Merge FSP: rewrite the systemd profiles #753

* dev: (49 commits) fix: use mappings/sudo in su. build: justfile: add group. tests: update sbin.list fix: linter check. fix: add gpartedbin back to sbin.list. tests: show error line in sbin check. feat(profile): update sbin list and ensure the profiles use the good variable (sbin or bin). tests: remove symbolic link from sbin. test: add some security checks. tests: add more check for sbin path tests: rewrite and expand the profile check to more files. feat(tunable): add the archive_path variable. feat(profile): update gnome profiles. feat(fsp): small fsp improvement. feat(abs): minor improvement & cosmetic. feat(profile): add profiles for whoopsie. feat(profile): add initial profile for systemd-initctl. feat(profile): minor fsp related improvment. feat(fsp): setup RBAC mapping in auth enabled profiles. build: ignore all rule in abi3. ...
2025-06-16 21:41:08 +02:00 · 2025-06-16 21:41:08 +02:00 · 5e14271f76
commit 5e14271f76
parent 1f7e019500 3291d9a370
326 changed files with 2692 additions and 1532 deletions
--- a/37
+++ b/37
@ -64,24 +64,34 @@ help:
 	@just --list --unsorted
 	@echo -e "\nSee https://apparmor.pujol.io/development/ for more information."
 [group('build')]
 [doc('Build the go programs')]
 build:
 	@go build -o {{build}}/ ./cmd/aa-log
 	@go build -o {{build}}/ ./cmd/prebuild
 [group('build')]
 [doc('Prebuild the profiles in enforced mode')]
 enforce: build
 	@./{{build}}/prebuild
 [group('build')]
 [doc('Prebuild the profiles in complain mode')]
 complain: build
 	@./{{build}}/prebuild --complain
 [group('build')]
 [doc('Prebuild the profiles in FSP mode')]
 fsp: build
 	@./{{build}}/prebuild --full
 [group('build')]
 [doc('Prebuild the profiles in FSP mode (complain)')]
 fsp-complain: build
 	@./{{build}}/prebuild --complain --full
-[doc('Install the profiles')]
+[group('build')]
 [doc('Install prebuild profiles')]
 install:
 	#!/usr/bin/env bash
 	set -eu -o pipefail
@ -108,26 +118,31 @@ install:
 		install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
 	done
 [group('packages')]
 [doc('Build & install apparmor.d on Arch based systems')]
 pkg:
 	@makepkg --syncdeps --install --cleanbuild --force --noconfirm
 [group('packages')]
 [doc('Build & install apparmor.d on Debian based systems')]
 dpkg:
 	@bash dists/build.sh dpkg
 	@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
 [group('packages')]
 [doc('Build & install apparmor.d on OpenSUSE based systems')]
 rpm:
 	@bash dists/build.sh rpm
 	@sudo rpm -ivh --force  {{pkgdest}}/{{pkgname}}-*.rpm
 [group('tests')]
 [doc('Run the unit tests')]
 tests:
 	@go test ./cmd/... -v -cover -coverprofile=coverage.out
 	@go test ./pkg/... -v -cover -coverprofile=coverage.out
 	@go tool cover -func=coverage.out
 [group('linter')]
 [doc('Run the linters')]
 lint:
 	golangci-lint run
@ -138,18 +153,22 @@ lint:
 		tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
 		debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
 [group('linter')]
 [doc('Run style checks on the profiles')]
 check:
 	@bash tests/check.sh
 [group('docs')]
 [doc('Generate the man pages')]
 man:
 	@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
 [group('docs')]
 [doc('Build the documentation')]
 docs:
 	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
 [group('docs')]
 [doc('Serve the documentation')]
 serve:
 	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
@ -160,6 +179,7 @@ clean:
 		debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
 		{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
 [group('packages')]
 [doc('Build the package in a clean OCI container')]
 package dist:
 	#!/usr/bin/env bash
@ -175,6 +195,7 @@ package dist:
 	fi
 	bash dists/docker.sh $dist $version
 [group('vm')]
 [doc('Build the VM image')]
 img dist flavor: (package dist)
 	@mkdir -p {{base_dir}}
@ -192,6 +213,7 @@ img dist flavor: (package dist)
 		-var output_dir={{output_dir}} \
 		tests/packer/
 [group('vm')]
 [doc('Create the machine')]
 create dist flavor:
 	@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
@ -211,33 +233,40 @@ create dist flavor:
 		--sound model=ich9 \
 		--noautoconsole
 [group('vm')]
 [doc('Start a machine')]
 up dist flavor:
 	@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
 [group('vm')]
 [doc('Stops the machine')]
 halt dist flavor:
 	@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
 [group('vm')]
 [doc('Reboot the machine')]
 reboot dist flavor:
 	@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
 [group('vm')]
 [doc('Destroy the machine')]
 destroy dist flavor:
 	@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
 	@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
 	@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
 [group('vm')]
 [doc('Connect to the machine')]
 ssh dist flavor:
 	@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}`
 [group('vm')]
 [doc('List the machines')]
 list:
 	@echo -e '\033[1m Id   Distribution Flavor  State\033[0m'
 	@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
 [group('vm')]
 [doc('List the VM images')]
 images:
 	#!/usr/bin/env bash
@ -254,6 +283,7 @@ images:
 	}
 	'
 [group('vm')]
 [doc('List the VM images that can be created')]
 available:
 	#!/usr/bin/env bash
@ -270,6 +300,8 @@ available:
 	}
 	'
 [group('tests')]
 [doc('Run the integration tests on the machine')]
 integration dist flavor:
 	@ssh {{sshopt}} user@`just get_ip {{dist}} {{flavor}}` \
@ -280,12 +312,13 @@ integration dist flavor:
 		@bats --recursive --timing --print-output-on-failure Projects/integration/
-
+[group('internal')]
 get_ip dist flavor:
 	@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
 		head -1 | \
 		grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
 [group('internal')]
 get_osinfo dist:
 	#!/usr/bin/env python3
 	osinfo = {
--- a/apparmor.d/abstractions/app/kmod
+++ b/apparmor.d/abstractions/app/kmod
@ -7,13 +7,7 @@
  include <abstractions/consoles>
  @{sbin}/depmod    mr,
  @{sbin}/insmod    mr,
  @{bin}/kmod       mr,
  @{sbin}/lsmod     mr,
  @{sbin}/modinfo   mr,
  @{sbin}/modprobe  mr,
  @{sbin}/rmmod     mr,
  @{lib}/modprobe.d/ r,
  @{lib}/modprobe.d/*.conf r,
--- a/apparmor.d/abstractions/app/pager
+++ b/apparmor.d/abstractions/app/pager
@ -12,7 +12,7 @@
  capability dac_override,
  capability dac_read_search,
-  signal (receive) set=(stop, cont, term, kill),
+  signal receive set=(stop, cont, term, kill),
  @{bin}/       r,
  @{pager_path} mrix,
--- a/apparmor.d/abstractions/app/sudo
+++ b/apparmor.d/abstractions/app/sudo
@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
-# Minimal set of rules for sudo. Interactive sudo need more rules.
+# Minimal set of rules for sudo.
  abi <abi/4.0>,
@ -24,8 +24,10 @@
  network netlink raw,   # PAM
-  #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
+  unix type=stream addr=@@{udbus}/bus/sudo/system,
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+
  #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}"
  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
  dbus (send receive) bus=session path=/org/freedesktop/systemd1
         interface=org.freedesktop.systemd.Manager
--- a/apparmor.d/abstractions/attached/base
+++ b/apparmor.d/abstractions/attached/base
@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
-  # Do not use it manually, it is automatically included in profiles when it is required.
+  # Do not use it manually, It automatically replaces the base abstraction in a
  # profile with the attach_disconnected flag set and the re-attached path enabled.
  abi <abi/4.0>,
--- a/apparmor.d/abstractions/attached/consoles
+++ b/apparmor.d/abstractions/attached/consoles
@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
-  # Do not use it manually, it is automatically included in profiles when it is required.
+  # Do not use it manually, It automatically replaces the consoles abstraction in a
  # profile with the attach_disconnected flag set and the re-attached path enabled.
  abi <abi/4.0>,
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -3,14 +3,16 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  # Systemd: allow to receive any signal from the systemd profiles stack
  signal receive                           peer=@{p_systemd},
  signal receive                           peer=@{p_systemd_user},
  # Allow to receive some signals from new well-known profiles
  signal (receive)                           peer=btop,
  signal (receive)                           peer=htop,
  signal (receive)                           peer=sudo,
  signal (receive)                           peer=top,
  signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
  signal (receive) set=(cont,term)           peer=@{p_systemd_user},
  signal (receive) set=(cont,term)           peer=@{p_systemd},
  signal (receive) set=(hup term)            peer=login,
  signal (receive) set=(hup)                 peer=xinit,
  signal (receive) set=(term,kill)           peer=gnome-shell,
@ -18,7 +20,7 @@
  signal (receive) set=(term,kill)           peer=openbox,
  signal (receive) set=(term,kill)           peer=su,
-  ptrace (readby) peer=systemd-coredump,
+  ptrace (readby) peer=@{p_systemd_coredump},
  @{etc_rw}/localtime r,
  /etc/locale.conf r,
--- a/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
+++ b/apparmor.d/abstractions/bus/net.hadess.PowerProfiles
@ -4,7 +4,7 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=net.hadess.PowerProfiles label=power-profiles-daemon
+  #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}"
  include if exists <abstractions/bus/net.hadess.PowerProfiles.d>
--- a/apparmor.d/abstractions/bus/net.reactivated.Fprint
+++ b/apparmor.d/abstractions/bus/net.reactivated.Fprint
@ -4,12 +4,12 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=net.reactivated.Fprint label=fprintd
+  #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}"
  dbus send bus=system path=/net/reactivated/Fprint/Manager
       interface=net.reactivated.Fprint.Manager
       member={GetDevices,GetDefaultDevice}
-       peer=(name="@{busname}", label=fprintd),
+       peer=(name="@{busname}", label="@{p_fprintd}"),
  dbus send bus=system path=/net/reactivated/Fprint/Manager
       interface=net.reactivated.Fprint.Manager
@ -19,7 +19,7 @@
  dbus send bus=system path=/net/reactivated/Fprint/Manager
       interface=net.reactivated.Fprint.Manager
       member={GetDevices,GetDefaultDevice}
-       peer=(name=net.reactivated.Fprint, label=fprintd),
+       peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"),
  include if exists <abstractions/bus/net.reactivated.Fprint.d>
--- a/apparmor.d/abstractions/bus/org.a11y
+++ b/apparmor.d/abstractions/bus/org.a11y
@ -9,27 +9,27 @@
  dbus receive bus=accessibility path=/org/a11y/atspi/registry
       interface=org.a11y.atspi.Registry
       member=EventListenerDeregistered
-       peer=(name="@{busname}", label=at-spi2-registryd),
+       peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
  dbus send bus=accessibility path=/org/a11y/atspi/registry
       interface=org.a11y.atspi.Registry
       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
       interface=org.a11y.atspi.DeviceEventController
       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.freedesktop.DBus.Properties
       member=Set
-       peer=(name="@{busname}", label=at-spi2-registryd),
+       peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
       interface=org.a11y.atspi.Socket
       member=Embed
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
  # Session bus
--- a/apparmor.d/abstractions/bus/org.bluez
+++ b/apparmor.d/abstractions/bus/org.bluez
@ -4,37 +4,37 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.bluez label=bluetoothd
+  #aa:dbus common bus=system name=org.bluez label="@{p_bluetoothd}"
  dbus receive bus=system path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=InterfacesRemoved
-       peer=(name="{@{busname},org.bluez}", label=bluetoothd),
+       peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
  dbus send bus=system path=/
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
-       peer=(name="{@{busname},org.bluez}", label=bluetoothd),
+       peer=(name="{@{busname},org.bluez}", label="@{p_bluetoothd}"),
  dbus send bus=system path=/org/bluez
       interface=org.bluez.AgentManager@{int}
       member={RegisterAgent,RequestDefaultAgent,UnregisterAgent}
-       peer=(name=org.bluez, label=bluetoothd),
+       peer=(name=org.bluez, label="@{p_bluetoothd}"),
  dbus send bus=system path=/org/bluez
       interface=org.bluez.ProfileManager@{int}
       member=RegisterProfile
-       peer=(name=org.bluez, label=bluetoothd),
+       peer=(name=org.bluez, label="@{p_bluetoothd}"),
  dbus send bus=system path=/org/bluez/hci@{int}
       interface=org.bluez.BatteryProviderManager@{int}
       member=RegisterProfile
-       peer=(name=org.bluez, label=bluetoothd),
+       peer=(name=org.bluez, label="@{p_bluetoothd}"),
  dbus send bus=system path=/org/bluez/hci@{int}
       interface=org.bluez.Media@{int}
       member=RegisterApplication
-       peer=(name=org.bluez, label=bluetoothd),
+       peer=(name=org.bluez, label="@{p_bluetoothd}"),
  include if exists <abstractions/bus/org.bluez.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.Accounts
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Accounts
@ -4,27 +4,27 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
  dbus send bus=system path=/org/freedesktop/Accounts
       interface=org.freedesktop.Accounts
       member={FindUserByName,ListCachedUsers}
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
  dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
       interface=org.freedesktop.Accounts.User
       member=*Changed
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
  dbus receive bus=system path=/org/freedesktop/Accounts
       interface=org.freedesktop.Accounts
       member=UserAdded
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
  dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
       interface=org.freedesktop.DBus.Properties
       member=*Changed
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
  include if exists <abstractions/bus/org.freedesktop.Accounts.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.Avahi
