From 6db83003c7fdafd251c37892d1532fc5494792c7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 12 Sep 2023 22:59:07 +0100
Subject: [PATCH] feat(profiles): general update.
---
 apparmor.d/groups/browsers/firefox-glxtest | 2 ++
 apparmor.d/groups/browsers/firefox-pingsender | 3 +++
 apparmor.d/groups/children/child-open | 3 ++-
 apparmor.d/groups/freedesktop/pipewire | 6 ++++--
 .../freedesktop/xdg-desktop-portal-gnome | 1 +
 apparmor.d/groups/gnome/gdm-wayland-session | 1 +
 apparmor.d/groups/gnome/gnome-software | 4 +++-
 apparmor.d/groups/gnome/kgx | 4 +++-
 apparmor.d/groups/gnome/mutter-x11-frames | 8 ++++++-
 apparmor.d/groups/gnome/nautilus | 1 +
 apparmor.d/groups/gnome/tracker-extract | 10 +++------
 apparmor.d/groups/kde/dolphin | 5 +++--
 apparmor.d/groups/kde/kioslave5 | 1 +
 apparmor.d/groups/kde/sddm | 5 +++--
 apparmor.d/groups/network/NetworkManager | 5 +++++
 apparmor.d/groups/pacman/mkinitcpio | 7 +++++--
 apparmor.d/groups/pacman/pacman-hook-code | 3 ++-
 apparmor.d/groups/systemd/systemd-detect-virt | 1 +
 .../groups/systemd/systemd-modules-load | 3 ++-
 apparmor.d/groups/systemd/systemd-sysctl | 13 ++++++------
 apparmor.d/profiles-a-f/aa-enforce | 2 +-
 apparmor.d/profiles-a-f/boltd | 5 +++++
 apparmor.d/profiles-a-f/chpasswd | 15 ++++++-------
 apparmor.d/profiles-a-f/dkms | 2 +-
 apparmor.d/profiles-g-l/groups | 5 +++++
 apparmor.d/profiles-g-l/lspci | 2 +-
 apparmor.d/profiles-s-z/smartctl | 2 +-
 apparmor.d/profiles-s-z/spotify | 1 +
 apparmor.d/profiles-s-z/thermald | 21 +++++++++----------
 apparmor.d/profiles-s-z/thunderbird-glxtest | 4 ++--
 apparmor.d/profiles-s-z/thunderbird-vaapitest | 4 ++--
 apparmor.d/profiles-s-z/udisksd | 2 --
 apparmor.d/profiles-s-z/wpa-supplicant | 3 ++-
 33 files changed, 98 insertions(+), 56 deletions(-)
diff --git a/apparmor.d/groups/browsers/firefox-glxtest b/apparmor.d/groups/browsers/firefox-glxtest
index 7db351c1b..4a637efeb 100644
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@@ -30,5 +30,7 @@ profile firefox-glxtest @{exec_path} { @{sys}/bus/pci/devices/ r, @{sys}/devices/@{pci}/class r, + owner @{PROC}/@{pid}/cmdline r, + include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/browsers/firefox-pingsender b/apparmor.d/groups/browsers/firefox-pingsender index 398e2d12d..9fa705aff 100644 --- a/apparmor.d/groups/browsers/firefox-pingsender +++ b/apparmor.d/groups/browsers/firefox-pingsender @@ -18,6 +18,9 @@ profile firefox-pingsender @{exec_path} { include include + network inet stream, + network inet6 stream, + signal (receive) set=(term, kill) peer=firefox, @{exec_path} mr, diff --git a/apparmor.d/groups/children/child-open b/apparmor.d/groups/children/child-open index 1d06f5c62..63aebdce6 100644 --- a/apparmor.d/groups/children/child-open +++ b/apparmor.d/groups/children/child-open @@ -63,6 +63,7 @@ profile child-open { # Others @{bin}/*Foliate rPUx, + @{bin}/blueman-tray rPx, @{bin}/discord{,-ptb} rPx, @{bin}/draw.io rPUx, @{bin}/dropbox rPx, @@ -90,7 +91,7 @@ profile child-open { @{bin}/viewnior rPUx, @{bin}/vlc rPUx, @{bin}/xarchiver rPx, - @{bin}/xbrlapi rPx, + @{bin}/xbrlapi rPx, @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx, include if exists diff --git a/apparmor.d/groups/freedesktop/pipewire b/apparmor.d/groups/freedesktop/pipewire index a4b4fad63..3d6a9c145 100644 --- a/apparmor.d/groups/freedesktop/pipewire +++ b/apparmor.d/groups/freedesktop/pipewire @@ -64,7 +64,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { owner @{user_config_dirs}/pipewire/pipewire.conf r, owner /tmp/librnnoise-[0-9]*.so rm, - owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk, + owner @{run}/user/@{uid}/pipewire-@{int} rw, + owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk, @{run}/udev/data/c81:@{int} r, # For video4linux @{run}/udev/data/c23[4-9]:@{int} r, # For dynamic assignment range 234 to 254 
@@ -79,11 +80,12 @@ profile pipewire @{exec_path} flags=(attach_disconnected) { @{sys}/class/ r, @{sys}/devices/**/device:*/**/path r, @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r, - @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor} r, + @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, /dev/media@{int} rw, + /dev/video@{int} rw, include if exists } diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index ad2be3548..dae6ecece 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -141,6 +141,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { @{run}/mount/utab r, owner @{PROC}/@{pid}/ r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/task/@{tid}/ r, owner @{PROC}/@{pid}/task/@{tid}/status r, diff --git a/apparmor.d/groups/gnome/gdm-wayland-session b/apparmor.d/groups/gnome/gdm-wayland-session index 8510c600e..44402f4f0 100644 --- a/apparmor.d/groups/gnome/gdm-wayland-session +++ b/apparmor.d/groups/gnome/gdm-wayland-session @@ -70,6 +70,7 @@ profile gdm-wayland-session @{exec_path} { /usr/share/gdm/gdm.schemas r, /usr/share/glib-2.0/schemas/gschemas.compiled r, /usr/share/im-config/{,**} r, + /usr/share/libdebuginfod-common/debuginfod.sh r, /usr/share/xsessions/gnome.desktop r, @{etc_ro}/profile.d/{,*} r, diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 3af4a84b0..55695aee5 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
@@ -46,7 +46,7 @@ profile gnome-software @{exec_path} { /usr/share/app-info/{,**} r, /usr/share/appdata/{,**} r, /usr/share/metainfo/{,**} r, - /usr/share/swcatalog/xml/{,**} r, + /usr/share/swcatalog/{,**} r, /usr/share/X11/xkb/{,**} r, /usr/share/xml/iso-codes/{,**} r, @@ -110,6 +110,8 @@ profile gnome-software @{exec_path} { @{PROC}/@{pids}/mounts r, @{PROC}/sys/fs/pipe-max-size r, @{PROC}/sys/kernel/random/boot_id r, + @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/stat r, /dev/fuse rw, diff --git a/apparmor.d/groups/gnome/kgx b/apparmor.d/groups/gnome/kgx index fae7c2229..dbaeda050 100644 --- a/apparmor.d/groups/gnome/kgx +++ b/apparmor.d/groups/gnome/kgx @@ -12,12 +12,15 @@ profile kgx @{exec_path} { include include include + include include include include include include + include include + include capability sys_ptrace, @@ -38,7 +41,6 @@ profile kgx @{exec_path} { @{lib}/gio-launch-desktop rPx -> child-open, /usr/share/themes/{,**} r, - /usr/share/X11/xkb/{,**} r, owner /tmp/#@{int} rw, diff --git a/apparmor.d/groups/gnome/mutter-x11-frames b/apparmor.d/groups/gnome/mutter-x11-frames index 690fa6c64..63148ea6c 100644 --- a/apparmor.d/groups/gnome/mutter-x11-frames +++ b/apparmor.d/groups/gnome/mutter-x11-frames @@ -20,10 +20,16 @@ profile mutter-x11-frames @{exec_path} { include include include + include @{exec_path} mr, - owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw, + /usr/share/dconf/profile/gdm r, + /usr/share/gdm/greeter-dconf-defaults r, + + /var/lib/gdm/.config/dconf/user r, + + owner @{PROC}/@{pid}/cmdline r, include if exists } diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index bf9e7ee69..0c9d59a3b 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus 
@@ -98,6 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { @{PROC}/@{pids}/net/wireless r, @{PROC}/sys/dev/i915/perf_stream_paranoid r, + owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/tracker-extract b/apparmor.d/groups/gnome/tracker-extract index d6f7cc4ea..11e5b64e8 100644 --- a/apparmor.d/groups/gnome/tracker-extract +++ b/apparmor.d/groups/gnome/tracker-extract @@ -13,6 +13,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { include include include + include include include include @@ -82,6 +83,8 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, /usr/share/dconf/profile/gdm r, + /usr/share/drirc.d/{,*.conf} r, + /usr/share/gvfs/remote-volume-monitors/{,*} r, /usr/share/hwdata/*.ids r, /usr/share/ladspa/rdf/{,**} r, /usr/share/mime/mime.cache r, @@ -89,15 +92,11 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { /usr/share/poppler/{,**} r, /usr/share/tracker3-miners/{,**} r, /usr/share/tracker3/{,**} r, - /usr/share/gvfs/remote-volume-monitors/{,*} r, /etc/blkid.conf r, /etc/fstab r, /etc/libva.conf r, - # dri-common-strict - /usr/share/drirc.d/{,*.conf} r, - /var/lib/gdm{3,}/.cache/ rw, /var/lib/gdm{3,}/.cache/tracker3/{,**} rw, /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw, @@ -134,9 +133,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) { @{run}/mount/utab r, - @{sys}/devices/pci[0-9]*/*/vendor r, - @{sys}/devices/pci[0-9]*/*/device r, - owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mountinfo r, owner @{PROC}/@{pid}/task/@{tid}/comm rw, diff --git a/apparmor.d/groups/kde/dolphin b/apparmor.d/groups/kde/dolphin index aea1b9c11..c99127f33 100644 --- a/apparmor.d/groups/kde/dolphin +++ b/apparmor.d/groups/kde/dolphin @@ -10,6 +10,7 @@ include profile dolphin @{exec_path} { include include + include include include include 
@@ -30,6 +31,7 @@ profile dolphin @{exec_path} { /usr/share/kf5/kmoretools/{,**} r, /usr/share/kio/{,**} r, /usr/share/kservices5/{,**} r, + /usr/share/kservicetypes5/{,**} r, /usr/share/mime/ r, /etc/fstab r, @@ -55,8 +57,7 @@ profile dolphin @{exec_path} { owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int}, owner @{user_config_dirs}/dolphinrc.lock rwk, owner @{user_config_dirs}/kde.org/#@{int} rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf rw, - owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.@{rand6} rwlk -> @{user_config_dirs}/kde.org/#@{int}, + owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.@{rand6}} rwlk -> @{user_config_dirs}/kde.org/#@{int}, owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk, owner @{user_config_dirs}/session/ rw, diff --git a/apparmor.d/groups/kde/kioslave5 b/apparmor.d/groups/kde/kioslave5 index 5f8685145..d9c5fbf00 100644 --- a/apparmor.d/groups/kde/kioslave5 +++ b/apparmor.d/groups/kde/kioslave5 @@ -66,6 +66,7 @@ profile kioslave5 @{exec_path} { # Silence non user's data deny /boot/{,**} r, + deny /etc/{,**} r, deny /opt/{,**} r, deny /root/{,**} r, deny /tmp/.* rw, diff --git a/apparmor.d/groups/kde/sddm b/apparmor.d/groups/kde/sddm index 9bd5d177b..2ab46af21 100644 --- a/apparmor.d/groups/kde/sddm +++ b/apparmor.d/groups/kde/sddm @@ -36,9 +36,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) { network netlink raw, - ptrace (trace) peer=@{profile_name}, + ptrace (read) peer=kwalletd5, ptrace (read) peer=unconfined, - + ptrace (trace) peer=@{profile_name}, + signal (send) set=term peer=kwin_wayland, signal (send) set=(kill, term) peer=startplasma, signal (send) set=term peer=startplasma-wayland, diff --git a/apparmor.d/groups/network/NetworkManager b/apparmor.d/groups/network/NetworkManager index 1e767c58f..f50e03b87 100644 --- a/apparmor.d/groups/network/NetworkManager 
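Review bot: `deny /etc/{,**} r,` in the kioslave5 hunk masks every `/etc` read the profile is otherwise granted, because AppArmor deny rules take precedence over allow rules, including the ones its abstractions bring in (`/etc/ld.so.cache`, `/etc/nsswitch.conf`, `/etc/resolv.conf`, fontconfig and TLS trust-store files); those reads now fail and, since `deny` is quiet by default, nothing is logged about it. The neighbouring `deny /boot`, `/opt`, `/root` entries are safe because no abstraction needs them, but `/etc` is not in that category for a KIO worker that resolves names and loads fonts and certificates. Narrow the rule to the paths that actually showed up in the log, or drop it, and record the reasoning next to the block, e.g. `# deny overrides allow: only list trees no included abstraction reads`.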
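Review bot: `ptrace (read) peer=kwalletd5` in the sddm hunk deserves a why-comment, since it lets the display manager read `/proc/<pid>/` of the wallet daemon (cmdline, environ, maps) whereas the `trace` right two lines below is kept to `@{profile_name}` only; presumably this comes from the PAM kwallet integration that sddm drives, but the hunk does not say. Suggested comment above the rule: `# read-only /proc introspection of the wallet daemon started from the PAM session; no trace`.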
+++ b/apparmor.d/groups/network/NetworkManager @@ -80,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, + dbus (send eceive) bus=system path=/fi/w1/wpa_supplicant1{,/**} + interface={fi.w1.wpa_supplicant1.Interface,org.freedesktop.DBus.Properties} + member=PropertiesChanged + peer=(name=:*, label=wpa-supplicant), + dbus receive bus=system path=/org/freedesktop interface=org.freedesktop.DBus.ObjectManager member=GetManagedObjects, diff --git a/apparmor.d/groups/pacman/mkinitcpio b/apparmor.d/groups/pacman/mkinitcpio index 12a120f72..f2d1cba72 100644 --- a/apparmor.d/groups/pacman/mkinitcpio +++ b/apparmor.d/groups/pacman/mkinitcpio @@ -76,6 +76,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { /etc/lvm/lvm.conf r, /etc/mkinitcpio.conf r, /etc/mkinitcpio.d/{,**} r, + /etc/mkinitcpio.conf.d/{,**} r, /etc/modprobe.d/{,*} r, /etc/plymouth/plymouthd.conf r, /etc/vconsole.conf r, @@ -96,13 +97,15 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) { # Manage /boot / r, + /boot/ r, /boot/initramfs-*.img* rw, /boot/vmlinuz-* r, # Temp files owner @{run}/initramfs/{,**} rw, - owner @{run}/mkinitcpio.*/{,**} rw, - owner /tmp/mkinitcpio.*/{,**} rw, + owner @{run}/mkinitcpio.@{rand6}/{,**} rw, + owner /tmp/mkinitcpio.@{rand6} rw, + owner /tmp/mkinitcpio.@{rand6}/{,**} rw, @{sys}/class/block/ r, @{sys}/devices/{,**} r, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index 360f24d3c..fad05ca48 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -15,11 +15,12 @@ profile pacman-hook-code @{exec_path} { @{exec_path} mr, + @{bin}/env r, @{bin}/python3.[0-9]* rix, @{lib}/code/product.json rw, - /usr/share/code-{features,marketplace}/* r, + /usr/share/code-{features,marketplace}/{,*} r, /usr/share/code-{features,marketplace}/cache.json rw, include if exists 
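Review bot: `dbus (send eceive)` in the NetworkManager hunk is not a valid access mode; as written the rule does not parse, and apparmor_parser then refuses the whole NetworkManager profile rather than just this rule, so the daemon would run unconfined on the next reload. Change the first line to `dbus (send receive) bus=system path=/fi/w1/wpa_supplicant1{,/**}`. The `label=wpa-supplicant` peer matches the profile name used by the wpa-supplicant hunk at the end of this patch, so the rest of the rule is consistent.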
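Review bot: `owner /tmp/mkinitcpio.@{rand6} rw,` in the second mkinitcpio hunk has no trailing slash, so it matches a regular file of that name rather than the work directory; AppArmor mediates directories with a trailing `/`, and the next line `owner /tmp/mkinitcpio.@{rand6}/{,**} rw,` already covers the directory itself through its empty alternation. If the line was added for a `mktemp -d` work directory it is redundant, and the fact that the `@{run}/mkinitcpio.@{rand6}/{,**}` variant above has no bare-file counterpart suggests that is the case; if mkinitcpio really creates a plain temp file with this pattern, keep it and say so, e.g. `# plain temp file (not the work dir)`.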
diff --git a/apparmor.d/groups/systemd/systemd-detect-virt b/apparmor.d/groups/systemd/systemd-detect-virt index e606a4bbe..edd1df40e 100644 --- a/apparmor.d/groups/systemd/systemd-detect-virt +++ b/apparmor.d/groups/systemd/systemd-detect-virt @@ -26,6 +26,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_version r, @{sys}/devices/virtual/dmi/id/sys_vendor r, + @{sys}/firmware/dmi/entries/*/raw r, # Inherit silencer deny /apparmor/.null rw, diff --git a/apparmor.d/groups/systemd/systemd-modules-load b/apparmor.d/groups/systemd/systemd-modules-load index 6b9bfcb30..6d8160834 100644 --- a/apparmor.d/groups/systemd/systemd-modules-load +++ b/apparmor.d/groups/systemd/systemd-modules-load @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -18,9 +19,9 @@ profile systemd-modules-load @{exec_path} { @{sys}/module/*/initstate r, - /etc/modules r, /etc/modprobe.d/ r, /etc/modprobe.d/*.conf r, + /etc/modules r, /etc/modules-load.d/ r, /etc/modules-load.d/*.conf r, diff --git a/apparmor.d/groups/systemd/systemd-sysctl b/apparmor.d/groups/systemd/systemd-sysctl index 8aa2e0a54..99a70aa32 100644 --- a/apparmor.d/groups/systemd/systemd-sysctl +++ b/apparmor.d/groups/systemd/systemd-sysctl @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -17,16 +18,16 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) { capability sys_admin, capability sys_ptrace, capability sys_rawio, - # capability sys_resource, @{exec_path} mr, - @{PROC}/sys/** rw, - - /etc/sysctl.d/ r, - /etc/sysctl.d/*.conf r, - + # Config file locations + @{run}/sysctl.d/{,*.conf} r, /etc/sysctl.conf r, + /etc/sysctl.d/{,*.conf} r, + /usr/lib/sysctl.d/{,*.conf} r, + + @{PROC}/sys/** rw, # Inherit Silencer deny /apparmor/.null rw, diff --git a/apparmor.d/profiles-a-f/aa-enforce b/apparmor.d/profiles-a-f/aa-enforce index 8e83405e8..608505179 100644 --- a/apparmor.d/profiles-a-f/aa-enforce +++ b/apparmor.d/profiles-a-f/aa-enforce @@ -26,7 +26,7 @@ profile aa-enforce @{exec_path} { /etc/inputrc r, - owner /snap/core[0-9]*/@{int}/etc/apparmor.d/{,**} rw, + owner /snap/core@{int}/@{int}/etc/apparmor.d/{,**} rw, owner /var/lib/snapd/apparmor/{,**} rw, owner @{PROC}/@{pid}/fd r, diff --git a/apparmor.d/profiles-a-f/boltd b/apparmor.d/profiles-a-f/boltd index c31abbca0..2a882d993 100644 --- a/apparmor.d/profiles-a-f/boltd +++ b/apparmor.d/profiles-a-f/boltd @@ -28,6 +28,11 @@ profile boltd @{exec_path} flags=(attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=:*, label=polkitd), + dbus receive bus=system path=/org/freedesktop/bolt interface=org.freedesktop.bolt1.Manager member=ListDevices, diff --git a/apparmor.d/profiles-a-f/chpasswd b/apparmor.d/profiles-a-f/chpasswd index d72cfc5f6..4b45126ac 100644 --- a/apparmor.d/profiles-a-f/chpasswd +++ b/apparmor.d/profiles-a-f/chpasswd @@ -1,4 +1,5 @@ # apparmor.d - Full set of apparmor profiles +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only include 
@@ -17,16 +18,16 @@ profile chpasswd @{exec_path} { /etc/.pwd.lock wk, /etc/login.defs r, - /etc/shadow rw, - /etc/shadow.@{int} w, - /etc/shadow.lock w, # change to 'd' - /etc/shadow.lock l -> /etc/shadow.@{int}, - /etc/shadow- w, - /etc/shadow+ rw, /etc/passwd rw, /etc/passwd.@{int} w, - /etc/passwd.lock w, # change to 'd' /etc/passwd.lock l -> /etc/passwd.@{int}, + /etc/passwd.lock w, + /etc/shadow rw, + /etc/shadow- w, + /etc/shadow.@{int} w, + /etc/shadow.lock l -> /etc/shadow.@{int}, + /etc/shadow.lock w, + /etc/shadow+ rw, include if exists } diff --git a/apparmor.d/profiles-a-f/dkms b/apparmor.d/profiles-a-f/dkms index b38c9213c..971d587e0 100644 --- a/apparmor.d/profiles-a-f/dkms +++ b/apparmor.d/profiles-a-f/dkms @@ -56,7 +56,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) { @{bin}/{,g,m}awk rix, @{bin}/update-secureboot-policy rPUx, - @{lib}/gcc/@{multiarch}/@{int}/* rix, + @{lib}/gcc/@{multiarch}/@{int}*/* rix, @{lib}/linux-kbuild-*/scripts/** rix, @{lib}/linux-kbuild-*/tools/objtool/objtool rix, @{lib}/llvm-[0-9]*/bin/clang rix, diff --git a/apparmor.d/profiles-g-l/groups b/apparmor.d/profiles-g-l/groups index ea6ef03be..8c1ca9131 100644 --- a/apparmor.d/profiles-g-l/groups +++ b/apparmor.d/profiles-g-l/groups @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2017-2021 Mikhail Morfikov +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , @@ -16,6 +17,10 @@ profile groups @{exec_path} { /etc/group r, /etc/nsswitch.conf r, + @{run}/systemd/userdb r, + + @{PROC}/sys/kernel/random/boot_id r, + /dev/tty@{int} rw, include if exists diff --git a/apparmor.d/profiles-g-l/lspci b/apparmor.d/profiles-g-l/lspci index f29be7921..0d726ca11 100644 --- a/apparmor.d/profiles-g-l/lspci +++ b/apparmor.d/profiles-g-l/lspci 
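Review bot: `@{run}/systemd/userdb r,` in the second groups hunk does not grant what an nss-systemd lookup needs if it is enumerating the `userdb/` socket directory, because a directory is mediated with a trailing slash; that access would need `@{run}/systemd/userdb/ r,`. If the denial being fixed was on a non-directory entry the current line is right, but the reason is not obvious from the rule, so add a short comment stating which access it satisfies.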
@@ -32,7 +32,7 @@ profile lspci @{exec_path} flags=(attach_disconnected) { @{sys}/bus/pci/devices/ r, @{sys}/bus/pci/slots/ r, - @{sys}/bus/pci/slots/@{int}/address r, + @{sys}/bus/pci/slots/@{int}-@{int}/address r, @{sys}/devices/pci[0-9]*/** r, @{PROC}/cmdline r, diff --git a/apparmor.d/profiles-s-z/smartctl b/apparmor.d/profiles-s-z/smartctl index f38249f00..e79acf4f7 100644 --- a/apparmor.d/profiles-s-z/smartctl +++ b/apparmor.d/profiles-s-z/smartctl @@ -1,6 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov -# 2021 Alexandre Pujol +# Copyright (C) 2021-2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index ed76236ea..de722db59 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -59,6 +59,7 @@ profile spotify @{exec_path} { owner @{cache_dirs}/ rw, owner @{cache_dirs}/** rwk -> @{cache_dirs}/**, + owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{run}/user/@{uid}/pulse/ r, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index 76ae1ea60..6d27c3774 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -49,10 +49,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/platform/{,*} r, - @{sys}/devices/platform/**/path r, - @{sys}/devices/platform/**/available_uuids r, - @{sys}/devices/platform/**/current_uuid rw, + @{sys}/devices/platform/ r, + @{sys}/devices/platform/** r, @{sys}/devices/system/cpu/present r, @{sys}/devices/system/cpu/intel_pstate/max_perf_pct rw, 
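Review bot: `owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,` in the spotify hunk combines with the `owner @{cache_dirs}/** rwk` rule just above it, so the process can write a file under its own cache and then map it executable; write-plus-mmap-exec on one path is exactly what a profile normally prevents, and here it is an accepted trade-off for a DRM module that is downloaded at runtime. Please document that next to the rule, e.g. `# Widevine CDM is fetched at runtime into the cache: w+m on the same path is intentional`, so the line is neither later "fixed" away nor copied into profiles that do not need it.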
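Review bot: collapsing the four `platform` rules in the first thermald hunk into `@{sys}/devices/platform/** r,` drops the write permission the removed `@{sys}/devices/platform/**/current_uuid rw,` line granted, so if thermald still selects the DPTF policy by writing that file it will now be denied; that is a regression, not a cleanup. Keep a write rule alongside the read glob, `@{sys}/devices/platform/**/current_uuid w,`, or restore the original `rw` line. The broad `**` read is reasonable for a sensor daemon, but a one-line comment on why the whole platform tree is needed would help the next reviewer.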
@@ -65,6 +63,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) { @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmax_us r, @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmin_us r, + @{sys}/devices/**/hwmon@{int}/ r, @{sys}/devices/**/hwmon@{int}/name r, @{sys}/devices/**/hwmon@{int}/temp[0-9]*_{max,crit} r, @{sys}/devices/**/path r, @@ -86,13 +85,13 @@ profile thermald @{exec_path} flags=(attach_disconnected) { @{sys}/devices/virtual/thermal/cooling_device@{int}/cur_state rw, @{sys}/devices/virtual/thermal/cooling_device@{int}/max_state r, - @{sys}/devices/virtual/powercap/intel-rapl/ r, - @{sys}/devices/virtual/powercap/intel-rapl/**/name r, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/ r, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/* r, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/constraint_* w, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/enabled w, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r, + @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/ r, + @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/**/name r, + @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/ r, + @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/* r, + @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/constraint_* w, + @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/enabled w, + @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r, /dev/acpi_thermal_rel rw, /dev/input/ r, diff --git a/apparmor.d/profiles-s-z/thunderbird-glxtest b/apparmor.d/profiles-s-z/thunderbird-glxtest index 9e9d9f9ca..31f4d0ae5 100644 --- a/apparmor.d/profiles-s-z/thunderbird-glxtest +++ b/apparmor.d/profiles-s-z/thunderbird-glxtest 
@@ -19,6 +19,7 @@ profile thunderbird-glxtest @{exec_path} { include include include + include @{exec_path} mr, @@ -26,11 +27,10 @@ profile thunderbird-glxtest @{exec_path} { owner /tmp/thunderbird/.parentlock rw, - owner @{run}/user/@{uid}/xauth_@{rand6} r, - @{sys}/bus/pci/devices/ r, @{sys}/devices/pci[0-9]*/**/class r, + owner @{PROC}/@{pid}/cmdline r, include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/thunderbird-vaapitest b/apparmor.d/profiles-s-z/thunderbird-vaapitest index aebbe30e8..41017cb65 100644 --- a/apparmor.d/profiles-s-z/thunderbird-vaapitest +++ b/apparmor.d/profiles-s-z/thunderbird-vaapitest @@ -25,8 +25,8 @@ profile thunderbird-vaapitest @{exec_path} { /etc/igfx_user_feature{,_next}.txt w, /etc/libva.conf r, - owner @{thunderbird_config_dirs}/*/.parentlock rw, - owner @{thunderbird_config_dirs}/*/startupCache/*Cache* r, + deny owner @{thunderbird_config_dirs}/*/.parentlock rw, + deny owner @{thunderbird_config_dirs}/*/startupCache/** r, owner /tmp/thunderbird/.parentlock rw, diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index f2be25426..703e65ee8 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -152,8 +152,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { owner @{PROC}/@{pid}/mounts r, /dev/loop-control rw, - /dev/mapper/ r, - /dev/mapper/control rw, /dev/null.[0-9]* rw, include if exists diff --git a/apparmor.d/profiles-s-z/wpa-supplicant b/apparmor.d/profiles-s-z/wpa-supplicant index a28d61e05..02d26f95e 100644 --- a/apparmor.d/profiles-s-z/wpa-supplicant +++ b/apparmor.d/profiles-s-z/wpa-supplicant 
@@ -44,10 +44,11 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) { /var/log/wpa_supplicant.log rw, @{HOME}/.cat_installer/*.pem r, + @{user_config_dirs}/cat_installer/*.pem r, owner @{run}/wpa_supplicant/{,**} rw, - @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r, + @{sys}/devices/pci[0-9]*/**/ieee*/phy@{int}/name r, @{PROC}/sys/net/ipv{4,6}/conf/p2p*/drop_* rw, @{PROC}/sys/net/ipv{4,6}/conf/wlan*/drop_* rw,