feat(profile): general update.

2024-10-01 17:43:54 +01:00 · 2024-10-01 17:43:54 +01:00 · 8730c09b96
commit 8730c09b96
parent 21e8456383
47 changed files with 146 additions and 118 deletions
--- a/apparmor.d/groups/browsers/firefox-glxtest
+++ b/apparmor.d/groups/browsers/firefox-glxtest
@ -29,6 +29,8 @@ profile firefox-glxtest @{exec_path} flags=(attach_disconnected) {
  owner @{PROC}/@{pid}/cmdline r,
  deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
  include if exists <local/firefox-glxtest>
 }
--- a/apparmor.d/groups/browsers/firefox-vaapitest
+++ b/apparmor.d/groups/browsers/firefox-vaapitest
@ -25,6 +25,7 @@ profile firefox-vaapitest @{exec_path} flags=(attach_disconnected) {
  deny @{config_dirs}/firefox/*/.parentlock rw,
  deny @{config_dirs}/firefox/*/startupCache/** r,
  deny @{user_cache_dirs}/mozilla/firefox/*/startupCache/* r,
  deny @{user_share_dirs}/gnome-shell/session.gvdb rw,
  include if exists <local/firefox-vaapitest>
 }
--- a/apparmor.d/groups/bus/ibus-portal
+++ b/apparmor.d/groups/bus/ibus-portal
@ -28,6 +28,7 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
--- a/apparmor.d/groups/bus/ibus-x11
+++ b/apparmor.d/groups/bus/ibus-x11
@ -33,6 +33,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  owner @{desktop_cache_dirs}/ibus/dbus-@{rand8} rw,
  owner @{desktop_config_dirs}/ibus/bus/ r,
  owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
--- a/apparmor.d/groups/children/child-open-strict
+++ b/apparmor.d/groups/children/child-open-strict
@ -15,8 +15,8 @@ profile child-open-strict {
  include <abstractions/base>
  include <abstractions/app/open>
-  @{browsers_path}              rPx,
+  @{browsers_path}               Px,
-  @{file_explorers_path}        rPx,
+  @{file_explorers_path}         Px,
  include if exists <usr/child-open-strict.d>
  include if exists <local/child-open-strict>
--- a/apparmor.d/groups/children/child-pager
+++ b/apparmor.d/groups/children/child-pager
@ -14,7 +14,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/pager @{bin}/less @{bin}/more 
-profile child-pager {
+profile child-pager flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
--- a/apparmor.d/groups/freedesktop/cpupower
+++ b/apparmor.d/groups/freedesktop/cpupower
@ -40,7 +40,6 @@ profile cpupower @{exec_path} {
  /dev/cpu/@{int}/msr r,
  profile kmod {
    include <abstractions/base>
    include <abstractions/app/kmod>
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome
@ -11,6 +11,7 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/bus-session>
  include <abstractions/bus-system>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.Accounts>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gnome.Shell.Introspect>
--- a/apparmor.d/groups/freedesktop/xorg
+++ b/apparmor.d/groups/freedesktop/xorg
@ -49,7 +49,7 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  @{sh_path}        rix,
  @{bin}/xkbcomp    rPx,
-  @{bin}/pkexec     rPx,
+  @{bin}/pkexec     rCx -> pkexec,
  @{lib}/xorg/ r,
  @{lib}/xorg/modules/ r,
@ -136,6 +136,13 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
  /dev/tty@{int} rw,
  /dev/vga_arbiter rw,  # Graphic card modules
  profile pkexec {
    include <abstractions/base>
    include <abstractions/app/pkexec>
    include if exists <local/xorg_pkexec>
  }
  include if exists <local/xorg>
 }
