From 3c41453591501202f71eb7cd7db0c6bc23f9aa8a Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Sat, 27 May 2023 23:54:53 +0100 Subject: [PATCH 01/14] feat: better wayland client integration. --- apparmor.d/abstractions/chromium | 3 +-- apparmor.d/groups/bus/ibus-extension-gtk3 | 4 ++-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome | 3 +-- apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk | 3 +-- apparmor.d/groups/gnome/gjs-console | 3 +-- apparmor.d/groups/gnome/gnome-calculator-search-provider | 2 +- apparmor.d/groups/gnome/gnome-characters-backgroudservice | 5 ++--- .../groups/gnome/gnome-control-center-print-renderer | 4 ++-- .../groups/gnome/gnome-control-center-search-provider | 2 +- apparmor.d/groups/gnome/gnome-session-binary | 6 +++--- apparmor.d/groups/gnome/gnome-shell | 2 +- apparmor.d/groups/gnome/gnome-terminal-server | 3 +-- apparmor.d/groups/gnome/gsd-color | 3 +-- apparmor.d/groups/gnome/gsd-keyboard | 3 +-- apparmor.d/groups/gnome/gsd-media-keys | 3 +-- apparmor.d/groups/gnome/gsd-power | 3 +-- apparmor.d/groups/gnome/gsd-wacom | 7 +++---- apparmor.d/groups/gnome/gsd-xsettings | 3 +-- apparmor.d/groups/ubuntu/apport-gtk | 2 +- apparmor.d/groups/ubuntu/check-new-release-gtk | 3 +-- apparmor.d/groups/ubuntu/livepatch-notification | 2 +- apparmor.d/groups/ubuntu/software-properties-gtk | 1 + apparmor.d/groups/ubuntu/ubuntu-advantage-notification | 3 +-- apparmor.d/groups/ubuntu/update-manager | 3 +-- apparmor.d/groups/ubuntu/update-notifier | 2 +- apparmor.d/profiles-a-f/blueman | 2 +- apparmor.d/profiles-a-f/file-roller | 3 +-- apparmor.d/profiles-s-z/system-config-printer | 2 +- apparmor.d/profiles-s-z/virt-manager | 2 +- 29 files changed, 36 insertions(+), 51 deletions(-) diff --git a/apparmor.d/abstractions/chromium b/apparmor.d/abstractions/chromium index cb258cc97..fb06fabe8 100644 --- a/apparmor.d/abstractions/chromium +++ b/apparmor.d/abstractions/chromium 
@@ -29,6 +29,7 @@ include include include + include capability setgid, capability setuid, @@ -132,8 +133,6 @@ # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk, # owner @{HOME}/.mozilla/firefox/*/logins.json r, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, - /tmp/ r, /var/tmp/ r, owner /tmp/.@{chromium_domain}.* rw, diff --git a/apparmor.d/groups/bus/ibus-extension-gtk3 b/apparmor.d/groups/bus/ibus-extension-gtk3 index 3300187b1..8000f6c4d 100644 --- a/apparmor.d/groups/bus/ibus-extension-gtk3 +++ b/apparmor.d/groups/bus/ibus-extension-gtk3 @@ -10,14 +10,15 @@ include @{exec_path} += @{libexec}/ibus-extension-gtk3 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { include - include include + include include include include include include include + include signal (receive) set=term peer=ibus-daemon, @@ -74,7 +75,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, /var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r, /var/lib/gdm{3,}/.config/dconf/user r, diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome index 36db492f5..0e1618b5e 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome @@ -22,6 +22,7 @@ profile xdg-desktop-portal-gnome @{exec_path} { include include include + include dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus @@ -124,8 +125,6 @@ profile xdg-desktop-portal-gnome @{exec_path} { owner @{user_share_dirs}/ r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, @{run}/mount/utab r, 
diff --git a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk index 30abb79e7..e50493aeb 100644 --- a/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk +++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk @@ -24,6 +24,7 @@ profile xdg-desktop-portal-gtk @{exec_path} { include include include + include unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell), @@ -169,8 +170,6 @@ profile xdg-desktop-portal-gtk @{exec_path} { @{run}/user/@{uid}/xauth_* rl, owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{PROC}/@{pid}/mountinfo r, diff --git a/apparmor.d/groups/gnome/gjs-console b/apparmor.d/groups/gnome/gjs-console index a09e2f405..e3d63ac5f 100644 --- a/apparmor.d/groups/gnome/gjs-console +++ b/apparmor.d/groups/gnome/gjs-console @@ -21,6 +21,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -99,9 +100,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/gstreamer-1.0/ rw, owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/groups/gnome/gnome-calculator-search-provider b/apparmor.d/groups/gnome/gnome-calculator-search-provider index 2a2f65fec..59223da9c 100644 --- a/apparmor.d/groups/gnome/gnome-calculator-search-provider +++ b/apparmor.d/groups/gnome/gnome-calculator-search-provider @@ -17,6 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} { include include include + include signal (send) set=kill peer=unconfined, 
