feat(profiles): add the dconf-write abstraction.

2022-06-09 21:55:55 +01:00 · 2022-06-09 21:55:55 +01:00 · 5d45b8e7a7
commit 5d45b8e7a7
parent 583d7a15f0
104 changed files with 124 additions and 371 deletions
--- a/apparmor.d/groups/apps/atom
+++ b/apparmor.d/groups/apps/atom
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/atom{,-beta,-nightly,-dev}/atom /{usr/,}bin/atom
 profile atom @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -94,10 +95,6 @@ profile atom @{exec_path} {

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or atom gets crash with the following error:
--- a/apparmor.d/groups/apps/code
+++ b/apparmor.d/groups/apps/code
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/code/{bin/,}code /{usr/,}bin/code
 profile code @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -71,10 +72,6 @@ profile code @{exec_path} {

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or code gets crash with the following error:
--- a/apparmor.d/groups/apps/freetube
+++ b/apparmor.d/groups/apps/freetube
@ -15,6 +15,7 @@ include <tunables/global>
 profile freetube @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/freedesktop.org>
  include <abstractions/fonts>
@ -67,10 +68,6 @@ profile freetube @{exec_path} {

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  owner @{user_share_dirs} r,
--- a/apparmor.d/groups/apps/thunderbird
+++ b/apparmor.d/groups/apps/thunderbird
@ -18,6 +18,7 @@ include <tunables/global>
 profile thunderbird @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/fonts>
@ -91,10 +92,6 @@ profile thunderbird @{exec_path} {
  owner @{HOME}/Mail/ rw,
  owner @{HOME}/Mail/** rwl -> @{HOME}/Mail/**,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  # Fix error in libglib while saving files as
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/reportbug
 profile reportbug @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/wayland>
  include <abstractions/consoles>
  include <abstractions/fonts>
@ -63,10 +64,6 @@ profile reportbug @{exec_path} {
  /{usr/,}bin/run-parts        rCx -> run-parts,
  /{usr/,}bin/gpg              rCx -> gpg,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  # For sending additional information
  /etc/** r,

--- a/apparmor.d/groups/browsers/brave
+++ b/apparmor.d/groups/browsers/brave
@ -14,6 +14,7 @@ include <tunables/global>
 profile brave @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -105,10 +106,6 @@ profile brave @{exec_path} {

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or Brave crash with the following error:
--- a/apparmor.d/groups/browsers/chrome-gnome-shell
+++ b/apparmor.d/groups/browsers/chrome-gnome-shell
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/chrome-gnome-shell
 profile chrome-gnome-shell @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
@ -26,9 +26,6 @@ profile chrome-gnome-shell @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{PROC}/@{pid}/mounts r,

  deny @{HOME}/.* r,
--- a/apparmor.d/groups/browsers/chromium-chromium
+++ b/apparmor.d/groups/browsers/chromium-chromium
@ -14,7 +14,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/chromium-common>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -106,9 +106,6 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
  # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
  # owner @{HOME}/.mozilla/firefox/*/logins.json r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner /tmp/tmp.*/ rw,
  owner /tmp/tmp.*/** rwk,
  owner /tmp/scoped_dir*/{,**} rw,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -15,7 +15,7 @@ include <tunables/global>
 profile firefox @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
@ -131,9 +131,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml rw,
  owner @{user_share_dirs}/mime/packages/user-extension-{htm,html,xht,xhtml,shtml}.xml.* rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
    /var/tmp/ r,
        /tmp/ r,
  owner /tmp/* rw,
--- a/apparmor.d/groups/browsers/firefox-crashreporter
+++ b/apparmor.d/groups/browsers/firefox-crashreporter
@ -12,7 +12,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/firefox/crashreporter
 profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -51,9 +51,6 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {

  owner @{user_cache_dirs}/mozilla/firefox/*.*/** r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
        /tmp/ r,
    /var/tmp/ r,
  owner /tmp/[0-9a-f]*.{dmp,extra} rw,
--- a/apparmor.d/groups/browsers/opera
+++ b/apparmor.d/groups/browsers/opera
@ -13,6 +13,7 @@ include <tunables/global>
@{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
 profile opera @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/opencl-intel>
  include <abstractions/gtk>
  include <abstractions/freedesktop.org>
@ -83,10 +84,6 @@ profile opera @{exec_path} {