--- a/apparmor.d/groups/gnome/gdm-generate-config
+++ b/apparmor.d/groups/gnome/gdm-generate-config
@ -23,7 +23,7 @@ profile gdm-generate-config @{exec_path} {
  @{sh_path}         rix,
  @{bin}/dconf       rix,
  @{bin}/install     rix,
-  @{bin}/pgrep       rCx -> pgrep,
+  @{bin}/pgrep       rix,
  @{bin}/pkill       rix,
  @{bin}/setpriv     rix,
  @{bin}/setsid      rix,
@ -46,13 +46,6 @@ profile gdm-generate-config @{exec_path} {
  @{PROC}/@{pid}/stat r,
  @{PROC}/uptime r,
  profile pgrep {
    include <abstractions/base>
    include <abstractions/app/pgrep>
    include if exists <local/gdm-generate-config_pgrep>
  }
  include if exists <local/gdm-generate-config>
 }
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -23,6 +23,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
  include <abstractions/gnome-strict>
  include <abstractions/nameservice-strict>
  include <abstractions/trash-strict>
  include <abstractions/user-read-strict>
  include <abstractions/user-write-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gnome-clocks
+++ b/apparmor.d/groups/gnome/gnome-clocks
@ -13,6 +13,8 @@ profile gnome-clocks @{exec_path} {
  include <abstractions/bus-accessibility>
  include <abstractions/bus-session>
  include <abstractions/bus/org.a11y>
  include <abstractions/bus/org.freedesktop.portal.Desktop>
  include <abstractions/bus/org.gtk.vfs.MountTracker>
  include <abstractions/common/gnome>
  include <abstractions/gstreamer>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -163,6 +163,10 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
       member=Introspect
       peer=(name=org.freedesktop.DBus, label=dbus-session),
  dbus send bus=session path=/org/gnome/*/SearchProvider
      interface=org.gnome.Shell.SearchProvider2
      peer=(name=@{busname}),
  @{exec_path} mr,
  @{bin}/unzip                  rix,
@ -280,7 +284,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
  owner @{run}/user/@{uid}/systemd/notify rw,
-  owner /dev/shm/.org.chromium.Chromium.@{rand6} r,
+  owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
  owner /dev/shm/wayland.mozilla.ipc.@{int} rw,
        /tmp/.X@{int}-lock rw,
@ -343,6 +347,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/cpu.max r,
        @{PROC}/ r,
        @{PROC}/@{pid}/attr/current r,
        @{PROC}/@{pid}/cgroup r,
        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/net/* r,
        @{PROC}/1/cgroup r,
@ -350,8 +356,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
        @{PROC}/sys/kernel/osrelease r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
        @{PROC}/vmstat r,
  owner @{PROC}/@{pid}/attr/current r,
  owner @{PROC}/@{pid}/cgroup r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/fdinfo/@{int} r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/groups/gnome/yelp
+++ b/apparmor.d/groups/gnome/yelp
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/yelp @{bin}/gnome-help
 profile yelp @{exec_path} {
  include <abstractions/base>
  include <abstractions/audio-client>
  include <abstractions/bus-accessibility>
  include <abstractions/bus/org.a11y>
  include <abstractions/common/gnome>
--- a/apparmor.d/groups/pacman/makepkg
+++ b/apparmor.d/groups/pacman/makepkg
@ -11,15 +11,15 @@ profile makepkg @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  signal send set=winch peer=pacman,
