Merge branch 'master' into unbreaking_debian

2022-10-09 14:09:33 +00:00 · 2022-10-09 14:09:33 +00:00 · 4b13be5b48
commit 4b13be5b48
parent 10a25889b2 eddf6bfc4f
35 changed files with 292 additions and 153 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -31,6 +31,12 @@ golangci-lint:
  script:
    - golangci-lint run

+hadolint:
+  stage: lint
+  image: hadolint/hadolint:latest-alpine
+  script:
+    - hadolint dists/build/*/Dockerfile
+
 sast:
  stage: lint

--- a/6
+++ b/6
@ -1,6 +1,9 @@
 # Maintainer: Alexandre Pujol <alexandre@pujol.io>
 # shellcheck disable=SC2034,SC2154,SC2164

+# Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git
+# for production use.
+
 pkgname=apparmor.d
 pkgver=0.001
 pkgrel=1
@ -10,6 +13,7 @@ url="https://github.com/roddhjav/$pkgname"
 license=('GPL2')
 depends=('apparmor')
 makedepends=('go' 'git' 'rsync' 'lsb-release')
+conflicts=("$pkgname-git")

 pkgver() {
  cd "$srcdir/$pkgname"
@ -17,7 +21,7 @@ pkgver() {
 }

 prepare() {
-  git clone "$startdir" "$srcdir/$pkgname"
+  rsync -a --delete "$startdir" "$srcdir"
  cd "$srcdir/$pkgname"

  ./configure --complain
--- a/README.md
+++ b/README.md
@ -170,12 +170,18 @@ Then, reload the apparmor rules with `sudo systemctl restart apparmor`.
 ## Enfore Mode

 The default package configuration installs all profile in *complain* mode.
-You can easily switch to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual:
+Once you tested them and it works fine, you can easily switch to *enforce* mode.
+To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove 
+the `--complain` option to the configure script. Then build the package as usual:
 ```diff
 -  ./configure --complain
 +  ./configure
 ```

+Do not worry, the profiles that are not considered stable are kept in complain mode.
+They can be tracked in the `dists/flags` directory.
+
+
 ## Troubleshooting

 **AppArmor messages**
--- a/apparmor.d/abstractions/totem
+++ b/apparmor.d/abstractions/totem
@ -40,7 +40,6 @@
  owner @{user_config_dirs}/totem/** rwk,
  owner @{user_share_dirs}/grilo-plugins/ rwk,
  owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_share_dirs}/totem/ rwk,
  owner @{user_share_dirs}/tracker/data/tracker-store.journal rwk,

@ -50,6 +49,8 @@
  @{run}/udev/data/+drm:card* r,
  @{run}/udev/data/+usb* r,

-  /sys/devices/system/node/*/meminfo r,
+  @{sys}/devices/system/node/*/meminfo r,
+
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include if exists <abstractions/totem.d>
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -28,18 +29,13 @@ profile dpkg @{exec_path} {
  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh  rix,
+  /{usr/,}bin/cat         rix,
  /{usr/,}bin/rm          rix,

-  # Do not strip env to avoid errors like the following:
-  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
-  #  shared object file): ignored.
-  /{usr/,}bin/dpkg-query  rpx,
  /{usr/,}bin/dpkg-deb    rpx,
-  #
+  /{usr/,}bin/dpkg-query  rpx,
  /{usr/,}bin/dpkg-split  rPx,
-
  /{usr/,}lib/needrestart/dpkg-status rPx,
-
  /usr/share/debian-security-support/check-support-status.hook rPx,

  /{usr/,}bin/pager       rCx -> diff,
@ -47,6 +43,9 @@ profile dpkg @{exec_path} {
  /{usr/,}bin/more        rCx -> diff,
  /{usr/,}bin/diff        rCx -> diff,

+  /etc/dpkg/dpkg.cfg.d/{,*} r,
+  /etc/dpkg/dpkg.cfg r,
+
  # Run the package maintainer's scripts
  # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
  # Move it to a child profile once more transitions will be available
@ -67,19 +66,9 @@ profile dpkg @{exec_path} {
  #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
  #/var/lib/dpkg/tmp.ci/{prerm,postrm}     rCx -> scripts,

-  /etc/dpkg/dpkg.cfg.d/{,*} r,
-  /etc/dpkg/dpkg.cfg r,
-
-  owner @{PROC}/@{pid}/fd/ r,
-        @{PROC}/sys/kernel/random/boot_id r,
-
-  owner /tmp/apt-dpkg-install-*/ r,
-
  /var/log/dpkg.log w,
  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,

