feat(profile): update and enforce a few profiles.

apparmor.d/groups/filesystem/mke2fs

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{sbin}/mke2fs @{sbin}/mkfs.ext2 @{sbin}/mkfs.ext3 @{sbin}/mkfs.ext4
 profile mke2fs @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/disks-write>
   include <abstractions/user-download-strict>
 

apparmor.d/groups/gnome/gnome-session-binary

@@ -103,7 +103,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   profile open flags=(attach_disconnected) {
     include <abstractions/base>
     include <abstractions/consoles>
-    include <abstractions/consoles>
     include <abstractions/desktop>
 
     @{bin}/env rix,

apparmor.d/groups/gnome/gnome-software

@@ -9,10 +9,8 @@ include <tunables/global>
 @{exec_path} = @{bin}/gnome-software
 profile gnome-software @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dconf-write>
+  include <abstractions/common/gnome>
   include <abstractions/fontconfig-cache-write>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
@@ -71,15 +69,11 @@ profile gnome-software @{exec_path} {
   /var/tmp/flatpak-cache-*/** rwkl,
   /var/tmp/#@{int} rw,
 
-  / r,
-
   owner @{HOME}/.var/app/{,**} rw,
 
   owner @{user_download_dirs}/*.flatpakref r,
 
   owner @{user_cache_dirs}/flatpak/{,**} rwl,
-  owner @{user_cache_dirs}/gnome-software/ rw,
-  owner @{user_cache_dirs}/gnome-software/** rwlk -> @{user_cache_dirs}/gnome-software/**,
 
   owner @{user_config_dirs}/flatpak/{,**} r,
   owner @{user_config_dirs}/pulse/*.conf r,
@@ -94,7 +88,6 @@ profile gnome-software @{exec_path} {
   owner @{user_share_dirs}/flatpak/overrides/* r,
   owner @{user_share_dirs}/flatpak/repo/ rw,
   owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
-  owner @{user_share_dirs}/gnome-software/{,**} rw,
 
   owner @{tmp}/ostree-gpg-@{rand6}/ rw,
   owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
@@ -123,10 +116,7 @@ profile gnome-software @{exec_path} {
         @{PROC}/sys/fs/pipe-max-size r,
         @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
   owner @{PROC}/@{pid}/cgroup r,
-  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fdinfo/@{int} r,
-  owner @{PROC}/@{pid}/stat r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   /dev/fuse rw,
 
@@ -166,6 +156,8 @@ profile gnome-software @{exec_path} {
     include <abstractions/base>
     include <abstractions/app/fusermount>
 
+    capability setuid,
+
     mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
     umount /var/tmp/flatpak-cache-*/*/,
 

apparmor.d/groups/gnome/gnome-system-monitor

@@ -9,10 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/gnome-system-monitor
 profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/bus-session>
+  include <abstractions/common/gnome>
-  include <abstractions/dconf-write>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
@@ -35,7 +32,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{bin}/sed    rix,
   @{bin}/tr     rix,
 
-  /usr/share/gnome-system-monitor/{,**} r,
   /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
 
   / r,
@@ -78,8 +74,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{PROC}/diskstats r,
   @{PROC}/vmstat r,
 
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
-
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   /dev/tty rw,

apparmor.d/groups/gnome/gnome-terminal-server

@@ -19,11 +19,11 @@ profile gnome-terminal-server @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
 
-  signal (send) set=(hup) peer=htop,
+  signal send set=(hup) peer=htop,
-  signal (send) set=(term hup kill) peer=unconfined,
+  signal send set=(term hup kill) peer=unconfined,
 
-  ptrace (read) peer=htop,
+  ptrace read peer=htop,
-  ptrace (read) peer=unconfined,
+  ptrace read peer=unconfined,
 
   #aa:dbus own bus=session name=org.gnome.Terminal interface+=org.gtk.Actions
 
@@ -39,14 +39,14 @@ profile gnome-terminal-server @{exec_path} {
   @{exec_path} mr,
 
   # The shell is not confined on purpose.
-  @{bin}/@{shells}            rUx,
+  @{bin}/@{shells}            Ux,
 
   # Some CLI program can be launched directly from Gnome Shell
-  @{bin}/htop                 rPx,
+  @{bin}/htop                 Px,
-  @{bin}/micro               rPUx,
+  @{bin}/micro               PUx,
-  @{bin}/nvtop                rPx,
+  @{bin}/nvtop                Px,
 
-  @{open_path}                rPx -> child-open,
+  @{open_path}                Px -> child-open,
 