  /etc/fstab r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  # Needed or opera crashes with the following error:
--- a/apparmor.d/groups/bus/dbus-run-session
+++ b/apparmor.d/groups/bus/dbus-run-session
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dbus-run-session
 profile dbus-run-session @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>

  signal (receive) set=(term, kill, hup) peer=gdm*,
  signal (send) set=term peer=dbus-daemon,
@ -26,8 +26,6 @@ profile dbus-run-session @{exec_path} {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/dconf/profile/gdm r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  /var/lib/gdm/.config/dconf/user r,
  /var/lib/gdm/.cache/dconf/ rw,

--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -10,7 +10,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/ibus-dconf
 profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

  signal (receive) set=term peer=ibus-daemon,
@ -29,8 +29,6 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm/.config/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
  /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-[0-9]* r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  /var/lib/gdm/.cache/dconf/ w,
  /var/lib/gdm/.cache/dconf/user rw,
  /var/lib/gdm/.config/dconf/user rw,
--- a/apparmor.d/groups/bus/ibus-extension-gtk3
+++ b/apparmor.d/groups/bus/ibus-extension-gtk3
@ -11,7 +11,7 @@ include <tunables/global>
 profile ibus-extension-gtk3 @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
@ -42,8 +42,6 @@ profile ibus-extension-gtk3 @{exec_path} {
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9] rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  /var/lib/gdm/.config/dconf/user r,

  include if exists <local/ibus-extension-gtk3>
--- a/apparmor.d/groups/freedesktop/at-spi-bus-launcher
+++ b/apparmor.d/groups/freedesktop/at-spi-bus-launcher
@ -12,7 +12,7 @@ include <tunables/global>
 profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

  signal (receive) set=(term hup kill) peer=dbus-daemon,
@ -35,8 +35,6 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.xsession-errors w,

  owner @{run}/user/@{uid}/at-spi/{,bus} rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  /var/lib/lightdm/.Xauthority r,
--- a/apparmor.d/groups/freedesktop/dconf
+++ b/apparmor.d/groups/freedesktop/dconf
@ -9,17 +9,14 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf
 profile dconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dconf-write>

  capability sys_nice,

  @{exec_path} mr,

-  /etc/dconf/{,**} r,
  /etc/dconf/db/** rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{user_config_dirs}/dconf/ rw,
  owner @{user_config_dirs}/dconf/user{,.*} rw,

--- a/apparmor.d/groups/freedesktop/dconf-editor
+++ b/apparmor.d/groups/freedesktop/dconf-editor
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -9,16 +10,15 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/dconf-editor
 profile dconf-editor @{exec_path} {
  include <abstractions/base>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
-  include <abstractions/dconf>
+  include <abstractions/gtk>

  @{exec_path} mr,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
+  /usr/share/glib-2.0/schemas/{,*} r,

  # When GSETTINGS_BACKEND=keyfile
  owner @{user_config_dirs}/glib-2.0/ rw,
@ -26,11 +26,7 @@ profile dconf-editor @{exec_path} {
  owner @{user_config_dirs}/glib-2.0/settings/keyfile rw,
  owner @{user_config_dirs}/glib-2.0/settings/.goutputstream-* rw,

-  /usr/share/glib-2.0/schemas/{,*} r,
-
  owner @{HOME}/.Xauthority r,
-
-  # file_inherit
  owner /dev/tty[0-9]* rw,

  include if exists <local/dconf-editor>
--- a/apparmor.d/groups/freedesktop/dconf-service
+++ b/apparmor.d/groups/freedesktop/dconf-service
@ -10,15 +10,13 @@ include <tunables/global>
 profile dconf-service @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf-write>

  signal (receive) set=(term kill hup) peer=dbus-daemon,
  signal (receive) set=(term hup) peer=gdm*,

  @{exec_path} mr,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{user_config_dirs}/dconf/ rw,
  owner @{user_config_dirs}/dconf/user{,.*} rw,

--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -14,6 +14,7 @@ profile pulseaudio @{exec_path} {
  include <abstractions/consoles>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gstreamer>
@ -114,18 +115,12 @@ profile pulseaudio @{exec_path} {
  owner /var/lib/lightdm/.config/pulse/{,**}  rw,
  owner /var/lib/lightdm/.config/pulse/cookie   k,

