feat(profile): general update.

apparmor.d/abstractions/chromium

@@ -153,6 +153,7 @@
         @{PROC}/@{pids}/statm r,
         @{PROC}/@{pids}/task/@{tid}/stat r,
         @{PROC}/@{pids}/task/@{tid}/status r,
+        @{PROC}/pressure/{memory,cpu,io} r,
         @{PROC}/sys/fs/inotify/max_user_watches r,
         @{PROC}/sys/kernel/yama/ptrace_scope r,
         @{PROC}/vmstat r,

apparmor.d/groups/apt/apt-methods-http

@@ -31,6 +31,8 @@ profile apt-methods-http @{exec_path} {
   signal (receive) peer=unattended-upgrade,
   signal (receive) peer=update-manager,
 
+  ptrace (read),
+
   @{exec_path} mr,
 
   # apt-helper gets "no new privs" so "rix" it

apparmor.d/groups/children/child-dpkg

@@ -17,8 +17,8 @@ profile child-dpkg {
   include <abstractions/base>
   include <abstractions/consoles>
 
-  # Needed?
+  capability dac_read_search,
-  deny capability setgid,
+  capability setgid,
 
   /{usr/,}bin/dpkg mr,
 

apparmor.d/groups/gnome/evolution-calendar-factory

@@ -42,12 +42,14 @@ profile evolution-calendar-factory @{exec_path} {
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
-  owner @{user_share_dirs}/evolution/calendar/{,**} rwk,
-  owner @{user_share_dirs}/evolution/tasks/system/ w,
-  owner @{user_share_dirs}/evolution/tasks/system/tasks.ics r,
   owner @{user_cache_dirs}/evolution/calendar/{,**} rwk,
   owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
 
+  owner @{user_share_dirs}/evolution/calendar/{,**} rwk,
+  owner @{user_share_dirs}/evolution/tasks/system/ w,
+  owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   @{PROC}/sys/kernel/osrelease r,
   @{PROC}/cmdline r,
 

apparmor.d/groups/gnome/gdm-session-worker

@@ -84,6 +84,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 
   owner @{run}/user/@{uid}/keyring/control rw,
 
+  @{run}/cockpit/active.motd r,
   @{run}/faillock/[a-zA-z0-9]* rwk,
   @{run}/gdm{3,}/custom.conf r,
   @{run}/motd.d/{,*} r,

apparmor.d/groups/systemd/networkctl

@@ -13,10 +13,10 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dbus-strict>
 
   capability net_admin,
+  capability sys_module,
 
   # Needed? (#FIXME#)
   audit capability sys_resource,
-  audit capability sys_module,
 
   signal send peer=child-pager,
 
@@ -27,7 +27,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
   dbus send bus=system path=/org/freedesktop/network[0-9]
        interface=org.freedesktop.DBus.Properties
        member=Get
-       peer=(name=org.freedesktop.network[0-9]),
+       peer=(name=org.freedesktop.network1),
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-coredump

@@ -14,6 +14,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
   include <abstractions/openssl>
   include <abstractions/systemd-common>
 
+  capability dac_override,
   capability dac_read_search,
   capability net_admin,
   capability setgid,

apparmor.d/groups/ubuntu/update-motd-updates-available

@@ -39,7 +39,7 @@ profile update-motd-updates-available @{exec_path} {
   /etc/machine-id r,
 
   /var/lib/update-notifier/{,*} rw,
-  /var/lib/ubuntu-advantage/apt-esm/var/cache/apt/pkgcache.bin* rw,
+  /var/lib/ubuntu-advantage/apt-esm/var/cache/apt/*pkgcache.bin* rw,
 
   /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 

apparmor.d/groups/virt/cockpit-bridge

@@ -23,6 +23,7 @@ profile cockpit-bridge @{exec_path} {
 
   signal (send) set=term peer=cockpit-pcp,
   signal (send) set=term peer=dbus-daemon,
+  signal (send) set=term peer=journalctl,
   signal (send) set=term peer=ssh-agent,
   signal (send) set=term peer=sudo,
   signal (send) set=term peer=unconfined,
@@ -36,9 +37,11 @@ profile cockpit-bridge @{exec_path} {
   /usr/share/cockpit/{,**} r,
 
   /etc/cockpit/{,**} r,
+  /etc/login.defs r,
   /etc/machine-id r,
   /etc/motd r,
   /etc/shadow r,
+  /etc/shells r,
 
   owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
 

apparmor.d/groups/virt/docker-proxy

@@ -11,10 +11,13 @@ profile docker-proxy @{exec_path} {
   include <abstractions/base>
 
   capability net_admin,
+  capability net_bind_service,
 
   network inet stream,
   network inet6 stream,
 
+  signal (receive) set=int peer=dockerd,
+
   @{exec_path} mr,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

apparmor.d/groups/virt/dockerd

@@ -47,6 +47,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   ptrace (read) peer=docker-*,
   ptrace (read) peer=unconfined,
 
+  signal (send) set=int peer=docker-proxy,
   signal (send) set=kill peer=docker-*,
   signal (send) set=term peer=containerd,
 

apparmor.d/groups/virt/virtinterfaced

@@ -14,6 +14,8 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
+  ptrace (read) peer=virtqemud,
+
   @{exec_path} mr,
 
   /{usr/,}lib/gconv/gconv-modules rm,
@@ -33,6 +35,8 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/ r,
   @{sys}/class/net/ r,
   @{sys}/devices/pci[0-9]*/**/net/{,**} r,
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node[0-9]*/meminfo r,
   @{sys}/devices/virtual/net/{,**} r,
 
   owner @{PROC}/@{pids}/stat r,

apparmor.d/groups/virt/virtnodedevd

@@ -17,11 +17,13 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
+  ptrace (read) peer=virtqemud,
+
   @{exec_path} mr,
 