+++ b/apparmor.d/abstractions/bus/org.freedesktop.Avahi
@ -4,27 +4,27 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.Avahi label=avahi-daemon
+  #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}"
  dbus send bus=system path=/
       interface=org.freedesktop.DBus.Peer
       member=Ping
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi),
  dbus send bus=system path=/
       interface=org.freedesktop.Avahi.Server
       member={GetAPIVersion,GetState,Service*New}
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
  dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
       interface=org.freedesktop.Avahi.ServiceBrowser
       member=Free
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
  dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
       interface=org.freedesktop.Avahi.ServiceBrowser
       member={ItemNew,AllForNow,CacheExhausted}
-       peer=(name="@{busname}", label=avahi-daemon),
+       peer=(name="@{busname}", label="@{p_avahi_daemon}"),
  include if exists <abstractions/bus/org.freedesktop.Avahi.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ColorManager
@ -4,22 +4,22 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.ColorManager label=colord
+  #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
  dbus send bus=system path=/org/freedesktop/ColorManager
       interface=org.freedesktop.ColorManager
       member=GetDevices
-       peer=(name="@{busname}", label=colord),
+       peer=(name="@{busname}", label="@{p_colord}"),
  dbus send bus=system path=/org/freedesktop/ColorManager
       interface=org.freedesktop.ColorManager
       member=CreateDevice
-       peer=(name="@{busname}", label=colord),
+       peer=(name="@{busname}", label="@{p_colord}"),
  dbus receive bus=system path=/org/freedesktop/ColorManager
       interface=org.freedesktop.ColorManager
       member={DeviceAdded,DeviceRemoved}
-       peer=(name="@{busname}", label=colord),
+       peer=(name="@{busname}", label="@{p_colord}"),
  include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
+++ b/apparmor.d/abstractions/bus/org.freedesktop.GeoClue2
@ -4,26 +4,26 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label=geoclue
+  #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
  dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
       interface=org.freedesktop.DBus.Properties
       member=PropertiesChanged
-       peer=(name=org.freedesktop.DBus, label=geoclue),
+       peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"),
  dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
       interface=org.freedesktop.DBus.Properties
       member=GetAll
-       peer=(name="@{busname}", label=geoclue),
+       peer=(name="@{busname}", label="@{p_geoclue}"),
  dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
       interface=org.freedesktop.DBus.Properties
       member=GetAll
-       peer=(name="@{busname}", label=geoclue),
+       peer=(name="@{busname}", label="@{p_geoclue}"),
  dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
       interface=org.freedesktop.GeoClue2.Manager
       member=AddAgent
-       peer=(name="@{busname}", label=geoclue),
+       peer=(name="@{busname}", label="@{p_geoclue}"),
  include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.ModemManager1
@ -4,17 +4,17 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label=ModemManager
+  #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
  dbus send bus=system path=/org/freedesktop/ModemManager1
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
-       peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
+       peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"),
  dbus send bus=system path=/org/freedesktop/ModemManager1
       interface=org.freedesktop.DBus.ObjectManager
       member=GetManagedObjects
-       peer=(name="@{busname}", label=ModemManager),
+       peer=(name="@{busname}", label="@{p_ModemManager}"),
  include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1
@ -4,22 +4,22 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label=polkitd
+  #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
  dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=Changed
-       peer=(name="@{busname}", label=polkitd),
+       peer=(name="@{busname}", label="@{p_polkitd}"),
  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=CheckAuthorization
-       peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
+       peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"),
  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=CheckAuthorization
-       peer=(name="@{busname}", label=polkitd),
+       peer=(name="@{busname}", label="@{p_polkitd}"),
  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=CheckAuthorization
--- a/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1
@ -6,7 +6,7 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label=rtkit-daemon
+  #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}"
  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.DBus.Properties
       member=Get
@ -15,12 +15,12 @@
  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.RealtimeKit1
       member={MakeThreadHighPriority,MakeThreadRealtime}
-       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon),
+       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
  dbus send bus=system path=/org/freedesktop/RealtimeKit1
       interface=org.freedesktop.RealtimeKit1
       member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}
-       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label=rtkit-daemon),
+       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
  include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower
@ -4,22 +4,22 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.UPower label=upowerd
+  #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
  dbus send bus=system path=/org/freedesktop/UPower
       interface=org.freedesktop.UPower
       member=EnumerateDevices
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+       peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
  dbus send bus=system path=/org/freedesktop/UPower
       interface=org.freedesktop.DBus.Properties
       member=GetDisplayDevice
-       peer=(name=org.freedesktop.UPower, label=upowerd),
+       peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
  dbus receive bus=system path=/org/freedesktop/UPower
       interface=org.freedesktop.UPower
       member=DeviceAdded
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
+       peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
  include if exists <abstractions/bus/org.freedesktop.UPower.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles
+++ b/apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles
@ -4,7 +4,7 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon
+  #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
  include if exists <abstractions/bus/org.freedesktop.UPower.PowerProfiles.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.hostname1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.hostname1
@ -4,7 +4,7 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
+  #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
  dbus send bus=system path=/org/freedesktop/hostname1
       interface=org.freedesktop.DBus.Properties
       member=Get
--- a/apparmor.d/abstractions/bus/org.freedesktop.locale1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.locale1
@ -4,7 +4,7 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.locale1 label=systemd-localed
+  #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
  dbus send bus=system path=/org/freedesktop/locale1
       interface=org.freedesktop.DBus.Properties
       member=GetAll
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1
@ -4,22 +4,22 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
  dbus receive bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
  dbus send bus=system path=/org/freedesktop/login1/session/*
       interface=org.freedesktop.login1.Session
       member=PauseDeviceComplete
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
  include if exists <abstractions/bus/org.freedesktop.login1.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
+++ b/apparmor.d/abstractions/bus/org.freedesktop.login1.Session
@ -4,22 +4,22 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=GetSession
-       peer=(name="@{busname}", label=systemd-logind),
+       peer=(name="@{busname}", label="@{p_systemd_logind}"),
  dbus send bus=system path=/org/freedesktop/login1/session/*
       interface=org.freedesktop.login1.Session
       member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
  dbus receive bus=system path=/org/freedesktop/login1/session/*
       interface=org.freedesktop.login1.Session
       member={PauseDevice,Unlock}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
  include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.network1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.network1
@ -4,7 +4,7 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.network1 label=systemd-networkd
+  #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
  include if exists <abstractions/bus/org.freedesktop.network1.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.resolve1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.resolve1
@ -4,12 +4,12 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.resolve1 label=systemd-resolved
+  #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
  dbus send bus=system path=/org/freedesktop/resolve1
       interface=org.freedesktop.resolve1.Manager
       member={SetLink*,ResolveHostname}
-       peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved),
+       peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"),
  include if exists <abstractions/bus/org.freedesktop.resolve1.d>
--- a/apparmor.d/abstractions/bus/org.freedesktop.timedate1
+++ b/apparmor.d/abstractions/bus/org.freedesktop.timedate1
@ -4,7 +4,7 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=system name=org.freedesktop.timedate1 label=systemd-timedated
+  #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}"
  include if exists <abstractions/bus/org.freedesktop.timedate1.d>
--- a/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
+++ b/apparmor.d/abstractions/bus/org.gnome.ArchiveManager1
@ -4,12 +4,12 @@
  abi <abi/4.0>,
-  #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label=file-roller
+  #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}"
  dbus send bus=session path=/org/gnome/ArchiveManager1
       interface=org.gnome.ArchiveManager1
       member=GetSupportedTypes
-       peer=(name="@{busname}", label=file-roller),
+       peer=(name="@{busname}", label="@{p_file_roller}"),
  include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
--- a/apparmor.d/abstractions/bus/own-accessibility
+++ b/apparmor.d/abstractions/bus/own-accessibility
@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
-# Do not use it manually, it is automatically included in a profile when it is required.
+# Do not use it manually, It is automatically included in a profile by the
 # `aa:dbus own` directive.
 # Allow owning a name on DBus public bus
--- a/apparmor.d/abstractions/bus/own-session
+++ b/apparmor.d/abstractions/bus/own-session
@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
-# Do not use it manually, it is automatically included in a profile when it is required.
+# Do not use it manually, It is automatically included in a profile by the
 # `aa:dbus own` directive.
 # Allow owning a name on DBus public bus
--- a/apparmor.d/abstractions/bus/own-system
+++ b/apparmor.d/abstractions/bus/own-system
@ -3,7 +3,8 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
-# Do not use it manually, it is automatically included in a profile when it is required.
+# Do not use it manually, It is automatically included in a profile by the
 # `aa:dbus own` directive.
 # Allow owning a name on DBus public bus
--- a/apparmor.d/abstractions/freedesktop.org.d/complete
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete
@ -16,7 +16,7 @@
  /opt/*/**.{desktop,png} r,
  /etc/gnome/defaults.list r,
-  /etc/xfce4/defaults.list r,  
+  /etc/xfce4/defaults.list r,
  /var/lib/snapd/desktop/applications/{,**} r,
  /var/lib/snapd/desktop/icons/{,**} r,
--- a/apparmor.d/abstractions/gnome.d/complete
+++ b/apparmor.d/abstractions/gnome.d/complete
@ -6,7 +6,7 @@
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect 
+       member=Introspect
       peer=(name=@{busname}, label=gnome-shell),
  /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
--- a/apparmor.d/abstractions/mapping/login
+++ b/apparmor.d/abstractions/mapping/login
@ -25,7 +25,7 @@
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=ReleaseSession
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
  @{etc_ro}/security/group.conf r,
  @{etc_ro}/security/limits.conf r,
--- a/apparmor.d/abstractions/mapping/sshd
+++ b/apparmor.d/abstractions/mapping/sshd
@ -28,7 +28,7 @@
  network inet6 stream,
  network netlink raw,
-  signal receive set=exists peer=systemd-journald,
+  signal receive set=exists peer=@{p_systemd_journald},
  signal receive set=hup peer=@{p_systemd},
  unix bind type=stream addr=@@{udbus}/bus/sshd/system,
@ -36,7 +36,7 @@
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member={CreateSession,ReleaseSession,CreateSessionWithPIDFD}
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
  /etc/motd r,
  /etc/locale.conf r,
--- a/apparmor.d/abstractions/vulkan.d/complete
+++ b/apparmor.d/abstractions/vulkan.d/complete
@ -1,4 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
  /etc/glvnd/egl_vendor.d/{,*.json} r,
--- a/apparmor.d/abstractions/webkit
+++ b/apparmor.d/abstractions/webkit
@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
-# Minimal set of rules for webkit UI.
+# Minimal set of rules for webkit GTK UI.
  abi <abi/4.0>,
--- a/apparmor.d/abstractions/zsh
+++ b/apparmor.d/abstractions/zsh
@ -12,6 +12,7 @@
  /usr/local/share/zsh/{,**} r,
  /usr/share/oh-my-zsh/{,**} r,
  /usr/share/zsh-theme-*/{,**} r,
  /usr/share/zsh/{,**} r,
  /etc/zsh/* r,
--- a/apparmor.d/groups/_full/bwrap
+++ b/apparmor.d/groups/_full/bwrap
@ -1,56 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Default profile for bwrap.