-  owner @{HOME}/.Xauthority r,
-  owner @{HOME}/.ICEauthority r,
-
  owner @{user_config_dirs}/pulse/{,**} rw,
-  owner @{user_config_dirs}/dconf/user r,

  owner @{user_cache_dirs}/gstreamer-1.0/registry.x86_64.bin r,

  owner @{run}/user/@{uid}/ rw,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
  owner @{run}/user/@{uid}/ICEauthority r,
  owner @{run}/user/@{uid}/pulse/{,*} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -11,7 +11,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>

@ -57,8 +57,6 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  /var/lib/flatpak/exports/share/applications/{**,} r,

  owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/pipewire-[0-9]* rw,

  owner @{PROC}/@{pids}/cgroup r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -11,7 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -39,7 +39,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {

  owner @{user_share_dirs}/ r,

-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,

--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -11,7 +11,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
@ -41,7 +41,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
        @{run}/mount/utab r,

--- a/apparmor.d/groups/gnome/evolution-addressbook-factory
+++ b/apparmor.d/groups/gnome/evolution-addressbook-factory
@ -12,7 +12,7 @@ profile evolution-addressbook-factory @{exec_path} {
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
@ -47,9 +47,6 @@ profile evolution-addressbook-factory @{exec_path} {
  owner @{user_share_dirs}/evolution/{,**} rwk,
  owner @{user_cache_dirs}/evolution/addressbook/{,**} rwk,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/cmdline r,

--- a/apparmor.d/groups/gnome/evolution-alarm-notify
+++ b/apparmor.d/groups/gnome/evolution-alarm-notify
@ -10,7 +10,7 @@ include <tunables/global>
 profile evolution-alarm-notify @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/gnome>
  include <abstractions/nameservice-strict>
@ -25,8 +25,6 @@ profile evolution-alarm-notify @{exec_path} {
  /usr/share/zoneinfo-icu/{,**} r,

  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,

  include if exists <local/evolution-alarm-notify>
 }
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@ -12,7 +12,7 @@ profile evolution-calendar-factory @{exec_path} {
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
@ -37,9 +37,6 @@ profile evolution-calendar-factory @{exec_path} {
  owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
  owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/cmdline r,

--- a/apparmor.d/groups/gnome/evolution-source-registry
+++ b/apparmor.d/groups/gnome/evolution-source-registry
@ -10,7 +10,7 @@ include <tunables/global>
 profile evolution-source-registry @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -30,9 +30,6 @@ profile evolution-source-registry @{exec_path} {
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  owner @{user_cache_dirs}/evolution/{,**} rwk,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  @{PROC}/sys/kernel/osrelease r,
  @{PROC}/cmdline r,

--- a/apparmor.d/groups/gnome/gdm-wayland-session
+++ b/apparmor.d/groups/gnome/gdm-wayland-session
@ -12,7 +12,7 @@ profile gdm-wayland-session @{exec_path} {
  include <abstractions/bash>
  include <abstractions/consoles>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/zsh>

@ -62,8 +62,6 @@ profile gdm-wayland-session @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  owner @{run}/user/@{uid}/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
        @{run}/gdm/custom.conf r,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/gnome/gdm-xsession
+++ b/apparmor.d/groups/gnome/gdm-xsession
@ -11,7 +11,7 @@ profile gdm-xsession @{exec_path} {
  include <abstractions/base>
  include <abstractions/bash>
  include <abstractions/consoles>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

  @{exec_path} mr,
@ -34,9 +34,6 @@ profile gdm-xsession @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /etc/X11/{,**} r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  # file_inherit
  /dev/tty[0-9]* rw,

--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -10,7 +10,7 @@ include <tunables/global>
 profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
@ -46,8 +46,6 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/gstreamer-1.0/ rw,
  owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
        @{run}/user/@{uid}/wayland-cursor-shared-* rw,

--- a/apparmor.d/groups/gnome/gnome-calculator-search-provider
+++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-calculator-search-provider
 profile gnome-calculator-search-provider @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/gtk>
  include <abstractions/fonts>

@ -22,8 +22,6 @@ profile gnome-calculator-search-provider @{exec_path} {
  /usr/share/X11/xkb/{,**} r,
  /usr/share/icons/{,**} r,
  