@@ -28,7 +29,6 @@ profile gnome-calculator-search-provider @{exec_path} { /usr/share/icons/{,**} r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pids}/cmdline r, diff --git a/apparmor.d/groups/gnome/gnome-characters-backgroudservice b/apparmor.d/groups/gnome/gnome-characters-backgroudservice index 648e83f58..488c89543 100644 --- a/apparmor.d/groups/gnome/gnome-characters-backgroudservice +++ b/apparmor.d/groups/gnome/gnome-characters-backgroudservice @@ -9,8 +9,9 @@ include @{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService profile gnome-characters-backgroudservice @{exec_path} { include - include include + include + include @{exec_path} mr, @@ -24,8 +25,6 @@ profile gnome-characters-backgroudservice @{exec_path} { /etc/gtk-3.0/settings.ini r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{PROC}/@{pid}/mounts r, owner @{PROC}/@{pid}/stat r, owner @{PROC}/@{pid}/task/@{tid}/stat r, diff --git a/apparmor.d/groups/gnome/gnome-control-center-print-renderer b/apparmor.d/groups/gnome/gnome-control-center-print-renderer index 4b07ee940..4bf642f52 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-print-renderer +++ b/apparmor.d/groups/gnome/gnome-control-center-print-renderer @@ -9,8 +9,8 @@ include @{exec_path} = @{libexec}/gnome-control-center-print-renderer profile gnome-control-center-print-renderer @{exec_path} { include - include include + include include include include @@ -20,6 +20,7 @@ profile gnome-control-center-print-renderer @{exec_path} { include include include + include dbus send bus=session path=/org/a11y/bus interface=org.a11y.Bus @@ -44,7 +45,6 @@ profile gnome-control-center-print-renderer @{exec_path} { owner @{user_share_dirs}/icons/{,**} r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{PROC}/@{pid}/cmdline r, owner @{PROC}/@{pid}/comm r, 
diff --git a/apparmor.d/groups/gnome/gnome-control-center-search-provider b/apparmor.d/groups/gnome/gnome-control-center-search-provider index 5b515a08d..1de8082bd 100644 --- a/apparmor.d/groups/gnome/gnome-control-center-search-provider +++ b/apparmor.d/groups/gnome/gnome-control-center-search-provider @@ -18,6 +18,7 @@ profile gnome-control-center-search-provider @{exec_path} { include include include + include @{exec_path} mr, @@ -26,7 +27,6 @@ profile gnome-control-center-search-provider @{exec_path} { /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, include if exists } diff --git a/apparmor.d/groups/gnome/gnome-session-binary b/apparmor.d/groups/gnome/gnome-session-binary index f20249b6b..6a1f6465b 100644 --- a/apparmor.d/groups/gnome/gnome-session-binary +++ b/apparmor.d/groups/gnome/gnome-session-binary @@ -9,17 +9,18 @@ include @{exec_path} = @{libexec}/gnome-session-binary profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { include + include include include - include include include include include include include - include include + include + include include network inet stream, @@ -230,7 +231,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gnome-session-leader-fifo rw, owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl, owner @{run}/user/@{uid}/systemd/notify w, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{sys}/devices/**/{vendor,device} r, diff --git a/apparmor.d/groups/gnome/gnome-shell b/apparmor.d/groups/gnome/gnome-shell index 297b429f6..731dbc039 100644 --- a/apparmor.d/groups/gnome/gnome-shell +++ b/apparmor.d/groups/gnome/gnome-shell @@ -32,6 +32,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { include include include + include include capability sys_nice, 
