feat(profile): general update.

apparmor.d/groups/apt/debconf-apt-progress

@@ -13,7 +13,6 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
   include <abstractions/perl>
 
   @{exec_path} r,
-  @{bin}/perl r,
 
   @{bin}/apt-get          rPx,
 
@@ -21,7 +20,6 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
   /usr/share/debconf/frontend  rPx,
   #/usr/share/debconf/frontend rCx -> frontend,
 
-
   profile frontend flags=(complain) {
     include <abstractions/base>
     include <abstractions/consoles>
@@ -29,7 +27,6 @@ profile debconf-apt-progress @{exec_path} flags=(complain) {
     include <abstractions/nameservice-strict>
 
     /usr/share/debconf/frontend r,
-    @{bin}/perl r,
 
     @{bin}/debconf-apt-progress rPx,
 

apparmor.d/groups/apt/dpkg

@@ -39,7 +39,6 @@ profile dpkg @{exec_path} {
   # Package maintainer's scripts
   /var/lib/dpkg/info/*.@{dpkg_script_ext} rPUx,
   /var/lib/dpkg/info/*.control            r,
-
   /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} rPUx,
 
   # For shell pwd

apparmor.d/groups/cron/anacron

@@ -26,7 +26,8 @@ profile anacron @{exec_path} {
 
   @{HOME}/ r,
 
-  /tmp/file* rw,
+  @{tmp}/file@{rand6} rw,
+  /tmp/anacron-@{rand6} rw,
 
   profile run-parts {
     include <abstractions/base>
@@ -38,6 +39,7 @@ profile anacron @{exec_path} {
 
     owner @{tmp}/#@{int} rw,
     owner @{tmp}/file@{rand6} rw,
+    /tmp/anacron-@{rand6} rw,
 
     include if exists <local/anacron_run-parts>
   }

apparmor.d/groups/filesystem/lvm

@@ -49,6 +49,7 @@ profile lvm @{exec_path} flags=(attach_disconnected) {
 
   /dev/**/ r,
   /dev/mapper/control rw,
+  /dev/root r,
 
   include if exists <local/lvm>
 }

apparmor.d/groups/firewall/ufw

@@ -29,14 +29,14 @@ profile ufw @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  @{python_path}               rix,
   @{bin}/ r,
-  @{bin}/cat ix,
+  @{bin}/cat                   rix,
-  @{bin}/env r,
+  @{bin}/env                   r,
-  @{python_path} ix,
+  @{bin}/sysctl                rix,
-  @{bin}/sysctl ix,
+  @{bin}/xtables-legacy-multi  rix,
-  @{bin}/xtables-legacy-multi ix,
+  @{bin}/xtables-nft-multi     rix,
-  @{bin}/xtables-nft-multi ix,
+  @{lib}/ufw/ufw-init          rix,
-  @{lib}/ufw/ufw-init ix,
 
   /etc/default/ufw rw,
   /etc/ufw/ rw,

apparmor.d/groups/freedesktop/plymouthd

@@ -12,6 +12,7 @@ profile plymouthd @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/dri>
   include <abstractions/fonts>
+  include <abstractions/X-strict>
 
   capability checkpoint_restore,
   capability dac_override,

apparmor.d/groups/freedesktop/wireplumber

@@ -51,6 +51,10 @@ profile wireplumber @{exec_path} {
 
   owner @{run}/user/@{uid}/pipewire-@{int} rw,
 
+        /dev/shm/lttng-ust-wait-@{int} r,
+  owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,
+  owner /dev/shm/lttng-ust-wait-@{int}-@{int} rw,
+
   @{run}/systemd/users/@{uid} r,
 
   @{run}/udev/data/c14:@{int} r,          # Open Sound System (OSS)

apparmor.d/groups/freedesktop/xdg-desktop-icon

@@ -39,6 +39,7 @@ profile xdg-desktop-icon @{exec_path} {
     include <abstractions/base>
     include <abstractions/app/bus>
     include <abstractions/bus-session>
+
     include if exists <local/xdg-desktop-icon_bus>
   }
 