   /etc/shells r,
 

apparmor.d/groups/gnome/gnome-tweaks

@@ -32,7 +32,7 @@ profile gnome-tweaks @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 
   owner @{user_config_dirs}/autostart/ rw,
-  owner @{user_config_dirs}/autostart/*.desktop r,
+  owner @{user_config_dirs}/autostart/*.desktop rw,
   owner @{user_config_dirs}/gtk-{3,4}.0/settings.ini* rw,
   owner @{user_share_dirs}/backgrounds/{,**} r,
   owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,

apparmor.d/groups/gnome/kgx

@@ -17,7 +17,7 @@ profile kgx @{exec_path} {
 
   capability sys_ptrace,
 
-  ptrace (read),
+  ptrace read,
 
   @{exec_path} mr,
 
@@ -25,14 +25,14 @@ profile kgx @{exec_path} {
   @{bin}/@{shells}           rUx,
 
   # Some CLI program can be launched directly from Gnome Shell
-  @{bin}/btop                rPUx,
+  @{bin}/btop                 PUx,
-  @{bin}/htop                 rPx,
+  @{bin}/htop                  Px,
-  @{bin}/micro               rPUx,
+  @{bin}/micro                PUx,
-  @{bin}/nvtop                rPx,
+  @{bin}/nvtop                 Px,
-  @{bin}/nvtop                rPx,
+  @{bin}/nvtop                 Px,
-  @{bin}/vim                  rUx,
+  @{bin}/vim                   Ux,
 
-  @{open_path}                rPx -> child-open-help,
+  @{open_path}                 Px -> child-open-help,
 
   owner @{tmp}/#@{int} rw,
 

apparmor.d/groups/network/ModemManager

@@ -14,7 +14,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.PolicyKit1>
   include <abstractions/consoles>
   include <abstractions/devices-usb>
-  include <abstractions/dri-enumerate>
+  include <abstractions/dri>
 
   capability net_admin,
 
@@ -47,7 +47,6 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/tty/ r,
   @{sys}/class/wwan/ r,
 
-  @{sys}/devices/@{pci}/revision r,
   @{sys}/devices/**/net/*/ r,
   @{sys}/devices/**/uevent r,
   @{sys}/devices/virtual/tty/*/ r,

apparmor.d/groups/polkit/pkttyagent

@@ -18,7 +18,7 @@ profile pkttyagent @{exec_path} {
   capability sys_nice,
   capability audit_write,
 
-  ptrace (read),
+  ptrace read,
   signal (send, receive),
 
   @{exec_path} mr,

apparmor.d/groups/shadow/newgidmap

@@ -18,6 +18,8 @@ profile newgidmap @{exec_path} {
 
   @{exec_path} mr,
 
+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/{,*} r,
   /etc/subgid r,
 
   @{PROC}/@{pids}/ r,

apparmor.d/groups/shadow/newuidmap

@@ -18,6 +18,8 @@ profile newuidmap @{exec_path} {
 
   @{exec_path} mr,
 
+  @{etc_ro}/login.defs r,
+  @{etc_ro}/login.defs.d/{,*} r,
   /etc/subuid r,
 
   @{PROC}/@{pids}/ r,

apparmor.d/profiles-a-f/calibre

@@ -15,9 +15,10 @@ profile calibre @{exec_path} {
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus/org.a11y>
-  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/bus/org.freedesktop.UDisks2>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/bus/org.kde.StatusNotifierWatcher>
+  include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-read>
@@ -35,11 +36,13 @@ profile calibre @{exec_path} {
 
   capability sys_ptrace,
 
+  network inet dgram,
   network inet stream,
+  network inet6 dgram,
   network inet6 stream,
   network netlink raw,
 
-  unix (send, receive) type=stream peer=(addr=none, label=xorg),
+  # unix (send, receive) type=stream peer=(addr=none, label=xorg),
   unix (bind, listen)  type=stream addr="@*-calibre-gui.socket",
   unix (bind)          type=stream addr="@calibre-*",
 
@@ -47,9 +50,10 @@ profile calibre @{exec_path} {
 
   @{sh_path}              rix,
   @{python_path}          rix,
+  @{bin}/env                r,
   @{bin}/file             rix,
-  @{sbin}/ldconfig{,.real} rix,
   @{bin}/uname            rix,
+  @{sbin}/ldconfig{,.real} rix,
   @{lib}/{,@{multiarch}/}qt{5,6}{,/libexec/}QtWebEngineProcess rix,
 
   @{bin}/pdftoppm        rPUx, # (#FIXME#)
@@ -61,6 +65,7 @@ profile calibre @{exec_path} {
   /usr/share/calibre/{,**} r,
 
