Merge branch 'roddhjav:main' into kerberos-utils

.github/workflows/main.yml

@@ -47,11 +47,6 @@ jobs:
           if [[ ${{ matrix.mode }} == full-system-policy ]]; then
             sed -e "s/just complain/just fsp-complain/" -i debian/rules
           fi
-          if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then
-            # Test with Re-attach disconnected path
-            sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go
-            sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system
-          fi
           bash dists/build.sh dpkg
 
       - name: Install apparmor.d
@@ -83,7 +78,7 @@ jobs:
   tests:
     runs-on: ubuntu-24.04
     needs: build
-    if: github.ref == 'refs/heads/dev'
+    if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch'
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4

.gitignore

@@ -1,6 +1,7 @@
 # Build
 .build
 .logs
+.pkg
 tests/tldr
 tests/tldr.tar.gz
 

Justfile

@@ -5,7 +5,7 @@
 # Usage: `just`
 # See https://apparmor.pujol.io/development/ for more information.
 
-# Build setings
+# Build settings
 destdir := "/"
 build := ".build"
 pkgdest := `pwd` / ".pkg"
@@ -63,27 +63,27 @@ build:
 [group('build')]
 [doc('Prebuild the profiles in enforced mode')]
 enforce: build
-	@./{{build}}/prebuild
+	@./{{build}}/prebuild --buildir {{build}}
 
 [group('build')]
 [doc('Prebuild the profiles in complain mode')]
 complain: build
-	@./{{build}}/prebuild --complain
+	./{{build}}/prebuild --buildir {{build}} --complain
 
 [group('build')]
 [doc('Prebuild the profiles in FSP mode')]
 fsp: build
-	@./{{build}}/prebuild --full
+	@./{{build}}/prebuild --buildir {{build}} --full
 
 [group('build')]
 [doc('Prebuild the profiles in FSP mode (complain)')]
 fsp-complain: build
-	@./{{build}}/prebuild --complain --full
+	@./{{build}}/prebuild --buildir {{build}} --complain --full
 
 [group('build')]
 [doc('Prebuild the profiles in FSP mode (debug)')]
 fsp-debug: build
-	@./{{build}}/prebuild --complain --full --debug
+	@./{{build}}/prebuild --buildir {{build}} --complain --full --debug
 
 [group('install')]
 [doc('Install prebuild profiles')]
@@ -251,7 +251,7 @@ create dist flavor:
 		--memorybacking source.type=memfd,access.mode=shared \
 		--disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \
 		--filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \
-		--os-variant "`just get_osinfo {{dist}}`" \
+		--os-variant "`just _get_osinfo {{dist}}`" \
 		--graphics spice \
 		--audio id=1,type=spice \
 		--sound model=ich9 \
@@ -282,18 +282,18 @@ destroy dist flavor:
 [group('vm')]
 [doc('Connect to the machine')]
 ssh dist flavor:
-	@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}`
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}`
 
 [group('vm')]
 [doc('Mount the shared directory on the machine')]
 mount dist flavor:
-	@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'
 
 [group('vm')]
 [doc('Unmout the shared directory on the machine')]
 umount dist flavor:
-	@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true'
 
 [group('vm')]
@@ -307,6 +307,7 @@ list:
 images:
 	#!/usr/bin/env bash
 	set -eu -o pipefail
+	mkdir -p {{base_dir}}
 	ls -lh {{base_dir}} | awk '
 	BEGIN {
 		printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date")
@@ -343,19 +344,19 @@ init:
 
 [group('tests')]
 [doc('Run the integration tests')]
-integration:
+integration name="":
-	bats --recursive --timing --print-output-on-failure tests/integration
+	bats --recursive --timing --print-output-on-failure tests/integration/{{name}}
 
 [group('tests')]
 [doc('Install dependencies for the integration tests (machine)')]
 tests-init dist flavor:
-	@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
 
 [group('tests')]
 [doc('Synchronize the integration tests (machine)')]
 tests-sync dist flavor:
-	@ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
 
 [group('tests')]
@@ -367,18 +368,16 @@ tests-resync dist flavor: (mount dist flavor) \
 [group('tests')]
 [doc('Run the integration tests (machine)')]
 tests-run dist flavor name="": (tests-resync dist flavor)
-	ssh {{sshopt}} {{username}}@`just get_ip {{dist}} {{flavor}}` \
+	ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		bats --recursive --pretty --timing --print-output-on-failure \
 			/home/{{username}}/Projects/tests/integration/{{name}}
 
-[private]
+_get_ip dist flavor:
-get_ip dist flavor:
 	@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
 		head -1 | \
 		grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
 
-[private]
+_get_osinfo dist:
-get_osinfo dist:
 	#!/usr/bin/env python3
 	osinfo = {
 		"archlinux": "archlinux",

apparmor.d/abstractions/amdgpu

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Kernel Fusion Driver for AMD GPUs
+
+  abi <abi/4.0>,
+
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
+
+  @{sys}/devices/virtual/kfd/kfd/dev r,
+  @{sys}/devices/virtual/kfd/kfd/topology/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/generation_id r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
+  @{sys}/devices/virtual/kfd/kfd/topology/system_properties r,
+  @{sys}/devices/virtual/kfd/kfd/uevent r,
+  @{sys}/module/amdgpu/initstate r,
+
+  /dev/kfd rw,
+
+  include if exists <abstractions/amdgpu.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/app/chromium

@@ -25,20 +25,20 @@
   include <abstractions/bus/org.bluez>
   include <abstractions/bus/org.freedesktop.Avahi>
   include <abstractions/bus/org.freedesktop.FileManager1>
-  include <abstractions/bus/org.freedesktop.Notifications>
-  include <abstractions/bus/org.freedesktop.ScreenSaver>
   include <abstractions/bus/org.freedesktop.secrets>
   include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
-  include <abstractions/bus/org.gnome.ScreenSaver>
   include <abstractions/bus/org.gnome.SessionManager>
   include <abstractions/bus/org.kde.kwalletd>
+  include <abstractions/common/chromium>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
+  include <abstractions/screensaver>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
@@ -46,14 +46,6 @@
   include <abstractions/user-read-strict>
   include <abstractions/video>
 
-  userns,
-
-  capability setgid,
-  capability setuid,
-  capability sys_admin,
-  capability sys_chroot,
-  capability sys_ptrace,
-
   network inet dgram,
   network inet6 dgram,
   network inet stream,
@@ -112,21 +104,12 @@
   /etc/fstab r,
   /etc/{,opensc/}opensc.conf r,
 
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
   / r,
   owner @{HOME}/ r,
 
-  owner @{HOME}/.pki/ rw,
-  owner @{HOME}/.pki/nssdb/ rw,
-  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
-  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
-  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
   owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
   owner @{user_config_dirs}/gtk-3.0/servers r,
-  owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
+
   owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w,
 
   owner @{config_dirs}/ rw,
@@ -151,10 +134,7 @@
 
         /tmp/ r,
         /var/tmp/ r,
-  owner @{tmp}/.@{domain}.@{rand6} rw,
-  owner @{tmp}/.@{domain}.@{rand6}/{,**} rw,
   owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
-  owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
   owner @{tmp}/tmp.@{rand10} rw,
   owner @{tmp}/tmp.@{rand6} rw,
   owner @{tmp}/tmp.@{rand6}/ rw,
@@ -163,9 +143,6 @@
   owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
   owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
 
-        /dev/shm/ r,
-  owner /dev/shm/.@{domain}.@{rand6} rw,
-
   @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
 
   @{sys}/bus/ r,
@@ -175,10 +152,7 @@
   @{sys}/devices/@{pci}/boot_vga r,
   @{sys}/devices/@{pci}/report_descriptor r,
   @{sys}/devices/**/uevent r,
-  @{sys}/devices/system/cpu/kernel_max r,
   @{sys}/devices/virtual/**/report_descriptor r,
-  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r,
-  @{sys}/devices/virtual/tty/tty@{int}/active r,
 
         @{PROC}/ r,
         @{PROC}/@{pid}/fd/ r,
@@ -192,18 +166,15 @@
   owner @{PROC}/@{pid}/clear_refs w,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/environ r,
-  owner @{PROC}/@{pid}/gid_map w,
   owner @{PROC}/@{pid}/limits r,
   owner @{PROC}/@{pid}/mem r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  owner @{PROC}/@{pid}/setgroups w,
   owner @{PROC}/@{pid}/smaps_rollup r,
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
-  owner @{PROC}/@{pid}/uid_map w,
 
