From 81d020173d4f0336a95cc6562c161336685abb51 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Thu, 28 Aug 2025 21:09:09 +0200 Subject: [PATCH] feat(profile): general update. --- apparmor.d/groups/bus/dbus-accessibility | 6 +++--- apparmor.d/groups/children/child-open-strict | 2 ++ apparmor.d/groups/gnome/gnome-software | 7 ++++++- apparmor.d/groups/gnome/loupe | 2 ++ apparmor.d/groups/gnome/nautilus | 1 + apparmor.d/groups/gnome/papers | 4 +++- apparmor.d/groups/gpg/gpg | 3 ++- apparmor.d/groups/pacman/paccache | 3 +++ apparmor.d/groups/pacman/pacman-hook-code | 1 + .../systemd-generator-user-autostart | 3 +-- apparmor.d/groups/systemd/systemd-sleep | 2 ++ apparmor.d/groups/systemd/systemd-udevd | 1 + apparmor.d/groups/ubuntu/software-properties-gtk | 2 +- apparmor.d/groups/usb/lsusb | 1 + apparmor.d/groups/utils/dmesg | 1 + apparmor.d/groups/utils/lsblk | 1 + apparmor.d/groups/virt/cockpit-bridge | 5 +++++ apparmor.d/groups/virt/cockpit-session | 4 +++- apparmor.d/groups/virt/libvirt-dbus | 5 +++++ apparmor.d/groups/virt/libvirtd | 7 +++++++ apparmor.d/profiles-a-f/borg | 1 + apparmor.d/profiles-a-f/btop | 2 +- apparmor.d/profiles-a-f/console-setup | 2 +- apparmor.d/profiles-a-f/deltachat-desktop | 6 +++--- apparmor.d/profiles-g-l/gitstatusd | 4 ++-- apparmor.d/profiles-g-l/homebank | 2 +- apparmor.d/profiles-g-l/landscape-sysinfo | 2 +- apparmor.d/profiles-g-l/libreoffice | 2 ++ apparmor.d/profiles-g-l/linux-check-removal | 2 ++ apparmor.d/profiles-g-l/lsb-release | 14 ++++++++++---- apparmor.d/profiles-m-r/initramfs-hooks | 1 + apparmor.d/profiles-m-r/mdadm | 2 +- apparmor.d/profiles-m-r/protonmail-bridge-core | 1 + apparmor.d/profiles-s-z/spotify | 4 ++++ apparmor.d/profiles-s-z/syncthing | 5 +---- apparmor.d/profiles-s-z/tomb | 4 +++- apparmor.d/profiles-s-z/udev-fido_id | 1 + apparmor.d/profiles-s-z/virt-manager | 1 - apparmor.d/profiles-s-z/wemeet | 2 +- apparmor.d/profiles-s-z/which | 1 + 40 files changed, 89 insertions(+), 31 deletions(-) 
diff --git a/apparmor.d/groups/bus/dbus-accessibility b/apparmor.d/groups/bus/dbus-accessibility index f876d1210..a8c13b3fd 100644 --- a/apparmor.d/groups/bus/dbus-accessibility +++ b/apparmor.d/groups/bus/dbus-accessibility @@ -9,12 +9,13 @@ include @{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { include - include include include include include + include include + include include network inet dgram, @@ -39,7 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { dbus receive bus=session interface=org.freedesktop.DBus.Introspectable member=Introspect - peer=(name=:*, label=gnome-shell), + peer=(name=@{busname}, label=gnome-shell), @{exec_path} mrix, @@ -53,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) { /usr/share/dconf/profile/gdm r, /usr/share/defaults/at-spi2/{,**} r, /usr/share/gdm/greeter-dconf-defaults r, - /usr/share/glib-2.0/schemas/gschemas.compiled r, /etc/machine-id r, /var/lib/dbus/machine-id r, diff --git a/apparmor.d/groups/children/child-open-strict b/apparmor.d/groups/children/child-open-strict index 7faf52185..4296f03af 100644 --- a/apparmor.d/groups/children/child-open-strict +++ b/apparmor.d/groups/children/child-open-strict @@ -18,6 +18,8 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) { @{browsers_path} Px, @{file_explorers_path} Px, + @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix, + include if exists include if exists } diff --git a/apparmor.d/groups/gnome/gnome-software b/apparmor.d/groups/gnome/gnome-software index 71141595b..f3845daef 100644 --- a/apparmor.d/groups/gnome/gnome-software +++ b/apparmor.d/groups/gnome/gnome-software 
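Review bot: In the child-open-strict hunk, `@{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix,` runs the launcher inline, so the command taken from whatever .desktop file it is handed executes under child-open-strict itself and is mediated by this profile's exec rules (only the `@{browsers_path} Px` and `@{file_explorers_path} Px` rules are visible in the hunk). That is the right choice for a strict opener, but nothing says so, and a later edit turning the line into `PUx` or `Ux` would silently let any Exec= line leave confinement. A one-line comment would pin the intent, e.g. `# ix on purpose: programs started from .desktop files stay limited to the Px rules above`. The rest of the profile is outside the hunk, so I cannot confirm there are no other x rules.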
@@ -33,7 +33,12 @@ profile gnome-software @{exec_path} { #aa:dbus own bus=session name=org.freedesktop.PackageKit #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application - #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}" + #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}" + + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.PolicyKit1.Authority + member=Changed + peer=(name=@{busname}, label=polkitd), @{exec_path} mr, diff --git a/apparmor.d/groups/gnome/loupe b/apparmor.d/groups/gnome/loupe index 398b2b679..cabcca062 100644 --- a/apparmor.d/groups/gnome/loupe +++ b/apparmor.d/groups/gnome/loupe @@ -27,6 +27,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) { signal send set=kill peer=loupe//bwrap, + #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" dbus send bus=system path=/org/freedesktop/hostname1 diff --git a/apparmor.d/groups/gnome/nautilus b/apparmor.d/groups/gnome/nautilus index 5ad6bb7b5..d8e7c3341 100644 --- a/apparmor.d/groups/gnome/nautilus +++ b/apparmor.d/groups/gnome/nautilus @@ -35,6 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) { #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2 #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*" + #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell diff --git a/apparmor.d/groups/gnome/papers b/apparmor.d/groups/gnome/papers index 9a22e3de8..0318c7265 100644 
--- a/apparmor.d/groups/gnome/papers +++ b/apparmor.d/groups/gnome/papers @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/papers -profile papers @{exec_path} { +profile papers @{exec_path} flags=(attach_disconnected) { include include include @@ -16,6 +16,8 @@ profile papers @{exec_path} { include include + #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application + #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}" @{exec_path} mr, diff --git a/apparmor.d/groups/gpg/gpg b/apparmor.d/groups/gpg/gpg index b65823520..40c23b660 100644 --- a/apparmor.d/groups/gpg/gpg +++ b/apparmor.d/groups/gpg/gpg @@ -29,7 +29,7 @@ profile gpg @{exec_path} { @{lib}/{,gnupg/}scdaemon rPx, /usr/share/terminfo/** r, - /usr/share/keyrings/** rw, #aa:only apt + /usr/share/keyrings/** rw, #aa:only apt /usr/share/pacman/keyrings/** r, #aa:only pacman /etc/inputrc r, @@ -39,6 +39,7 @@ profile gpg @{exec_path} { /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**, #aa:only apt + /etc/apt/trusted.gpg.d/{,*} r, owner /etc/apt/keyrings/ rw, owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**, diff --git a/apparmor.d/groups/pacman/paccache b/apparmor.d/groups/pacman/paccache index 8331951e7..d68c0b832 100644 --- a/apparmor.d/groups/pacman/paccache +++ b/apparmor.d/groups/pacman/paccache @@ -41,6 +41,9 @@ profile paccache @{exec_path} flags=(attach_disconnected) { /var/cache/pacman/pkg/{,*} rw, /var/lib/pacman/{,**} r, + @{HOME}/@{XDG_GPG_DIR}/gpg.conf r, + @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code index ee23781f4..3e916efe3 100644 --- a/apparmor.d/groups/pacman/pacman-hook-code +++ b/apparmor.d/groups/pacman/pacman-hook-code 
@@ -19,6 +19,7 @@ profile pacman-hook-code @{exec_path} { @{python_path} rix, @{lib}/code/product.json rw, + @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w, /usr/share/code-{features,marketplace}{,-insiders}/{,*} r, /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw, diff --git a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart index 8e3ebb6b3..ff4c74664 100644 --- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart +++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart @@ -10,14 +10,13 @@ include profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) { include include + include include capability net_admin, @{exec_path} mr, - @{system_share_dirs}/applications/*.desktop r, - @{etc_ro}/xdg/autostart/{,*.desktop} r, owner @{user_config_dirs}/autostart/{,*.desktop} r, diff --git a/apparmor.d/groups/systemd/systemd-sleep b/apparmor.d/groups/systemd/systemd-sleep index d7c61e336..a55bf752d 100644 --- a/apparmor.d/groups/systemd/systemd-sleep +++ b/apparmor.d/groups/systemd/systemd-sleep @@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) { @{exec_path} mr, + @{sh_path} mr, + @{lib}/systemd/system-sleep/grub2.sleep rPx, @{lib}/systemd/system-sleep/hdparm rPx, @{lib}/systemd/system-sleep/nvidia rPx, diff --git a/apparmor.d/groups/systemd/systemd-udevd b/apparmor.d/groups/systemd/systemd-udevd index 62bada2a8..640e48f3f 100644 --- a/apparmor.d/groups/systemd/systemd-udevd +++ b/apparmor.d/groups/systemd/systemd-udevd @@ -98,6 +98,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) { @{run}/systemd/network/ r, @{run}/systemd/network/*.link rw, @{run}/systemd/notify rw, + @{run}/systemd/private rw, @{run}/systemd/seats/seat@{int} r, @{att}/@{run}/systemd/notify w, 
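Review bot: In the systemd-udevd hunk, `@{run}/systemd/private rw,` opens PID 1's private control socket, the one `systemctl` falls back to, so it is considerably more than the `@{run}/systemd/notify rw,` two lines above which only carries readiness/status messages. If the motivating denial was an sd_notify-style message, the existing notify rule should already cover it and `private` may not be needed at all; that is inferred, not visible here. If udevd genuinely has to issue manager requests, a short comment naming the operation, e.g. `@{run}/systemd/private rw, # manager control socket, needed for <operation>`, would keep the next reviewer from dropping or widening it blindly.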
diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 440ef4117..af91c7eaa 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -64,7 +64,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) { /dev/shm/ r, owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6}, - owner /dev/shm/sem.mp-@{rand8} rw, + owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6}, owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, diff --git a/apparmor.d/groups/usb/lsusb b/apparmor.d/groups/usb/lsusb index b5a24940d..a10659292 100644 --- a/apparmor.d/groups/usb/lsusb +++ b/apparmor.d/groups/usb/lsusb @@ -14,6 +14,7 @@ profile lsusb @{exec_path} { include capability net_admin, + capability sys_admin, network netlink raw, diff --git a/apparmor.d/groups/utils/dmesg b/apparmor.d/groups/utils/dmesg index 14ace0dea..2976d1316 100644 --- a/apparmor.d/groups/utils/dmesg +++ b/apparmor.d/groups/utils/dmesg @@ -13,6 +13,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) { include capability dac_read_search, + capability sys_admin, capability syslog, @{exec_path} mr, diff --git a/apparmor.d/groups/utils/lsblk b/apparmor.d/groups/utils/lsblk index 7559e4e48..6fc1d5bb2 100644 --- a/apparmor.d/groups/utils/lsblk +++ b/apparmor.d/groups/utils/lsblk @@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) { # File Inherit deny network inet stream, deny network inet6 stream, + deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw, include if exists } diff --git a/apparmor.d/groups/virt/cockpit-bridge b/apparmor.d/groups/virt/cockpit-bridge index bf3d48204..d8c71803d 100644 --- a/apparmor.d/groups/virt/cockpit-bridge +++ b/apparmor.d/groups/virt/cockpit-bridge @@ -11,7 +11,10 @@ profile cockpit-bridge @{exec_path} { include include include + include + include include + include include include 
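Review bot: `capability sys_admin,` added to lsusb, and likewise to dmesg in the next hunk, is the broadest capability AppArmor can grant and neither tool's visible purpose calls for it: dmesg already has `capability syslog,` for the kernel log buffer, and lsusb needs `net_admin` plus `network netlink raw` for its device enumeration. A sys_admin denial logged against a small utility may originate from the shell or wrapper that ran it rather than from the tool itself, so it is worth checking the audit record's `operation=` before granting. If it is genuine, a trailing comment naming that operation, e.g. `capability sys_admin, # <operation from the audit log>`, would stop the rule from being copied into other profiles as boilerplate.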
@@ -37,6 +40,8 @@ profile cockpit-bridge @{exec_path} { #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/** label=packagekitd + #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd} + #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus @{exec_path} mr, diff --git a/apparmor.d/groups/virt/cockpit-session b/apparmor.d/groups/virt/cockpit-session index 3fbefadb7..ba51fc8a5 100644 --- a/apparmor.d/groups/virt/cockpit-session +++ b/apparmor.d/groups/virt/cockpit-session @@ -10,6 +10,7 @@ include profile cockpit-session @{exec_path} flags=(attach_disconnected) { include include + include include include @@ -28,7 +29,8 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) { @{shells_path} rix, @{bin}/cockpit-bridge rPx, @{lib}/cockpit/cockpit-pcp rPx, - @{bin}/ssh-agent rPx, + @{bin}/ssh-agent rPx, + @{bin}/ssh-add rix, @{etc_ro}/environment r, @{etc_ro}/security/limits.d/{,*.conf} r, diff --git a/apparmor.d/groups/virt/libvirt-dbus b/apparmor.d/groups/virt/libvirt-dbus index f3bbaf019..971cdf55e 100644 --- a/apparmor.d/groups/virt/libvirt-dbus +++ b/apparmor.d/groups/virt/libvirt-dbus @@ -16,6 +16,11 @@ profile libvirt-dbus @{exec_path} { #aa:dbus own bus=session name=org.libvirt #aa:dbus own bus=system name=org.libvirt + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{sbin}/libvirtd rPx, diff --git a/apparmor.d/groups/virt/libvirtd b/apparmor.d/groups/virt/libvirtd index 44d6962f5..f10da1798 100644 --- a/apparmor.d/groups/virt/libvirtd +++ b/apparmor.d/groups/virt/libvirtd 
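Review bot: In the cockpit-session hunk, `@{bin}/ssh-add rix,` runs ssh-add inside cockpit-session's own profile, while `@{bin}/ssh-agent rPx,` on the line above keeps the agent in a separate one. ssh-add's job is to read the user's private key files and hand them to the agent, so with `ix` those key reads have to be granted to cockpit-session as a whole instead of to a narrower child; an `rPx` or `rCx` child would keep the key-material access scoped, or if `ix` is deliberate a comment such as `# ix: ssh-add only reads keys the session already has access to` would document the trade-off. The enclosing profile extends beyond the hunk, so any existing `.ssh` rules are not visible here.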
@@ -92,6 +92,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { # Allow changing to our UUID-based named profiles change_profile -> libvirt-@{uuid}, + dbus receive bus=session + interface=org.freedesktop.DBus.Introspectable + member=Introspect + peer=(name=@{busname}, label=gnome-shell), + @{exec_path} mr, @{lib}/libvirt/libvirt_iohelper rix, @@ -157,6 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) { @{user_vm_dirs}/{,**} rwk, @{user_publicshare_dirs}/{,**} rwk, + owner @{user_config_dirs}/libvirt/{,**} rwk, + owner @{run}/user/@{uid}/libvirt/ rw, owner @{run}/user/@{uid}/libvirt/** rwk, diff --git a/apparmor.d/profiles-a-f/borg b/apparmor.d/profiles-a-f/borg index 6d2683ade..544be3be0 100644 --- a/apparmor.d/profiles-a-f/borg +++ b/apparmor.d/profiles-a-f/borg @@ -33,6 +33,7 @@ profile borg @{exec_path} { @{bin}/cat rix, @{sbin}/ldconfig rix, @{bin}/uname rix, + @{bin}/ip rix, @{bin}/ccache rCx -> ccache, @{bin}/fusermount{,3} rCx -> fusermount, diff --git a/apparmor.d/profiles-a-f/btop b/apparmor.d/profiles-a-f/btop index 4910629ce..bac8aea75 100644 --- a/apparmor.d/profiles-a-f/btop +++ b/apparmor.d/profiles-a-f/btop @@ -48,7 +48,7 @@ profile btop @{exec_path} { @{sys}/devices/system/node/node@{int}/cpumap r, @{sys}/devices/virtual/block/dm-@{int}/stat r, @{sys}/devices/virtual/net/{,**} r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC} r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-a-f/console-setup b/apparmor.d/profiles-a-f/console-setup index 7a11e407f..aa0a56648 100644 --- a/apparmor.d/profiles-a-f/console-setup +++ b/apparmor.d/profiles-a-f/console-setup @@ -13,7 +13,7 @@ profile console-setup @{exec_path} { @{exec_path} mr, @{sh_path} r, - @{bin}/uname rPx, + @{bin}/uname rix, @{bin}/mkdir rix, @{run}/console-setup/ rw, 
diff --git a/apparmor.d/profiles-a-f/deltachat-desktop b/apparmor.d/profiles-a-f/deltachat-desktop index 87c2bbaba..2e7723995 100644 --- a/apparmor.d/profiles-a-f/deltachat-desktop +++ b/apparmor.d/profiles-a-f/deltachat-desktop @@ -13,16 +13,16 @@ include @{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop profile deltachat-desktop @{exec_path} { include + include include include - include - include include + include include + include include include include - include network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-g-l/gitstatusd b/apparmor.d/profiles-g-l/gitstatusd index 579536674..aabde9cef 100644 --- a/apparmor.d/profiles-g-l/gitstatusd +++ b/apparmor.d/profiles-g-l/gitstatusd @@ -13,12 +13,12 @@ profile gitstatusd @{exec_path} { include signal receive set=term peer=*//shell, - signal receive set=term peer=vscode, + signal receive set=term peer={,vs}code, @{exec_path} mr, owner @{user_projects_dirs}/{,**} r, - owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw, + owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw, owner @{HOME}/.gitconfig r, owner @{user_config_dirs}/git/{,*} r, diff --git a/apparmor.d/profiles-g-l/homebank b/apparmor.d/profiles-g-l/homebank index cb459919f..7fbe74040 100644 --- a/apparmor.d/profiles-g-l/homebank +++ b/apparmor.d/profiles-g-l/homebank @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{bin}/homebank -profile homebank @{exec_path} { +profile homebank @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-g-l/landscape-sysinfo b/apparmor.d/profiles-g-l/landscape-sysinfo index 2370271ec..47cbb22a2 100644 --- a/apparmor.d/profiles-g-l/landscape-sysinfo +++ b/apparmor.d/profiles-g-l/landscape-sysinfo 
@@ -38,7 +38,7 @@ profile landscape-sysinfo @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r, + @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r, @{PROC}/ r, @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/profiles-g-l/libreoffice b/apparmor.d/profiles-g-l/libreoffice index 0a9e6dfc2..dfb9361f3 100644 --- a/apparmor.d/profiles-g-l/libreoffice +++ b/apparmor.d/profiles-g-l/libreoffice @@ -27,6 +27,7 @@ profile libreoffice @{exec_path} { include include include + include include include include @@ -107,6 +108,7 @@ profile libreoffice @{exec_path} { owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw, owner @{run}/user/@{uid}/#@{int} rw, + owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw, @{sys}/devices/system/cpu/cpu@{int}/microcode/version r, @{sys}/devices/virtual/block/**/queue/rotational r, diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal index 04d2f0330..f2895299f 100644 --- a/apparmor.d/profiles-g-l/linux-check-removal +++ b/apparmor.d/profiles-g-l/linux-check-removal @@ -16,6 +16,8 @@ profile linux-check-removal @{exec_path} { @{bin}/stty rix, + /etc/shadow r, + include if exists } diff --git a/apparmor.d/profiles-g-l/lsb-release b/apparmor.d/profiles-g-l/lsb-release index d2d52d362..5214632dc 100644 --- a/apparmor.d/profiles-g-l/lsb-release +++ b/apparmor.d/profiles-g-l/lsb-release @@ -30,10 +30,16 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) { #aa:only apt @{bin}/dpkg-query px, - /etc/ r, - /etc/*-release r, - /etc/lsb-release r, - /etc/lsb-release.d/{,*} r, + @{etc_ro}/ r, + @{etc_ro}/*-release r, + @{etc_ro}/lsb-release r, + @{etc_ro}/lsb-release.d/{,*} r, + + # file_inherit + deny /opt/*/** r, + deny owner @{user_config_dirs}/*/** r, + deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw, + deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw, include if exists } 
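Review bot: In the linux-check-removal hunk, `/etc/shadow r,` grants the profile read access to the system's password hashes, which is hard to justify for a script whose only other rule in view is `@{bin}/stty rix,`. A denial on this path may well be file-inherit noise from the package-manager session that invoked the script rather than a real need; if so, the lsb-release hunk further down shows the project's own pattern for that case, a `# file_inherit` comment followed by `deny /etc/shadow r,`, which silences the log without widening access. If the read is genuinely required, a comment naming the caller or operation that needs it would document why this profile is an exception.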
diff --git a/apparmor.d/profiles-m-r/initramfs-hooks b/apparmor.d/profiles-m-r/initramfs-hooks index cae5c1c3d..136536764 100644 --- a/apparmor.d/profiles-m-r/initramfs-hooks +++ b/apparmor.d/profiles-m-r/initramfs-hooks @@ -68,6 +68,7 @@ profile initramfs-hooks @{exec_path} { owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**, owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw, owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw, + owner /tmp/tmp.@{rand10}/modules_@{rand6} rw, @{sys}/firmware/efi/efivars/ r, diff --git a/apparmor.d/profiles-m-r/mdadm b/apparmor.d/profiles-m-r/mdadm index 15adcb9e6..4cc5fc9fb 100644 --- a/apparmor.d/profiles-m-r/mdadm +++ b/apparmor.d/profiles-m-r/mdadm @@ -7,7 +7,7 @@ abi , include @{exec_path} = @{sbin}/mdadm -profile mdadm @{exec_path} { +profile mdadm @{exec_path} flags=(attach_disconnected) { include include include diff --git a/apparmor.d/profiles-m-r/protonmail-bridge-core b/apparmor.d/profiles-m-r/protonmail-bridge-core index ca9680aea..a9bd819e3 100644 --- a/apparmor.d/profiles-m-r/protonmail-bridge-core +++ b/apparmor.d/profiles-m-r/protonmail-bridge-core @@ -33,6 +33,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) { /etc/lsb-release r, /etc/machine-id r, + /etc/os-release r, owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r, owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r, diff --git a/apparmor.d/profiles-s-z/spotify b/apparmor.d/profiles-s-z/spotify index f245e4312..ed1ccfe1c 100644 --- a/apparmor.d/profiles-s-z/spotify +++ b/apparmor.d/profiles-s-z/spotify @@ -57,6 +57,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open-strict, + /usr/local/lib/spotify-adblock.so mr, + /etc/machine-id r, /etc/spotify-adblock/* r, /var/lib/dbus/machine-id r, 
@@ -70,6 +72,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) { owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm, owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm, + owner @{tmp}/.@{domain}.@{rand6}/{,**} rw, + @{PROC}/@{pid}/net/unix r, @{PROC}/pressure/* r, owner @{PROC}/@{pid}/clear_refs w, diff --git a/apparmor.d/profiles-s-z/syncthing b/apparmor.d/profiles-s-z/syncthing index 83e1b2f45..d504b0c15 100644 --- a/apparmor.d/profiles-s-z/syncthing +++ b/apparmor.d/profiles-s-z/syncthing @@ -11,6 +11,7 @@ include profile syncthing @{exec_path} { include include + include include include include @@ -26,10 +27,6 @@ profile syncthing @{exec_path} { @{open_path} rPx -> child-open, @{bin}/ip rix, - /usr/share/mime/{,**} r, - - /etc/mime.types r, - @{HOME}/ r, @{HOME}/** rwk, diff --git a/apparmor.d/profiles-s-z/tomb b/apparmor.d/profiles-s-z/tomb index 9b0912bd9..df4258b8c 100644 --- a/apparmor.d/profiles-s-z/tomb +++ b/apparmor.d/profiles-s-z/tomb @@ -21,6 +21,7 @@ profile tomb @{exec_path} { capability sys_rawio, signal send set=cont peer=gpg, + signal send set=cont peer=pinentry-*, ptrace read peer=@{p_systemd_user}, @@ -43,11 +44,11 @@ profile tomb @{exec_path} { @{bin}/findmnt rix, @{bin}/getent rix, @{bin}/gettext rix, + @{bin}/head rix, @{bin}/hostname rix, @{bin}/id rix, @{bin}/kill rix, @{bin}/locate rix, - @{sbin}/losetup rix, @{bin}/ls rix, @{bin}/lsof rix, @{bin}/mkdir rix, @@ -64,6 +65,7 @@ profile tomb @{exec_path} { @{bin}/touch rix, @{bin}/tr rix, @{bin}/zsh rix, + @{sbin}/losetup rix, @{sbin}/btrfs rPx, @{sbin}/cryptsetup rPUx, diff --git a/apparmor.d/profiles-s-z/udev-fido_id b/apparmor.d/profiles-s-z/udev-fido_id index 76ec27b68..9c686b19d 100644 --- a/apparmor.d/profiles-s-z/udev-fido_id +++ b/apparmor.d/profiles-s-z/udev-fido_id 
@@ -16,6 +16,7 @@ profile udev-fido_id @{exec_path} { /etc/udev/udev.conf r, @{sys}/devices/@{pci}/report_descriptor r, + @{sys}/devices/platform/**/report_descriptor r, @{sys}/devices/virtual/**/report_descriptor r, include if exists diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index aed85abe3..8a1b5f355 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -51,7 +51,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { @{open_path} rPx -> child-open, - /usr/share/gtksourceview-4/{,**} r, /usr/share/ladspa/rdf/{,ladspa.rdfs} r, /usr/share/misc/*.ids r, /usr/share/osinfo/{,**} r, diff --git a/apparmor.d/profiles-s-z/wemeet b/apparmor.d/profiles-s-z/wemeet index 3606533d7..0b83e44c8 100644 --- a/apparmor.d/profiles-s-z/wemeet +++ b/apparmor.d/profiles-s-z/wemeet @@ -13,10 +13,10 @@ include @{exec_path} += /opt/wemeet/bin/QtWebEngineProcess profile wemeet @{exec_path} flags=(attach_disconnected) { include - include include include include + include include include include diff --git a/apparmor.d/profiles-s-z/which b/apparmor.d/profiles-s-z/which index df049741f..c4de427ff 100644 --- a/apparmor.d/profiles-s-z/which +++ b/apparmor.d/profiles-s-z/which @@ -33,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) { owner /dev/tty@{int} rw, + deny @{user_share_dirs}/gnome-shell/session.gvdb rw, deny @{user_share_dirs}/gvfs-metadata/* r, include if exists