   /etc/fstab r,
+  /etc/httpd/conf/mime.types r,
   /etc/inputrc r,
   /etc/magic r,
   /etc/mime.types r,
@@ -68,10 +73,15 @@ profile calibre @{exec_path} {
   owner @{HOME}/ r,
   owner "@{HOME}/Calibre Library/{,**}" rw,
   owner "@{HOME}/Calibre Library/metadata.db" rwk,
-  owner @{user_documents_dirs}/{,**} rwl,
+
   owner @{user_books_dirs}/{,**} rwl,
+  owner @{user_books_dirs}/Calibre/** rwk,
+  owner @{user_documents_dirs}/{,**} rwl,
+  owner @{user_documents_dirs}/Calibre/** rwk,
   owner @{user_torrents_dirs}/{,**} rwl,
+  owner @{user_torrents_dirs}/Calibre/** rwk,
   owner @{user_work_dirs}/{,**} rwl,
+  owner @{user_work_dirs}/Calibre/** rwk,
 
   owner @{user_config_dirs}/calibre/ rw,
   owner @{user_config_dirs}/calibre/** rwk,
@@ -82,10 +92,11 @@ profile calibre @{exec_path} {
   owner @{user_cache_dirs}/calibre/ rw,
   owner @{user_cache_dirs}/calibre/** rwkl -> @{user_cache_dirs}/calibre/**,
 
-  owner @{tmp}/calibre_*_tmp_*/{,**} rw,
+  owner @{tmp}/@{rand8} rw,
-  owner @{tmp}/calibre-*/{,**} rw,
+  audit owner @{tmp}/@{int}-*/ rw,
-  owner @{tmp}/@{int}-*/ rw,
+  audit owner @{tmp}/@{int}-*/** rwl,
-  owner @{tmp}/@{int}-*/** rwl,
+  audit owner @{tmp}/calibre_@{rand8}_tmp_*/{,**} rw,
+  audit owner @{tmp}/calibre-@{rand8}/{,**} rw,
 
   owner /dev/shm/#@{int} rw,
 
@@ -108,6 +119,7 @@ profile calibre @{exec_path} {
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/task/@{tid}/status r,
 
+        /dev/tty r,
   owner /dev/tty@{int} rw,
 
   include if exists <local/calibre>

apparmor.d/profiles-m-r/mdevctl

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/mdevctl
 profile mdevctl @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/metadata-cleaner

@@ -9,9 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/metadata-cleaner
 profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/dconf-write>
+  include <abstractions/common/gnome>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
   include <abstractions/user-read-strict>
@@ -20,12 +18,10 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
   @{python_path} rix,
 
-  @{bin}/bwrap rCx -> bwrap,
+  @{bin}/bwrap  Cx -> bwrap,
-  @{open_path} rPx -> child-open-help,
+  @{open_path}  Px -> child-open-help,
 
-  /usr/share/metadata-cleaner/{,**} r,
   /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w,
-
   /usr/share/poppler/{,**} r,
 
   /etc/httpd/conf/mime.types r,
@@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
 
   @{run}/mount/utab r,
 
-  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   deny owner @{user_share_dirs}/gvfs-metadata/* r,
   deny owner @{user_cache_dirs}/thumbnails/** r,
@@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
     include <abstractions/common/bwrap>
     include <abstractions/perl>
 
-    signal (receive) set=(kill) peer=metadata-cleaner,
+    signal receive set=(kill) peer=metadata-cleaner,
 
     @{bin}/bwrap mr,
     @{bin}/vendor_perl/exiftool rix,

apparmor.d/profiles-s-z/totem

@@ -14,6 +14,7 @@ profile totem @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.gnome.SessionManager>
   include <abstractions/common/gnome>
   include <abstractions/gstreamer>
+  include <abstractions/thumbnails-cache-write>
   include <abstractions/user-download-strict>
 
   network netlink raw,
@@ -67,6 +68,10 @@ profile totem @{exec_path} flags=(attach_disconnected) {
     include <abstractions/gstreamer>
 
     capability dac_override,
+    capability sys_ptrace,
+
+    network inet dgram,
+    network inet6 dgram,
 
     @{bin}/bwrap mr,
     @{bin}/totem-video-thumbnailer rix,
@@ -78,8 +83,11 @@ profile totem @{exec_path} flags=(attach_disconnected) {
     owner @{tmp}/flatpak-seccomp-@{rand6} rw,
     owner @{tmp}/gnome-desktop-file-to-thumbnail.* rw,
     owner @{tmp}/gnome-desktop-thumbnailer-@{rand6}/{,**} rw,
+    owner @{tmp}/gnome-desktop-thumbnailer.png rw,
 
           @{PROC}/sys/vm/mmap_min_addr r,
+    owner @{PROC}/@{pid}/mountinfo r,
+    owner @{PROC}/@{pid}/stat r,
     owner @{PROC}/@{pid}/task/@{tid}/comm w,
 