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -19,6 +19,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/bus/org.freedesktop.RealtimeKit1>
   include <abstractions/dconf-write>
+  include <abstractions/devices-usb-read>
   include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
   include <abstractions/thumbnails-cache-read>

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -35,6 +35,11 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
   #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
   #aa:dbus talk bus=session name=org.gnome.Shell.Screenshot label=gnome-shell
 
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.impl.portal.Background
+       member=RunningApplicationsChanged
+       peer=(name=org.freedesktop.DBus, label=xdg-desktop-portal),
+
   @{exec_path} mr,
 
   / r,

apparmor.d/groups/freedesktop/xwayland

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path}  = @{bin}/Xwayland
+@{exec_path} = @{bin}/Xwayland
 profile xwayland @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/graphics>

apparmor.d/groups/gnome/epiphany-search-provider

@@ -31,8 +31,9 @@ profile epiphany-search-provider @{exec_path} {
   owner @{user_cache_dirs}/epiphany/{,**} rwk,
   owner @{user_share_dirs}/epiphany/{,**} rwk,
 
+  owner @{tmp}/ContentRuleList-@{rand6} rw,
   owner @{tmp}/ContentRuleList@{rand6} rw,
-  owner @{tmp}/Serialized* rw,
+  owner @{tmp}/SerializedNFA-@{rand6} rw,
 
         @{sys}/devices/virtual/dmi/id/chassis_type r,
         @{sys}/firmware/acpi/pm_profile r,

apparmor.d/groups/gnome/gdm-session-worker

@@ -31,25 +31,26 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
   network unix stream,
 
-  signal (receive) set=term peer=gdm,
+  signal receive set=term peer=gdm,
-  signal (send) set=(hup term) peer=gdm-session,
+  signal send set=(hup term) peer=gdm-session,
-  signal (send) set=hup peer=at-spi*,
+  signal send set=hup peer=at-spi*,
-  signal (send) set=hup peer=dbus-accessibility,
+  signal send set=hup peer=dbus-accessibility,
-  signal (send) set=hup peer=dbus-session,
+  signal send set=hup peer=dbus-session,
-  signal (send) set=hup peer=dconf-service,
+  signal send set=hup peer=dconf-service,
-  signal (send) set=hup peer=gjs-console,
+  signal send set=hup peer=gjs-console,
-  signal (send) set=hup peer=gnome-*,
+  signal send set=hup peer=gnome-*,
-  signal (send) set=hup peer=gsd-*,
+  signal send set=hup peer=gsd-*,
-  signal (send) set=hup peer=ibus-*,
+  signal send set=hup peer=ibus-*,
-  signal (send) set=hup peer=mutter-x11-frames,
+  signal send set=hup peer=mutter-x11-frames,
-  signal (send) set=hup peer=tracker-miner,
+  signal send set=hup peer=tracker-miner,
-  signal (send) set=hup peer=xdg-*,
+  signal send set=hup peer=xdg-*,
-  signal (send) set=hup peer=xorg,
+  signal send set=hup peer=xorg,
-  signal (send) set=hup peer=xwayland,
+  signal send set=hup peer=xwayland,
 
   unix (bind) type=stream addr=@@{udbus}/bus/gdm-session-wor/system,
 
   #aa:dbus talk bus=system name=org.freedesktop.Accounts label=accounts-daemon
+  #aa:dbus talk bus=system name=org.freedesktop.home1.Manager label=systemd-homed
 
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager

apparmor.d/groups/gnome/gjs-console

@@ -82,6 +82,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
 
   /dev/ r,

apparmor.d/groups/gnome/gnome-control-center

@@ -32,8 +32,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
-  signal (send) set=(kill) peer=unconfined,
+  signal send set=kill peer=unconfined,
-  signal (send) set=(kill) peer=passwd,
+  signal send set=kill peer=passwd,
 
   unix (send, receive, connect) type=stream peer=(addr="@/home/*/.cache/ibus/dbus-????????", label=ibus-daemon),
 
