Merge FSP: rewrite the systemd profiles #753

* dev: (49 commits)
  fix: use mappings/sudo in su.
  build: justfile: add group.
  tests: update sbin.list
  fix: linter check.
  fix: add gpartedbin back to sbin.list.
  tests: show error line in sbin check.
  feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin).
  tests: remove symbolic link from sbin.
  test: add some security checks.
  tests: add more check for sbin path
  tests: rewrite and expand the profile check to more files.
  feat(tunable): add the archive_path variable.
  feat(profile): update gnome profiles.
  feat(fsp): small fsp improvement.
  feat(abs): minor improvement & cosmetic.
  feat(profile): add profiles for whoopsie.
  feat(profile): add initial profile for systemd-initctl.
  feat(profile): minor fsp related improvment.
  feat(fsp): setup RBAC mapping in auth enabled profiles.
  build: ignore all rule in abi3.
  ...

Justfile

@@ -64,24 +64,34 @@ help:
 	@just --list --unsorted
 	@echo -e "\nSee https://apparmor.pujol.io/development/ for more information."
 
+[group('build')]
 [doc('Build the go programs')]
 build:
 	@go build -o {{build}}/ ./cmd/aa-log
 	@go build -o {{build}}/ ./cmd/prebuild
 
+[group('build')]
 [doc('Prebuild the profiles in enforced mode')]
 enforce: build
 	@./{{build}}/prebuild
 
+[group('build')]
 [doc('Prebuild the profiles in complain mode')]
 complain: build
 	@./{{build}}/prebuild --complain
 
+[group('build')]
 [doc('Prebuild the profiles in FSP mode')]
 fsp: build
+	@./{{build}}/prebuild --full
+
+[group('build')]
+[doc('Prebuild the profiles in FSP mode (complain)')]
+fsp-complain: build
 	@./{{build}}/prebuild --complain --full
 
-[doc('Install the profiles')]
+[group('build')]
+[doc('Install prebuild profiles')]
 install:
 	#!/usr/bin/env bash
 	set -eu -o pipefail
@@ -108,26 +118,31 @@ install:
 		install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
 	done
 
+[group('packages')]
 [doc('Build & install apparmor.d on Arch based systems')]
 pkg:
 	@makepkg --syncdeps --install --cleanbuild --force --noconfirm
 
+[group('packages')]
 [doc('Build & install apparmor.d on Debian based systems')]
 dpkg:
 	@bash dists/build.sh dpkg
 	@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
 
+[group('packages')]
 [doc('Build & install apparmor.d on OpenSUSE based systems')]
 rpm:
 	@bash dists/build.sh rpm
 	@sudo rpm -ivh --force  {{pkgdest}}/{{pkgname}}-*.rpm
 
+[group('tests')]
 [doc('Run the unit tests')]
 tests:
 	@go test ./cmd/... -v -cover -coverprofile=coverage.out
 	@go test ./pkg/... -v -cover -coverprofile=coverage.out
 	@go tool cover -func=coverage.out
 
+[group('linter')]
 [doc('Run the linters')]
 lint:
 	golangci-lint run
@@ -138,18 +153,22 @@ lint:
 		tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
 		debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
 
+[group('linter')]
 [doc('Run style checks on the profiles')]
 check:
 	@bash tests/check.sh
 
+[group('docs')]
 [doc('Generate the man pages')]
 man:
 	@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
 
+[group('docs')]
 [doc('Build the documentation')]
 docs:
 	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
 
+[group('docs')]
 [doc('Serve the documentation')]
 serve:
 	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
@@ -160,6 +179,7 @@ clean:
 		debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
 		{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
 
+[group('packages')]
 [doc('Build the package in a clean OCI container')]
 package dist:
 	#!/usr/bin/env bash
@@ -175,6 +195,7 @@ package dist:
 	fi
 	bash dists/docker.sh $dist $version
 
+[group('vm')]
 [doc('Build the VM image')]
 img dist flavor: (package dist)
 	@mkdir -p {{base_dir}}
@@ -192,6 +213,7 @@ img dist flavor: (package dist)
 		-var output_dir={{output_dir}} \
 		tests/packer/
 
+[group('vm')]
 [doc('Create the machine')]
 create dist flavor:
 	@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
@@ -211,33 +233,40 @@ create dist flavor:
 		--sound model=ich9 \
 		--noautoconsole
 
+[group('vm')]
 [doc('Start a machine')]
 up dist flavor:
 	@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
 
+[group('vm')]
 [doc('Stops the machine')]
 halt dist flavor:
 	@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
 
+[group('vm')]
 [doc('Reboot the machine')]
 reboot dist flavor:
 	@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
 
+[group('vm')]
 [doc('Destroy the machine')]
 destroy dist flavor:
 	@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
 	@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
 	@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
 
+[group('vm')]
 [doc('Connect to the machine')]
 ssh dist flavor:
 	@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}`
 
+[group('vm')]
 [doc('List the machines')]
 list:
 	@echo -e '\033[1m Id   Distribution Flavor  State\033[0m'
 	@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
 
+[group('vm')]
 [doc('List the VM images')]
 images:
 	#!/usr/bin/env bash
@@ -254,6 +283,7 @@ images:
 	}
 	'
 
+[group('vm')]
 [doc('List the VM images that can be created')]
 available:
 	#!/usr/bin/env bash
@@ -270,6 +300,8 @@ available:
 	}
 	'
 
+
+[group('tests')]
 [doc('Run the integration tests on the machine')]
 integration dist flavor:
 	@ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \
@@ -280,12 +312,13 @@ integration dist flavor:
 		@bats --recursive --timing --print-output-on-failure Projects/integration/
 
 
-
+[group('internal')]
 get_ip dist flavor:
 	@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
 		head -1 | \
 		grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
 
+[group('internal')]
 get_osinfo dist:
 	#!/usr/bin/env python3
 	osinfo = {

apparmor.d/abstractions/app/kmod

@@ -7,13 +7,7 @@
 
   include <abstractions/consoles>
 
-  @{sbin}/depmod    mr,
-  @{sbin}/insmod    mr,
   @{bin}/kmod       mr,
-  @{sbin}/lsmod     mr,
-  @{sbin}/modinfo   mr,
-  @{sbin}/modprobe  mr,
-  @{sbin}/rmmod     mr,
 
   @{lib}/modprobe.d/ r,
   @{lib}/modprobe.d/*.conf r,

apparmor.d/abstractions/app/pager

@@ -12,7 +12,7 @@
   capability dac_override,
   capability dac_read_search,
 
-  signal (receive) set=(stop, cont, term, kill),
+  signal receive set=(stop, cont, term, kill),
 
   @{bin}/       r,
   @{pager_path} mrix,

apparmor.d/abstractions/app/sudo

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-# Minimal set of rules for sudo. Interactive sudo need more rules.
+# Minimal set of rules for sudo.
 
   abi <abi/4.0>,
 
@@ -24,8 +24,10 @@
 
   network netlink raw,   # PAM
 
-  #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
+  unix type=stream addr=@@{udbus}/bus/sudo/system,
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+
+  #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}"
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
 
   dbus (send receive) bus=session path=/org/freedesktop/systemd1
          interface=org.freedesktop.systemd.Manager

apparmor.d/abstractions/attached/base

@@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-  # Do not use it manually, it is automatically included in profiles when it is required.
+  # Do not use it manually, It automatically replaces the base abstraction in a
+  # profile with the attach_disconnected flag set and the re-attached path enabled.
 
   abi <abi/4.0>,
 

apparmor.d/abstractions/attached/consoles

@@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-  # Do not use it manually, it is automatically included in profiles when it is required.
+  # Do not use it manually, It automatically replaces the consoles abstraction in a
+  # profile with the attach_disconnected flag set and the re-attached path enabled.
 
   abi <abi/4.0>,
 

apparmor.d/abstractions/base.d/complete

@@ -3,14 +3,16 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+  # Systemd: allow to receive any signal from the systemd profiles stack
+  signal receive                           peer=@{p_systemd},
+  signal receive                           peer=@{p_systemd_user},
+
   # Allow to receive some signals from new well-known profiles
   signal (receive)                           peer=btop,
   signal (receive)                           peer=htop,
   signal (receive)                           peer=sudo,
   signal (receive)                           peer=top,
   signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
-  signal (receive) set=(cont,term)           peer=@{p_systemd_user},
-  signal (receive) set=(cont,term)           peer=@{p_systemd},
   signal (receive) set=(hup term)            peer=login,
   signal (receive) set=(hup)                 peer=xinit,
   signal (receive) set=(term,kill)           peer=gnome-shell,
@@ -18,7 +20,7 @@
   signal (receive) set=(term,kill)           peer=openbox,
   signal (receive) set=(term,kill)           peer=su,
 
-  ptrace (readby) peer=systemd-coredump,
+  ptrace (readby) peer=@{p_systemd_coredump},
 
   @{etc_rw}/localtime r,
   /etc/locale.conf r,

apparmor.d/abstractions/bus/net.hadess.PowerProfiles

@@ -4,7 +4,7 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon
+  #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}"
 
   include if exists <abstractions/bus/net.hadess.PowerProfiles.d>
 

apparmor.d/abstractions/bus/net.reactivated.Fprint

@@ -4,12 +4,12 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=net.reactivated.Fprint label=fprintd
+  #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}"
 
   dbus send bus=system path=/net/reactivated/Fprint/Manager
        interface=net.reactivated.Fprint.Manager
        member={GetDevices,GetDefaultDevice}
-       peer=(name="@{busname}", label=fprintd),
+       peer=(name="@{busname}", label="@{p_fprintd}"),
 
   dbus send bus=system path=/net/reactivated/Fprint/Manager
        interface=net.reactivated.Fprint.Manager
@@ -19,7 +19,7 @@
   dbus send bus=system path=/net/reactivated/Fprint/Manager
        interface=net.reactivated.Fprint.Manager
        member={GetDevices,GetDefaultDevice}
-       peer=(name=net.reactivated.Fprint, label=fprintd),
+       peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"),
 
   include if exists <abstractions/bus/net.reactivated.Fprint.d>
 

apparmor.d/abstractions/bus/org.a11y

@@ -9,27 +9,27 @@
   dbus receive bus=accessibility path=/org/a11y/atspi/registry
        interface=org.a11y.atspi.Registry
        member=EventListenerDeregistered
-       peer=(name="@{busname}", label=at-spi2-registryd),
+       peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
 
   dbus send bus=accessibility path=/org/a11y/atspi/registry
        interface=org.a11y.atspi.Registry
        member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
 
   dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
        interface=org.a11y.atspi.DeviceEventController
        member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
 
   dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
        interface=org.freedesktop.DBus.Properties
        member=Set
-       peer=(name="@{busname}", label=at-spi2-registryd),
+       peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
 
   dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
        interface=org.a11y.atspi.Socket
        member=Embed
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
 