         /dev/ r,
         /dev/hidraw@{int} rw,

apparmor.d/abstractions/app/editor

@@ -12,9 +12,10 @@
   @{sh_path}                  rix,
   @{bin}/nvim                mrix,
   @{bin}/sensible-editor       mr,
-  @{bin}/vim{,.*}            mrix,
+  @{bin}/vim*                mrix,
   @{bin}/which{,.debianutils} rix,
 
+  /usr/share/doc/{,**} r,
   /usr/share/nvim/{,**} r,
   /usr/share/terminfo/** r,
   /usr/share/vim/{,**} r,
@@ -24,8 +25,9 @@
   /etc/xdg/nvim/* r,
 
   owner @{HOME}/.selected_editor r,
-  owner @{HOME}/.viminf@{c}{,.tmp} rw,
   owner @{HOME}/.vim/{after/,}spell/{,**} rw,
+  owner @{HOME}/.vim/** r,
+  owner @{HOME}/.viminf@{c}{,.tmp} rw,
   owner @{HOME}/.vimrc r,
 
   owner @{HOME}/ r,

apparmor.d/abstractions/app/firefox

@@ -21,8 +21,9 @@
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.FileManager1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
-  include <abstractions/bus/org.freedesktop.timedate1>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.freedesktop.RealtimeKit1>
+  include <abstractions/bus/org.freedesktop.timedate1>
   include <abstractions/cups-client>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
@@ -98,8 +99,12 @@
         /var/tmp/ r,
   owner @{tmp}/@{name}/ rw,
   owner @{tmp}/@{name}/* rwk,
+  owner @{tmp}/@{rand6}.tmp rw,
   owner @{tmp}/firefox/ rw,
   owner @{tmp}/firefox/* rwk,
+  owner @{tmp}/mozilla* rw,
+  owner @{tmp}/mozilla*/ rw,
+  owner @{tmp}/mozilla*/* rwk,
   owner @{tmp}/remote-settings-startup-bundle- rw,
   owner @{tmp}/remote-settings-startup-bundle-.tmp rw,
   owner @{tmp}/Temp-@{uuid}/ rw,

apparmor.d/abstractions/app/open

@@ -7,6 +7,8 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/bus-session>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/desktop>
 
   # We cannot use `@{open_path} mrix,` here because it includes:
@@ -30,11 +32,9 @@
 
     include <abstractions/audio-client>
     include <abstractions/bus-accessibility>
-    include <abstractions/bus-session>
     include <abstractions/bus/org.a11y>
     include <abstractions/graphics>
-
+    include <abstractions/nameservice-strict>
-    /etc/xdg/menus/ r,
 
     owner @{run}/user/@{uid}/#@{int} rw,
     owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},

apparmor.d/abstractions/app/pager

@@ -21,6 +21,8 @@
   /usr/share/file/misc/** r,
   /usr/share/nvim/{,**} r,
 
+  @{etc_ro}/lesskey.bin r,
+
   @{HOME}/.lesshst r,
 
   owner @{HOME}/ r,

apparmor.d/abstractions/app/pgrep

@@ -19,11 +19,13 @@
   @{sys}/devices/system/node/node@{int}/meminfo r,
 
   @{PROC}/ r,
+  @{PROC}/@{pid}/status r,
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/@{pids}/cmdline r,
   @{PROC}/@{pids}/environ r,
   @{PROC}/@{pids}/stat r,
   @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/tty/drivers r,
   @{PROC}/uptime r,
 
   include if exists <abstractions/app/pgrep.d>

apparmor.d/abstractions/app/udevadm

@@ -11,7 +11,8 @@
 
   /etc/udev/udev.conf r,
 
-  @{run}/udev/data/* r,
+  @{run}/udev/data/+*:* r,                # Identifies all subsystems
+  @{run}/udev/data/c@{int}:@{int} r,      # Identifies all character devices
 
   @{sys}/** r,
 

apparmor.d/abstractions/attached/base

@@ -8,12 +8,14 @@
 
   abi <abi/4.0>,
 
-  include <abstractions/base-strict>
+  include <abstractions/base>
 
   @{att}/@{run}/systemd/journal/dev-log w,
   @{att}/@{run}/systemd/journal/socket w,
   @{att}/@{run}/systemd/journal/stdout rw,
 
+  @{att}/dev/null  rw,
+
   /apparmor/.null rw,
   @{att}/apparmor/.null rw,
 

apparmor.d/abstractions/base-strict

@@ -67,8 +67,9 @@
   # Allow unconfined processes to us via unix sockets
   unix receive peer=(label=unconfined),
 
-  # Allow communication to children profiles
+  # Allow communication to children and stacked profiles
   signal peer=@{profile_name}//*,
+  signal peer=@{profile_name}//&*,
   unix type=stream peer=(label=@{profile_name}//*),
 
   # Allow us to create abstract and anonymous sockets

apparmor.d/abstractions/base.d/complete

@@ -8,20 +8,20 @@
   signal receive                           peer=@{p_systemd_user},
 
   # Allow to receive some signals from new well-known profiles
-  signal (receive)                           peer=btop,
+  signal receive                           peer=btop,
-  signal (receive)                           peer=htop,
+  signal receive                           peer=htop,
-  signal (receive)                           peer=pkill,
+  signal receive                           peer=pkill,
-  signal (receive)                           peer=sudo,
+  signal receive                           peer=sudo,
-  signal (receive)                           peer=top,
+  signal receive                           peer=top,
-  signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
+  signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
-  signal (receive) set=(hup term)            peer=login,
+  signal receive set=(hup term)            peer=login,
-  signal (receive) set=(hup)                 peer=xinit,
+  signal receive set=(hup)                 peer=xinit,
-  signal (receive) set=(term,kill)           peer=gnome-shell,
+  signal receive set=(term,kill)           peer=gnome-shell,
-  signal (receive) set=(term,kill)           peer=gnome-system-monitor,
+  signal receive set=(term,kill)           peer=gnome-system-monitor,
-  signal (receive) set=(term,kill)           peer=openbox,
+  signal receive set=(term,kill)           peer=openbox,
-  signal (receive) set=(term,kill)           peer=su,
+  signal receive set=(term,kill)           peer=su,
 
-  ptrace (readby) peer=@{p_systemd_coredump},
+  ptrace readby peer=@{p_systemd_coredump},
 
   @{etc_rw}/localtime r,
   /etc/locale.conf r,
@@ -30,4 +30,6 @@
 
   @{PROC}/sys/kernel/core_pattern r,
 
+  /apparmor/.null rw,
+
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/accessibility/own

@@ -20,6 +20,6 @@
        member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
        peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
 
-  include if exists <abstractions/bus/own-accessibility.d>
+  include if exists <abstractions/bus/accessibility/own.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.a11y

@@ -31,6 +31,11 @@
        member=Embed
        peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
 
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry),
+
   # Session bus
 
   dbus send bus=session path=/org/a11y/bus
@@ -38,6 +43,11 @@
        member=GetAll
        peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
 
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
   dbus send bus=session path=/org/a11y/bus
        interface=org.a11y.Bus
        member=Get

apparmor.d/abstractions/bus/org.freedesktop.Accounts

@@ -8,8 +8,8 @@
 
   dbus send bus=system path=/org/freedesktop/Accounts
        interface=org.freedesktop.Accounts
-       member={FindUserByName,ListCachedUsers}
+       member={FindUserByName,ListCachedUsers,FindUserById}
-       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
+       peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"),
 
   dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
        interface=org.freedesktop.Accounts.User

apparmor.d/abstractions/bus/org.freedesktop.Avahi

@@ -23,7 +23,7 @@
 
   dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
        interface=org.freedesktop.Avahi.ServiceBrowser
-       member={ItemNew,AllForNow,CacheExhausted}
+       member={ItemNew,ItemRemove,AllForNow,CacheExhausted}
        peer=(name="@{busname}", label="@{p_avahi_daemon}"),
 
   dbus receive bus=system path=/

apparmor.d/abstractions/bus/org.freedesktop.ColorManager

@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow for color managed applications to communicate with colord
+
   abi <abi/4.0>,
 
   #aa:dbus common bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
@@ -21,6 +23,11 @@
        member={DeviceAdded,DeviceRemoved}
        peer=(name="@{busname}", label="@{p_colord}"),
 
+  dbus (receive, send) bus=system path=/org/freedesktop/ColorManager
+       interface=org.freedesktop.ColorManager
+       member=FindDeviceByProperty
+       peer=(name="@{busname}", label="@{p_colord}"),
+
   include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.FileManager1