@@ -113,6 +113,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 
   owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
+  owner @{user_cache_dirs}/thumbnails/fail/gnome-thumbnail-factory/@{hex32}.png.@{rand6} rw,
 
   owner @{user_config_dirs}/background rw,
   owner @{user_config_dirs}/gnome-control-center/{,**} rw,
@@ -195,6 +196,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   profile pkexec {
     include <abstractions/base>
     include <abstractions/app/pkexec>
+
     include if exists <local/gnome-control-center_pkexec>
   }
 

apparmor.d/groups/gnome/gnome-remote-desktop-daemon

@@ -17,8 +17,11 @@ profile gnome-remote-desktop-daemon @{exec_path} {
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
 
+  network inet dgram,
   network inet stream,
+  network inet6 dgram,
   network inet6 stream,
+  network netlink raw,
 
   #aa:dbus own bus=system name=org.gnome.RemoteDesktop
   #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm

apparmor.d/groups/gnome/localsearch

@@ -47,6 +47,7 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
 
   owner /var/tmp/etilqs_@{hex15} rw,
   owner /var/tmp/etilqs_@{hex16} rw,
+  owner @{tmp}/etilqs_@{hex12}@{hex2} rw,
   owner @{tmp}/etilqs_@{hex15} rw,
   owner @{tmp}/etilqs_@{hex16} rw,
 

apparmor.d/groups/gnome/tracker-extract

@@ -30,11 +30,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
   #aa:dbus talk bus=session name=org.freedesktop.Tracker3 label=tracker-miner interface+=org.freedesktop.DBus.Peer
 
-  dbus send bus=session path=/org/gtk/vfs/metadata
-       interface=org.gtk.vfs.Metadata
-       member={GetTreeFromDevice,Remove}
-       peer=(name=:*, label=gvfsd-metadata),
-
   @{exec_path} mr,
 
   /usr/share/dconf/profile/gdm r,

apparmor.d/groups/grub/grub-probe

@@ -33,26 +33,7 @@ profile grub-probe @{exec_path} {
   @{PROC}/@{pids}/mountinfo r,
   @{PROC}/devices r,
 
-  /dev/*vg*/ r,
+  /dev/**/ r,
-  /dev/bsg/ r,
-  /dev/bus/ r,
-  /dev/bus/usb/ r,
-  /dev/bus/usb/@{int}/ r,
-  /dev/char/ r,
-  /dev/cpu/ r,
-  /dev/cpu/@{int}/ r,
-  /dev/dma_heap/ r,
-  /dev/dri/ r,
-  /dev/dri/by-path/ r,
-  /dev/hugepages/ r,
-  /dev/input/ r,
-  /dev/input/by-id/ r,
-  /dev/input/by-path/ r,
-  /dev/mapper/control rw,
-  /dev/mqueue/ r,
-  /dev/shm/ r,
-  /dev/snd/ r,
-  /dev/snd/by-path/ r,
 
   include if exists <local/grub-probe>
 }

apparmor.d/groups/hyprland/hyprlock

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/hyprlock
-profile hyprlock @{exec_path} {
+profile hyprlock @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/authentication>
   include <abstractions/fonts>

apparmor.d/groups/network/netplan-generate

@@ -21,6 +21,11 @@ profile netplan-generate @{exec_path} flags=(attach_disconnected) {
 
   /etc/netplan/{,*} r,
 
+  @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf rw,
+  @{run}/NetworkManager/conf.d/@{int}-globally-managed-devices.conf.@{rand6} rw,
+  @{run}/NetworkManager/system-connections/ r,
+  @{run}/NetworkManager/system-connections/* rw,
+
   @{run}/systemd/generator/multi-user.target.wants/ w,
   @{run}/systemd/generator/multi-user.target.wants/systemd-networkd.service w,
   @{run}/systemd/generator/netplan.stamp w,

apparmor.d/groups/polkit/pkexec

@@ -27,7 +27,6 @@ profile pkexec @{exec_path} {
 
   /etc/default/locale r,
 
-        @{PROC}/@{pid}/fdinfo/@{int} r,
         @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/fd/ r,
 

apparmor.d/groups/polkit/polkitd

@@ -51,6 +51,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
 
   @{att}/@{run}/systemd/notify w,
   @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
   @{att}/@{run}/systemd/userdb/io.systemd.Multiplexer rw,
 
