feat(profile): general update.

2025-08-28 21:09:09 +02:00 · 2025-08-28 21:09:09 +02:00 · 81d020173d
commit 81d020173d
parent cf96e7b1d0
40 changed files with 89 additions and 31 deletions
--- a/apparmor.d/groups/bus/dbus-accessibility
+++ b/apparmor.d/groups/bus/dbus-accessibility
@ -9,12 +9,13 @@ include <tunables/global>
@{exec_path} = @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher
 profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.gnome.SessionManager>
+  include <abstractions/consoles>
  include <abstractions/dconf-write>
+  include <abstractions/gsettings>
  include <abstractions/nameservice-strict>

  network inet dgram,
@ -39,7 +40,7 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  dbus receive bus=session
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
-       peer=(name=:*, label=gnome-shell),
+       peer=(name=@{busname}, label=gnome-shell),

  @{exec_path} mrix,

@ -53,7 +54,6 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
  /usr/share/dconf/profile/gdm r,
  /usr/share/defaults/at-spi2/{,**} r,
  /usr/share/gdm/greeter-dconf-defaults r,
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
--- a/apparmor.d/groups/children/child-open-strict
+++ b/apparmor.d/groups/children/child-open-strict
@ -18,6 +18,8 @@ profile child-open-strict flags=(attach_disconnected,mediate_deleted) {
  @{browsers_path}               Px,
  @{file_explorers_path}         Px,

+  @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop mrix,
+
  include if exists <usr/child-open-strict.d>
  include if exists <local/child-open-strict>
 }
--- a/apparmor.d/groups/gnome/gnome-software
+++ b/apparmor.d/groups/gnome/gnome-software
@ -33,7 +33,12 @@ profile gnome-software @{exec_path} {
  #aa:dbus own bus=session name=org.freedesktop.PackageKit
  #aa:dbus own bus=session name=org.gnome.Software interface+=org.freedesktop.Application

-  #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/ label="@{p_packagekitd}"
+  #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/@{int}_@{hex8} label="@{p_packagekitd}"
+
+  dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
+       interface=org.freedesktop.PolicyKit1.Authority
+       member=Changed
+       peer=(name=@{busname}, label=polkitd),

  @{exec_path} mr,

--- a/apparmor.d/groups/gnome/loupe
+++ b/apparmor.d/groups/gnome/loupe
@ -27,6 +27,8 @@ profile loupe @{exec_path} flags=(attach_disconnected) {

  signal send set=kill peer=loupe//bwrap,

+  #aa:dbus own bus=session name=org.gnome.Loupe interface+=org.freedesktop.Application
+
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"

  dbus send bus=system path=/org/freedesktop/hostname1
--- a/apparmor.d/groups/gnome/nautilus
+++ b/apparmor.d/groups/gnome/nautilus
@ -35,6 +35,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
  #aa:dbus own bus=session name=org.gnome.Nautilus.SearchProvider interface+=org.gnome.Shell.SearchProvider2

  #aa:dbus talk bus=session name=org.freedesktop.Application path=/ label="*"
+  #aa:dbus talk bus=session name=org.freedesktop.impl.portal.FileChooser label=xdg-desktop-portal-gnome
  #aa:dbus talk bus=session name=org.gnome.Settings label=gnome-control-center
  #aa:dbus talk bus=session name=org.gtk.MountOperationHandler label=gnome-shell
  #aa:dbus talk bus=session name=org.gtk.Notifications label=gnome-shell
--- a/apparmor.d/groups/gnome/papers
+++ b/apparmor.d/groups/gnome/papers
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/papers
-profile papers @{exec_path} {
+profile papers @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/common/gnome>
@ -16,6 +16,8 @@ profile papers @{exec_path} {
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>

+  #aa:dbus own bus=session name=org.gnome.Papers interface+=org.freedesktop.Application
+
  #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"

  @{exec_path} mr,
--- a/apparmor.d/groups/gpg/gpg
+++ b/apparmor.d/groups/gpg/gpg
@ -39,6 +39,7 @@ profile gpg @{exec_path} {
  /etc/pacman.d/gnupg/** rwkl -> /etc/pacman.d/gnupg/**,

  #aa:only apt
+        /etc/apt/trusted.gpg.d/{,*} r,
  owner /etc/apt/keyrings/ rw,
  owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,

