Merge branch 'roddhjav:main' into patch-thunar

2024-06-16 17:02:51 +03:00 · 2024-06-16 17:02:51 +03:00 · 56d2007b99
commit 56d2007b99
parent c22a77300a a2c6580725
960 changed files with 3408 additions and 1516 deletions
--- a/README.md
+++ b/README.md
@ -20,18 +20,18 @@
  `polkit`, `NetworkManager`, `OpenVPN`, `GDM`, `rtkit`, `colord`
 - Confine all Desktop environments
 - Confine all user services such as `Pipewire`, `Gvfsd`, `dbus`, `xdg`, `xwayland`
- Confine some *"special"* user applications: web browser, file browser...
+- Confine some *"special"* user applications: web browsers, file managers, etc
 - Should not break a normal usage of the confined software

 **Goals**

 - Target both desktops and servers
 - Support all distributions that support AppArmor:
-    * Archlinux
+    * Arch Linux
    * Ubuntu 22.04
    * Debian 12
    * OpenSUSE Tumbleweed
- Support major desktop environments:
+- Support for all major desktop environments:
    * Gnome
    * KDE
    * XFCE *(work in progress)*
@ -54,7 +54,7 @@ This is fundamentally different from how AppArmor is usually used on Linux serve

 **Presentations**

-Building large set of AppArmor profiles:
+Building the largest set of AppArmor profiles:

 - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
 - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@ -29,3 +29,5 @@
  owner @{run}/user/@{uid}/xauth_@{rand6} rl -> @{run}/user/@{uid}/#@{int},

  include if exists <abstractions/X-strict.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/X.d/complete
+++ b/apparmor.d/abstractions/X.d/complete
@ -5,3 +5,5 @@

  # Available Xsessions
  /usr/share/xsessions/{,*.desktop} r,
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@ -12,3 +12,5 @@
  /usr/local/{s,}bin/           r,

  include if exists <abstractions/app-launcher-root.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@ -22,3 +22,5 @@
  /usr/local/bin/               r,

  include if exists <abstractions/app-launcher-user.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app-open
+++ b/apparmor.d/abstractions/app-open
@ -51,3 +51,5 @@


  include if exists <abstractions/app-open.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app/chromium
+++ b/apparmor.d/abstractions/app/chromium
@ -70,7 +70,6 @@

  @{lib_dirs}/{,**} r,
  @{lib_dirs}/*.so* mr,
-  @{lib_dirs}/chrome_crashpad_handler  rPx,
  @{lib_dirs}/chrome-sandbox           rPx,

  # Desktop integration
@ -111,8 +110,7 @@

  /etc/@{name}/{,**} r,
  /etc/fstab r,
-  /etc/opensc.conf r,
-  /etc/opensc/opensc.conf r, # Debian ubication
+  /etc/{,opensc/}opensc.conf r,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,
@ -152,10 +150,10 @@
  owner @{tmp}/.@{domain}.* rw,
  owner @{tmp}/.@{domain}*/{,**} rw,
  owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
-  owner @{tmp}/scoped_dir*/{,**} rw,
-  owner @{tmp}/tmp.* rw,
-  owner @{tmp}/tmp.*/ rw,
-  owner @{tmp}/tmp.*/** rwk,
+  audit owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
+  owner @{tmp}/tmp.@{rand6} rw,
+  owner @{tmp}/tmp.@{rand6}/ rw,
+  owner @{tmp}/tmp.@{rand6}/** rwk,

  owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
  owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
@ -211,3 +209,5 @@
  deny @{user_share_dirs}/gvfs-metadata/* r,

  include if exists <abstractions/app/chromium.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app/editor
+++ b/apparmor.d/abstractions/app/editor
@ -26,3 +26,5 @@
  owner @{user_config_dirs}/vim/{,**} r,

  include if exists <abstractions/app/editor.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app/firefox
+++ b/apparmor.d/abstractions/app/firefox
@ -17,6 +17,7 @@
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.FileManager1>
+  include <abstractions/cups-client>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/enchant>
@ -69,12 +70,10 @@
  /usr/share/xul-ext/kwallet5/* r,