   @{run}/systemd/sessions/* r,

apparmor.d/groups/procps/sysctl

@@ -24,6 +24,8 @@ profile sysctl @{exec_path} {
   /etc/sysctl.d/{,**} r,
   /usr/lib/sysctl.d/{,**} r,
 
+  /etc/ufw/sysctl.conf r, # Add support for ufw
+
   @{PROC}/sys/ r,
   @{PROC}/sys/** rw,
 
@@ -31,8 +33,6 @@ profile sysctl @{exec_path} {
   deny network inet6 stream,
   deny network inet stream,
 
-  /etc/ufw/sysctl.conf r, # Add support for ufw
-
   include if exists <local/sysctl>
 }
 

apparmor.d/groups/shadow/chpasswd

@@ -37,8 +37,10 @@ profile chpasswd @{exec_path} {
   /etc/shadow.lock w,
   /etc/shadow+ rw,
 
-  /etc/pam.d/chpasswd r,
+  /etc/pam.d/* r,
-  /etc/pam.d/common-* r,
+  /etc/security/pwquality.conf r,
+
+  @{PROC}/@{pid}/loginuid r,
 
   include if exists <local/chpasswd>
 }

apparmor.d/groups/snap/snap

@@ -14,7 +14,6 @@ profile snap @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.systemd1>
   include <abstractions/consoles>
   include <abstractions/disks-read>
   include <abstractions/nameservice-strict>

apparmor.d/groups/snap/snap-update-ns

@@ -43,6 +43,8 @@ profile snap-update-ns @{exec_path} {
   owner /snap/{,**} rw,
 
   owner /var/ rw,
+  owner /var/lib/ rw,
+  owner /var/lib/snapd/ rw,
   owner /var/snap/ rw,
   owner /var/snap/**/ rw,
 

apparmor.d/groups/snap/snapd

@@ -160,9 +160,9 @@ profile snapd @{exec_path} {
   @{sys}/fs/cgroup/cgroup.controllers r,
   @{sys}/fs/cgroup/system.slice/{,**/} r,
   @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
-  @{sys}/fs/cgroup/user.slice/ r,
+  @{sys}/fs/cgroup/*.slice/ r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
+  @{sys}/fs/cgroup/*.slice/*.service/{,**/} r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
+  @{sys}/fs/cgroup/*.slice/*-@{uid}.slice/*@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
   @{sys}/kernel/kexec_loaded r,
   @{sys}/kernel/security/apparmor/.notify r,
   @{sys}/kernel/security/apparmor/features/{,**} r,

apparmor.d/groups/ssh/ssh-keygen

@@ -8,7 +8,6 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/ssh-keygen
-
 profile ssh-keygen @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/systemd/localectl

@@ -16,6 +16,7 @@ profile localectl @{exec_path} {
   @{exec_path} mr,
 
   @{pager_path} rPx -> child-pager,
+  @{bin}/pkttyagent rPx,
 
   /usr/share/kbd/keymaps/{,**} r,
 

apparmor.d/groups/systemd/loginctl

@@ -23,6 +23,7 @@ profile loginctl @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{pager_path} rPx -> child-pager,
+  @{bin}/ssh    rPx,
 
         @{PROC}/sys/fs/nr_open r,
   owner @{PROC}/@{pid}/cgroup r,

apparmor.d/groups/systemd/systemd-homed

@@ -41,7 +41,7 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{lib}/systemd/systemd-homework rPx,
+  @{lib}/systemd/systemd-homework rPx -> systemd-homed//&systemd-homework,
   @{bin}/mkfs.btrfs rPx,
   @{bin}/mkfs.fat   rPx,
   @{bin}/mke2fs     rPx,

apparmor.d/groups/systemd/systemd-logind

@@ -141,6 +141,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
         /dev/input/event@{int} rw,  # Input devices (keyboard, mouse, etc)
         /dev/mqueue/ r,
         /dev/tty@{int} rw,
+  owner @{att}/dev/tty@{int} rw,
   owner /dev/shm/{,**/} rw,
 
   include if exists <local/systemd-logind>

apparmor.d/groups/systemd/systemd-machine-id-setup

@@ -25,6 +25,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  @{att}/ r,
   / r,
   /etc/ r,
   /etc/machine-id rw,

apparmor.d/groups/systemd/systemd-userdbd

@@ -32,6 +32,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
 
   @{att}/@{run}/systemd/notify w,
   @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
 