--- a/apparmor.d/groups/pacman/paccache
+++ b/apparmor.d/groups/pacman/paccache
@ -41,6 +41,9 @@ profile paccache @{exec_path} flags=(attach_disconnected) {
  /var/cache/pacman/pkg/{,*} rw,
  /var/lib/pacman/{,**} r,

+  @{HOME}/@{XDG_GPG_DIR}/gpg.conf r,
+  @{HOME}/@{XDG_GPG_DIR}/gpgsm.conf r,
+
  owner @{PROC}/@{pid}/fd/ r,

  /dev/tty rw,
--- a/apparmor.d/groups/pacman/pacman-hook-code
+++ b/apparmor.d/groups/pacman/pacman-hook-code
@ -19,6 +19,7 @@ profile pacman-hook-code @{exec_path} {
  @{python_path} rix,

  @{lib}/code/product.json rw,
+  @{lib}/code/out/vs/code/electron-utility/sharedProcess/sharedProcessMain.js w,

  /usr/share/code-{features,marketplace}{,-insiders}/{,*} r,
  /usr/share/code-{features,marketplace}{,-insiders}/cache.json rw,
--- a/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart
+++ b/apparmor.d/groups/systemd-generators/systemd-generator-user-autostart
@ -10,14 +10,13 @@ include <tunables/global>
 profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/systemd>
+  include <abstractions/desktop-files>
  include <abstractions/nameservice-strict>

  capability net_admin,

  @{exec_path} mr,

-  @{system_share_dirs}/applications/*.desktop r,
-
  @{etc_ro}/xdg/autostart/{,*.desktop} r,

  owner @{user_config_dirs}/autostart/{,*.desktop} r,
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@ -19,6 +19,8 @@ profile systemd-sleep @{exec_path} flags=(attach_disconnected) {

  @{exec_path} mr,

+  @{sh_path} mr,
+
  @{lib}/systemd/system-sleep/grub2.sleep          rPx,
  @{lib}/systemd/system-sleep/hdparm               rPx,
  @{lib}/systemd/system-sleep/nvidia               rPx,
--- a/apparmor.d/groups/systemd/systemd-udevd
+++ b/apparmor.d/groups/systemd/systemd-udevd
@ -98,6 +98,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected) {
  @{run}/systemd/network/ r,
  @{run}/systemd/network/*.link rw,
  @{run}/systemd/notify rw,
+  @{run}/systemd/private rw,
  @{run}/systemd/seats/seat@{int} r,

  @{att}/@{run}/systemd/notify w,
--- a/apparmor.d/groups/ubuntu/software-properties-gtk
+++ b/apparmor.d/groups/ubuntu/software-properties-gtk
@ -64,7 +64,7 @@ profile software-properties-gtk @{exec_path} flags=(attach_disconnected) {

        /dev/shm/ r,
  owner /dev/shm/sem.@{rand6} rwl -> /dev/shm/sem.@{rand6},
-  owner /dev/shm/sem.mp-@{rand8} rw,
+  owner /dev/shm/sem.mp-@{rand8} rwl -> /dev/shm/sem.@{rand6},

  owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,

--- a/apparmor.d/groups/usb/lsusb
+++ b/apparmor.d/groups/usb/lsusb
@ -14,6 +14,7 @@ profile lsusb @{exec_path} {
  include <abstractions/devices-usb-read>

  capability net_admin,
+  capability sys_admin,

  network netlink raw,

--- a/apparmor.d/groups/utils/dmesg
+++ b/apparmor.d/groups/utils/dmesg
@ -13,6 +13,7 @@ profile dmesg @{exec_path} flags=(attach_disconnected) {
  include <abstractions/consoles>

  capability dac_read_search,
+  capability sys_admin,
  capability syslog,

  @{exec_path} mr,
--- a/apparmor.d/groups/utils/lsblk
+++ b/apparmor.d/groups/utils/lsblk
@ -27,6 +27,7 @@ profile lsblk @{exec_path} flags=(attach_disconnected) {
  # File Inherit
  deny network inet stream,
  deny network inet6 stream,
+  deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,

  include if exists <local/lsblk>
 }
--- a/apparmor.d/groups/virt/cockpit-bridge
+++ b/apparmor.d/groups/virt/cockpit-bridge
@ -11,7 +11,10 @@ profile cockpit-bridge @{exec_path} {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/org.freedesktop.timedate1>
  include <abstractions/consoles>
+  include <abstractions/icons>
  include <abstractions/nameservice-strict>
  include <abstractions/python>