  /etc/@{name}/{,**} r,
-  /etc/cups/client.conf r,
  /etc/fstab r,
  /etc/mailcap r,
  /etc/mime.types r,
-  /etc/opensc.conf r,
-  /etc/opensc/opensc.conf r,
+  /etc/{,opensc/}opensc.conf r,
  /etc/sysconfig/proxy r,
  /etc/xdg/* r,
  /etc/xul-ext/kwallet5.js r,
@ -82,7 +81,6 @@
  /var/lib/nscd/services r,

  owner @{HOME}/ r,
-  owner @{HOME}/.cups/lpoptions r,

  owner @{config_dirs}/ rw,
  owner @{config_dirs}/** rwk,
@ -160,3 +158,5 @@
  deny @{run}/user/@{uid}/gnome-shell-disable-extensions w,

  include if exists <abstractions/app/firefox.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app/open
+++ b/apparmor.d/abstractions/app/open
@ -13,3 +13,5 @@
  /dev/tty rw,

  include if exists <abstractions/app/open.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app/pgrep
+++ b/apparmor.d/abstractions/app/pgrep
@ -23,3 +23,5 @@
  @{PROC}/uptime r,

  include if exists <abstractions/app/pgrep.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@ -68,3 +68,5 @@
  deny @{user_share_dirs}/gvfs-metadata/* r,

  include if exists <abstractions/app/sudo.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app/systemctl
+++ b/apparmor.d/abstractions/app/systemctl
@ -26,3 +26,5 @@
    owner @{PROC}/@{pid}/stat r,

  include if exists <abstractions/app/systemctl.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/app/udevadm
+++ b/apparmor.d/abstractions/app/udevadm
@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  ptrace read peer=@{p_systemd},
+
+  @{bin}/udevadm mr,
+
+  /etc/udev/udev.conf r,
+
+  @{run}/udev/data/* r,
+
+  @{sys}/** r,
+
+        @{PROC}/1/cgroup r,
+        @{PROC}/1/environ r,
+        @{PROC}/1/sched r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/osrelease r,
+        @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/stat r,
+
+  include if exists <abstractions/app/udevadm.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/audio-client
+++ b/apparmor.d/abstractions/audio-client
@ -41,6 +41,9 @@
  owner @{user_config_dirs}/pulse/client.conf.d/{,*.conf} r,
  owner @{user_config_dirs}/pulse/cookie rwk,

+  owner @{user_config_dirs}/pipewire/ rw,
+  owner @{user_config_dirs}/pipewire/client.conf r,
+
  owner @{user_share_dirs}/openal/hrtf/{,**} r,
  owner @{user_share_dirs}/sounds/__custom/index.theme r,

@ -55,3 +58,5 @@
  owner /dev/shm/pulse-shm-@{int} rw,

  include if exists <abstractions/audio-client.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/audio-server
+++ b/apparmor.d/abstractions/audio-server
@ -43,3 +43,5 @@
  /dev/sound/*    rw,

  include if exists <abstractions/audio-server.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/audio.d/complete
+++ b/apparmor.d/abstractions/audio.d/complete
@ -11,3 +11,5 @@

  @{sys}/class/ r,
  @{sys}/class/sound/ r,
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/authentication.d/complete
+++ b/apparmor.d/abstractions/authentication.d/complete
@ -1,3 +1,6 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only

  @{bin}/pam-tmpdir-helper rPx,

@ -8,3 +11,5 @@
  @{lib}/security-misc/pam_faillock_not_if_x rPx,
  @{lib}/security-misc/pam-abort-on-locked-password rPx,
  @{lib}/security-misc/pam-info rPx,
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -4,6 +4,7 @@
 # SPDX-License-Identifier: GPL-2.0-only

  # Allow to receive some signals from new well-known profiles
+  signal (receive)                           peer=btop,
  signal (receive)                           peer=htop,
  signal (receive)                           peer=sudo,
  signal (receive)                           peer=top,
@ -28,3 +29,5 @@
  @{PROC}/sys/kernel/core_pattern r,

  deny /apparmor/.null rw,
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bash-strict
+++ b/apparmor.d/abstractions/bash-strict
@ -33,3 +33,5 @@
  owner @{PROC}/@{pid}/mounts r,

  include if exists <abstractions/bash-strict.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bash.d/complete
+++ b/apparmor.d/abstractions/bash.d/complete
@ -9,3 +9,5 @@