   @{run}/systemd/userdb/{,**} rw,
 

apparmor.d/groups/virt/cockpit-session

@@ -38,8 +38,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
 
   @{att}/@{run}/systemd/sessions/*.ref rw,
 
-  @{run}/cockpit/active.motd r,
+  @{run}/cockpit/* r,
-  @{run}/cockpit/inactive.motd r,
   @{run}/faillock/@{user} rwk,
   @{run}/motd.d/{,*} r,
   @{run}/utmp rwk,

apparmor.d/groups/virt/cockpit-ws

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/cockpit/cockpit-ws
 profile cockpit-ws @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
   @{exec_path} mr,

apparmor.d/groups/virt/docker-proxy

@@ -15,8 +15,9 @@ profile docker-proxy @{exec_path} {
 
   network inet stream,
   network inet6 stream,
+  network netlink raw,
 
-  signal (receive) set=int peer=dockerd,
+  signal receive set=int peer=dockerd,
 
   @{exec_path} mr,
 

apparmor.d/groups/virt/dockerd

@@ -66,6 +66,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   @{bin}/apparmor_parser         rPx,
   @{bin}/containerd              rPx,
   @{bin}/docker-init             rCx -> init,
+  @{lib}/docker/docker-init      rCx -> init,
   @{bin}/docker-proxy            rPx,
   @{bin}/git                     rCx -> git,
   @{bin}/kmod                    rPx,
@@ -129,6 +130,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
     include <abstractions/base>
 
     @{bin}/docker-init mr,
+    @{lib}/docker/docker-init mr,
 
     include if exists <local/dockerd_init>
   }

apparmor.d/profiles-a-f/appstreamcli

@@ -24,6 +24,7 @@ profile appstreamcli @{exec_path} flags=(complain) {
 
   /usr/share/app-info/{,**} r,
   /usr/share/appdata/ r,
+  /usr/share/byobu/desktop/{,**} r,
   /usr/share/gvfs/remote-volume-monitors/{,**} r,
   /usr/share/metainfo/ r,
   /usr/share/metainfo/*.{metainfo,appdata}.xml r,

apparmor.d/profiles-a-f/auditd

@@ -27,6 +27,8 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
 
   /var/log/audit/{,**} rw,
 
+  @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
+
   owner @{run}/auditd.pid rwl,
   owner @{run}/auditd.state rw,
 

apparmor.d/profiles-a-f/exim4

@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/exim4
-profile exim4 @{exec_path} {
+profile exim4 @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/consoles>

apparmor.d/profiles-a-f/freetube

@@ -22,6 +22,7 @@ profile freetube @{exec_path} flags=(attach_disconnected) {
   include <abstractions/common/electron>
   include <abstractions/consoles>
   include <abstractions/user-download-strict>
+  include <abstractions/video>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-a-f/fwupdmgr

@@ -39,6 +39,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected) {
   owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc}.* rw,
   owner /var/cache/private/fwupdmgr/fwupd/lvfs-metadata.xml.gz{,.asc} rw,
 
+  owner /var/lib/fwupd/.cache/ w,
+
         @{user_cache_dirs}/dconf/user rw,
   owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/fwupd/ rw,

apparmor.d/profiles-g-l/landscape-sysinfo

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/landscape-sysinfo
 profile landscape-sysinfo @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 

apparmor.d/profiles-g-l/landscape-sysinfo.wrapper

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /usr/share/landscape/landscape-sysinfo.wrapper
 profile landscape-sysinfo.wrapper @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   capability dac_override,
   capability fowner,

apparmor.d/profiles-m-r/motd

@@ -10,9 +10,12 @@ include <tunables/global>
 profile motd @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
 
   network inet dgram,
+  network inet stream,
   network inet6 dgram,
+  network inet6 stream,
   network netlink raw,
 