@@ -6,6 +6,11 @@
 
   #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus
 
+  dbus send bus=session path=/org/freedesktop/FileManager1
+       interface=org.freedesktop.FileManager1
+       member=ShowItems
+       peer=(name=org.freedesktop.FileManager1, label=nautilus),
+
   include if exists <abstractions/bus/org.freedesktop.FileManager1.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.Notifications

@@ -1,26 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console
-
-  dbus send bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member={GetCapabilities,GetServerInformation,Notify}
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member={NotificationClosed,CloseNotification}
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member=Notify
-       peer=(name=org.freedesktop.DBus, label=gjs-console),
-
-  include if exists <abstractions/bus/org.freedesktop.Notifications.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver

@@ -1,14 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=session path=/ScreenSaver
-       interface=org.freedesktop.ScreenSaver
-       member={Inhibit,UnInhibit}
-       peer=(name=org.freedesktop.ScreenSaver),
-
-  include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.UPower

@@ -2,10 +2,13 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Can query UPower for power devices, history and statistics.
+
   abi <abi/4.0>,
 
   #aa:dbus common bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
 
+  # Find all devices monitored by UPower
   dbus send bus=system path=/org/freedesktop/UPower
        interface=org.freedesktop.UPower
        member=EnumerateDevices
@@ -13,7 +16,12 @@
 
   dbus send bus=system path=/org/freedesktop/UPower
        interface=org.freedesktop.DBus.Properties
-       member=GetDisplayDevice
+       member={GetDisplayDevice,GetCriticalAction}
+       peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
+
+  dbus send bus=system path=/org/freedesktop/UPower/devices/**
+       interface=org.freedesktop.UPower.Device
+       member={GetHistory,Refresh}
        peer=(name=org.freedesktop.UPower, label="@{p_upowerd}"),
 
   dbus receive bus=system path=/org/freedesktop/UPower

apparmor.d/abstractions/bus/org.freedesktop.hostname1

@@ -5,6 +5,7 @@
   abi <abi/4.0>,
 
   #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
+
   dbus send bus=system path=/org/freedesktop/hostname1
        interface=org.freedesktop.DBus.Properties
        member=Get

apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop

@@ -11,31 +11,51 @@
        member=Read
        peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
 
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
   dbus send bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.portal.Settings
        member={Read,ReadAll}
-       peer=(name="@{busname}", label=xdg-desktop-portal),
+       peer=(name=@{busname}, label=xdg-desktop-portal),
 
   dbus receive bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.portal.Settings
        member=SettingChanged
-       peer=(name="@{busname}", label=xdg-desktop-portal),
+       peer=(name=@{busname}, label=xdg-desktop-portal),
 
-  dbus receive bus=session path=/org/freedesktop/portal/desktop
+  dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**}
        interface=org.freedesktop.DBus.Properties
        member={Get,GetAll}
-       peer=(name="@{busname}", label=xdg-desktop-portal),
+       peer=(name=@{busname}, label=xdg-desktop-portal),
 
   dbus receive bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.impl.portal.Settings
        member={Read,ReadAll}
-       peer=(name="@{busname}", label=xdg-desktop-portal),
+       peer=(name=@{busname}, label=xdg-desktop-portal),
 
   dbus send bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.host.portal.Registry
        member=Register
        peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
 
+  dbus receive bus=session path=/org/freedesktop/portal/desktop/**
+       interface=org.freedesktop.portal.Request
+       member=Response
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
+  dbus receive bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Inhibit
+       member={StateChanged,CreateMonitor}
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
+  dbus receive bus=session path=/org/freedesktop/portal/desktop/session/**
+       interface=org.freedesktop.impl.portal.Session
+       member=Close
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
   include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.resolve1

@@ -4,12 +4,12 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
+  #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
 
   dbus send bus=system path=/org/freedesktop/resolve1
        interface=org.freedesktop.resolve1.Manager
-       member={SetLink*,ResolveHostname}
+       member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService}
-       peer=(name="{@{busname},org.freedesktop.resolve1}", label="@{p_systemd_resolved}"),
+       peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"),
 
   include if exists <abstractions/bus/org.freedesktop.resolve1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.secrets

@@ -8,8 +8,8 @@
 
   dbus send bus=session path=/org/freedesktop/secrets
        interface=org.freedesktop.Secret.Service
-       member={OpenSession,GetSecrets,SearchItems,ReadAlias}
+       member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias}
-       peer=(name="@{busname}", label=gnome-keyring-daemon),
+       peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
 
   dbus send bus=session path=/org/freedesktop/secrets/aliases/default
        interface=org.freedesktop.Secret.Collection

apparmor.d/abstractions/bus/org.freedesktop.systemd1

@@ -6,7 +6,7 @@
 
   #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
 
-  dbus send bus=session path=/org/freedesktop/systemd1
+  dbus send bus=system path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit}
        peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),

apparmor.d/abstractions/bus/org.freedesktop.systemd1-session

@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
-
-  dbus send bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.systemd1.Manager
-       member=GetUnit
-       peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
-
-  include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor

@@ -13,8 +13,8 @@
 
   dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
        interface=org.gnome.Mutter.IdleMonitor
-       member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
+       member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime}
-       peer=(name="@{busname}", label=gnome-shell),
+       peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell),
 
   dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
        interface=org.gnome.Mutter.IdleMonitor

apparmor.d/abstractions/bus/org.gnome.SessionManager

@@ -13,6 +13,11 @@
        member={RegisterClient,IsSessionRunning}
        peer=(name="@{busname}", label=gnome-session-binary),
 
+  dbus send bus=session path=/org/gnome/SessionManager
+       interface=org.gnome.SessionManager
+       member={Inhibit,Uninhibit}
+       peer=(name="@{busname}", label=gnome-session-binary),
+
   dbus send bus=session path=/org/gnome/SessionManager
        interface=org.gnome.SessionManager
        member={Setenv,IsSessionRunning}

apparmor.d/abstractions/bus/org.gnome.SettingsDaemon.MediaKeys

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow requesting interest in receiving media key events. This tells Gnome
+# settings that our application should be notified when key events we are
+# interested in are pressed, and allows us to receive those events.
+
+  abi <abi/4.0>,
+
+  # DBus.Properties: read all properties from the interface
+  dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
+
+  dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys
+       interface=org.gnome.SettingsDaemon.MediaKeys
+       peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
+
+  include if exists <abstractions/bus/org.gnome.SettingsDaemon.MediaKeys.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2

@@ -6,6 +6,16 @@
 
   #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
 
+  dbus receive bus=session path=/org/gnome/Characters/SearchProvider
+       interface=org.gnome.Shell.SearchProvider2
+       member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas}
+       peer=(name=@{busname}, label=gnome-shell),
+
+    dbus receive bus=session path=/org/gnome/Characters/SearchProvider
+       interface=org.gnome.Shell.SearchProvider2
+       member=*Cancel
+       peer=(name=@{busname}, label=gnome-shell),
+
   include if exists <abstractions/bus/org.gnome.Shell.SearchProvider2.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter

@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow accessing the GNOME crypto services prompt APIs as used by
+# applications using libgcr (such as pinentry-gnome3) for secure pin
+# entry to unlock GPG keys etc. See:
+# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
+# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
+# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/gnome/keyring/Prompter
+       interface=org.gnome.keyring.internal.Prompter
+       member={BeginPrompting,PerformPrompt,StopPrompting}
+       peer=(name=@{busname}, label=pinentry-*),
+
+  dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
+       interface=org.gnome.keyring.internal.Prompter.Callback
+       member={PromptReady,PromptDone}
+       peer=(name=@{busname}, label=pinentry-*),
+
+  include if exists <abstractions/bus/org.gnome.keyring.internal.Prompter.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gtk.vfs.Daemon