  owner @{HOME}/.alias r,
  owner @{HOME}/.i18n r,
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus-accessibility
+++ b/apparmor.d/abstractions/bus-accessibility
@ -17,3 +17,5 @@
  owner @{run}/user/@{uid}/at-spi/bus_@{int} rw,

  include if exists <abstractions/bus-accessibility.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus-session
+++ b/apparmor.d/abstractions/bus-session
@ -25,3 +25,5 @@
  owner @{run}/user/@{uid}/bus rw,

  include if exists <abstractions/bus-session.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus-system
+++ b/apparmor.d/abstractions/bus-system
@ -15,3 +15,5 @@
  @{run}/dbus/system_bus_socket rw,

  include if exists <abstractions/bus-system.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
+++ b/apparmor.d/abstractions/bus/com.canonical.Unity.LauncherEntry
@ -20,3 +20,5 @@
       peer=(name=:*, label=gnome-shell),

  include if exists <abstractions/bus/com.canonical.Unity.LauncherEntry.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/com.canonical.dbusmenu
+++ b/apparmor.d/abstractions/bus/com.canonical.dbusmenu
@ -4,3 +4,5 @@


  include if exists <abstractions/bus/com.canonical.dbusmenu.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
+++ b/apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1
@ -48,3 +48,5 @@
       peer=(name=:*, label=wpa-supplicant),

  include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
+++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
@ -8,3 +8,5 @@
       peer=(name=:*, label=power-profiles-daemon),

  include if exists <abstractions/bus/net.hadess.PowerProfiles.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
+++ b/apparmor.d/abstractions/bus/net.hadess.SwitcherooControl
@ -8,3 +8,5 @@
       peer=(name=:*, label=switcheroo-control),

  include if exists <abstractions/bus/net.hadess.SwitcherooControl.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/net.reactivated.Fprint
+++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint
@ -18,3 +18,5 @@
       peer=(name=net.reactivated.Fprint, label=fprintd),

  include if exists <abstractions/bus/net.reactivated.Fprint.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.a11y
+++ b/apparmor.d/abstractions/bus/org.a11y
@ -42,3 +42,5 @@
       peer=(name=org.a11y.Bus),

  include if exists <abstractions/bus/org.a11y.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/org.bluez
@ -43,3 +43,5 @@
       peer=(name=org.bluez, label=bluetoothd),

  include if exists <abstractions/bus/org.bluez.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
@ -28,3 +28,5 @@
       peer=(name=:*, label=accounts-daemon),

  include if exists <abstractions/bus/org.freedesktop.Accounts.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi
@ -23,3 +23,5 @@
       peer=(name=:*, label=avahi-daemon),

  include if exists <abstractions/bus/org.freedesktop.Avahi.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
@ -23,3 +23,5 @@
       peer=(name=:*, label=colord),

  include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.FileManager1
@ -13,3 +13,5 @@
       peer=(name=:*, label=nautilus),

  include if exists <abstractions/bus/org.freedesktop.FileManager1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@ -33,3 +33,5 @@
       peer=(name=:*, label=geoclue),

  include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
@ -18,3 +18,5 @@
       peer=(name=:*, label=ModemManager),

  include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.NetworkManager
@ -73,3 +73,5 @@
       peer=(name="{:*,org.freedesktop.NetworkManager}", label=NetworkManager),

  include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.Notifications
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Notifications
@ -23,3 +23,5 @@
       peer=(name=org.freedesktop.DBus, label=gjs-console),

  include if exists <abstractions/bus/org.freedesktop.Notifications.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PackageKit
@ -22,3 +22,5 @@
       peer=(name=org.freedesktop.PackageKit, label=packagekitd),

  include if exists <abstractions/bus/org.freedesktop.PackageKit.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
@ -32,3 +32,5 @@
       peer=(name=:*, label=polkitd),

  include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@ -28,3 +28,5 @@
       peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),

  include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver
@ -8,3 +8,5 @@
       peer=(name=org.freedesktop.ScreenSaver),

  include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files
@ -13,3 +13,5 @@
       peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),

  include if exists <abstractions/bus/org.freedesktop.Tracker3.Miner.Files.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UDisks2
@ -53,3 +53,5 @@
       peer=(name="{:*,org.freedesktop.UDisks2}", label=udisksd),

  include if exists <abstractions/bus/org.freedesktop.UDisks2.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@ -42,3 +42,5 @@
       peer=(name="{:*,org.freedesktop.UPower}", label=upowerd),