@ -37,6 +40,8 @@ profile cockpit-bridge @{exec_path} {

  #aa:dbus talk bus=session name=org.libvirt label=libvirt-dbus
  #aa:dbus talk bus=system name=org.freedesktop.PackageKit path=/**  label=packagekitd
+  #aa:dbus talk bus=system name=org.freedesktop.systemd1 label=@{p_systemd}
+  #aa:dbus talk bus=system name=org.libvirt label=libvirt-dbus

  @{exec_path} mr,

--- a/apparmor.d/groups/virt/cockpit-session
+++ b/apparmor.d/groups/virt/cockpit-session
@ -10,6 +10,7 @@ include <tunables/global>
 profile cockpit-session @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/authentication>
+  include <abstractions/bus-system>
  include <abstractions/nameservice-strict>
  include <abstractions/shells>

@ -29,6 +30,7 @@ profile cockpit-session @{exec_path} flags=(attach_disconnected) {
  @{bin}/cockpit-bridge  rPx,
  @{lib}/cockpit/cockpit-pcp  rPx,
  @{bin}/ssh-agent       rPx,
+  @{bin}/ssh-add         rix,

  @{etc_ro}/environment r,
  @{etc_ro}/security/limits.d/{,*.conf} r,
--- a/apparmor.d/groups/virt/libvirt-dbus
+++ b/apparmor.d/groups/virt/libvirt-dbus
@ -16,6 +16,11 @@ profile libvirt-dbus @{exec_path} {
  #aa:dbus own bus=session name=org.libvirt
  #aa:dbus own bus=system name=org.libvirt

+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
  @{exec_path} mr,

  @{sbin}/libvirtd  rPx,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -92,6 +92,11 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  # Allow changing to our UUID-based named profiles
  change_profile -> libvirt-@{uuid},

+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
  @{exec_path} mr,

  @{lib}/libvirt/libvirt_iohelper                   rix,
@ -157,6 +162,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{user_vm_dirs}/{,**} rwk,
  @{user_publicshare_dirs}/{,**} rwk,

+  owner @{user_config_dirs}/libvirt/{,**} rwk,
+
  owner @{run}/user/@{uid}/libvirt/ rw,
  owner @{run}/user/@{uid}/libvirt/** rwk,

--- a/apparmor.d/profiles-a-f/borg
+++ b/apparmor.d/profiles-a-f/borg
@ -33,6 +33,7 @@ profile borg @{exec_path} {
  @{bin}/cat                    rix,
  @{sbin}/ldconfig              rix,
  @{bin}/uname                  rix,
+  @{bin}/ip                     rix,

  @{bin}/ccache                 rCx -> ccache,
  @{bin}/fusermount{,3}         rCx -> fusermount,
--- a/apparmor.d/profiles-a-f/btop
+++ b/apparmor.d/profiles-a-f/btop
@ -48,7 +48,7 @@ profile btop @{exec_path} {
  @{sys}/devices/system/node/node@{int}/cpumap r,
  @{sys}/devices/virtual/block/dm-@{int}/stat r,
  @{sys}/devices/virtual/net/{,**} r,
-  @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,} r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r,

  @{PROC} r,
  @{PROC}/@{pids}/cmdline r,
--- a/apparmor.d/profiles-a-f/console-setup
+++ b/apparmor.d/profiles-a-f/console-setup
@ -13,7 +13,7 @@ profile console-setup @{exec_path} {
  @{exec_path} mr,

  @{sh_path} r,
-  @{bin}/uname rPx,
+  @{bin}/uname rix,
  @{bin}/mkdir rix,

  @{run}/console-setup/ rw,
--- a/apparmor.d/profiles-a-f/deltachat-desktop
+++ b/apparmor.d/profiles-a-f/deltachat-desktop
@ -13,16 +13,16 @@ include <tunables/global>
@{exec_path} = @{bin}/deltachat-desktop @{lib_dirs}/deltachat-desktop
 profile deltachat-desktop @{exec_path} {
  include <abstractions/base>
+  include <abstractions/common/chromium>
  include <abstractions/consoles>
  include <abstractions/dconf-write>
-  include <abstractions/gtk>
-  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
-  include <abstractions/common/chromium>

  network inet dgram,
  network inet6 dgram,
--- a/apparmor.d/profiles-g-l/gitstatusd
+++ b/apparmor.d/profiles-g-l/gitstatusd
@ -13,12 +13,12 @@ profile gitstatusd @{exec_path} {
  include <abstractions/consoles>

  signal receive set=term peer=*//shell,
-  signal receive set=term peer=vscode,
+  signal receive set=term peer={,vs}code,