@@ -589,7 +590,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw, owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw, owner @{run}/user/@{uid}/systemd/notify rw, - owner @{run}/user/@{uid}/wayland-[0-9].lock rwk, owner /dev/shm/.org.chromium.Chromium.* rw, owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gnome-terminal-server b/apparmor.d/groups/gnome/gnome-terminal-server index d4b6b7d57..5141bbd41 100644 --- a/apparmor.d/groups/gnome/gnome-terminal-server +++ b/apparmor.d/groups/gnome/gnome-terminal-server @@ -15,6 +15,7 @@ profile gnome-terminal-server @{exec_path} { include include include + include signal (send) set=(term hup kill) peer=unconfined, ptrace (read) peer=unconfined, @@ -47,8 +48,6 @@ profile gnome-terminal-server @{exec_path} { owner @{user_config_dirs}/*xdg-terminals.list* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner /tmp/#[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-color b/apparmor.d/groups/gnome/gsd-color index f7bc3a019..670566c93 100644 --- a/apparmor.d/groups/gnome/gsd-color +++ b/apparmor.d/groups/gnome/gsd-color @@ -17,6 +17,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -134,8 +135,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/icc/edid-*.icc rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-keyboard b/apparmor.d/groups/gnome/gsd-keyboard index a35191165..860cb2783 100644 --- a/apparmor.d/groups/gnome/gsd-keyboard +++ b/apparmor.d/groups/gnome/gsd-keyboard 
@@ -17,6 +17,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -108,8 +109,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) { owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-media-keys b/apparmor.d/groups/gnome/gsd-media-keys index 3906e6dc5..032c26257 100644 --- a/apparmor.d/groups/gnome/gsd-media-keys +++ b/apparmor.d/groups/gnome/gsd-media-keys @@ -19,6 +19,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { include include include + include signal (receive) set=(term, hup) peer=gdm*, @@ -183,8 +184,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) { @{run}/systemd/inhibit/[0-9]*.ref rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner /dev/tty[0-9]* rw, diff --git a/apparmor.d/groups/gnome/gsd-power b/apparmor.d/groups/gnome/gsd-power index 299de5cd2..3a5c81751 100644 --- a/apparmor.d/groups/gnome/gsd-power +++ b/apparmor.d/groups/gnome/gsd-power @@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { include include include + include network netlink raw, @@ -183,8 +184,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) { /var/lib/gdm{3,}/greeter-dconf-defaults r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, @{run}/udev/data/+backlight:* r, @{run}/udev/data/+leds:*backlight* r, diff --git a/apparmor.d/groups/gnome/gsd-wacom b/apparmor.d/groups/gnome/gsd-wacom index b8508e47e..3ccb5aad4 100644 --- a/apparmor.d/groups/gnome/gsd-wacom 
+++ b/apparmor.d/groups/gnome/gsd-wacom @@ -9,13 +9,14 @@ include @{exec_path} = @{libexec}/gsd-wacom profile gsd-wacom @{exec_path} flags=(attach_disconnected) { include - include - include include + include include include include include + include + include signal (receive) set=(term, hup) peer=gdm*, @@ -107,8 +108,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) { /usr/share/mime/mime.cache r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, /var/lib/gdm{3,}/.config/dconf/user r, /var/lib/gdm{3,}/greeter-dconf-defaults r, diff --git a/apparmor.d/groups/gnome/gsd-xsettings b/apparmor.d/groups/gnome/gsd-xsettings index c0a29be6f..145817156 100644 --- a/apparmor.d/groups/gnome/gsd-xsettings +++ b/apparmor.d/groups/gnome/gsd-xsettings @@ -20,6 +20,7 @@ profile gsd-xsettings @{exec_path} { include include include + include network inet stream, network inet6 stream, @@ -143,8 +144,6 @@ profile gsd-xsettings @{exec_path} { owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, @{run}/systemd/sessions/* r, @{run}/systemd/users/@{uid} r, diff --git a/apparmor.d/groups/ubuntu/apport-gtk b/apparmor.d/groups/ubuntu/apport-gtk index 5c517599a..52849f6cd 100644 --- a/apparmor.d/groups/ubuntu/apport-gtk +++ b/apparmor.d/groups/ubuntu/apport-gtk @@ -18,6 +18,7 @@ profile apport-gtk @{exec_path} { include include include + include capability fowner, capability sys_ptrace, @@ -76,7 +77,6 @@ profile apport-gtk @{exec_path} { /var/log/installer/media-info r, @{run}/snapd.socket rw, - owner @{run}/user/@{uid}/wayland-[0-9] rw, owner @{run}/user/.mutter-Xwaylandauth.* rw, /tmp/[a-z0-9]* rw, 