@@ -7,7 +7,7 @@
   dbus send bus=session path=/org/gtk/vfs/Daemon
        interface=org.gtk.vfs.Daemon
        member={GetConnection,ListMonitorImplementations,ListMountableInfo}
-       peer=(name="@{busname}", label=gvfsd),
+       peer=(name=@{busname}, label=gvfsd),
 
   dbus receive bus=session path=/org/gtk/vfs/Daemon
        interface=org.gtk.vfs.Daemon

apparmor.d/abstractions/bus/org.gtk.vfs.MountTracker

@@ -21,7 +21,7 @@
 
   dbus receive bus=session path=/org/gtk/vfs/mounttracker
        interface=org.gtk.vfs.MountTracker
-       member=Mounted
+       member={Mounted,Unmounted}
        peer=(name="@{busname}", label=gvfsd),
 
   include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>

apparmor.d/abstractions/bus/org.kde.StatusNotifierItem

@@ -4,6 +4,30 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/bus/session/own>
+
+  dbus bind bus=session name=org.kde.StatusNotifierItem-@{int},
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.kde.StatusNotifierWatcher
+       member=RegisterStatusNotifierItem
+       peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/StatusNotifierItem
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/{StatusNotifierItem,org/ayatana/NotificationItem/*}
+       interface=org.kde.StatusNotifierItem
+       member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip}
+       peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
+
   include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher

@@ -2,14 +2,52 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow to display Status Notifier Items in the KDE Plasma systray
+
   abi <abi/4.0>,
 
-  #aa:dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
+  #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
+
+  dbus receive bus=session path=/StatusNotifierItem
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(label="@{pp_app_indicator}"),
+
+
+  dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
+       interface=com.canonical.dbusmenu
+       member={LayoutUpdated,ItemsPropertiesUpdated}
+       peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
+
+  dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
+       interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
+       member={Get*,AboutTo*,Event*}
+       peer=(label="@{pp_app_indicator}"),
 
   dbus send bus=session path=/StatusNotifierWatcher
        interface=org.kde.StatusNotifierWatcher
        member=RegisterStatusNotifierItem
-       peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
+       peer=(label="@{pp_app_indicator}"),
+
+  dbus receive bus=session path=/StatusNotifierItem
+       interface=org.kde.StatusNotifierItem
+       member={ProvideXdgActivationToken,Activate}
+       peer=(label="@{pp_app_indicator}"),
+
+  dbus receive bus=session  path=/MenuBar
+       interface=com.canonical.dbusmenu
+       member={AboutToShow,GetLayout,Event}
+       peer=(label="@{pp_app_indicator}"),
 
   include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
 

apparmor.d/abstractions/bus/org.mpris.MediaPlayer2.Player

@@ -4,27 +4,34 @@
 
   abi <abi/4.0>,
 
-  #aa-dbus common bus=session name=org.mpris.MediaPlayer2.Player label=unconfined
+  # DBus.Properties: read all properties from the interface
+  dbus send bus=system path=/org/mpris/MediaPlayer2
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(name=@{busname}),
 
+  # DBus.Properties: receive property changed events
   dbus receive bus=session path=/org/mpris/MediaPlayer2
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged
        peer=(name=@{busname}),
 
+  # DBus.Introspectable: allow clients to introspect the service
+  dbus send bus=system path=/org/mpris/MediaPlayer2
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}),
+
   dbus receive bus=session path=/org/mpris/MediaPlayer2
+       interface=org.mpris.MediaPlayer2.Player
+       member={Seeked,Next,PlayPause}
+       peer=(name=@{busname}),
+
+  # https://specifications.freedesktop.org/mpris-spec/latest/Player_Interface.html#Signal:Seeked
+  dbus send bus=session path=/org/mpris/MediaPlayer2
        interface=org.mpris.MediaPlayer2.Player
        member=Seeked
-       peer=(name=@{busname}),
+       peer=(name=org.freedesktop.DBus),
-
-  dbus send bus=session path=/org/mpris/MediaPlayer2
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=@{busname}),
-
-  dbus send bus=session path=/org/mpris/MediaPlayer2
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=@{busname}),
 
   include if exists <abstractions/bus/org.mpris.MediaPlayer2.Player.d>
 

apparmor.d/abstractions/bus/session/org.freedesktop.Notifications

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
+
+  dbus send bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
+       peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+  dbus receive bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={ActionInvoked,NotificationClosed,NotificationReplied}
+       peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+  include if exists <abstractions/bus/session/org.freedesktop.Notifications.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver

@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={Inhibit,UnInhibit}
+       peer=(name=org.freedesktop.ScreenSaver),
+
+  dbus send bus=session path=/{,org/freedesktop/}ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={GetActive,GetActiveTime,Lock,SetActive}
+       peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
+
+  dbus receive bus=session path=/org/freedesktop/ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={ActiveChanged,WakeUpScreen}
+       peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
+
+  include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.systemd1

@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
+
+  dbus send bus=session path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=GetUnit
+       peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
+
+  dbus send bus=session path=/org/freedesktop/systemd1/unit/app_*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
+
+  dbus send bus=session path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=StartTransientUnit
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
+
+  include if exists <abstractions/bus/session/org.freedesktop.systemd1.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver

@@ -2,20 +2,20 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow checking status, activating and locking the screensaver (GNOME version)
+
   abi <abi/4.0>,
 
-  #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console
+  dbus send bus=session path=/{,org/gnome/}ScreenSaver
-
-  dbus send bus=session path=/org/gnome/ScreenSaver
        interface=org.gnome.ScreenSaver
-       member=GetActive
+       member={GetActive,GetActiveTime,Lock,SetActive}
-       peer=(name="@{busname}", label=gjs-console),
+       peer=(name=@{busname}, label=gjs-console),
 
   dbus receive bus=session path=/org/gnome/ScreenSaver
        interface=org.gnome.ScreenSaver
        member={ActiveChanged,WakeUpScreen}
-       peer=(name="@{busname}", label=gjs-console),
+       peer=(name=@{busname}, label=gjs-console),
 
-  include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
+  include if exists <abstractions/bus/session/org.gnome.ScreenSaver.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.Actions

@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=gnome-shell),
+
+  dbus receive bus=session
+       interface=org.gtk.Actions
+       member={Activate,DescribeAll,SetState},
+
+  dbus send bus=session
+       interface=org.gtk.Actions
+       member=Changed,
+
+  include if exists <abstractions/bus/session/org.gtk.Actions.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.Notifications

@@ -8,9 +8,9 @@
 
   dbus send bus=session path=/org/gtk/Notifications
        interface=org.gtk.Notifications
-       member=RemoveNotification
+       member={AddNotification,RemoveNotification}
        peer=(name=org.gtk.Notifications, label=gnome-shell),
 
-  include if exists <abstractions/bus/org.gtk.Notifications.d>
+  include if exists <abstractions/bus/session/org.gtk.Notifications.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.Settings

@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/gtk/Settings
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=gsd-xsettings),
+  dbus receive bus=session path=/org/gtk/Settings
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=@{busname}, label=gsd-xsettings),
+
+  include if exists <abstractions/bus/session/org.gtk.Settings.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/own

@@ -20,6 +20,6 @@
        member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
        peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
-  include if exists <abstractions/bus/own-session.d>
+  include if exists <abstractions/bus/session/own.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/system/own

@@ -20,6 +20,6 @@
        member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
        peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
-  include if exists <abstractions/bus/own-system.d>
+  include if exists <abstractions/bus/system/own.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/common/app

@@ -28,6 +28,7 @@
   include <abstractions/nameservice-strict>
   include <abstractions/p11-kit>
   include <abstractions/path>
+  include <abstractions/sqlite>
   include <abstractions/ssl_certs>
   include <abstractions/video>
 
@@ -63,11 +64,10 @@
   owner @{tmp}/** rmwk,
   owner /dev/shm/** rwlk -> /dev/shm/**,
   owner /var/cache/tmp/** rwlk -> /var/cache/tmp/**,
-  owner /var/tmp/etilqs_@{sqlhex} rw,
 
   @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
 
-  @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
+  @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.
   @{run}/host/{,**} r,
   @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
   @{run}/utmp rk,
@@ -114,6 +114,7 @@
         @{PROC}/sys/kernel/sched_autogroup_enabled r,
         @{PROC}/sys/kernel/yama/ptrace_scope r,
         @{PROC}/sys/net/core/bpf_jit_enable r,
+        @{PROC}/sys/net/core/somaxconn r,
         @{PROC}/uptime r,
         @{PROC}/version r,
         @{PROC}/zoneinfo r,
@@ -131,10 +132,16 @@
   owner @{PROC}/@{pid}/net/if_inet6 r,
   owner @{PROC}/@{pid}/oom_score_adj rw,
   owner @{PROC}/@{pid}/pagemap r,
+  owner @{PROC}/@{pid}/smaps_rollup r,
   owner @{PROC}/@{pid}/statm r,
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
+        @{att}/dev/dri/card@{int} rw,
+        @{att}/dev/dri/renderD128 rw,
+        @{att}/dev/dri/renderD129 rw,
+  owner @{att}/dev/shm/@{uuid} r,
+
   /dev/hidraw@{int} rw,
   /dev/input/ r,
   /dev/input/event@{int} rw,

apparmor.d/abstractions/common/apt

@@ -7,6 +7,7 @@
 
   /usr/share/dpkg/cputable r,
   /usr/share/dpkg/tupletable r,
+  /usr/share/dpkg/varianttable r,
 