  @{exec_path} mr,

  owner @{user_projects_dirs}/{,**} r,
-  owner @{user_projects_dirs}/**/.git/.gitstatus.@{rand6}/{,**} rw,
+  owner @{user_projects_dirs}/**/.git/{,**/}.gitstatus.@{rand6}/{,**} rw,

  owner @{HOME}/.gitconfig r,
  owner @{user_config_dirs}/git/{,*} r,
--- a/apparmor.d/profiles-g-l/homebank
+++ b/apparmor.d/profiles-g-l/homebank
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{bin}/homebank
-profile homebank @{exec_path} {
+profile homebank @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/desktop>
  include <abstractions/dconf-write>
--- a/apparmor.d/profiles-g-l/landscape-sysinfo
+++ b/apparmor.d/profiles-g-l/landscape-sysinfo
@ -38,7 +38,7 @@ profile landscape-sysinfo @{exec_path} {

  @{sys}/class/hwmon/ r,
  @{sys}/class/thermal/ r,
-  @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/{,*} r,

        @{PROC}/ r,
        @{PROC}/@{pids}/cmdline r,
--- a/apparmor.d/profiles-g-l/libreoffice
+++ b/apparmor.d/profiles-g-l/libreoffice
@ -27,6 +27,7 @@ profile libreoffice @{exec_path} {
  include <abstractions/enchant>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
+  include <abstractions/java>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5-settings-write>
  include <abstractions/ssl_certs>
@ -107,6 +108,7 @@ profile libreoffice @{exec_path} {
  owner @{tmp}/OSL_PIPE_@{uid}_SingleOfficeIPC_@{hex} rw,

  owner @{run}/user/@{uid}/#@{int} rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,

        @{sys}/devices/system/cpu/cpu@{int}/microcode/version r,
        @{sys}/devices/virtual/block/**/queue/rotational r,
--- a/apparmor.d/profiles-g-l/linux-check-removal
+++ b/apparmor.d/profiles-g-l/linux-check-removal
@ -16,6 +16,8 @@ profile linux-check-removal @{exec_path} {

  @{bin}/stty       rix,

+  /etc/shadow r,
+
  include if exists <local/linux-check-removal>
 }

--- a/apparmor.d/profiles-g-l/lsb-release
+++ b/apparmor.d/profiles-g-l/lsb-release
@ -30,10 +30,16 @@ profile lsb-release @{exec_path} flags=(attach_disconnected) {
  #aa:only apt
  @{bin}/dpkg-query  px,

-  /etc/ r,
-  /etc/*-release r,
-  /etc/lsb-release r,
-  /etc/lsb-release.d/{,*} r,
+  @{etc_ro}/ r,
+  @{etc_ro}/*-release r,
+  @{etc_ro}/lsb-release r,
+  @{etc_ro}/lsb-release.d/{,*} r,
+
+  # file_inherit
+  deny /opt/*/** r,
+  deny owner @{user_config_dirs}/*/** r,
+  deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
+  deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,

  include if exists <local/lsb-release>
 }
--- a/apparmor.d/profiles-m-r/initramfs-hooks
+++ b/apparmor.d/profiles-m-r/initramfs-hooks
@ -68,6 +68,7 @@ profile initramfs-hooks @{exec_path} {
  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
  owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
  owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+  owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,

  @{sys}/firmware/efi/efivars/ r,

--- a/apparmor.d/profiles-m-r/mdadm
+++ b/apparmor.d/profiles-m-r/mdadm
@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>

@{exec_path} = @{sbin}/mdadm
-profile mdadm @{exec_path} {
+profile mdadm @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/disks-write>
--- a/apparmor.d/profiles-m-r/protonmail-bridge-core
+++ b/apparmor.d/profiles-m-r/protonmail-bridge-core
@ -33,6 +33,7 @@ profile protonmail-bridge-core @{exec_path} flags=(attach_disconnected) {

  /etc/lsb-release r,
  /etc/machine-id r,
+  /etc/os-release r,

  owner @{user_passwordstore_dirs}/docker-credential-helpers/{,**} r,
  owner @{user_passwordstore_dirs}/protonmail-credentials/{,**} r,
--- a/apparmor.d/profiles-s-z/spotify
+++ b/apparmor.d/profiles-s-z/spotify
@ -57,6 +57,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) {