   # Session bus
 

apparmor.d/abstractions/bus/org.bluez

@@ -4,37 +4,37 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.bluez label=bluetoothd
+  #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}"
 
   dbus receive bus=system path=/
        interface=org.freedesktop.DBus.ObjectManager
        member=InterfacesRemoved
-       peer=(name="{@{busname},org.bluez}", label=bluetoothd),
+       peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
 
   dbus send bus=system path=/
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
-       peer=(name="{@{busname},org.bluez}", label=bluetoothd),
+       peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
 
   dbus send bus=system path=/org/bluez
        interface=org.bluez.AgentManager@{int}
        member={RegisterAgent,RequestDefaultAgent,UnregisterAgent}
-       peer=(name=org.bluez, label=bluetoothd),
+       peer=(name=org.bluez, label="@{p_bluetoothd}"),
 
   dbus send bus=system path=/org/bluez
        interface=org.bluez.ProfileManager@{int}
        member=RegisterProfile
-       peer=(name=org.bluez, label=bluetoothd),
+       peer=(name=org.bluez, label="@{p_bluetoothd}"),
 
   dbus send bus=system path=/org/bluez/hci@{int}
        interface=org.bluez.BatteryProviderManager@{int}
        member=RegisterProfile
-       peer=(name=org.bluez, label=bluetoothd),
+       peer=(name=org.bluez, label="@{p_bluetoothd}"),
 
   dbus send bus=system path=/org/bluez/hci@{int}
        interface=org.bluez.Media@{int}
        member=RegisterApplication
-       peer=(name=org.bluez, label=bluetoothd),
+       peer=(name=org.bluez, label="@{p_bluetoothd}"),
 
   include if exists <abstractions/bus/org.bluez.d>
 

apparmor.d/abstractions/bus/org.freedesktop.Accounts

@@ -4,27 +4,27 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
 
   dbus send bus=system path=/org/freedesktop/Accounts
        interface=org.freedesktop.Accounts
        member={FindUserByName,ListCachedUsers}
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
 
   dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
        interface=org.freedesktop.Accounts.User
        member=*Changed
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
 
   dbus receive bus=system path=/org/freedesktop/Accounts
        interface=org.freedesktop.Accounts
        member=UserAdded
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
 
   dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
        interface=org.freedesktop.DBus.Properties
        member=*Changed
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
 
   include if exists <abstractions/bus/org.freedesktop.Accounts.d>
 

apparmor.d/abstractions/bus/org.freedesktop.Avahi

@@ -4,27 +4,27 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.Avahi label=avahi-daemon
+  #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}"
 
   dbus send bus=system path=/
        interface=org.freedesktop.DBus.Peer
        member=Ping
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi),
 
   dbus send bus=system path=/
        interface=org.freedesktop.Avahi.Server
        member={GetAPIVersion,GetState,Service*New}
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
 
   dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
        interface=org.freedesktop.Avahi.ServiceBrowser
        member=Free
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
 
   dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
        interface=org.freedesktop.Avahi.ServiceBrowser
        member={ItemNew,AllForNow,CacheExhausted}
-       peer=(name="@{busname}", label=avahi-daemon),
+       peer=(name="@{busname}", label="@{p_avahi_daemon}"),
 
   include if exists <abstractions/bus/org.freedesktop.Avahi.d>
 

apparmor.d/abstractions/bus/org.freedesktop.ColorManager

@@ -4,22 +4,22 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.ColorManager label=colord
+  #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
 
   dbus send bus=system path=/org/freedesktop/ColorManager
        interface=org.freedesktop.ColorManager
        member=GetDevices
-       peer=(name="@{busname}", label=colord),
+       peer=(name="@{busname}", label="@{p_colord}"),
 
   dbus send bus=system path=/org/freedesktop/ColorManager
        interface=org.freedesktop.ColorManager
        member=CreateDevice
-       peer=(name="@{busname}", label=colord),
+       peer=(name="@{busname}", label="@{p_colord}"),
 
   dbus receive bus=system path=/org/freedesktop/ColorManager
        interface=org.freedesktop.ColorManager
        member={DeviceAdded,DeviceRemoved}
-       peer=(name="@{busname}", label=colord),
+       peer=(name="@{busname}", label="@{p_colord}"),
 
   include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
 

apparmor.d/abstractions/bus/org.freedesktop.GeoClue2

@@ -4,26 +4,26 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue
+  #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
   dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged
-       peer=(name=org.freedesktop.DBus, label=geoclue),
+       peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"),
 
   dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
        interface=org.freedesktop.DBus.Properties
        member=GetAll
-       peer=(name="@{busname}", label=geoclue),
+       peer=(name="@{busname}", label="@{p_geoclue}"),
 
   dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
        interface=org.freedesktop.DBus.Properties
        member=GetAll
-       peer=(name="@{busname}", label=geoclue),
+       peer=(name="@{busname}", label="@{p_geoclue}"),
 
   dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
        interface=org.freedesktop.GeoClue2.Manager
        member=AddAgent
-       peer=(name="@{busname}", label=geoclue),
+       peer=(name="@{busname}", label="@{p_geoclue}"),
 
   include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
 

apparmor.d/abstractions/bus/org.freedesktop.ModemManager1

@@ -4,17 +4,17 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label=ModemManager
+  #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
 
   dbus send bus=system path=/org/freedesktop/ModemManager1
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
-       peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
+       peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"),
 
   dbus send bus=system path=/org/freedesktop/ModemManager1
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
-       peer=(name="@{busname}", label=ModemManager),
+       peer=(name="@{busname}", label="@{p_ModemManager}"),
 
   include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1

@@ -4,22 +4,22 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label=polkitd
+  #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
 
   dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
        member=Changed
-       peer=(name="@{busname}", label=polkitd),
+       peer=(name="@{busname}", label="@{p_polkitd}"),
 
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
        member=CheckAuthorization
-       peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
+       peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"),
 
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
        member=CheckAuthorization
-       peer=(name="@{busname}", label=polkitd),
+       peer=(name="@{busname}", label="@{p_polkitd}"),
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
        member=CheckAuthorization

apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1

@@ -6,7 +6,7 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon
+  #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}"
   dbus send bus=system path=/org/freedesktop/RealtimeKit1
        interface=org.freedesktop.DBus.Properties
        member=Get
@@ -15,12 +15,12 @@
   dbus send bus=system path=/org/freedesktop/RealtimeKit1
        interface=org.freedesktop.RealtimeKit1
        member={MakeThreadHighPriority,MakeThreadRealtime}
-       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon),
+       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
 
   dbus send bus=system path=/org/freedesktop/RealtimeKit1
        interface=org.freedesktop.RealtimeKit1
        member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}
-       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon),
+       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
 
   include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.UPower

@@ -4,22 +4,22 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.UPower label=upowerd
+  #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
 
   dbus send bus=system path=/org/freedesktop/UPower
        interface=org.freedesktop.UPower
        member=EnumerateDevices
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+       peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
 
   dbus send bus=system path=/org/freedesktop/UPower
        interface=org.freedesktop.DBus.Properties
        member=GetDisplayDevice
-       peer=(name=org.freedesktop.UPower, label=upowerd),
+       peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
 
   dbus receive bus=system path=/org/freedesktop/UPower
        interface=org.freedesktop.UPower
        member=DeviceAdded
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+       peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
 
   include if exists <abstractions/bus/org.freedesktop.UPower.d>
 

apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles

@@ -4,7 +4,7 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon
+  #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
 
   include if exists <abstractions/bus/org.freedesktop.UPower.PowerProfiles.d>
 

apparmor.d/abstractions/bus/org.freedesktop.hostname1

@@ -4,7 +4,7 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
+  #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
   dbus send bus=system path=/org/freedesktop/hostname1
        interface=org.freedesktop.DBus.Properties
        member=Get

apparmor.d/abstractions/bus/org.freedesktop.locale1

@@ -4,7 +4,7 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.locale1 label=systemd-localed
+  #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
   dbus send bus=system path=/org/freedesktop/locale1
        interface=org.freedesktop.DBus.Properties
        member=GetAll

apparmor.d/abstractions/bus/org.freedesktop.login1

@@ -4,22 +4,22 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
 
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
 
   dbus receive bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
 
   dbus send bus=system path=/org/freedesktop/login1/session/*
        interface=org.freedesktop.login1.Session
        member=PauseDeviceComplete
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
 
   include if exists <abstractions/bus/org.freedesktop.login1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.login1.Session

@@ -4,22 +4,22 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
 
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member=GetSession
-       peer=(name="@{busname}", label=systemd-logind),
+       peer=(name="@{busname}", label="@{p_systemd_logind}"),
 
   dbus send bus=system path=/org/freedesktop/login1/session/*
        interface=org.freedesktop.login1.Session
        member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
 
   dbus receive bus=system path=/org/freedesktop/login1/session/*
        interface=org.freedesktop.login1.Session
        member={PauseDevice,Unlock}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
 
   include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
 

apparmor.d/abstractions/bus/org.freedesktop.network1

@@ -4,7 +4,7 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.network1 label=systemd-networkd
+  #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
 
   include if exists <abstractions/bus/org.freedesktop.network1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.resolve1

@@ -4,12 +4,12 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.resolve1 label=systemd-resolved
+  #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
 
   dbus send bus=system path=/org/freedesktop/resolve1
        interface=org.freedesktop.resolve1.Manager
        member={SetLink*,ResolveHostname}
-       peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved),
+       peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"),
 
   include if exists <abstractions/bus/org.freedesktop.resolve1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.timedate1

@@ -4,7 +4,7 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.timedate1 label=systemd-timedated
+  #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}"
 
   include if exists <abstractions/bus/org.freedesktop.timedate1.d>
 

apparmor.d/abstractions/bus/org.gnome.ArchiveManager1

@@ -4,12 +4,12 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label=file-roller
+  #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}"
 
   dbus send bus=session path=/org/gnome/ArchiveManager1
        interface=org.gnome.ArchiveManager1
        member=GetSupportedTypes
-       peer=(name="@{busname}", label=file-roller),
+       peer=(name="@{busname}", label="@{p_file_roller}"),
 
   include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
 

apparmor.d/abstractions/bus/own-accessibility

@@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-# Do not use it manually, it is automatically included in a profile when it is required.
+# Do not use it manually, It is automatically included in a profile by the
+# `aa:dbus own` directive.
 
 # Allow owning a name on DBus public bus
 

apparmor.d/abstractions/bus/own-session

@@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-# Do not use it manually, it is automatically included in a profile when it is required.
+# Do not use it manually, It is automatically included in a profile by the
+# `aa:dbus own` directive.
 
 # Allow owning a name on DBus public bus
 

apparmor.d/abstractions/bus/own-system

@@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-# Do not use it manually, it is automatically included in a profile when it is required.
+# Do not use it manually, It is automatically included in a profile by the
+# `aa:dbus own` directive.
 
 # Allow owning a name on DBus public bus
 

apparmor.d/abstractions/mapping/login

@@ -25,7 +25,7 @@
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member=ReleaseSession
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
 
   @{etc_ro}/security/group.conf r,
   @{etc_ro}/security/limits.conf r,

apparmor.d/abstractions/mapping/sshd

@@ -28,7 +28,7 @@
   network inet6 stream,
   network netlink raw,
 
-  signal receive set=exists peer=systemd-journald,
+  signal receive set=exists peer=@{p_systemd_journald},
   signal receive set=hup peer=@{p_systemd},
 
   unix bind type=stream addr=@@{udbus}/bus/sshd/system,
@@ -36,7 +36,7 @@
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
 
   /etc/motd r,
   /etc/locale.conf r,

apparmor.d/abstractions/vulkan.d/complete

@@ -1,4 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
   /etc/glvnd/egl_vendor.d/{,*.json} r,

apparmor.d/abstractions/webkit

@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-# Minimal set of rules for webkit UI.
+# Minimal set of rules for webkit GTK UI.
 
   abi <abi/4.0>,
 

apparmor.d/abstractions/zsh

@@ -12,6 +12,7 @@
 
   /usr/local/share/zsh/{,**} r,
   /usr/share/oh-my-zsh/{,**} r,
+  /usr/share/zsh-theme-*/{,**} r,
   /usr/share/zsh/{,**} r,
 