   /etc/apt/apt.conf r,
   /etc/apt/apt.conf.d/{,*} r,

apparmor.d/abstractions/common/bwrap

@@ -38,12 +38,14 @@
   pivot_root oldroot=/newroot/ /newroot/,
   pivot_root oldroot=/tmp/oldroot/ /tmp/,
 
-  owner / r,
   owner /newroot/{,**} w,
 
   owner /tmp/newroot/ w,
   owner /tmp/oldroot/ w,
 
+  @{att}/ r,
+  @{att}/@{run}/.userns r,
+
         @{PROC}/sys/kernel/overflowgid r,
         @{PROC}/sys/kernel/overflowuid r,
         @{PROC}/sys/user/max_user_namespaces r,

apparmor.d/abstractions/common/chromium

@@ -4,7 +4,13 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
 # This abstraction is for chromium based application. Chromium based browsers
-# need to use abstractions/chromium instead.
+# need to use abstractions/app/chromium instead.
+
+# It works as a *function* and requires a variable to be provided as *arguments*
+# and set in the header of the calling profile. Example:
+#
+# @{domain} = org.chromium.Chromium
+#
 
   abi <abi/4.0>,
 
@@ -22,19 +28,24 @@
   owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
   owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
 
-  owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
+  owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
 
-        /tmp/ r,
+  owner @{tmp}/.@{domain}.@{rand6} rw,
-        /var/tmp/ r,
+  owner @{tmp}/.@{domain}.@{rand6}/ rw,
-  owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
+  owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w,
-  owner @{tmp}/.org.chromium.Chromium.@{rand6}/{,**} rw,
+  owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w,
   owner @{tmp}/scoped_dir@{rand6}/ rw,
   owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
   owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
   owner @{tmp}/scoped_dir@{rand6}/SS w,
 
         /dev/shm/ r,
-  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+  owner /dev/shm/.@{domain}.@{rand6} rw,
+
+  @{sys}/devices/system/cpu/kernel_max r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
 
   # If kernel.unprivileged_userns_clone = 1
   owner @{PROC}/@{pid}/setgroups w,

apparmor.d/abstractions/common/electron

@@ -7,27 +7,22 @@
 # in the header of the calling profile. Example:
 #
 # @{name} = spotify
-# @{lib_dirs} = /opt/@{name}
+# @{domain} = org.chromium.chromium
+# @{lib_dirs} = /opt/@{name}/ /usr/share/@{name}/
 # @{config_dirs} = @{user_config_dirs}/@{name}
 # @{cache_dirs} = @{user_cache_dirs}/@{name}
 #
 
   abi <abi/4.0>,
 
+  include <abstractions/common/chromium>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
+  include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
 
-  userns,
-
-  capability setgid, # If kernel.unprivileged_userns_clone = 1
-  capability setuid, # If kernel.unprivileged_userns_clone = 1
-  capability sys_admin,
-  capability sys_chroot,
-  capability sys_ptrace,
-
   @{bin}/electron rix,
   @{bin}/electron@{int} rix,
   @{lib}/electron@{int}/{,**} r,
@@ -47,31 +42,14 @@
   owner @{cache_dirs}/ rw,
   owner @{cache_dirs}/** rwlk -> @{cache_dirs}/**,
 
-  owner @{HOME}/.pki/ rw,
-  owner @{HOME}/.pki/nssdb/ rw,
-  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
-  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
-  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
   owner @{user_config_dirs}/electron-flags.conf r,
-  owner @{user_share_dirs}/.org.chromium.Chromium.@{rand6} rw,
 
-  owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
+        @{sys}/fs/cgroup/user.slice/cpu.max r,
-  owner @{tmp}/.org.chromium.Chromium.@{rand6}/ rw,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
-  owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonCookie w,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.high r,
-  owner @{tmp}/.org.chromium.Chromium.@{rand6}/SingletonSocket w,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.max r,
-  owner @{tmp}/scoped_dir@{rand6}/ rw,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
-  owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
-  owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
-  owner @{tmp}/scoped_dir@{rand6}/SS w,
-
-        /dev/shm/ r,
-  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
-
-  @{sys}/devices/system/cpu/kernel_max r,
-  @{sys}/devices/virtual/dmi/id/product_name r,
-  @{sys}/devices/virtual/dmi/id/sys_vendor r,
-  @{sys}/devices/virtual/tty/tty@{int}/active r,
 
         @{PROC}/ r,
         @{PROC}/@{pid}/stat r,
@@ -81,15 +59,12 @@
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/oom_score_adj rw,
-  owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/statm r,
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
-  owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
 
   deny @{user_share_dirs}/gvfs-metadata/* r,
 

apparmor.d/abstractions/common/gnome

@@ -9,6 +9,8 @@
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>

apparmor.d/abstractions/desktop

@@ -9,10 +9,15 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/desktop-files>
   include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/gschemas>
   include <abstractions/gtk>
+  include <abstractions/icons>
+  include <abstractions/mime>
   include <abstractions/qt5>
+  include <abstractions/recently-used>
+  include <abstractions/user-dirs>
   include <abstractions/wayland>
   include <abstractions/X-strict>
   include <abstractions/xdg-desktop>
@@ -24,16 +29,11 @@
          member=Introspect
          peer=(name=@{busname}, label=gnome-shell),
 
-    /usr/{local/,}share/ r,
+    @{system_share_dirs}/gvfs/remote-volume-monitors/{,*}  r,
-    /usr/{local/,}share/glib-@{version}/schemas/** r,
-    /usr/{local/,}share/gvfs/remote-volume-monitors/{,*}  r,
 
     /etc/gnome/* r,
-    /etc/xdg/{,*-}mimeapps.list r,
 
-    /var/cache/gio-@{version}/gnome-mimeapps.list r,
+    / r,
-
-    / r, # deny?
 
     owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
 
@@ -63,6 +63,9 @@
     owner @{user_config_dirs}/kdedefaults/kwinrc r,
     owner @{user_config_dirs}/kdeglobals r,
     owner @{user_config_dirs}/kwinrc r,
+    owner @{user_config_dirs}/session/ rw,
+    owner @{user_config_dirs}/session/@{profile_name}* rwlk,
+    owner @{user_config_dirs}/session/#@{int} rw,
     owner @{user_config_dirs}/trashrc r,
 
   # else if @{DE} == xfce
@@ -75,7 +78,7 @@
   # end
 
   /usr/share/desktop-base/{,**} r,
-  /usr/share/hwdata/*.ids r,
+  /usr/share/hwdata/*.ids r, # FIXME: a bit too wide
   /usr/share/icu/@{int}.@{int}/*.dat r,
 
   include if exists <abstractions/desktop.d>

apparmor.d/abstractions/desktop-files

@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  @{system_share_dirs}/applications/{,**} r,
+  @{system_share_dirs}/*ubuntu/applications/{,**} r,
+  @{system_share_dirs}/gnome/applications/{,**} r,
+  @{system_share_dirs}/xfce4/applications/{,**} r,
+
+  /etc/gnome/defaults.list r,
+  /etc/xfce4/defaults.list r,
+  /etc/xdg/menus/ r,
+  /etc/xdg/menus/applications-merged/{,**} r,
+
+  /var/lib/snapd/desktop/applications/{,**} r,
+
+  owner @{user_share_dirs}/applications/{,**} r,
+
+  owner @{user_config_dirs}/menus/ r,
+  owner @{user_config_dirs}/menus/applications-merged/{,**} r,
+
+  include if exists <abstractions/desktop-files.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/devices-usb-read