  signal send set=winch peer=pacman//systemctl,
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,
  signal send set=winch peer=pacman,
  signal send set=winch peer=pacman//systemctl,
  file,
  @{bin}/gpg{,2}  Cx -> gpg,
@ -74,6 +74,9 @@ profile makepkg @{exec_path} {
    ptrace read,
    signal send set=winch peer=pacman,           
    signal send set=winch peer=pacman//systemctl,
    @{bin}/pacman Px,
    include if exists <local/makepkg_sudo>
--- a/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules
+++ b/apparmor.d/groups/pacman/pacman-hook-gtk4-querymodules
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/libalpm/scripts/gtk4-querymodules
 profile pacman-hook-gtk4-querymodules @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
--- a/apparmor.d/groups/pacman/pacman-key
+++ b/apparmor.d/groups/pacman/pacman-key
@ -68,6 +68,7 @@ profile pacman-key @{exec_path} {
    /dev/pts/@{int} rw,
    /dev/tty@{int} rw,
    include if exists <local/pacman-key_gpg>
  }
  include if exists <local/pacman-key>
--- a/apparmor.d/groups/pacman/reflector
+++ b/apparmor.d/groups/pacman/reflector
@ -29,9 +29,10 @@ profile reflector @{exec_path} flags=(attach_disconnected) {
  /etc/xdg/reflector/reflector.conf r,
  /etc/pacman.d/mirrorlist rw,
  owner @{user_cache_dirs}/mirrorstatus.json rw,
  /var/cache/reflector/mirrorstatus.json rw,
  owner @{user_cache_dirs}/mirrorstatus.json r,
  @{PROC}/1/environ r,
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/osrelease r,
--- a/apparmor.d/groups/ssh/ssh-agent
+++ b/apparmor.d/groups/ssh/ssh-agent
@ -25,8 +25,8 @@ profile ssh-agent @{exec_path} {
  owner @{HOME}/.xsession-errors w,
  owner @{user_projects_dirs}/**/ssh/{,*} r,
-  owner @{tmp}/ssh-*/ rw,
+  owner @{tmp}/ssh-@{rand12}/ rw,
-  owner @{tmp}/ssh-*/agent.* rw,
+  owner @{tmp}/ssh-@{rand12}/agent.@{int} rw,
  owner @{run}/user/@{uid}/keyring/.ssh rw,
  owner @{run}/user/@{uid}/openssh_agent rw,
--- a/apparmor.d/groups/systemd/systemd-sleep
+++ b/apparmor.d/groups/systemd/systemd-sleep
@ -31,7 +31,6 @@ profile systemd-sleep @{exec_path} {
  @{sys}/power/state rw,
  include if exists <local/systemd-sleep>
 }
--- a/apparmor.d/groups/virt/containerd
+++ b/apparmor.d/groups/virt/containerd
@ -47,7 +47,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  @{bin}/apparmor_parser          rPx,
-  @{bin}/containerd-shim-runc-v2 rPUx,
+  @{bin}/containerd-shim-runc-v2  rPx,
  @{bin}/kmod                     rPx,
  @{bin}/unpigz                  rPUx,
  /{usr/,}{local/,}{s,}bin/zfs    rPx,
@ -71,8 +71,7 @@ profile containerd @{exec_path} flags=(attach_disconnected) {
  /var/lib/cni/results/cni-loopback-@{uuid}-lo wl,
  /var/lib/cni/results/cni-loopback-[0-9a-z]*-lo wl,
  /var/lib/cni/results/k8s-pod-network-[0-9a-z]*-eth0 wl,
-  /var/lib/containerd/{,**} rwk,
+  /var/lib/containerd/{,**} rwlk,
  /var/lib/containerd/tmpmounts/containerd-mount@{int}/** l,
  /var/lib/docker/containerd/{,**} rwk,
  /var/lib/kubelet/seccomp/{,**} r,
  /var/lib/security-profiles-operator/{,**} r,
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@ -27,8 +27,8 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  capability sys_ptrace,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,
  network netlink raw,
@ -36,10 +36,13 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  mount                        /var/lib/docker/buildkit/**/,