-  @{run}/systemd/userdb/ r,
-
  # For shell pwd
  /root/ r,

@ -120,9 +109,14 @@ profile dpkg @{exec_path} {
  /var/*.dpkg-new/ rw,
  /var/*/ rw,

-  # file_inherit
-  owner /dev/tty[0-9]* rw,
+  owner /tmp/apt-dpkg-install-*/ r,

+  @{run}/systemd/userdb/ r,
+
+  owner @{PROC}/@{pid}/fd/ r,
+        @{PROC}/sys/kernel/random/boot_id r,
+
+  owner /dev/tty[0-9]* rw,

  profile diff {
    include <abstractions/base>
@ -134,19 +128,19 @@ profile dpkg @{exec_path} {
    /{usr/,}bin/more  mr,
    /{usr/,}bin/diff  mr,

+    /etc/** r,  # Diff changed config files
+    /root/ r,   # For shell pwd
+
    owner @{HOME}/.lesshs* rw,

-    # Diff changed config files
-    /etc/** r,
-
-    # For shell pwd
-    /root/ r,
-
  }

  profile scripts {
    include <abstractions/base>

+    /{usr/,}{s,}bin/    r,
+    /{usr/,}{s,}bin/*   rPUx,
+
    /var/lib/dpkg/info/*.config             r,
    /var/lib/dpkg/info/*.{preinst,postinst} r,
    /var/lib/dpkg/info/*.{prerm,postrm}     r,
@ -154,11 +148,6 @@ profile dpkg @{exec_path} {
    /var/lib/dpkg/tmp.ci/{preinst,postinst} r,
    /var/lib/dpkg/tmp.ci/{prerm,postrm}     r,

-    /{usr/,}bin/    r,
-    /{usr/,}bin/*   rPUx,
-    /{usr/,}sbin/   r,
-    /{usr/,}sbin/*  rPUx,
-
  }

  include if exists <local/dpkg>
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -81,14 +81,17 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/debian_version r,
+  /etc/default/grub.d/* r,
  /etc/dpkg/origins/{debian,ubuntu,} r,
+  /etc/grub.d/* r,
  /etc/issue{.net,} r,
+  /etc/kernel/*.d/*grub* r,
  /etc/legal r,
  /etc/lsb-release r,
  /etc/profile.d/* r,
-  /etc/update-motd.d/* r,
  /etc/update-manager/{,**} r,
  /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
+  /etc/update-motd.d/* r,

  /etc/machine-id r,

--- a/apparmor.d/groups/bus/ibus-engine-table
+++ b/apparmor.d/groups/bus/ibus-engine-table
@ -13,7 +13,5 @@ profile ibus-engine-table @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/python3.[0-9]* rix,
-
  include if exists <local/ibus-engine-table>
 }
--- a/apparmor.d/groups/freedesktop/pipewire
+++ b/apparmor.d/groups/freedesktop/pipewire
@ -39,15 +39,18 @@ profile pipewire @{exec_path} {

  @{exec_path} mr,

-  /{usr/,}bin/pipewire-media-session rPx,
+  /{usr/,}bin/pactl                   rPx,
+  /{usr/,}bin/pipewire-media-session  rPx,

-  /usr/share/pipewire/pipewire.conf r,
+  /usr/share/pipewire/pipewire*.conf r,

  /etc/pipewire/client.conf r,
  /etc/pipewire/pipewire-pulse.conf.d/{,*} r,
  /etc/pipewire/pipewire.conf r,
  /etc/pipewire/pipewire.conf.d/{,*} r,

+  / r,
+
  owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,

  @{sys}/devices/virtual/dmi/id/product_name r,
@ -55,8 +58,6 @@ profile pipewire @{exec_path} {
  @{sys}/devices/virtual/dmi/id/board_vendor r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,

-  / r,
-
  /dev/video[0-9]* rw,

  include if exists <local/pipewire>
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@ -33,6 +33,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm{3,}/.config/pulse/cookie rwk,

  owner @{run}/user/@{uid}/pulse/pid w,
+  owner /tmp/librnnoise-[0-9]*.so rm,

  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
--- a/apparmor.d/groups/freedesktop/update-desktop-database
+++ b/apparmor.d/groups/freedesktop/update-desktop-database
@ -24,10 +24,10 @@ profile update-desktop-database @{exec_path} flags=(attach_disconnected) {