   /etc/zsh/* r,

apparmor.d/groups/_full/bwrap

@@ -1,56 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Default profile for bwrap.
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/bwrap
-profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
-  include <abstractions/base>
-  include <abstractions/common/bwrap>
-  include <abstractions/common/app>
-  include <abstractions/dbus>
-  include <abstractions/fontconfig-cache-write>
-
-  capability dac_override,
-  capability dac_read_search,
-  capability sys_resource,
-
-  network inet dgram,
-  network inet6 dgram,
-  network inet stream,
-  network inet6 stream,
-
-  ptrace peer=bwrap//&bwrap-app,
-
-  signal peer=bwrap//&bwrap-app,
-  signal (receive) set=(kill),
-
-  @{bin}/**                         rm,
-  @{lib}/**                         rm,
-  /opt/*/**                         rm,
-  /usr/share/*/*                    rm,
-
-  @{bin}/**                         Px -> bwrap//&bwrap-app,
-  @{bin}/xdg-dbus-proxy             Px -> bwrap//&xdg-dbus-proxy,
-  # @{lib}/**                         Px -> bwrap//&bwrap-app,
-  /opt/*/**                         Px -> bwrap//&bwrap-app,
-  /usr/share/*/*                    Px -> bwrap//&bwrap-app,
-
-  /usr/.ref rk,
-
-  /bindfile@{rand6} rw,
-
-  owner /var/cache/ w,
-
-  owner @{run}/ld-so-cache-dir/* rw,
-
-  include if exists <usr/bwrap.d>
-  include if exists <local/bwrap>
-}
-
-# vim:syntax=apparmor

apparmor.d/groups/_full/bwrap-app

@@ -1,36 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Default profile for user sandboxed application
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
-  include <abstractions/base>
-  include <abstractions/common/app>
-
-  network inet dgram,
-  network inet6 dgram,
-  network inet stream,
-  network inet6 stream,
-  network netlink raw,
-
-  ptrace peer=bwrap//&bwrap-app,
-
-  signal peer=bwrap//&bwrap-app,
-
-  @{bin}/**                       rmix,
-  @{lib}/**                       rmix,
-  /opt/*/**                       rmix,
-  /usr/share/*/*                  rmix,
-
-  owner /var/cache/ w,
-
-  include if exists <usr/bwrap-app.d>
-  include if exists <local/bwrap-app>
-}
-
-# vim:syntax=apparmor

apparmor.d/groups/_full/default

@@ -1,122 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Default profile for unconfined programs
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = /**
-profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
-  include <abstractions/base>
-  include <abstractions/audio-client>
-  include <abstractions/consoles>
-  include <abstractions/dbus-session>
-  include <abstractions/dconf-write>
-  include <abstractions/desktop>
-  include <abstractions/devices-usb>
-  include <abstractions/graphics>
-  include <abstractions/nameservice-strict>
-  include <abstractions/p11-kit>
-  include <abstractions/shells>
-  include <abstractions/ssl_certs>
-  include <abstractions/video>
-
-  capability dac_override,
-  capability dac_read_search,
-
-  network inet dgram,
-  network inet6 dgram,
-  network inet stream,
-  network inet6 stream,
-  network netlink dgram,
-  network netlink raw,
-
-  signal receive set=hup,
-
-  @{bin}/bwrap           rPx -> bwrap,
-  @{bin}/pipewire-pulse  rPx -> systemd//&pipewire-pulse,
-  @{bin}/pulseaudio      rPx -> systemd//&pulseaudio,
-  @{bin}/su              rPx -> default-sudo,
-  @{bin}/sudo            rPx -> default-sudo,
-  @{bin}/systemctl       rix,
-  @{coreutils_path}      rix,
-  @{shells_path}         rix,
-
-  @{pager_path}          rPx -> child-pager,
-
-#   @{open_path}           rPx -> child-open,
-
-  audit @{bin}/**        Pix,
-  audit @{lib}/**        Pix,
-  audit /opt/*/**        Pix,
-  audit /usr/share/*/*   Pix,
-
-  @{bin}/{,**} r,
-  @{lib}/{,**} r,
-  /usr/share/** r,
-
-  /etc/xdg/** r,
-
-  # Full access to user's data
-  / r,
-  /*/ r,
-  @{MOUNTDIRS}/ r,
-  @{MOUNTS}/ r,
-  @{MOUNTS}/** rwl,
-  owner @{HOME}/{,**} rwlk,
-  owner @{run}/user/@{uid}/{,**} rw,
-  owner @{tmp}/{,**} rwk,
-  owner @{run}/user/@{uid}/{,**} rwlk,
-
-  @{run}/motd.dynamic.new rw,
-
-  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
-
-  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
-
-  @{sys}/ r,
-  @{sys}/bus/ r,
-  @{sys}/bus/pci/devices/ r,
-  @{sys}/class/ r,
-  @{sys}/class/drm/ r,
-  @{sys}/class/hidraw/ r,
-  @{sys}/class/input/ r,
-  @{sys}/class/power_supply/ r,
-  @{sys}/devices/**/input@{int}/ r,
-  @{sys}/devices/**/input@{int}/capabilities/* r,
-  @{sys}/devices/**/input/input@{int}/ r,
-  @{sys}/devices/**/uevent r,
-  @{sys}/devices/virtual/dmi/id/chassis_type r,
-  @{sys}/firmware/acpi/pm_profile r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
-
-        @{PROC}/cmdline r,
-        @{PROC}/sys/kernel/seccomp/actions_avail r,
-        @{PROC}/zoneinfo r,
-  owner @{PROC}/@{pid}/cgroup r,
-  owner @{PROC}/@{pid}/gid_map w,
-  owner @{PROC}/@{pid}/limits r,
-  owner @{PROC}/@{pid}/loginuid r,
-  owner @{PROC}/@{pid}/mem r,
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-  owner @{PROC}/@{pids}/cmdline r,
-  owner @{PROC}/@{pids}/environ r,
-  owner @{PROC}/@{pids}/task/ r,
-
-        /dev/ r,
-        /dev/ptmx rwk,
-        /dev/tty rwk,
-  owner /dev/tty@{int} rw,
-
-  include if exists <usr/default.d>
-  include if exists <local/default>
-}
-
-# vim:syntax=apparmor

apparmor.d/groups/_full/default-sudo

@@ -1,42 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-profile default-sudo {
-  include <abstractions/base>
-  include <abstractions/app/sudo>
-
-  capability chown,
-  capability mknod,
-  capability sys_ptrace,
-
-  network inet dgram,
-  network inet6 dgram,
-
-  ptrace (read),
-
-  @{bin}/su       mr,
-
-  @{bin}/**       Px,
-  @{lib}/**       Px,
-  /opt/*/**       Px,
-
-        /var/db/sudo/lectured/ r,
-        /var/lib/extrausers/shadow r,
-        /var/lib/sudo/lectured/ r,
-  owner /var/db/sudo/lectured/@{uid} rw,
-  owner /var/lib/sudo/lectured/* rw,
-
-  owner @{HOME}/.sudo_as_admin_successful rw,
-
-  @{run}/ r,
-  @{run}/systemd/sessions/* r,
-
-  include if exists <local/default-sudo>
-}
-
-# vim:syntax=apparmor

apparmor.d/groups/_full/sd

@@ -0,0 +1,265 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd (as PID 1) profile.
+
+# sd is a profile for SystemD-executor run as root, it is used to run all services
+# files and to encapsulate stacked services profiles (hence the short name).
+# It aims at reducing the size of the systemd profile.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sd.d directory
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/systemd-executor
+profile sd flags=(attach_disconnected,mediate_deleted,complain) {
+  include <abstractions/base>
+  include <abstractions/authentication>
+  include <abstractions/bus-system>
+  include <abstractions/consoles>
+  include <abstractions/devices-usb>
+  include <abstractions/disks-write>
+  include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>
+
+  userns,
+
+  capability audit_control,
+  capability audit_write,
+  capability bpf,
+  capability chown,
+  capability dac_override,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability kill,
+  capability linux_immutable,
+  capability mknod,
+  capability net_admin,
+  capability net_bind_service,
+  capability net_raw,
+  capability perfmon,
+  capability setfcap,
+  capability setgid,
+  capability setpcap,
+  capability setuid,
+  capability sys_admin,
+  capability sys_nice,
+  capability sys_ptrace,
+  capability sys_rawio,
+  capability sys_resource,
+  capability sys_time,
+  capability sys_tty_config,
+  capability syslog,
+
+  network alg seqpacket,
+  network bluetooth,
+  network inet dgram,
+  network inet stream,
+  network inet6 dgram,
+  network inet6 raw,
+  network inet6 stream,
+  network netlink raw,
+  network packet dgram,
+  network packet raw,
+  network qipcrtr dgram,
+
+  mount                                                                         -> @{run}/systemd/mount-rootfs/{,**},
+  mount                                                                         -> @{run}/systemd/namespace-@{rand6}/{,**},
+  mount              options=(rw move)                                /dev/shm/ -> @{run}/credentials/*/,
+  mount              options=(rw rshared)                                       -> /,
+  mount              options=(rw rslave)                                        -> /,
+  mount              options=(rw rslave)                                        -> /dev/,
+  mount              options=(rw slave)                                         -> @{run}/systemd/incoming/,
+  mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow)         tmpfs -> /dev/shm/,
+  mount fstype=tmpfs options=(rw nodev strictatime)                       tmpfs -> @{run}/systemd/unit-private-tmp/,
+
+  remount /dev/shm/,
+  remount @{run}/systemd/mount-rootfs/{,**},
+
+  umount /,
+  umount /dev/shm/,
+  umount @{run}/systemd/mount-rootfs/{,**},
+
+  # mount tmpfs -> @{run}/lock/,
+  # mount tmpfs -> @{sys}/fs/cgroup/,
+  # mount cgroup -> @{sys}/fs/cgroup/systemd/,
+  # audit mount                                                             /dev/** -> /boot/{,efi/},
+  # audit mount options=(rw bind)                                           /dev/** -> /tmp/namespace-dev-@{rand6}/**,
+  # audit mount options=(rw rbind)                                                  -> @{run}/systemd/unit-root/{,**},
+
+  # audit remount                                        @{run}/systemd/unit-root/{,**},
+  # audit remount options=(ro noexec noatime bind)       /var/snap/{,**},
+  # audit remount options=(ro nosuid nodev bind)         /var/,
+  # audit remount options=(ro nosuid nodev noexec bind)  /boot/,
+
+  # audit umount @{PROC}/sys/fs/binfmt_misc/,
+  # audit umount @{run}/systemd/namespace-@{rand6}/{,**},
+  # audit umount @{run}/systemd/unit-root/{,**},
+
+  pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
+
+  change_profile,
+
+  mqueue (read getattr) type=posix /,
+
+  signal         peer=sd//&*,
+  signal receive peer=@{p_systemd},
+  signal send,
+
+  ptrace read,
+
+  unix type=dgram peer=(label=@{p_systemd}),
+  unix type=dgram peer=(label=systemd-timesyncd),
+  unix type=stream,
+
+  dbus bus=system,
+
+  @{exec_path} mr,
+
+  @{bin}/**                                       mPx,
+  @{sbin}/**                                      mPx,
+  @{lib}/**                                        Px,
+  /etc/cron.*/*                                    Px,
+  /etc/init.d/*                                    Px,
+  /etc/update-motd.d/*                             Px,
+  /usr/share/*/**                                  Px,
+
+  # Systemd user: systemd --user
+  @{lib}/systemd/systemd                           px -> systemd-user,
+
+  # Mount operations from services and systemd
+  @{bin}/mount                                     Px -> sd-mount,
+  @{bin}/umount                                    Px -> sd-umount,
+
+  # Unit services using systemctl
+  @{bin}/systemctl                                 Cx -> systemctl,
+
+  # Unit services
+  @{bin}/kill                                      Cx -> kill,
+
+  # Used by very basic services, ideally should be replaced by a unit profiles
+  @{sh_path}                                       ix,
+  @{bin}/false                                     ix,
+  @{bin}/true                                      ix,
+
+  # Required due to stacked profiles
+  @{sbin}/grpck                                    ix,
+  @{bin}/gzip                                      ix,
+  @{bin}/install                                   ix,
+  @{sbin}/pwck                                     ix,
+  @{bin}/readlink                                  ix,
+  @{lib}/colord-sane                               ix,
+  @{lib}/systemd/systemd-nsresourcework            ix,
+  @{lib}/systemd/systemd-userwork                  ix,
+
+  / r,
+  @{att}/ r,
+  @{bin}/{,**} r,
+  @{lib}/{,**} r,
+  @{sbin}/{,*} r,
+  /usr/share/** r,
+  /etc/** rk,
+  /home/ r,
+
+  @{efi}/ r,
+  @{efi}/** rw,
+
+  @{att}/var/lib/systemd/*/ r,
+
+  /var/cache/*/ rw,
+  /var/cache/*/** rwk,
+  /var/lib/*/ rw,
+  /var/lib/*/** rwk,
+  /var/lib/systemd/*/ r,
+  /var/log/** rw,
+  /var/log/journal/** rwl -> /var/log/journal/**,
+
+  @{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
+  @{user_share_dirs}/icc/edid-@{hex32}.icc r,
+
+  @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
+  @{att}/@{run}/systemd/notify rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
+
+        @{run}/ rw,
+        @{run}/* rw,
+        @{run}/*/ rw,
+        @{run}/*/* rw,
+        @{run}/systemd/{,**} rw,
+  owner @{run}/*/** rw,
+
+  @{run}/udev/**/ r,
+  @{run}/udev/data/* r,
+
+  @{sys}/** r,
+  @{sys}/fs/bpf/systemd/{,**} w,
+  @{sys}/firmware/efi/efivars/** w,
+  @{sys}/fs/cgroup/{,**} w,
+
+  @{PROC}/@{pid}/attr/apparmor/exec w,
+  @{PROC}/@{pid}/attr/current r,
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/@{pid}/cmdline r,
+  @{PROC}/@{pid}/comm r,
+  @{PROC}/@{pid}/environ r,
+  @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/fdinfo/@{int} r,
+  @{PROC}/@{pid}/gid_map w,
+  @{PROC}/@{pid}/limits r,
+  @{PROC}/@{pid}/loginuid rw,
+  @{PROC}/@{pid}/mountinfo r,
+  @{PROC}/@{pid}/oom_score_adj rw,
+  @{PROC}/@{pid}/sessionid r,
+  @{PROC}/@{pid}/setgroups r,
+  @{PROC}/@{pid}/setgroups w,
+  @{PROC}/@{pid}/stat r,
+  @{PROC}/@{pid}/uid_map r,
+  @{PROC}/@{pid}/uid_map w,
+  @{PROC}/cmdline r,
+  @{PROC}/interrupts r,
+  @{PROC}/irq/@{int}/node r,
+  @{PROC}/irq/@{int}/smp_affinity r,
+  @{PROC}/kmsg r,
+  @{PROC}/modules r,
+  @{PROC}/pressure/* r,
+  @{PROC}/swaps r,
+  @{PROC}/sys/** r,
+  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
+  @{PROC}/sys/net/ipv{4,6}/** rw,
+  @{PROC}/sysvipc/* r,
+  @{PROC}/version_signature r,
+
+  /dev/** rwk,
+
+  profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    include if exists <usr/sd_systemctl.d>
+    include if exists <local/sd_systemctl>
+  }
+
+  profile kill flags=(attach_disconnected,mediate_deleted,complain) {
+    include <abstractions/base>
+
+    signal send,
+
+    @{bin}/kill mr,
+
+    include if exists <local/sd_kill>
+  }
+
+  include if exists <usr/sd.d>
+  include if exists <local/sd>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/_full/sd-mount

