] +# Subtitles +@{suntitles_ext} = [aA][qQ][tT] # aqt +@{suntitles_ext} += [aA][sS][sS] # ass +@{suntitles_ext} += [gG][sS][uU][bB] # gsub +@{suntitles_ext} += [uU][sS][fF] # usf +@{suntitles_ext} += [pP][aA][cC] # pac +@{suntitles_ext} += [pP][jJ][sS] # pjs +@{suntitles_ext} += [pP][sS][bB] # psb +@{suntitles_ext} += [rR][tT] # rt +@{suntitles_ext} += [sS][bB][vV] # sbv +@{suntitles_ext} += [sS][mM][iI] # smi +@{suntitles_ext} += [sS][rR][tT] # srt +@{suntitles_ext} += [sS][sS][aA] # ssa +@{suntitles_ext} += [sS][sS][fF] # ssf +@{suntitles_ext} += [sS][tT][lL] # stl +@{suntitles_ext} += [sS][uU][bB] # sub +@{suntitles_ext} += [tT][t][mM][lL] # ttml +@{suntitles_ext} += [tT][t][xX][tT] # ttxt +@{suntitles_ext} += [vV][tT][t] # vtt -# 3gp 3gpp 3g2 3gpp2 m4s mj2 mjp2 mp4 mpg4 m4v mpeg mpg mpe m1v m2v ogv mov qt uvh uvvh uvm uvvm uvu uvvu uvp uvvp uvs uvvs uvv uvvv dvb fvt mxu m4u pyv nim bik bk2 smk smpg s11 s14 sswf ssw smov smo s1q yt viv webm axv flv fxm mkv mk3d asx wm wmv wmx wvx avi movie +# Images +@{image_ext} = [aA][pP][nN][gG] # apng +@{image_ext} += [aA][vV][cC][iI] # avci 
+@{image_ext} += [aA][vV][cC][sS] # avcs +@{image_ext} += [aA][vV][iI][fF] # avif +@{image_ext} += [aA][zZ][vV] # azv +@{image_ext} += [bB][mM][pP] # bmp +@{image_ext} += [bB][tT][fF] # btf +@{image_ext} += [bB][tT][iI][fF] # btif +@{image_ext} += [bB]16 # b16 +@{image_ext} += [cC][gG][mM] # cgm +@{image_ext} += [dD][iI][bB] # dib +@{image_ext} += [dD][jJ][vV] # djv +@{image_ext} += [dD][jJ][vV][uU] # djvu +@{image_ext} += [dD][pP][xX] # dpx +@{image_ext} += [dD][rR][lL][eE] # drle +@{image_ext} += [dD][wW][gG] # dwg +@{image_ext} += [dD][xX][fF] # dxf +@{image_ext} += [eE][mM][fF] # emf +@{image_ext} += [eE][xX][rR] # exr +@{image_ext} += [fF][bB][sS] # fbs +@{image_ext} += [fF][iI][tT] # fit +@{image_ext} += [fF][iI][tT][sS] # fits +@{image_ext} += [fF][pP][xX] # fpx +@{image_ext} += [fF][sS][tT] # fst +@{image_ext} += [fF][tT][sS] # fts +@{image_ext} += [gG][iI][fF] # gif +@{image_ext} += [hH][dD][rR] # hdr +@{image_ext} += [hH][eE][iI][cC] # heic +@{image_ext} += [hH][eE][iI][cC][sS][hH][eE][iI][fF] # heics +@{image_ext} += [hH][eE][iI][fF][sS] # heif +@{image_ext} += [hH][eE][jJ]2 # heifs +@{image_ext} += [hH][iI][fF] # hif +@{image_ext} += [hH][sS][jJ]2 # hsj2 +@{image_ext} += [iE][eE][fF] # ief +@{image_ext} += [iI][cC][oO] # ico +@{image_ext} += [jJ][fF][iI][fF] # jfif +@{image_ext} += [jJ][hH][cC] # jhc +@{image_ext} += [jJ][lL][sS] # jls +@{image_ext} += [jJ][pP][eE][gG] # jpeg +@{image_ext} += [jJ][pP][fF] # jpf +@{image_ext} += [jJ][pP][gG] # jpg +@{image_ext} += [jJ][pP][gG][mM] # jpgm +@{image_ext} += [jJ][pP][gG]2 # jpg2 +@{image_ext} += [jJ][pP][hH] # jph +@{image_ext} += [jJ][pP][mM] # jpm +@{image_ext} += [jJ][pP][xX] # jpx +@{image_ext} += [jJ][pP]2 # jp2 +@{image_ext} += [jJ][xX][lL] # jxl +@{image_ext} += [jJ][xX][rR] # jxr +@{image_ext} += [jJ][xX][rR][aA] # jxra +@{image_ext} += [jJ][xX][rR][sS] # jxrs +@{image_ext} += [jJ][xX][sS][cC] # jxsc +@{image_ext} += [jJ][xX][sS][iI] # jxsi +@{image_ext} += [jJ][xX][sS][sS] # jxss +@{image_ext} += 
[kK][tT][xX] # ktx +@{image_ext} += [kK][tT][xX]2 # ktx2 +@{image_ext} += [mM][dD][iI] # mdi +@{image_ext} += [mM][mM][rR] # mmr +@{image_ext} += [pP][bB][mM] # pbm +@{image_ext} += [pP][cC][xX] # pcx +@{image_ext} += [pP][gG][bB] # pgb +@{image_ext} += [pP][gG][mM] # pgm +@{image_ext} += [pP][nN][gG] # png +@{image_ext} += [pP][nN][mM] # pnm +@{image_ext} += [pP][pP][mM] # ppm +@{image_ext} += [pP][sS][dD] # psd +@{image_ext} += [pP][sS][dD][cC] # psdc +@{image_ext} += [pP][tT][iI] # pti +@{image_ext} += [rR][aA][sS] # ras +@{image_ext} += [rR][gG][bB] # rgb +@{image_ext} += [rR][gG][bB][eE] # rgbe +@{image_ext} += [rR][lL][cC] # rlc +@{image_ext} += [sS][gG][iI] # sgi +@{image_ext} += [sS][gG]1[gG] # s1g +@{image_ext} += [sS][jJ][pP] # sjp +@{image_ext} += [sS][jJ][pP][gG] # sjpg +@{image_ext} += [sS][pP][nN] # spn +@{image_ext} += [sS][pP][nN][gG] # spng +@{image_ext} += [sS][vV][gG] # svg +@{image_ext} += [sS][vV][gG][zZ] # svgz +@{image_ext} += [sS]1[jJ] # s1j +@{image_ext} += [sS]1[nN] # s1n +@{image_ext} += [tT][aA][pP] # tap +@{image_ext} += [tT][gG][aA] # tga +@{image_ext} += [tT][iI][fF] # tif +@{image_ext} += [tT][iI][fF][fF] # tiff +@{image_ext} += [tT]38 # t38 +@{image_ext} += [uU][vV][gG] # uvg +@{image_ext} += [uU][vV][iI] # uvi +@{image_ext} += [uU][vV][vV][gG] # uvvg +@{image_ext} += [uU][vV][vV][iI] # uvvi +@{image_ext} += [vV][bB][mM] # vtf +@{image_ext} += [wW][eE][bB][pP] # webp +@{image_ext} += [wW][mM][fF] # wmf +@{image_ext} += [xX][bB][mM] # xbm +@{image_ext} += [xX][cC][fF] # xcf +@{image_ext} += [xX][iI][fF] # xif +@{image_ext} += [xX][pP][mM] # xpm +@{image_ext} += [xX][wW][dD] # xwd +@{image_ext} += [xX][yY][zZ][eE] # xyze -@{video_ext} = 3[gG][pP] 3[gG][pP][pP] 3[gG]2 3[gG][pP][pP]2 [mM]4[sS] [mM][jJ]2 [mM][jJ][pP]2 [mM][pP]4 [mM][pP][gG]4 [mM]4[vV] [mM][pP][eE][gG] [mM][pP][gG] [mM][pP][eE] [mM]1[vV] [mM]2[vV] [oO][gG][vV] [mM][oO][vV] [qQ][tT] [uU][vV][hH] [uU][vV][vV][hH] [uU][vV][mM] [uU][vV][vV][mM] [uU][vV][uU] [uU][vV][vV][uU] 
[uU][vV][pP] [uU][vV][vV][pP] [uU][vV][sS] [uU][vV][vV][sS] [uU][vV][vV][vV] [dD][vV][bB] [fF][vV][tT] [mM][xX][uU] [mM]4[uU] [pP][yY][vV] [nN][iI][mM] [bB][iI][kK] [bB][kK]2 [sS][mM][kK] [sS][mM][pP][gG] [sS]11 [sS]14 [sS][sS][wW][fF] [sS][sS][mM][oO][vV] [sS][mM][oO] [sS]1[qQ] [yY][tT] [vV][iI][vV] [wW][eE][bB][mM] [aA][xX][vV] [fF][lL][vV] [fF][xX][mM] [mM][kK][vV] [mM][kK]3[dD] [aA][sS][xX] [wW][mM] [wW][mM][vV] [wW][mM][xX] [wW][vV][xX] [aA][vV][iI] [mM][oO][vV][iI][eE] +# Models +@{model_ext} = [bB][aA][rR][yY] # bary +@{model_ext} += [bB][sS][pP] # bsp +@{model_ext} += [cC][lL][dD] # cld +@{model_ext} += [dD][aA][eE] # dae +@{model_ext} += [dD][oO][rR] # dor +@{model_ext} += [dD][wW][fF] # dwf +@{model_ext} += [gG][lL][bB] # glb +@{model_ext} += [gG][lL][dD] # gld +@{model_ext} += [gG][lL][tT][fF] # gltf +@{model_ext} += [gG][sS][mM] # gsm +@{model_ext} += [gG][tT][wW] # gtw +@{model_ext} += [iI][gG][eE][sS] # iges +@{model_ext} += [iI][gG][sS] # igs +@{model_ext} += [iI][sS][mM] # ism +@{model_ext} += [jJ][tT] # jt +@{model_ext} += [lL][mM][pP] # lmp +@{model_ext} += [mM][eE][sS][hH] # mesh +@{model_ext} += [mM][oO][mM][lL] # moml +@{model_ext} += [mM][sS][hH] # msh +@{model_ext} += [mM][sS][mM] # msm +@{model_ext} += [mM][tT][lL] # mtl +@{model_ext} += [mM][tT][sS] # mts +@{model_ext} += [oO][bB][jJ] # obj +@{model_ext} += [oO][gG][eE][xX] # ogex +@{model_ext} += [pP][yY][oO] # pyo +@{model_ext} += [pP][yY][oO][xX] # pyox +@{model_ext} += [rR][sS][mM] # rsm +@{model_ext} += [sS][iI][lL][oO] # silo +@{model_ext} += [sS][tT][lL] # stl +@{model_ext} += [sS][tT][pP][xX] # stpx +@{model_ext} += [sS][tT][pP][xX][zZ] # stpxz +@{model_ext} += [uU][sS][dD][aA] # usda +@{model_ext} += [uU][sS][dD][zZ] # usdz +@{model_ext} += [uU]3[dD] # u3d +@{model_ext} += [vV][dD][sS] # vds +@{model_ext} += [vV][rR][mM][lL] # vrml +@{model_ext} += [vV][tT][uU] # vtu +@{model_ext} += [wW][iI][nN] # win +@{model_ext} += [wW][rR][lL] # wrl +@{model_ext} += [xX]_[bB] # x_b 
+@{model_ext} += [xX]_[tT] # x_t +@{model_ext} += [xX][mM][tT]_[bB][iI][nN] # xmt_bin +@{model_ext} += [xX][mM][tT]_[tT][xX][tT] # xmt_txt +@{model_ext} += [xX]3[dD][bB] # x3db +@{model_ext} += [xX]3[dD][vV] # x3dv +@{model_ext} += [xX]3[dD][vV][zZ] # x3dvz -# aqt ass gsub usf pac pjs psb rt sbv smi srt ssa ssf stl sub ttml ttxt vtt +# Fonts +@{font_ext} = [tT][tT][cC] # ttc +@{font_ext} += [tT][tT][fF] # ttf +@{font_ext} += [oO][tT][fF] # otf +@{font_ext} += [wW][oO][fF] # woff +@{font_ext} += [wW][oO][fF]2 # woff2 -@{subtitles_ext} = [aA][qQ][tT] [aA][sS][sS] [gG][sS][uU][bB] [uU][sS][fF] [pP][aA][cC] [pP][jJ][sS] [pP][sS][bB] [rR][tT] [sS][bB][vV] [sS][mM][iI] [sS][rR][tT] [sS][sS][aA] [sS][sS][fF] [sS][tT][lL] [sS][uU][bB] [tT][t][mM][lL] [tT][t][xX][tT] [vV][tT][t] +# Documents +@{document_ext} = [aA][dD][xX] # adx +@{document_ext} += [cC][dD][fF] # cdf +@{document_ext} += [dD][oO][cC] # doc +@{document_ext} += [dD][oO][cC][mM] # docm +@{document_ext} += [dD][oO][cC][xX] # docx +@{document_ext} += [dD][oO][tT] # dot +@{document_ext} += [dD][oO][tT][xX] # dotx +@{document_ext} += [fF][nN][iI] # fni +@{document_ext} += [fF][oO][dD][gG] # fodg +@{document_ext} += [fF][oO][dD][pP] # fodp +@{document_ext} += [fF][oO][dD][sS] # fods +@{document_ext} += [fF][oO][dD][tT] # fodt +@{document_ext} += [iI][nN][fF][oO] # info +@{document_ext} += [lL][aA][tT][eE][xX] # latex +@{document_ext} += [mM][dD][iI] # mdi +@{document_ext} += [oO][dD][bB] # odb +@{document_ext} += [oO][dD][cC] # odc +@{document_ext} += [oO][dD][fF] # odf +@{document_ext} += [oO][dD][gG] # odg +@{document_ext} += [oO][dD][iI] # odi +@{document_ext} += [oO][dD][mM] # odm +@{document_ext} += [oO][dD][pP] # odp +@{document_ext} += [oO][dD][sS] # ods +@{document_ext} += [oO][dD][tT] # odt +@{document_ext} += [oO][tT][cC] # otc +@{document_ext} += [oO][tT][fF] # otf +@{document_ext} += [oO][tT][gG] # otg +@{document_ext} += [oO][tT][hH] # oth +@{document_ext} += [oO][tT][iI] # oti +@{document_ext} += 
[oO][tT][pP] # otp +@{document_ext} += [oO][tT][sS] # ots +@{document_ext} += [oO][tT][tT] # ott +@{document_ext} += [oO][xX][tT] # oxt +@{document_ext} += [pP][aA][gG][eE][sS] # pages +@{document_ext} += [pP][dD][fF] # pdf +@{document_ext} += [pP][pP][tT][sS] # ppts +@{document_ext} += [pP][pP][tT][xX] # pptx +@{document_ext} += [sS][tT][cC] # stc +@{document_ext} += [sS][tT][dD] # std +@{document_ext} += [sS][tT][iI] # sti +@{document_ext} += [sS][tT][wW] # stw +@{document_ext} += [sS][xX][cC] # sxc +@{document_ext} += [sS][xX][dD] # sxd +@{document_ext} += [sS][xX][gG][sS][xX][iI] # sxgsxi +@{document_ext} += [sS][xX][mM] # sxm +@{document_ext} += [sS][xX][wW] # sxw +@{document_ext} += [tT][eE][xX] # tex +@{document_ext} += [tT][eE][xX][iI] # texi +@{document_ext} += [tT][eE][xX][iI][nN][fF][oO] # texinfo +@{document_ext} += [xX][lL][sS] # xls +@{document_ext} += [xX][lL][sS][bB] # xlsb +@{document_ext} += [xX][lL][sS][mM] # xlsm +@{document_ext} += [xX][lL][sS][xX] # xlsx +@{document_ext} += [xX][oO][dD][pP] # xodp +@{document_ext} += [xX][oO][dD][sS] # xods +@{document_ext} += [xX][oO][dD][tT] # xodt +@{document_ext} += [xX][oO][tT][pP] # xotp +@{document_ext} += [xX][oO][tT][sS] # xots +@{document_ext} += [xX][oO][tT][tT] # xott +@{document_ext} += [xX][pP][sS] # xps -# exr avci avcs avif hif bmp dib cgm drle dpx emf fits fit fts heic heics heif heifs hej2 hsj2 gif ief jls jp2 jpg2 jph jhc jpg jpeg jpe jfif jpm jpgm jpx jpf jxl jxr jxra jxrs jxs jxsc jxsi jxss ktx ktx2 png btif btf pti svg svgz t38 tiff tif tfx psd psdc azv uvi uvvi uvg uvvg djvu djv dwg dxf fbs fpx fst mmr rlc pgb ico apng mdi b16 hdr rgbe xyze spng spn s1n sgif sgi s1g sjpg sjp s1j tap vtf wbmp xif pcx wmf webp ras pnm pbm pgm ppm rgb tga xcf xbm xpm xwd - -@{image_ext} = [eE][xX][rR] [aA][vV][cC][iI] [aA][vV][cC][sS] [aA][vV][iI][fF] [hH][iI][fF] [bB][mM][pP] [dD][iI][bB] [cC][gG][mM] [dD][rR][lL][eE] [dD][pP][xX] [eE][mM][fF] [fF][iI][tT][sS] [fF][iI][tT] [fF][tT][sS] [hH][eE][iI][cC] 
[hH][eE][iI][cC][sS][hH][eE][iI][fF] [hH][eE][iI][fF][sS] [hH][eE][jJ]2 [hH][sS][jJ]2 [gG][iI][fF] [iE][eE][fF] [jJ][lL][sS] [jJ][pP]2 [jJ][pP][gG]2 [jJ][pP][hH] [jJ][hH][cC] [jJ][pP][gG] [jJ][pP][eE][gG] [jJ][fF][iI][fF] [jJ][pP][mM] [jJ][pP][gG][mM] [jJ][pP][xX] [jJ][pP][fF] [jJ][xX][lL] [jJ][xX][rR] [jJ][xX][rR][aA] [jJ][xX][rR][sS] [jJ][xX][sS][cC] [jJ][xX][sS][iI] [jJ][xX][sS][sS] [kK][tT][xX] [kK][tT][xX]2 [pP][nN][gG] [bB][tT][iI][fF] [bB][tT][fF] [pP][tT][iI] [sS][vV][gG] [sS][vV][gG][zZ] [tT]38 [tT][iI][fF][fF] [tT][iI][fF] [pP][sS][dD] [pP][sS][dD][cC] [aA][zZ][vV] [uU][vV][iI] [uU][vV][vV][iI] [uU][vV][gG] [uU][vV][vV][gG] [dD][jJ][vV][uU] [dD][jJ][vV] [dD][wW][gG] [dD][xX][fF] [fF][bB][sS] [fF][pP][xX] [fF][sS][tT] [mM][mM][rR] [rR][lL][cC] [pP][gG][bB] [iI][cC][oO] [aA][pP][nN][gG] [mM][dD][iI] [bB]16 [hH][dD][rR] [rR][gG][bB][eE] [xX][yY][zZ][eE] [sS][pP][nN][gG] [sS][pP][nN] [sS]1[nN] [sS][gG][iI] [sS][gG]1[gG] [sS][jJ][pP][gG] [sS][jJ][pP] [sS]1[jJ] [tT][aA][pP] [vV][bB][mM] [xX][iI][fF] [pP][cC][xX] [wW][mM][fF] [wW][eE][bB][pP] [rR][aA][sS] [pP][nN][mM] [pP][bB][mM] [pP][gG][mM] [pP][pP][mM] [rR][gG][bB] [tT][gG][aA] [xX][cC][fF] [xX][bB][mM] [xX][pP][mM] [xX][wW][dD] - -# glb gltf jt igs iges msh mesh silo mtl obj stpx stpxz stl u3d bary cld dae dwf gld gsm win dor lmp rsm msm ism gtw moml mts ogex x_b xmt_bin x_t xmt_txt pyo pyox vds usda usdz bsp vtu wrl vrml x3db x3dv x3dvz - -@{model_ext} = [gG][lL][bB] [gG][lL][tT][fF] [jJ][tT] [iI][gG][sS] [iI][gG][eE][sS] [mM][sS][hH] [mM][eE][sS][hH] [sS][iI][lL][oO] [mM][tT][lL] [oO][bB][jJ] [sS][tT][pP][xX] [sS][tT][pP][xX][zZ] [sS][tT][lL] [uU]3[dD] [bB][aA][rR][yY] [cC][lL][dD] [dD][aA][eE] [dD][wW][fF] [gG][lL][dD] [gG][sS][mM] [wW][iI][nN] [dD][oO][rR] [lL][mM][pP] [rR][sS][mM] [mM][sS][mM] [iI][sS][mM] [gG][tT][wW] [mM][oO][mM][lL] [mM][tT][sS] [oO][gG][eE][xX] [xX]_[bB] [xX][mM][tT]_[bB][iI][nN] [xX]_[tT] [xX][mM][tT]_[tT][xX][tT] [pP][yY][oO] [pP][yY][oO][xX] [vV][dD][sS] [uU][sS][dD][aA] 
[uU][sS][dD][zZ] [bB][sS][pP] [vV][tT][uU] [wW][rR][lL] [vV][rR][mM][lL] [xX]3[dD][bB] [xX]3[dD][vV] [xX]3[dD][vV][zZ] - -# ttc ttf otf woff woff2 - -@{font_ext} = [tT][tT][cC] [tT][tT][fF] [oO][tT][fF] [wW][oO][fF] [wW][oO][fF]2 - -# adx cdf doc docm docx dot dotx fni fodg fodp fods fodt info mdi odb odc odf odg odi odm odp ods odt otc otf otg oth oti otp ots ott oxt pages pdf stc std sti stw sxc sxd sxgsxi sxm sxw xps xodt xott xodp xotp xods xots pptx ppts xls xlsb xlsm xlsx tex texinfo texi latex - -@{document_ext} = [aA][dD][xX] [cC][dD][fF] [dD][oO][cC] [dD][oO][cC][mM] [dD][oO][cC][xX] [dD][oO][tT] [dD][oO][tT][xX] [fF][nN][iI] [fF][oO][dD][gG] [fF][oO][dD][pP] [fF][oO][dD][sS] [fF][oO][dD][tT] [iI][nN][fF][oO] [mM][dD][iI] [oO][dD][bB] [oO][dD][cC] [oO][dD][fF] [oO][dD][gG] [oO][dD][iI] [oO][dD][mM] [oO][dD][pP] [oO][dD][sS] [oO][dD][tT] [oO][tT][cC] [oO][tT][fF] [oO][tT][gG] [oO][tT][hH] [oO][tT][iI] [oO][tT][pP] [oO][tT][sS] [oO][tT][tT] [oO][xX][tT] [pP][aA][gG][eE][sS] [pP][dD][fF] [sS][tT][cC] [sS][tT][dD] [sS][tT][iI] [sS][tT][wW] [sS][xX][cC] [sS][xX][dD] [sS][xX][gG][sS][xX][iI] [sS][xX][mM] [sS][xX][wW] [xX][pP][sS] [xX][oO][dD][tT] [xX][oO][tT][tT] [xX][oO][dD][pP] [xX][oO][tT][pP] [xX][oO][dD][sS] [xX][oO][tT][sS] [pP][pP][tT][xX] [pP][pP][tT][sS] [xX][lL][sS] [xX][lL][sS][bB] [xX][lL][sS][mM] [xX][lL][sS][xX] [tT][eE][xX] [tT][eE][xX][iI][nN][fF][oO] [tT][eE][xX][iI] [lL][aA][tT][eE][xX] - -# appcache manifest ics ifb cql css csv csvs soa zone gff3 html htm js mjs cnd markdown md miz n3 txt asc text pm el c h cc hh cxx hxx f90 conf log provn rst tag dsc rtx sgml sgm shaclc shc shex spdx tsv t tr roff ttl uris uri vcf vcard a abc ascii copyright dms sub jtd vfk ged flt fly flx gv dot hans hgl 3dml 3dm spot spo mpf ccc mc2 uric jad sos ts si sl wml wmls vtt wgsl xml xsd rng ent sandboxed pod etx - -@{text_ext} = [aA][pP][pP][cC][aA][cC][hH][eE] [mM][aA][nN][iI][fF][eE][sS][tT] [iI][cC][sS] [iI][fF][bB] [cC][qQ][lL] [cC][sS][sS] [cC][sS][vV] 
[cC][sS][vV][sS] [sS][oO][aA] [zZ][oO][nN][eE] [gG][fF][fF]3 [hH][tT][mM][lL] [hH][tT][mM] [jJ][sS] [mM][jJ][sS] [cC][nN][dD] [mM][aA][rR][kK][dD][oO][wW][nN] [mM][dD] [mM][iI][zZ] [nN]3 [tT][xX][tT] [aA][sS][cC] [tT][eE][xX][tT] [pP][mM] [eE][lL] [cC] [hH] [cC][cC] [hH][hH] [cC][xX][xX] [hH][xX][xX] [fF]90 [cC][oO][nN][fF] [lL][oO][gG] [pP][rR][oO][vV][nN] [rR][sS][tT] [tT][aA][gG] [dD][sS][cC] [rR][tT][xX] [sS][gG][mM][lL] [sS][gG][mM] [sS][hH][aA][cC][lL][cC] [sS][hH][cC] [sS][hH][eE][xX] [sS][pP][dD][xX] [tT][sS][vV] [tT] [tT][rR] [rR][oO][fF][fF] [tT][tT][lL] [uU][rR][iI][sS] [uU][rR][iI] [vV][cC][fF] [vV][cC][aA][rR][dD] [aA] [aA][bB][cC] [aA][sS][cC][iI][iI] [cC][oO][pP][yY][rR][iI][gG][hH][tT] [dD][mM][sS] [sS][uU][bB] [jJ][tT][dD] [vV][fF][kK] [gG][eE][dD] [fF][lL][tT] [fF][lL][yY] [fF][lL][xX] [gG][vV] [dD][oO][tT] [hH][aA][nN][sS] [hH][gG][lL] 3[dD][mM][lL] 3[dD][mM] [sS][pP][oO][tT] [sS][pP][oO] [mM][pP][fF] [cC][cC][cC] [mM][cC]2 [uU][rR][iI][cC] [jJ][aA][dD] [sS][oO][sS] [tT][sS] [sS][iI] [sS][lL] [wW][mM][lL] [wW][mM][lL][sS] [vV][tT][tT] [wW][gG][sS][lL] [xX][mM][lL] [xX][sS][dD] [rR][nN][gG] [eE][nN][tT] [sS][aA][nN][dD][bB][oO][xX][eE][dD] [pP][oO][dD] [eE][tT][xX] +# Texts +@{text_ext} = [aA][pP][pP][cC][aA][cC][hH][eE] # appcache +@{text_ext} += [aA] # a +@{text_ext} += [aA][bB][cC] # abc +@{text_ext} += [aA][sS][cC] # asc +@{text_ext} += [aA][sS][cC][iI][iI] # ascii +@{text_ext} += [cC] # c +@{text_ext} += [cC][cC] # cc +@{text_ext} += [cC][cC][cC] # ccc +@{text_ext} += [cC][nN][dD] # cnd +@{text_ext} += [cC][oO][nN][fF] # conf +@{text_ext} += [cC][oO][pP][yY][rR][iI][gG][hH][tT] # copyright +@{text_ext} += [cC][qQ][lL] # cql +@{text_ext} += [cC][sS][sS] # css +@{text_ext} += [cC][sS][vV] # csv +@{text_ext} += [cC][sS][vV][sS] # csvs +@{text_ext} += [cC][xX][xX] # cxx +@{text_ext} += [dD][mM][sS] # dms +@{text_ext} += [dD][oO][tT] # dot +@{text_ext} += [dD][sS][cC] # dsc +@{text_ext} += [eE][lL] # el +@{text_ext} += [eE][nN][tT] # ent 
+@{text_ext} += [eE][tT][xX] # etx +@{text_ext} += [fF][lL][tT] # flt +@{text_ext} += [fF][lL][xX] # flx +@{text_ext} += [fF][lL][yY] # fly +@{text_ext} += [fF]90 # f90 +@{text_ext} += [gG][eE][dD] # ged +@{text_ext} += [gG][fF][fF]3 # gff3 +@{text_ext} += [gG][vV] # gv +@{text_ext} += [hH] # h +@{text_ext} += [hH][aA][nN][sS] # hans +@{text_ext} += [hH][gG][lL] # hgl +@{text_ext} += [hH][hH] # hh +@{text_ext} += [hH][tT][mM] # htm +@{text_ext} += [hH][tT][mM][lL] # html +@{text_ext} += [hH][xX][xX] # hxx +@{text_ext} += [iI][cC][sS] # ics +@{text_ext} += [iI][fF][bB] # ifb +@{text_ext} += [jJ][aA][dD] # jad +@{text_ext} += [jJ][sS] # js +@{text_ext} += [jJ][tT][dD] # jtd +@{text_ext} += [lL][oO][gG] # log +@{text_ext} += [mM][aA][nN][iI][fF][eE][sS][tT] # manifest +@{text_ext} += [mM][aA][rR][kK][dD][oO][wW][nN] # markdown +@{text_ext} += [mM][cC]2 # mc2 +@{text_ext} += [mM][dD] # md +@{text_ext} += [mM][iI][zZ] # miz +@{text_ext} += [mM][jJ][sS] # mjs +@{text_ext} += [mM][pP][fF] # mpf +@{text_ext} += [nN]3 # n3 +@{text_ext} += [pP][mM] # pm +@{text_ext} += [pP][oO][dD] # pod +@{text_ext} += [pP][rR][oO][vV][nN] # provn +@{text_ext} += [rR][nN][gG] # rng +@{text_ext} += [rR][oO][fF][fF] # roff +@{text_ext} += [rR][sS][tT] # rst +@{text_ext} += [rR][tT][xX] # rtx +@{text_ext} += [sS][aA][nN][dD][bB][oO][xX][eE][dD] # sandboxed +@{text_ext} += [sS][gG][mM] # sgm +@{text_ext} += [sS][gG][mM][lL] # sgml +@{text_ext} += [sS][hH][aA][cC][lL][cC] # shaclc +@{text_ext} += [sS][hH][cC] # shc +@{text_ext} += [sS][hH][eE][xX] # shex +@{text_ext} += [sS][iI] # si +@{text_ext} += [sS][lL] # sl +@{text_ext} += [sS][oO][aA] # soa +@{text_ext} += [sS][oO][sS] # sos +@{text_ext} += [sS][pP][dD][xX] # spdx +@{text_ext} += [sS][pP][oO] # spo +@{text_ext} += [sS][pP][oO][tT] # spot +@{text_ext} += [sS][uU][bB] # sub +@{text_ext} += [tT] # t +@{text_ext} += [tT][aA][gG] # tag +@{text_ext} += [tT][eE][xX][tT] # text +@{text_ext} += [tT][rR] # tr +@{text_ext} += [tT][sS] # ts 
+@{text_ext} += [tT][sS][vV] # tsv +@{text_ext} += [tT][tT][lL] # ttl +@{text_ext} += [tT][xX][tT] # txt +@{text_ext} += [uU][rR][iI] # uri +@{text_ext} += [uU][rR][iI][cC] # uric +@{text_ext} += [uU][rR][iI][sS] # uris +@{text_ext} += [vV][cC][aA][rR][dD] # vcard +@{text_ext} += [vV][cC][fF] # vcf +@{text_ext} += [vV][fF][kK] # vfk +@{text_ext} += [vV][tT][tT] # vtt +@{text_ext} += [wW][gG][sS][lL] # wgsl +@{text_ext} += [wW][mM][lL] # wml +@{text_ext} += [wW][mM][lL][sS] # wmls +@{text_ext} += [xX][mM][lL] # xml +@{text_ext} += [xX][sS][dD] # xsd +@{text_ext} += [zZ][oO][nN][eE] # zone +@{text_ext} += 3[dD][mM] # 3dm +@{text_ext} += 3[dD][mM][lL] # 3dml # vim:syntax=apparmor From c59086311bf0c9f021aa0c2107c509add0f24ce2 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 19 Oct 2024 22:50:09 +0100 Subject: [PATCH 312/315] tests: rewrite the way to generate integration tests. --- go.mod | 1 - tests/cmd/main.go | 177 +++++++---------------------- tests/cmd/tests.go | 111 ++++++++++++++++++ tests/{integration => cmd}/tldr.go | 85 +++++++++++--- tests/integration/paths.go | 72 ------------ tests/integration/scenario.go | 141 ----------------------- tests/integration/suite.go | 114 ------------------- 7 files changed, 217 insertions(+), 484 deletions(-) create mode 100644 tests/cmd/tests.go rename tests/{integration => cmd}/tldr.go (52%) delete mode 100644 tests/integration/paths.go delete mode 100644 tests/integration/scenario.go delete mode 100644 tests/integration/suite.go diff --git a/go.mod b/go.mod index bec7213d7..085850645 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,6 @@ go 1.21 require ( github.com/stretchr/testify v1.9.0 - gopkg.in/yaml.v3 v3.0.1 ) require ( diff --git a/tests/cmd/main.go b/tests/cmd/main.go index b549aab34..19dd1cf0d 100644 --- a/tests/cmd/main.go +++ b/tests/cmd/main.go 
@@ -8,171 +8,76 @@ import ( "flag" "fmt" "os" - "os/exec" - "strings" - "github.com/roddhjav/apparmor.d/pkg/aa" "github.com/roddhjav/apparmor.d/pkg/logging" "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/prebuild" - "github.com/roddhjav/apparmor.d/tests/integration" ) -const usage = `aa-test [-h] [--bootstrap | --run | --list] +const usage = `aa-test [-h] --bootstrap Integration tests manager tool for apparmor.d Options: -h, --help Show this help message and exit. - -b, --bootstrap Bootstrap tests using tldr pages. - -r, --run Run a predefined list of tests. - -l, --list List the configured tests. - -f, --file FILE Set a tests file. Default: tests/tests.yml - -d, --deps Install tests dependencies. - -D, --dryrun Do not do the action, list it. + -b, --bootstrap Download tests using tldr pages and generate Bats tests. ` var ( help bool bootstrap bool - run bool - list bool - deps bool - dryRun bool - cfg Config ) -type Config struct { - TldrDir *paths.Path // Default: tests/tldr - ScenariosDir *paths.Path // Default: tests - TldrFile *paths.Path // Default: tests/tldr.yml - TestsFile *paths.Path // Default: tests/tests.yml - SettingsFile *paths.Path // Default: tests/settings.yml - Profiles paths.PathList // List of profiles -} - -func NewConfig() Config { - cfg := Config{ - TldrDir: paths.New("tests/tldr"), - ScenariosDir: paths.New("tests/"), - Profiles: paths.PathList{}, - } - cfg.TldrFile = cfg.ScenariosDir.Join("tldr.yml") - cfg.TestsFile = cfg.ScenariosDir.Join("tests.yml") - cfg.SettingsFile = cfg.ScenariosDir.Join("settings.yml") - return cfg -} - -func LoadTestSuite() (*integration.TestSuite, error) { - tSuite := integration.NewTestSuite() - if err := tSuite.ReadTests(cfg.TestsFile); err != nil { - return tSuite, err - } - if err := tSuite.ReadSettings(cfg.SettingsFile); err != nil { - return tSuite, err - } - return tSuite, nil -} - func init() { - cfg = NewConfig() - files, _ := 
aa.MagicRoot.ReadDir(paths.FilterOutDirectories()) - for _, path := range files { - cfg.Profiles.Add(path) - } - flag.BoolVar(&help, "h", false, "Show this help message and exit.") flag.BoolVar(&help, "help", false, "Show this help message and exit.") - flag.BoolVar(&bootstrap, "b", false, "Bootstrap tests using tldr pages.") - flag.BoolVar(&bootstrap, "bootstrap", false, "Bootstrap tests using tldr pages.") - flag.BoolVar(&run, "r", false, "Run a predefined list of tests.") - flag.BoolVar(&run, "run", false, "Run a predefined list of tests.") - flag.BoolVar(&list, "l", false, "List the tests to run.") - flag.BoolVar(&list, "list", false, "List the tests to run.") - flag.BoolVar(&deps, "d", false, "Install tests dependencies.") - flag.BoolVar(&deps, "deps", false, "Install tests dependencies.") - flag.BoolVar(&dryRun, "D", false, "Do not do the action, list it.") - flag.BoolVar(&dryRun, "dryrun", false, "Do not do the action, list it.") + flag.BoolVar(&bootstrap, "b", false, "Download tests using tldr pages and generate Bats tests.") + flag.BoolVar(&bootstrap, "bootstrap", false, "Download tests using tldr pages and generate Bats tests.") } -func testDownload() error { - tldr := integration.NewTldr(cfg.TldrDir) +type Config struct { + TestsDir *paths.Path // Default: tests + TldrDir *paths.Path // Default: tests/tldr + TldrFile *paths.Path // Default: tests/tldr.yml + TestsFile *paths.Path // Default: tests/tests.yml + BatsDir *paths.Path // Default: tests/bats +} + +func NewConfig() *Config { + testsDir := paths.New("tests") + cfg := Config{ + TestsDir: testsDir, + TldrDir: testsDir.Join("tldr"), + TldrFile: testsDir.Join("tldr.yml"), + TestsFile: testsDir.Join("tldr.yml"), + BatsDir: testsDir.Join("bats_dirty"), + } + return &cfg +} + +func run() error { + logging.Step("Bootstraping tests") + cfg := NewConfig() + + tldr := NewTldr(cfg.TldrDir) if err := tldr.Download(); err != nil { return err } - tSuite, err := tldr.Parse() + tests, err := tldr.Parse() if err != 
nil { return err } + tests = tests.Filter() - // Default bootstraped scenarios file - if err := tSuite.Write(cfg.TldrFile); err != nil { - return err - } - logging.Bullet("Default scenarios saved: %s", cfg.TldrFile) - logging.Bullet("Number of tests found %d", len(tSuite.Tests)) - return nil -} - -func testDeps(dryRun bool) error { - tSuite, err := LoadTestSuite() - if err != nil { - return nil - } - - deps := tSuite.GetDependencies() - switch prebuild.Distribution { - case "arch": - arg := []string{"pacman", "-Sy", "--noconfirm"} - arg = append(arg, deps...) - cmd := exec.Command("sudo", arg...) - cmd.Stdout = os.Stdout - cmd.Stderr = os.Stderr - if dryRun { - fmt.Println(strings.Join(cmd.Args, " ")) - } else { - return cmd.Run() - } - default: - } - return nil -} - -func testRun(dryRun bool) error { - // Warning: There is no guarantee that the tests are not destructive - if dryRun { - logging.Step("List tests") - } else { - logging.Step("Run tests") - } - - tSuite, err := LoadTestSuite() - if err != nil { - return nil - } - integration.Arguments = tSuite.Arguments - integration.Ignore = tSuite.Ignore - integration.Profiles = cfg.Profiles - nbCmd := 0 - nbTest := 0 - for _, test := range tSuite.Tests { - ran, nb, err := test.Run(dryRun) - nbTest += ran - nbCmd += nb - if err != nil { + for _, test := range tests { + if err := test.Write(cfg.BatsDir); err != nil { return err } } - if dryRun { - logging.Bullet("Number of tests to run %d", nbTest) - logging.Bullet("Number of test commands to run %d", nbCmd) - } else { - logging.Success("Number of tests ran %d", nbTest) - logging.Success("Number of test command to ran %d", nbCmd) - } + logging.Bullet("Bats tests directory: %s", cfg.BatsDir) + logging.Bullet("Number of tests found %d", len(tests)) return nil } 
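Review bot: In NewConfig, `TestsFile: testsDir.Join("tldr.yml")` contradicts its own `// Default: tests/tests.yml` comment and merely duplicates TldrFile, and `BatsDir` is documented as `tests/bats` while being initialised to `tests/bats_dirty`; since run() reads only TldrDir and BatsDir, either drop the two unused file fields or make values and comments agree (`TestsFile: testsDir.Join("tests.yml")`, `BatsDir *paths.Path // Default: tests/bats_dirty`). run() also writes every test into cfg.BatsDir without creating it first; unless paths.Path.WriteFile creates parent directories (not visible here), a fresh checkout fails on the first Write, and an explicit `if err := cfg.BatsDir.MkdirAll(); err != nil { return err }` before the loop makes the intent clear either way. The removed runner carried a warning that tldr commands are not guaranteed to be non-destructive; the generated Bats files execute those commands verbatim, so that caveat belongs in the usage text or on run(), e.g. `// The generated tests run tldr commands unmodified; review them before executing.`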
@@ -184,18 +89,12 @@ func main() { os.Exit(0) } - var err error - if bootstrap { - logging.Step("Bootstraping tests") - err = testDownload() - } else if run || list { - err = testRun(list) - } else if deps { - err = testDeps(dryRun) - } else { + if !bootstrap { flag.Usage() os.Exit(1) } + + err := run() if err != nil { logging.Fatal("%s", err.Error()) } diff --git a/tests/cmd/tests.go b/tests/cmd/tests.go new file mode 100644 index 000000000..d145fbb07 --- /dev/null +++ b/tests/cmd/tests.go 
@@ -0,0 +1,111 @@ +// apparmor.d - Full set of apparmor profiles +// Copyright (C) 2023-2024 Alexandre Pujol +// SPDX-License-Identifier: GPL-2.0-only + +package main + +import ( + "html/template" + "os/exec" + "slices" + "strings" + + "github.com/roddhjav/apparmor.d/pkg/aa" + "github.com/roddhjav/apparmor.d/pkg/paths" +) + +const tmplTest = `#!/usr/bin/env bats +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2024 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only +{{ $name := .Name -}} +{{ range .Commands }} +# bats test_tags={{ $name }} +@test "{{ $name }}: {{ .Description }}" { + {{ .Cmd }} +} +{{ end }} +` + +var ( + Profiles = getProfiles() // List of profiles in apparmor.d + tmpl = template.Must(template.New("bats").Parse(tmplTest)) +) + +type Tests []Test + +// Filter returns a new list of tests with only the ones that have a profile +func (t Tests) Filter() Tests { + for i := len(t) - 1; i >= 0; i-- { + if !t[i].HasProfile() { + t = slices.Delete(t, i, i+1) + } + } + return t +} + +// Test represents of a list of tests for a given program +type Test struct { + Name string + Commands []Command +} + +// Command is a command line to run as part of a test +type Command struct { + Description string + Cmd string +} + +func NewTest() *Test { + return &Test{ + Name: "", + Commands: []Command{}, + } +} + +// HasProfile returns true if the program in the scenario is profiled in apparmor.d +func (t *Test) HasProfile() bool { + return slices.Contains(Profiles, t.Name) +} + +// IsInstalled returns true if the program in the scenario is installed on the system +func (t *Test) IsInstalled() bool { + if _, err := exec.LookPath(t.Name); err != nil { + return false + } + return true +} + +func (t Test) Write(dir *paths.Path) error { + if !t.HasProfile() { + return nil + } + + path := dir.Join(t.Name + ".bats") + content := renderBatsFile(t) + if err := path.WriteFile([]byte(content)); err != nil { + return err + } + return nil +} + +func 
renderBatsFile(data any) string { + var res strings.Builder + err := tmpl.Execute(&res, data) + if err != nil { + panic(err) + } + return res.String() +} + +func getProfiles() []string { + p := []string{} + files, err := aa.MagicRoot.ReadDir(paths.FilterOutDirectories()) + if err != nil { + panic(err) + } + for _, path := range files { + p = append(p, path.Base()) + } + return p +} diff --git a/tests/integration/tldr.go b/tests/cmd/tldr.go similarity index 52% rename from tests/integration/tldr.go rename to tests/cmd/tldr.go index fb879d15e..d86c80565 100644 --- a/tests/integration/tldr.go +++ b/tests/cmd/tldr.go @@ -2,12 +2,15 @@ // Copyright (C) 2023-2024 Alexandre Pujol // SPDX-License-Identifier: GPL-2.0-only -package integration +package main import ( + "archive/tar" + "compress/gzip" "fmt" "io" "net/http" + "path/filepath" "strings" "github.com/roddhjav/apparmor.d/pkg/paths" @@ -51,9 +54,9 @@ func (t Tldr) Download() error { return extratTo(gzPath, t.Dir, pages) } -// Parse the tldr pages and return a list of scenarios -func (t Tldr) Parse() (*TestSuite, error) { - testSuite := NewTestSuite() +// Parse the tldr pages and return a list of tests +func (t Tldr) Parse() (Tests, error) { + tests := make(Tests, 0) files, _ := t.Dir.ReadDirRecursiveFiltered(nil, paths.FilterOutDirectories()) for _, path := range files { content, err := path.ReadFile() 
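Review bot: tests.go renders the Bats scripts with `html/template`, which HTML-escapes every interpolated value in text context, so a tldr command containing `>`, `<`, `&`, `'` or `"` (redirections, `&&`, quoted arguments) is emitted as `&gt;`, `&amp;`, `&#39;`… and the generated test no longer runs the intended command; `.Description` and `$name` are escaped the same way. These files are shell scripts, not HTML, so the import should be `"text/template"`; `template.Must(template.New("bats").Parse(tmplTest))` has the same signature in both packages, so nothing else changes. Unlike the removed runner, nothing skips commands that still contain tldr `{{placeholder}}` tokens, so they are written literally into the .bats file and will fail or do something unintended at run time; a `strings.Contains(cmd.Cmd, "{{")` check in Write, or a `TODO` comment on tmplTest, would at least flag it. Because the commands are taken unmodified from a downloaded archive and executed by bats, a comment on tmplTest such as `// Commands come verbatim from tldr pages and are executed by bats; review the generated files before running them.` is worth adding.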
@@ -61,29 +64,77 @@ func (t Tldr) Parse() (*TestSuite, error) { return nil, err } raw := string(content) - t := &Test{ - Name: strings.TrimSuffix(path.Base(), ".md"), - Root: false, - Arguments: map[string]string{}, - Commands: []Command{}, - } - if strings.Contains(raw, "sudo") { - t.Root = true + t := Test{ + Name: strings.TrimSuffix(path.Base(), ".md"), + Commands: []Command{}, } rawTests := strings.Split(raw, "\n-")[1:] for _, test := range rawTests { res := strings.Split(test, "\n") dsc := strings.ReplaceAll(strings.Trim(res[0], " "), ":", "") cmd := strings.Trim(strings.Trim(res[2], "`"), " ") - if t.Root { - cmd = strings.ReplaceAll(cmd, "sudo ", "") - } t.Commands = append(t.Commands, Command{ Description: dsc, Cmd: cmd, }) } - testSuite.Tests = append(testSuite.Tests, *t) + tests = append(tests, t) } - return testSuite, nil + return tests, nil +} + +// Either or not to extract the file +func toExtrat(name string, subfolders []string) bool { + for _, subfolder := range subfolders { + if strings.HasPrefix(name, subfolder) { + return true + } + } + return false +} + +// Extract part of an archive to a destination directory +func extratTo(src *paths.Path, dst *paths.Path, subfolders []string) error { + gzIn, err := src.Open() + if err != nil { + return fmt.Errorf("opening %s: %w", src, err) + } + defer gzIn.Close() + + in, err := gzip.NewReader(gzIn) + if err != nil { + return fmt.Errorf("decoding %s: %w", src, err) + } + defer in.Close() + + if err := dst.MkdirAll(); err != nil { + return fmt.Errorf("creating %s: %w", src, err) + } + + tarIn := tar.NewReader(in) + for { + header, err := tarIn.Next() + if err == io.EOF { + break + } + if err != nil { + return err + } + + if header.Typeflag == tar.TypeReg { + if !toExtrat(header.Name, subfolders) { + continue + } + path := dst.Join(filepath.Base(header.Name)) + file, err := path.Create() + if err != nil { + return fmt.Errorf("creating %s: %w", file.Name(), err) + } + if _, err := io.Copy(file, tarIn); err != 
nil { + return fmt.Errorf("extracting %s: %w", file.Name(), err) + } + file.Close() + } + } + return nil } diff --git a/tests/integration/paths.go b/tests/integration/paths.go deleted file mode 100644 index 8d4a1cc9c..000000000 --- a/tests/integration/paths.go +++ /dev/null @@ -1,72 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package integration - -import ( - "archive/tar" - "compress/gzip" - "fmt" - "io" - "path/filepath" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -// Either or not to extract the file -func toExtrat(name string, subfolders []string) bool { - for _, subfolder := range subfolders { - if strings.HasPrefix(name, subfolder) { - return true - } - } - return false -} - -// Extract part of an archive to a destination directory -func extratTo(src *paths.Path, dst *paths.Path, subfolders []string) error { - gzIn, err := src.Open() - if err != nil { - return fmt.Errorf("opening %s: %w", src, err) - } - defer gzIn.Close() - - in, err := gzip.NewReader(gzIn) - if err != nil { - return fmt.Errorf("decoding %s: %w", src, err) - } - defer in.Close() - - if err := dst.MkdirAll(); err != nil { - return fmt.Errorf("creating %s: %w", src, err) - } - - tarIn := tar.NewReader(in) - for { - header, err := tarIn.Next() - if err == io.EOF { - break - } - if err != nil { - return err - } - - if header.Typeflag == tar.TypeReg { - if !toExtrat(header.Name, subfolders) { - continue - } - path := dst.Join(filepath.Base(header.Name)) - file, err := path.Create() - if err != nil { - return fmt.Errorf("creating %s: %w", file.Name(), err) - } - if _, err := io.Copy(file, tarIn); err != nil { - return fmt.Errorf("extracting %s: %w", file.Name(), err) - } - file.Close() - } - } - return nil -} diff --git a/tests/integration/scenario.go b/tests/integration/scenario.go deleted file mode 100644 index 94e9a728f..000000000 
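Review bot: In extratTo the error path after `path.Create()` formats `file.Name()` although `file` is the failed result — if Create returns a nil `*os.File` that is a nil dereference that replaces the real error with a panic, and `path` is the value the message should carry in any case; the MkdirAll failure likewise reports `src` where it means `dst`. When `io.Copy` fails the file is returned without being closed, and the `file.Close()` result is discarded, so a short write (full disk) goes unnoticed. The archive is fetched over HTTP by Download() (outside this hunk) and each member is copied without any size bound; `filepath.Base` already defuses path traversal, so checking `header.Size` against a small cap is the remaining piece against an oversized or tampered tarball. In Parse, `res[2]` panics on a tldr entry with fewer than three lines; a `if len(res) < 3 { continue }` guard keeps one malformed page from taking the whole bootstrap down. The rewritten extraction body, with the presumably-sufficient cap declared alongside it, would be:
```go
// maxMemberSize bounds a single extracted tldr page; pages are a few KiB each.
const maxMemberSize = 1 << 20

// … unchanged: gzip reader setup …
if err := dst.MkdirAll(); err != nil {
	return fmt.Errorf("creating %s: %w", dst, err)
}
// … unchanged: tar loop, TypeReg and toExtrat filter …
if header.Size > maxMemberSize {
	return fmt.Errorf("extracting %s: member too large (%d bytes)", header.Name, header.Size)
}
path := dst.Join(filepath.Base(header.Name))
file, err := path.Create()
if err != nil {
	return fmt.Errorf("creating %s: %w", path, err)
}
_, err = io.Copy(file, tarIn)
if cerr := file.Close(); err == nil {
	err = cerr
}
if err != nil {
	return fmt.Errorf("extracting %s: %w", path, err)
}
```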
--- a/tests/integration/scenario.go +++ /dev/null 
@@ -1,141 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -// TODO: -// - Finish templating -// - Provide a large selection of resources: files, disks, http server... for automatic test on them -// - Expand support for interactive program (stdin and Control-D) -// - Properlly log the test result -// - Dbus integration - -package integration - -import ( - "bytes" - "fmt" - "io" - "os/exec" - "strings" - - "github.com/roddhjav/apparmor.d/pkg/logging" - "github.com/roddhjav/apparmor.d/pkg/paths" -) - -var ( - Ignore []string // Do not run some scenarios - Arguments map[string]string // Common arguments used across all scenarios - Profiles paths.PathList // List of profiles in apparmor.d -) - -// Test represents of a list of tests for a given program -type Test struct { - Name string `yaml:"name"` - Root bool `yaml:"root"` // Run the test as user or as root - Dependencies []string `yaml:"require"` // Packages required for the tests to run "$(pacman -Qqo Scenario.Name)" - Arguments map[string]string `yaml:"arguments"` // Arguments to pass to the program, specific to this scenario - Commands []Command `yaml:"tests"` -} - -// Command is a command line to run as part of a test -type Command struct { - Description string `yaml:"dsc"` - Cmd string `yaml:"cmd"` - Stdin []string `yaml:"stdin"` -} - -func NewTest() *Test { - return &Test{ - Name: "", - Root: false, - Dependencies: []string{}, - Arguments: map[string]string{}, - Commands: []Command{}, - } -} - -// HasProfile returns true if the program in the scenario is profiled in apparmor.d -func (t *Test) HasProfile() bool { - for _, path := range Profiles { - if t.Name == path.Base() { - return true - } - } - return false -} - -// IsInstalled returns true if the program in the scenario is installed on the system -func (t *Test) IsInstalled() bool { - if _, err := exec.LookPath(t.Name); err != nil { - return false - } - return true 
-} - -func (t *Test) resolve(in string) string { - res := in - for key, value := range t.Arguments { - res = strings.ReplaceAll(res, "{{ "+key+" }}", value) - } - return res -} - -// mergeArguments merge the arguments of the scenario with the global arguments -// Test arguments have priority over global arguments -func (t *Test) mergeArguments(args map[string]string) { - if len(t.Arguments) == 0 { - t.Arguments = map[string]string{} - } - for key, value := range args { - t.Arguments[key] = value - } -} - -// Run the scenarios tests -func (t *Test) Run(dryRun bool) (ran int, nb int, err error) { - nb = 0 - if t.HasProfile() && t.IsInstalled() { - logging.Step("%s", t.Name) - t.mergeArguments(Arguments) - for _, test := range t.Commands { - cmd := t.resolve(test.Cmd) - if !strings.Contains(cmd, "{{") { - nb++ - if dryRun { - logging.Bullet("%s", cmd) - } else { - cmdErr := t.run(cmd, strings.Join(test.Stdin, "\n")) - if cmdErr != nil { - logging.Error("%v", cmdErr) - } else { - logging.Success("%s", cmd) - } - } - } - } - return 1, nb, err - } - return 0, nb, err -} - -func (t *Test) run(cmdline string, in string) error { - var testErr bytes.Buffer - - // Running the command in a shell ensure it does not run confined under the sudo profile. - // The shell is run unconfined and therefore the cmdline can be confined without no-new-privs issue. - sufix := " &" // TODO: we need a goroutine here - cmd := exec.Command("sh", "-c", cmdline+sufix) - if t.Root { - cmd = exec.Command("sudo", "sh", "-c", cmdline+sufix) - } - - stderr := io.MultiWriter(Stderr, &testErr) - cmd.Stdin = strings.NewReader(in) - cmd.Stdout = Stdout - cmd.Stderr = stderr - err := cmd.Run() - if testErr.Len() > 0 { - return fmt.Errorf("%s", testErr.String()) - } - return err -} diff --git a/tests/integration/suite.go b/tests/integration/suite.go deleted file mode 100644 index 26ef24994..000000000 --- a/tests/integration/suite.go +++ /dev/null 
@@ -1,114 +0,0 @@ -// apparmor.d - Full set of apparmor profiles -// Copyright (C) 2023-2024 Alexandre Pujol -// SPDX-License-Identifier: GPL-2.0-only - -package integration - -import ( - "os" - - "github.com/roddhjav/apparmor.d/pkg/logs" - "github.com/roddhjav/apparmor.d/pkg/paths" - "github.com/roddhjav/apparmor.d/pkg/util" - "gopkg.in/yaml.v3" -) - -var ( - // Integration tests standard output - Stdout *os.File - - // Integration tests standard error output - Stderr *os.File - - stdoutPath = paths.New("tests/out.log") - stderrPath = paths.New("tests/err.log") -) - -// TestSuite is the apparmod.d integration tests to run -type TestSuite struct { - Tests []Test // List of tests to run - Ignore []string // Do not run some tests - Arguments map[string]string // Common arguments used across all tests -} - -// NewScenarios returns a new list of scenarios -func NewTestSuite() *TestSuite { - var err error - Stdout, err = stdoutPath.Create() - if err != nil { - panic(err) - } - Stderr, err = stderrPath.Create() - if err != nil { - panic(err) - } - return &TestSuite{ - Tests: []Test{}, - Ignore: []string{}, - Arguments: map[string]string{}, - } -} - -// Write export the list of scenarios to a file -func (t *TestSuite) Write(path *paths.Path) error { - jsonString, err := yaml.Marshal(&t.Tests) - if err != nil { - return err - } - - path = path.Clean() - file, err := path.Create() - if err != nil { - return err - } - defer file.Close() - - // Cleanup a bit - res := string(jsonString) - regClean := util.ToRegexRepl([]string{ - "- name:", "\n- name:", - `(?m)^.*stdin: \[\].*$`, ``, - `{{`, `{{ `, - `}}`, ` }}`, - }) - res = regClean.Replace(res) - _, err = file.WriteString("---\n" + res) - return err -} - -// ReadTests import the tests from a file -func (t *TestSuite) ReadTests(path *paths.Path) error { - content, _ := path.ReadFile() - return yaml.Unmarshal(content, &t.Tests) -} - -// ReadSettings import the common argument and ignore list from a file -func (t *TestSuite) 
ReadSettings(path *paths.Path) error { - type temp struct { - Arguments map[string]string `yaml:"arguments"` - Ignore []string `yaml:"ignore"` - } - tmp := temp{} - content, _ := path.ReadFile() - if err := yaml.Unmarshal(content, &tmp); err != nil { - return err - } - t.Arguments = tmp.Arguments - t.Ignore = tmp.Ignore - return nil -} - -// Results returns a sum up of the apparmor logs raised by the scenarios -func (t *TestSuite) Results() string { - file, _ := logs.GetAuditLogs(logs.LogFiles[0]) - aaLogs := logs.New(file, "") - return aaLogs.String() -} - -func (t *TestSuite) GetDependencies() []string { - res := []string{} - for _, test := range t.Tests { - res = append(res, test.Dependencies...) - } - return res -} From 081399a160b0db3b371c593d73fe4ab607ac9cd9 Mon Sep 17 00:00:00 2001 
From: Alexandre Pujol Date: Sat, 19 Oct 2024 22:55:17 +0100 Subject: [PATCH 313/315] tests: remove tests from the vendored paths module. --- pkg/paths/list_test.go | 169 ------- pkg/paths/paths_test.go | 432 ------------------ pkg/paths/process_test.go | 56 --- pkg/paths/readdir_test.go | 343 -------------- .../testdata/broken_symlink/dir_1/broken_link | 1 - pkg/paths/testdata/broken_symlink/dir_1/file2 | 0 .../testdata/broken_symlink/dir_1/linked_dir | 1 - .../testdata/broken_symlink/dir_1/linked_file | 1 - .../broken_symlink/dir_1/real_dir/file1 | 0 pkg/paths/testdata/delay/.gitignore | 1 - pkg/paths/testdata/delay/main.go | 40 -- pkg/paths/testdata/fileset/anotherFile | 4 - pkg/paths/testdata/fileset/file | 0 pkg/paths/testdata/fileset/folder/.hidden | 0 pkg/paths/testdata/fileset/folder/file2 | 0 pkg/paths/testdata/fileset/folder/file3 | 0 .../testdata/fileset/folder/subfolder/file4 | 0 pkg/paths/testdata/fileset/symlinktofolder | 1 - pkg/paths/testdata/fileset/test.txt | 20 - pkg/paths/testdata/fileset/test.txt.gz | Bin 411 -> 0 bytes pkg/paths/testdata/loops/loop_1/dir1/loop | 1 - pkg/paths/testdata/loops/loop_2/dir1/loop2 | 1 - pkg/paths/testdata/loops/loop_2/dir2/loop1 | 1 - pkg/paths/testdata/loops/loop_3/dir1/loop2 | 1 - .../testdata/loops/loop_3/dir2/dir3/loop2 | 1 - .../testdata/loops/loop_4/dir1/dir2/loop2 | 1 - .../loops/loop_4/dir1/dir3/dir4/loop1 | 1 - pkg/paths/testdata/loops/regular_1/dir1/file1 | 0 pkg/paths/testdata/loops/regular_1/dir2 | 1 - pkg/paths/testdata/loops/regular_2/dir1/file1 | 0 pkg/paths/testdata/loops/regular_2/dir2/dir1 | 1 - pkg/paths/testdata/loops/regular_2/dir2/file2 | 0 pkg/paths/testdata/loops/regular_3/dir1/file1 | 0 pkg/paths/testdata/loops/regular_3/dir2/dir1 | 1 - pkg/paths/testdata/loops/regular_3/dir2/file2 | 0 pkg/paths/testdata/loops/regular_3/link | 1 - .../dir1/file1 | 0 .../regular_4_with_permission_error/dir2/dir1 | 1 - .../dir2/file2 | 0 .../regular_4_with_permission_error/link | 1 - 40 files changed, 1082 
deletions(-) delete mode 100644 pkg/paths/list_test.go delete mode 100644 pkg/paths/paths_test.go delete mode 100644 pkg/paths/process_test.go delete mode 100644 pkg/paths/readdir_test.go delete mode 120000 pkg/paths/testdata/broken_symlink/dir_1/broken_link delete mode 100644 pkg/paths/testdata/broken_symlink/dir_1/file2 delete mode 120000 pkg/paths/testdata/broken_symlink/dir_1/linked_dir delete mode 120000 pkg/paths/testdata/broken_symlink/dir_1/linked_file delete mode 100644 pkg/paths/testdata/broken_symlink/dir_1/real_dir/file1 delete mode 100644 pkg/paths/testdata/delay/.gitignore delete mode 100644 pkg/paths/testdata/delay/main.go delete mode 100644 pkg/paths/testdata/fileset/anotherFile delete mode 100644 pkg/paths/testdata/fileset/file delete mode 100644 pkg/paths/testdata/fileset/folder/.hidden delete mode 100644 pkg/paths/testdata/fileset/folder/file2 delete mode 100644 pkg/paths/testdata/fileset/folder/file3 delete mode 100644 pkg/paths/testdata/fileset/folder/subfolder/file4 delete mode 120000 pkg/paths/testdata/fileset/symlinktofolder delete mode 100644 pkg/paths/testdata/fileset/test.txt delete mode 100644 pkg/paths/testdata/fileset/test.txt.gz delete mode 120000 pkg/paths/testdata/loops/loop_1/dir1/loop delete mode 120000 pkg/paths/testdata/loops/loop_2/dir1/loop2 delete mode 120000 pkg/paths/testdata/loops/loop_2/dir2/loop1 delete mode 120000 pkg/paths/testdata/loops/loop_3/dir1/loop2 delete mode 120000 pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 delete mode 120000 pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 delete mode 120000 pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1 delete mode 100644 pkg/paths/testdata/loops/regular_1/dir1/file1 delete mode 120000 pkg/paths/testdata/loops/regular_1/dir2 delete mode 100644 pkg/paths/testdata/loops/regular_2/dir1/file1 delete mode 120000 pkg/paths/testdata/loops/regular_2/dir2/dir1 delete mode 100644 pkg/paths/testdata/loops/regular_2/dir2/file2 delete mode 100644 
pkg/paths/testdata/loops/regular_3/dir1/file1 delete mode 120000 pkg/paths/testdata/loops/regular_3/dir2/dir1 delete mode 100644 pkg/paths/testdata/loops/regular_3/dir2/file2 delete mode 120000 pkg/paths/testdata/loops/regular_3/link delete mode 100644 pkg/paths/testdata/loops/regular_4_with_permission_error/dir1/file1 delete mode 120000 pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1 delete mode 100644 pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/file2 delete mode 120000 pkg/paths/testdata/loops/regular_4_with_permission_error/link diff --git a/pkg/paths/list_test.go b/pkg/paths/list_test.go deleted file mode 100644 index eaafc82ce..000000000 --- a/pkg/paths/list_test.go +++ /dev/null 
@@ -1,169 +0,0 @@
-/*
- * This file is part of PathsHelper library.
- *
- * Copyright 2018 Arduino AG (http://www.arduino.cc/)
- *
- * PathsHelper library is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * As a special exception, you may use this file as part of a free software
- * library without restriction. Specifically, if other files instantiate
- * templates or use macros or inline functions from this file, or you compile
- * this file and link it with other files to produce an executable, this
- * file does not by itself cause the resulting executable to be covered by
- * the GNU General Public License. This exception does not however
- * invalidate any other reasons why the executable file might be covered by
- * the GNU General Public License.
- */
-
-package paths
-
-import (
- "fmt"
- "testing"
-
- "github.com/stretchr/testify/require"
-)
-
-func TestListConstructors(t *testing.T) {
- list0 := NewPathList()
- require.Len(t, list0, 0)
-
- list1 := NewPathList("test")
- require.Len(t, list1, 1)
- require.Equal(t, "[test]", fmt.Sprintf("%s", list1))
-
- list3 := NewPathList("a", "b", "c")
- require.Len(t, list3, 3)
- require.Equal(t, "[a b c]", fmt.Sprintf("%s", list3))
-
- require.False(t, list3.Contains(New("d")))
- require.True(t, list3.Contains(New("a")))
- require.False(t, list3.Contains(New("d/../a")))
-
- require.False(t, list3.ContainsEquivalentTo(New("d")))
- require.True(t, list3.ContainsEquivalentTo(New("a")))
- require.True(t, list3.ContainsEquivalentTo(New("d/../a")))
-
- list4 := list3.Clone()
- require.Equal(t, "[a b c]", fmt.Sprintf("%s", list4))
- list4.AddIfMissing(New("d"))
- require.Equal(t, "[a b c d]", fmt.Sprintf("%s", list4))
- list4.AddIfMissing(New("b"))
- require.Equal(t, "[a b c d]", fmt.Sprintf("%s", list4))
- list4.AddAllMissing(NewPathList("a", "e", "i", "o", "u"))
- require.Equal(t, "[a b c d e i o u]", fmt.Sprintf("%s", list4))
-}
-
-func TestListSorting(t *testing.T) {
- list := NewPathList(
- "pointless",
- "spare",
- "carve",
- "unwieldy",
- "empty",
- "bow",
- "tub",
- "grease",
- "error",
- "energetic",
- "depend",
- "property")
- require.Equal(t, "[pointless spare carve unwieldy empty bow tub grease error energetic depend property]", fmt.Sprintf("%s", list))
- list.Sort()
- require.Equal(t, "[bow carve depend empty energetic error grease pointless property spare tub unwieldy]", fmt.Sprintf("%s", list))
-}
-
-func TestListFilters(t *testing.T) {
- list := NewPathList(
- "aaaa",
- "bbbb",
- "cccc",
- "dddd",
- "eeff",
- "aaaa/bbbb",
- "eeee/ffff",
- "gggg/hhhh",
- )
-
- l1 := list.Clone()
- l1.FilterPrefix("a")
- require.Equal(t, "[aaaa]", fmt.Sprintf("%s", l1))
-
- l2 := list.Clone()
- l2.FilterPrefix("b")
- require.Equal(t, "[bbbb aaaa/bbbb]", fmt.Sprintf("%s", l2))
-
- l3 := list.Clone()
- l3.FilterOutPrefix("b")
- require.Equal(t, "[aaaa cccc dddd eeff eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l3))
-
- l4 := list.Clone()
- l4.FilterPrefix("a", "b")
- require.Equal(t, "[aaaa bbbb aaaa/bbbb]", fmt.Sprintf("%s", l4))
-
- l5 := list.Clone()
- l5.FilterPrefix("test")
- require.Equal(t, "[]", fmt.Sprintf("%s", l5))
-
- l6 := list.Clone()
- l6.FilterOutPrefix("b", "c", "h")
- require.Equal(t, "[aaaa dddd eeff eeee/ffff]", fmt.Sprintf("%s", l6))
-
- l7 := list.Clone()
- l7.FilterSuffix("a")
- require.Equal(t, "[aaaa]", fmt.Sprintf("%s", l7))
-
- l8 := list.Clone()
- l8.FilterSuffix("a", "h")
- require.Equal(t, "[aaaa gggg/hhhh]", fmt.Sprintf("%s", l8))
-
- l9 := list.Clone()
- l9.FilterSuffix("test")
- require.Equal(t, "[]", fmt.Sprintf("%s", l9))
-
- l10 := list.Clone()
- l10.FilterOutSuffix("a")
- require.Equal(t, "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l10))
-
- l11 := list.Clone()
- l11.FilterOutSuffix("a", "h")
- require.Equal(t, "[bbbb cccc dddd eeff aaaa/bbbb eeee/ffff]", fmt.Sprintf("%s", l11))
-
- l12 := list.Clone()
- l12.FilterOutSuffix("test")
- require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l12))
-
- l13 := list.Clone()
- l13.FilterOutSuffix()
- require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l13))
-
- l14 := list.Clone()
- l14.FilterSuffix()
- require.Equal(t, "[]", fmt.Sprintf("%s", l14))
-
- l15 := list.Clone()
- l15.FilterOutPrefix()
- require.Equal(t, "[aaaa bbbb cccc dddd eeff aaaa/bbbb eeee/ffff gggg/hhhh]", fmt.Sprintf("%s", l15))
-
- l16 := list.Clone()
- l16.FilterPrefix()
- require.Equal(t, "[]", fmt.Sprintf("%s", l16))
-
- l17 := list.Clone()
- l17.Filter(func(p *Path) bool {
- return p.Base() == "bbbb"
- })
- require.Equal(t, "[bbbb aaaa/bbbb]", fmt.Sprintf("%s", l17))
-}
diff --git a/pkg/paths/paths_test.go b/pkg/paths/paths_test.go
deleted file mode 100644
index 27fde6248..000000000
--- a/pkg/paths/paths_test.go
+++ /dev/null
@@ -1,432 +0,0 @@
-/*
- * This file is part of PathsHelper library.
- *
- * Copyright 2018 Arduino AG (http://www.arduino.cc/)
- *
- * PathsHelper library is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * As a special exception, you may use this file as part of a free software
- * library without restriction. Specifically, if other files instantiate
- * templates or use macros or inline functions from this file, or you compile
- * this file and link it with other files to produce an executable, this
- * file does not by itself cause the resulting executable to be covered by
- * the GNU General Public License. This exception does not however
- * invalidate any other reasons why the executable file might be covered by
- * the GNU General Public License.
- */
-
-package paths
-
-import (
- "path/filepath"
- "runtime"
- "strings"
- "testing"
-
- "github.com/stretchr/testify/require"
-)
-
-func pathEqualsTo(t *testing.T, expected string, actual *Path) {
- require.Equal(t, expected, filepath.ToSlash(actual.String()))
-}
-
-func TestPathNew(t *testing.T) {
- test1 := New("path")
- require.Equal(t, "path", test1.String())
-
- test2 := New("path", "path")
- require.Equal(t, filepath.Join("path", "path"), test2.String())
-
- test3 := New()
- require.Nil(t, test3)
-
- test4 := New("")
- require.Nil(t, test4)
-}
-
-func TestPath(t *testing.T) {
- testPath := New("testdata", "fileset")
- pathEqualsTo(t, "testdata/fileset", testPath)
- isDir, err := testPath.IsDirCheck()
- require.True(t, isDir)
- require.NoError(t, err)
- require.True(t, testPath.IsDir())
- require.False(t, testPath.IsNotDir())
- exist, err := testPath.ExistCheck()
- require.True(t, exist)
- require.NoError(t, err)
- require.True(t, testPath.Exist())
- require.False(t, testPath.NotExist())
-
- folderPath := testPath.Join("folder")
- pathEqualsTo(t, "testdata/fileset/folder", folderPath)
- isDir, err = folderPath.IsDirCheck()
- require.True(t, isDir)
- require.NoError(t, err)
- require.True(t, folderPath.IsDir())
- require.False(t, folderPath.IsNotDir())
-
- exist, err = folderPath.ExistCheck()
- require.True(t, exist)
- require.NoError(t, err)
- require.True(t, folderPath.Exist())
- require.False(t, folderPath.NotExist())
-
- filePath := testPath.Join("file")
- pathEqualsTo(t, "testdata/fileset/file", filePath)
- isDir, err = filePath.IsDirCheck()
- require.False(t, isDir)
- require.NoError(t, err)
- require.False(t, filePath.IsDir())
- require.True(t, filePath.IsNotDir())
- exist, err = filePath.ExistCheck()
- require.True(t, exist)
- require.NoError(t, err)
- require.True(t, filePath.Exist())
- require.False(t, filePath.NotExist())
-
- anotherFilePath := filePath.Join("notexistent")
- pathEqualsTo(t, "testdata/fileset/file/notexistent", anotherFilePath)
- isDir, err = anotherFilePath.IsDirCheck()
- require.False(t, isDir)
- require.Error(t, err)
- require.False(t, anotherFilePath.IsDir())
- require.False(t, anotherFilePath.IsNotDir())
- exist, err = anotherFilePath.ExistCheck()
- require.False(t, exist)
- require.NoError(t, err)
- require.False(t, anotherFilePath.Exist())
- require.True(t, anotherFilePath.NotExist())
-
- list, err := folderPath.ReadDir()
- require.NoError(t, err)
- require.Len(t, list, 4)
- pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0])
- pathEqualsTo(t, "testdata/fileset/folder/file2", list[1])
- pathEqualsTo(t, "testdata/fileset/folder/file3", list[2])
- pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[3])
-
- list2 := list.Clone()
- list2.FilterDirs()
- require.Len(t, list2, 1)
- pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[0])
-
- list2 = list.Clone()
- list2.FilterOutHiddenFiles()
- require.Len(t, list2, 3)
- pathEqualsTo(t, "testdata/fileset/folder/file2", list2[0])
- pathEqualsTo(t, "testdata/fileset/folder/file3", list2[1])
- pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[2])
-
- list2 = list.Clone()
- list2.FilterOutPrefix("file")
- require.Len(t, list2, 2)
- pathEqualsTo(t, "testdata/fileset/folder/.hidden", list2[0])
- pathEqualsTo(t, "testdata/fileset/folder/subfolder", list2[1])
-}
-
-func TestResetStatCacheWhenFollowingSymlink(t *testing.T) {
- testdata := New("testdata", "fileset")
- files, err := testdata.ReadDir()
- require.NoError(t, err)
- for _, file := range files {
- if file.Base() == "symlinktofolder" {
- err = file.FollowSymLink()
- require.NoError(t, err)
- isDir, err := file.IsDirCheck()
- require.NoError(t, err)
- require.True(t, isDir)
- break
- }
- }
-}
-
-func TestIsInsideDir(t *testing.T) {
- notInside := func(a, b *Path) {
- isInside, err := a.IsInsideDir(b)
- require.NoError(t, err)
- require.False(t, isInside, "%s is inside %s", a, b)
- }
-
- inside := func(a, b *Path) {
- isInside, err := a.IsInsideDir(b)
- require.NoError(t, err)
- require.True(t, isInside, "%s is inside %s", a, b)
- notInside(b, a)
- }
-
- f1 := New("/a/b/c")
- f2 := New("/a/b/c/d")
- f3 := New("/a/b/c/d/e")
-
- notInside(f1, f1)
- notInside(f1, f2)
- inside(f2, f1)
- notInside(f1, f3)
- inside(f3, f1)
-
- r1 := New("a/b/c")
- r2 := New("a/b/c/d")
- r3 := New("a/b/c/d/e")
- r4 := New("f/../a/b/c/d/e")
- r5 := New("a/b/c/d/e/f/..")
-
- notInside(r1, r1)
- notInside(r1, r2)
- inside(r2, r1)
- notInside(r1, r3)
- inside(r3, r1)
- inside(r4, r1)
- notInside(r1, r4)
- inside(r5, r1)
- notInside(r1, r5)
-
- f4 := New("/home/megabug/aide/arduino-1.8.6/hardware/arduino/avr")
- f5 := New("/home/megabug/a15/packages")
- notInside(f5, f4)
- notInside(f4, f5)
-
- if runtime.GOOS == "windows" {
- f6 := New("C:\\", "A")
- f7 := New("C:\\", "A", "B", "C")
- f8 := New("E:\\", "A", "B", "C")
- inside(f7, f6)
- notInside(f8, f6)
- }
-}
-
-func TestReadFileAsLines(t *testing.T) {
- lines, err := New("testdata/fileset/anotherFile").ReadFileAsLines()
- require.NoError(t, err)
- require.Len(t, lines, 4)
- require.Equal(t, "line 1", lines[0])
- require.Equal(t, "line 2", lines[1])
- require.Equal(t, "", lines[2])
- require.Equal(t, "line 3", lines[3])
-}
-
-func TestCanonicaTempDir(t *testing.T) {
- require.Equal(t, TempDir().String(), TempDir().Canonical().String())
-}
-
-func TestCopyDir(t *testing.T) {
- tmp, err := MkTempDir("", "")
- require.NoError(t, err)
- defer tmp.RemoveAll()
-
- src := New("testdata", "fileset")
- err = src.CopyDirTo(tmp.Join("dest"))
- require.NoError(t, err, "copying dir")
-
- exist, err := tmp.Join("dest", "folder", "subfolder", "file4").ExistCheck()
- require.True(t, exist)
- require.NoError(t, err)
-
- isdir, err := tmp.Join("dest", "folder", "subfolder", "file4").IsDirCheck()
- require.False(t, isdir)
- require.NoError(t, err)
-
- err = src.CopyDirTo(tmp.Join("dest"))
- require.Error(t, err, "copying dir to already existing")
-
- err = src.Join("file").CopyDirTo(tmp.Join("dest2"))
- require.Error(t, err, "copying file as dir")
-}
-
-func TestParents(t *testing.T) {
- parents := New("/a/very/long/path").Parents()
- require.Len(t, parents, 5)
- pathEqualsTo(t, "/a/very/long/path", parents[0])
- pathEqualsTo(t, "/a/very/long", parents[1])
- pathEqualsTo(t, "/a/very", parents[2])
- pathEqualsTo(t, "/a", parents[3])
- pathEqualsTo(t, "/", parents[4])
-
- parents2 := New("a/very/relative/path").Parents()
- require.Len(t, parents, 5)
- pathEqualsTo(t, "a/very/relative/path", parents2[0])
- pathEqualsTo(t, "a/very/relative", parents2[1])
- pathEqualsTo(t, "a/very", parents2[2])
- pathEqualsTo(t, "a", parents2[3])
- pathEqualsTo(t, ".", parents2[4])
-}
-
-func TestFilterDirs(t *testing.T) {
- testPath := New("testdata", "fileset")
-
- list, err := testPath.ReadDir()
- require.NoError(t, err)
- require.Len(t, list, 6)
-
- pathEqualsTo(t, "testdata/fileset/anotherFile", list[0])
- pathEqualsTo(t, "testdata/fileset/file", list[1])
- pathEqualsTo(t, "testdata/fileset/folder", list[2])
- pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[3])
- pathEqualsTo(t, "testdata/fileset/test.txt", list[4])
- pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[5])
-
- list.FilterDirs()
- require.Len(t, list, 2)
- pathEqualsTo(t, "testdata/fileset/folder", list[0])
- pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[1])
-}
-
-func TestFilterOutDirs(t *testing.T) {
- {
- testPath := New("testdata", "fileset")
-
- list, err := testPath.ReadDir()
- require.NoError(t, err)
- require.Len(t, list, 6)
-
- pathEqualsTo(t, "testdata/fileset/anotherFile", list[0])
- pathEqualsTo(t, "testdata/fileset/file", list[1])
- pathEqualsTo(t, "testdata/fileset/folder", list[2])
- pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[3])
- pathEqualsTo(t, "testdata/fileset/test.txt", list[4])
- pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[5])
-
- list.FilterOutDirs()
- require.Len(t, list, 4)
- pathEqualsTo(t, "testdata/fileset/anotherFile", list[0])
- pathEqualsTo(t, "testdata/fileset/file", list[1])
- pathEqualsTo(t, "testdata/fileset/test.txt", list[2])
- pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[3])
- }
-
- {
- list, err := New("testdata", "broken_symlink", "dir_1").ReadDirRecursive()
- require.NoError(t, err)
-
- require.Len(t, list, 7)
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/broken_link", list[0])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/file2", list[1])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir", list[2])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir/file1", list[3])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_file", list[4])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir", list[5])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir/file1", list[6])
-
- list.FilterOutDirs()
- require.Len(t, list, 5)
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/broken_link", list[0])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/file2", list[1])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_dir/file1", list[2])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/linked_file", list[3])
- pathEqualsTo(t, "testdata/broken_symlink/dir_1/real_dir/file1", list[4])
- }
-}
-
-func TestEquivalentPaths(t *testing.T) {
- wd, err := Getwd()
- require.NoError(t, err)
- require.True(t, New("file1").EquivalentTo(New("file1", "somethingelse", "..")))
- require.True(t, New("file1", "abc").EquivalentTo(New("file1", "abc", "def", "..")))
- require.True(t, wd.Join("file1").EquivalentTo(New("file1")))
- require.True(t, wd.Join("file1").EquivalentTo(New("file1", "abc", "..")))
-
- if runtime.GOOS == "windows" {
- q := New("testdata", "fileset", "anotherFile")
- r := New("testdata", "fileset", "ANOTHE~1")
- require.True(t, q.EquivalentTo(r))
- require.True(t, r.EquivalentTo(q))
- }
-}
-
-func TestCanonicalize(t *testing.T) {
- wd, err := Getwd()
- require.NoError(t, err)
-
- p := New("testdata", "fileset", "anotherFile").Canonical()
- require.Equal(t, wd.Join("testdata", "fileset", "anotherFile").String(), p.String())
-
- p = New("testdata", "fileset", "nonexistentFile").Canonical()
- require.Equal(t, wd.Join("testdata", "fileset", "nonexistentFile").String(), p.String())
-
- if runtime.GOOS == "windows" {
- q := New("testdata", "fileset", "ANOTHE~1").Canonical()
- require.Equal(t, wd.Join("testdata", "fileset", "anotherFile").String(), q.String())
-
- r := New("c:\\").Canonical()
- require.Equal(t, "C:\\", r.String())
-
- tmp, err := MkTempDir("", "pref")
- require.NoError(t, err)
- require.Equal(t, tmp.String(), tmp.Canonical().String())
- }
-}
-
-func TestRelativeTo(t *testing.T) {
- res, err := New("/my/abs/path/123/456").RelTo(New("/my/abs/path"))
- require.NoError(t, err)
- pathEqualsTo(t, "../..", res)
-
- res, err = New("/my/abs/path").RelTo(New("/my/abs/path/123/456"))
- require.NoError(t, err)
- pathEqualsTo(t, "123/456", res)
-
- res, err = New("my/path").RelTo(New("/other/path"))
- require.Error(t, err)
- require.Nil(t, res)
-
- res, err = New("/my/abs/path/123/456").RelFrom(New("/my/abs/path"))
- pathEqualsTo(t, "123/456", res)
- require.NoError(t, err)
-
- res, err = New("/my/abs/path").RelFrom(New("/my/abs/path/123/456"))
- require.NoError(t, err)
- pathEqualsTo(t, "../..", res)
-
- res, err = New("my/path").RelFrom(New("/other/path"))
- require.Error(t, err)
- require.Nil(t, res)
-}
-
-func TestWriteToTempFile(t *testing.T) {
- tmpDir := New("testdata", "fileset", "tmp")
- err := tmpDir.MkdirAll()
- require.NoError(t, err)
- defer tmpDir.RemoveAll()
-
- tmpData := []byte("test")
- tmp, err := WriteToTempFile(tmpData, tmpDir, "prefix")
- defer tmp.Remove()
- require.NoError(t, err)
- require.True(t, strings.HasPrefix(tmp.Base(), "prefix"))
- isInside, err := tmp.IsInsideDir(tmpDir)
- require.NoError(t, err)
- require.True(t, isInside)
- data, err := tmp.ReadFile()
- require.NoError(t, err)
- require.Equal(t, tmpData, data)
-}
-
-func TestCopyToSamePath(t *testing.T) {
- tmpDir := New(t.TempDir())
- srcFile := tmpDir.Join("test_file")
- dstFile := srcFile
-
- // create the source file in tmp dir
- err := srcFile.WriteFile([]byte("hello"))
- require.NoError(t, err)
- content, err := srcFile.ReadFile()
- require.NoError(t, err)
- require.Equal(t, []byte("hello"), content)
-
- // cannot copy the same file
- err = srcFile.CopyTo(dstFile)
- require.Error(t, err)
- require.Contains(t, err.Error(), "are the same file")
-}
diff --git a/pkg/paths/process_test.go b/pkg/paths/process_test.go
deleted file mode 100644
index 5346dda02..000000000
--- a/pkg/paths/process_test.go
+++ /dev/null
@@ -1,56 +0,0 @@
-//
-// This file is part of PathsHelper library.
-//
-// Copyright 2023 Arduino AG (http://www.arduino.cc/)
-//
-// PathsHelper library is free software; you can redistribute it and/or modify
-// it under the terms of the GNU General Public License as published by
-// the Free Software Foundation; either version 2 of the License, or
-// (at your option) any later version.
-//
-// This program is distributed in the hope that it will be useful,
-// but WITHOUT ANY WARRANTY; without even the implied warranty of
-// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-// GNU General Public License for more details.
-//
-// You should have received a copy of the GNU General Public License
-// along with this program; if not, write to the Free Software
-// Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
-//
-// As a special exception, you may use this file as part of a free software
-// library without restriction. Specifically, if other files instantiate
-// templates or use macros or inline functions from this file, or you compile
-// this file and link it with other files to produce an executable, this
-// file does not by itself cause the resulting executable to be covered by
-// the GNU General Public License. This exception does not however
-// invalidate any other reasons why the executable file might be covered by
-// the GNU General Public License.
-//
-
-package paths
-
-import (
- "context"
- "testing"
- "time"
-
- "github.com/stretchr/testify/require"
-)
-
-func TestProcessWithinContext(t *testing.T) {
- // Build `delay` helper inside testdata/delay
- builder, err := NewProcess(nil, "go", "build")
- require.NoError(t, err)
- builder.SetDir("testdata/delay")
- require.NoError(t, builder.Run())
-
- // Run delay and test if the process is terminated correctly due to context
- process, err := NewProcess(nil, "testdata/delay/delay")
- require.NoError(t, err)
- start := time.Now()
- ctx, cancel := context.WithTimeout(context.Background(), 250*time.Millisecond)
- err = process.RunWithinContext(ctx)
- require.Error(t, err)
- require.Less(t, time.Since(start), 500*time.Millisecond)
- cancel()
-}
diff --git a/pkg/paths/readdir_test.go b/pkg/paths/readdir_test.go
deleted file mode 100644
index ae25ede97..000000000
--- a/pkg/paths/readdir_test.go
+++ /dev/null
@@ -1,343 +0,0 @@ -/* - * This file is part of PathsHelper library. - * - * Copyright 2018-2022 Arduino AG (http://www.arduino.cc/) - * - * PathsHelper library is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA - * - * As a special exception, you may use this file as part of a free software - * library without restriction. Specifically, if other files instantiate - * templates or use macros or inline functions from this file, or you compile - * this file and link it with other files to produce an executable, this - * file does not by itself cause the resulting executable to be covered by - * the GNU General Public License. This exception does not however - * invalidate any other reasons why the executable file might be covered by - * the GNU General Public License. 
- */ - -package paths - -import ( - "fmt" - "io/fs" - "os" - "runtime" - "testing" - "time" - - "github.com/stretchr/testify/require" -) - -func TestReadDirRecursive(t *testing.T) { - testPath := New("testdata", "fileset") - - list, err := testPath.ReadDirRecursive() - require.NoError(t, err) - require.Len(t, list, 16) - - pathEqualsTo(t, "testdata/fileset/anotherFile", list[0]) - pathEqualsTo(t, "testdata/fileset/file", list[1]) - pathEqualsTo(t, "testdata/fileset/folder", list[2]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[3]) - pathEqualsTo(t, "testdata/fileset/folder/file2", list[4]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list[5]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[6]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", list[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", list[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", list[9]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", list[10]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", list[11]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", list[12]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", list[13]) - pathEqualsTo(t, "testdata/fileset/test.txt", list[14]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", list[15]) -} - -func TestReadDirRecursiveSymLinkLoop(t *testing.T) { - // Test symlink loop - tmp, err := MkTempDir("", "") - require.NoError(t, err) - defer tmp.RemoveAll() - - folder := tmp.Join("folder") - err = os.Symlink(tmp.String(), folder.String()) - require.NoError(t, err) - - l, err := tmp.ReadDirRecursive() - require.Error(t, err) - fmt.Println(err) - require.Nil(t, l) - - l, err = tmp.ReadDirRecursiveFiltered(nil) - require.Error(t, err) - fmt.Println(err) - require.Nil(t, l) -} - -func TestReadDirFiltered(t *testing.T) { - folderPath := New("testdata/fileset/folder") - list, err := folderPath.ReadDir() - require.NoError(t, err) - 
require.Len(t, list, 4) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) - pathEqualsTo(t, "testdata/fileset/folder/file2", list[1]) - pathEqualsTo(t, "testdata/fileset/folder/file3", list[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[3]) - - list, err = folderPath.ReadDir(FilterDirectories()) - require.NoError(t, err) - require.Len(t, list, 1) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[0]) - - list, err = folderPath.ReadDir(FilterOutPrefixes("file")) - require.NoError(t, err) - require.Len(t, list, 2) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", list[0]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", list[1]) -} - -func TestReadDirRecursiveFiltered(t *testing.T) { - testdata := New("testdata", "fileset") - l, err := testdata.ReadDirRecursiveFiltered(nil) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 16) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[3]) - pathEqualsTo(t, "testdata/fileset/folder/file2", l[4]) - pathEqualsTo(t, "testdata/fileset/folder/file3", l[5]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[6]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[9]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[10]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[11]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[12]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[13]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[14]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[15]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutDirectories()) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 6) 
- pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) // <- this is listed but not traversed - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) // <- this is listed but not traversed - pathEqualsTo(t, "testdata/fileset/test.txt", l[4]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[5]) - - l, err = testdata.ReadDirRecursiveFiltered(nil, FilterOutDirectories()) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 12) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/file2", l[3]) - pathEqualsTo(t, "testdata/fileset/folder/file3", l[4]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder/file4", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[6]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[9]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[10]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[11]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutDirectories(), FilterOutDirectories()) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 4) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[2]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[3]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), FilterOutSuffixes("3")) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 12) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, 
"testdata/fileset/folder/.hidden", l[3]) - pathEqualsTo(t, "testdata/fileset/folder/file2", l[4]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[5]) // <- subfolder skipped by Prefix("sub") - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[6]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[8]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[9]) // <- subfolder skipped by Prefix("sub") - pathEqualsTo(t, "testdata/fileset/test.txt", l[10]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[11]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil"))) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 9) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/folder", l[1]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[8]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterOutPrefixes("sub"), AndFilter(FilterOutSuffixes("3"), FilterOutPrefixes("fil"), FilterOutSuffixes(".gz"))) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 8) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/folder", l[1]) - pathEqualsTo(t, "testdata/fileset/folder/.hidden", l[2]) - pathEqualsTo(t, "testdata/fileset/folder/subfolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) - 
pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) - - l, err = testdata.ReadDirRecursiveFiltered(OrFilter(FilterPrefixes("sub"), FilterSuffixes("tofolder"))) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 11) - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/.hidden", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[6]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[7]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder/file4", l[8]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[9]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[10]) - - l, err = testdata.ReadDirRecursiveFiltered(nil, FilterNames("folder")) - require.NoError(t, err) - l.Sort() - require.Len(t, l, 1) - pathEqualsTo(t, "testdata/fileset/folder", l[0]) - - l, err = testdata.ReadDirRecursiveFiltered(FilterNames("symlinktofolder"), FilterOutNames(".hidden")) - require.NoError(t, err) - require.Len(t, l, 9) - l.Sort() - pathEqualsTo(t, "testdata/fileset/anotherFile", l[0]) - pathEqualsTo(t, "testdata/fileset/file", l[1]) - pathEqualsTo(t, "testdata/fileset/folder", l[2]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder", l[3]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file2", l[4]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/file3", l[5]) - pathEqualsTo(t, "testdata/fileset/symlinktofolder/subfolder", l[6]) - pathEqualsTo(t, "testdata/fileset/test.txt", l[7]) - pathEqualsTo(t, "testdata/fileset/test.txt.gz", l[8]) -} - -func TestReadDirRecursiveLoopDetection(t *testing.T) { - loopsPath := New("testdata", "loops") - unbuondedReaddir := func(testdir string) (PathList, error) { - var files PathList - var err error - done := make(chan bool) - 
go func() {
- files, err = loopsPath.Join(testdir).ReadDirRecursive()
- done <- true
- }()
- require.Eventually(
- t,
- func() bool {
- select {
- case <-done:
- return true
- default:
- return false
- }
- },
- 5*time.Second,
- 10*time.Millisecond,
- "Infinite symlink loop while loading sketch",
- )
- return files, err
- }
-
- for _, dir := range []string{"loop_1", "loop_2", "loop_3", "loop_4"} {
- l, err := unbuondedReaddir(dir)
- require.EqualError(t, err, "directories symlink loop detected", "loop not detected in %s", dir)
- require.Nil(t, l)
- }
-
- {
- l, err := unbuondedReaddir("regular_1")
- require.NoError(t, err)
- require.Len(t, l, 4)
- l.Sort()
- pathEqualsTo(t, "testdata/loops/regular_1/dir1", l[0])
- pathEqualsTo(t, "testdata/loops/regular_1/dir1/file1", l[1])
- pathEqualsTo(t, "testdata/loops/regular_1/dir2", l[2])
- pathEqualsTo(t, "testdata/loops/regular_1/dir2/file1", l[3])
- }
-
- {
- l, err := unbuondedReaddir("regular_2")
- require.NoError(t, err)
- require.Len(t, l, 6)
- l.Sort()
- pathEqualsTo(t, "testdata/loops/regular_2/dir1", l[0])
- pathEqualsTo(t, "testdata/loops/regular_2/dir1/file1", l[1])
- pathEqualsTo(t, "testdata/loops/regular_2/dir2", l[2])
- pathEqualsTo(t, "testdata/loops/regular_2/dir2/dir1", l[3])
- pathEqualsTo(t, "testdata/loops/regular_2/dir2/dir1/file1", l[4])
- pathEqualsTo(t, "testdata/loops/regular_2/dir2/file2", l[5])
- }
-
- {
- l, err := unbuondedReaddir("regular_3")
- require.NoError(t, err)
- require.Len(t, l, 7)
- l.Sort()
- pathEqualsTo(t, "testdata/loops/regular_3/dir1", l[0])
- pathEqualsTo(t, "testdata/loops/regular_3/dir1/file1", l[1])
- pathEqualsTo(t, "testdata/loops/regular_3/dir2", l[2])
- pathEqualsTo(t, "testdata/loops/regular_3/dir2/dir1", l[3])
- pathEqualsTo(t, "testdata/loops/regular_3/dir2/dir1/file1", l[4])
- pathEqualsTo(t, "testdata/loops/regular_3/dir2/file2", l[5])
- pathEqualsTo(t, "testdata/loops/regular_3/link", l[6]) // broken symlink is reported in files
- }
-
- if runtime.GOOS != 
"windows" { - dir1 := loopsPath.Join("regular_4_with_permission_error", "dir1") - - l, err := unbuondedReaddir("regular_4_with_permission_error") - require.NoError(t, err) - require.NotEmpty(t, l) - - dir1Stat, err := dir1.Stat() - require.NoError(t, err) - err = dir1.Chmod(fs.FileMode(0)) // Enforce permission error - require.NoError(t, err) - t.Cleanup(func() { - // Restore normal permission after the test - dir1.Chmod(dir1Stat.Mode()) - }) - - l, err = unbuondedReaddir("regular_4_with_permission_error") - require.Error(t, err) - require.Nil(t, l) - } -} diff --git a/pkg/paths/testdata/broken_symlink/dir_1/broken_link b/pkg/paths/testdata/broken_symlink/dir_1/broken_link deleted file mode 120000 index 86a410dd1..000000000 --- a/pkg/paths/testdata/broken_symlink/dir_1/broken_link +++ /dev/null @@ -1 +0,0 @@ -broken \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/file2 b/pkg/paths/testdata/broken_symlink/dir_1/file2 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/broken_symlink/dir_1/linked_dir b/pkg/paths/testdata/broken_symlink/dir_1/linked_dir deleted file mode 120000 index 4b019049f..000000000 --- a/pkg/paths/testdata/broken_symlink/dir_1/linked_dir +++ /dev/null @@ -1 +0,0 @@ -real_dir \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/linked_file b/pkg/paths/testdata/broken_symlink/dir_1/linked_file deleted file mode 120000 index 30d67d467..000000000 --- a/pkg/paths/testdata/broken_symlink/dir_1/linked_file +++ /dev/null @@ -1 +0,0 @@ -file2 \ No newline at end of file diff --git a/pkg/paths/testdata/broken_symlink/dir_1/real_dir/file1 b/pkg/paths/testdata/broken_symlink/dir_1/real_dir/file1 deleted file mode 100644 index e69de29bb..000000000 diff --git a/pkg/paths/testdata/delay/.gitignore b/pkg/paths/testdata/delay/.gitignore deleted file mode 100644 index fd5812a40..000000000 --- a/pkg/paths/testdata/delay/.gitignore +++ /dev/null @@ -1 +0,0 @@ -delay* 
diff --git a/pkg/paths/testdata/delay/main.go b/pkg/paths/testdata/delay/main.go
deleted file mode 100644
index fa6030c40..000000000
--- a/pkg/paths/testdata/delay/main.go
+++ /dev/null
@@ -1,40 +0,0 @@
-/*
- * This file is part of PathsHelper library.
- *
- * Copyright 2023 Arduino AG (http://www.arduino.cc/)
- *
- * PathsHelper library is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
- *
- * As a special exception, you may use this file as part of a free software
- * library without restriction. Specifically, if other files instantiate
- * templates or use macros or inline functions from this file, or you compile
- * this file and link it with other files to produce an executable, this
- * file does not by itself cause the resulting executable to be covered by
- * the GNU General Public License. This exception does not however
- * invalidate any other reasons why the executable file might be covered by
- * the GNU General Public License.
- */
-
-package main
-
-import (
- "fmt"
- "time"
-)
-
-func main() {
- time.Sleep(3 * time.Second)
- fmt.Println("Elapsed!")
-}
diff --git a/pkg/paths/testdata/fileset/anotherFile b/pkg/paths/testdata/fileset/anotherFile
deleted file mode 100644
index 27649646e..000000000
--- a/pkg/paths/testdata/fileset/anotherFile
+++ /dev/null
@@ -1,4 +0,0 @@
-line 1
-line 2
-
-line 3
\ No newline at end of file
diff --git a/pkg/paths/testdata/fileset/file b/pkg/paths/testdata/fileset/file
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/fileset/folder/.hidden b/pkg/paths/testdata/fileset/folder/.hidden
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/fileset/folder/file2 b/pkg/paths/testdata/fileset/folder/file2
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/fileset/folder/file3 b/pkg/paths/testdata/fileset/folder/file3
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/fileset/folder/subfolder/file4 b/pkg/paths/testdata/fileset/folder/subfolder/file4
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/fileset/symlinktofolder b/pkg/paths/testdata/fileset/symlinktofolder
deleted file mode 120000
index 01196353b..000000000
--- a/pkg/paths/testdata/fileset/symlinktofolder
+++ /dev/null
@@ -1 +0,0 @@
-folder
\ No newline at end of file
diff --git a/pkg/paths/testdata/fileset/test.txt b/pkg/paths/testdata/fileset/test.txt
deleted file mode 100644
index d3ded994d..000000000
--- a/pkg/paths/testdata/fileset/test.txt
+++ /dev/null
@@ -1,20 +0,0 @@ -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. 
It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. 
It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - -Lorem Ipsum is simply dummy text of the printing and typesetting industry. Lorem Ipsum has been the industry's standard dummy text ever since the 1500s, when an unknown printer took a galley of type and scrambled it to make a type specimen book. It has survived not only five centuries, but also the leap into electronic typesetting, remaining essentially unchanged. It was popularised in the 1960s with the release of Letraset sheets containing Lorem Ipsum passages, and more recently with desktop publishing software like Aldus PageMaker including versions of Lorem Ipsum. - 
diff --git a/pkg/paths/testdata/fileset/test.txt.gz b/pkg/paths/testdata/fileset/test.txt.gz deleted file mode 100644 index e75120aef293a5d686de117d35f37b59d821e907..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 411 zcmb2|=HOTtzAb@)xg@o?M6aZxgyHQZ!#rg}9@pP9rSEo9xOPuzX7@_%gh@toR1amHo?)WOb&KoxhZ#qWBN!wq`&(Un zRA-$&8^*!?sr8v*#nyvcugu%vdh_f(=c>wjYpykc(+hLWm|DNF`Y$=#$F)gdrGv(r z|I2LL;sROpcfYjl$i_@% diff --git a/pkg/paths/testdata/loops/loop_1/dir1/loop b/pkg/paths/testdata/loops/loop_1/dir1/loop deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/loop_1/dir1/loop +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_2/dir1/loop2 b/pkg/paths/testdata/loops/loop_2/dir1/loop2 deleted file mode 120000 index d014eb492..000000000 --- a/pkg/paths/testdata/loops/loop_2/dir1/loop2 +++ /dev/null @@ -1 +0,0 @@ -../dir2 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_2/dir2/loop1 b/pkg/paths/testdata/loops/loop_2/dir2/loop1 deleted file mode 120000 index c9f3ab1ea..000000000 --- a/pkg/paths/testdata/loops/loop_2/dir2/loop1 +++ /dev/null @@ -1 +0,0 @@ -../dir1 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_3/dir1/loop2 b/pkg/paths/testdata/loops/loop_3/dir1/loop2 deleted file mode 120000 index d014eb492..000000000 --- a/pkg/paths/testdata/loops/loop_3/dir1/loop2 +++ /dev/null @@ -1 +0,0 @@ -../dir2 \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 b/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 deleted file mode 120000 index 85babfdb0..000000000 --- a/pkg/paths/testdata/loops/loop_3/dir2/dir3/loop2 +++ /dev/null @@ -1 +0,0 @@ -../../dir1/ \ No newline at end of file diff --git a/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 b/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2 deleted file mode 120000 index 3fd50ca46..000000000 
--- a/pkg/paths/testdata/loops/loop_4/dir1/dir2/loop2
+++ /dev/null
@@ -1 +0,0 @@
-../dir3
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1 b/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1
deleted file mode 120000
index 4f388a669..000000000
--- a/pkg/paths/testdata/loops/loop_4/dir1/dir3/dir4/loop1
+++ /dev/null
@@ -1 +0,0 @@
-../../../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_1/dir1/file1 b/pkg/paths/testdata/loops/regular_1/dir1/file1
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/loops/regular_1/dir2 b/pkg/paths/testdata/loops/regular_1/dir2
deleted file mode 120000
index df490f837..000000000
--- a/pkg/paths/testdata/loops/regular_1/dir2
+++ /dev/null
@@ -1 +0,0 @@
-dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_2/dir1/file1 b/pkg/paths/testdata/loops/regular_2/dir1/file1
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/loops/regular_2/dir2/dir1 b/pkg/paths/testdata/loops/regular_2/dir2/dir1
deleted file mode 120000
index c9f3ab1ea..000000000
--- a/pkg/paths/testdata/loops/regular_2/dir2/dir1
+++ /dev/null
@@ -1 +0,0 @@
-../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_2/dir2/file2 b/pkg/paths/testdata/loops/regular_2/dir2/file2
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/loops/regular_3/dir1/file1 b/pkg/paths/testdata/loops/regular_3/dir1/file1
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/loops/regular_3/dir2/dir1 b/pkg/paths/testdata/loops/regular_3/dir2/dir1
deleted file mode 120000
index c9f3ab1ea..000000000
--- a/pkg/paths/testdata/loops/regular_3/dir2/dir1
+++ /dev/null
@@ -1 +0,0 @@
-../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_3/dir2/file2 b/pkg/paths/testdata/loops/regular_3/dir2/file2
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/loops/regular_3/link b/pkg/paths/testdata/loops/regular_3/link
deleted file mode 120000
index 86a410dd1..000000000
--- a/pkg/paths/testdata/loops/regular_3/link
+++ /dev/null
@@ -1 +0,0 @@
-broken
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir1/file1 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir1/file1
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1
deleted file mode 120000
index c9f3ab1ea..000000000
--- a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/dir1
+++ /dev/null
@@ -1 +0,0 @@
-../dir1
\ No newline at end of file
diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/file2 b/pkg/paths/testdata/loops/regular_4_with_permission_error/dir2/file2
deleted file mode 100644
index e69de29bb..000000000
diff --git a/pkg/paths/testdata/loops/regular_4_with_permission_error/link b/pkg/paths/testdata/loops/regular_4_with_permission_error/link
deleted file mode 120000
index 86a410dd1..000000000
--- a/pkg/paths/testdata/loops/regular_4_with_permission_error/link
+++ /dev/null
@@ -1 +0,0 @@
-broken
\ No newline at end of file
From 061b584b6601327c4b6d0c000253dbe5e4dcec18 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 19 Oct 2024 22:57:08 +0100
Subject: [PATCH 314/315] ci: update golangci-lint.
---
 .gitlab-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index a24ac7975..960dd2884 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -30,7 +30,7 @@ golangci-lint:
 stage: lint
 image: golangci/golangci-lint
 script:
- - golangci-lint run --skip-dirs pkg/paths
+ - golangci-lint run --exclude-dirs pkg/paths
 packer:
 stage: lint
From 2bace0178314399d48d83037a85dc26b5cb4fc9e Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sat, 19 Oct 2024 22:58:47 +0100
Subject: [PATCH 315/315] chore: all external go module have been removed.
---
 go.mod | 11 +----------
 go.sum | 10 ----------
 2 files changed, 1 insertion(+), 20 deletions(-)
diff --git a/go.mod b/go.mod
index 085850645..f98df5c19 100644
--- a/go.mod
+++ b/go.mod
@@ -1,12 +1,3 @@
 module github.com/roddhjav/apparmor.d
-go 1.21
-
-require (
- github.com/stretchr/testify v1.9.0
-)
-
-require (
- github.com/davecgh/go-spew v1.1.1 // indirect
- github.com/pmezard/go-difflib v1.0.0 // indirect
-)
+go 1.22
diff --git a/go.sum b/go.sum
index 60ce688a0..e69de29bb 100644
--- a/go.sum
+++ b/go.sum
@@ -1,10 +0,0 @@
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
-github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
-github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
-gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
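Review bot: The `image: golangci/golangci-lint` context line just above the changed `script` entry carries no tag, so the lint job runs whatever the registry's default tag resolves to at pipeline time, and the `--skip-dirs` to `--exclude-dirs` rename made here is presumably a consequence of that floating image having moved to a newer linter. Pinning the image, e.g. `image: golangci/golangci-lint:<PINNED_TAG>` (ideally with an `@sha256:` digest), makes lint results reproducible, keeps the next flag removal from breaking the pipeline unannounced, and means a change to the CI tooling is something a reviewer sees in a diff rather than something that happens silently on the next run. Bumping that pin deliberately, alongside option changes like this one, is the usual way to keep the two in step.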
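Review bot: Besides dropping the two `require` blocks, the go.mod hunk also moves the `go` directive from `go 1.21` to `go 1.22`, which the subject line ("all external go module have been removed") does not mention. That is a language-version change in its own right — Go 1.22 gives each `for` loop iteration its own variable, which silently changes closure-capture semantics in any code that relied on the old behaviour — and it presumably also raises the toolchain the CI image from the previous commit must provide, so it deserves a sentence in the commit message or its own commit. The emptied go.sum is consistent with the removals and needs nothing further.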