  /usr/share/*/*.desktop r,

-  /var/lib/flatpak/{app/**/,}exports/share/applications/{,**/} r,
-  /var/lib/flatpak/{app/**/,}exports/share/applications/**.desktop r,
-  /var/lib/flatpak/{app/**/,}exports/share/applications/.mimeinfo.cache.* rw,
-  /var/lib/flatpak/{app/**/,}exports/share/applications/mimeinfo.cache w,
+  /var/lib/flatpak/{app/**/,}export/share/applications/{,**/} r,
+  /var/lib/flatpak/{app/**/,}export/share/applications/**.desktop r,
+  /var/lib/flatpak/{app/**/,}export/share/applications/.mimeinfo.cache.* rw,
+  /var/lib/flatpak/{app/**/,}export/share/applications/mimeinfo.cache w,

  /var/lib/snapd/desktop/applications/{,**/} r,
  /var/lib/snapd/desktop/applications/**.desktop r,
--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@ -25,14 +25,13 @@ profile evolution-source-registry @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

+  owner @{user_cache_dirs}/evolution/{,**} rwk,
  owner @{user_config_dirs}/evolution/sources/{,*} rw,
  owner @{user_share_dirs}/evolution/{,**} r,
-  owner @{user_cache_dirs}/evolution/{,**} rwk,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/cmdline r,

-  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
  include if exists <local/evolution-source-registry>
 }
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -9,7 +9,6 @@ include <tunables/global>

@{exec_path}  = /{usr/,}bin/gio
@{exec_path} += /{usr/,}bin/gio-launch-desktop
-@{exec_path} += /{usr/,}lib/gio-launch-desktop
@{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop
 profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
@ -21,6 +20,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  /{usr/,}lib/gio-launch-desktop rix,
+
  # System files
  /etc/gnome/defaults.list r,
  /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -531,8 +531,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
-  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/.var/app/**/icons/**.png r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,

  owner @{user_music_dirs}/**/*.jpg r,

@ -543,6 +544,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/desktop-directories/{,**} r,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+  owner @{user_share_dirs}/sounds/__custom/index.theme r,

  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
  owner @{user_cache_dirs}/gnome-boxes/*.png r,
@ -629,9 +632,5 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  /dev/input/event[0-9]* rw,
  /dev/tty[0-9]* rw,

-  owner @{user_share_dirs}/sounds/__custom/index.theme r,
-
-  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
  include if exists <local/gnome-shell>
-}
+}
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2022 Jeroen Rijken
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,10 +12,17 @@ profile grub-mkconfig @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>

+  capability dac_override,
  capability dac_read_search,

  @{exec_path}                     mr,
-  /etc/grub.d/{**,}                rix,
+
+  /{usr/,}{local/,}{s,}bin/zfs     rPx,
+  /{usr/,}{local/,}{s,}bin/zpool   rPx,
+  /{usr/,}{s,}bin/dmsetup          rPUx,
+  /{usr/,}{s,}bin/grub-probe       rPx,
+  /{usr/,}bin/{,ba,da}sh           rix,
+  /{usr/,}bin/{e,f,}grep           rix,
  /{usr/,}bin/{m,g,}awk            rix,
  /{usr/,}bin/basename             rix,
  /{usr/,}bin/cat                  rix,
@ -26,22 +34,21 @@ profile grub-mkconfig @{exec_path} flags=(complain) {
  /{usr/,}bin/find                 rix,
  /{usr/,}bin/findmnt              rPx,
  /{usr/,}bin/gettext              rix,
-  /{usr/,}bin/{e,f,}grep           rix,
-  /{usr/,}bin/lsb_release          rPx -> lsb_release,
  /{usr/,}bin/grub-mkrelpath       rPx,
  /{usr/,}bin/grub-script-check    rPx,
  /{usr/,}bin/head                 rix,
  /{usr/,}bin/id                   rPx,
  /{usr/,}bin/ls                   rix,
+  /{usr/,}bin/lsb_release          rPx -> lsb_release,
  /{usr/,}bin/mktemp               rix,
  /{usr/,}bin/mount                rPx,
  /{usr/,}bin/mountpoint           rix,
+  /{usr/,}bin/os-prober            rPx,
  /{usr/,}bin/paste                rix,
  /{usr/,}bin/readlink             rix,
  /{usr/,}bin/rm                   rix,
  /{usr/,}bin/rmdir                rix,
  /{usr/,}bin/sed                  rix,
-  /{usr/,}bin/{,ba,da}sh           rix,
  /{usr/,}bin/sort                 rix,
  /{usr/,}bin/stat                 rix,
  /{usr/,}bin/tail                 rix,
@ -49,10 +56,7 @@ profile grub-mkconfig @{exec_path} flags=(complain) {
  /{usr/,}bin/umount               rPx,
  /{usr/,}bin/uname                rix,
  /{usr/,}bin/which{.debianutils,} rix,
-  /{usr/,}{s,}bin/dmsetup          rPUx,
-  /{usr/,}{s,}bin/grub-probe       rPx,
-  /{usr/,}{local/,}{s,}bin/zfs     rPx,
-  /{usr/,}{local/,}{s,}bin/zpool   rPx,
+  /etc/grub.d/{**,}                rix,

