feat(profiles): general update.

apparmor.d/groups/apt/unattended-upgrade

@@ -82,18 +82,20 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /etc/apt/apt.conf.d/{,**} r,
   /etc/debian_version r,
   /etc/default/grub.d/* r,
-  /etc/dpkg/origins/{debian,ubuntu,} r,
+  /etc/dpkg/origins/{,debian,ubuntu} r,
+  /etc/fwupd/{,**} r,
   /etc/grub.d/* r,
   /etc/issue{.net,} r,
   /etc/kernel/*.d/*grub* r,
   /etc/legal r,
   /etc/lsb-release r,
-  /etc/profile.d/* r,
-  /etc/update-manager/{,**} r,
-  /etc/update-motd.d/{91-release-upgrade,92-unattended-upgrades} r,
-  /etc/update-motd.d/* r,
-
   /etc/machine-id r,
+  /etc/pki/fwupd-metadata/{,**} r,
+  /etc/pki/fwupd/{,**} r,
+  /etc/profile.d/* r,
+  /etc/security/capability.conf r,
+  /etc/update-manager/{,**} r,
+  /etc/update-motd.d/* r,
 
   /var/log/unattended-upgrades/{,**} rw,
 

apparmor.d/groups/browsers/firefox

@@ -164,22 +164,24 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   # As a temporary solution - see issue #128
   @{bin}/keepassxc-proxy     rix,
 
+  /usr/share/@{firefox_name}/{,**} r,
   /usr/share/doc/{,**} r,
   /usr/share/egl/{,**} r,
-  /usr/share/@{firefox_name}/{,**} r,
+  /usr/share/icu/@{int}.@{int}/*.dat r,
   /usr/share/libdrm/*.ids r,
   /usr/share/mozilla/extensions/{,**} r,
   /usr/share/webext/{,**} r,
   /usr/share/xul-ext/kwallet5/* r,
 
   /etc/@{firefox_name}/{,**} r,
-  /etc/fstab r,
   /etc/cups/client.conf r,
+  /etc/fstab r,
   /etc/igfx_user_feature{,_next}.txt w,
   /etc/libva.conf r,
   /etc/mailcap r,
   /etc/mime.types r,
   /etc/opensc.conf r,
+  /etc/xdg/* r,
   /etc/xul-ext/kwallet5.js r,
 
   /var/lib/nscd/services r,
@@ -193,6 +195,9 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   owner @{user_config_dirs}/gtk-{3,4}.0/assets/*.svg r,
   owner @{user_config_dirs}/ibus/bus/ r,
   owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+  owner @{user_config_dirs}/kdedefaults/kdeglobals r,
+  owner @{user_config_dirs}/kdeglobals r,
+  owner @{user_config_dirs}/kioslaverc r,
   owner @{user_config_dirs}/mimeapps.list{,.@{rand6}} rw,
 
   owner @{user_share_dirs}/ r,

apparmor.d/groups/browsers/firefox-vaapitest

@@ -18,13 +18,16 @@ profile firefox-vaapitest @{exec_path} {
   include <abstractions/nvidia>
   include <abstractions/vulkan>
 
+  network netlink raw,
+
   @{exec_path} mr,
 
   /etc/igfx_user_feature{,_next}.txt w,
   /etc/libva.conf r,
 
-  owner @{firefox_config_dirs}/firefox/*/.parentlock rw,
-  owner @{firefox_config_dirs}/firefox/*/startupCache/*Cache* r,
+  deny owner @{firefox_config_dirs}/firefox/*/.parentlock rw,
+  deny owner @{firefox_config_dirs}/firefox/*/startupCache/** r,
+  deny owner @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
 
   owner /tmp/firefox/.parentlock rw,
 

apparmor.d/groups/freedesktop/plymouth-set-default-theme

@@ -9,13 +9,14 @@ include <tunables/global>
 @{exec_path} = @{bin}/plymouth-set-default-theme
 profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
+  @{bin}/{,ba,da}sh  rix,
   @{bin}/{m,g,}awk   rix,
   @{bin}/grep        rix,
   @{bin}/plymouth    rPx,
-  @{bin}/{,ba,da}sh  rix,
 