  mount                        /var/lib/docker/overlay2/**/,
  mount                        /var/lib/docker/tmp/buildkit-mount@{int}/,
-  mount options=(rw, bind) -> /run/docker/netns/*,
+  mount fstype=overlay                              overlay -> /var/lib/docker/rootfs/overlayfs/@{hex64}/,
-  mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder@{int}/,
+  mount options=(rw bind)                                   -> /run/docker/netns/*,
-  mount options=(rw, rprivate) -> /.pivot_root@{int}/,
+  mount options=(rw rbind)                                  -> /var/lib/docker/tmp/docker-builder@{int}/,
-  mount options=(rw, rslave) -> /,
+  mount options=(rw rbind)     /var/lib/docker/volumes/**/- -> /var/lib/docker/rootfs/overlayfs/**/,
  mount options=(rw rprivate)                               -> /.pivot_root@{int}/,
  mount options=(rw rprivate)                               -> /var/lib/docker/rootfs/overlayfs/@{hex64}/var/lib/buildkit/,
  mount options=(rw rslave)                                 -> /,
  remount /tmp/containerd-mount@{int10}/,
  remount /var/lib/docker/tmp/buildkit-mount@{int10}/,
@ -48,18 +51,20 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
  umount /run/docker/netns/*,
  umount /tmp/containerd-mount@{int}/,
  umount /var/lib/docker/buildkit/**/,
  umount /var/lib/docker/rootfs/**/,
  umount /var/lib/docker/overlay*/**/,
  umount /var/lib/docker/tmp/buildkit-mount@{int}/,
  pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root@{int}/               /var/lib/docker/overlay2/**/,
  pivot_root oldroot=/var/lib/docker/rootfs/overlayfs/@{hex64}/.pivot_root@{int}/ /var/lib/docker/rootfs/overlayfs/@{hex64}/,
  pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root@{int}/                    /var/lib/docker/tmp/**/,
-  ptrace (read) peer=docker-*,
+  ptrace read peer=docker-*,
-  ptrace (read) peer=unconfined,
+  ptrace read peer=unconfined,
-  signal (send) set=int peer=docker-proxy,
+  signal send set=int  peer=docker-proxy,
-  signal (send) set=kill peer=docker-*,
+  signal send set=kill peer=docker-*,
-  signal (send) set=term peer=containerd,
+  signal send set=term peer=containerd,
  @{exec_path} mrix,
--- a/apparmor.d/profiles-a-f/aa-enforce
+++ b/apparmor.d/profiles-a-f/aa-enforce
@ -33,7 +33,7 @@ profile aa-enforce @{exec_path} {
  owner @{tmp}/@{rand8} rw,
  owner @{tmp}/apparmor-bugreport-@{rand8}.txt rw,
-  @{PROC}/@{pid}/fd r,
+  @{PROC}/@{pid}/fd/ r,
  include if exists <local/aa-enforce>
 }
--- a/apparmor.d/profiles-a-f/aa-log
+++ b/apparmor.d/profiles-a-f/aa-log
@ -27,6 +27,8 @@ profile aa-log @{exec_path} {
  /{run,var}/log/journal/ r,
  /{run,var}/log/journal/@{hex32}/{,*} r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /dev/tty@{int} rw,
  include if exists <local/aa-log>
--- a/apparmor.d/profiles-a-f/aa-notify
+++ b/apparmor.d/profiles-a-f/aa-notify
@ -18,17 +18,19 @@ profile aa-notify @{exec_path} {
  capability setuid,
  capability sys_ptrace,
-  ptrace (read),
+  ptrace read,
  @{exec_path} mr,
  @{bin}/ r,
  /etc/apparmor/*.conf r,
  /etc/inputrc r,
  /usr/etc/inputrc.keys r,
  /usr/share/terminfo/** r,
  @{etc_ro}/inputrc r,
  @{etc_ro}/inputrc.keys r,
  /etc/apparmor.d/{,**} r,
  /etc/apparmor/*.conf r,
  /var/log/audit/audit.log r,
  owner @{HOME}/.inputrc r,
--- a/apparmor.d/profiles-a-f/chronyd
