feat(profile): update and enforce a few profiles.

apparmor.d/groups/filesystem/mke2fs

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4
 profile mke2fs @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/disks-write>
   include <abstractions/user-download-strict>
 

apparmor.d/groups/gnome/gnome-session-binary

@@ -103,7 +103,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   profile open flags=(attach_disconnected) {
     include <abstractions/base>
     include <abstractions/consoles>
-    include <abstractions/consoles>
     include <abstractions/desktop>
 
     @{bin}/env rix,

apparmor.d/groups/gnome/gnome-software

@@ -9,10 +9,8 @@ include <tunables/global>
 @{exec_path} = @{bin}/gnome-software
 profile gnome-software @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dconf-write>
+  include <abstractions/common/gnome>
   include <abstractions/fontconfig-cache-write>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
@@ -71,15 +69,11 @@ profile gnome-software @{exec_path} {
   /var/tmp/flatpak-cache-*/** rwkl,
   /var/tmp/#@{int} rw,
 
-  / r,
-
   owner @{HOME}/.var/app/{,**} rw,
 
   owner @{user_download_dirs}/*.flatpakref r,
 
   owner @{user_cache_dirs}/flatpak/{,**} rwl,
-  owner @{user_cache_dirs}/gnome-software/ rw,
-  owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**,
 
   owner @{user_config_dirs}/flatpak/{,**} r,
   owner @{user_config_dirs}/pulse/*.conf r,
@@ -94,7 +88,6 @@ profile gnome-software @{exec_path} {
   owner @{user_share_dirs}/flatpak/overrides/* r,
   owner @{user_share_dirs}/flatpak/repo/ rw,
   owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
-  owner @{user_share_dirs}/gnome-software/{,**} rw,
 
   owner @{tmp}/ostree-gpg-@{rand6}/ rw,
   owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
@@ -123,10 +116,7 @@ profile gnome-software @{exec_path} {
         @{PROC}/sys/fs/pipe-max-size r,
         @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
   owner @{PROC}/@{pid}/cgroup r,
-  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fdinfo/@{int} r,
-  owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   /dev/fuse rw,
 
@@ -166,6 +156,8 @@ profile gnome-software @{exec_path} {
     include <abstractions/base>
     include <abstractions/app/fusermount>
 
+    capability setuid,
+
     mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
     umount /var/tmp/flatpak-cache-*/*/,
 

apparmor.d/groups/gnome/gnome-system-monitor

@@ -9,10 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/gnome-system-monitor
 profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/bus-session>
-  include <abstractions/dconf-write>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
+  include <abstractions/common/gnome>
   include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
@@ -35,7 +32,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{bin}/sed    rix,
   @{bin}/tr     rix,
 
-  /usr/share/gnome-system-monitor/{,**} r,
   /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
 
   / r,
@@ -78,8 +74,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{PROC}/diskstats r,
   @{PROC}/vmstat r,
 
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   /dev/tty rw,

apparmor.d/groups/gnome/gnome-terminal-server

@@ -19,11 +19,11 @@ profile gnome-terminal-server @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
 
-  signal (send) set=(hup) peer=htop,
-  signal (send) set=(term hup kill) peer=unconfined,
+  signal send set=(hup) peer=htop,
+  signal send set=(term hup kill) peer=unconfined,
 
-  ptrace (read) peer=htop,
-  ptrace (read) peer=unconfined,
+  ptrace read peer=htop,
+  ptrace read peer=unconfined,
 
   #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions
 
@@ -39,14 +39,14 @@ profile gnome-terminal-server @{exec_path} {
   @{exec_path} mr,
 
   # The shell is not confined on purpose.
-  @{bin}/@{shells}            rUx,
+  @{bin}/@{shells}            Ux,
 
   # Some CLI program can be launched directly from Gnome Shell
-  @{bin}/htop                 rPx,
-  @{bin}/micro               rPUx,
-  @{bin}/nvtop                rPx,
+  @{bin}/htop                 Px,
+  @{bin}/micro               PUx,
+  @{bin}/nvtop                Px,
 
-  @{open_path}                rPx -> child-open,
+  @{open_path}                Px -> child-open,
 
   /etc/shells r,
 

apparmor.d/groups/gnome/gnome-tweaks

@@ -32,7 +32,7 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 
   owner @{user_config_dirs}/autostart/ rw,
-  owner @{user_config_dirs}/autostart/*.desktop r,
+  owner @{user_config_dirs}/autostart/*.desktop rw,
   owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw,
   owner @{user_share_dirs}/backgrounds/{,**} r,
   owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,

apparmor.d/groups/gnome/kgx

@@ -17,7 +17,7 @@ profile kgx @{exec_path} {
 
   capability sys_ptrace,
 
-  ptrace (read),
+  ptrace read,
 
   @{exec_path} mr,
 
@@ -25,14 +25,14 @@ profile kgx @{exec_path} {
   @{bin}/@{shells}           rUx,
 
   # Some CLI program can be launched directly from Gnome Shell
-  @{bin}/btop                rPUx,
-  @{bin}/htop                 rPx,
-  @{bin}/micro               rPUx,
-  @{bin}/nvtop                rPx,
-  @{bin}/nvtop                rPx,
-  @{bin}/vim                  rUx,
+  @{bin}/btop                 PUx,
+  @{bin}/htop                  Px,
+  @{bin}/micro                PUx,
+  @{bin}/nvtop                 Px,
+  @{bin}/nvtop                 Px,
+  @{bin}/vim                   Ux,
 
-  @{open_path}                rPx -> child-open-help,
+  @{open_path}                 Px -> child-open-help,
 
   owner @{tmp}/#@{int} rw,
 

apparmor.d/groups/network/ModemManager

@@ -14,7 +14,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.PolicyKit1>
   include <abstractions/consoles>
   include <abstractions/devices-usb>
-  include <abstractions/dri-enumerate>
+  include <abstractions/dri>
 
   capability net_admin,
 
@@ -47,7 +47,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/tty/ r,
   @{sys}/class/wwan/ r,
 
-  @{sys}/devices/@{pci}/revision r,
   @{sys}/devices/**/net/*/ r,
   @{sys}/devices/**/uevent r,
   @{sys}/devices/virtual/tty/*/ r,

apparmor.d/groups/polkit/pkttyagent

@@ -18,8 +18,8 @@ profile pkttyagent @{exec_path} {
   capability sys_nice,
   capability audit_write,
 
-  ptrace (read),
-  signal (send,receive),
+  ptrace read,
+  signal (send, receive),
 
   @{exec_path} mr,
 

apparmor.d/groups/shadow/newgidmap

@@ -18,6 +18,8 @@ profile newgidmap @{exec_path} {
 
   @{exec_path} mr,
 
+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/{,*} r,
   /etc/subgid r,
 
   @{PROC}/@{pids}/ r,

apparmor.d/groups/shadow/newuidmap

@@ -18,6 +18,8 @@ profile newuidmap @{exec_path} {
 
   @{exec_path} mr,
 
+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/{,*} r,
   /etc/subuid r,
 
   @{PROC}/@{pids}/ r,