   /etc/plymouth/{,*} r,
 

apparmor.d/groups/freedesktop/polkit-kde-authentication-agent

@@ -50,9 +50,13 @@ profile polkit-kde-authentication-agent @{exec_path} {
 
   owner /tmp/#@{int} rw,
   owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
+  owner /tmp/xauth_@{rand6} r,
 
   @{run}/systemd/users/@{uid} r,
 
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/@{pid}/cmdline r,
   @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/freedesktop/xorg

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2017-2021 Mikhail Morfikov
-# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,

apparmor.d/groups/freedesktop/xrdb

@@ -12,6 +12,8 @@ profile xrdb @{exec_path} {
   include <abstractions/base>
   include <abstractions/X-strict>
 
+  capability dac_read_search,
+
   @{exec_path} mr,
 
   @{bin}/{,*-}cpp-[0-9]*               rix,

apparmor.d/groups/freedesktop/xsetroot

@@ -19,10 +19,14 @@ profile xsetroot @{exec_path} {
 
   /etc/X11/cursors/*.theme r,
 
+  owner @{HOME}/.icons/** r,
   owner @{HOME}/.Xauthority r,
   owner @{HOME}/.xsession-errors w,
+
   owner @{user_share_dirs}/sddm/xorg-session.log w,
 
+  owner /tmp/xauth_@{rand6} r,
+
   @{run}/sddm/\{@{uuid}\} r,
   @{run}/user/@{uid}/xauth_@{rand6} rl,
   @{run}/sddm/xauth_@{rand6} r,

apparmor.d/groups/freedesktop/xwayland

@@ -15,13 +15,13 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/opencl>
   include <abstractions/vulkan>
+  include <abstractions/X-strict>
 
   signal (receive) set=(term hup) peer=gdm*,
   signal (receive) set=(term hup) peer=gnome-shell,
   signal (receive) set=(term hup) peer=kwin_wayland,
   signal (receive) set=(term hup) peer=login,
 
-  unix (send,receive) type=stream addr="@/tmp/.X11-unix/X[0-9]*",
   unix (send,receive) type=stream addr=none peer=(label=gnome-shell),
 
   @{exec_path} mrix,
@@ -33,7 +33,6 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
   /usr/share/fonts/{,**} r,
   /usr/share/ghostscript/fonts/{,**} r,
   /usr/share/libdrm/*.ids r,
-  /usr/share/X11/xkb/rules/evdev r,
 
   owner /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
 

apparmor.d/groups/gnome/gnome-music

@@ -55,6 +55,7 @@ profile gnome-music @{exec_path} {
 
   owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
 
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/mounts r,
 

apparmor.d/groups/gnome/gnome-shell

@@ -19,6 +19,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/fontconfig-cache-write>
+  include <abstractions/freedesktop.org>
   include <abstractions/gnome>
   include <abstractions/gstreamer>
   include <abstractions/ibus>
@@ -478,6 +479,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /opt/*/**/*.png r,
   /snap/*/@{uid}/**.png r,
   /usr/share/{,zoneinfo-}icu/{,**} r,
+  /usr/share/**.{png,jpg,svg} r,
   /usr/share/app-info/icons/{,**} r,
   /usr/share/backgrounds/{,**} r,
   /usr/share/byobu/desktop/byobu* r,
@@ -498,15 +500,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /usr/share/libinput*/libinput/ r,
   /usr/share/libwacom/{,*.stylus,*.tablet} r,
   /usr/share/pipewire/client.conf r,
-  /usr/share/plymouth/*.png r,
   /usr/share/wallpapers/** r,
   /usr/share/wayland-sessions/{,*.desktop} r,
   /usr/share/xml/iso-codes/iso_[0-9]*-[0-9]*.xml r,
 