+++ b/apparmor.d/profiles-a-f/chronyd
@ -36,7 +36,8 @@ profile chronyd @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mr,
  /etc/adjtime r,
-  /etc/chrony.* r,
+  /etc/chrony.conf r,
  /etc/chrony.keys r,
  /etc/chrony.d/{,*} r,
  /etc/chrony/{,**} r,
--- a/apparmor.d/profiles-a-f/discord
+++ b/apparmor.d/profiles-a-f/discord
@ -38,14 +38,17 @@ profile discord @{exec_path} {
  @{open_path}         rPx -> child-open-strict,
  /etc/lsb-release r,
  owner @{user_videos_dirs}/{,**} rwl,
  owner @{user_pictures_dirs}/{,**} rwl,
-  owner @{tmp}/net-export/ rw,
+  owner @{config_dirs}/@{version}/modules/** m,
  owner @{tmp}/discord.sock rw,
  owner "@{tmp}/Discord Crashes/" rw,
-  audit owner @{config_dirs}/*/modules/** rm,
+  owner "@{tmp}/Discord Crashes/" rw,
  owner @{tmp}/.org.chromium.Chromium.@{rand6}/** rw,
  owner @{tmp}/discord.sock rw,
  owner @{tmp}/net-export/ rw,
  owner @{run}/user/@{uid}/discord-ipc-@{int} rw,
--- a/apparmor.d/profiles-a-f/element-desktop
+++ b/apparmor.d/profiles-a-f/element-desktop
@ -32,7 +32,9 @@ profile element-desktop @{exec_path} {
  @{sh_path} r,
  @{open_path}         rPx -> child-open-strict,
-  @{bin}/xdg-settings  rPx,
+
  #aa:stack X xdg-settings
  @{bin}/xdg-settings  rPx -> element-desktop//&xdg-settings,
  /usr/share/webapps/element/{,**} r,
--- a/apparmor.d/profiles-a-f/file-roller
+++ b/apparmor.d/profiles-a-f/file-roller
@ -38,6 +38,8 @@ profile file-roller @{exec_path} {
  @{bin}/zstd          rix,
  @{lib}/p7zip/7z      rix,
  / r,
  @{run}/mount/utab r,
  owner @{PROC}/@{pid}/mountinfo r,
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@ -95,7 +95,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
  /dev/tty rw,
  /dev/tty@{int} rw,
-  deny @{user_share_dirs}/gvfs-metadata/* r,
+  deny owner @{user_share_dirs}/gvfs-metadata/* r,
  profile gpg {
    include <abstractions/base>
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
@ -39,6 +39,8 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
  /var/lib/flatpak/app/*/**/@{bin}/**  rPx -> flatpak-app,
  /var/lib/flatpak/app/*/**/@{lib}/**  rPx -> flatpak-app,
  owner @{user_config_dirs}/mimeapps.list w,
  owner @{run}/user/@{uid}/.flatpak-helper/{,**} rw,
  owner @{run}/user/@{uid}/.flatpak-helper/pkcs11-flatpak-@{int} rw,
--- a/apparmor.d/profiles-a-f/foliate
+++ b/apparmor.d/profiles-a-f/foliate
@ -24,11 +24,14 @@ profile foliate @{exec_path} flags=(attach_disconnected) {
  network inet6 stream,
  network netlink raw,
  #aa:dbus own bus=session name=com.github.johnfactotum.Foliate
  @{exec_path} mr,
  @{bin}/bwrap           rix,
  @{bin}/gjs-console     rix,
  @{bin}/xdg-dbus-proxy  rix,
  @{bin}/speech-dispatcher rPx,
  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess  rix,
  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitWebProcess      rix,
--- a/apparmor.d/profiles-g-l/gajim
+++ b/apparmor.d/profiles-g-l/gajim
@ -100,15 +100,16 @@ profile gajim @{exec_path} {
    @{bin}/{,@{multiarch}-}ld.bfd     rix,
    @{lib}/gcc/@{multiarch}/@{int}/collect2 rix,
-    owner @{tmp}/cc* rw,
+    /etc/debian_version r,
    owner @{tmp}/tmp* rw,
    /media/ccache/*/** rw,
    owner @{tmp}/cc* rw,
    owner @{tmp}/tmp* rw,
    owner @{run}/user/@{uid}/ccache-tmp/ rw,
-    /etc/debian_version r,
+    include if exists <local/gajim_ccache>
  }
  profile gpg {