  /boot/{**,} r,
  /boot/grub/{**,} rw,
--- a/apparmor.d/groups/network/NetworkManager
+++ b/apparmor.d/groups/network/NetworkManager
@ -89,6 +89,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {

  /{usr/,}bin/{,ba,da}sh rix,

+  /{usr/,}bin/dnsmasq                            rPx,
  /{usr/,}bin/resolvconf                         rPx,
  /{usr/,}bin/systemctl                          rPx -> child-systemctl,
  /{usr/,}lib/nm-dhcp-helper                     rPx,
--- a/apparmor.d/groups/network/iwd
+++ b/apparmor.d/groups/network/iwd
@ -0,0 +1,43 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}lib/iwd/iwd
+profile iwd @{exec_path} {
+  include <abstractions/base>
+
+  capability net_admin,
+  capability net_raw,
+  capability net_bind_service,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+  network netlink dgram,
+  network alg seqpacket,
+
+   @{exec_path} mr,
+
+  /etc/iwd/{,**} r,
+  /var/lib/iwd/{,**} rw,
+
+  @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/* r,
+  @{sys}/devices/pci[0-9]*/**/modalias r,
+
+  @{PROC}/sys/net/ipv{4,6}/conf/wlan[0-9]*/arp_* rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlan[0-9]*/drop_* rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlan[0-9]*/ndisc_* rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlp*/arp_* rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlp*/ndisc_* rw,
+
+  /dev/rfkill rw,
+
+  include if exists <local/iwd>
+}
--- a/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
+++ b/apparmor.d/groups/pacman/archlinux-keyring-wkd-sync
@ -22,9 +22,9 @@ profile archlinux-keyring-wkd-sync @{exec_path} {

  /{usr/,}bin/{m,g,}awk    rix,
  /{usr/,}bin/bash         rix,
+  /{usr/,}bin/dirmngr      rix,
  /{usr/,}bin/gpg          rix,
  /{usr/,}bin/pacman-conf  rix,
-  /{usr/,}bin/dirmngr rix,

  /etc/pacman.conf r,
  /etc/pacman.d/*-mirrorlist r,
@ -35,5 +35,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,

+  /dev/tty rw,
+
  include if exists <local/archlinux-keyring-wkd-sync>
 }
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -104,13 +104,13 @@ profile pacman @{exec_path} {

  # Install/update packages
  / r,
-  /*/ rwl,
-  /boot/{,**} rwl,
-  /etc/{,**} rwl,
-  /opt/{,**} rwl,
-  /srv/{,**} rwl,
-  /usr/{,**} rwlk,
-  /var/{,**} rwlk,
+  /*/ rw,
+  /boot/** rwl -> /boot/**,
+  /etc/** rwl -> /etc/**,
+  /opt/** rwl -> /opt/**,
+  /srv/** rwl -> /srv/**,
+  /usr/** rwlk -> /usr/**,
+  /var/** rwlk -> /var/**,

  @{PROC}/ r,
  @{run}/ r,
--- a/apparmor.d/groups/systemd/journalctl
+++ b/apparmor.d/groups/systemd/journalctl
@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}bin/journalctl
-profile journalctl @{exec_path} {
+profile journalctl @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
@ -47,5 +47,7 @@ profile journalctl @{exec_path} {

  owner @{PROC}/@{pid}/cgroup r,

+  deny /apparmor/.null rw,
+
  include if exists <local/systemd-journalctl>
 }
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@ -17,5 +17,7 @@ profile systemd-machine-id-setup @{exec_path} {

  /etc/machine-id rw,

+  owner @{PROC}/@{pid}/stat r,
+
  include if exists <local/systemd-machine-id-setup>
 }
--- a/apparmor.d/groups/systemd/systemd-mount
+++ b/apparmor.d/groups/systemd/systemd-mount
@ -21,5 +21,7 @@ profile systemd-mount @{exec_path} {
  @{sys}/bus/ r,
  @{sys}/class/ r,

+  owner @{PROC}/@{pid}/mountinfo r,
+
  include if exists <local/systemd-mount>
 }
--- a/apparmor.d/groups/systemd/userdbctl
+++ b/apparmor.d/groups/systemd/userdbctl
@ -16,7 +16,9 @@ profile userdbctl @{exec_path} {