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-calendar
 profile gnome-calendar @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/gnome>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
@ -26,8 +26,6 @@ profile gnome-calendar @{exec_path} {
  /usr/share/libgweather/Locations.xml r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  include if exists <local/gnome-calendar>
--- a/apparmor.d/groups/gnome/gnome-contacts
+++ b/apparmor.d/groups/gnome/gnome-contacts
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-contacts
 profile gnome-contacts @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gnome>
@ -32,8 +32,5 @@ profile gnome-contacts @{exec_path} {
  owner @{user_config_dirs}/gnome-contacts/{,**} rw,
  owner @{user_share_dirs}/folks/relationships.ini r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  include if exists <local/gnome-contacts>
 }
--- a/apparmor.d/groups/gnome/gnome-contacts-search-provider
+++ b/apparmor.d/groups/gnome/gnome-contacts-search-provider
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gnome-contacts-search-provider
 profile gnome-contacts-search-provider @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/opencl>
  include <abstractions/openssl>

@ -22,9 +22,6 @@ profile gnome-contacts-search-provider @{exec_path} {

  owner @{user_share_dirs}/folks/relationships.ini r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{PROC}/@{pid}/cmdline r,

  include if exists <local/gnome-contacts-search-provider>
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -10,7 +10,7 @@ include <tunables/global>
 profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gnome>
@ -78,8 +78,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/webkitgtk/databases/indexeddb/* rw,
  owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
  owner @{run}/user/@{uid}/webkitgtk/{,**} rw,
        @{run}/systemd/users/@{uid} r,
--- a/apparmor.d/groups/gnome/gnome-control-center-goa-helper
+++ b/apparmor.d/groups/gnome/gnome-control-center-goa-helper
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/gnome-control-center-goa-helper
 profile gnome-control-center-goa-helper @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gnome>
@ -43,7 +43,6 @@ profile gnome-control-center-goa-helper @{exec_path} {
  owner @{user_share_dirs}/webkitgtk/{,**} rw,
  owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,

-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/webkitgtk/{,**} rw,

  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-org.gnome.Settings-[0-9]*.scope/memory.* r,
--- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer
+++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-control-center-print-renderer
 profile gnome-control-center-print-renderer @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fonts>
@ -33,8 +33,6 @@ profile gnome-control-center-print-renderer @{exec_path} {

  owner @{user_share_dirs}/icons/{,**} r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/groups/gnome/gnome-control-center-search-provider
+++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/gnome-control-center-search-provider
 profile gnome-control-center-search-provider @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/fonts>
@ -18,9 +18,7 @@ profile gnome-control-center-search-provider @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/X11/xkb/{,**} r,
-  
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
+
  owner @{run}/user/@{uid}/gdm/Xauthority r,

  include if exists <local/gnome-control-center-search-provider>
--- a/apparmor.d/groups/gnome/gnome-disk-image-mounter
+++ b/apparmor.d/groups/gnome/gnome-disk-image-mounter
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-disk-image-mounter
 profile gnome-disk-image-mounter @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
@ -24,9 +24,6 @@ profile gnome-disk-image-mounter @{exec_path} {
  owner @{MOUNTS}/*/{,**} r,
  owner /tmp/*/{,**} r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{PROC}/@{pid}/mountinfo r,

  @{run}/mount/utab r,
--- a/apparmor.d/groups/gnome/gnome-disks
+++ b/apparmor.d/groups/gnome/gnome-disks
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/gnome-disks
 profile gnome-disks @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/gnome>

  @{exec_path} mr,
@ -17,9 +17,6 @@ profile gnome-disks @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/X11/xkb/{,**} r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{PROC}/@{pid}/cgroup r,
        @{PROC}/1/cgroup r,

--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -11,7 +11,7 @@ profile gnome-extension-ding @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
@ -54,8 +54,6 @@ profile gnome-extension-ding @{exec_path} {
  owner @{user_share_dirs}/gvfs-metadata/home-*.log r,

  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,

  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
--- a/apparmor.d/groups/gnome/gnome-music
+++ b/apparmor.d/groups/gnome/gnome-music
@ -10,7 +10,7 @@ include <tunables/global>
 profile gnome-music @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/gnome>
  include <abstractions/gstreamer>
  include <abstractions/mesa>
@ -48,8 +48,6 @@ profile gnome-music @{exec_path} {
  owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,

  owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,

  owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
--- a/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
+++ b/apparmor.d/groups/gnome/gnome-remote-desktop-daemon
@ -10,6 +10,7 @@ include <tunables/global>
 profile gnome-remote-desktop-daemon @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/vulkan>
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -11,7 +11,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/gtk>
@ -119,8 +119,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/session_migration-ubuntu r,