@@ -20,9 +20,9 @@
   @{sys}/devices/**/usb@{int}/{,**} r,
 
   # Udev data about usb devices (~equal to content of lsusb -v)
-  @{run}/udev/data/+usb:* r,
+  @{run}/udev/data/+usb:* r,              # Identifies all USB devices
-  @{run}/udev/data/c16[6,7]:@{int} r,   # USB modems
+  @{run}/udev/data/c16[6,7]:@{int} r,     # USB modems
-  @{run}/udev/data/c18[0,8,9]:@{int} r, # USB devices & USB serial converters
+  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
 
   include if exists <abstractions/devices-usb-read.d>
 

apparmor.d/abstractions/disks-read

@@ -101,13 +101,13 @@
   @{run}/udev/data/b43:@{int} r,      # for /dev/nbd*
   @{run}/udev/data/b179:@{int} r,     # for /dev/mmcblk*
   @{run}/udev/data/b230:@{int} r,     # for /dev/zvol*
-  @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240 to 254
+  @{run}/udev/data/b24[0-9]:@{int} r, # for dynamic assignment range 240
-  @{run}/udev/data/b25[0-4]:@{int} r,
+  @{run}/udev/data/b25[0-4]:@{int} r, #                           to 254
   @{run}/udev/data/b259:@{int} r,     # Block Extended Major
 
   @{run}/udev/data/c189:@{int} r,     # for /dev/bus/usb/**
 
-  @{run}/udev/data/+usb:*      r,     # for disk over usb hub
+  @{run}/udev/data/+usb:* r,          # Identifies all USB devices
 
   include if exists <abstractions/disks-read.d>
 

apparmor.d/abstractions/freedesktop.org.d/complete

@@ -23,4 +23,9 @@
 
   owner @{HOME}/.icons/{,**} r,
 
+  owner @{user_share_dirs}/#@{int} rw,
+  owner @{user_share_dirs}/recently-used.xbel rw,
+  owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl,
+  owner @{user_share_dirs}/recently-used.xbel.lock rwk,
+
 # vim:syntax=apparmor

apparmor.d/abstractions/glibc

@@ -22,9 +22,15 @@
   @{PROC}/stat r,
 
   # Glibc's *printf protections read the maps file
-  @{PROC}/@{pid}/auxv r,
+  owner @{PROC}/@{pid}/auxv r,
-  @{PROC}/@{pid}/maps r,
+  owner @{PROC}/@{pid}/maps r,
-  @{PROC}/@{pid}/status r,
+  owner @{PROC}/@{pid}/status r,
+
+  # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,
+  # but in a format that is simpler to manage, because it doesn't require to
+  # parse the text data inside a file, but just reading the contents of
+  # a directory.
+  owner @{PROC}/@{pid}/map_files/ r,
 
   # Glibc statvfs
   @{PROC}/filesystems r,

apparmor.d/abstractions/gnome-strict

@@ -4,9 +4,15 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/desktop-files>
   include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/gschemas>
   include <abstractions/gtk>
+  include <abstractions/icons>
+  include <abstractions/mime>
+  include <abstractions/qt5>
+  include <abstractions/recently-used>
+  include <abstractions/user-dirs>
   include <abstractions/wayland>
   include <abstractions/X-strict>
   include <abstractions/xdg-desktop>
@@ -20,14 +26,9 @@
   /usr/share/hwdata/*.ids r,
   /usr/share/icu/@{int}.@{int}/*.dat r,
 
-  /usr/{local/,}share/ r,
+  @{system_share_dirs}/gvfs/remote-volume-monitors/{,*}  r,
-  /usr/{local/,}share/glib-@{int}.@{int}/schemas/** r,
-  /usr/{local/,}share/gvfs/remote-volume-monitors/{,*}  r,
 
   /etc/gnome/* r,
-  /etc/xdg/{,*-}mimeapps.list r,
-
-  /var/cache/gio-@{int}.@{int}/gnome-mimeapps.list r,
 
   / r,
 

apparmor.d/abstractions/graphics

@@ -14,6 +14,7 @@
 
   @{sys}/bus/pci/devices/ r,
   @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r,
+  @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r,
   @{sys}/devices/system/cpu/cpu@{int}/online r,
   @{sys}/devices/system/cpu/cpu@{int}/topology/* r,
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r,

apparmor.d/abstractions/graphics-full

@@ -4,7 +4,13 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/amdgpu>
   include <abstractions/graphics>
+  include <abstractions/oneapi>
+
+  @{sys}/devices/@{pci}/numa_node r,
+
+  @{PROC}/devices r,
 
   /dev/char/@{dynamic}:@{int} w,          # For dynamic assignment range 234 to 254, 384 to 511
   /dev/nvidia-uvm rw,

apparmor.d/abstractions/gschemas

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  @{system_share_dirs}/ r,
+  @{system_share_dirs}/glib-2.0/schemas/ r,
+  @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
+
+  include if exists <abstractions/gschemas.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/gstreamer

@@ -36,7 +36,7 @@
   #owner @{HOME}/orcexec.* mrw,
 
   @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
-  @{run}/udev/data/+usb:* r,              # For /dev/bus/usb/**
+  @{run}/udev/data/+usb:* r,              # Identifies all USB devices
 
   @{run}/udev/data/c81:@{int}  r,         # For video4linux
   @{run}/udev/data/c189:@{int} r,         # For USB serial converters

apparmor.d/abstractions/gtk.d/complete

@@ -2,23 +2,8 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  dbus receive bus=session
+  include <abstractions/bus/session/org.gtk.Actions>
-       interface=org.gtk.Actions
+  include <abstractions/bus/session/org.gtk.Settings>
-       member={Activate,DescribeAll,SetState}
-       peer=(name=@{busname}),
-
-  dbus send bus=session
-       interface=org.gtk.Actions
-       member=Changed,
-
-  dbus send bus=session path=/org/gtk/Settings
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=@{busname}, label=gsd-xsettings),
-  dbus receive bus=session path=/org/gtk/Settings
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name=@{busname}, label=gsd-xsettings),
 
   @{lib}/{,@{multiarch}/}gtk*/** mr,
 

apparmor.d/abstractions/icons

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  @{system_share_dirs}/icons/{,**} r,
+  @{system_share_dirs}/pixmaps/{,**} r,
+
+  /opt/**/share/icons/{,**} r,
+  /opt/*/**.desktop r,
+  /opt/*/**/*.png r,
+
+  /var/lib/snapd/desktop/icons/{,**} r,
+
+  owner @{HOME}/.icons/{,**} r,
+
+  owner @{user_share_dirs}/icons/{,**} r,
+
+  include if exists <abstractions/icons.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/java

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  /usr/share/java/{,**} r,
+
+  /etc/java/{,**} r,
+  /etc/java-*/{,**} r,
+
+  include if exists <abstractions/java.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/kde-strict

@@ -4,10 +4,15 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/desktop-files>
   include <abstractions/fonts>
-  include <abstractions/freedesktop.org>
+  include <abstractions/gschemas>
   include <abstractions/gtk>
+  include <abstractions/icons>
+  include <abstractions/mime>
   include <abstractions/qt5>
+  include <abstractions/recently-used>
+  include <abstractions/user-dirs>
   include <abstractions/wayland>
   include <abstractions/X-strict>
   include <abstractions/xdg-desktop>
@@ -20,6 +25,7 @@
   /usr/share/hwdata/*.ids r,
   /usr/share/icu/@{int}.@{int}/*.dat r,
   /usr/share/knotifications{5,6}/*.notifyrc r,
+  /usr/share/kubuntu-default-settings/{,**} r,  #aa:only ubuntu
 
   /etc/xdg/baloofilerc r,
   /etc/xdg/kcminputrc r,
@@ -39,6 +45,9 @@
   owner @{user_config_dirs}/kdedefaults/kwinrc r,
   owner @{user_config_dirs}/kdeglobals r,
   owner @{user_config_dirs}/kwinrc r,
+  owner @{user_config_dirs}/session/ rw,
+  owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk,
+  owner @{user_config_dirs}/session/#@{int} rw,
   owner @{user_config_dirs}/trashrc r,
 
   owner @{user_share_dirs}/#@{int} rw,

apparmor.d/abstractions/mesa.d/complete

@@ -42,4 +42,6 @@
 
   @{PROC}/sys/dev/xe/observation_paranoid r,
 
+  /dev/udmabuf rw, # In upstream, but not released yet
+
 # vim:syntax=apparmor

apparmor.d/abstractions/mime

@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  @{system_share_dirs}/ r,
+  @{system_share_dirs}/mime/{,**} r,
+
+  /etc/mime.types r,
+  /etc/xdg/{,*-}mimeapps.list r,
+
+  /var/cache/gio-@{version}/{,*-}-mimeapps.list r,
+
+  owner @{user_config_dirs}/mimeapps.list r,
+
+  owner @{user_share_dirs}/mime/{,**} r,
+
+  include if exists <abstractions/mime.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/notifications