  @{exec_path} mr,
  
-  /{usr/,}bin/less rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,

  /etc/shadow r,
  /etc/gshadow r,
--- a/apparmor.d/profiles-a-f/code-git-editor
+++ b/apparmor.d/profiles-a-f/code-git-editor
@ -15,5 +15,7 @@ profile code-git-editor @{exec_path} {
  /{usr/,}bin/{,ba,da}sh               rix,
  /{usr/,}lib/electron[0-9]*/electron  rUx,

+  /dev/tty rw,
+
  include if exists <local/code-git-editor>
 }
--- a/apparmor.d/profiles-g-l/losetup
+++ b/apparmor.d/profiles-g-l/losetup
--- a/apparmor.d/profiles-m-r/modprobed-db
+++ b/apparmor.d/profiles-m-r/modprobed-db
@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/modprobed-db
+profile modprobed-db @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,ba,da}sh    rix,
+  /{usr/,}bin/cat           rix,
+  /{usr/,}bin/cp            rix,
+  /{usr/,}bin/cut           rix,
+  /{usr/,}bin/gawk          rix,
+  /{usr/,}bin/getent        rix,
+  /{usr/,}bin/grep          rix,
+  /{usr/,}bin/logname       rix,
+  /{usr/,}bin/md5sum        rix,
+  /{usr/,}bin/rm            rix,
+  /{usr/,}bin/sed           rix,
+  /{usr/,}bin/sort          rix,
+  /{usr/,}bin/uniq          rix,
+  /{usr/,}bin/wc            rix,
+
+  /usr/share/terminfo/x/xterm-256color r,
+
+  owner @{user_config_dirs}/modprobed-db.conf r,
+  owner @{user_config_dirs}/modprobed.db rw,
+
+  owner /tmp/.inmem rw,
+  owner /tmp/.potential_new_db rw,
+
+        @{PROC}/modules r,
+  owner @{PROC}/@{pid}/loginuid r,
+
+  /dev/tty rw,
+
+  include if exists <local/modprobed-db>
+}
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -57,7 +57,7 @@ profile pass @{exec_path} {

  owner @{HOME}/.password-store/{,**} rw,
  owner @{user_projects_dirs}/**/*-store/{,**} rw,
-  owner @{user_config_dirs}/password-store/{,**} rw,
+  owner @{user_config_dirs}/*-store/{,**} rw,
  owner /dev/shm/pass.*/{,*} rw,

  @{PROC}/@{pids}/cmdline r,
@ -85,7 +85,7 @@ profile pass @{exec_path} {

    owner @{HOME}/.password-store/ r,
    owner @{user_projects_dirs}/**/*-store/ r,
-    owner @{user_config_dirs}/password-store/ r,
+    owner @{user_config_dirs}/*-store/ r,

    owner @{user_cache_dirs}/vim/{,**} rw,
    owner @{user_config_dirs}/vim/{,**} rw,
@ -120,8 +120,8 @@ profile pass @{exec_path} {
    owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**,
    owner @{user_projects_dirs}/**/*-store/   rw,
    owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
-    owner @{user_config_dirs}/password-store/   rw,
-    owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**,
+    owner @{user_config_dirs}/*-store/   rw,
+    owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**,

  }

--- a/apparmor.d/profiles-s-z/sbctl
+++ b/apparmor.d/profiles-s-z/sbctl
@ -21,8 +21,8 @@ profile sbctl @{exec_path} {

  /{boot,efi}/{,**} r,
  /{boot,efi}/EFI/{,**} rw,
+  /{boot,efi}/vmlinuz-linux* rw,
  /{usr/,}lib/fwupd/efi/{,**} rw,
-  /boot/vmlinuz-linux* rw,

  @{sys}/firmware/efi/efivars/db-@{uuid} rw,
  @{sys}/firmware/efi/efivars/KEK-@{uuid} rw,
--- a/apparmor.d/profiles-s-z/vlc-cache-gen
+++ b/apparmor.d/profiles-s-z/vlc-cache-gen
@ -15,6 +15,8 @@ profile vlc-cache-gen @{exec_path} {

  /{usr/,}lib/vlc/plugins/{,*} rw,

+  @{sys}/devices/system/cpu/possible r,
+
  # Inherit silencer
  deny network inet6 stream,
  deny network inet stream,
--- a/apparmor.d/profiles-s-z/wpa-supplicant
+++ b/apparmor.d/profiles-s-z/wpa-supplicant
@ -38,23 +38,20 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  /etc/wpa_supplicant/wpa_supplicant.conf rw,
+  /etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
+  /etc/libnl/{classid,pktloc} r,
+
  @{HOME}/.cat_installer/*.pem r,

  owner @{run}/wpa_supplicant/{,**} rw,

-  /etc/wpa_supplicant/wpa_supplicant.conf r,
-  /etc/libnl/{classid,pktloc} r,
-
-  /dev/rfkill r,
+  @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,