-  # freedesktop.org-strict
-  /usr/share/*ubuntu/applications/{,**} r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
   /.flatpak-info r,
   /etc/fstab r,
   /etc/udev/hwdb.bin r,
@@ -547,12 +544,12 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/.mozilla/firefox/firefox-mpris/{,*} r,
   owner @{HOME}/.var/app/**/ r,
-  owner @{HOME}/.var/app/**.{png,jpg} r,
+  owner @{HOME}/.var/app/**.{png,jpg,svg} r,
   owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} rw,
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
 
-  owner @{user_games_dirs}/**/*.{png,jpg} r,
-  owner @{user_music_dirs}/**/*.{png,jpg} r,
+  owner @{user_games_dirs}/**.{png,jpg,svg} r,
+  owner @{user_music_dirs}/**.{png,jpg,svg} r,
 
   owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
   owner @{user_config_dirs}/ibus/ w,
@@ -627,9 +624,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/**/power_supply/{,**} r,
   @{sys}/devices/pci[0-9]*/**/boot_vga r,
   @{sys}/devices/pci[0-9]*/**/drm/ r,
-  @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
+  @{sys}/devices/pci[0-9]*/**/input@{int}/{properties,name} r,
   @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
-  @{sys}/devices/platform/**/input[0-9]*/{properties,name} r,
+  @{sys}/devices/platform/**/input@{int}/{properties,name} r,
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
   @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
 

apparmor.d/groups/gnome/gsd-media-keys

@@ -185,8 +185,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/inhibit/[0-9]*.ref rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
-  owner /dev/tty@{int} rw,
-
   @{run}/udev/data/+sound:card@{int} r,   # For sound
   @{run}/udev/data/c13:@{int} r,          # for /dev/input/*
   @{run}/udev/data/c189:@{int} r,         # For /dev/bus/usb/**
@@ -199,5 +197,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
         @{PROC}/1/cgroup r,
   owner @{PROC}/@{pid}/cgroup r,
 
+  owner /dev/tty@{int} rw,
+
   include if exists <local/gsd-media-keys>
 }

apparmor.d/groups/gnome/gsd-power

@@ -187,7 +187,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
 
   @{run}/udev/data/+backlight:* r,
   @{run}/udev/data/+drm:card* r,
-  @{run}/udev/data/+leds:*backlight* r,
+  @{run}/udev/data/+leds:* r,
 
   @{run}/systemd/inhibit/[0-9]*.ref rw,
 

apparmor.d/groups/gnome/tracker-extract

@@ -121,12 +121,12 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
 
   @{run}/blkid/blkid.tab r,
 
-  @{run}/udev/data/c23[4-9]:[0-9]* r,   # For dynamic assignment range 234 to 254
-  @{run}/udev/data/c24[0-9]:[0-9]* r,
-  @{run}/udev/data/c25[0-4]:[0-9]* r,
-  @{run}/udev/data/c3[0-9]*:[0-9]* r,   # For dynamic assignment range 384 to 511
-  @{run}/udev/data/c4[0-9]*:[0-9]* r,
-  @{run}/udev/data/c5[0-9]*:[0-9]* r,
+  @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
+  @{run}/udev/data/c24[0-9]:@{int} r,
+  @{run}/udev/data/c25[0-4]:@{int} r,
+  @{run}/udev/data/c3[0-9]*:@{int} r,     # For dynamic assignment range 384 to 511
+  @{run}/udev/data/c4[0-9]*:@{int} r,
+  @{run}/udev/data/c5[0-9]*:@{int} r,
 
