From 7dd860f2770ea0f7668e891ac7c59e2dc4808cee Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Mon, 16 Jun 2025 23:15:07 +0200 Subject: [PATCH] feat(profile): minor update & cosmetic. --- apparmor.d/abstractions/app/firefox | 4 +++- apparmor.d/abstractions/common/game | 4 ++-- apparmor.d/groups/apparmor/aa-log | 2 -- apparmor.d/groups/apparmor/aa-status | 4 ++-- apparmor.d/groups/bluetooth/bluetoothd | 3 ++- apparmor.d/groups/bluetooth/obexd | 2 ++ apparmor.d/groups/gnome/evolution-calendar-factory | 4 ++-- apparmor.d/groups/gnome/gnome-initial-setup | 2 +- apparmor.d/groups/gnome/gsd-color | 2 +- .../groups/gnome/org.gnome.NautilusPreviewer | 1 + apparmor.d/groups/grub/grub-mkconfig | 2 +- apparmor.d/groups/kde/ksmserver-logout-greeter | 1 - apparmor.d/groups/ssh/sshd | 8 +++++--- .../systemd-generators/systemd-generator-ssh | 4 ++++ .../systemd-generators/systemd-generator-tpm2 | 1 + apparmor.d/groups/systemd/systemd-localed | 1 + apparmor.d/groups/utils/lspci | 4 ---- apparmor.d/profiles-a-f/fwupd | 1 + apparmor.d/profiles-g-l/haveged | 7 +++---- apparmor.d/profiles-g-l/linuxqq | 2 +- apparmor.d/profiles-m-r/mandb | 8 ++++---- apparmor.d/profiles-m-r/mimetype | 1 - apparmor.d/profiles-m-r/needrestart-notify | 2 +- apparmor.d/profiles-m-r/pam-auth-update | 3 ++- apparmor.d/profiles-m-r/pcscd | 14 +++++++------- 25 files changed, 47 insertions(+), 40 deletions(-) diff --git a/apparmor.d/abstractions/app/firefox b/apparmor.d/abstractions/app/firefox index 1ea0c3b86..d988f608c 100644 --- a/apparmor.d/abstractions/app/firefox +++ b/apparmor.d/abstractions/app/firefox @@ -26,7 +26,7 @@ include include include - include + include include include include 
@@ -126,6 +126,8 @@
  @{sys}/devices/**/uevent r,
  @{sys}/devices/power/events/energy-* r,
  @{sys}/devices/power/type r,
+ @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_sku r,
  @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
diff --git a/apparmor.d/abstractions/common/game b/apparmor.d/abstractions/common/game
index 3b4a982f1..6b97b014c 100644
--- a/apparmor.d/abstractions/common/game
+++ b/apparmor.d/abstractions/common/game
@@ -6,9 +6,9 @@
 # wine, proton, game launchers should use this abstraction.
 # This abstraction uses the following tunables:
-# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories
+# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories
 # (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
-# - @{user_games_dirs} for user specific game directories (eg: steam storage dir)
+# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir)
 abi ,
diff --git a/apparmor.d/groups/apparmor/aa-log b/apparmor.d/groups/apparmor/aa-log
index 03352e8bf..1a3e0aeff 100644
--- a/apparmor.d/groups/apparmor/aa-log
+++ b/apparmor.d/groups/apparmor/aa-log
@@ -21,8 +21,6 @@ profile aa-log @{exec_path} {
  /var/log/audit/* r,
  /var/log/syslog* r,
- @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
  /dev/tty@{int} rw,
  profile journalctl {
diff --git a/apparmor.d/groups/apparmor/aa-status b/apparmor.d/groups/apparmor/aa-status
index 17de74439..9badb78c1 100644
--- a/apparmor.d/groups/apparmor/aa-status
+++ b/apparmor.d/groups/apparmor/aa-status
@@ -22,8 +22,8 @@ profile aa-status @{exec_path} {
  @{sys}/module/apparmor/parameters/enabled r,
  @{PROC}/ r,
- @{PROC}/@{pids}/attr/apparmor/current r,
- @{PROC}/@{pids}/attr/current r,
+ @{PROC}/@{pid}/attr/apparmor/current r,
+ @{PROC}/@{pid}/attr/current r,
  owner @{PROC}/@{pid}/mounts r,
  /dev/tty@{int} rw,
diff --git a/apparmor.d/groups/bluetooth/bluetoothd b/apparmor.d/groups/bluetooth/bluetoothd
index 8ca699aaf..aa84eebd9 100644
--- a/apparmor.d/groups/bluetooth/bluetoothd
+++ b/apparmor.d/groups/bluetooth/bluetoothd
@@ -45,7 +45,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
  @{run}/sdp rw,
  owner @{run}/systemd/notify w,
- @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
+
+ @{run}/udev/data/+hid:* r, # for HID-Compliant Keyboard
  @{sys}/devices/@{pci}/rfkill@{int}/name r,
  @{sys}/devices/@{pci}/**/{uevent,name} r,
diff --git a/apparmor.d/groups/bluetooth/obexd b/apparmor.d/groups/bluetooth/obexd
index 5c1a7633e..efb5f42e4 100644
--- a/apparmor.d/groups/bluetooth/obexd
+++ b/apparmor.d/groups/bluetooth/obexd
@@ -31,6 +31,8 @@ profile obexd @{exec_path} {
  owner @{HOME}/bluetooth/* rw,
+ @{run}/systemd/users/@{uid} r,
+
  include if exists
 }
diff --git a/apparmor.d/groups/gnome/evolution-calendar-factory b/apparmor.d/groups/gnome/evolution-calendar-factory
index 25f8ecc7f..fba734ad4 100644
--- a/apparmor.d/groups/gnome/evolution-calendar-factory
+++ b/apparmor.d/groups/gnome/evolution-calendar-factory
@@ -71,8 +71,8 @@ profile evolution-calendar-factory @{exec_path} {
  owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
  owner @{user_share_dirs}/evolution/calendar/{,**} rwk,
- owner @{user_share_dirs}/evolution/tasks/system/ w,
- owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw,
+ owner @{user_share_dirs}/evolution/memos/system/{,**} rw,
+ owner @{user_share_dirs}/evolution/tasks/system/{,**} rw,
  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
  @{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/groups/gnome/gnome-initial-setup b/apparmor.d/groups/gnome/gnome-initial-setup
index 4063fc473..40b8bc9b5 100644
--- a/apparmor.d/groups/gnome/gnome-initial-setup
+++ b/apparmor.d/groups/gnome/gnome-initial-setup
@@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} {
  @{bin}/dpkg rPx -> child-dpkg,
  @{bin}/locale rix,
  @{bin}/lscpu rPx,
- @{bin}/lspci rPx,
+ @{bin}/lspci rPx,
  @{bin}/xrandr rPx,
  @{lib}/gnome-initial-setup-goa-helper rix,
diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color
index 56445aeac..1b12a68cd 100644
--- a/apparmor.d/groups/gnome/gsd-color
+++ b/apparmor.d/groups/gnome/gsd-color
@@ -45,7 +45,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
  owner @{GDM_HOME}/greeter-dconf-defaults r,
  owner @{gdm_config_dirs}/dconf/user r,
  owner @{gdm_share_dirs}/icc/ rw,
- owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw,
+ owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
  owner @{user_share_dirs}/icc/ rw,
  owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
diff --git a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
index db440bf4c..f084e7b12 100644
--- a/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
+++ b/apparmor.d/groups/gnome/org.gnome.NautilusPreviewer
@@ -39,6 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c@{dynamic}:@{int} r, # For dynamic assignment range 234 to 254, 384 to 511
+ @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
diff --git a/apparmor.d/groups/grub/grub-mkconfig b/apparmor.d/groups/grub/grub-mkconfig
index de8643100..87c3d4104 100644
--- a/apparmor.d/groups/grub/grub-mkconfig
+++ b/apparmor.d/groups/grub/grub-mkconfig
@@ -7,7 +7,7 @@ abi ,
 include
-@{exec_path} = @{sbin}/grub-mkconfig
+@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig
 profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
  include
  include
diff --git a/apparmor.d/groups/kde/ksmserver-logout-greeter b/apparmor.d/groups/kde/ksmserver-logout-greeter
index 01fe51783..67e56c3c6 100644
--- a/apparmor.d/groups/kde/ksmserver-logout-greeter
+++ b/apparmor.d/groups/kde/ksmserver-logout-greeter
@@ -53,7 +53,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
  @{PROC}/sys/dev/i915/perf_stream_paranoid r,
  owner @{PROC}/@{pid}/exe r,
- owner @{PROC}/@{pid}/status r,
  include if exists
 }
diff --git a/apparmor.d/groups/ssh/sshd b/apparmor.d/groups/ssh/sshd
index cc12a9eec..a514e7c99 100644
--- a/apparmor.d/groups/ssh/sshd
+++ b/apparmor.d/groups/ssh/sshd
@@ -29,8 +29,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  capability audit_write,
  capability chown,
- capability dac_read_search,
  capability dac_override,
+ capability dac_read_search,
  capability fowner,
  capability kill,
  capability net_bind_service,
@@ -50,9 +50,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
  network inet6 dgram,
  network netlink raw,
- signal (receive) set=(hup) peer=@{p_systemd},
+ unix type=stream peer=(label=sshd-session),
- ptrace (read,trace) peer=@{p_systemd},
+ signal receive set=hup peer=@{p_systemd},
+
+ ptrace (read trace) peer=@{p_systemd},
  dbus send bus=system path=/org/freedesktop/login1 interface=org.freedesktop.login1.Manager
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-ssh b/apparmor.d/groups/systemd-generators/systemd-generator-ssh
index efb56468e..0f6aa11d9 100644
--- a/apparmor.d/groups/systemd-generators/systemd-generator-ssh
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-ssh
@@ -30,8 +30,12 @@ profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/system/ r,
  @{run}/systemd/transient/ r,
+ @{sys}/devices/virtual/dmi/id/bios_vendor r,
+ @{sys}/devices/virtual/dmi/id/board_vendor r,
  @{sys}/devices/virtual/dmi/id/product_name r,
+ @{sys}/devices/virtual/dmi/id/product_version r,
  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+ @{sys}/firmware/dmi/entries/*/raw r,
  @{PROC}/@{pid}/cgroup r,
  @{PROC}/1/cgroup r,
diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2 b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2
index 4d601d0f9..ee5d924cc 100644
--- a/apparmor.d/groups/systemd-generators/systemd-generator-tpm2
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-tpm2
@@ -15,6 +15,7 @@ profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{sys}/class/tpmrm/ r,
+ @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r,
  @{PROC}/@{pid}/cgroup r,
  @{PROC}/1/cgroup r,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 75d382c40..104a141ce 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -21,6 +21,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /usr/share/kbd/keymaps/{,**} r,
+ /usr/share/xkeyboard-config-2/{,**} r,
  /usr/share/systemd/*-map r,
  /usr/share/X11/xkb/{,**} r,
  /usr/share/xkeyboard-config-2/{,**} r,
diff --git a/apparmor.d/groups/utils/lspci b/apparmor.d/groups/utils/lspci
index b390346bb..0ae22a03a 100644
--- a/apparmor.d/groups/utils/lspci
+++ b/apparmor.d/groups/utils/lspci
@@ -13,12 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
  include
  include
- capability sys_admin,
-
  @{exec_path} mr,
- /app/lib/libzypak-preload-host*.so rm,
-
  /usr/share/hwdata/pci.ids r,
  /usr/share/misc/pci.ids r,
  /usr/share/misc/pci.ids.gz r,
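Review bot: The added `/usr/share/xkeyboard-config-2/{,**} r,` in the systemd-localed hunk duplicates the identical rule that is still present as a context line three lines below, so the profile now carries the same rule twice. This reads like a re-sort into alphabetical order where the old line was left in place; one of the two should go, and removing the lower, pre-existing one keeps the sorted order the new line establishes. The enclosing profile starts before and ends after the hunk.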
diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd
index 5fb948234..961b55c97 100644
--- a/apparmor.d/profiles-a-f/fwupd
+++ b/apparmor.d/profiles-a-f/fwupd
@@ -52,6 +52,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
  /usr/share/hwdata/* r,
  /usr/share/libdrm/*.ids r,
  /usr/share/mime/mime.cache r,
+ /usr/share/misc/*.ids r,
  /etc/fwupd/{,**} rw,
  /etc/lsb-release r,
diff --git a/apparmor.d/profiles-g-l/haveged b/apparmor.d/profiles-g-l/haveged
index 5773a73fb..527629202 100644
--- a/apparmor.d/profiles-g-l/haveged
+++ b/apparmor.d/profiles-g-l/haveged
@@ -20,10 +20,9 @@ profile haveged @{exec_path} {
  @{sys}/devices/system/cpu/cpu@{int}/cache/ r,
  @{sys}/devices/system/cpu/cpu@{int}/cache/index*/{type,size,level} r,
- @{PROC}/sys/kernel/osrelease r,
- @{PROC}/sys/kernel/random/poolsize r,
- @{PROC}/sys/kernel/random/write_wakeup_threshold w,
- owner @{PROC}/@{pid}/status r,
+ @{PROC}/sys/kernel/osrelease r,
+ @{PROC}/sys/kernel/random/poolsize r,
+ @{PROC}/sys/kernel/random/write_wakeup_threshold w,
  /dev/random w,
diff --git a/apparmor.d/profiles-g-l/linuxqq b/apparmor.d/profiles-g-l/linuxqq
index 3f3134400..dd653bd61 100644
--- a/apparmor.d/profiles-g-l/linuxqq
+++ b/apparmor.d/profiles-g-l/linuxqq
@@ -29,7 +29,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mrix,
  @{sh_path} r,
- @{bin}/grep rix,
+ @{bin}/{,e}grep rix,
  @{lib_dirs}/chrome_crashpad_handler ix,
  @{lib_dirs}/resources/app/{,**} m,
  @{open_path} rPx -> child-open-strict,
diff --git a/apparmor.d/profiles-m-r/mandb b/apparmor.d/profiles-m-r/mandb
index 4826337d0..cd825471d 100644
--- a/apparmor.d/profiles-m-r/mandb
+++ b/apparmor.d/profiles-m-r/mandb
@@ -8,7 +8,7 @@ abi ,
 include
 @{exec_path} = @{bin}/mandb
-profile mandb @{exec_path} flags=(complain) {
+profile mandb @{exec_path} {
  include
  include
  include
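Review bot: Dropping `flags=(complain)` on the `profile mandb @{exec_path} {` line switches the profile to enforce mode in the same commit that narrows the cache rules to `owner /var/cache/man/ rw,` and `owner /var/cache/man/** rwk,` (the third mandb hunk, further down this page). With the `owner` qualifier those writes are only permitted when the cache entries belong to the uid mandb runs as; that uid is not visible here and presumably differs between distributions (a package trigger running as root versus a dedicated service user), so a denial on the index rebuild is the likely failure mode if the assumption is wrong. A short comment on the owner rules naming the uid they assume, e.g. `# cache is owner-checked: TODO confirm which user runs mandb on non-Debian systems`, would make the expectation explicit. The profile body runs past the hunks shown.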
@@ -20,9 +20,6 @@ profile mandb @{exec_path} flags=(complain) {
  /etc/man_db.conf r,
  /etc/manpath.config r,
- /var/cache/man/ r,
- /var/cache/man/** rwk,
-
  /usr/share/man/{,**} r,
  /usr/local/man/{,**} r,
  /usr/local/share/man/{,**} r,
@@ -32,6 +29,9 @@ profile mandb @{exec_path} flags=(complain) {
  /usr/share/**/man/man@{u8}/*.@{int}.gz r,
+ owner /var/cache/man/ rw,
+ owner /var/cache/man/** rwk,
+ owner @{user_share_dirs}/man/** rwk,
  include if exists
diff --git a/apparmor.d/profiles-m-r/mimetype b/apparmor.d/profiles-m-r/mimetype
index d6823da9b..cf8431c7a 100644
--- a/apparmor.d/profiles-m-r/mimetype
+++ b/apparmor.d/profiles-m-r/mimetype
@@ -13,7 +13,6 @@ profile mimetype @{exec_path} {
  include
  @{exec_path} r,
- /usr/bin/perl r,
  /usr/share/mime/**.xml r,
  /usr/share/mime/globs r,
diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify
index 41fa96c4c..9b3525fa5 100644
--- a/apparmor.d/profiles-m-r/needrestart-notify
+++ b/apparmor.d/profiles-m-r/needrestart-notify
@@ -13,7 +13,7 @@ profile needrestart-notify @{exec_path} {
  capability dac_read_search,
  capability sys_ptrace,
- ptrace read peer=unconfined,
+ ptrace read,
  @{exec_path} mr,
diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update
index 90cc6a4ba..947fb2f4e 100644
--- a/apparmor.d/profiles-m-r/pam-auth-update
+++ b/apparmor.d/profiles-m-r/pam-auth-update
@@ -14,8 +14,9 @@ profile pam-auth-update @{exec_path} flags=(complain) {
  @{exec_path} mrix,
- @{bin}/md5sum ix,
  @{bin}/cp ix,
+ @{bin}/md5sum ix,
+ @{bin}/stty ix,
  /usr/share/pam{,-configs}/{,*} r,
diff --git a/apparmor.d/profiles-m-r/pcscd b/apparmor.d/profiles-m-r/pcscd
index 67e0ee74e..d5bcc4293 100644
--- a/apparmor.d/profiles-m-r/pcscd
+++ b/apparmor.d/profiles-m-r/pcscd
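Review bot: Replacing `ptrace read peer=unconfined,` with `ptrace read,` in the needrestart-notify hunk removes the peer restriction entirely, so the profile may now pass the kernel's ptrace-read checks against tasks under any label instead of only unconfined ones, and it sits next to `capability sys_ptrace,` on the context line above. That is a wider grant than the "minor update & cosmetic" subject suggests, and nothing on the page says which confined peers the tool needs to inspect. If reading every process is genuinely required, a comment stating that, e.g. `ptrace read, # needrestart inspects all running processes to find stale binaries — TODO confirm`, documents the intent; otherwise an explicit peer list as the pcscd hunk below keeps would be the tighter form. The enclosing profile starts before and ends after the hunk.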
@@ -16,13 +16,13 @@ profile pcscd @{exec_path} {
  network netlink raw,
- ptrace (read) peer=@{p_systemd_user},
- ptrace (read) peer=gsd-smartcard,
- ptrace (read) peer=keepassxc,
- ptrace (read) peer=pkcs11-register,
- ptrace (read) peer=rngd,
- ptrace (read) peer=scdaemon,
- ptrace (read) peer=veracrypt,
+ ptrace read peer=@{p_systemd_user},
+ ptrace read peer=gsd-smartcard,
+ ptrace read peer=keepassxc,
+ ptrace read peer=pkcs11-register,
+ ptrace read peer=rngd,
+ ptrace read peer=scdaemon,
+ ptrace read peer=veracrypt,
  @{exec_path} mr,