  @{PROC}/sys/net/ipv[4,6]/conf/wlan[0-9]/drop_* rw,
  @{PROC}/sys/net/ipv[4,6]/conf/wlp*/drop_* rw,

-  @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
-
-  # For wpa_gui
-  #/etc/wpa_supplicant/wpa_supplicant.conf w,
-  #/etc/wpa_supplicant/wpa_supplicant.conf.tmp rw,
+  /dev/rfkill rw,

  include if exists <local/wpa-supplicant>
 }
--- a/cmd/aa-log/main.go
+++ b/cmd/aa-log/main.go
@ -9,6 +9,7 @@ import (
 	"bytes"
 	"encoding/hex"
 	"encoding/json"
+	"errors"
 	"flag"
 	"fmt"
 	"io"
@ -22,9 +23,9 @@ import (

 // Command line options
 var (
-	dbus bool
-	help bool
-	path string
+	help    bool
+	path    string
+	systemd bool
 )

 // LogFile is the default path to the file to query
@ -94,20 +95,33 @@ func removeDuplicateLog(logs []string) []string {
 	return list
 }

-// getJournalctlDbusSessionLogs return a reader with the logs entries
-func getJournalctlDbusSessionLogs(file io.Reader, useFile bool) (io.Reader, error) {
+// getAuditLogs return a reader with the logs entries from Auditd
+func getAuditLogs(path string) (io.Reader, error) {
+	file, err := os.Open(filepath.Clean(path))
+	if err != nil {
+		return nil, err
+	}
+	return file, err
+}
+
+// getJournalctlLogs return a reader with the logs entries from Systemd
+func getJournalctlLogs(path string, user bool, useFile bool) (io.Reader, error) {
 	var logs []SystemdLog
 	var stdout bytes.Buffer
 	var value string

 	if useFile {
-		content, err := ioutil.ReadAll(file)
+		content, err := ioutil.ReadFile(filepath.Clean(path))
 		if err != nil {
 			return nil, err
 		}
 		value = string(content)
 	} else {
-		cmd := exec.Command("journalctl", "--user", "-b", "-u", "dbus.service", "-o", "json")
+		mode := "--system"
+		if user {
+			mode = "--user"
+		}
+		cmd := exec.Command("journalctl", mode, "--boot", "--unit=dbus.service", "--output=json")
 		cmd.Stdout = &stdout
 		if err := cmd.Run(); err != nil {
 			return nil, err
@ -242,29 +256,23 @@ func (aaLogs AppArmorLogs) String() string {
 	return res
 }

-func aaLog(path string, profile string, dbus bool) error {
-	file, err := os.Open(filepath.Clean(path))
+func aaLog(logger string, path string, profile string) error {
+	var err error
+	var file io.Reader
+
+	switch logger {
+	case "auditd":
+		file, err = getAuditLogs(path)
+	case "systemd":
+		file, err = getJournalctlLogs(path, true, path != LogFile)
+	default:
+		err = errors.New("Logger not supported: " + logger)
+	}
 	if err != nil {
 		return err
 	}
-	/* #nosec G307 */
-	defer func() {
-		if err := file.Close(); err != nil {
-			fmt.Println(err)
-		}
-	}()
-
-	if dbus {
-		file, err := getJournalctlDbusSessionLogs(file, path != LogFile)
-		if err != nil {
-			return err
-		}
-		aaLogs := NewApparmorLogs(file, profile)
-		fmt.Print(aaLogs.String())
-	} else {
-		aaLogs := NewApparmorLogs(file, profile)
-		fmt.Print(aaLogs.String())
-	}
+	aaLogs := NewApparmorLogs(file, profile)
+	fmt.Print(aaLogs.String())
 	return nil
 }

@ -272,7 +280,7 @@ func init() {
 	flag.BoolVar(&help, "h", false, "Show this help message and exit.")
 	flag.StringVar(&path, "f", LogFile,
 		"Set a log`file` or a suffix to the default log file.")
-	flag.BoolVar(&dbus, "d", false, "Show dbus session event.")
+	flag.BoolVar(&systemd, "s", false, "Parse systemd dbus logs.")
 }

 func main() {
@ -293,12 +301,17 @@ func main() {
 		profile = flag.Args()[0]
 	}

+	logger := "auditd"
+	if systemd {
+		logger = "systemd"
+	}
+
 	logfile := filepath.Clean(LogFile + "." + path)
 	if _, err := os.Stat(logfile); err != nil {
 		logfile = path
 	}