@ -121,8 +122,8 @@ profile gajim @{exec_path} {
    @{bin}/gpg-agent         rix,
    @{lib}/{,gnupg/}scdaemon rix,
-    owner @{run}/user/@{uid}/gnupg/d.*/ rw,
+    owner @{run}/user/@{uid}/gnupg/d.@{rand}/ rw,
-    owner @{run}/user/@{uid}/gnupg/d.*/S.gpg-agent{,.extra,.browser,.ssh} w,
+    owner @{run}/user/@{uid}/gnupg/d.@{rand}/S.gpg-agent{,.extra,.browser,.ssh} w,
    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
@ -134,6 +135,7 @@ profile gajim @{exec_path} {
    @{PROC}/@{pid}/fd/ r,
    @{PROC}/@{pid}/task/@{tid}/comm rw,
    include if exists <local/gajim_gpg>
  }
  include if exists <local/gajim>
--- a/apparmor.d/profiles-g-l/gio-querymodules
+++ b/apparmor.d/profiles-g-l/gio-querymodules
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/gio-querymodules
 profile gio-querymodules @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  capability dac_read_search,
  capability mknod,
--- a/apparmor.d/profiles-g-l/keepassxc
+++ b/apparmor.d/profiles-g-l/keepassxc
@ -18,7 +18,6 @@ profile keepassxc @{exec_path} {
  include <abstractions/fontconfig-cache-read>
  include <abstractions/graphics>
  include <abstractions/nameservice-strict>
  include <abstractions/qt5>
  include <abstractions/qt5-compose-cache-write>
  include <abstractions/qt5-settings-write>
  include <abstractions/ssl_certs>
@ -93,7 +92,7 @@ profile keepassxc @{exec_path} {
        /dev/shm/#@{int} rw,
        /dev/tty rw,
-        /dev/urandom rw,
+        /dev/urandom w,
  owner /dev/tty@{int} rw,
  # Silencer
--- a/apparmor.d/profiles-m-r/ntfs-3g
+++ b/apparmor.d/profiles-m-r/ntfs-3g
@ -22,15 +22,6 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) {
  capability setuid,
  capability sys_admin,
  @{exec_path} mr,
  @{bin}/kmod rPx,  # To load the fuse kernel module
  # Mount points
  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/*/ r,
  # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},
  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
@ -47,12 +38,22 @@ profile ntfs-3g @{exec_path} flags=(attach_disconnected) {
  umount @{MOUNTS}/,
  umount @{MOUNTS}/*/,
  @{exec_path} mr,
  @{bin}/kmod rPx,  # To load the fuse kernel module
  # Mount points
  @{MOUNTDIRS}/ r,
  @{MOUNTS}/ r,
  @{MOUNTS}/*/ r,
        @{PROC}/@{pids}/mountinfo r,
        @{PROC}/@{pids}/task/@{tid}/status r,
        @{PROC}/swaps r,
  owner @{PROC}/@{pid}/mounts r,
  /dev/fuse rw,
  /dev/tty@{int} rw,
  include if exists <local/ntfs-3g>
 }
--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -60,7 +60,7 @@ profile pass @{exec_path} {
  /usr/share/terminfo/** r,
  owner @{user_password_store_dirs}/{,**} rw,
-  owner /dev/shm/pass.*/{,*} rw,
+  owner /dev/shm/pass.@{rand}/{,*} rw,
  @{sys}/devices/system/node/ r,
@ -90,7 +90,7 @@ profile pass @{exec_path} {
    owner @{user_password_store_dirs}/{,**/} r,
-    owner /dev/shm/pass.*/{,*} rw,
+    owner /dev/shm/pass.@{rand}/{,*} rw,
    deny owner @{HOME}/ r,
@ -124,7 +124,7 @@ profile pass @{exec_path} {
    owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
    owner @{tmp}/.git_vtag_tmp@{rand6} rw,  # For git log --show-signature
-    owner /dev/shm/pass.*/.git_vtag_tmp@{rand6} rw,
+    owner /dev/shm/pass.@{rand}/.git_vtag_tmp@{rand6} rw,
    include if exists <local/pass_git>
  }
@ -144,7 +144,7 @@ profile pass @{exec_path} {
    owner @{user_password_store_dirs}/   rw,