@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/session/org.freedesktop.Notifications>
+  include <abstractions/bus/session/org.gtk.Notifications>
+
+  include if exists <abstractions/notifications.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/nvidia-strict

@@ -35,7 +35,7 @@
   owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/task/@{tid}/comm r,
 
-  /dev/char/195:@{int} w,  # Nvidia graphics devices
+  /dev/char/195:@{u8} w,  # Nvidia graphics devices
   /dev/nvidia-modeset rw,
   /dev/nvidia@{int} rw,
   /dev/nvidiactl rw,

apparmor.d/abstractions/nvidia.d/complete

@@ -8,6 +8,6 @@
 
   /etc/nvidia/nvidia-application-profiles* r,
 
-  /dev/char/195:@{int} rw,  # Nvidia graphics devices
+  /dev/char/195:@{u8} rw,  # Nvidia graphics devices
 
 # vim:syntax=apparmor

apparmor.d/abstractions/oneapi

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Intel oneAPI compiler libraries
+
+  abi <abi/4.0>,
+
+  /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
+  /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
+
+  include if exists <abstractions/oneapi.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/recently-used

@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2009 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  owner @{HOME}/.recently-used.xbel rw,
+  owner @{HOME}/.recently-used.xbel.@{rand6} rwl,
+  owner @{HOME}/.recently-used.xbel.lock rwk,
+
+  owner @{user_share_dirs}/#@{int} rw,
+  owner @{user_share_dirs}/recently-used.xbel rw,
+  owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl,
+  owner @{user_share_dirs}/recently-used.xbel.lock rwk,
+
+  include if exists <abstractions/recently-used.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/screensaver

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver
+
+  abi <abi/4.0>,
+
+  include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver>
+  include if exists <abstractions/bus/session/org.gnome.ScreenSaver>
+
+  include if exists <abstractions/screensaver.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/sqlite

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# SQlite temporary files (hexadecimal from 12 to 16 characters)
+
+  abi <abi/4.0>,
+
+  owner /var/tmp/etilqs_@{hex12} rw,
+  owner /var/tmp/etilqs_@{hex12}@{h} rw,
+  owner /var/tmp/etilqs_@{hex12}@{hex2} rw,
+  owner /var/tmp/etilqs_@{hex15} rw,
+  owner /var/tmp/etilqs_@{hex16} rw,
+
+  owner @{tmp}/etilqs_@{hex12} rw,
+  owner @{tmp}/etilqs_@{hex12}@{h} rw,
+  owner @{tmp}/etilqs_@{hex12}@{hex2} rw,
+  owner @{tmp}/etilqs_@{hex15} rw,
+  owner @{tmp}/etilqs_@{hex16} rw,
+
+  include if exists <abstractions/sqlite.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/user-dirs

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  /etc/xdg/user-dirs.conf r,
+  /etc/xdg/user-dirs.defaults r,
+
+  owner @{user_config_dirs}/user-dirs.dirs r,
+
+  include if exists <abstractions/user-dirs.d>
+
+# vim:syntax=apparmor

apparmor.d/groups/_full/sd

@@ -187,7 +187,8 @@ profile sd flags=(attach_disconnected,mediate_deleted,complain) {
   owner @{run}/*/** rw,
 
   @{run}/udev/**/ r,
-  @{run}/udev/data/* r,
+  @{run}/udev/data/+*:* r,                # Identifies all subsystems
+  @{run}/udev/data/c@{int}:@{int} r,      # Identifies all character devices
 
   @{sys}/** r,
   @{sys}/fs/bpf/systemd/{,**} w,

apparmor.d/groups/_full/systemd

@@ -168,14 +168,13 @@ profile systemd flags=(attach_disconnected,mediate_deleted,complain) {
   @{run}/credentials/{,**} rw,
   @{run}/systemd/{,**} rw,
 
-  @{run}/udev/data/+module:configfs r,
+  @{run}/udev/data/+module:* r,           # Identifies kernel modules loaded by udev
-  @{run}/udev/data/+module:fuse r,
   @{run}/udev/data/c4:@{int} r,           # For TTY devices
   @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
   @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
   @{run}/udev/data/c116:@{int} r,         # For ALSA
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
-  @{run}/udev/data/n@{int} r,
+  @{run}/udev/data/n@{int} r,             # For network interfaces
   @{run}/udev/tags/systemd/ r,
 
   @{sys}/**/uevent r,

apparmor.d/groups/_full/systemd-user

@@ -59,14 +59,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted,complain) {
   @{run}/systemd/notify w,
   @{run}/systemd/oom/io.systemd.ManagedOOM rw,
 
-  @{run}/udev/data/+module:configfs r,
+  @{run}/udev/data/+module:* r,           # Identifies kernel modules loaded by udev
-  @{run}/udev/data/+module:fuse r,
   @{run}/udev/data/c4:@{int} r,           # For TTY devices
   @{run}/udev/data/c5:@{int}   r,         # for /dev/tty, /dev/console, /dev/ptmx
   @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
   @{run}/udev/data/c116:@{int} r,         # for ALSA
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
-  @{run}/udev/data/n@{int} r,
+  @{run}/udev/data/n@{int} r,             # For network interfaces
   @{run}/udev/tags/systemd/ r,
 
   @{sys}/devices/virtual/dmi/id/bios_vendor r,

apparmor.d/groups/apparmor/aa-enforce

@@ -31,7 +31,7 @@ profile aa-enforce @{exec_path} {
   owner /var/lib/snapd/apparmor/{,**} rw,
 
   owner @{tmp}/@{rand8} rw,
-  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
+  owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
 
   @{PROC}/@{pid}/fd/ r,
 

apparmor.d/groups/apparmor/aa-notify

@@ -45,7 +45,7 @@ profile aa-notify @{exec_path} {
   owner @{HOME}/.terminfo/@{int}/dumb r,
 
   owner @{tmp}/@{word8} rw,
-  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
+  owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
 
   @{PROC}/ r,
   @{PROC}/@{pid}/stat r,

apparmor.d/groups/apparmor/aa-unconfined

@@ -29,7 +29,7 @@ profile aa-unconfined @{exec_path} flags=(attach_disconnected) {
   @{etc_ro}/inputrc r,
 
   owner @{tmp}/@{rand8} rw,
-  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
+  owner @{tmp}/apparmor-bugreport-@{word8}.txt rw,
   owner /var/tmp/@{rand8} rw,
 
         @{PROC}/ r,

apparmor.d/groups/apparmor/apparmor.systemd

@@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} {
   @{bin}/sed                  rix,
   @{bin}/cat                  rix,
   @{bin}/sort                 rix,
-  @{sbin}/sysctl              rix,
+  @{sbin}/sysctl              rCx -> sysctl,
   @{bin}/systemd-detect-virt  rPx,
   @{bin}/xargs                rix,
 
@@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} {
   @{PROC}/@{pids}/maps r,
   @{PROC}/@{pids}/mounts r,
   @{PROC}/mounts r,
-  @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
 
   /dev/tty rw,
 
+  profile sysctl {
+    include <abstractions/base>
+
+    @{sbin}/sysctl mr,
+
+    @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
+
+    include if exists <local/apparmor.systemd_sysctl>
+  }
+
   include if exists <local/apparmor.systemd>
 }
 

apparmor.d/groups/apparmor/apparmor_parser

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
+@{lib_dirs} = @{lib}/ /snap/{snapd,core}/{,x}@{int}@{lib}
 
 @{exec_path} = @{sbin}/apparmor_parser @{lib_dirs}/snapd/apparmor_parser
 profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
@@ -46,7 +46,7 @@ profile apparmor_parser @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mounts r,
 
   deny network netlink raw, # file_inherit
-  deny /apparmor/.null rw,
+  /opt/Mullvad*/resources/apparmor_mullvad r, # FIXME: WTF you thing you are doing mullvad?
 
   include if exists <local/apparmor_parser>
 }

apparmor.d/groups/apt/apt-overlay

@@ -30,7 +30,6 @@ profile apt-overlay @{exec_path} {
   /root/ r,
 
   owner @{PROC}/@{pids}/loginuid r,
-  owner @{PROC}/@{pids}/maps r,
 
   include if exists <local/apt-overlay>
 }

apparmor.d/groups/apt/debconf-frontend

@@ -25,7 +25,7 @@ profile debconf-frontend @{exec_path} flags=(complain) {
   @{bin}/stty                       ix,
   @{sbin}/update-secureboot-policy  Px,
 