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/bwrap
 profile bwrap @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/common/bwrap>
  include <abstractions/common/app>
  include <abstractions/dbus>
  include <abstractions/fontconfig-cache-write>
  capability dac_override,
  capability dac_read_search,
  capability sys_resource,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  ptrace peer=bwrap//&bwrap-app,
  signal peer=bwrap//&bwrap-app,
  signal (receive) set=(kill),
  @{bin}/**                         rm,
  @{lib}/**                         rm,
  /opt/*/**                         rm,
  /usr/share/*/*                    rm,
  @{bin}/**                         Px -> bwrap//&bwrap-app,
  @{bin}/xdg-dbus-proxy             Px -> bwrap//&xdg-dbus-proxy,
  # @{lib}/**                         Px -> bwrap//&bwrap-app,
  /opt/*/**                         Px -> bwrap//&bwrap-app,
  /usr/share/*/*                    Px -> bwrap//&bwrap-app,
  /usr/.ref rk,
  /bindfile@{rand6} rw,
  owner /var/cache/ w,
  owner @{run}/ld-so-cache-dir/* rw,
  include if exists <usr/bwrap.d>
  include if exists <local/bwrap>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/bwrap-app
+++ b/apparmor.d/groups/_full/bwrap-app
@ -1,36 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Default profile for user sandboxed application
 abi <abi/4.0>,
 include <tunables/global>
 profile bwrap-app flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/common/app>
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  ptrace peer=bwrap//&bwrap-app,
  signal peer=bwrap//&bwrap-app,
  @{bin}/**                       rmix,
  @{lib}/**                       rmix,
  /opt/*/**                       rmix,
  /usr/share/*/*                  rmix,
  owner /var/cache/ w,
  include if exists <usr/bwrap-app.d>
  include if exists <local/bwrap-app>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/default
+++ b/apparmor.d/groups/_full/default
@ -1,122 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Default profile for unconfined programs
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = /**
 profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/consoles>
  include <abstractions/dbus-session>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/devices-usb>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/p11-kit>
  include <abstractions/shells>
  include <abstractions/ssl_certs>
  include <abstractions/video>
  capability dac_override,
  capability dac_read_search,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,
  signal receive set=hup,
  @{bin}/bwrap           rPx -> bwrap,
  @{bin}/pipewire-pulse  rPx -> systemd//&pipewire-pulse,
  @{bin}/pulseaudio      rPx -> systemd//&pulseaudio,
  @{bin}/su              rPx -> default-sudo,
  @{bin}/sudo            rPx -> default-sudo,
  @{bin}/systemctl       rix,
  @{coreutils_path}      rix,
  @{shells_path}         rix,
  @{pager_path}          rPx -> child-pager,
 #   @{open_path}           rPx -> child-open,
  audit @{bin}/**        Pix,
  audit @{lib}/**        Pix,
  audit /opt/*/**        Pix,
  audit /usr/share/*/*   Pix,
  @{bin}/{,**} r,
  @{lib}/{,**} r,
  /usr/share/** r,
  /etc/xdg/** r,
  # Full access to user's data
  / r,
  /*/ r,
  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/** rwl,
  owner @{HOME}/{,**} rwlk,
  owner @{run}/user/@{uid}/{,**} rw,
  owner @{tmp}/{,**} rwk,
  owner @{run}/user/@{uid}/{,**} rwlk,
  @{run}/motd.dynamic.new rw,
  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
  @{sys}/ r,
  @{sys}/bus/ r,
  @{sys}/bus/pci/devices/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/class/hidraw/ r,
  @{sys}/class/input/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/devices/**/input@{int}/ r,
  @{sys}/devices/**/input@{int}/capabilities/* r,
  @{sys}/devices/**/input/input@{int}/ r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/dmi/id/chassis_type r,
  @{sys}/firmware/acpi/pm_profile r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
        @{PROC}/cmdline r,
        @{PROC}/sys/kernel/seccomp/actions_avail r,
        @{PROC}/zoneinfo r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/gid_map w,
  owner @{PROC}/@{pid}/limits r,
  owner @{PROC}/@{pid}/loginuid r,
  owner @{PROC}/@{pid}/mem r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/oom_{,score_}adj rw,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pids}/environ r,
  owner @{PROC}/@{pids}/task/ r,
        /dev/ r,
        /dev/ptmx rwk,
        /dev/tty rwk,
  owner /dev/tty@{int} rw,
  include if exists <usr/default.d>
  include if exists <local/default>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/default-sudo
+++ b/apparmor.d/groups/_full/default-sudo
@ -1,42 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/4.0>,
 include <tunables/global>
 profile default-sudo {
  include <abstractions/base>
  include <abstractions/app/sudo>
  capability chown,
  capability mknod,
  capability sys_ptrace,
  network inet dgram,
  network inet6 dgram,
  ptrace (read),
  @{bin}/su       mr,
  @{bin}/**       Px,
  @{lib}/**       Px,
  /opt/*/**       Px,
        /var/db/sudo/lectured/ r,
        /var/lib/extrausers/shadow r,
        /var/lib/sudo/lectured/ r,
  owner /var/db/sudo/lectured/@{uid} rw,
  owner /var/lib/sudo/lectured/* rw,
  owner @{HOME}/.sudo_as_admin_successful rw,
  @{run}/ r,
  @{run}/systemd/sessions/* r,
  include if exists <local/default-sudo>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/sd
+++ b/apparmor.d/groups/_full/sd
@ -0,0 +1,265 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Part of the systemd (as PID 1) profile.
 # sd is a profile for SystemD-executor run as root, it is used to run all services
 # files and to encapsulate stacked services profiles (hence the short name).
 # It aims at reducing the size of the systemd profile.
 # Only use this profile with a fully configured system. Otherwise it **WILL**
 # break your computer. See https://apparmor.pujol.io/full-system-policy/.
 # Distributions and other programs can add rules in the usr/sd.d directory
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/systemd-executor
 profile sd flags=(attach_disconnected,mediate_deleted,complain) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/consoles>
  include <abstractions/devices-usb>
  include <abstractions/disks-write>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
  userns,
  capability audit_control,
  capability audit_write,
  capability bpf,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability kill,
  capability linux_immutable,
  capability mknod,
  capability net_admin,
  capability net_bind_service,
  capability net_raw,
  capability perfmon,
  capability setfcap,
  capability setgid,
  capability setpcap,
  capability setuid,
  capability sys_admin,
  capability sys_nice,
  capability sys_ptrace,
  capability sys_rawio,
  capability sys_resource,
  capability sys_time,
  capability sys_tty_config,
  capability syslog,
  network alg seqpacket,
  network bluetooth,
  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 raw,
  network inet6 stream,
  network netlink raw,
  network packet dgram,
  network packet raw,
  network qipcrtr dgram,
  mount                                                                         -> @{run}/systemd/mount-rootfs/{,**},
  mount                                                                         -> @{run}/systemd/namespace-@{rand6}/{,**},
  mount              options=(rw move)                                /dev/shm/ -> @{run}/credentials/*/,
  mount              options=(rw rshared)                                       -> /,
  mount              options=(rw rslave)                                        -> /,
  mount              options=(rw rslave)                                        -> /dev/,
  mount              options=(rw slave)                                         -> @{run}/systemd/incoming/,
  mount fstype=tmpfs options=(rw nodev noexec nosuid nosymfollow)         tmpfs -> /dev/shm/,
  mount fstype=tmpfs options=(rw nodev strictatime)                       tmpfs -> @{run}/systemd/unit-private-tmp/,
  remount /dev/shm/,
  remount @{run}/systemd/mount-rootfs/{,**},
  umount /,
  umount /dev/shm/,
  umount @{run}/systemd/mount-rootfs/{,**},
  # mount tmpfs -> @{run}/lock/,
  # mount tmpfs -> @{sys}/fs/cgroup/,
  # mount cgroup -> @{sys}/fs/cgroup/systemd/,
  # audit mount                                                             /dev/** -> /boot/{,efi/},
  # audit mount options=(rw bind)                                           /dev/** -> /tmp/namespace-dev-@{rand6}/**,
  # audit mount options=(rw rbind)                                                  -> @{run}/systemd/unit-root/{,**},
  # audit remount                                        @{run}/systemd/unit-root/{,**},
  # audit remount options=(ro noexec noatime bind)       /var/snap/{,**},
  # audit remount options=(ro nosuid nodev bind)         /var/,
  # audit remount options=(ro nosuid nodev noexec bind)  /boot/,
  # audit umount @{PROC}/sys/fs/binfmt_misc/,
  # audit umount @{run}/systemd/namespace-@{rand6}/{,**},
  # audit umount @{run}/systemd/unit-root/{,**},
  pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
  change_profile,
  mqueue (read getattr) type=posix /,
  signal         peer=sd//&*,
  signal receive peer=@{p_systemd},
  signal send,
  ptrace read,
  unix type=dgram peer=(label=@{p_systemd}),
  unix type=dgram peer=(label=systemd-timesyncd),
  unix type=stream,
  dbus bus=system,
  @{exec_path} mr,
  @{bin}/**                                       mPx,
  @{sbin}/**                                      mPx,
  @{lib}/**                                        Px,
  /etc/cron.*/*                                    Px,
  /etc/init.d/*                                    Px,
  /etc/update-motd.d/*                             Px,
  /usr/share/*/**                                  Px,
  # Systemd user: systemd --user
  @{lib}/systemd/systemd                           px -> systemd-user,
  # Mount operations from services and systemd
  @{bin}/mount                                     Px -> sd-mount,
  @{bin}/umount                                    Px -> sd-umount,
  # Unit services using systemctl
  @{bin}/systemctl                                 Cx -> systemctl,
  # Unit services
  @{bin}/kill                                      Cx -> kill,
  # Used by very basic services, ideally should be replaced by a unit profiles
  @{sh_path}                                       ix,
  @{bin}/false                                     ix,
  @{bin}/true                                      ix,
  # Required due to stacked profiles
  @{sbin}/grpck                                    ix,
  @{bin}/gzip                                      ix,
  @{bin}/install                                   ix,
  @{sbin}/pwck                                     ix,
  @{bin}/readlink                                  ix,
  @{lib}/colord-sane                               ix,
  @{lib}/systemd/systemd-nsresourcework            ix,
  @{lib}/systemd/systemd-userwork                  ix,
  / r,
  @{att}/ r,
  @{bin}/{,**} r,
  @{lib}/{,**} r,
  @{sbin}/{,*} r,
  /usr/share/** r,
  /etc/** rk,
  /home/ r,
  @{efi}/ r,
  @{efi}/** rw,
  @{att}/var/lib/systemd/*/ r,
  /var/cache/*/ rw,
  /var/cache/*/** rwk,
  /var/lib/*/ rw,
  /var/lib/*/** rwk,
  /var/lib/systemd/*/ r,
  /var/log/** rw,
  /var/log/journal/** rwl -> /var/log/journal/**,
  @{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
  @{user_share_dirs}/icc/edid-@{hex32}.icc r,
  @{att}/@{run}/systemd/io.systemd.ManagedOOM rw,
  @{att}/@{run}/systemd/notify rw,
  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
  @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
  @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
        @{run}/ rw,
        @{run}/* rw,
        @{run}/*/ rw,
        @{run}/*/* rw,
        @{run}/systemd/{,**} rw,
  owner @{run}/*/** rw,
  @{run}/udev/**/ r,
  @{run}/udev/data/* r,
  @{sys}/** r,
  @{sys}/fs/bpf/systemd/{,**} w,
  @{sys}/firmware/efi/efivars/** w,
  @{sys}/fs/cgroup/{,**} w,
  @{PROC}/@{pid}/attr/apparmor/exec w,
  @{PROC}/@{pid}/attr/current r,
  @{PROC}/@{pid}/cgroup r,
  @{PROC}/@{pid}/cmdline r,
  @{PROC}/@{pid}/comm r,
  @{PROC}/@{pid}/environ r,
  @{PROC}/@{pid}/fd/ r,
  @{PROC}/@{pid}/fdinfo/@{int} r,
  @{PROC}/@{pid}/gid_map w,
  @{PROC}/@{pid}/limits r,
  @{PROC}/@{pid}/loginuid rw,
  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pid}/oom_score_adj rw,
  @{PROC}/@{pid}/sessionid r,
  @{PROC}/@{pid}/setgroups r,
  @{PROC}/@{pid}/setgroups w,
  @{PROC}/@{pid}/stat r,
  @{PROC}/@{pid}/uid_map r,
  @{PROC}/@{pid}/uid_map w,
  @{PROC}/cmdline r,
  @{PROC}/interrupts r,
  @{PROC}/irq/@{int}/node r,
  @{PROC}/irq/@{int}/smp_affinity r,
  @{PROC}/kmsg r,
  @{PROC}/modules r,
  @{PROC}/pressure/* r,
  @{PROC}/swaps r,
  @{PROC}/sys/** r,
  @{PROC}/sys/kernel/random/write_wakeup_threshold w,
  @{PROC}/sys/net/ipv{4,6}/** rw,
  @{PROC}/sysvipc/* r,
  @{PROC}/version_signature r,
  /dev/** rwk,
  profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    include <abstractions/app/systemctl>
    include if exists <usr/sd_systemctl.d>
    include if exists <local/sd_systemctl>
  }
  profile kill flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    signal send,
    @{bin}/kill mr,
    include if exists <local/sd_kill>
  }
  include if exists <usr/sd.d>
  include if exists <local/sd>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/sd-mount
+++ b/apparmor.d/groups/_full/sd-mount
@ -0,0 +1,71 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Part of the systemd (as PID 1) profile.