    owner @{user_password_store_dirs}/** rwkl -> @{HOME}/.password-store/**,
-    owner /dev/shm/pass.*/{,*} rw,
+    owner /dev/shm/pass.@{rand}/* rw,
    owner @{tmp}/.git_vtag_tmp@{rand6} rw,  # For git log --show-signature
    owner /dev/pts/@{int} rw,
--- a/apparmor.d/profiles-m-r/passwd
+++ b/apparmor.d/profiles-m-r/passwd
@ -21,7 +21,7 @@ profile passwd @{exec_path} {
  capability net_admin,
  capability setuid,
-  signal (receive) set=(term, kill) peer=gnome-control-center,
+  signal receive set=(term kill) peer=gnome-control-center,
  network netlink raw,
--- a/apparmor.d/profiles-m-r/protonmail
+++ b/apparmor.d/profiles-m-r/protonmail
@ -1,4 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # Copyright (C) 2024 curiosityseeker
 # SPDX-License-Identifier: GPL-2.0-only
@ -28,7 +29,7 @@ profile protonmail @{exec_path} flags=(complain) {
  @{exec_path} mrix,
  @{bin}/xdg-settings Px,
-  @{open_path}        rpx -> child-open,
+  @{open_path}        Px -> child-open,
  owner @{user_config_dirs}/ibus/bus/ r,
--- a/apparmor.d/profiles-m-r/rpi-imager
+++ b/apparmor.d/profiles-m-r/rpi-imager
@ -8,24 +8,17 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = @{bin}/rpi-imager
-profile rpi-imager @{exec_path} {
+profile rpi-imager @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/dconf-write>
  include <abstractions/desktop>
  include <abstractions/disks-write>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-read>
-  include <abstractions/fonts>
+  include <abstractions/graphics>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/qt5>
  include <abstractions/qt5-shader-cache>
  include <abstractions/ssl_certs>
  include <abstractions/user-download-strict>
  include <abstractions/vulkan>
  #capability sys_admin,
  # deny capability sys_nice,
@ -42,18 +35,15 @@ profile rpi-imager @{exec_path} {
  @{bin}/lsblk rPx,
  /etc/fstab r,
  /etc/X11/cursors/*.theme r,
  /usr/share/hwdata/pnp.ids r,
  /usr/share/X11/xkb/{,**} r,
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,
  owner "@{user_cache_dirs}/Raspberry Pi/" rw,
  owner "@{user_cache_dirs}/Raspberry Pi/**" rwl -> "@{user_cache_dirs}/Raspberry Pi/**",
-  owner "@{user_config_dirs}/Raspberry Pi/{,**}" rw,
+
-  owner @{user_cache_dirs}/ rw,
+  owner "@{user_config_dirs}/Raspberry Pi/" rw,
-  owner @{user_config_dirs}/QtProject.conf r,
+  owner "@{user_config_dirs}/Raspberry Pi/**" rwlk -> "@{user_config_dirs}/Raspberry Pi/**",
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
+++ b/apparmor.d/profiles-s-z/signal-desktop-chrome-sandbox
@ -30,5 +30,4 @@ profile signal-desktop-chrome-sandbox @{exec_path} {
  include if exists <local/signal-desktop-chrome-sandbox>
 }
 # vim:syntax=apparmor
--- a/apparmor.d/profiles-s-z/snapd
+++ b/apparmor.d/profiles-s-z/snapd
@ -28,6 +28,7 @@ profile snapd @{exec_path} {
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability mac_admin,
  capability net_admin,
  capability setgid,
  capability setuid,
@ -153,6 +154,7 @@ profile snapd @{exec_path} {
  @{sys}/fs/cgroup/user.slice/ r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
  @{sys}/kernel/kexec_loaded r,
  @{sys}/kernel/security/apparmor/.notify r,
  @{sys}/kernel/security/apparmor/features/{,**} r,
  @{sys}/kernel/security/apparmor/profiles r,