-  # debconf apps
+  # Debconf apps
   @{bin}/adequate                     Px,
   @{bin}/debconf-apt-progress         Px,
   @{bin}/linux-check-removal          Px,
@@ -49,6 +49,8 @@ profile debconf-frontend @{exec_path} flags=(complain) {
   @{lib}/dkms/dkms-*                 rPUx,
   @{lib}/dkms/dkms_*                 rPUx,
 
+  /etc/libpaper.d/texlive-base rPUx,
+
   /usr/share/debconf/{,**} r,
 
   /etc/inputrc r,

apparmor.d/groups/apt/dpkg-script-linux

@@ -11,6 +11,8 @@ profile dpkg-script-linux @{exec_path} {
   include <abstractions/base>
   include <abstractions/common/debconf>
 
+  capability dac_read_search,
+
   @{exec_path} mrix,
 
   @{bin}/cat         ix,

apparmor.d/groups/apt/dpkg-scripts

@@ -48,6 +48,7 @@ profile dpkg-scripts @{exec_path} {
   @{sbin}/ldconfig.real                           Cx -> ldconfig,
   @{sbin}/update-rc.d                             Cx -> rc,
 
+  #aa:lint ignore=too-wide
   # Maintainer scripts can legitimately start/restart anything
   # PU is only used as a safety fallback.
   @{bin}/**                                       PUx,
@@ -75,6 +76,7 @@ profile dpkg-scripts @{exec_path} {
   @{run}/** rw,
   @{efi}/grub/* rw,
 
+  /tmp/fmtutil.@{rand8} rw,
   /tmp/grub.@{rand10} rw,
   /tmp/sed@{rand6} rw,
   /tmp/tmp.@{rand10} rw,
@@ -167,6 +169,7 @@ profile dpkg-scripts @{exec_path} {
     /usr/local/ r,
     /usr/local/lib/ r,
 
+          /var/cache/ldconfig/ rw,
     owner /var/cache/ldconfig/aux-cache* rw,
 
     include if exists <local/dpkg-scripts_ldconfig>

apparmor.d/groups/apt/reportbug

@@ -61,8 +61,8 @@ profile reportbug @{exec_path} {
 
   /usr/share/bug/*/{control,presubj} r,
 
+  #aa:lint ignore=too-wide
   /etc/** r,
-  /etc/reportbug.conf r,
 
   owner @{HOME}/ r,  # For shell pwd
   owner @{HOME}/.reportbugrc{,~} rw,

apparmor.d/groups/apt/unattended-upgrade

@@ -52,9 +52,11 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   @{bin}/touch                     ix,
   @{bin}/uname                     ix,
 
-  @{bin}/dpkg-deb                  px,
   @{bin}/apt-listchanges           Px,
+  @{bin}/df                        Px,
+  @{bin}/dmesg                     Px,
   @{bin}/dpkg                      Px,
+  @{bin}/dpkg-deb                  px,
   @{bin}/dpkg-divert               Px,
   @{bin}/etckeeper                 Px,
   @{bin}/ischroot                  Px,
@@ -90,7 +92,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /etc/pki/fwupd/{,**} r,
   /etc/profile.d/* r,
   /etc/ssh/moduli r,
-  /etc/ssh/ssh_config r,
+  @{etc_ro}/ssh/sshd_config r,
+  @{etc_ro}/ssh/sshd_config.d/{,*} r,
   /etc/ufw/{,**} r,
   /etc/update-manager/{,**} r,
   /etc/update-motd.d/{,**} r,
@@ -98,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /etc/vmware-tools/{,**} r,
 
   /var/log/unattended-upgrades/{,**} rw,
-  /var/crash/*.crash w,
+  /var/crash/*.crash rw,
 
   /var/lib/apt/periodic/unattended-upgrades-stamp w,
   /var/lib/dpkg/info/{,*} r,
@@ -112,8 +115,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /var/lib/apt/lists/ rw,
   /var/lib/apt/lists/partial/ rw,
   /var/lib/apt/periodic/ w,
-  /var/log/apt/{term,history}.log w,
+  /var/log/apt/*.log* rw,
-  /var/log/apt/eipp.log.xz w,
 
         @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
   owner @{run}/unattended-upgrades.lock rwk,

apparmor.d/groups/bluetooth/blueman-mechanism

@@ -11,6 +11,7 @@ include <tunables/global>
 profile blueman-mechanism @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
+  include <abstractions/fonts>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 

apparmor.d/groups/bluetooth/bluetoothd

@@ -46,7 +46,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
         @{run}/sdp rw,
   owner @{run}/systemd/notify w,
 
-  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
+  @{run}/udev/data/+hid:* r,              # For Human Interface Device (mice, controllers, drawing tablets, scanners)
 
   @{sys}/devices/@{pci}/rfkill@{int}/name r,
   @{sys}/devices/@{pci}/**/{uevent,name} r,

apparmor.d/groups/bluetooth/obexd

@@ -10,8 +10,9 @@ include <tunables/global>
 @{exec_path} = @{lib}/bluetooth/obexd
 profile obexd @{exec_path} {
   include <abstractions/base>
-  include <abstractions/bus-system>
   include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/bus/ca.desrt.dconf.Writer>
   include <abstractions/user-download-strict>
 
   network bluetooth stream,
@@ -24,6 +25,11 @@ profile obexd @{exec_path} {
        member=Release
        peer=(name=:*, label="@{p_bluetoothd}"),
 
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
   @{exec_path} mr,
 
   owner @{user_cache_dirs}/ rw,

apparmor.d/groups/browsers/brave

@@ -18,7 +18,7 @@ profile brave @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app/chromium>
 
-  unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler),
+  # unix (send, receive) type=stream peer=(label=brave//&brave-crashpad-handler),
 
   signal receive peer=brave//&brave-crashpad-handler,
 

apparmor.d/groups/browsers/chromium-wrapper

@@ -45,6 +45,7 @@ profile chromium-wrapper @{exec_path} flags=(attach_disconnected) {
 
   # Silencer
   deny @{user_share_dirs}/gvfs-metadata/* r,
+  deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
 
   include if exists <local/chromium-wrapper>
 }

apparmor.d/groups/browsers/firefox

@@ -21,6 +21,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 
   signal send set=(term, kill) peer=firefox//&keepassxc-proxy,
 
+  unix type=seqpacket addr=@gecko-crash-helper-pipe.@{int},
+  unix type=seqpacket peer=(label=firefox-crashhelper),
+
   #aa:dbus own bus=session name=org.mozilla.firefox
   #aa:dbus own bus=session name=org.mpris.MediaPlayer2.firefox path=/org/mpris/MediaPlayer2
 
@@ -46,9 +49,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   @{open_path}                                       rPx -> child-open,
 
   # Common extensions
+  @{bin}/browserpass                                           rPx,
+  @{bin}/keepassxc-proxy                                       rPx -> firefox//&keepassxc-proxy,
+  @{lib}/browserpass/browserpass-native                        rPx,
   /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp*  rPx,
-  @{bin}/browserpass         rPx,
-  @{bin}/keepassxc-proxy     rPx -> firefox//&keepassxc-proxy,
 
   owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
   owner @{user_config_dirs}/ibus/bus/ r,
@@ -64,9 +68,6 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/@{rand8}.* rw,  # file downloads (to anywhere)
   owner @{tmp}/@{uuid}.zip{,.tmp} rw,
   owner @{tmp}/Mozilla@{uuid}-cachePurge-{@{hex15},@{hex16}} rwk,
-  owner @{tmp}/mozilla* rw,
-  owner @{tmp}/mozilla*/ rw,
-  owner @{tmp}/mozilla*/* rwk,
   owner @{tmp}/Mozilla\{@{uuid}\}-cachePurge-{@{hex15},@{hex16}} rwk,
   owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/.parentlock k,
   owner @{tmp}/MozillaBackgroundTask-{@{hex15},@{hex16}}-removeDirectory/{**,} rw,

apparmor.d/groups/browsers/firefox-crashhelper

@@ -15,11 +15,16 @@ include <tunables/global>
 profile firefox-crashhelper @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
+  unix type=seqpacket peer=(label=firefox),
+
   @{exec_path} mr,
 
   owner "@{config_dirs}/firefox/Crash Reports/" rw,
   owner "@{config_dirs}/firefox/Crash Reports/crash_helper_server.log" rw,
 
+  # file_inherit
+  deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
+
   include if exists <local/firefox-crashhelper>
 }