     /dev/ r,

apparmor.d/profiles-s-z/xsane-gimp

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Roman Beslik <me@beroal.in.ua>
+# Copyright (C) 2024-2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/4.0>,
@@ -10,27 +11,30 @@ include <tunables/global>
 profile xsane-gimp @{exec_path} {
   include <abstractions/base>
   include <abstractions/devices-usb>
-  include <abstractions/gnome-strict>
+  include <abstractions/desktop>
-
-  signal (receive) set=(term, kill) peer=gimp,
 
   network inet dgram,
   network inet6 dgram,
   network netlink raw,
 
+  signal receive set=(term, kill) peer=gimp,
+
   @{exec_path} mr,
+
   @{system_share_dirs}/gimp/{,**} r,
   @{system_share_dirs}/sane/xsane/{,**} r,
-  @{system_share_dirs}/snmp/mibs/{,**} r, # network
+  @{system_share_dirs}/snmp/mibs/{,**} r,
+
   /etc/sane.d/{,**} r,
+
   owner @{HOME}/.sane/{,**} rw,
   owner @{tmp}/xsane-*-@{rand6} rw,
-  @{sys}/devices/@{pci}/{model,type,vendor} r,
-  @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r,
 
-  # SCSI
   @{sys}/bus/scsi/devices/ r,
+  @{sys}/devices/@{pci}/{model,type,vendor} r,
+
   @{PROC}/scsi/scsi r,
+  @{PROC}/sys/dev/parport/{,parport@{int}/{base-addr,irq}} r,
 
   include if exists <local/xsane-gimp>
 }

dists/flags/main.flags

@@ -9,7 +9,6 @@ systemd attach_disconnected,mediate_deleted,complain
 systemd-service attach_disconnected,complain
 systemd-user attach_disconnected,mediate_deleted,complain
 
-aa-notify complain
 akonadi_akonotes_resource complain
 akonadi_archivemail_agent complain
 akonadi_birthdays_resource complain
@@ -106,7 +105,6 @@ filezilla complain
 finalrd complain
 firewall-applet attach_disconnected,complain
 firewall-config complain
-firewalld attach_disconnected,complain
 flameshot complain
 flatpak attach_disconnected,mediate_deleted,complain
 flatpak-app attach_disconnected,mediate_deleted,complain
@@ -117,29 +115,20 @@ flatpak-system-helper complain
 flatpak-validate-icon complain
 fstrim complain
 fuse-overlayfs complain
-fusermount complain
 gdk-pixbuf-thumbnailer complain
 gdm-generate-config complain
 gdm-runtime-config complain
 gdm-session attach_disconnected,complain
 gdm-xsession complain
-gimp complain
 gmenudbusmenuproxy complain
 gnome-browser-connector-host complain
 gnome-control-center attach_disconnected,complain
 gnome-control-center-goa-helper complain
 gnome-disk-image-mounter complain
-gnome-disks complain
 gnome-extension-gsconnect complain
 gnome-extension-manager complain
 gnome-initial-setup complain
-gnome-music attach_disconnected,complain
-gnome-photos-thumbnailer complain
 gnome-remote-desktop-daemon complain
-gnome-software complain
-gnome-system-monitor attach_disconnected,complain
-gnome-terminal-server complain
-gnome-tweaks complain
 grub-bios-setup complain
 grub-editenv complain
 grub-file complain
@@ -173,8 +162,8 @@ gsettings complain
 gvfsd-dav complain
 gvfsd-wsdd complain
 hostnamectl complain
-hyprctl complain
+hyprctl attach_disconnected,complain
-hyprlock complain
+hyprlock attach_disconnected,complain
 hyprpaper attach_disconnected,complain
 hyprpicker complain
 hyprpm complain
@@ -184,7 +173,6 @@ im-launch complain
 install-info complain
 iwctl complain
 iwd complain
-jitterentropy-rngd complain
 kaccess complain
 kactivitymanagerd complain
 kalendarac complain
@@ -202,7 +190,6 @@ kded complain
 kernel-install complain
 keyboxd complain
 kglobalacceld complain
-kgx complain
 kio_http_cache_cleaner complain
 kiod complain
 kioworker complain
@@ -238,9 +225,6 @@ lvmdump complain
 lvmpolld complain
 man complain
 mate-notification-daemon complain
-mdevctl complain
-metadata-cleaner attach_disconnected,complain
-mke2fs complain
 ModemManager attach_disconnected,complain
 mount attach_disconnected,complain
 multipath attach_disconnected,complain
@@ -357,7 +341,6 @@ systemd-network-generator complain
 systemd-nsresourced complain
 systemd-nsresourcework complain
 systemd-portabled complain
-systemd-remount-fs complain
 systemd-resolve complain
 systemd-shutdown complain
 systemd-sleep-tlp complain
@@ -408,6 +391,5 @@ xdm-xsession complain
 xembedsniproxy complain
 xfce-session attach_disconnected,complain
 xsettingsd complain
-xwaylandvideobridge complain
 zpool complain