@@ -0,0 +1,71 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd (as PID 1) profile.
+
+# sd-mount is a subprofile of sd responsible to handle mounting operation.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sd-mount.d directory
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/mount
+profile sd-mount flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/disks-write>
+
+  capability dac_read_search,
+  capability sys_admin,
+
+  mount                                                                         -> @{efi}/,
+  mount                                                                         -> @{HOME}/{,**},
+  mount                                                                         -> @{HOMEDIRS}/,
+  mount                                                                         -> @{MOUNTDIRS}/,
+  mount                                                                         -> @{MOUNTS}/{,**},
+  mount fstype=binfmt_misc options=(rw nodev noexec nosuid)         binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
+  mount fstype=configfs    options=(rw nodev noexec nosuid)            configfs -> @{sys}/kernel/config/,
+  mount fstype=debugfs     options=(rw nodev noexec nosuid)             debugfs -> @{sys}/kernel/debug/,
+  mount fstype=fusectl     options=(rw nodev noexec nosuid)             fusectl -> @{sys}/fs/fuse/connections/,
+  mount fstype=hugetlbfs   options=(rw nosuid nodev)                  hugetlbfs -> /dev/hugepages/,
+  mount fstype=mqueue      options=(rw nodev noexec nosuid)                     -> /dev/mqueue/,
+  mount fstype=squashfs    options=(ro nodev)                   /dev/loop@{int} -> /snap/*/@{int}/,
+  mount fstype=tmpfs       options=(rw nodev noexec nosuid)               tmpfs -> @{run}/lock/,
+  mount fstype=tmpfs       options=(rw nodev nosuid strictatime)          tmpfs -> /tmp/,
+  mount fstype=tracefs     options=(rw nodev noexec nosuid)             tracefs -> @{sys}/kernel/tracing/,
+
+  mount options=(rw move)                                                       -> @{efi},
+  mount options=(rw move)                                                       -> @{HOME}/{,**},
+  mount options=(rw move)                                                       -> @{HOMEDIRS}/,
+  mount options=(rw move)                                                       -> @{MOUNTDIRS}/,
+  mount options=(rw move)                                                       -> @{MOUNTS}/{,**},
+  mount options=(rw move)                                                       -> @{sys}/fs/fuse/connections/,
+  mount options=(rw move)                                                       -> @{sys}/kernel/config/,
+  mount options=(rw move)                                                       -> @{sys}/kernel/debug/,
+  mount options=(rw move)                                                       -> @{sys}/kernel/tracing/,
+  mount options=(rw move)                                                       -> /dev/hugepages/,
+  mount options=(rw move)                                                       -> /dev/mqueue/,
+  mount options=(rw move)                                                       -> /tmp/,
+
+  @{exec_path} mr,
+
+  /var/lib/snapd/snaps/*.snap r,
+
+        @{run}/ r,
+  owner @{run}/mount/ rw,
+  owner @{run}/mount/utab{,.*} rwk,
+
+  @{PROC}/@{pid}/mountinfo r,
+
+  /dev/loop-control rw,
+
+  include if exists <usr/sd-mount.d>
+  include if exists <local/sd-mount>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/_full/sdu

@@ -0,0 +1,124 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Part of the systemd-user profile.
+
+# sdu is a profile for SystemD-executor run as User, it is used to run all services
+# files and to encapsulate stacked services profiles (hence the short name).
+# It aims at reducing the size of the systemd-user profile.
+
+# Only use this profile with a fully configured system. Otherwise it **WILL**
+# break your computer. See https://apparmor.pujol.io/full-system-policy/.
+
+# Distributions and other programs can add rules in the usr/sdu.d directory
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/systemd-executor
+profile sdu flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+  include <abstractions/audio-server>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/nameservice-strict>
+
+  network netlink raw,
+
+  change_profile,
+
+  ptrace read,
+
+  unix type=dgram peer=(label=@{p_systemd_user}),
+
+  dbus bus=session,
+
+  @{exec_path} mr,
+
+  @{bin}/**                                       mPx,
+  @{sbin}/**                                      mPx,
+  @{lib}/**                                        Px,
+  /etc/cron.*/*                                    Px,
+  /opt/*/**                                        Px,
+  /usr/share/*/**                                  Px,
+
+  # Unit services using systemctl
+  @{bin}/systemctl                                 Cx -> systemctl,
+
+  # Shell based user unit services
+  @{sh_path}                                       Cx -> shell,
+
+  # Dbus needs to be started without environment scrubbing
+  @{bin}/dbus-broker                               px -> dbus-session,
+  @{bin}/dbus-broker-launch                        px -> dbus-session,
+  @{bin}/dbus-daemon                               px -> dbus-session,
+  @{lib}/dbus-1.0/dbus-daemon-launch-helper        px -> dbus-session,
+
+  / r,
+  @{bin}/* r,
+  @{sbin}/* r,
+  /usr/share/** r,
+
+  owner @{desktop_local_dirs}/ w,
+  owner @{desktop_local_dirs}/state/ w,
+  owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,
+
+  owner @{run}/user/@{uid}/pipewire-@{int} rw,
+  owner @{run}/user/@{uid}/pipewire-@{int}-manager rw,
+  owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
+  owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
+  owner @{run}/user/@{uid}/pulse/pid rw,
+
+  owner @{user_state_dirs}/wireplumber/ r,
+  owner @{user_state_dirs}/wireplumber/stream-properties rw,
+  owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw,
+
+  @{run}/systemd/users/@{uid} r,
+  @{run}/systemd/users/@{int} r,
+
+  @{run}/udev/data/c116:@{int} r,         # for ALSA
+
+  @{sys}/bus/ r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/devices/virtual/sound/seq/uevent r,
+  @{sys}/devices/virtual/sound/timer/uevent r,
+
+        @{sys}/module/apparmor/parameters/enabled r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
+
+        @{PROC}/pressure/* r,
+        @{PROC}/sys/fs/nr_open r,
+  owner @{PROC}/@{pid}/attr/apparmor/exec w,
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/oom_score_adj rw,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+  profile shell flags=(attach_disconnected,mediate_deleted,complain) {
+    include <abstractions/base>
+
+    @{sh_path}         mr,
+    @{bin}/systemctl   Px -> sdu//systemctl,
+
+    include if exists <local/sdu_shell>
+  }
+
+  profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    audit capability net_admin,
+
+    owner @{run}/user/@{uid}/systemd/private rw,
+
+    include if exists <usr/sdu_systemctl.d>
+    include if exists <local/sdu_systemctl>
+  }
+
+  include if exists <usr/sdu.d>
+  include if exists <local/sdu>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/_full/systemd

@@ -11,24 +11,47 @@
 
 # Distributions and other programs can add rules in the usr/systemd.d directory
 
-# TODO: rework this to get a controlled environment: (cf security model)
+# Overall architecture of the systemd profiles:
+# systemd                                # PID 1, entrypoint, requires "Early policy"
+# ├── systemd                            # To restart itself
+# ├── systemd-generators-*               # Systemd system and environment generators
+# └── sd                                 # Internal service starter and config handler, handles all services
+#     ├── Px or px,                      # Any service with profile
+#     ├── Px ->                          # Any service without profile defined in the unit file (see systemd/full/systemd)
+#     ├── &*                             # Stacked service as defined in the unit file (see systemd/full/systemd)
+#     ├── sd-mount                       # Handles all mounts from services
+#     ├── sd//systemctl                  # Internal system systemctl
+#     └── systemd-user                   # Profile for 'systemd --user'
+#         ├── systemd-user               # To restart itself
+#         ├── systemd-user-generators-*  # Systemd user and environment generators
+#         └── sdu                        # Handles all user services
+#             ├── Px or px,              # Any user service with profile
+#             ├── Px ->                  # Any user service without profile defined in the unit file (see systemd/full/systemd)
+#             ├── &*                     # Stacked user service as defined in the unit file (see systemd/full/systemd)
+#             └── sdu//systemctl         # Internal user systemctl
+
+# Advantages:
+# - Differentiate systemd (PID 1) and `system --user`
+# - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles.
+# - Allow the executor profiles to handled stacked profiles.
+# - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`.
+# - Dedicated `sd-mount` profile for most mount from the unit services.
+
+
+# TODO: rework this to get a controlled environment:
 # - No global allow anymore: in high security environments, we must manage the list
 #   of program/service that can be started by systemd and ensure that they are all
 #   listed and confined. Programs not listed will not be able to start.
 # - Outside common systemd service, the list may have to be automatically
 #   generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec`
-# - Stop disabling nnp flags in systemd dropin files.
-# - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo)
-#   need they own profile, profile name configured as a dropin unit file.
-# - When this is done: the fallback profile as root will not be needed.
 