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
  owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -13,7 +13,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  include <abstractions/audio>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
@ -171,8 +171,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/vlc/**/*.jpg r,

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
  owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
--- a/apparmor.d/groups/gnome/gnome-shell-calendar-server
+++ b/apparmor.d/groups/gnome/gnome-shell-calendar-server
@ -10,7 +10,7 @@ include <tunables/global>
 profile gnome-shell-calendar-server @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

  @{exec_path} mr,
@ -20,8 +20,5 @@ profile gnome-shell-calendar-server @{exec_path} {

  /etc/timezone r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  include if exists <local/gnome-shell-calendar-server>
 }
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -10,7 +10,7 @@ include <tunables/global>
 profile gnome-terminal-server @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
@ -32,8 +32,6 @@ profile gnome-terminal-server @{exec_path} {

  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,

--- a/apparmor.d/groups/gnome/gnome-tweaks
+++ b/apparmor.d/groups/gnome/gnome-tweaks
@ -10,7 +10,7 @@ include <tunables/global>
 profile gnome-tweaks @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/gnome>
  include <abstractions/gtk>
  include <abstractions/python>
@ -37,9 +37,6 @@ profile gnome-tweaks @{exec_path} {
  owner @{user_share_dirs}/recently-used.xbel* rw,
  owner @{user_share_dirs}/sounds/ r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{PROC}/@{pid}/fd/ r,

  include if exists <local/gnome-tweaks>
--- a/apparmor.d/groups/gnome/goa-daemon
+++ b/apparmor.d/groups/gnome/goa-daemon
@ -12,7 +12,7 @@ profile goa-daemon @{exec_path} {
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/openssl>
@ -35,8 +35,5 @@ profile goa-daemon @{exec_path} {

  owner @{user_config_dirs}/goa-1.0/accounts.conf r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  include if exists <local/goa-daemon>
 }
--- a/apparmor.d/groups/gnome/gsd-a11y-settings
+++ b/apparmor.d/groups/gnome/gsd-a11y-settings
@ -10,7 +10,7 @@ include <tunables/global>
 profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>

  signal (receive) set=(term, hup) peer=gdm*,

@ -20,9 +20,6 @@ profile gsd-a11y-settings @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /var/lib/gdm/.config/dconf/user r,

  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -11,7 +11,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/gtk>
@ -49,8 +49,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/icc/edid-*.icc rw,

  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9] rw,

--- a/apparmor.d/groups/gnome/gsd-datetime
+++ b/apparmor.d/groups/gnome/gsd-datetime
@ -10,7 +10,7 @@ include <tunables/global>
 profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>

  signal (receive) set=(term, hup) peer=gdm*,

@ -20,9 +20,6 @@ profile gsd-datetime @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /var/lib/gdm{3,}/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@ -11,7 +11,7 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/thumbnails-cache-read>

  signal (receive) set=(term, hup) peer=gdm*,
@ -28,9 +28,6 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/thumbnails/{,**} rw,
  owner @{user_share_dirs}/applications/ rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /var/lib/gdm/.config/dconf/user r,

  owner @{PROC}/@{pids}/mountinfo r,
--- a/apparmor.d/groups/gnome/gsd-keyboard
+++ b/apparmor.d/groups/gnome/gsd-keyboard
@ -11,7 +11,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/gtk>
@ -33,8 +33,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/gnome-settings-daemon/ rw,

  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9] rw,

--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -12,7 +12,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  include <abstractions/audio>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
@ -58,8 +58,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm/.config/pulse/cookie rk,

  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
        @{run}/systemd/inhibit/[0-9]*.ref rw,
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -12,7 +12,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  include <abstractions/audio>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
@ -61,8 +61,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  /var/lib/gdm/.config/pulse/client.conf r,