 # sd-mount is a subprofile of sd responsible to handle mounting operation.
 # Only use this profile with a fully configured system. Otherwise it **WILL**
 # break your computer. See https://apparmor.pujol.io/full-system-policy/.
 # Distributions and other programs can add rules in the usr/sd-mount.d directory
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/mount
 profile sd-mount flags=(complain) {
  include <abstractions/base>
  include <abstractions/disks-write>
  capability dac_read_search,
  capability sys_admin,
  mount                                                                         -> @{efi}/,
  mount                                                                         -> @{HOME}/{,**},
  mount                                                                         -> @{HOMEDIRS}/,
  mount                                                                         -> @{MOUNTDIRS}/,
  mount                                                                         -> @{MOUNTS}/{,**},
  mount fstype=binfmt_misc options=(rw nodev noexec nosuid)         binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
  mount fstype=configfs    options=(rw nodev noexec nosuid)            configfs -> @{sys}/kernel/config/,
  mount fstype=debugfs     options=(rw nodev noexec nosuid)             debugfs -> @{sys}/kernel/debug/,
  mount fstype=fusectl     options=(rw nodev noexec nosuid)             fusectl -> @{sys}/fs/fuse/connections/,
  mount fstype=hugetlbfs   options=(rw nosuid nodev)                  hugetlbfs -> /dev/hugepages/,
  mount fstype=mqueue      options=(rw nodev noexec nosuid)                     -> /dev/mqueue/,
  mount fstype=squashfs    options=(ro nodev)                   /dev/loop@{int} -> /snap/*/@{int}/,
  mount fstype=tmpfs       options=(rw nodev noexec nosuid)               tmpfs -> @{run}/lock/,
  mount fstype=tmpfs       options=(rw nodev nosuid strictatime)          tmpfs -> /tmp/,
  mount fstype=tracefs     options=(rw nodev noexec nosuid)             tracefs -> @{sys}/kernel/tracing/,
  mount options=(rw move)                                                       -> @{efi},
  mount options=(rw move)                                                       -> @{HOME}/{,**},
  mount options=(rw move)                                                       -> @{HOMEDIRS}/,
  mount options=(rw move)                                                       -> @{MOUNTDIRS}/,
  mount options=(rw move)                                                       -> @{MOUNTS}/{,**},
  mount options=(rw move)                                                       -> @{sys}/fs/fuse/connections/,
  mount options=(rw move)                                                       -> @{sys}/kernel/config/,
  mount options=(rw move)                                                       -> @{sys}/kernel/debug/,
  mount options=(rw move)                                                       -> @{sys}/kernel/tracing/,
  mount options=(rw move)                                                       -> /dev/hugepages/,
  mount options=(rw move)                                                       -> /dev/mqueue/,
  mount options=(rw move)                                                       -> /tmp/,
  @{exec_path} mr,
  /var/lib/snapd/snaps/*.snap r,
        @{run}/ r,
  owner @{run}/mount/ rw,
  owner @{run}/mount/utab{,.*} rwk,
  @{PROC}/@{pid}/mountinfo r,
  /dev/loop-control rw,
  include if exists <usr/sd-mount.d>
  include if exists <local/sd-mount>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/sdu
+++ b/apparmor.d/groups/_full/sdu
@ -0,0 +1,124 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Part of the systemd-user profile.
 # sdu is a profile for SystemD-executor run as User, it is used to run all services
 # files and to encapsulate stacked services profiles (hence the short name).
 # It aims at reducing the size of the systemd-user profile.
 # Only use this profile with a fully configured system. Otherwise it **WILL**
 # break your computer. See https://apparmor.pujol.io/full-system-policy/.
 # Distributions and other programs can add rules in the usr/sdu.d directory
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{bin}/systemd-executor
 profile sdu flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/audio-server>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
  network netlink raw,
  change_profile,
  ptrace read,
  unix type=dgram peer=(label=@{p_systemd_user}),
  dbus bus=session,
  @{exec_path} mr,
  @{bin}/**                                       mPx,
  @{sbin}/**                                      mPx,
  @{lib}/**                                        Px,
  /etc/cron.*/*                                    Px,
  /opt/*/**                                        Px,
  /usr/share/*/**                                  Px,
  # Unit services using systemctl
  @{bin}/systemctl                                 Cx -> systemctl,
  # Shell based user unit services
  @{sh_path}                                       Cx -> shell,
  # Dbus needs to be started without environment scrubbing
  @{bin}/dbus-broker                               px -> dbus-session,
  @{bin}/dbus-broker-launch                        px -> dbus-session,
  @{bin}/dbus-daemon                               px -> dbus-session,
  @{lib}/dbus-1.0/dbus-daemon-launch-helper        px -> dbus-session,
  / r,
  @{bin}/* r,
  @{sbin}/* r,
  /usr/share/** r,
  owner @{desktop_local_dirs}/ w,
  owner @{desktop_local_dirs}/state/ w,
  owner @{desktop_local_dirs}/state/wireplumber/{,**} rw,
  owner @{run}/user/@{uid}/pipewire-@{int} rw,
  owner @{run}/user/@{uid}/pipewire-@{int}-manager rw,
  owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
  owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
  owner @{run}/user/@{uid}/pulse/pid rw,
  owner @{user_state_dirs}/wireplumber/ r,
  owner @{user_state_dirs}/wireplumber/stream-properties rw,
  owner @{user_state_dirs}/wireplumber/stream-properties.@{rand6} rw,
  @{run}/systemd/users/@{uid} r,
  @{run}/systemd/users/@{int} r,
  @{run}/udev/data/c116:@{int} r,         # for ALSA
  @{sys}/bus/ r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/sound/seq/uevent r,
  @{sys}/devices/virtual/sound/timer/uevent r,
        @{sys}/module/apparmor/parameters/enabled r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
        @{PROC}/pressure/* r,
        @{PROC}/sys/fs/nr_open r,
  owner @{PROC}/@{pid}/attr/apparmor/exec w,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/oom_score_adj rw,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  profile shell flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    @{sh_path}         mr,
    @{bin}/systemctl   Px -> sdu//systemctl,
    include if exists <local/sdu_shell>
  }
  profile systemctl flags=(attach_disconnected,mediate_deleted,complain) {
    include <abstractions/base>
    include <abstractions/app/systemctl>
    audit capability net_admin,
    owner @{run}/user/@{uid}/systemd/private rw,
    include if exists <usr/sdu_systemctl.d>
    include if exists <local/sdu_systemctl>
  }
  include if exists <usr/sdu.d>
  include if exists <local/sdu>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@ -11,24 +11,47 @@
 # Distributions and other programs can add rules in the usr/systemd.d directory
-# TODO: rework this to get a controlled environment: (cf security model)
+# Overall architecture of the systemd profiles:
 # systemd                                # PID 1, entrypoint, requires "Early policy"
 # ├── systemd                            # To restart itself
 # ├── systemd-generators-*               # Systemd system and environment generators
 # └── sd                                 # Internal service starter and config handler, handles all services
 #     ├── Px or px,                      # Any service with profile
 #     ├── Px ->                          # Any service without profile defined in the unit file (see systemd/full/systemd)
 #     ├── &*                             # Stacked service as defined in the unit file (see systemd/full/systemd)
 #     ├── sd-mount                       # Handles all mounts from services
 #     ├── sd//systemctl                  # Internal system systemctl
 #     └── systemd-user                   # Profile for 'systemd --user'
 #         ├── systemd-user               # To restart itself
 #         ├── systemd-user-generators-*  # Systemd user and environment generators
 #         └── sdu                        # Handles all user services
 #             ├── Px or px,              # Any user service with profile
 #             ├── Px ->                  # Any user service without profile defined in the unit file (see systemd/full/systemd)