 abi <abi/4.0>,
 
 include <tunables/global>
 
+@{exec_path} = @{lib}/systemd/systemd
 profile systemd flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
-  include <abstractions/authentication>
   include <abstractions/bus-system>
   include <abstractions/disks-read>
   include <abstractions/nameservice-strict>
@@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   capability dac_read_search,
   capability fowner,
   capability fsetid,
-  capability mknod,
+  capability kill,
   capability net_admin,
+  capability net_bind_service,
   capability perfmon,
-  capability setfcap,
-  capability setgid,
   capability setpcap,
-  capability setuid,
   capability sys_admin,
-  capability sys_chroot,
+  capability sys_boot,
-  capability sys_nice,
   capability sys_ptrace,
   capability sys_resource,
   capability sys_tty_config,
@@ -62,164 +82,82 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   network inet6 dgram,
   network inet6 stream,
   network netlink raw,
+  network vsock stream,
 
   mount fstype=autofs                                                 systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
-  mount fstype=autofs                                                 systemd-1 -> /efi/,
+  mount fstype=autofs                                                 systemd-1 -> @{efi}/,
-  mount fstype=binfmt_misc options=(rw nodev noexec nosuid)         binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
-  mount fstype=configfs    options=(rw nodev noexec nosuid)            configfs -> @{sys}/kernel/config/,
-  mount fstype=debugfs     options=(rw nodev noexec nosuid)             debugfs -> @{sys}/kernel/debug/,
-  mount fstype=fusectl     options=(rw nodev noexec nosuid)             fusectl -> @{sys}/fs/fuse/connections/,
-  mount fstype=hugetlbfs   options=(rw nosuid nodev)                  hugetlbfs -> /dev/hugepages/,
-  mount fstype=mqueue      options=(rw nodev noexec nosuid)                     -> /dev/mqueue/,
-  mount fstype=proc        options=(rw nosuid nodev noexec)                proc -> @{run}/systemd/namespace-@{rand6}/,
-  mount fstype=sysfs       options=(rw nosuid nodev noexec)               sysfs -> @{run}/systemd/namespace-@{rand6}/,
-  mount fstype=tmpfs                                                      tmpfs -> /dev/shm/,
   mount fstype=tmpfs                                                      tmpfs -> /tmp/,
-  mount fstype=tmpfs       options=(rw nosuid nodev noexec strictatime)   tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
-  mount fstype=tmpfs       options=(rw nosuid nodev noexec)               tmpfs -> /dev/shm/,
-  mount fstype=tmpfs       options=(rw nosuid noexec strictatime)         tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
-  mount fstype=tracefs     options=(rw nodev noexec nosuid)             tracefs -> @{sys}/kernel/tracing/,
 
-  mount                                                             /dev/** -> /boot/{,efi/},
-  mount options=(rw bind)                                           /dev/** -> /tmp/namespace-dev-@{rand6}/**,
-  mount options=(rw bind)                                           /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
-  mount options=(rw bind)                       @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
-  mount options=(rw move)                                                   -> @{sys}/fs/fuse/connections/,
-  mount options=(rw move)                                                   -> @{sys}/kernel/config/,
-  mount options=(rw move)                                                   -> @{sys}/kernel/debug/,
-  mount options=(rw move)                                                   -> @{sys}/kernel/tracing/,
-  mount options=(rw move)                                                   -> /dev/hugepages/,
-  mount options=(rw move)                                                   -> /dev/mqueue/,
-  mount options=(rw move)                                                   -> /efi/,
-  mount options=(rw move)                                                   -> /tmp/,
-  mount options=(rw move)           @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**},
-  mount options=(rw rbind)                                                  -> @{run}/systemd/mount-rootfs/{,**},
-  mount options=(rw rbind)                                                  -> @{run}/systemd/unit-root/{,**},
-  mount options=(rw rshared)                                                -> /,
   mount options=(rw rslave)                                                 -> /,
-  mount options=(rw rslave)                                                 -> /dev/,
-  mount options=(rw slave)                                                  -> @{run}/systemd/incoming/,
 
   remount                                        @{HOME}/{,**},
   remount                                        @{HOMEDIRS}/,
   remount                                        @{MOUNTDIRS}/,
   remount                                        @{MOUNTS}/{,**},
-  remount                                        @{run}/systemd/mount-rootfs/{,**},
-  remount                                        @{run}/systemd/unit-root/{,**},
-  remount                                        /,
   remount                                        /snap/{,**},
-  remount options=(ro bind)                      /boot/{,efi/},
+  remount options=(ro bind nodev noexec nosuid)  /dev/mqueue/,
-  remount options=(ro noexec noatime bind)       /var/snap/{,**},
+  remount options=(ro bind nodev nosuid)         /dev/hugepages/,
-  remount options=(ro nosuid bind)               /dev/,
+  remount options=(ro bind noexec nosuid)        /dev/pts/,
-  remount options=(ro nosuid nodev bind)         /dev/hugepages/,
+  remount options=(ro bind nosuid)               /dev/,
-  remount options=(ro nosuid nodev bind)         /var/,
+  remount options=(ro bind)                      @{efi}/,
-  remount options=(ro nosuid nodev noexec bind)  /boot/,
+  remount options=(ro bind)                      /,
-  remount options=(ro nosuid nodev noexec bind)  /dev/mqueue/,
-  remount options=(ro nosuid nodev noexec bind)  /efi/,
-  remount options=(ro nosuid noexec bind)        /dev/pts/,
 
-  umount /,
-  umount /dev/shm/,
   umount @{PROC}/sys/fs/binfmt_misc/,
-  umount @{run}/systemd/mount-rootfs/{,**},
+  umount @{run}/credentials/*/,
-  umount @{run}/systemd/namespace-@{rand6}/{,**},
-  umount @{run}/systemd/unit-root/{,**},
-
-  pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
-  pivot_root oldroot=@{run}/systemd/unit-root/    @{run}/systemd/unit-root/,
 
   mqueue (read getattr) type=posix /,
 
-  change_profile,
-
-  signal receive set=(rtmin+23) peer=plymouthd,
-  signal receive set=(term hup cont),
   signal send,
 
   ptrace (read, readby),
 
-  unix send type=dgram,
+  unix type=dgram,
-
+  unix type=stream,
-  unix receive type=dgram peer=(label=systemd-timesyncd),
-  unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd),
 
   #aa:dbus own bus=system name=org.freedesktop.systemd1
 
-  # For stacked profiles
+  @{exec_path} mrix,
-  #aa:dbus own bus=system name=org.freedesktop.network1
+  @{sh_path} mr,
-  #aa:dbus own bus=system name=org.freedesktop.oom1
-  #aa:dbus own bus=system name=org.freedesktop.resolve1
-  #aa:dbus own bus=system name=org.freedesktop.timesync1
 
-  @{bin}/**                         Px,
+  # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.)
-  @{sbin}/**                        Px,
+  @{lib}/systemd/systemd-executor                 mPx -> sd,
-  @{lib}/**                         Px,
-  /etc/cron.*/*                     Px,
-  /etc/init.d/*                     Px,
-  /etc/update-motd.d/*              Px,
-  /usr/share/*/**                   Px,
 
-  # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
+  # Systemd system generators. Profiles must exist
-  @{lib}/systemd/systemd-executor   ix,
+  @{lib}/netplan/generate                         mPx,
-
+  @{lib}/systemd/system-environment-generators/*  mPx,
-  # Systemd user: systemd --user
+  @{lib}/systemd/system-generators/*              mPx,
-  @{lib}/systemd/systemd            px -> systemd-user,
-
-  # Unit services using systemctl
-  @{bin}/systemctl                  Cx -> systemctl,
-
-  # Unit services
-  @{bin}/mount                      ix,
-  @{bin}/kill                       ix,
-
-  # Shell based systemd unit services
-  # TODO: create unit profile for all of them
-  @{sbin}/ldconfig                  Px -> systemd-service,
-  @{bin}/mandb                      Px -> systemd-service,
-  @{bin}/savelog                    Px -> systemd-service,
-  @{coreutils_path}                 Px -> systemd-service,
-  @{sh_path}                        Px -> systemd-service,
-
-  # Systemd profiles that need be stacked
-  #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd
-  @{lib}/systemd/systemd-networkd   px -> systemd//&systemd-networkd,
-  @{lib}/systemd/systemd-oomd       px -> systemd//&systemd-oomd,
-  @{lib}/systemd/systemd-resolved   px -> systemd//&systemd-resolved,
-  @{lib}/systemd/systemd-timesyncd  px -> systemd//&systemd-timesyncd,
-
-  @{lib}/ r,
-  / r,
-  /*/ r,
-  /boot/efi/ r,
-  /snap/*/@{int}/ r,
-  /var/cache/*/ r,
-  /var/lib/*/ r,
-  /var/tmp/ r,
 
   @{etc_ro}/environment r,
   @{etc_ro}/environment.d/{,**} r,
-  /etc/acpi/events/{,**} r,
   /etc/binfmt.d/{,**} r,
   /etc/conf.d/{,**} r,
-  /etc/credstore.encrypted/{,**} r,
-  /etc/credstore/{,**} r,
   /etc/default/{,**} r,
-  /etc/machine-id r,
   /etc/modules-load.d/{,**} r,
   /etc/networkd-dispatcher/{,**} r,
   /etc/systemd/{,**} r,
+  /etc/systemd/system/** w,
   /etc/udev/hwdb.d/{,**} r,
-  /etc/systemd/system/multi-user.target.wants/{,*} w,
 
-        /var/log/dmesg rw,
+  #aa:only pacman
-        /var/lib/systemd/{,**} rw,
+  # It is unclear why this is needed here and not in sd
+  /etc/pacman.d/gnupg/S.dirmngr w,
+  /etc/pacman.d/gnupg/S.gpg-agent w,
+  /etc/pacman.d/gnupg/S.gpg-agent.browser w,
+  /etc/pacman.d/gnupg/S.gpg-agent.extra w,
+  /etc/pacman.d/gnupg/S.gpg-agent.ssh w,
+  /etc/pacman.d/gnupg/S.keyboxd w,
+
+  @{efi}/ r,
+  /snap/*/@{int}/ r,
+
+        /tmp/ r,
+        /var/tmp/ r,
+  owner /tmp/systemd-private-*/{,**} rw,
   owner /var/tmp/systemd-private-*/{,**} rw,
 
-  /tmp/namespace-dev-@{rand6}/{,**} rw,
-  /tmp/systemd-private-*/{,**} rw,
-
-  @{att}/@{run}/systemd/journal/socket r,
   @{att}/@{run}/systemd/journal/dev-log r,
+  @{att}/@{run}/systemd/journal/socket r,
+  @{att}/@{run}/systemd/notify r,
 
   @{run}/ rw,
   @{run}/* rw,
@@ -228,10 +166,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{run}/credentials/{,**} rw,
   @{run}/systemd/{,**} rw,
 
-  @{run}/udev/data/+bluetooth:* r,
-  @{run}/udev/data/+backlight:* r,
-  @{run}/udev/data/+leds:*backlight* r,
-
   @{run}/udev/data/+module:configfs r,
   @{run}/udev/data/+module:fuse r,
   @{run}/udev/data/c4:@{int} r,           # For TTY devices
@@ -242,37 +176,28 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{run}/udev/data/n@{int} r,
   @{run}/udev/tags/systemd/ r,
 
+  @{sys}/**/uevent r,
   @{sys}/bus/ r,
   @{sys}/class/ r,
   @{sys}/class/power_supply/ r,
-  @{sys}/class/sound/ r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
-  @{sys}/devices/@{pci}/** r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
-  @{sys}/devices/**/net/** r,
-  @{sys}/devices/**/uevent r,
-  @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/product_version r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/tty/console/active r,
   @{sys}/fs/cgroup/{,**} rw,
   @{sys}/fs/fuse/connections/ r,
   @{sys}/fs/pstore/ r,
   @{sys}/kernel/**/ r,
-  @{sys}/module/**/uevent r,
   @{sys}/module/apparmor/parameters/enabled r,
+  @{sys}/module/vt/parameters/default_utf8 r,
 