  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9] rw,

--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -12,7 +12,7 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>

  signal (receive) set=(term, hup) peer=gdm*,
  
@ -26,9 +26,6 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /var/lib/gdm/.config/dconf/user r,

  owner /dev/tty[0-9]* rw,
--- a/apparmor.d/groups/gnome/gsd-smartcard
+++ b/apparmor.d/groups/gnome/gsd-smartcard
@ -10,7 +10,7 @@ include <tunables/global>
 profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/p11-kit>

  signal (receive) set=(term, hup) peer=gdm*,
@ -21,9 +21,6 @@ profile gsd-smartcard @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter-dconf-defaults r,
  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  /var/lib/gdm/.config/dconf/user r,
  /var/lib/gdm{3,}/greeter-dconf-defaults r,

--- a/apparmor.d/groups/gnome/gsd-sound
+++ b/apparmor.d/groups/gnome/gsd-sound
@ -11,7 +11,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>

  signal (receive) set=(term, hup) peer=gdm*,

@ -29,9 +29,6 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {

  owner @{user_share_dirs}/sounds/ rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner /dev/tty[0-9]* rw,

  include if exists <local/gsd-sound>
--- a/apparmor.d/groups/gnome/gsd-usb-protection
+++ b/apparmor.d/groups/gnome/gsd-usb-protection
@ -9,14 +9,11 @@ include <tunables/global>
@{exec_path} = @{libexec}/gsd-usb-protection
 profile gsd-usb-protection @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>

  @{exec_path} mr,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  include if exists <local/gsd-usb-protection>
 }
--- a/apparmor.d/groups/gnome/gsd-wacom
+++ b/apparmor.d/groups/gnome/gsd-wacom
@ -10,7 +10,7 @@ include <tunables/global>
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
@ -30,8 +30,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
  /etc/machine-id r,

  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9] rw,

--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -11,7 +11,7 @@ profile gsd-xsettings @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-read>
@ -60,8 +60,6 @@ profile gsd-xsettings @{exec_path} {

  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gdm/Xauthority r,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
        @{run}/systemd/sessions/* r,
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -11,7 +11,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app-launcher-user>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/gnome>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
@ -50,9 +50,6 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {

  owner @{user_share_dirs}/nautilus/{,**} rwk,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  @{run}/mount/utab r,

  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
--- a/apparmor.d/groups/gnome/seahorse
+++ b/apparmor.d/groups/gnome/seahorse
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/seahorse
 profile seahorse @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/gnome>
  include <abstractions/p11-kit>
  include <abstractions/ssl_certs>
@ -25,9 +25,6 @@ profile seahorse @{exec_path} {
  # Seahorse and SSH keys
  owner @{HOME}/@{XDG_SSH_DIR}/{,**} r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  owner @{PROC}/@{pid}/fd/ r,

  include if exists <local/seahorse>
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/tracker-extract-3
 profile tracker-extract @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/disks-read>
  include <abstractions/fonts>
  include <abstractions/gstreamer>
@ -48,8 +48,6 @@ profile tracker-extract @{exec_path} {
  owner @{user_share_dirs}/gvfs-metadata/** r,
  
  owner @{run}/user/@{uid}/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
        @{run}/blkid/blkid.tab r,

  @{run}/udev/data/c235:* r,
--- a/apparmor.d/groups/gnome/tracker-miner
+++ b/apparmor.d/groups/gnome/tracker-miner
@ -11,7 +11,7 @@ profile tracker-miner @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/disks-read>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
@ -54,8 +54,6 @@ profile tracker-miner @{exec_path} {
  owner @{PROC}/@{pid}/mounts r,
        @{PROC}/sys/fs/inotify/max_user_watches r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
        @{run}/blkid/blkid.tab r,

  @{run}/mount/utab r,
--- a/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
+++ b/apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor
@ -13,7 +13,7 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/devices-usb>
  include <abstractions/disks-read>
  include <abstractions/freedesktop.org>
@ -48,9 +48,6 @@ profile gvfs-udisks2-volume-monitor @{exec_path} {
  owner @{MOUNTS}/**/ r,
  owner @{HOME}/**/ r,

-  owner @{run}/user/@{uid}/dconf/ w,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  @{run}/mount/utab r,
  @{run}/systemd/sessions/* r,