  include if exists <abstractions/bus/org.freedesktop.UPower.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
+++ b/apparmor.d/abstractions/bus/org.freedesktop.background.Monitor
@ -13,3 +13,5 @@
       peer=(name=:*, label=xdg-desktop-portal),

  include if exists <abstractions/bus/org.freedesktop.background.Monitor.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
@ -13,3 +13,5 @@
       peer=(name=org.freedesktop.hostname1),

  include if exists <abstractions/bus/org.freedesktop.hostname1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
+++ b/apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore
@ -13,3 +13,5 @@
       peer=(name=:*, label=xdg-permission-store),

  include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1
@ -12,3 +12,5 @@
       peer=(name=org.freedesktop.locale1),

  include if exists <abstractions/bus/org.freedesktop.locale1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1
@ -33,3 +33,5 @@
       peer=(name=org.freedesktop.login1, label=systemd-logind),

  include if exists <abstractions/bus/org.freedesktop.login1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
@ -38,3 +38,5 @@
       peer=(name="{:*,org.freedesktop.login1}", label=systemd-logind),

  include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.network1
@ -8,3 +8,5 @@
       peer=(name=org.freedesktop.network1, label=systemd-networkd),

  include if exists <abstractions/bus/org.freedesktop.network1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
+++ b/apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop
@ -28,3 +28,5 @@
       peer=(name=:*, label=xdg-desktop-portal),

  include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
@ -8,3 +8,5 @@
       peer=(name="{:*,org.freedesktop.resolve1}", label=systemd-resolved),

  include if exists <abstractions/bus/org.freedesktop.resolve1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.secrets
+++ b/apparmor.d/abstractions/bus/org.freedesktop.secrets
@ -28,3 +28,5 @@
       peer=(name=:*, label=gnome-keyring-daemon),

  include if exists <abstractions/bus/org.freedesktop.secrets.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1
@ -18,3 +18,5 @@
       peer=(name=org.freedesktop.systemd1),

  include if exists <abstractions/bus/org.freedesktop.systemd1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.systemd1-session
@ -18,3 +18,5 @@
       peer=(name="{:*,org.freedesktop.systemd1}", label="@{p_systemd_user}"),

  include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
@ -19,3 +19,5 @@
       peer=(name=:*, label=systemd-timedated),

  include if exists <abstractions/bus/org.freedesktop.timedate1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
+++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
@ -13,3 +13,5 @@
       peer=(name=:*, label=file-roller),

  include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gnome.DisplayManager
+++ b/apparmor.d/abstractions/bus/org.gnome.DisplayManager
@ -8,3 +8,5 @@
       peer=(name=:*, label=gdm),

  include if exists <abstractions/bus/org.gnome.DisplayManager.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig
@ -28,3 +28,5 @@
       peer=(name=:*, label=gnome-shell),

  include if exists <abstractions/bus/org.gnome.Mutter.DisplayConfig.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
+++ b/apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor
@ -18,3 +18,5 @@
       peer=(name=:*, label=gnome-shell),

  include if exists <abstractions/bus/org.gnome.Mutter.IdleMonitor.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
+++ b/apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2
@ -18,3 +18,5 @@
       peer=(name=:*, label=nautilus),

  include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
+++ b/apparmor.d/abstractions/bus/org.gnome.ScreenSaver
@ -18,3 +18,5 @@
       peer=(name=:*, label=gjs-console),

  include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gnome.SessionManager
+++ b/apparmor.d/abstractions/bus/org.gnome.SessionManager
@ -60,3 +60,5 @@
       peer=(name=org.gnome.SessionManager, label=gnome-session-binary),

  include if exists <abstractions/bus/org.gnome.SessionManager.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
+++ b/apparmor.d/abstractions/bus/org.gnome.Shell.Introspect
@ -28,3 +28,5 @@
       peer=(name=:*, label=gnome-shell),

  include if exists <abstractions/bus/org.gnome.Shell.Introspect.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
+++ b/apparmor.d/abstractions/bus/org.gtk.Private.RemoteVolumeMonitor
@ -18,3 +18,5 @@
       peer=(name=:*, label=gvfs-*-volume-monitor),

  include if exists <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Daemon
@ -8,3 +8,5 @@
       peer=(name=:*, label=gvfsd),