         @{PROC}/@{pid}/cgroup r,
         @{PROC}/@{pid}/cmdline r,
         @{PROC}/@{pid}/comm r,
-        @{PROC}/@{pid}/coredump_filter r,
-        @{PROC}/@{pid}/environ r,
         @{PROC}/@{pid}/fd/ r,
-        @{PROC}/@{pid}/fdinfo/@{int} r,
-        @{PROC}/@{pid}/gid_map rw,
-        @{PROC}/@{pid}/loginuid rw,
-        @{PROC}/@{pid}/mountinfo r,
-        @{PROC}/@{pid}/setgroups rw,
         @{PROC}/@{pid}/stat r,
-        @{PROC}/@{pid}/uid_map rw,
         @{PROC}/cmdline r,
         @{PROC}/devices r,
         @{PROC}/pressure/* r,
@@ -280,32 +205,33 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
         @{PROC}/sys/fs/binfmt_misc/ r,
         @{PROC}/sys/fs/nr_open r,
         @{PROC}/sys/kernel/* r,
-        @{PROC}/sysvipc/{shm,sem,msg} r,
+        @{PROC}/sys/kernel/random/boot_id r,
-  owner @{PROC}/@{pid}/limits r,
+        @{PROC}/sysvipc/msg r,
-  owner @{PROC}/@{pid}/oom_score_adj rw,
+        @{PROC}/sysvipc/sem r,
+        @{PROC}/sysvipc/shm r,
+  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/1/coredump_filter r,
+  owner @{PROC}/1/fdinfo/@{int} r,
+  owner @{PROC}/1/gid_map r,
+  owner @{PROC}/1/oom_score_adj rw,
+  owner @{PROC}/1/setgroups r,
+  owner @{PROC}/1/uid_map r,
 
         /dev/autofs r,
+        /dev/dri/card@{int} rw,
+        /dev/initctl w,
         /dev/input/ r,
         /dev/kmsg w,
+        /dev/tty rw,
         /dev/tty@{int} rw,
   owner /dev/console rwk,
-  owner /dev/dri/card@{int} rw,
   owner /dev/hugepages/ rw,
-  owner /dev/initctl rw,
   owner /dev/input/event@{int} rw,
   owner /dev/mqueue/ rw,
   owner /dev/rfkill rw,
-  owner /dev/shm/ rw,
+  owner /dev/shm/ r,
   owner /dev/ttyS@{int} rwk,
 
-  profile systemctl {
-    include <abstractions/base>
-    include <abstractions/app/systemctl>
-
-    include if exists <usr/systemd_systemctl.d>
-    include if exists <local/systemd_systemctl>
-  }
-
   include if exists <usr/systemd.d>
   include if exists <local/systemd>
 }

apparmor.d/groups/_full/systemd-service

@@ -1,77 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for generic systemd unit services. Only used by tiny systemd services
-# that start a shell or use context specific programs.
-
-# It does not specify an attachment path because it is intended to be used only
-# via "Px -> systemd-service" exec transitions from the systemd profile.
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-profile systemd-service flags=(attach_disconnected) {
-  include <abstractions/base>
-  include <abstractions/consoles>
-  include <abstractions/nameservice-strict>
-
-  capability dac_read_search,
-  capability chown,
-  capability fsetid,
-
-  @{sbin}/ldconfig     rix,
-  @{bin}/savelog       rix,
-  @{bin}/systemctl     rix,
-  @{bin}/gzip          rix,
-  @{coreutils_path}    rix,
-  @{sh_path}          rmix,
-
-  # ifup@.service
-  @{bin}/ifup          rPx,
-
-  # shadow.service
-  @{sbin}/pwck         rPx,
-  @{sbin}/grpck        rPx,
-
-  @{bin}/grub-editenv  rPx,
-  @{bin}/ibus-daemon   rPx,
-
-  @{bin}/* r,
-  @{lib}/ r,
-
-  /var/cache/ldconfig/{,**} rw,
-
-  / r,
-
-  /boot/grub/grubenv rw,
-  /boot/grub/ w,
-
-  /var/spool/cron/atjobs/ r,
-
-  /var/log/ r,
-  /var/log/dmesg rw,
-  /var/log/dmesg.* rwl -> /var/log/dmesg,
-
-  # man-db.service
-  /usr/{,local/}share/man/{,**} r,
-  /etc/manpath.config r,
-  /var/cache/man/{,**} rwk,
-
-  # snapd.system-shutdown.service
-  @{run}/initramfs/shutdown rw,
-  @{run}/initramfs/ rw,
-
-  # cockpit.socket
-  @{run}/cockpit/@{rand8} rw,
-  @{run}/cockpit/motd w,
-
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
-
-  include if exists <usr/systemd-service.d>
-  include if exists <local/systemd-service>
-}
-
-# vim:syntax=apparmor

apparmor.d/groups/_full/systemd-user

@@ -11,8 +11,6 @@
 
 # Distributions and other programs can add rules in the usr/systemd-user.d directory
 
-# TODO: rework this to get a controlled environment. cf comments in systemd profile.
-
 abi <abi/4.0>,
 
 include <tunables/global>
@@ -27,76 +25,46 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 
   network netlink raw,
 
-  signal send set=(term, cont, kill),
+  signal send,
-  signal receive set=hup peer=@{p_systemd},
 
-  ptrace read peer=@{p_systemd},
+  ptrace read,
+
+  unix type=dgram peer=(label=@{p_sdu}),
 
   unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system,
   unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
 
   #aa:dbus own bus=session name=org.freedesktop.systemd1
 
-  @{exec_path} mr,
+  @{exec_path} mrix,
 
-  @{bin}/**                         Px,
+  # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.)
-  @{lib}/**                         Px,
+  @{lib}/systemd/systemd-executor                 mPx -> sdu,
-  /etc/cron.*/*                     Px,
-  /opt/*/**                         Px,
-  /usr/share/*/**                   Px,
 
-  # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
+  # Systemd user generators. Profiles must exist
-  @{lib}/systemd/systemd-executor   ix,
+  @{lib}/systemd/user-environment-generators/*     Px,
-
+  @{lib}/systemd/user-generators/*                 Px,
-  # Unit services using systemctl
-  @{bin}/systemctl                  Cx -> systemctl,
-
-  # Shell based ystemd unit services
-  @{coreutils_path}                 Px -> systemd-user-service,
-  @{sh_path}                        Px -> systemd-user-service,
-
-  # Dbus needs to be started without environment scrubbing
-  @{bin}/dbus-broker                         px -> dbus-session,
-  @{bin}/dbus-broker-launch                  px -> dbus-session,
-  @{bin}/dbus-daemon                         px -> dbus-session,
-  @{lib}/dbus-1.0/dbus-daemon-launch-helper  px -> dbus-session,
-
-  # Audio profiles need to be stacked
-  #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber
-  @{bin}/pipewire                   Px -> systemd-user//&pipewire,
-  @{bin}/pipewire-media-session     Px -> systemd-user//&pipewire-media-session,
-  @{bin}/pipewire-pulse             Px -> systemd-user//&pipewire-pulse,
-  @{bin}/pulseaudio                 Px -> systemd-user//&pulseaudio,
-  @{bin}/wireplumber                Px -> systemd-user//&wireplumber,
-
-  /usr/ r,
-  /usr/share/defaults/**.conf r,
 
+  @{etc_ro}/environment r,
   /etc/systemd/user.conf r,
   /etc/systemd/user.conf.d/{,**} r,
   /etc/systemd/user/{,**} r,
 
-  / r,
-
-  owner @{HOME}/.local/ w,
-
   owner @{user_config_dirs}/systemd/user/{,**} rw,
 
-        @{run}/systemd/users/@{uid} r,
   owner @{run}/user/@{uid}/ rw,
   owner @{run}/user/@{uid}/** rwkl,
 
   @{run}/mount/utab r,
   @{run}/systemd/notify w,
+  @{run}/systemd/oom/io.systemd.ManagedOOM rw,
 
-  @{run}/udev/data/+backlight:* r,
-  @{run}/udev/data/+leds:*backlight* r,
   @{run}/udev/data/+module:configfs r,
   @{run}/udev/data/+module:fuse r,
-  @{run}/udev/data/b254:@{int} r,         # for /dev/zram*
   @{run}/udev/data/c4:@{int} r,           # For TTY devices
   @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
   @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
+  @{run}/udev/data/c116:@{int} r,         # for ALSA
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
   @{run}/udev/data/n@{int} r,
   @{run}/udev/tags/systemd/ r,
@@ -108,14 +76,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 
         @{sys}/devices/**/uevent r,
         @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
-        @{sys}/module/apparmor/parameters/enabled r,
   owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
 
-        @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/cgroup r,
-        @{PROC}/@{pids}/cgroup r,
+        @{PROC}/@{pid}/comm r,
-        @{PROC}/@{pids}/comm r,
+        @{PROC}/@{pid}/stat r,
-        @{PROC}/@{pids}/stat r,
-        @{PROC}/1/environ r,
         @{PROC}/cmdline r,
         @{PROC}/pressure/* r,
         @{PROC}/swaps r,
@@ -124,20 +89,15 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
         @{PROC}/sys/kernel/overflowgid r,
         @{PROC}/sys/kernel/overflowuid r,
         @{PROC}/sys/kernel/pid_max r,
+        @{PROC}/sys/kernel/random/boot_id r,
         @{PROC}/sys/kernel/threads-max r,
-  owner @{PROC}/@{pid}/coredump_filter r,
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fdinfo/@{int} r,
   owner @{PROC}/@{pid}/gid_map r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/oom_score_adj rw,
-  owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/uid_map r,
   owner @{PROC}/@{pids}/fd/ r,
-  owner @{PROC}/@{pids}/oom_score_adj rw,
-
-  /dev/kmsg w,
-  /dev/tty rw,
 
   deny capability bpf,
   deny capability dac_override,
@@ -149,16 +109,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   deny capability sys_boot,
   deny capability sys_resource,
 
-  profile systemctl {
-    include <abstractions/base>
-    include <abstractions/app/systemctl>
-
-    deny capability net_admin,
-
-    include if exists <usr/systemd-user_systemctl.d>
-    include if exists <local/systemd-user_systemctl>
-  }
-
   include if exists <usr/systemd-user.d>
   include if exists <local/systemd-user>
 }

apparmor.d/groups/_full/systemd-user-service

@@ -1,23 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# Profile for generic systemd unit services. Only used by tiny systemd services
-# that start a shell or use context specific programs.
-
-# It does not specify an attachment path because it is intended to be used only
-# via "Px -> systemd-user-service" exec transitions from the systemd-user profile.
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-profile systemd-user-service flags=(attach_disconnected) {
-  include <abstractions/base>
-  include <abstractions/consoles>
-
-  include if exists <usr/systemd-user-service.d>
-  include if exists <local/systemd-user-service>
-}
-
-# vim:syntax=apparmor

apparmor.d/groups/apt/apt-listchanges

@@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} {
 
   @{pager_path}          Cx -> pager,
   @{bin}/dpkg            Px -> child-dpkg,
-  @{bin}/exim4           Px,  # Send results using email
+  @{sbin}/exim4          Px,  # Send results using email
 
   /usr/share/apt-listchanges/{,**} r,
 

apparmor.d/groups/apt/apt-methods-http

@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/apt/methods/http{,s}
-profile apt-methods-http @{exec_path} {
+profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
@@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  signal receive peer=@{p_apt_news},
+  signal receive peer=@{p_packagekitd},
   signal receive peer=apt-get,
   signal receive peer=apt,
   signal receive peer=aptitude,
-  signal receive peer=@{p_packagekitd},
   signal receive peer=role_*,
   signal receive peer=synaptic,
   signal receive peer=ubuntu-advantage,

apparmor.d/groups/apt/debsecan

@@ -27,7 +27,7 @@ profile debsecan @{exec_path} {
   @{sh_path}        rix,
 
   # Send results using email
-  @{bin}/exim4  rPx,
+  @{sbin}/exim4  rPx,
 
   /etc/apt/apt.conf.d/{,*} r,
   /etc/apt/apt.conf r,

apparmor.d/groups/apt/dpkg-script-apparmor

@@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} {
   /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
 
   /var/lib/dpkg/info/*.list r,
+  /var/lib/dpkg/info/format r,
   /var/lib/dpkg/status r,
   /var/lib/dpkg/triggers/File r,
   /var/lib/dpkg/triggers/Unincorp r,

apparmor.d/groups/apt/dpkg-script-systemd

@@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} {
   /etc/systemd/system/*.wants/ rw,
   /etc/systemd/system/*.wants/* rw,
 
