feat(profiles): general update.

apparmor.d/groups/browsers/firefox-glxtest

@@ -30,5 +30,7 @@ profile firefox-glxtest @{exec_path} {
   @{sys}/bus/pci/devices/ r,
   @{sys}/devices/@{pci}/class r,
 
+  owner @{PROC}/@{pid}/cmdline r,
+
   include if exists <local/firefox-glxtest>
 }

apparmor.d/groups/browsers/firefox-pingsender

@@ -18,6 +18,9 @@ profile firefox-pingsender @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
 
+  network inet stream,
+  network inet6 stream,
+
   signal (receive) set=(term, kill) peer=firefox,
 
   @{exec_path} mr,

apparmor.d/groups/children/child-open

@@ -63,6 +63,7 @@ profile child-open {
 
   # Others
   @{bin}/*Foliate         rPUx,
+  @{bin}/blueman-tray      rPx,
   @{bin}/discord{,-ptb}    rPx,
   @{bin}/draw.io          rPUx,
   @{bin}/dropbox           rPx,
@@ -90,7 +91,7 @@ profile child-open {
   @{bin}/viewnior         rPUx,
   @{bin}/vlc              rPUx,
   @{bin}/xarchiver         rPx,
-  @{bin}/xbrlapi 	   rPx,
+  @{bin}/xbrlapi 	         rPx,
   @{lib}/libreoffice/program/{soffice,soffice.bin,oosplash} rPUx,
 
   include if exists <usr/child-open.d>

apparmor.d/groups/freedesktop/pipewire

@@ -64,7 +64,8 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
   owner @{user_config_dirs}/pipewire/pipewire.conf r,
 
   owner /tmp/librnnoise-[0-9]*.so rm,
-  owner @{run}/user/@{uid}/pipewire-[0-9]*.lock rwk,
+  owner @{run}/user/@{uid}/pipewire-@{int} rw,
+  owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
 
   @{run}/udev/data/c81:@{int}  r,         # For video4linux
   @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
@@ -79,11 +80,12 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/ r,
   @{sys}/devices/**/device:*/**/path r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{idVendor,idProduct,removable,uevent} r,
-  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor} r,
+  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r,
 
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   /dev/media@{int} rw,
+  /dev/video@{int} rw,
 
   include if exists <local/pipewire>
 }

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -141,6 +141,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
   @{run}/mount/utab r,
 
   owner @{PROC}/@{pid}/ r,
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/task/@{tid}/ r,
   owner @{PROC}/@{pid}/task/@{tid}/status r,

apparmor.d/groups/gnome/gdm-wayland-session

@@ -70,6 +70,7 @@ profile gdm-wayland-session @{exec_path} {
   /usr/share/gdm/gdm.schemas r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/im-config/{,**} r,
+  /usr/share/libdebuginfod-common/debuginfod.sh r,
   /usr/share/xsessions/gnome.desktop r,
 
   @{etc_ro}/profile.d/{,*} r,

apparmor.d/groups/gnome/gnome-software

@@ -46,7 +46,7 @@ profile gnome-software @{exec_path} {
   /usr/share/app-info/{,**} r,
   /usr/share/appdata/{,**} r,
   /usr/share/metainfo/{,**} r,
-  /usr/share/swcatalog/xml/{,**} r,
+  /usr/share/swcatalog/{,**} r,
   /usr/share/X11/xkb/{,**} r,
   /usr/share/xml/iso-codes/{,**} r,
 
@@ -110,6 +110,8 @@ profile gnome-software @{exec_path} {
         @{PROC}/@{pids}/mounts r,
         @{PROC}/sys/fs/pipe-max-size r,
         @{PROC}/sys/kernel/random/boot_id r,
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/stat r,
 
   /dev/fuse rw,

apparmor.d/groups/gnome/kgx

@@ -12,12 +12,15 @@ profile kgx @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/dconf-write>
   include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/nvidia>
   include <abstractions/vulkan>
+  include <abstractions/X-strict>
 
   capability sys_ptrace,
 
@@ -38,7 +41,6 @@ profile kgx @{exec_path} {
   @{lib}/gio-launch-desktop                          rPx -> child-open,
 