   @{exec_path} mr,
@@ -20,8 +23,11 @@ profile motd @{exec_path} {
   @{sh_path}         rix,
   @{coreutils_path}  rix,
   @{bin}/cloud-id    rix,
+  @{bin}/systemctl   rCx -> systemctl,
   @{bin}/hostname    rPx,
   @{bin}/snap        rPx,
+  @{bin}/dpkg        rPx -> child-dpkg,
+  @{bin}/systemd-detect-virt rPx,
   @{bin}/wget        rix,
 
   @{lib}/ubuntu-release-upgrader/release-upgrade-motd            rPx,
@@ -34,20 +40,35 @@ profile motd @{exec_path} {
   /etc/default/motd-news r,
   /etc/lsb-release r,
   /etc/update-motd.d/* r,
+  /etc/cloud/cloud.cfg r,
+  /etc/cloud/cloud.cfg.d/{,*} r,
 
   /var/cache/motd-news rw,
   /var/lib/update-notifier/updates-available r,
   /var/lib/ubuntu-advantage/messages/motd-esm-announce r,
 
-  /tmp/tmp.@{rand10} w,
+  /tmp/tmp.@{rand10} rw,
 
   @{run}/motd.d/{,*} r,
   @{run}/motd.dynamic.new rw,
+  @{run}/reboot-required r,
 
   @{PROC}/@{pids}/mounts r,
 
   /dev/tty@{int} rw,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    @{run}/systemd/private rw,
+
+    include if exists <local/motd_systemctl>
+  }
+
   include if exists <local/motd>
 }
 

apparmor.d/profiles-m-r/qemu-ga

@@ -22,6 +22,8 @@ profile qemu-ga @{exec_path} {
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/meminfo r,
 
+  @{PROC}/sys/vm/max_map_count r,
+
   /dev/vport@{int}p@{int} rw,
 
   profile systemctl {

apparmor.d/profiles-m-r/remmina

@@ -35,7 +35,7 @@ profile remmina @{exec_path} {
   network inet6 dgram,
   network netlink raw,
 
-  #aa:dbus own bus=session name=org.remmina.Remmina
+  #aa:dbus own bus=session name=org.remmina.Remmina interface+=org.gtk.Actions
   #aa:dbus talk bus=session name=org.ayatana.NotificationItem label=gnome-shell
   #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
 

apparmor.d/profiles-s-z/tlp

@@ -11,22 +11,19 @@ include <tunables/global>
 profile tlp @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
-  include <abstractions/disks-read>
-  include <abstractions/graphics>
   include <abstractions/bus/org.freedesktop.PolicyKit1>
+  include <abstractions/consoles>
+  include <abstractions/devices-usb-read>
+  include <abstractions/disks-read>
   include <abstractions/nameservice-strict>
-  include <abstractions/perl>
 
   capability dac_read_search,
-  capability net_admin,
   capability sys_nice,
   capability sys_rawio,
   capability sys_tty_config,
 
   network netlink raw,
 
-  ptrace read peer=unconfined,
-
   @{exec_path} mr,
 
   @{sh_path}                    rix,
@@ -72,10 +69,16 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/+platform:* r,
 
   @{sys}/bus/pci/devices/ r,
+  @{sys}/class/net/ r,
+  @{sys}/class/power_supply/ r,
   @{sys}/devices/@{pci}/ r,
   @{sys}/devices/@{pci}/{,**/}power/control w,
+  @{sys}/devices/@{pci}/**/host@{int}/**/link_power_management_policy w,
   @{sys}/devices/@{pci}/class r,
+  @{sys}/devices/**/net/**/uevent r,
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
+  @{sys}/devices/virtual/dmi/id/product_version r,
+  @{sys}/devices/virtual/net/**/uevent r,
   @{sys}/firmware/acpi/platform_profile* rw,
   @{sys}/firmware/acpi/pm_profile* rw,
   @{sys}/module/*/parameters/power_save rw,
@@ -100,6 +103,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
     include <abstractions/base>
     include <abstractions/app/udevadm>
 
+    @{run}/tlp/lock_tlp rw,
+
     include if exists <local/tlp_udevadm>
   }