+  /etc/pam.d/sed@{rand6} rw,
+  /etc/pam.d/common-password  rw,
+
   /var/lib/systemd/{,*} rw,
   /var/log/journal/ rw,
 

apparmor.d/groups/apt/dpkg-scripts

@@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} {
   @{sbin}/update-rc.d                             Cx -> rc,
 
   # Maintainer scripts can legitimately start/restart anything
+  # PU is only used as a safety fallback.
   @{bin}/**                                       PUx,
   @{sbin}/**                                      PUx,
   @{lib}/**                                       PUx,
@@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} {
     include <abstractions/app/bus>
     include <abstractions/bus-system>
 
+    capability dac_read_search,
+
     dbus send bus=system path=/
          interface=org.freedesktop.DBus
          member=ReloadConfig

apparmor.d/groups/apt/reportbug

@@ -40,7 +40,7 @@ profile reportbug @{exec_path} {
   @{bin}/stty             rix,
   /usr/share/reportbug/handle_bugscript rix,
 
-  @{bin}/exim4            rPx,
+  @{sbin}/exim4           rPx,
   @{bin}/apt-cache        rPx,
   @{bin}/debconf-show     rPx,
   @{bin}/debsums          rPx,

apparmor.d/groups/apt/unattended-upgrade

@@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   capability setuid,
   capability sys_nice,
 
+  network inet dgram,
+  network inet6 dgram,
   network netlink raw,
 
   signal send peer=apt-methods-http,

apparmor.d/groups/avahi/avahi-browse

@@ -17,7 +17,7 @@ profile avahi-browse @{exec_path} {
   dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
        interface=org.freedesktop.Avahi.ServiceTypeBrowser
        member={ItemNew,AllForNow,CacheExhausted}
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/avahi/avahi-resolve

@@ -17,12 +17,12 @@ profile avahi-resolve @{exec_path} {
   dbus send bus=system path=/Client@{int}/AddressResolver@{int}
        interface=org.freedesktop.Avahi.AddressResolver
        member={Free,HostNameResolverNew}
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
 
   dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
        interface=org.freedesktop.Avahi.AddressResolver
        member={Failure,Found}
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/bluetooth/bluetoothctl

@@ -15,7 +15,7 @@ profile bluetoothctl @{exec_path} {
 
   network bluetooth raw,
 
-  #aa:dbus talk bus=system name=org.bluez label=bluetoothd
+  #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}"
 
   @{exec_path} mr,
 

apparmor.d/groups/bluetooth/obexd

@@ -22,7 +22,7 @@ profile obexd @{exec_path} {
   dbus receive bus=system path=/org/bluez/obex/@{uuid}
        interface=org.bluez.Profile1
        member=Release
-       peer=(name=:*, label=bluetoothd),
+       peer=(name=:*, label="@{p_bluetoothd}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/bus/ibus-dconf

@@ -15,6 +15,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dconf-write>
   include <abstractions/nameservice-strict>
 
+  signal receive set=kill peer=@{p_systemd_user},
   signal receive set=term peer=ibus-daemon,
 
   dbus receive bus=session

apparmor.d/groups/cron/anacron

@@ -17,7 +17,7 @@ profile anacron @{exec_path} {
 
   @{sh_path}         rix,
   @{bin}/run-parts   rCx -> run-parts,
-  @{bin}/exim4       rPx,
+  @{sbin}/exim4      rPx,
 
   / r,
   /etc/anacrontab r,

apparmor.d/groups/cron/cron

@@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{sh_path}                 rix,
-  @{bin}/exim4               rPx,
+  @{sbin}/exim4              rPx,
   @{bin}/ionice              rix,
   @{bin}/nice                rix,
   @{bin}/run-parts           rCx -> run-parts,

apparmor.d/groups/cron/cron-apt

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{sbin}/cron-apt
+@{exec_path} = @{bin}/cron-apt
 profile cron-apt @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -46,7 +46,7 @@ profile cron-apt @{exec_path} {
   @{bin}/apt-get     rPx,
   @{bin}/apt-file    rPx,
   @{bin}/aptitude{,-curses} rPx,
-  @{bin}/exim4      rPx,
+  @{sbin}/exim4      rPx,
 
   /usr/share/cron-apt/{,*} r,
 

apparmor.d/groups/cron/cron-exim4-base

@@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} {
   @{bin}/hostname   rix,
   @{bin}/xargs      rix,
   @{bin}/find       rix,
-  @{bin}/eximstats rix,
+  @{sbin}/eximstats rix,
 
-  @{bin}/exim4     rPx,
+  @{sbin}/exim4             rPx,
-  @{bin}/exim_tidydb       rix,
+  @{sbin}/exim_tidydb       rix,
 
   @{sbin}/start-stop-daemon rix,
   @{sbin}/runuser           rix,

apparmor.d/groups/cron/crontab

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{sbin}/crontab
+@{exec_path} = @{bin}/crontab
 profile crontab @{exec_path} {
   include <abstractions/base>
   include <abstractions/authentication>

apparmor.d/groups/cups/cups-browsed

@@ -29,7 +29,7 @@ profile cups-browsed @{exec_path} {
   dbus receive bus=system path=/
        interface=org.freedesktop.Avahi.Server
        member=StateChanged
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
 
   dbus receive bus=system path=/org/freedesktop/NetworkManager
        interface=org.freedesktop.NetworkManager

apparmor.d/groups/cups/cupsd

@@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
   @{bin}/gs                  rix,
   @{bin}/gsc                 rix,
   @{bin}/hostname            rix,
-  @{sbin}/ippfind            rix,
+  @{bin}/ippfind             rix,
   @{bin}/mktemp              rix,
   @{bin}/printenv            rix,
   @{python_path}             rix,

apparmor.d/groups/filesystem/btrfs-find-root

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/btrfs-find-root
+@{exec_path} = @{sbin}/btrfs-find-root
 profile btrfs-find-root @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-read>

apparmor.d/groups/filesystem/udisksd

@@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   signal receive set=int peer=@{p_systemd},
 
   #aa:dbus own bus=system name=org.freedesktop.UDisks2
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
-  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
+  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
 
   @{exec_path} mr,
 

apparmor.d/groups/firewall/firewalld

@@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
   @{bin}/alts                      ix,
   @{bin}/false                     ix,
   @{bin}/kmod                      Cx -> kmod,
-  @{sbin}/ebtables-legacy          ix,
+  @{bin}/ebtables-legacy           ix,
-  @{sbin}/ebtables-legacy-restore  ix,
+  @{bin}/ebtables-legacy-restore   ix,
   @{sbin}/ipset                    ix,
   @{sbin}/xtables-legacy-multi     ix,
   @{sbin}/xtables-nft-multi       mix,

apparmor.d/groups/flatpak/flatpak

@@ -41,8 +41,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
   signal send peer=flatpak-app,
 
   #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
-  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
+  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
 
   dbus send bus=session path=/org/freedesktop/portal/documents
        interface=org.freedesktop.portal.Documents

apparmor.d/groups/flatpak/flatpak-app

@@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 
   @{bin}/gtk{,4}-update-icon-cache     rPx -> flatpak-app//&gtk-update-icon-cache,
   @{bin}/update-desktop-database       rPx -> flatpak-app//&update-desktop-database,
-  @{sbin}/update-mime-database         rPx -> flatpak-app//&update-mime-database,
+  @{bin}/update-mime-database          rPx -> flatpak-app//&update-mime-database,
   @{bin}/xdg-dbus-proxy                rPx -> flatpak-app//&xdg-dbus-proxy,
 
   @{lib}/kf5/kioslave5                 rPx,

apparmor.d/groups/freedesktop/colord

@@ -23,6 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   #aa:dbus own bus=system name=org.freedesktop.ColorManager
 
   @{exec_path} mrix,
+  @{lib}/colord-sane ix,
 
   /etc/machine-id r,
   /etc/sane.d/{,**} r,
@@ -44,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   owner /var/lib/snmp/mibs/{iana,ietf}/ r,
   owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
 
-  @{att}/@{desktop_share_dirs}/icc/edid-*.icc r,
+  @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
-  @{att}/@{user_share_dirs}/icc/edid-*.icc r,
+  @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
 
   @{run}/systemd/sessions/* r,
 

apparmor.d/groups/freedesktop/pipewire-pulse

@@ -11,15 +11,18 @@ include <tunables/global>
 profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
   include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
 
-  ptrace (read),
+  ptrace read,
 
   @{exec_path} mr,
 
   @{bin}/pactl rix,
+  @{bin}/pipewire mr,
 
   /usr/share/pipewire/{,**} r,
 
@@ -38,6 +41,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/dmi/id/board_vendor r,
   @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/module/apparmor/parameters/enabled r,
+
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   include if exists <local/pipewire-pulse>
 }

apparmor.d/groups/freedesktop/pulseaudio

@@ -50,12 +50,12 @@ profile pulseaudio @{exec_path} {
   dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
        interface=org.freedesktop.Avahi.ServiceResolver
        member=Found
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
 
   dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
        interface=org.freedesktop.Avahi.ServiceBrowser
        member=ItemRemove
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
 
   dbus send bus=system path=/
        interface=org.freedesktop.DBus.ObjectManager
@@ -65,7 +65,7 @@ profile pulseaudio @{exec_path} {
   dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
        interface=org.freedesktop.Avahi.ServiceResolver
        member={Found,Free}
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
 
   @{exec_path} mrix,
 

apparmor.d/groups/freedesktop/upower

@@ -13,7 +13,7 @@ profile upower @{exec_path} {
   include <abstractions/bus-system>
   include <abstractions/consoles>
 
-  #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd
+  #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/wireplumber

@@ -75,6 +75,10 @@ profile wireplumber @{exec_path} {
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
 
+        @{PROC}/1/cgroup r,
+        @{PROC}/1/cmdline r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   /dev/media@{int} rw,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -9,7 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/xdg-desktop-portal-gnome
 profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/consoles>
+  include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.a11y>
@@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.gnome.Shell.Introspect>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/consoles>
   include <abstractions/dconf-write>
   include <abstractions/deny-sensitive-home>
   include <abstractions/fontconfig-cache-write>
@@ -27,8 +28,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 
   network unix stream,
 
-  signal (receive) set=term peer=gdm,
+  signal receive set=term peer=gdm,
-  signal (receive) set=(hup term) peer=gdm-session-worker,
+  signal receive set=(hup term) peer=gdm-session-worker,
 
   #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome
   #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal
@@ -40,6 +41,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
        member=RunningApplicationsChanged
        peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
 
+  dbus send bus=session path=/org/gtk/Notifications
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=:*, label=gnome-shell),
+
   @{exec_path} mr,
 
   / r,
@@ -63,12 +69,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 
   owner @{tmp}/.goutputstream-@{rand6} rw,
   owner @{tmp}/@{rand6} rw,
+  owner @{tmp}/gtkprint_ppd_@{rand6} rw,
+  owner @{tmp}/gtkprint@{rand6} r,
+  owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw,
 
   @{run}/mount/utab r,
 
   owner @{PROC}/@{pid}/ r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/task/@{tid}/ r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/task/@{tid}/status r,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk

@@ -47,11 +47,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
        member=GetAll
        peer=(name=:*, label=gnome-shell),
 
-  dbus receive bus=session
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=:*, label=gnome-shell),
-
   @{exec_path} mr,
 
   /usr/share/gdm/greeter-dconf-defaults r,

apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update

@@ -9,9 +9,9 @@ include <tunables/global>
 @{exec_path} = @{bin}/xdg-user-dirs-gtk-update
 profile xdg-user-dirs-gtk-update @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
-  include <abstractions/dbus-accessibility>
-  include <abstractions/dbus-session>
   include <abstractions/gtk>
 
   @{exec_path} mr,

apparmor.d/groups/freedesktop/xorg

@@ -48,7 +48,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/login1/session/*
        interface=org.freedesktop.login1.Session
        member=ReleaseControl
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
 