  include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.Metadata
@ -13,3 +13,5 @@
       peer=(name=:*, label=gvfsd-metadata),

  include if exists <abstractions/bus/org.gtk.vfs.Metadata.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
+++ b/apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker
@ -18,3 +18,5 @@
       peer=(name=:*, label=gvfsd),

  include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierItem
@ -4,3 +4,5 @@


  include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
+++ b/apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher
@ -18,3 +18,5 @@
       peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),

  include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/bus/org.kde.kwalletd
+++ b/apparmor.d/abstractions/bus/org.kde.kwalletd
@ -3,3 +3,5 @@
 # SPDX-License-Identifier: GPL-2.0-only

  include if exists <abstractions/bus/org.kde.kwalletd.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@ -15,10 +15,11 @@
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/consoles>
-  # include <abstractions/deny-sensitive-home>
+  include <abstractions/cups-client>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/disks-read>
+  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/gstreamer>
@ -63,7 +64,6 @@
  owner @{tmp}/** rmwk,
  owner /dev/shm/** rwlk -> /dev/shm/**,

-  @{run}/cups/cups.sock rw, # Allow access to cups printing socket.
  @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
  @{run}/host/{,**} r,
  @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
@ -100,13 +100,14 @@
        @{PROC}/pressure/io r,
        @{PROC}/pressure/memory r,
        @{PROC}/sys/fs/inotify/max_user_watches r,
-        @{PROC}/sys/kernel/core_pattern r,
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/kernel/pid_max r,
+        @{PROC}/sys/kernel/sched_autogroup_enabled r,
        @{PROC}/sys/kernel/yama/ptrace_scope r,
        @{PROC}/uptime r,
        @{PROC}/version r,
        @{PROC}/zoneinfo r,
+  owner @{PROC}/@{pid}/autogroup rw,
  owner @{PROC}/@{pid}/clear_refs w,
  owner @{PROC}/@{pid}/comm rw,
  owner @{PROC}/@{pid}/environ r,
@ -129,3 +130,5 @@
  /dev/tty rw,

  include if exists <abstractions/common/app.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/common/apt
+++ b/apparmor.d/abstractions/common/apt
@ -29,3 +29,5 @@
  owner @{tmp}/clearsigned.message.* rw,

  include if exists <abstractions/common/apt.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/common/bwrap
+++ b/apparmor.d/abstractions/common/bwrap
@ -2,10 +2,9 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-# Minimal set of rules for bwrap
-
+# A minimal set of rules for sandboxed programs using bwrap. 
 # A profile using this abstraction still needs to set:
-# - the attach_disconnected flag
+# - the flag: attach_disconnected
 # - bwrap execution: '@{bin}/bwrap rix,'

  # userns,
@ -31,6 +30,9 @@
  umount /,
  umount /oldroot/,

+  #aa:only debian whonix
+  mount -> /newroot/{,**}, # Debian does not support the remount rule.
+
  pivot_root oldroot=/newroot/ /newroot/,
  pivot_root oldroot=/tmp/oldroot/ /tmp/,

@ -51,3 +53,5 @@
  owner @{PROC}/@{pid}/uid_map rw,

  include if exists <abstractions/common/bwrap.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/common/chromium
+++ b/apparmor.d/abstractions/common/chromium
@ -20,19 +20,19 @@
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,

-  owner @{user_share_dirs}/.org.chromium.Chromium.* rw,
+  owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,

        /tmp/ r,
        /var/tmp/ r,
-  owner @{tmp}/.org.chromium.Chromium.* rw,
-  owner @{tmp}/.org.chromium.Chromium.*/{,**} rw,
+  owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
+  owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw,
  owner @{tmp}/scoped_dir*/ rw,
  owner @{tmp}/scoped_dir*/SingletonCookie w,
  owner @{tmp}/scoped_dir*/SingletonSocket w,
  owner @{tmp}/scoped_dir*/SS w,

        /dev/shm/ r,
-  owner /dev/shm/.org.chromium.Chromium.* rw,
+  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,