 #             ├── &*                     # Stacked user service as defined in the unit file (see systemd/full/systemd)
 #             └── sdu//systemctl         # Internal user systemctl
 # Advantages:
 # - Differentiate systemd (PID 1) and `system --user`
 # - Keep `systemd` and systemd-user as mininal as possible, and transition to less privileged profiles.
 # - Allow the executor profiles to handled stacked profiles.
 # - Most additions need to be done in the `sd`/`sdu` profile, not in `systemd`/`systemd-user`.
 # - Dedicated `sd-mount` profile for most mount from the unit services.
 # TODO: rework this to get a controlled environment:
 # - No global allow anymore: in high security environments, we must manage the list
 #   of program/service that can be started by systemd and ensure that they are all
 #   listed and confined. Programs not listed will not be able to start.
 # - Outside common systemd service, the list may have to be automatically
 #   generated at install time, in `/etc/apparmor.d/usr/systemd.d/exec`
 # - Stop disabling nnp flags in systemd dropin files.
 # - Each systemd services in `systemd-service` (when the service is more complex than foo.service -> Exec=/usr/bin/foo)
 #   need they own profile, profile name configured as a dropin unit file.
 # - When this is done: the fallback profile as root will not be needed.
 abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{lib}/systemd/systemd
 profile systemd flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/disks-read>
  include <abstractions/nameservice-strict>
@ -43,16 +66,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  capability dac_read_search,
  capability fowner,
  capability fsetid,
-  capability mknod,
+  capability kill,
  capability net_admin,
  capability net_bind_service,
  capability perfmon,
  capability setfcap,
  capability setgid,
  capability setpcap,
  capability setuid,
  capability sys_admin,
-  capability sys_chroot,
+  capability sys_boot,
  capability sys_nice,
  capability sys_ptrace,
  capability sys_resource,
  capability sys_tty_config,
@ -62,164 +82,82 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,
  network vsock stream,
  mount fstype=autofs                                                 systemd-1 -> @{PROC}/sys/fs/binfmt_misc/,
-  mount fstype=autofs                                                 systemd-1 -> /efi/,
+  mount fstype=autofs                                                 systemd-1 -> @{efi}/,
  mount fstype=binfmt_misc options=(rw nodev noexec nosuid)         binfmt_misc -> @{PROC}/sys/fs/binfmt_misc/,
  mount fstype=configfs    options=(rw nodev noexec nosuid)            configfs -> @{sys}/kernel/config/,
  mount fstype=debugfs     options=(rw nodev noexec nosuid)             debugfs -> @{sys}/kernel/debug/,
  mount fstype=fusectl     options=(rw nodev noexec nosuid)             fusectl -> @{sys}/fs/fuse/connections/,
  mount fstype=hugetlbfs   options=(rw nosuid nodev)                  hugetlbfs -> /dev/hugepages/,
  mount fstype=mqueue      options=(rw nodev noexec nosuid)                     -> /dev/mqueue/,
  mount fstype=proc        options=(rw nosuid nodev noexec)                proc -> @{run}/systemd/namespace-@{rand6}/,
  mount fstype=sysfs       options=(rw nosuid nodev noexec)               sysfs -> @{run}/systemd/namespace-@{rand6}/,
  mount fstype=tmpfs                                                      tmpfs -> /dev/shm/,
  mount fstype=tmpfs                                                      tmpfs -> /tmp/,
  mount fstype=tmpfs       options=(rw nosuid nodev noexec strictatime)   tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
  mount fstype=tmpfs       options=(rw nosuid nodev noexec)               tmpfs -> /dev/shm/,
  mount fstype=tmpfs       options=(rw nosuid noexec strictatime)         tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
  mount fstype=tracefs     options=(rw nodev noexec nosuid)             tracefs -> @{sys}/kernel/tracing/,
  mount                                                             /dev/** -> /boot/{,efi/},
  mount options=(rw bind)                                           /dev/** -> /tmp/namespace-dev-@{rand6}/**,
  mount options=(rw bind)                                           /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
  mount options=(rw bind)                       @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
  mount options=(rw move)                                                   -> @{sys}/fs/fuse/connections/,
  mount options=(rw move)                                                   -> @{sys}/kernel/config/,
  mount options=(rw move)                                                   -> @{sys}/kernel/debug/,
  mount options=(rw move)                                                   -> @{sys}/kernel/tracing/,
  mount options=(rw move)                                                   -> /dev/hugepages/,
  mount options=(rw move)                                                   -> /dev/mqueue/,
  mount options=(rw move)                                                   -> /efi/,
  mount options=(rw move)                                                   -> /tmp/,
  mount options=(rw move)           @{run}/systemd/namespace-@{rand6}/{,**} -> @{run}/systemd/mount-rootfs/{,**},
  mount options=(rw rbind)                                                  -> @{run}/systemd/mount-rootfs/{,**},
  mount options=(rw rbind)                                                  -> @{run}/systemd/unit-root/{,**},
  mount options=(rw rshared)                                                -> /,
  mount options=(rw rslave)                                                 -> /,
  mount options=(rw rslave)                                                 -> /dev/,
  mount options=(rw slave)                                                  -> @{run}/systemd/incoming/,
  remount                                        @{HOME}/{,**},
  remount                                        @{HOMEDIRS}/,
  remount                                        @{MOUNTDIRS}/,
  remount                                        @{MOUNTS}/{,**},
  remount                                        @{run}/systemd/mount-rootfs/{,**},
  remount                                        @{run}/systemd/unit-root/{,**},
  remount                                        /,
  remount                                        /snap/{,**},
-  remount options=(ro bind)                      /boot/{,efi/},
+  remount options=(ro bind nodev noexec nosuid)  /dev/mqueue/,
-  remount options=(ro noexec noatime bind)       /var/snap/{,**},
+  remount options=(ro bind nodev nosuid)         /dev/hugepages/,
-  remount options=(ro nosuid bind)               /dev/,
+  remount options=(ro bind noexec nosuid)        /dev/pts/,
-  remount options=(ro nosuid nodev bind)         /dev/hugepages/,
+  remount options=(ro bind nosuid)               /dev/,
-  remount options=(ro nosuid nodev bind)         /var/,
+  remount options=(ro bind)                      @{efi}/,
-  remount options=(ro nosuid nodev noexec bind)  /boot/,
+  remount options=(ro bind)                      /,
  remount options=(ro nosuid nodev noexec bind)  /dev/mqueue/,
  remount options=(ro nosuid nodev noexec bind)  /efi/,
  remount options=(ro nosuid noexec bind)        /dev/pts/,
  umount /,
  umount /dev/shm/,
  umount @{PROC}/sys/fs/binfmt_misc/,
-  umount @{run}/systemd/mount-rootfs/{,**},
+  umount @{run}/credentials/*/,
  umount @{run}/systemd/namespace-@{rand6}/{,**},
  umount @{run}/systemd/unit-root/{,**},
  pivot_root oldroot=@{run}/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
  pivot_root oldroot=@{run}/systemd/unit-root/    @{run}/systemd/unit-root/,
  mqueue (read getattr) type=posix /,
  change_profile,
  signal receive set=(rtmin+23) peer=plymouthd,
  signal receive set=(term hup cont),
  signal send,
  ptrace (read, readby),
-  unix send type=dgram,
+  unix type=dgram,
-
+  unix type=stream,
  unix receive type=dgram peer=(label=systemd-timesyncd),
  unix (send, receive, connect) type=stream peer=(label=plymouthd, addr=@/org/freedesktop/plymouthd),
  #aa:dbus own bus=system name=org.freedesktop.systemd1
-  # For stacked profiles
+  @{exec_path} mrix,
-  #aa:dbus own bus=system name=org.freedesktop.network1
+  @{sh_path} mr,
  #aa:dbus own bus=system name=org.freedesktop.oom1
  #aa:dbus own bus=system name=org.freedesktop.resolve1
  #aa:dbus own bus=system name=org.freedesktop.timesync1
-  @{bin}/**                         Px,
+  # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.)
-  @{sbin}/**                        Px,
+  @{lib}/systemd/systemd-executor                 mPx -> sd,
  @{lib}/**                         Px,
  /etc/cron.*/*                     Px,
  /etc/init.d/*                     Px,
  /etc/update-motd.d/*              Px,
  /usr/share/*/**                   Px,
-  # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
+  # Systemd system generators. Profiles must exist
-  @{lib}/systemd/systemd-executor   ix,
+  @{lib}/netplan/generate                         mPx,
-
+  @{lib}/systemd/system-environment-generators/*  mPx,
-  # Systemd user: systemd --user
+  @{lib}/systemd/system-generators/*              mPx,
  @{lib}/systemd/systemd            px -> systemd-user,
  # Unit services using systemctl
  @{bin}/systemctl                  Cx -> systemctl,
  # Unit services
  @{bin}/mount                      ix,
  @{bin}/kill                       ix,
  # Shell based systemd unit services
  # TODO: create unit profile for all of them
  @{sbin}/ldconfig                  Px -> systemd-service,
  @{bin}/mandb                      Px -> systemd-service,
  @{bin}/savelog                    Px -> systemd-service,
  @{coreutils_path}                 Px -> systemd-service,
  @{sh_path}                        Px -> systemd-service,
  # Systemd profiles that need be stacked
  #aa:stack systemd-networkd systemd-oomd systemd-resolved systemd-timesyncd
  @{lib}/systemd/systemd-networkd   px -> systemd//&systemd-networkd,
  @{lib}/systemd/systemd-oomd       px -> systemd//&systemd-oomd,
  @{lib}/systemd/systemd-resolved   px -> systemd//&systemd-resolved,
  @{lib}/systemd/systemd-timesyncd  px -> systemd//&systemd-timesyncd,
  @{lib}/ r,
  / r,
  /*/ r,
  /boot/efi/ r,
  /snap/*/@{int}/ r,
  /var/cache/*/ r,
  /var/lib/*/ r,
  /var/tmp/ r,
  @{etc_ro}/environment r,
  @{etc_ro}/environment.d/{,**} r,
  /etc/acpi/events/{,**} r,
  /etc/binfmt.d/{,**} r,
  /etc/conf.d/{,**} r,
  /etc/credstore.encrypted/{,**} r,
  /etc/credstore/{,**} r,
  /etc/default/{,**} r,
  /etc/machine-id r,
  /etc/modules-load.d/{,**} r,
  /etc/networkd-dispatcher/{,**} r,
  /etc/systemd/{,**} r,
  /etc/systemd/system/** w,
  /etc/udev/hwdb.d/{,**} r,
  /etc/systemd/system/multi-user.target.wants/{,*} w,
-        /var/log/dmesg rw,
+  #aa:only pacman
-        /var/lib/systemd/{,**} rw,
+  # It is unclear why this is needed here and not in sd
  /etc/pacman.d/gnupg/S.dirmngr w,
  /etc/pacman.d/gnupg/S.gpg-agent w,
  /etc/pacman.d/gnupg/S.gpg-agent.browser w,
  /etc/pacman.d/gnupg/S.gpg-agent.extra w,
  /etc/pacman.d/gnupg/S.gpg-agent.ssh w,
  /etc/pacman.d/gnupg/S.keyboxd w,
  @{efi}/ r,
  /snap/*/@{int}/ r,
        /tmp/ r,
        /var/tmp/ r,
  owner /tmp/systemd-private-*/{,**} rw,
  owner /var/tmp/systemd-private-*/{,**} rw,
  /tmp/namespace-dev-@{rand6}/{,**} rw,
  /tmp/systemd-private-*/{,**} rw,
  @{att}/@{run}/systemd/journal/socket r,
  @{att}/@{run}/systemd/journal/dev-log r,
  @{att}/@{run}/systemd/journal/socket r,
  @{att}/@{run}/systemd/notify r,
  @{run}/ rw,
  @{run}/* rw,
@ -228,10 +166,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  @{run}/credentials/{,**} rw,
  @{run}/systemd/{,**} rw,
  @{run}/udev/data/+bluetooth:* r,
  @{run}/udev/data/+backlight:* r,
  @{run}/udev/data/+leds:*backlight* r,
  @{run}/udev/data/+module:configfs r,
  @{run}/udev/data/+module:fuse r,
  @{run}/udev/data/c4:@{int} r,           # For TTY devices
@ -242,37 +176,28 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
  @{run}/udev/data/n@{int} r,
  @{run}/udev/tags/systemd/ r,
  @{sys}/**/uevent r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/power_supply/ r,
-  @{sys}/class/sound/ r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
-  @{sys}/devices/@{pci}/** r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
  @{sys}/devices/**/net/** r,
  @{sys}/devices/**/uevent r,
  @{sys}/devices/virtual/dmi/id/{sys,board,bios}_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/product_version r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/tty/console/active r,
  @{sys}/fs/cgroup/{,**} rw,
  @{sys}/fs/fuse/connections/ r,
  @{sys}/fs/pstore/ r,
  @{sys}/kernel/**/ r,
  @{sys}/module/**/uevent r,
  @{sys}/module/apparmor/parameters/enabled r,
  @{sys}/module/vt/parameters/default_utf8 r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/comm r,
        @{PROC}/@{pid}/coredump_filter r,
        @{PROC}/@{pid}/environ r,
        @{PROC}/@{pid}/fd/ r,
        @{PROC}/@{pid}/fdinfo/@{int} r,
        @{PROC}/@{pid}/gid_map rw,
        @{PROC}/@{pid}/loginuid rw,
        @{PROC}/@{pid}/mountinfo r,
        @{PROC}/@{pid}/setgroups rw,
        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pid}/uid_map rw,
        @{PROC}/cmdline r,
        @{PROC}/devices r,
        @{PROC}/pressure/* r,
@ -280,32 +205,33 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
        @{PROC}/sys/fs/binfmt_misc/ r,
        @{PROC}/sys/fs/nr_open r,
        @{PROC}/sys/kernel/* r,
-        @{PROC}/sysvipc/{shm,sem,msg} r,
+        @{PROC}/sys/kernel/random/boot_id r,
-  owner @{PROC}/@{pid}/limits r,
+        @{PROC}/sysvipc/msg r,
-  owner @{PROC}/@{pid}/oom_score_adj rw,
+        @{PROC}/sysvipc/sem r,
        @{PROC}/sysvipc/shm r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/1/coredump_filter r,
  owner @{PROC}/1/fdinfo/@{int} r,
  owner @{PROC}/1/gid_map r,
  owner @{PROC}/1/oom_score_adj rw,
  owner @{PROC}/1/setgroups r,
  owner @{PROC}/1/uid_map r,
        /dev/autofs r,
        /dev/dri/card@{int} rw,
        /dev/initctl w,
        /dev/input/ r,
        /dev/kmsg w,
        /dev/tty rw,
        /dev/tty@{int} rw,
  owner /dev/console rwk,
  owner /dev/dri/card@{int} rw,
  owner /dev/hugepages/ rw,
  owner /dev/initctl rw,
  owner /dev/input/event@{int} rw,
  owner /dev/mqueue/ rw,
  owner /dev/rfkill rw,
-  owner /dev/shm/ rw,
+  owner /dev/shm/ r,
  owner /dev/ttyS@{int} rwk,
  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>
    include if exists <usr/systemd_systemctl.d>
    include if exists <local/systemd_systemctl>
  }
  include if exists <usr/systemd.d>
  include if exists <local/systemd>
 }
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@ -1,77 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Profile for generic systemd unit services. Only used by tiny systemd services