-	err := aaLog(logfile, profile, dbus)
+	err := aaLog(logger, logfile, profile)
 	if err != nil {
 		fmt.Println(err)
 		os.Exit(1)
--- a/cmd/aa-log/main_test.go
+++ b/cmd/aa-log/main_test.go
@ -217,15 +217,17 @@ func TestNewApparmorLogs(t *testing.T) {
 	}
 }

-func Test_getJournalctlDbusSessionLogs(t *testing.T) {
+func Test_getJournalctlLogs(t *testing.T) {
 	tests := []struct {
 		name    string
 		path    string
+		user    bool
 		useFile bool
 		want    AppArmorLogs
 	}{
 		{
 			name:    "gsd-xsettings",
+			user:    true,
 			useFile: true,
 			path:    "../../tests/systemd.log",
 			want: AppArmorLogs{
@ -253,8 +255,7 @@ func Test_getJournalctlDbusSessionLogs(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			file, _ := os.Open(tt.path)
-			reader, _ := getJournalctlDbusSessionLogs(file, tt.useFile)
+			reader, _ := getJournalctlLogs(tt.path, tt.user, tt.useFile)
 			if got := NewApparmorLogs(reader, tt.name); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("NewApparmorLogs() = %v, want %v", got, tt.want)
 			}
@ -310,36 +311,43 @@ func TestAppArmorLogs_String(t *testing.T) {
 func Test_app(t *testing.T) {
 	tests := []struct {
 		name    string
+		logger  string
 		path    string
 		profile string
-		dbus    bool
 		wantErr bool
 	}{
 		{
 			name:    "Test audit.log",
+			logger:  "auditd",
 			path:    "../../tests/audit.log",
 			profile: "",
-			dbus:    false,
 			wantErr: false,
 		},
 		{
 			name:    "Test Dbus Session",
+			logger:  "systemd",
 			path:    "../../tests/systemd.log",
 			profile: "",
-			dbus:    true,
 			wantErr: false,
 		},
 		{
 			name:    "No logfile",
+			logger:  "auditd",
 			path:    "../../tests/log",
 			profile: "",
-			dbus:    false,
+			wantErr: true,
+		},
+		{
+			name:    "Logger not supported",
+			logger:  "raw",
+			path:    "../../tests/audit.log",
+			profile: "",
 			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if err := aaLog(tt.path, tt.profile, tt.dbus); (err != nil) != tt.wantErr {
+			if err := aaLog(tt.logger, tt.path, tt.profile); (err != nil) != tt.wantErr {
 				t.Errorf("aaLog() error = %v, wantErr %v", err, tt.wantErr)
 			}
 		})
--- a/dists/build/build.sh
+++ b/dists/build/build.sh
@ -8,6 +8,7 @@
 set -eu

 readonly BASEIMAGE="${BASEIMAGE:-}"
+readonly IMAGEPREFIX="builder-"
 readonly PKGNAME=apparmor.d
 readonly VOLUME=/tmp/build
 readonly BUILDIR=/home/build/tmp
@ -17,13 +18,13 @@ PACKAGER="$(git config user.name) <$(git config user.email)>"
 readonly VERSION PACKAGER

 _start() {
-    local name="$1"
-    docker start "$name"
+    local img="$1"
+    docker start "$img"
 }

 _is_running() {
-    local name="$1"
-    res="$(docker inspect -f '{{ .State.Running }}' "$name")" &>/dev/null
+    local img="$1"
+    res="$(docker inspect -f '{{ .State.Running }}' "$img")" &>/dev/null
    exist=$?
    if [[ $exist -ne 0 ]]; then
        return $exist
@ -35,8 +36,8 @@ _is_running() {
 }

 _exist() {
-    local name="$1"
-    docker inspect -f '{{ .State.Running }}' "$name" &>/dev/null
+    local img="$1"
+    docker inspect -f '{{ .State.Running }}' "$img" &>/dev/null
 }

 sync() {
@ -45,42 +46,44 @@ sync() {
 }

 build_in_docker_makepkg() {
-    local name="$1"
+    local dist="$1"
+    local img="$IMAGEPREFIX$dist"