   /usr/share/themes/{,**} r,
-  /usr/share/X11/xkb/{,**} r,
 
   owner /tmp/#@{int} rw,
 

apparmor.d/groups/gnome/mutter-x11-frames

@@ -20,10 +20,16 @@ profile mutter-x11-frames @{exec_path} {
   include <abstractions/nvidia>
   include <abstractions/vulkan>
   include <abstractions/wayland>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
+  /usr/share/dconf/profile/gdm r,
+  /usr/share/gdm/greeter-dconf-defaults r,
+
+  /var/lib/gdm/.config/dconf/user r,
+
+  owner @{PROC}/@{pid}/cmdline r,
 
   include if exists <local/mutter-x11-frames>
 }

apparmor.d/groups/gnome/nautilus

@@ -98,6 +98,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 
         @{PROC}/@{pids}/net/wireless r,
         @{PROC}/sys/dev/i915/perf_stream_paranoid r,
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
 

apparmor.d/groups/gnome/tracker-extract

@@ -13,6 +13,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dconf-write>
   include <abstractions/deny-sensitive-home>
   include <abstractions/disks-read>
+  include <abstractions/dri-enumerate>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gstreamer>
@@ -82,6 +83,8 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   /usr/share/dconf/profile/gdm r,
+  /usr/share/drirc.d/{,*.conf} r,
+  /usr/share/gvfs/remote-volume-monitors/{,*} r,
   /usr/share/hwdata/*.ids r,
   /usr/share/ladspa/rdf/{,**} r,
   /usr/share/mime/mime.cache r,
@@ -89,15 +92,11 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   /usr/share/poppler/{,**} r,
   /usr/share/tracker3-miners/{,**} r,
   /usr/share/tracker3/{,**} r,
-  /usr/share/gvfs/remote-volume-monitors/{,*} r,
 
   /etc/blkid.conf r,
   /etc/fstab r,
   /etc/libva.conf r,
 
-  # dri-common-strict
-  /usr/share/drirc.d/{,*.conf} r,
-
   /var/lib/gdm{3,}/.cache/ rw,
   /var/lib/gdm{3,}/.cache/tracker3/{,**} rw,
   /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
@@ -134,9 +133,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
   @{run}/mount/utab r,
 
-  @{sys}/devices/pci[0-9]*/*/vendor r,
-  @{sys}/devices/pci[0-9]*/*/device r,
-
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,

apparmor.d/groups/kde/dolphin

@@ -10,6 +10,7 @@ include <tunables/global>
 profile dolphin @{exec_path} {
   include <abstractions/base>
   include <abstractions/deny-sensitive-home>
+  include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
@@ -30,6 +31,7 @@ profile dolphin @{exec_path} {
   /usr/share/kf5/kmoretools/{,**} r,
   /usr/share/kio/{,**} r,
   /usr/share/kservices5/{,**} r,
+  /usr/share/kservicetypes5/{,**} r,
   /usr/share/mime/ r,
 
   /etc/fstab r,
@@ -55,8 +57,7 @@ profile dolphin @{exec_path} {
   owner @{user_config_dirs}/dolphinrc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/dolphinrc.lock rwk,
   owner @{user_config_dirs}/kde.org/#@{int} rw,
-  owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf rw,
-  owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.@{rand6} rwlk -> @{user_config_dirs}/kde.org/#@{int},
+  owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf{,.@{rand6}} rwlk -> @{user_config_dirs}/kde.org/#@{int},
   owner @{user_config_dirs}/kde.org/UserFeedback.org.kde.dolphin.conf.lock rwk,
 
   owner @{user_config_dirs}/session/ rw,

apparmor.d/groups/kde/kioslave5

@@ -66,6 +66,7 @@ profile kioslave5 @{exec_path} {
 
   # Silence non user's data
   deny /boot/{,**} r,
+  deny /etc/{,**} r,
   deny /opt/{,**} r,
   deny /root/{,**} r,
   deny /tmp/.* rw,

apparmor.d/groups/kde/sddm

@@ -36,9 +36,10 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   network netlink raw,
 