 # that start a shell or use context specific programs.
 # It does not specify an attachment path because it is intended to be used only
 # via "Px -> systemd-service" exec transitions from the systemd profile.
 abi <abi/4.0>,
 include <tunables/global>
 profile systemd-service flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  capability dac_read_search,
  capability chown,
  capability fsetid,
  @{sbin}/ldconfig     rix,
  @{bin}/savelog       rix,
  @{bin}/systemctl     rix,
  @{bin}/gzip          rix,
  @{coreutils_path}    rix,
  @{sh_path}          rmix,
  # ifup@.service
  @{bin}/ifup          rPx,
  # shadow.service
  @{sbin}/pwck         rPx,
  @{sbin}/grpck        rPx,
  @{bin}/grub-editenv  rPx,
  @{bin}/ibus-daemon   rPx,
  @{bin}/* r,
  @{lib}/ r,
  /var/cache/ldconfig/{,**} rw,
  / r,
  /boot/grub/grubenv rw,
  /boot/grub/ w,
  /var/spool/cron/atjobs/ r,
  /var/log/ r,
  /var/log/dmesg rw,
  /var/log/dmesg.* rwl -> /var/log/dmesg,
  # man-db.service
  /usr/{,local/}share/man/{,**} r,
  /etc/manpath.config r,
  /var/cache/man/{,**} rwk,
  # snapd.system-shutdown.service
  @{run}/initramfs/shutdown rw,
  @{run}/initramfs/ rw,
  # cockpit.socket
  @{run}/cockpit/@{rand8} rw,
  @{run}/cockpit/motd w,
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
  include if exists <usr/systemd-service.d>
  include if exists <local/systemd-service>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@ -11,8 +11,6 @@
 # Distributions and other programs can add rules in the usr/systemd-user.d directory
 # TODO: rework this to get a controlled environment. cf comments in systemd profile.
 abi <abi/4.0>,
 include <tunables/global>
@ -27,76 +25,46 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  network netlink raw,
-  signal send set=(term, cont, kill),
+  signal send,
  signal receive set=hup peer=@{p_systemd},
-  ptrace read peer=@{p_systemd},
+  ptrace read,
  unix type=dgram peer=(label=@{p_sdu}),
  unix bind type=stream addr=@@{udbus}/bus/systemd/bus-system,
  unix bind type=stream addr=@@{udbus}/bus/systemd/bus-api-user,
  #aa:dbus own bus=session name=org.freedesktop.systemd1
-  @{exec_path} mr,
+  @{exec_path} mrix,
-  @{bin}/**                         Px,
+  # Systemd internal service starter and config handler (sandboxing, namespacing, cgroup, etc.)
-  @{lib}/**                         Px,
+  @{lib}/systemd/systemd-executor                 mPx -> sdu,
  /etc/cron.*/*                     Px,
  /opt/*/**                         Px,
  /usr/share/*/**                   Px,
-  # Systemd internal service started and config handler (sandboxing, namespacing, cgroup, etc.)
+  # Systemd user generators. Profiles must exist
-  @{lib}/systemd/systemd-executor   ix,
+  @{lib}/systemd/user-environment-generators/*     Px,
-
+  @{lib}/systemd/user-generators/*                 Px,
  # Unit services using systemctl
  @{bin}/systemctl                  Cx -> systemctl,
  # Shell based ystemd unit services
  @{coreutils_path}                 Px -> systemd-user-service,
  @{sh_path}                        Px -> systemd-user-service,
  # Dbus needs to be started without environment scrubbing
  @{bin}/dbus-broker                         px -> dbus-session,
  @{bin}/dbus-broker-launch                  px -> dbus-session,
  @{bin}/dbus-daemon                         px -> dbus-session,
  @{lib}/dbus-1.0/dbus-daemon-launch-helper  px -> dbus-session,
  # Audio profiles need to be stacked
  #aa:stack pipewire pipewire-media-session pipewire-pulse pulseaudio wireplumber
  @{bin}/pipewire                   Px -> systemd-user//&pipewire,
  @{bin}/pipewire-media-session     Px -> systemd-user//&pipewire-media-session,
  @{bin}/pipewire-pulse             Px -> systemd-user//&pipewire-pulse,
  @{bin}/pulseaudio                 Px -> systemd-user//&pulseaudio,
  @{bin}/wireplumber                Px -> systemd-user//&wireplumber,
  /usr/ r,
  /usr/share/defaults/**.conf r,
  @{etc_ro}/environment r,
  /etc/systemd/user.conf r,
  /etc/systemd/user.conf.d/{,**} r,
  /etc/systemd/user/{,**} r,
  / r,
  owner @{HOME}/.local/ w,
  owner @{user_config_dirs}/systemd/user/{,**} rw,
        @{run}/systemd/users/@{uid} r,
  owner @{run}/user/@{uid}/ rw,
  owner @{run}/user/@{uid}/** rwkl,
  @{run}/mount/utab r,
  @{run}/systemd/notify w,
  @{run}/systemd/oom/io.systemd.ManagedOOM rw,
  @{run}/udev/data/+backlight:* r,
  @{run}/udev/data/+leds:*backlight* r,
  @{run}/udev/data/+module:configfs r,
  @{run}/udev/data/+module:fuse r,
  @{run}/udev/data/b254:@{int} r,         # for /dev/zram*
  @{run}/udev/data/c4:@{int} r,           # For TTY devices
  @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
  @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
  @{run}/udev/data/c116:@{int} r,         # for ALSA
  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
  @{run}/udev/data/n@{int} r,
  @{run}/udev/tags/systemd/ r,
@ -108,14 +76,11 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
        @{sys}/devices/**/uevent r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} r,
        @{sys}/module/apparmor/parameters/enabled r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/{,**} rw,
-        @{PROC}/@{pid}/cmdline r,
+        @{PROC}/@{pid}/cgroup r,
-        @{PROC}/@{pids}/cgroup r,
+        @{PROC}/@{pid}/comm r,
-        @{PROC}/@{pids}/comm r,
+        @{PROC}/@{pid}/stat r,
        @{PROC}/@{pids}/stat r,
        @{PROC}/1/environ r,
        @{PROC}/cmdline r,
        @{PROC}/pressure/* r,
        @{PROC}/swaps r,
@ -124,20 +89,15 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
        @{PROC}/sys/kernel/overflowgid r,
        @{PROC}/sys/kernel/overflowuid r,
        @{PROC}/sys/kernel/pid_max r,
        @{PROC}/sys/kernel/random/boot_id r,
        @{PROC}/sys/kernel/threads-max r,
-  owner @{PROC}/@{pid}/coredump_filter r,
+  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/gid_map r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/oom_score_adj rw,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/uid_map r,
  owner @{PROC}/@{pids}/fd/ r,
  owner @{PROC}/@{pids}/oom_score_adj rw,
  /dev/kmsg w,
  /dev/tty rw,
  deny capability bpf,
  deny capability dac_override,
@ -149,16 +109,6 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
  deny capability sys_boot,
  deny capability sys_resource,
  profile systemctl {
    include <abstractions/base>
    include <abstractions/app/systemctl>
    deny capability net_admin,
    include if exists <usr/systemd-user_systemctl.d>
    include if exists <local/systemd-user_systemctl>
  }
  include if exists <usr/systemd-user.d>
  include if exists <local/systemd-user>
 }
--- a/apparmor.d/groups/_full/systemd-user-service
+++ b/apparmor.d/groups/_full/systemd-user-service
@ -1,23 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # Profile for generic systemd unit services. Only used by tiny systemd services
 # that start a shell or use context specific programs.
 # It does not specify an attachment path because it is intended to be used only
 # via "Px -> systemd-user-service" exec transitions from the systemd-user profile.
 abi <abi/4.0>,
 include <tunables/global>
 profile systemd-user-service flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include if exists <usr/systemd-user-service.d>
  include if exists <local/systemd-user-service>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/groups/apt/apt-listchanges