--- a/apparmor.d/groups/gvfs/gvfsd-dav
+++ b/apparmor.d/groups/gvfs/gvfsd-dav
@ -11,7 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-dav
 profile gvfsd-dav @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/p11-kit>
@ -28,8 +28,6 @@ profile gvfsd-dav @{exec_path} {
  /usr/share/glib-2.0/schemas/gschemas.compiled r,
  /usr/share/mime/mime.cache r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gvfsd/ rw,
  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,

--- a/apparmor.d/groups/gvfs/gvfsd-ftp
+++ b/apparmor.d/groups/gvfs/gvfsd-ftp
@ -11,7 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-ftp
 profile gvfsd-ftp @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>

@ -25,8 +25,5 @@ profile gvfsd-ftp @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  include if exists <local/gvfsd-ftp>
 }
--- a/apparmor.d/groups/gvfs/gvfsd-http
+++ b/apparmor.d/groups/gvfs/gvfsd-http
@ -11,7 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-http
 profile gvfsd-http @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
@ -27,8 +27,6 @@ profile gvfsd-http @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gvfsd/socket-* rw,

  include if exists <local/gvfsd-http>
--- a/apparmor.d/groups/gvfs/gvfsd-mtp
+++ b/apparmor.d/groups/gvfs/gvfsd-mtp
@ -11,7 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-mtp
 profile gvfsd-mtp @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/devices-usb>
  include <abstractions/freedesktop.org>
  include <abstractions/private-files-strict>
@ -26,8 +26,6 @@ profile gvfsd-mtp @{exec_path} {
  owner @{HOME}/{,**} rw,
  owner @{MOUNTS}/*/{,**} rw,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gvfsd/socket-* rw,

  include if exists <local/gvfsd-mtp>
--- a/apparmor.d/groups/gvfs/gvfsd-network
+++ b/apparmor.d/groups/gvfs/gvfsd-network
@ -11,14 +11,12 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-network
 profile gvfsd-network @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>

  @{exec_path} mr,

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gvfsd/ rw,
  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,

--- a/apparmor.d/groups/gvfs/gvfsd-smb
+++ b/apparmor.d/groups/gvfs/gvfsd-smb
@ -11,7 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-smb
 profile gvfsd-smb @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/freedesktop.org>

  network netlink raw,
@ -26,8 +26,6 @@ profile gvfsd-smb @{exec_path} {

  /etc/samba/smb.conf r,

-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,

  include if exists <local/gvfsd-smb>
--- a/apparmor.d/groups/gvfs/gvfsd-smb-browse
+++ b/apparmor.d/groups/gvfs/gvfsd-smb-browse
@ -11,7 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-smb-browse
 profile gvfsd-smb-browse @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>

  network netlink raw,
@ -27,8 +27,6 @@ profile gvfsd-smb-browse @{exec_path} {
  /etc/samba/smb.conf r,

  owner @{run}/samba/ rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,

  include if exists <local/gvfsd-smb-browse>
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@ -11,7 +11,7 @@ profile check-new-release-gtk @{exec_path} {
  include <abstractions/base>
  include <abstractions/apt-common>
  include <abstractions/dbus-session-strict>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
@ -41,7 +41,6 @@ profile check-new-release-gtk @{exec_path} {

  owner @{user_cache_dirs}/update-manager-core/{,**} rw,

-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/wayland-[0-9] rw,

  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification
 profile livepatch-notification @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/gtk>

  @{exec_path} mr,
@ -20,8 +20,6 @@ profile livepatch-notification @{exec_path} {

  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,

  include if exists <local/livepatch-notification>
--- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
+++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification
@ -10,7 +10,7 @@ include <tunables/global>
 profile ubuntu-advantage-notification @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/gtk>

  @{exec_path} mr,
@ -20,8 +20,6 @@ profile ubuntu-advantage-notification @{exec_path} {
  /usr/share/X11/xkb/{,**} r,

  owner @{run}/user/@{uid}/at-spi/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,

  include if exists <local/ubuntu-advantage-notification>
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -10,7 +10,7 @@ include <tunables/global>
 profile update-notifier @{exec_path} {
  include <abstractions/base>
  include <abstractions/apt-common>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
@ -58,8 +58,6 @@ profile update-notifier @{exec_path} {

  owner @{run}/user/@{uid}/at-spi/bus rw,
  owner @{run}/user/@{uid}/bus rw,
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/update-notifier.pid rwk,
  owner @{run}/user/@{uid}/wayland-[0-9]* rw,