-    if _exist "$name"; then
-        if ! _is_running "$name"; then
-            _start "$name"
+    if _exist "$img"; then
+        if ! _is_running "$img"; then
+            _start "$img"
        fi
    else
-        docker build -t "$BASEIMAGE$name" "dists/build/$name"
-        docker run -tid --name "$name" --volume "$VOLUME:$BUILDIR" \
+        docker build -t "$BASEIMAGE$img" "dists/build/$dist"
+        docker run -tid --name "$img" --volume "$PWD:$BUILDIR" \
            --env MAKEFLAGS="-j$(nproc)" --env PACKAGER="$PACKAGER" \
-            --env PKGDEST="$BUILDIR" --env DIST="$name" \
-            "$BASEIMAGE$name"
+            --env PKGDEST="$BUILDIR" --env DIST="$dist" \
+            "$BASEIMAGE$img"
    fi

-    docker exec -i --workdir="$BUILDIR/$PKGNAME" "$name" \
+    docker exec -i "$img" \
        makepkg -sfC --noconfirm --noprogressbar
    mv "$VOLUME/$PKGNAME"-*.pkg.* .
 }

 build_in_docker_dpkg() {
-    local name="$1"
+    local dist="$1"
+    local img="$IMAGEPREFIX$dist"

-    if _exist "$name"; then
-        if ! _is_running "$name"; then
-            _start "$name"
+    if _exist "$img"; then
+        if ! _is_running "$img"; then
+            _start "$img"
        fi
    else
-        docker build -t "$BASEIMAGE$name" "dists/build/$name"
-        docker run -tid --name "$name" --volume "$VOLUME:$BUILDIR" \
-            --env DEBIAN_FRONTEND=noninteractive --env DIST="$name" \
-            "$BASEIMAGE$name"
+        docker build -t "$BASEIMAGE$img" "dists/build/$dist"
+        docker run -tid --name "$img" --volume "$VOLUME:$BUILDIR" \
+            --env DEBIAN_FRONTEND=noninteractive --env DIST="$dist" \
+            "$BASEIMAGE$img"
    fi

-    docker exec --workdir="$BUILDIR/$PKGNAME" "$name" \
+    docker exec --workdir="$BUILDIR/$PKGNAME" "$img" \
        dch --newversion="$VERSION" --urgency=medium --distribution=stable --controlmaint "Release $VERSION"
-    docker exec --workdir="$BUILDIR/$PKGNAME" "$name" \
+    docker exec --workdir="$BUILDIR/$PKGNAME" "$img" \
        dpkg-buildpackage -b -d --no-sign
    mv "$VOLUME/${PKGNAME}_${VERSION}"_*.* .
 }
@ -88,7 +91,6 @@ build_in_docker_dpkg() {
 main() {
    case "$COMMAND" in
    archlinux)
-        sync
        build_in_docker_makepkg "$COMMAND"
        ;;

--- a/dists/flags/arch.flags
+++ b/dists/flags/arch.flags
@ -1,3 +1,4 @@
+archlinux-keyring-wkd-sync complain
 mkinitcpio attach_disconnected,complain
 pacman complain
 pacman-conf attach_disconnected,complain
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -53,6 +53,7 @@ evince complain
 fail2ban-client attach_disconnected,complain
 fail2ban-server attach_disconnected,complain
 fdisk complain
+file-roller complain
 flatpak-session-helper complain
 fprintd attach_disconnected,complain
 fsck-ext4 complain
@ -88,6 +89,7 @@ ibus-memconf complain
 im-launch complain
 install-info complain
 irqbalance complain
+iwd complain
 kernel-install complain
 kmod attach_disconnected,complain
 last complain
@ -108,7 +110,7 @@ mke2fs complain
 ModemManager attach_disconnected,complain
 molly-guard complain
 mount complain
-mullvad-daemon complain
+mullvad-daemon attach_disconnected,complain
 mullvad-gui complain
 nautilus complain
 needrestart attach_disconnected,complain
@ -125,7 +127,7 @@ pinentry-gnome3 complain
 pinentry-gtk-2 complain
 pkttyagent complain
 plymouth complain
-plymouth-set-default-theme complain
+plymouth-set-default-theme attach_disconnected,complain
 plymouthd complain
 power-profiles-daemon attach_disconnected,complain
 qemu-ga complain
@ -199,7 +201,7 @@ systemd-user-runtime-dir complain
 systemd-user-sessions complain
 systemd-vconsole-setup complain
 systemd-xdg-autostart-generator complain
-tailscaled complain
+tailscaled attach_disconnected,complain
 tracker-extract complain
 udisksctl complain
 udisksd attach_disconnected,complain
--- a/dists/ignore/ubuntu.ignore
+++ b/dists/ignore/ubuntu.ignore
@ -1,3 +1,4 @@
 # Archlinux specific
 apparmor.d/groups/pacman
+root/etc/xdg/autostart/apparmor-notify.desktop
 root/usr/share/libalpm