+++ b/apparmor.d/groups/apt/apt-listchanges
@ -30,7 +30,7 @@ profile apt-listchanges @{exec_path} {
  @{pager_path}          Cx -> pager,
  @{bin}/dpkg            Px -> child-dpkg,
-  @{bin}/exim4           Px,  # Send results using email
+  @{sbin}/exim4          Px,  # Send results using email
  /usr/share/apt-listchanges/{,**} r,
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
@{exec_path} = @{lib}/apt/methods/http{,s}
-profile apt-methods-http @{exec_path} {
+profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} {
  network inet6 stream,
  network netlink raw,
  signal receive peer=@{p_apt_news},
  signal receive peer=@{p_packagekitd},
  signal receive peer=apt-get,
  signal receive peer=apt,
  signal receive peer=aptitude,
  signal receive peer=@{p_packagekitd},
  signal receive peer=role_*,
  signal receive peer=synaptic,
  signal receive peer=ubuntu-advantage,
--- a/apparmor.d/groups/apt/debsecan
+++ b/apparmor.d/groups/apt/debsecan
@ -27,7 +27,7 @@ profile debsecan @{exec_path} {
  @{sh_path}        rix,
  # Send results using email
-  @{bin}/exim4  rPx,
+  @{sbin}/exim4  rPx,
  /etc/apt/apt.conf.d/{,*} r,
  /etc/apt/apt.conf r,
--- a/apparmor.d/groups/apt/dpkg-script-apparmor
+++ b/apparmor.d/groups/apt/dpkg-script-apparmor
@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} {
  /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
  /var/lib/dpkg/info/*.list r,
  /var/lib/dpkg/info/format r,
  /var/lib/dpkg/status r,
  /var/lib/dpkg/triggers/File r,
  /var/lib/dpkg/triggers/Unincorp r,
--- a/apparmor.d/groups/apt/dpkg-script-systemd
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} {
  /etc/systemd/system/*.wants/ rw,
  /etc/systemd/system/*.wants/* rw,
  /etc/pam.d/sed@{rand6} rw,
  /etc/pam.d/common-password  rw,
  /var/lib/systemd/{,*} rw,
  /var/log/journal/ rw,
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} {
  @{sbin}/update-rc.d                             Cx -> rc,
  # Maintainer scripts can legitimately start/restart anything
  # PU is only used as a safety fallback.
  @{bin}/**                                       PUx,
  @{sbin}/**                                      PUx,
  @{lib}/**                                       PUx,
@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} {
    include <abstractions/app/bus>
    include <abstractions/bus-system>
    capability dac_read_search,
    dbus send bus=system path=/
         interface=org.freedesktop.DBus
         member=ReloadConfig
--- a/apparmor.d/groups/apt/reportbug
+++ b/apparmor.d/groups/apt/reportbug
@ -40,7 +40,7 @@ profile reportbug @{exec_path} {
  @{bin}/stty             rix,
  /usr/share/reportbug/handle_bugscript rix,
-  @{bin}/exim4            rPx,
+  @{sbin}/exim4           rPx,
  @{bin}/apt-cache        rPx,
  @{bin}/debconf-show     rPx,
  @{bin}/debsums          rPx,
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  capability setuid,
  capability sys_nice,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  signal send peer=apt-methods-http,
--- a/apparmor.d/groups/avahi/avahi-browse
+++ b/apparmor.d/groups/avahi/avahi-browse
@ -17,7 +17,7 @@ profile avahi-browse @{exec_path} {
  dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
       interface=org.freedesktop.Avahi.ServiceTypeBrowser
       member={ItemNew,AllForNow,CacheExhausted}
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/avahi/avahi-resolve
+++ b/apparmor.d/groups/avahi/avahi-resolve
@ -17,12 +17,12 @@ profile avahi-resolve @{exec_path} {
  dbus send bus=system path=/Client@{int}/AddressResolver@{int}
       interface=org.freedesktop.Avahi.AddressResolver
       member={Free,HostNameResolverNew}
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
  dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
       interface=org.freedesktop.Avahi.AddressResolver
       member={Failure,Found}
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/bluetooth/bluetoothctl
+++ b/apparmor.d/groups/bluetooth/bluetoothctl
@ -15,7 +15,7 @@ profile bluetoothctl @{exec_path} {
  network bluetooth raw,
-  #aa:dbus talk bus=system name=org.bluez label=bluetoothd
+  #aa:dbus talk bus=system name=org.bluez label="@{p_bluetoothd}"
  @{exec_path} mr,
--- a/apparmor.d/groups/bluetooth/obexd
+++ b/apparmor.d/groups/bluetooth/obexd
@ -22,7 +22,7 @@ profile obexd @{exec_path} {
  dbus receive bus=system path=/org/bluez/obex/@{uuid}
       interface=org.bluez.Profile1
       member=Release
-       peer=(name=:*, label=bluetoothd),
+       peer=(name=:*, label="@{p_bluetoothd}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/bus/ibus-dconf
+++ b/apparmor.d/groups/bus/ibus-dconf
@ -15,6 +15,7 @@ profile ibus-dconf @{exec_path} flags=(attach_disconnected) {
  include <abstractions/dconf-write>
  include <abstractions/nameservice-strict>
  signal receive set=kill peer=@{p_systemd_user},
  signal receive set=term peer=ibus-daemon,
  dbus receive bus=session
--- a/apparmor.d/groups/cron/anacron
+++ b/apparmor.d/groups/cron/anacron
@ -17,7 +17,7 @@ profile anacron @{exec_path} {
  @{sh_path}         rix,
  @{bin}/run-parts   rCx -> run-parts,
-  @{bin}/exim4       rPx,
+  @{sbin}/exim4      rPx,
  / r,
  /etc/anacrontab r,
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@ -28,7 +28,7 @@ profile cron @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{sh_path}                 rix,
-  @{bin}/exim4               rPx,
+  @{sbin}/exim4              rPx,
  @{bin}/ionice              rix,
  @{bin}/nice                rix,
  @{bin}/run-parts           rCx -> run-parts,
--- a/apparmor.d/groups/cron/cron-apt
+++ b/apparmor.d/groups/cron/cron-apt
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{sbin}/cron-apt
+@{exec_path} = @{bin}/cron-apt
 profile cron-apt @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -46,7 +46,7 @@ profile cron-apt @{exec_path} {
  @{bin}/apt-get     rPx,
  @{bin}/apt-file    rPx,
  @{bin}/aptitude{,-curses} rPx,
-  @{bin}/exim4      rPx,
+  @{sbin}/exim4      rPx,
  /usr/share/cron-apt/{,*} r,
--- a/apparmor.d/groups/cron/cron-exim4-base
+++ b/apparmor.d/groups/cron/cron-exim4-base
@ -34,10 +34,10 @@ profile cron-exim4-base @{exec_path} {
  @{bin}/hostname   rix,
  @{bin}/xargs      rix,
  @{bin}/find       rix,
-  @{bin}/eximstats rix,
+  @{sbin}/eximstats rix,
-  @{bin}/exim4     rPx,
+  @{sbin}/exim4             rPx,
-  @{bin}/exim_tidydb       rix,
+  @{sbin}/exim_tidydb       rix,
  @{sbin}/start-stop-daemon rix,
  @{sbin}/runuser           rix,
--- a/apparmor.d/groups/cron/crontab
+++ b/apparmor.d/groups/cron/crontab
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{sbin}/crontab
+@{exec_path} = @{bin}/crontab
 profile crontab @{exec_path} {
  include <abstractions/base>
  include <abstractions/authentication>
--- a/apparmor.d/groups/cups/cups-browsed
+++ b/apparmor.d/groups/cups/cups-browsed
@ -29,7 +29,7 @@ profile cups-browsed @{exec_path} {
  dbus receive bus=system path=/
       interface=org.freedesktop.Avahi.Server
       member=StateChanged
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
  dbus receive bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
--- a/apparmor.d/groups/cups/cupsd
+++ b/apparmor.d/groups/cups/cupsd
@ -54,7 +54,7 @@ profile cupsd @{exec_path} flags=(attach_disconnected) {
  @{bin}/gs                  rix,
  @{bin}/gsc                 rix,
  @{bin}/hostname            rix,
-  @{sbin}/ippfind            rix,
+  @{bin}/ippfind             rix,
  @{bin}/mktemp              rix,
  @{bin}/printenv            rix,
  @{python_path}             rix,
--- a/apparmor.d/groups/filesystem/btrfs-find-root
+++ b/apparmor.d/groups/filesystem/btrfs-find-root
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
-@{exec_path} = @{bin}/btrfs-find-root
+@{exec_path} = @{sbin}/btrfs-find-root
 profile btrfs-find-root @{exec_path} {
  include <abstractions/base>
  include <abstractions/disks-read>
--- a/apparmor.d/groups/filesystem/udisksd
+++ b/apparmor.d/groups/filesystem/udisksd
@ -65,8 +65,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
  signal receive set=int peer=@{p_systemd},
  #aa:dbus own bus=system name=org.freedesktop.UDisks2
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
-  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
+  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
  @{exec_path} mr,
--- a/apparmor.d/groups/firewall/firewalld
+++ b/apparmor.d/groups/firewall/firewalld
@ -35,8 +35,8 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
  @{bin}/alts                      ix,
  @{bin}/false                     ix,
  @{bin}/kmod                      Cx -> kmod,
-  @{sbin}/ebtables-legacy          ix,
+  @{bin}/ebtables-legacy           ix,
-  @{sbin}/ebtables-legacy-restore  ix,
+  @{bin}/ebtables-legacy-restore   ix,
  @{sbin}/ipset                    ix,
  @{sbin}/xtables-legacy-multi     ix,
  @{sbin}/xtables-nft-multi       mix,
--- a/apparmor.d/groups/flatpak/flatpak
+++ b/apparmor.d/groups/flatpak/flatpak
@ -41,8 +41,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
  signal send peer=flatpak-app,
  #aa:dbus talk bus=session name=org.freedesktop.Flatpak.SessionHelper label=flatpak-session-helper
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
-  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
+  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
  dbus send bus=session path=/org/freedesktop/portal/documents
       interface=org.freedesktop.portal.Documents
--- a/apparmor.d/groups/flatpak/flatpak-app
+++ b/apparmor.d/groups/flatpak/flatpak-app
@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
  @{bin}/gtk{,4}-update-icon-cache     rPx -> flatpak-app//&gtk-update-icon-cache,
  @{bin}/update-desktop-database       rPx -> flatpak-app//&update-desktop-database,
-  @{sbin}/update-mime-database         rPx -> flatpak-app//&update-mime-database,
+  @{bin}/update-mime-database          rPx -> flatpak-app//&update-mime-database,
  @{bin}/xdg-dbus-proxy                rPx -> flatpak-app//&xdg-dbus-proxy,
  @{lib}/kf5/kioslave5                 rPx,
--- a/apparmor.d/groups/freedesktop/colord
+++ b/apparmor.d/groups/freedesktop/colord
@ -23,6 +23,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=system name=org.freedesktop.ColorManager
  @{exec_path} mrix,
  @{lib}/colord-sane ix,
  /etc/machine-id r,
  /etc/sane.d/{,**} r,
@ -44,8 +45,8 @@ profile colord @{exec_path} flags=(attach_disconnected) {
  owner /var/lib/snmp/mibs/{iana,ietf}/ r,
  owner /var/lib/snmp/mibs/{iana,ietf}/[A-Z]* r,
-  @{att}/@{desktop_share_dirs}/icc/edid-*.icc r,
+  @{att}/@{desktop_share_dirs}/icc/edid-@{hex32}.icc r,
-  @{att}/@{user_share_dirs}/icc/edid-*.icc r,
+  @{att}/@{user_share_dirs}/icc/edid-@{hex32}.icc r,
  @{run}/systemd/sessions/* r,
--- a/apparmor.d/groups/freedesktop/pipewire-pulse
+++ b/apparmor.d/groups/freedesktop/pipewire-pulse
@ -11,15 +11,18 @@ include <tunables/global>
 profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
  capability sys_ptrace,
-  ptrace (read),
+  ptrace read,
  @{exec_path} mr,
  @{bin}/pactl rix,
  @{bin}/pipewire mr,
  /usr/share/pipewire/{,**} r,
@ -38,6 +41,9 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
  @{sys}/devices/virtual/dmi/id/board_vendor r,
  @{sys}/devices/virtual/dmi/id/bios_vendor r,
  @{sys}/module/apparmor/parameters/enabled r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  include if exists <local/pipewire-pulse>
 }
--- a/apparmor.d/groups/freedesktop/pulseaudio
+++ b/apparmor.d/groups/freedesktop/pulseaudio
@ -50,12 +50,12 @@ profile pulseaudio @{exec_path} {
  dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
       interface=org.freedesktop.Avahi.ServiceResolver
       member=Found
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
  dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
       interface=org.freedesktop.Avahi.ServiceBrowser
       member=ItemRemove
-       peer=(name=:*, label=avahi-daemon),
+       peer=(name=:*, label="@{p_avahi_daemon}"),
  dbus send bus=system path=/
       interface=org.freedesktop.DBus.ObjectManager
@ -65,7 +65,7 @@ profile pulseaudio @{exec_path} {
  dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
       interface=org.freedesktop.Avahi.ServiceResolver
       member={Found,Free}
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
  @{exec_path} mrix,
@ -82,9 +82,9 @@ profile pulseaudio @{exec_path} {
  owner @{desktop_cache_dirs}/gstreamer-1.0/ rw,
  owner @{desktop_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
-  owner @{desktop_config_dirs}/dconf/user   r,
+  owner @{desktop_config_dirs}/dconf/user r,
-  owner @{desktop_config_dirs}/pulse/{,**}  rw,
+  owner @{desktop_config_dirs}/pulse/{,**} rw,
-  owner @{desktop_config_dirs}/pulse/cookie   k,
+  owner @{desktop_config_dirs}/pulse/cookie k,
  owner @{HOME}/.pulse/{,**} rw,
  owner @{user_config_dirs}/ w,
--- a/apparmor.d/groups/freedesktop/upower
+++ b/apparmor.d/groups/freedesktop/upower
@ -13,7 +13,7 @@ profile upower @{exec_path} {
  include <abstractions/bus-system>
  include <abstractions/consoles>
-  #aa:dbus own bus=system name=org.freedesktop.UPower label=upowerd
+  #aa:dbus own bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/wireplumber
+++ b/apparmor.d/groups/freedesktop/wireplumber
@ -75,6 +75,10 @@ profile wireplumber @{exec_path} {
  @{sys}/devices/virtual/dmi/id/product_name r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
        @{PROC}/1/cgroup r,
        @{PROC}/1/cmdline r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  /dev/media@{int} rw,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = @{lib}/xdg-desktop-portal-gnome
 profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
@ -17,6 +17,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/deny-sensitive-home>
  include <abstractions/fontconfig-cache-write>
@ -27,8 +28,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  network unix stream,
-  signal (receive) set=term peer=gdm,
+  signal receive set=term peer=gdm,
-  signal (receive) set=(hup term) peer=gdm-session-worker,
+  signal receive set=(hup term) peer=gdm-session-worker,
  #aa:dbus own bus=session name=org.freedesktop.impl.portal.desktop.gnome
  #aa:dbus talk bus=session name=org.freedesktop.impl.portal path=/org/freedesktop/portal/desktop label=xdg-desktop-portal
@ -40,6 +41,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
       member=RunningApplicationsChanged
       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
  dbus send bus=session path=/org/gtk/Notifications
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=:*, label=gnome-shell),
  @{exec_path} mr,
  / r,
@ -63,12 +69,16 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/.goutputstream-@{rand6} rw,
  owner @{tmp}/@{rand6} rw,
  owner @{tmp}/gtkprint_ppd_@{rand6} rw,
  owner @{tmp}/gtkprint@{rand6} r,
  owner @{tmp}/xdg-desktop-portal-gnome@{rand6} rw,
  @{run}/mount/utab r,
  owner @{PROC}/@{pid}/ r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/@{tid}/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/status r,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk
@ -47,11 +47,6 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
       member=GetAll
       peer=(name=:*, label=gnome-shell),
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=:*, label=gnome-shell),
  @{exec_path} mr,
  /usr/share/gdm/greeter-dconf-defaults r,
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
@ -9,9 +9,9 @@ include <tunables/global>
@{exec_path} = @{bin}/xdg-user-dirs-gtk-update
 profile xdg-user-dirs-gtk-update @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dbus-accessibility>
  include <abstractions/dbus-session>
  include <abstractions/gtk>