  @{open_path}     rPx -> child-open-strict,

+  /usr/local/lib/spotify-adblock.so mr,
+
  /etc/machine-id r,
  /etc/spotify-adblock/* r,
  /var/lib/dbus/machine-id r,
@ -70,6 +72,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
  owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
  owner @{config_dirs}/*/WidevineCdm/**/libwidevinecdm.so rm,

+  owner @{tmp}/.@{domain}.@{rand6}/{,**} rw,
+
        @{PROC}/@{pid}/net/unix r,
        @{PROC}/pressure/* r,
  owner @{PROC}/@{pid}/clear_refs w,
--- a/apparmor.d/profiles-s-z/syncthing
+++ b/apparmor.d/profiles-s-z/syncthing
@ -11,6 +11,7 @@ include <tunables/global>
 profile syncthing @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/mime>
  include <abstractions/nameservice-strict>
  include <abstractions/sqlite>
  include <abstractions/ssl_certs>
@ -26,10 +27,6 @@ profile syncthing @{exec_path} {
  @{open_path}     rPx -> child-open,
  @{bin}/ip        rix,

-  /usr/share/mime/{,**} r,
-
-  /etc/mime.types r,
-
  @{HOME}/ r,
  @{HOME}/** rwk,

--- a/apparmor.d/profiles-s-z/tomb
+++ b/apparmor.d/profiles-s-z/tomb
@ -21,6 +21,7 @@ profile tomb @{exec_path} {
  capability sys_rawio,

  signal send set=cont peer=gpg,
+  signal send set=cont peer=pinentry-*,

  ptrace read peer=@{p_systemd_user},

@ -43,11 +44,11 @@ profile tomb @{exec_path} {
  @{bin}/findmnt     rix,
  @{bin}/getent      rix,
  @{bin}/gettext     rix,
+  @{bin}/head        rix,
  @{bin}/hostname    rix,
  @{bin}/id          rix,
  @{bin}/kill        rix,
  @{bin}/locate      rix,
-  @{sbin}/losetup    rix,
  @{bin}/ls          rix,
  @{bin}/lsof        rix,
  @{bin}/mkdir       rix,
@ -64,6 +65,7 @@ profile tomb @{exec_path} {
  @{bin}/touch       rix,
  @{bin}/tr          rix,
  @{bin}/zsh         rix,
+  @{sbin}/losetup    rix,

  @{sbin}/btrfs            rPx,
  @{sbin}/cryptsetup       rPUx,
--- a/apparmor.d/profiles-s-z/udev-fido_id
+++ b/apparmor.d/profiles-s-z/udev-fido_id
@ -16,6 +16,7 @@ profile udev-fido_id @{exec_path} {
  /etc/udev/udev.conf r,

  @{sys}/devices/@{pci}/report_descriptor r,
+  @{sys}/devices/platform/**/report_descriptor r,
  @{sys}/devices/virtual/**/report_descriptor r,

  include if exists <local/udev-fido_id>
--- a/apparmor.d/profiles-s-z/virt-manager
+++ b/apparmor.d/profiles-s-z/virt-manager
@ -51,7 +51,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {

  @{open_path}     rPx -> child-open,

-  /usr/share/gtksourceview-4/{,**} r,
  /usr/share/ladspa/rdf/{,ladspa.rdfs} r,
  /usr/share/misc/*.ids r,
  /usr/share/osinfo/{,**} r,
--- a/apparmor.d/profiles-s-z/wemeet
+++ b/apparmor.d/profiles-s-z/wemeet
@ -13,10 +13,10 @@ include <tunables/global>
@{exec_path} += /opt/wemeet/bin/QtWebEngineProcess
 profile wemeet @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
-  include <abstractions/consoles>
  include <abstractions/audio-client>
  include <abstractions/common/bwrap>
  include <abstractions/common/chromium>
+  include <abstractions/consoles>
  include <abstractions/desktop>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
--- a/apparmor.d/profiles-s-z/which
+++ b/apparmor.d/profiles-s-z/which
@ -33,6 +33,7 @@ profile which @{exec_path} flags=(attach_disconnected) {

  owner /dev/tty@{int} rw,

+  deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
  deny @{user_share_dirs}/gvfs-metadata/* r,

  include if exists <local/which>