   @{exec_path} mrix,
 

apparmor.d/groups/gnome/gdm

@@ -34,8 +34,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 
   #aa:dbus own bus=system name=org.gnome.DisplayManager
 
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/gdm-session-worker

@@ -49,13 +49,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 
   unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
 
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
-  #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed
+  #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}"
 
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member={*Session,CreateSessionWithPIDFD}
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
 
   @{exec_path} mrix,
 

apparmor.d/groups/gnome/gjs-console

@@ -14,12 +14,13 @@ include <tunables/global>
 @{exec_path} = @{bin}/gjs-console
 profile gjs-console @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/consoles>
+  include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.gnome.Shell.Introspect>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/consoles>
   include <abstractions/dconf-write>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/gnome-strict>
@@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
-  signal (receive) set=(term hup) peer=gdm*,
+  unix type=stream peer=(label=gnome-shell),
+
+  signal receive set=(term hup) peer=gdm*,
 
   #aa:dbus own bus=session name=org.freedesktop.Notifications
   #aa:dbus own bus=session name=org.gnome.ScreenSaver

apparmor.d/groups/gnome/gnome-calendar

@@ -32,7 +32,7 @@ profile gnome-calendar @{exec_path} {
   #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry
   #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
   #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
-  #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue
+  #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
 
   dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
        interface=org.freedesktop.DBus.ObjectManager

apparmor.d/groups/gnome/gnome-characters

@@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} {
   /usr/share/xml/iso-codes/{,**} r,
 
   owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/status r,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
 
   include if exists <local/gnome-characters>

apparmor.d/groups/gnome/gnome-control-center

@@ -39,24 +39,28 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   #aa:dbus own bus=session name=org.bluez.obex.Agent1
 
   #aa:dbus talk bus=session name=org.bluez.obex label=obexd
+  #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
   #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
+  #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
   #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
+  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power
+  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill
   #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
 
   #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences
   #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
-  #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd
+  #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}"
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
   #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd
-  #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
+  #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
-  #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager
+  #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
   #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
-  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
+  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
   #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
   #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
-  #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd
+  #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
-  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/gnome-extension-gsconnect

@@ -65,9 +65,10 @@ profile gnome-extension-gsconnect @{exec_path} {
 
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/status r,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
 
+  deny @{user_share_dirs}/gvfs-metadata/* r,
+
   include if exists <local/gnome-extension-gsconnect>
 }
 

apparmor.d/groups/gnome/gnome-firmware

@@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
-  #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/
+  #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
 
   @{exec_path} mr,
   @{open_path}  rPx -> child-open-help,

apparmor.d/groups/gnome/gnome-keyring-daemon

@@ -33,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member=GetSession
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/gnome-session-binary

@@ -32,7 +32,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   signal (send) set=(term) peer=gsd-*,
 
   #aa:dbus own bus=session name=org.gnome.SessionManager
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
@@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   /usr/share/gdm/greeter/autostart/{,*.desktop} r,
   /usr/share/gnome-session/hardware-compatibility r,
   /usr/share/gnome-session/sessions/*.session r,
+  /usr/share/gnome-shell/extensions/ r,
   /usr/share/gnome-shell/extensions/*/metadata.json r,
   /usr/share/gnome/autostart/{,*.desktop} r,
 
@@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   owner @{gdm_config_dirs}/dconf/user rw,
   owner @{gdm_config_dirs}/gnome-session/ rw,
   owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,
+  owner @{gdm_config_dirs}/user-dirs.dirs r,
   owner @{GDM_HOME}/greeter-dconf-defaults r,
   owner @{gdm_share_dirs}/applications/{,**} r,
 

apparmor.d/groups/gnome/gnome-shell

@@ -56,11 +56,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   network netlink raw,
   network unix stream,
 
-  ptrace (read),
+  ptrace read,
-  ptrace (readby) peer=pipewire,
+  ptrace readby peer=pipewire,
 
-  signal (receive) set=(term, hup) peer=gdm*,
+  signal receive set=(term, hup) peer=gdm*,
-  signal (send),
+  signal send,
 
   unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
   unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
@@ -83,11 +83,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   # Talk with gnome-shell
 
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
   #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
-  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
+  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
-  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
   #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 
   #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
@@ -103,11 +103,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
        member=RegisterAuthenticationAgent
-       peer=(name=:*, label=polkitd),
+       peer=(name=:*, label="@{p_polkitd}"),
   dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
        interface=org.freedesktop.PolicyKit1.AuthenticationAgent
        member=BeginAuthentication
-       peer=(name=:*, label=polkitd),
+       peer=(name=:*, label="@{p_polkitd}"),
 
   dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
        interface=org.freedesktop.NetworkManager.AgentManager
@@ -185,8 +185,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   /usr/share/gnome-shell/extensions/*/**               rPUx,
 
   /opt/**/share/icons/{,**} r,
-  /snap/*/@{uid}/**.png r,
+  /snap/*/@{uid}/**.@{image_ext} r,
-  /usr/share/**.{png,jpg,svg} r,
+  /usr/share/**.@{image_ext} r,
   /usr/share/**/icons/{,**} r,
   /usr/share/backgrounds/{,**} r,
   /usr/share/byobu/desktop/byobu* r,
@@ -241,25 +241,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   owner @{HOME}/.face r,
   owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
-  owner @{HOME}/.mozilla/native-messaging-hosts/ r,
+  owner @{HOME}/.mozilla/native-messaging-hosts/ rw,
-  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw,
+  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw,
-  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw,
   owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
-  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
+  owner @{HOME}/.var/app/**.@{image_ext} r,
   owner @{HOME}/.var/app/**/ r,
   owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,
 
-  owner @{user_games_dirs}/**.{png,jpg,svg} r,
+  owner @{user_games_dirs}/**.@{image_ext} r,
-  owner @{user_music_dirs}/**.{png,jpg,svg} r,
+  owner @{user_music_dirs}/**.@{image_ext} r,
 
   owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
+  owner @{user_config_dirs}/**/NativeMessagingHosts/ rw,
+  owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw,
   owner @{user_config_dirs}/background r,
   owner @{user_config_dirs}/ibus/ w,
   owner @{user_config_dirs}/monitors.xml{,~} rwl,
   owner @{user_config_dirs}/tiling-assistant/{,**} rw,
 
   owner @{user_share_dirs}/backgrounds/{,**} rw,
+  owner @{user_share_dirs}/dbus-1/services/ r,
+  owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw,
   owner @{user_share_dirs}/desktop-directories/{,**} r,
   owner @{user_share_dirs}/gnome-shell/{,**} rw,
   owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
@@ -267,9 +270,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_share_dirs}/icc/ rw,
   owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
   owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
+  owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w,
 
-  owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw,
+  owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,
-  owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w,
   owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
   owner @{user_cache_dirs}/gnome-boxes/*.png r,
   owner @{user_cache_dirs}/gnome-photos/{,**} r,

apparmor.d/groups/gnome/gsd-color

@@ -28,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
 
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color
 
-  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
+  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
 
   dbus receive bus=session path=/org/gtk/Settings
        interface=org.freedesktop.DBus.Properties
@@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
   owner @{GDM_HOME}/greeter-dconf-defaults r,
   owner @{gdm_config_dirs}/dconf/user r,
   owner @{gdm_share_dirs}/icc/ rw,
-  owner @{gdm_share_dirs}/icc/edid-*.icc rw,
+  owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw,
 
   owner @{user_share_dirs}/icc/ rw,
-  owner @{user_share_dirs}/icc/edid-*.icc rw,
+  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
 
   include if exists <local/gsd-color>
 }

apparmor.d/groups/gnome/gsd-housekeeping

@@ -24,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
 
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping
 
-  dbus receive bus=session
+  dbus send bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.DBus.Introspectable
+       interface=org.freedesktop.systemd1.Manager
-       member=Introspect
+       member=Subscribe
-       peer=(name=:*, label=gnome-shell),
+       peer=(name=org.freedesktop.systemd1),
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/gsd-media-keys

@@ -38,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member=PowerOff
-       peer=(name=:*, label=systemd-logind),
+       peer=(name=:*, label="@{p_systemd_logind}"),
 
   dbus send bus=session path=/
        interface=org.freedesktop.DBus

apparmor.d/groups/gnome/gsd-power

@@ -43,7 +43,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
        interface=org.freedesktop.UPower.KbdBacklight
        member=GetBrightness
-       peer=(name=:*, label=upowerd),
+       peer=(name=:*, label="@{p_upowerd}"),
 
   dbus receive bus=session path=/org/gtk/Settings
        interface=org.freedesktop.DBus.Properties

apparmor.d/groups/gnome/gsd-xsettings

@@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} {
   include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
   include <abstractions/bus/org.gnome.SessionManager>
   include <abstractions/bus/org.gnome.Shell.Introspect>
+  include <abstractions/bus/org.gtk.vfs.Daemon>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
   include <abstractions/fontconfig-cache-read>
@@ -33,21 +34,19 @@ profile gsd-xsettings @{exec_path} {
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings
   #aa:dbus own bus=session name=org.gtk.Settings
 
+  #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell
+
   dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
        interface=org.freedesktop.Accounts.User
        member=SetInputSources
-       peer=(name=:*, label=accounts-daemon),
+       peer=(name=:*, label="@{p_accounts_daemon}"),
-
-  dbus send bus=session path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member=GetId
-       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   @{exec_path} mr,
+  @{sh_path} mr,
 
   @{bin}/cat                   rix,
   @{bin}/sed                   rix,
-  @{bin}/which                 rix,
+  @{bin}/which{,.debianutils}  rix,
 
   @{bin}/busctl         rPx,
   @{bin}/pactl          rPx,

apparmor.d/groups/gnome/loupe

@@ -9,18 +9,29 @@ include <tunables/global>
 @{exec_path} = @{bin}/loupe
 profile loupe @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
+  include <abstractions/thumbnails-cache-write>
   include <abstractions/trash-strict>
   include <abstractions/user-read-strict>
   include <abstractions/user-write-strict>
 
+  unix type=stream peer=(label=loupe//bwrap),
+
   signal send set=kill peer=loupe//bwrap,
 
   #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
 
+  dbus send bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=@{p_systemd_hostnamed}),
+
   @{exec_path} mr,
 
   @{bin}/bwrap rCx -> bwrap,
@@ -33,6 +44,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/glycin/{,**} rw,
 
         @{run}/mount/utab r,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
 
   @{sys}/fs/cgroup/user.slice/cpu.max r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@@ -51,6 +63,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
     include <abstractions/base>
     include <abstractions/common/bwrap>
 
+    unix type=stream peer=(label=loupe),
+
     signal receive set=kill peer=loupe,
 
     @{bin}/bwrap mr,

apparmor.d/groups/gnome/nautilus

@@ -28,13 +28,21 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 
   mqueue r type=posix /,
 
+  unix type=stream peer=(label=gnome-shell),
+
   #aa:dbus own bus=session name=org.freedesktop.FileManager1
   #aa:dbus own bus=session name=org.gnome.Nautilus interface+="org.gtk.{Application,Actions}"
   #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2
 
+  #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center
   #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
-  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
   #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell
+  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
+
+  dbus send bus=session path=/org/gnome/Mutter/ServiceChannel
+       interface=org.gnome.Mutter.ServiceChannel
+       member=OpenWaylandServiceConnection
+       peer=(name=@{busname}, label=gnome-shell),
 
   dbus (send, receive) bus=session path=/org/gtk/Application/CommandLine
        interface=org.gtk.private.CommandLine

apparmor.d/groups/gnome/ptyxis

@@ -28,6 +28,8 @@ profile ptyxis @{exec_path} {
   owner @{user_share_dirs}/org.gnome.Ptyxis/ rw,
   owner @{user_share_dirs}/org.gnome.Ptyxis/** rwlk -> @{user_share_dirs}/org.gnome.Ptyxis/**,
 
+  owner /tmp/#@{int} w,
+
   /dev/ptmx rw,
 
   include if exists <local/ptyxis>