   @{run}/mount/utab r,
 

apparmor.d/groups/network/nm-dispatcher

@@ -39,7 +39,7 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
   @{bin}/nmcli              rix,
   @{bin}/readlink           rix,
   @{bin}/rm                 rix,
-  @{bin}/run-parts          rPx,
+  @{bin}/run-parts          rCx -> run-parts,
   @{bin}/sed                rix,
   @{bin}/systemctl          rPx -> child-systemctl,
   @{bin}/systemd-cat        rPx,
@@ -66,5 +66,13 @@ profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
 
   /dev/tty rw,
 
+  profile run-parts {
+    include <abstractions/base>
+
+    /{usr/,}bin/run-parts mr,
+
+   include if exists <local/anacron_run_parts>
+  }
+
   include if exists <local/nm-dispatcher>
 }

apparmor.d/groups/network/tailscaled

@@ -54,6 +54,7 @@ profile tailscaled @{exec_path} flags=(attach_disconnected) {
   @{bin}/systemctl  rCx -> systemctl,
 
   /etc/iproute2/rt_tables r,
+  /etc/apt/sources.list.d/tailscale.list r,
 
   @{etc_rw}/resolv.*.conf rw,
   @{etc_rw}/resolv.conf rw,

apparmor.d/groups/pacman/pacman

@@ -49,8 +49,6 @@ profile pacman @{exec_path} {
   @{bin}/gpgconf      rCx -> gpg,
   @{bin}/gpgsm        rCx -> gpg,
   
-  @{bin}/sync                       mrix,
-
   # Pacman hooks & install scripts
   @{bin}/{,ba}sh                     rix,
   @{bin}/appstreamcli                rPx,
@@ -101,16 +99,17 @@ profile pacman @{exec_path} {
   @{bin}/sbctl                       rPx,
   @{bin}/sed                         rix,
   @{bin}/setcap                      rix,
+  @{bin}/sync                        rix,
   @{bin}/sysctl                      rPx,
   @{bin}/systemctl                   rPx -> child-systemctl,
   @{bin}/systemd-*                   rPx,
   @{bin}/touch                       rix,
   @{bin}/tput                        rix,
-  @{bin}/update-ca-trust             rPx,
   @{bin}/uname                       rPx,
+  @{bin}/update-ca-trust             rPx,
   @{bin}/update-desktop-database     rPx,
-  @{bin}/update-mime-database        rPx,
   @{bin}/update-grub                 rPx,
+  @{bin}/update-mime-database        rPx,
   @{bin}/vercmp                      rix,
   @{bin}/xmlcatalog                  rix,
   @{lib}/ghc-*/bin/ghc-pkg           rix,
@@ -189,6 +188,8 @@ profile pacman @{exec_path} {
 
     deny network inet stream,
     deny network inet6 stream,
+
+    include if exists <local/pacman_gpg>
   }
 
   include if exists <usr/pacman.d>

apparmor.d/groups/systemd/systemd-cgtop

@@ -9,6 +9,8 @@ include <tunables/global>
 @{exec_path} = @{bin}/systemd-cgtop
 profile systemd-cgtop @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/systemd-common>
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-journald

@@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} {
   @{run}/udev/data/+usb-serial:* r,
   @{run}/udev/data/+usb:*       r,
   @{run}/udev/data/+virtio:*    r,
+  @{run}/udev/data/b254:@{int} r,         # for /dev/zram*
   @{run}/udev/data/c1:@{int}    r,        # For RAM disk
   @{run}/udev/data/c4:@{int} r,           # For TTY devices
   @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features

apparmor.d/groups/systemd/systemd-logind

@@ -83,22 +83,23 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{run}/udev/static_node-tags/uaccess/ r,
 