  # If kernel.unprivileged_userns_clone = 1
  owner @{PROC}/@{pid}/setgroups w,
@ -40,3 +40,5 @@
  owner @{PROC}/@{pid}/uid_map w,

  include if exists <abstractions/common/chromium.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/common/electron
+++ b/apparmor.d/abstractions/common/electron
@ -87,3 +87,5 @@
  owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1

  include if exists <abstractions/common/electron.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/common/gnome
+++ b/apparmor.d/abstractions/common/gnome
@ -25,3 +25,5 @@
  owner @{PROC}/@{pid}/cmdline r,

  include if exists <abstractions/common/gnome.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/common/steam-game
+++ b/apparmor.d/abstractions/common/steam-game
@ -0,0 +1,125 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  include <abstractions/audio-client>
+  include <abstractions/desktop>
+  include <abstractions/devices-usb>
+  include <abstractions/fontconfig-cache-write>
+  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
+
+  @{bin}/uname          rix,
+  @{bin}/xdg-settings   rPx,
+  @{browsers_path}      rPx,
+
+  @{bin}/env r,
+
+  @{app_dirs}/ r,
+  @{lib_dirs}/ r,
+  @{lib}/ r,
+  / r,
+  /home/ r,
+  /usr/ r,
+  /usr/local/ r,
+  /usr/local/lib/ r,
+
+  /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
+
+  owner @{HOME}/ r,
+  owner @{HOME}/.steam/steam.pid r,
+  owner @{HOME}/.steam/steam.pipe r,
+
+  owner @{user_games_dirs}/ r,
+  owner @{user_games_dirs}/*/ r,
+  owner @{user_games_dirs}/*/{,**} rwkl,
+
+  owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+  owner @{user_config_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+
+  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+  owner @{user_share_dirs}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+
+  owner @{share_dirs}/ r,
+  owner @{share_dirs}/* r,
+  owner @{share_dirs}/appcache/** rk,
+  owner @{share_dirs}/config/ r,
+  owner @{share_dirs}/config/* rwk,
+  owner @{share_dirs}/logs/ rw,
+  owner @{share_dirs}/logs/* rwk,
+  owner @{share_dirs}/shader_cache_temp_dir_*/fozpipelinesv@{int}/{,**} rw,
+  owner @{share_dirs}/steamapps/ r,
+  owner @{share_dirs}/steamapps/common/ r,
+  owner @{share_dirs}/steamapps/common/[^S]*/** rwlk,
+  owner @{share_dirs}/steamapps/shadercache/{,**} rwk,
+
+        @{tmp}/ r,
+  owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/ rw,
+  owner @{tmp}/@{XDG_GAMESSTUDIO_DIR}/** rwlk,
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/CASESENSITIVETEST@{hex32} rw,
+  owner @{tmp}/crashes/ rw,
+  owner @{tmp}/crashes/** rwk,
+  owner @{tmp}/miles_image_@{rand6} mrw,
+  owner @{tmp}/runtime-info.txt.@{rand6} rw, 
+  owner @{tmp}/vdpau-drivers-@{rand6}/{,**} rw,
+
+  owner /dev/shm/mono.@{int} rw,
+  owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
+  owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
+  owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
+  owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
+  owner /dev/shm/u@{uid}-Shm_@{hex8} rw,
+  owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
+  owner /dev/shm/ValveIPCSHM_@{uid} rw,
+
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+
+  @{sys}/ r,
+  @{sys}/bus/ r,
+  @{sys}/class/ r,
+  @{sys}/class/hidraw/ r,
+  @{sys}/class/input/ r,
+  @{sys}/devices/ r,
+  @{sys}/devices/@{pci}/boot_vga r,
+  @{sys}/devices/@{pci}/net/*/carrier r,
+  @{sys}/devices/**/input@{int}/ r,
+  @{sys}/devices/**/input@{int}/**/{vendor,product} r,
+  @{sys}/devices/**/input@{int}/capabilities/* r,
+  @{sys}/devices/**/input/input@{int}/ r,
+  @{sys}/devices/**/uevent r,
+  @{sys}/devices/system/ r,
+  @{sys}/devices/system/clocksource/clocksource@{int}/current_clocksource r,
+  @{sys}/devices/system/cpu/cpu@{int}/ r,
+  @{sys}/devices/virtual/dmi/id/* r,
+  @{sys}/devices/virtual/net/*/carrier r,
+  @{sys}/kernel/ r,
+
+        @{sys}/fs/cgroup/user.slice/cpu.max r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max  r,
+
+        @{PROC}/uptime r,
+        @{PROC}/version r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pid}/pagemap r,
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+  owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
+  /dev/ r,
+  /dev/hidraw@{int} rw,
+  /dev/input/ r,
+  /dev/input/event@{int} rw,
+  /dev/tty rw,
+  /dev/uinput rw,
+
+  include if exists <abstractions/common/steam-game.d>
--- a/apparmor.d/abstractions/common/systemd
+++ b/apparmor.d/abstractions/common/systemd
@ -19,3 +19,5 @@
  /dev/kmsg w,