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -48,7 +48,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/login1/session/*
       interface=org.freedesktop.login1.Session
       member=ReleaseControl
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
  @{exec_path} mrix,
--- a/apparmor.d/groups/gnome/gdm
+++ b/apparmor.d/groups/gnome/gdm
@ -34,8 +34,8 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=system name=org.gnome.DisplayManager
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gdm-session-worker
+++ b/apparmor.d/groups/gnome/gdm-session-worker
@ -49,13 +49,13 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
  unix bind type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
-  #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label=systemd-homed
+  #aa:dbus talk bus=system name=org.freedesktop.home1 interface=org.freedesktop.home1.Manager label="@{p_systemd_homed}"
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member={*Session,CreateSessionWithPIDFD}
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
  @{exec_path} mrix,
--- a/apparmor.d/groups/gnome/gjs-console
+++ b/apparmor.d/groups/gnome/gjs-console
@ -14,12 +14,13 @@ include <tunables/global>
@{exec_path} = @{bin}/gjs-console
 profile gjs-console @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
+  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/gnome-strict>
@ -28,7 +29,9 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
  network netlink raw,
-  signal (receive) set=(term hup) peer=gdm*,
+  unix type=stream peer=(label=gnome-shell),
  signal receive set=(term hup) peer=gdm*,
  #aa:dbus own bus=session name=org.freedesktop.Notifications
  #aa:dbus own bus=session name=org.gnome.ScreenSaver
--- a/apparmor.d/groups/gnome/gnome-calendar
+++ b/apparmor.d/groups/gnome/gnome-calendar
@ -32,7 +32,7 @@ profile gnome-calendar @{exec_path} {
  #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry
  #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
-  #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label=geoclue
+  #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
  dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
       interface=org.freedesktop.DBus.ObjectManager
--- a/apparmor.d/groups/gnome/gnome-characters
+++ b/apparmor.d/groups/gnome/gnome-characters
@ -29,7 +29,6 @@ profile gnome-characters @{exec_path} {
  /usr/share/xml/iso-codes/{,**} r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/status r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  include if exists <local/gnome-characters>
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -39,24 +39,28 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=session name=org.bluez.obex.Agent1
  #aa:dbus talk bus=session name=org.bluez.obex label=obexd
  #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
  #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
  #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Power label=gsd-power
  #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill
  #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
  #aa:dbus talk bus=system name=com.ubuntu.WhoopsiePreferences label=whoopsie-preferences
  #aa:dbus talk bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
-  #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label=fprintd
+  #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}"
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
  #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd
-  #aa:dbus talk bus=system name=org.freedesktop.hostname1 label=systemd-hostnamed
+  #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
-  #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label=ModemManager
+  #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
  #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
-  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label=polkitd
+  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
  #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
-  #aa:dbus talk bus=system name=org.freedesktop.UPower label=upowerd
+  #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
-  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-extension-gsconnect
+++ b/apparmor.d/groups/gnome/gnome-extension-gsconnect
@ -65,9 +65,10 @@ profile gnome-extension-gsconnect @{exec_path} {
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/status r,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,
  deny @{user_share_dirs}/gvfs-metadata/* r,
  include if exists <local/gnome-extension-gsconnect>
 }
--- a/apparmor.d/groups/gnome/gnome-firmware
+++ b/apparmor.d/groups/gnome/gnome-firmware
@ -20,8 +20,8 @@ profile gnome-firmware @{exec_path} {
  network inet6 stream,
  network netlink raw,
-  #aa:dbus talk bus=system name=org.freedesktop.fwupd label=fwupd path=/
+  #aa:dbus talk bus=system name=org.freedesktop.fwupd label="@{p_fwupd}" path=/
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
  @{exec_path} mr,
  @{open_path}  rPx -> child-open-help,
--- a/apparmor.d/groups/gnome/gnome-keyring-daemon
+++ b/apparmor.d/groups/gnome/gnome-keyring-daemon
@ -33,7 +33,7 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=GetSession
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-session-binary
+++ b/apparmor.d/groups/gnome/gnome-session-binary
@ -32,7 +32,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  signal (send) set=(term) peer=gsd-*,
  #aa:dbus own bus=session name=org.gnome.SessionManager
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
@ -60,6 +60,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  /usr/share/gdm/greeter/autostart/{,*.desktop} r,
  /usr/share/gnome-session/hardware-compatibility r,
  /usr/share/gnome-session/sessions/*.session r,
  /usr/share/gnome-shell/extensions/ r,
  /usr/share/gnome-shell/extensions/*/metadata.json r,
  /usr/share/gnome/autostart/{,*.desktop} r,
@ -69,6 +70,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
  owner @{gdm_config_dirs}/dconf/user rw,
  owner @{gdm_config_dirs}/gnome-session/ rw,
  owner @{gdm_config_dirs}/gnome-session/saved-session/ rw,
  owner @{gdm_config_dirs}/user-dirs.dirs r,
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_share_dirs}/applications/{,**} r,
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -56,11 +56,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  network netlink raw,
  network unix stream,
-  ptrace (read),
+  ptrace read,
-  ptrace (readby) peer=pipewire,
+  ptrace readby peer=pipewire,
-  signal (receive) set=(term, hup) peer=gdm*,
+  signal receive set=(term, hup) peer=gdm*,
-  signal (send),
+  signal send,
  unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
  unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
@ -83,11 +83,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  # Talk with gnome-shell
-  #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
  #aa:dbus talk bus=system name=org.freedesktop.bolt label=boltd
-  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
+  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
-  #aa:dbus talk bus=system name=org.freedesktop.login1 label=systemd-logind
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
-  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=power-profiles-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
  #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
  #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
@ -103,11 +103,11 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
       interface=org.freedesktop.PolicyKit1.Authority
       member=RegisterAuthenticationAgent
-       peer=(name=:*, label=polkitd),
+       peer=(name=:*, label="@{p_polkitd}"),
  dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
       interface=org.freedesktop.PolicyKit1.AuthenticationAgent
       member=BeginAuthentication
-       peer=(name=:*, label=polkitd),
+       peer=(name=:*, label="@{p_polkitd}"),
  dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
       interface=org.freedesktop.NetworkManager.AgentManager
@ -185,8 +185,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  /usr/share/gnome-shell/extensions/*/**               rPUx,
  /opt/**/share/icons/{,**} r,
-  /snap/*/@{uid}/**.png r,
+  /snap/*/@{uid}/**.@{image_ext} r,
-  /usr/share/**.{png,jpg,svg} r,
+  /usr/share/**.@{image_ext} r,
  /usr/share/**/icons/{,**} r,
  /usr/share/backgrounds/{,**} r,
  /usr/share/byobu/desktop/byobu* r,
@ -241,25 +241,28 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{HOME}/.face r,
  owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
-  owner @{HOME}/.mozilla/native-messaging-hosts/ r,
+  owner @{HOME}/.mozilla/native-messaging-hosts/ rw,
-  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json rw,
+  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.*.json{,.@{rand6}} rw,
  owner @{HOME}/.mozilla/native-messaging-hosts/org.gnome.shell.extensions.gsconnect.json.@{rand6} rw,
  owner @{HOME}/.tpm2_pkcs11/tpm2_pkcs11.sqlite3 rw,
-  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
+  owner @{HOME}/.var/app/**.@{image_ext} r,
  owner @{HOME}/.var/app/**/ r,
  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rw,
-  owner @{user_games_dirs}/**.{png,jpg,svg} r,
+  owner @{user_games_dirs}/**.@{image_ext} r,
-  owner @{user_music_dirs}/**.{png,jpg,svg} r,
+  owner @{user_music_dirs}/**.@{image_ext} r,
  owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
  owner @{user_config_dirs}/**/NativeMessagingHosts/ rw,
  owner @{user_config_dirs}/**/NativeMessagingHosts/org.gnome.shell.*.json{,.@{rand6}} rw,
  owner @{user_config_dirs}/background r,
  owner @{user_config_dirs}/ibus/ w,
  owner @{user_config_dirs}/monitors.xml{,~} rwl,
  owner @{user_config_dirs}/tiling-assistant/{,**} rw,
  owner @{user_share_dirs}/backgrounds/{,**} rw,
  owner @{user_share_dirs}/dbus-1/services/ r,
  owner @{user_share_dirs}/dbus-1/services/org.gnome.shell.*.service{,.@{rand6}} rw,
  owner @{user_share_dirs}/desktop-directories/{,**} r,
  owner @{user_share_dirs}/gnome-shell/{,**} rw,
  owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
@ -267,9 +270,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{user_share_dirs}/icc/ rw,
  owner @{user_share_dirs}/icc/.goutputstream-@{rand6} rw,
  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
  owner @{user_share_dirs}/icons/**/org.gnome.shell.*.svg{,.@{rand6}} w,
-  owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop rw,
+  owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,
  owner @{user_share_dirs}/applications/org.gnome.Shell.Extensions.GSConnect{,.Preferences}.desktop.@{rand6} w,
  owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
  owner @{user_cache_dirs}/gnome-boxes/*.png r,
  owner @{user_cache_dirs}/gnome-photos/{,**} r,
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@ -28,7 +28,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Color
-  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
+  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
  dbus receive bus=session path=/org/gtk/Settings
       interface=org.freedesktop.DBus.Properties
@ -45,10 +45,10 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_share_dirs}/icc/ rw,
-  owner @{gdm_share_dirs}/icc/edid-*.icc rw,
+  owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw,
  owner @{user_share_dirs}/icc/ rw,
-  owner @{user_share_dirs}/icc/edid-*.icc rw,
+  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
  include if exists <local/gsd-color>
 }
--- a/apparmor.d/groups/gnome/gsd-housekeeping
+++ b/apparmor.d/groups/gnome/gsd-housekeeping
@ -24,10 +24,10 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Housekeeping
-  dbus receive bus=session
+  dbus send bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.DBus.Introspectable
+       interface=org.freedesktop.systemd1.Manager
-       member=Introspect
+       member=Subscribe
-       peer=(name=:*, label=gnome-shell),
+       peer=(name=org.freedesktop.systemd1),
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gsd-media-keys
+++ b/apparmor.d/groups/gnome/gsd-media-keys
@ -38,7 +38,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/login1
       interface=org.freedesktop.login1.Manager
       member=PowerOff
-       peer=(name=:*, label=systemd-logind),
+       peer=(name=:*, label="@{p_systemd_logind}"),
  dbus send bus=session path=/
       interface=org.freedesktop.DBus
--- a/apparmor.d/groups/gnome/gsd-power
+++ b/apparmor.d/groups/gnome/gsd-power
@ -43,7 +43,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
  dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
       interface=org.freedesktop.UPower.KbdBacklight
       member=GetBrightness
-       peer=(name=:*, label=upowerd),
+       peer=(name=:*, label="@{p_upowerd}"),
  dbus receive bus=session path=/org/gtk/Settings
       interface=org.freedesktop.DBus.Properties
--- a/apparmor.d/groups/gnome/gsd-xsettings
+++ b/apparmor.d/groups/gnome/gsd-xsettings
@ -17,6 +17,7 @@ profile gsd-xsettings @{exec_path} {
  include <abstractions/bus/org.gnome.Mutter.DisplayConfig>
  include <abstractions/bus/org.gnome.SessionManager>
  include <abstractions/bus/org.gnome.Shell.Introspect>
  include <abstractions/bus/org.gtk.vfs.Daemon>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/dconf-write>
  include <abstractions/fontconfig-cache-read>
@ -33,21 +34,19 @@ profile gsd-xsettings @{exec_path} {
  #aa:dbus own bus=session name=org.gnome.SettingsDaemon.XSettings
  #aa:dbus own bus=session name=org.gtk.Settings
  #aa:dbus talk bus=session name=org.gnome.Mutter.X11 label=gnome-shell
  dbus send bus=system path=/org/freedesktop/Accounts/User@{uid}
       interface=org.freedesktop.Accounts.User
       member=SetInputSources
-       peer=(name=:*, label=accounts-daemon),
+       peer=(name=:*, label="@{p_accounts_daemon}"),
  dbus send bus=session path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=GetId
       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
  @{exec_path} mr,
  @{sh_path} mr,
  @{bin}/cat                   rix,
  @{bin}/sed                   rix,
-  @{bin}/which                 rix,
+  @{bin}/which{,.debianutils}  rix,
  @{bin}/busctl         rPx,
  @{bin}/pactl          rPx,
--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@ -9,18 +9,29 @@ include <tunables/global>
@{exec_path} = @{bin}/loupe
 profile loupe @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/dconf-write>
  include <abstractions/gnome-strict>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/thumbnails-cache-write>
  include <abstractions/trash-strict>
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>
  unix type=stream peer=(label=loupe//bwrap),
  signal send set=kill peer=loupe//bwrap,
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
  dbus send bus=system path=/org/freedesktop/hostname1
       interface=org.freedesktop.DBus.Properties
       member=GetAll
       peer=(name=@{busname}, label=@{p_systemd_hostnamed}),
  @{exec_path} mr,
  @{bin}/bwrap rCx -> bwrap,
@ -32,7 +43,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
  owner @{user_cache_dirs}/glycin/{,**} rw,
-  @{run}/mount/utab r,
+        @{run}/mount/utab r,
  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
  @{sys}/fs/cgroup/user.slice/cpu.max r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
@ -51,6 +63,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
    include <abstractions/base>
    include <abstractions/common/bwrap>
    unix type=stream peer=(label=loupe),
    signal receive set=kill peer=loupe,
    @{bin}/bwrap mr,
--- a/Show more
+++ b/Show more