   @{run}/udev/data/+backlight:* r,
-  @{run}/udev/data/+drm:card[0-9]-* r, # For screen outputs
-  @{run}/udev/data/+input* r,          # For mouse, keyboard, touchpad
-  @{run}/udev/data/+pci* r,
-  @{run}/udev/data/c10:[0-9]*   r,     # For non-serial mice, misc features
-  @{run}/udev/data/c13:[0-9]* r,       # For /dev/input/*
-  @{run}/udev/data/c14:[0-9]* r,       # Open Sound System (OSS)
-  @{run}/udev/data/c21:[0-9]* r,       # Generic SCSI access
-  @{run}/udev/data/c29:[0-9]* r,       # For /dev/fb[0-9]*
-  @{run}/udev/data/c116:[0-9]* r,      # For ALSA
-  @{run}/udev/data/c226:[0-9]* r,      # For /dev/dri/card*
-  @{run}/udev/data/c23[4-9]:[0-9]* r,  # For dynamic assignment range 234 to 254
-  @{run}/udev/data/c24[0-9]:[0-9]* r,
-  @{run}/udev/data/c25[0-4]:[0-9]* r,
-  @{run}/udev/data/c3[0-9]*:[0-9]* r,  # For dynamic assignment range 384 to 511
-  @{run}/udev/data/c4[0-9]*:[0-9]* r,
-  @{run}/udev/data/c5[0-9]*:[0-9]* r,
+  @{run}/udev/data/+drm:card[0-9]-* r,    # For screen outputs
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/+pci:* r,
+  @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
+  @{run}/udev/data/c13:@{int} r,          # For /dev/input/*
+  @{run}/udev/data/c14:@{int} r,          # Open Sound System (OSS)
+  @{run}/udev/data/c21:@{int} r,          # Generic SCSI access
+  @{run}/udev/data/c29:[0-9]* r,          # For /dev/fb[0-9]*
+  @{run}/udev/data/c81:@{int}  r,         # For video4linux
+  @{run}/udev/data/c116:@{int} r,         # For ALSA
+  @{run}/udev/data/c226:@{int} r,         # For /dev/dri/card*
+  @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
+  @{run}/udev/data/c24[0-9]:@{int} r,
+  @{run}/udev/data/c25[0-4]:@{int} r,
+  @{run}/udev/data/c3[0-9]*:@{int} r,     # For dynamic assignment range 384 to 511
+  @{run}/udev/data/c4[0-9]*:@{int} r,
+  @{run}/udev/data/c5[0-9]*:@{int} r,
 
   @{run}/systemd/inhibit/ rw,
   @{run}/systemd/inhibit/.#* rw,

apparmor.d/groups/systemd/systemd-portabled

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/systemd/systemd-portabled
 profile systemd-portabled @{exec_path} {
   include <abstractions/base>
+  include <abstractions/systemd-common>
 
   capability sys_ptrace,
 

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -49,6 +49,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   @{sys}/kernel/security/ r,
   @{sys}/kernel/security/{,**} rw,
 
+  @{sys}/class/net/ r,
   @{sys}/devices/system/cpu/microcode/reload w,
 
   @{PROC}/@{pid}/net/unix r,

apparmor.d/groups/ubuntu/apt-esm-json-hook

@@ -23,6 +23,8 @@ profile apt-esm-json-hook @{exec_path} {
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
+  @{run}/cloud-init/cloud-id-nocloud r,
+
   owner @{PROC}/@{pid}/fd/ r,
 
   include if exists <local/apt-esm-json-hook>

apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot

@@ -12,7 +12,7 @@ profile update-motd-fsck-at-reboot @{exec_path} {
 
   @{exec_path} mr,
 
-  @{bin}/dumpe2fs  rPx,
+  @{bin}/dumpe2fs      rPx,
   @{bin}/{,ba,da}sh    rix,
   @{bin}/{m,g,}awk     rix,
   @{bin}/cat           rix,

apparmor.d/groups/virt/dockerd

@@ -32,7 +32,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
-  mount fstype=overlayfs overlay -> /var/lib/docker/overlay2/*/merged/,
+  mount fstype=overlayfs -> /var/lib/docker/overlay2/*/merged/,
   mount options=(rw, bind) -> /run/docker/netns/*,
   mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
   mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,