-  ptrace (trace) peer=@{profile_name},
+  ptrace (read) peer=kwalletd5,
   ptrace (read) peer=unconfined,
-  
+  ptrace (trace) peer=@{profile_name},
+
   signal (send) set=term peer=kwin_wayland,
   signal (send) set=(kill, term) peer=startplasma,
   signal (send) set=term peer=startplasma-wayland,

apparmor.d/groups/network/NetworkManager

@@ -80,6 +80,11 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects,
 
+  dbus (send eceive) bus=system path=/fi/w1/wpa_supplicant1{,/**}
+       interface={fi.w1.wpa_supplicant1.Interface,org.freedesktop.DBus.Properties}
+       member=PropertiesChanged 
+       peer=(name=:*, label=wpa-supplicant),
+
   dbus receive bus=system path=/org/freedesktop
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects,

apparmor.d/groups/pacman/mkinitcpio

@@ -76,6 +76,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   /etc/lvm/lvm.conf r,
   /etc/mkinitcpio.conf r,
   /etc/mkinitcpio.d/{,**} r,
+  /etc/mkinitcpio.conf.d/{,**} r,
   /etc/modprobe.d/{,*} r,
   /etc/plymouth/plymouthd.conf r,
   /etc/vconsole.conf r,
@@ -96,13 +97,15 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   # Manage /boot
   / r,
+  /boot/ r,
   /boot/initramfs-*.img* rw,
   /boot/vmlinuz-* r,
 
   # Temp files
   owner @{run}/initramfs/{,**} rw,
-  owner @{run}/mkinitcpio.*/{,**} rw,
-  owner /tmp/mkinitcpio.*/{,**} rw,
+  owner @{run}/mkinitcpio.@{rand6}/{,**} rw,
+  owner /tmp/mkinitcpio.@{rand6} rw,
+  owner /tmp/mkinitcpio.@{rand6}/{,**} rw,
 
   @{sys}/class/block/ r,
   @{sys}/devices/{,**} r,

apparmor.d/groups/pacman/pacman-hook-code

@@ -15,11 +15,12 @@ profile pacman-hook-code @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/env r,
   @{bin}/python3.[0-9]* rix,
 
   @{lib}/code/product.json rw,
 
-  /usr/share/code-{features,marketplace}/* r,
+  /usr/share/code-{features,marketplace}/{,*} r,
   /usr/share/code-{features,marketplace}/cache.json rw,
 
   include if exists <local/pacman-hook-code>

apparmor.d/groups/systemd/systemd-detect-virt

@@ -26,6 +26,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/firmware/dmi/entries/*/raw r,
 
   # Inherit silencer
   deny /apparmor/.null rw,

apparmor.d/groups/systemd/systemd-modules-load

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -18,9 +19,9 @@ profile systemd-modules-load @{exec_path} {
 
   @{sys}/module/*/initstate r,
 
-  /etc/modules r,
   /etc/modprobe.d/ r,
   /etc/modprobe.d/*.conf r,
+  /etc/modules r,
   /etc/modules-load.d/ r,
   /etc/modules-load.d/*.conf r,
 

apparmor.d/groups/systemd/systemd-sysctl

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -17,16 +18,16 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
   capability sys_admin,
   capability sys_ptrace,
   capability sys_rawio,
-  # capability sys_resource,
 
   @{exec_path} mr,
 
-  @{PROC}/sys/** rw,
-
-  /etc/sysctl.d/ r,
-  /etc/sysctl.d/*.conf r,
-
+  # Config file locations
+  @{run}/sysctl.d/{,*.conf} r,
   /etc/sysctl.conf r,
+  /etc/sysctl.d/{,*.conf} r,
+  /usr/lib/sysctl.d/{,*.conf} r,
+
+  @{PROC}/sys/** rw,
 
   # Inherit Silencer
   deny /apparmor/.null rw,