   /{usr/,}bin/mdevctl rPx,
 
-  /usr/share/hwdata/pnp.ids r,
+  /usr/share/hwdata/*.ids r,
 
   /etc/mdevctl.d/{,**} r,
 
@@ -46,7 +48,8 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 
   @{run}/udev/data/c1:[0-9]* r,         # For RAM disk
   @{run}/udev/data/c10:[0-9]* r,        # For non-serial mice, misc features
-  @{run}/udev/data/c13:[0-9]* r,        # for /dev/input/*
+  @{run}/udev/data/c13:[0-9]* r,        # For /dev/input/*
+  @{run}/udev/data/c29:[0-9]* r,        # For /dev/fb[0-9]*
   @{run}/udev/data/c90:[0-9]* r,        # For RAM, ROM, Flash
   @{run}/udev/data/c116:[0-9]* r,       # For ALSA
   @{run}/udev/data/c226:[0-9]* r,       # For /dev/dri/card[0-9]*
@@ -68,7 +71,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node[0-9]*/meminfo r,
-  @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date} r,
+  @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
   @{sys}/devices/virtual/net/{,**} r,
   @{sys}/kernel/iommu_groups/ r,
   @{sys}/kernel/iommu_groups/[0-9]*/devices/ r,

apparmor.d/groups/virt/virtsecretd

@@ -14,13 +14,17 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
+  ptrace (read) peer=virtqemud,
+
   @{exec_path} mr,
 
+  owner @{user_config_dirs}/libvirt/secrets/ rw,
+  owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk,
+
         @{run}/systemd/inhibit/*.ref rw,
   owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
   owner @{run}/user/@{uid}/libvirt/secrets/ rw,
-  owner @{run}/user/@{uid}/libvirt/secrets/run rw,
+  owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk,
-  owner @{run}/user/@{uid}/libvirt/secrets/run/* rwk,
   owner @{run}/user/@{uid}/libvirt/virtsecretd* rwk,
 
   @{run}/utmp rk,

apparmor.d/profiles-g-l/lvm

@@ -21,6 +21,8 @@ profile lvm @{exec_path} {
   capability sys_nice,
   capability sys_rawio,
 
+  ptrace (read),
+
   @{exec_path} rm,
 
   @{etc_rw}/lvm/** rwkl,

apparmor.d/profiles-m-r/packagekitd

@@ -42,7 +42,7 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
   dbus receive bus=system path=/org/freedesktop/PackageKit
        interface=org.freedesktop.{DBus.Introspectable,PackageKit}
        member={Introspect,StateHasChanged}
-       peer=(name=:*, label=apt),
+       peer=(name=:*),
 
   dbus (send,receive) bus=system path=/[0-9]*_@{hex}
        interface=org.freedesktop.{DBus.Properties,PackageKit.Transaction},

apparmor.d/profiles-s-z/steam-gameoverlayui

@@ -54,7 +54,7 @@ profile steam-gameoverlayui @{exec_path} {
   owner /tmp/miles_image_* mrw,
 
   @{sys}/ r,
-  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
+  @{sys}/devices/system/cpu/cpu[0-9]*/** r,
   @{sys}/kernel/ r,
 
   @{PROC}/version r,

apparmor.d/profiles-s-z/steam-reaper

@@ -29,6 +29,8 @@ profile steam-reaper @{exec_path} {
   owner /dev/shm/u@{uid}-Shm_@{hex} rw,
   owner /dev/shm/u@{uid}-ValveIPCSharedObj-Steam rwk,
 
+  @{sys}/devices/system/cpu/cpu[0-9]*/** r,
+
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   include if exists <local/steam-reaper>

apparmor.d/profiles-s-z/sudo

@@ -80,6 +80,7 @@ profile sudo @{exec_path} {
         @{run}/ r,
         @{run}/faillock/{,*} rwk,
         @{run}/resolvconf/resolv.conf r,
+        @{run}/systemd/sessions/* r,
   owner @{run}/sudo/ rw,
   owner @{run}/sudo/ts/ rw,
   owner @{run}/sudo/ts/* rwk,

dists/flags/main.flags

@@ -63,7 +63,6 @@ fdisk complain
 file-roller complain
 firewalld complain
 flatpak-session-helper complain
-fprintd attach_disconnected,complain
 fsck-ext4 complain
 fuse-overlayfs complain
 fusermount complain
@@ -277,8 +276,8 @@ virtinterfaced attach_disconnected,complain
 virtiofsd complain,attach_disconnected
 virtlockd complain
 virtnetworkd complain
-virtnodedevd complain
+virtnodedevd attach_disconnected,complain
-virtsecretd complain
+virtsecretd attach_disconnected,complain
 virtstoraged attach_disconnected,complain
 wg complain
 wg-quick complain

dists/flags/ubuntu.flags

@@ -9,11 +9,12 @@ list-oem-metapackages complain
 livepatch-notification complain
 notify-reboot-required complain
 package-system-locked attach_disconnected,complain
+pro complain
 release-upgrade-motd complain
-software-properties-gtk
 software-properties-gtk complain
 ubuntu-advantage complain
 ubuntu-advantage-notification complain
+ubuntu-distro-info complain
 ubuntu-report complain
 update-manager attach_disconnected,complain
 update-motd-fsck-at-reboot complain