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -247,6 +247,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    include <abstractions/base>
    include <abstractions/audio-client>
    include <abstractions/common/bwrap>
    include <abstractions/common/chromium>
    include <abstractions/dconf-write>
    include <abstractions/desktop>
    include <abstractions/fontconfig-cache-write>
@ -254,6 +255,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    include <abstractions/nameservice-strict>
    include <abstractions/video>
    capability dac_override,
    capability dac_read_search,
    capability sys_chroot,
@ -304,12 +306,6 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    owner /var/cache/ldconfig/aux-cache* rw,
    owner /var/pressure-vessel/ldso/* rw,
    owner @{HOME}/.pki/ rw,
    owner @{HOME}/.pki/nssdb/ rw,
    owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
    owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
    owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
    owner @{lib_dirs}/.cef-* wk,
    owner @{share_dirs}/{,**} r,
@ -320,14 +316,12 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
          @{tmp}/ r,
    owner @{tmp}/#@{int} rw,
    owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
    owner @{tmp}/dumps/ rw,
    owner @{tmp}/dumps/** rwk,
    owner @{tmp}/pressure-vessel-*-@{rand6}/ rw,
    owner @{tmp}/pressure-vessel-*-@{rand6}/** rwlk -> @{tmp}/pressure-vessel-*-@{rand6}/**,
    owner @{tmp}/steam_chrome_shmem_uid@{uid}_spid@{int} rw,
    owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
    owner /dev/shm/u@{uid}-Shm_@{hex4}@{h} rw,
    owner /dev/shm/u@{uid}-Shm_@{hex6} rw,
    owner /dev/shm/u@{uid}-Shm_@{hex6}@{h} rw,
@ -389,7 +383,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
    owner @{share_dirs}/ r,
-    @{PROC}/@{pid}/cgroup r,
+    @{PROC}/1/cgroup r,
    include if exists <local/steam_check>
  }
--- a/apparmor.d/profiles-s-z/steam-game-proton
+++ b/apparmor.d/profiles-s-z/steam-game-proton
@ -19,6 +19,7 @@ profile steam-game-proton @{exec_path} flags=(attach_disconnected) {
  include <abstractions/common/steam-game>
  include <abstractions/python>
  capability dac_override,
  capability dac_read_search,
  network inet dgram,
--- a/apparmor.d/profiles-s-z/steam-runtime
+++ b/apparmor.d/profiles-s-z/steam-runtime
@ -41,9 +41,7 @@ profile steam-runtime @{exec_path} flags=(attach_disconnected) {
  @{app_dirs}/@{runtime}/*entry-point rmix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{bin}/pressure-vessel-* rix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/** mr,
-  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-capsule-capture-libs rix,
+  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-* rix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-detect-* rix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/@{multiarch}-inspect-library rix,
  @{app_dirs}/@{runtime}/pressure-vessel/@{lib}/steam-runtime-tools-@{int}/srt-bwrap rpx -> steam-game-proton,
  @{app_dirs}/@{runtime}/run rix,
  @{bin}/bwrap rpx -> steam-game-proton,
--- a/apparmor.d/profiles-s-z/steam-runtime-steam-remote
+++ b/apparmor.d/profiles-s-z/steam-runtime-steam-remote
@ -18,7 +18,7 @@ profile steam-runtime-steam-remote @{exec_path} flags=(complain) {
  @{exec_path} mr,
-  @{runtime_dirs}/** rm,
+  @{runtime_dirs}/** mr,
  owner @{HOME}/.steam/steam.pipe rw,