  include if exists <abstractions/common/systemd.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/crypto.d/complete
+++ b/apparmor.d/abstractions/crypto.d/complete
@ -6,3 +6,5 @@

  @{etc_ro}/gnutls/config r,
  @{etc_ro}/gnutls/pkcs11.conf r,
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/dconf-write
+++ b/apparmor.d/abstractions/dconf-write
@ -25,3 +25,5 @@
  owner @{run}/user/@{uid}/dconf/user rw,

  include if exists <abstractions/dconf-write.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/deny-sensitive-home
+++ b/apparmor.d/abstractions/deny-sensitive-home
@ -49,3 +49,5 @@
  deny @{HOME}/.{,cache/}fontconfig/** mrwl,

  include if exists <abstractions/deny-sensitive-home.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/desktop
+++ b/apparmor.d/abstractions/desktop
@ -63,3 +63,5 @@
  owner @{user_share_dirs}/ rw,

  include if exists <abstractions/desktop.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/devices-usb
+++ b/apparmor.d/abstractions/devices-usb
@ -23,3 +23,5 @@
  @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters

  include if exists <abstractions/devices-usb.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@ -95,3 +95,5 @@
  @{run}/udev/data/+usb:*      r,     # for disk over usb hub

  include if exists <abstractions/disks-read.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/disks-write
+++ b/apparmor.d/abstractions/disks-write
@ -95,3 +95,5 @@
  @{run}/udev/data/+usb:*      r,     # for disk over usb hub

  include if exists <abstractions/disks-write.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/dri
+++ b/apparmor.d/abstractions/dri
@ -32,3 +32,5 @@
  /dev/dri/renderD129 rw,

  include if exists <abstractions/dri.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/fish
+++ b/apparmor.d/abstractions/fish
@ -12,3 +12,5 @@
  owner @{user_config_dirs}/fish/{,**} r,

  include if exists <abstractions/fish.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/fontconfig-cache-read
+++ b/apparmor.d/abstractions/fontconfig-cache-read
@ -46,3 +46,5 @@
  deny       "@{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,

  include if exists <abstractions/fontconfig-cache-read.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/fontconfig-cache-write
+++ b/apparmor.d/abstractions/fontconfig-cache-write
@ -39,3 +39,5 @@
   link @{user_share_dirs}/fonts/**/.uuid.LCK -> @{user_share_dirs}/fonts/**/.uuid.TMP-*,

  include if exists <abstractions/fontconfig-cache-write.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/freedesktop.org.d/complete
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete
@ -22,3 +22,5 @@
  /var/lib/snapd/desktop/icons/{,**} r,

  owner @{HOME}/.icons/{,**} r,
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/gnome-strict
+++ b/apparmor.d/abstractions/gnome-strict
@ -28,3 +28,5 @@
  owner @{user_share_dirs}/ rw,

  include if exists <abstractions/gnome-strict.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/gnome.d/complete
+++ b/apparmor.d/abstractions/gnome.d/complete
@ -10,3 +10,5 @@
       peer=(name=:*, label=gnome-shell),

  /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/graphics
+++ b/apparmor.d/abstractions/graphics
@ -20,3 +20,5 @@
  @{sys}/devices/system/node/node@{int}/meminfo r,

  include if exists <abstractions/graphics.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/graphics-full
+++ b/apparmor.d/abstractions/graphics-full
@ -9,3 +9,5 @@
  /dev/nvidia-uvm-tools rw,

  include if exists <abstractions/graphics-full.d>
+
+# vim:syntax=apparmor
--- a/apparmor.d/abstractions/gstreamer
+++ b/apparmor.d/abstractions/gstreamer
@ -54,3 +54,5 @@
  /dev/dri/ r,

  include if exists <abstractions/gstreamer.d>
+
+# vim:syntax=apparmor
--- a/Show more
+++ b/Show more