diff --git a/apparmor.d/groups/ubuntu/check-new-release-gtk b/apparmor.d/groups/ubuntu/check-new-release-gtk index 0b95a73d7..3d804216d 100644 --- a/apparmor.d/groups/ubuntu/check-new-release-gtk +++ b/apparmor.d/groups/ubuntu/check-new-release-gtk @@ -18,6 +18,7 @@ profile check-new-release-gtk @{exec_path} { include include include + include network inet dgram, network inet6 dgram, @@ -53,8 +54,6 @@ profile check-new-release-gtk @{exec_path} { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - owner @{run}/user/@{uid}/wayland-[0-9] rw, - @{PROC}/@{pids}/mountinfo r, @{PROC}/@{pids}/mounts r, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/livepatch-notification b/apparmor.d/groups/ubuntu/livepatch-notification index cdbd7e90f..3529ad138 100644 --- a/apparmor.d/groups/ubuntu/livepatch-notification +++ b/apparmor.d/groups/ubuntu/livepatch-notification @@ -12,6 +12,7 @@ profile livepatch-notification @{exec_path} { include include include + include @{exec_path} mr, @@ -21,7 +22,6 @@ profile livepatch-notification @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, @{run}/user/@{uid}/gdm/Xauthority r, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 842e50a3c..4815a1ba9 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -17,6 +17,7 @@ profile software-properties-gtk @{exec_path} { include include include + include dbus (send,receive) bus=system path=/com/canonical/UbuntuAdvantage/{,**} interface=org.freedesktop.DBus.Introspectable diff --git a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification index 5096582a0..f125c704b 100644 --- a/apparmor.d/groups/ubuntu/ubuntu-advantage-notification +++ b/apparmor.d/groups/ubuntu/ubuntu-advantage-notification 
@@ -12,6 +12,7 @@ profile ubuntu-advantage-notification @{exec_path} { include include include + include @{exec_path} mr, @@ -19,7 +20,5 @@ profile ubuntu-advantage-notification @{exec_path} { /usr/share/icons/{,**} r, /usr/share/X11/xkb/{,**} r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - include if exists } \ No newline at end of file diff --git a/apparmor.d/groups/ubuntu/update-manager b/apparmor.d/groups/ubuntu/update-manager index d820d7ca5..9af0533b0 100644 --- a/apparmor.d/groups/ubuntu/update-manager +++ b/apparmor.d/groups/ubuntu/update-manager @@ -21,6 +21,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { include include include + include network inet dgram, network inet6 dgram, @@ -85,8 +86,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/update-manager-core/{,**} rw, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - @{run}/systemd/inhibit/*.ref w, owner @{PROC}/@{pid}/fd/ r, diff --git a/apparmor.d/groups/ubuntu/update-notifier b/apparmor.d/groups/ubuntu/update-notifier index 1d6fdc796..89e68cb46 100644 --- a/apparmor.d/groups/ubuntu/update-notifier +++ b/apparmor.d/groups/ubuntu/update-notifier @@ -19,6 +19,7 @@ profile update-notifier @{exec_path} { include include include + include dbus receive bus=session path=/org/ayatana/NotificationItem{,/**} interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties} @@ -69,7 +70,6 @@ profile update-notifier @{exec_path} { owner @{run}/user/@{uid}/at-spi/bus rw, owner @{run}/user/@{uid}/bus rw, owner @{run}/user/@{uid}/update-notifier.pid rwk, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner /tmp/#[0-9]* rw, diff --git a/apparmor.d/profiles-a-f/blueman b/apparmor.d/profiles-a-f/blueman index 620cae5e8..11c8d32e0 100644 --- a/apparmor.d/profiles-a-f/blueman +++ b/apparmor.d/profiles-a-f/blueman 
@@ -20,6 +20,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network inet6 stream, @@ -58,7 +59,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) { owner @{user_cache_dirs}/obexd/* rw, owner @{run}/user/@{uid}/gdm/Xauthority r, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, owner @{PROC}/@{pid}/fd/ r, owner @{PROC}/@{pid}/mounts r, diff --git a/apparmor.d/profiles-a-f/file-roller b/apparmor.d/profiles-a-f/file-roller index 14301316c..b86446f0e 100644 --- a/apparmor.d/profiles-a-f/file-roller +++ b/apparmor.d/profiles-a-f/file-roller @@ -14,6 +14,7 @@ profile file-roller @{exec_path} { include include include + include @{exec_path} mr, @@ -35,7 +36,5 @@ profile file-roller @{exec_path} { /etc/gtk-3.0/settings.ini r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - include if exists } \ No newline at end of file diff --git a/apparmor.d/profiles-s-z/system-config-printer b/apparmor.d/profiles-s-z/system-config-printer index 1b198beee..20b2cb7f6 100644 --- a/apparmor.d/profiles-s-z/system-config-printer +++ b/apparmor.d/profiles-s-z/system-config-printer @@ -21,6 +21,7 @@ profile system-config-printer @{exec_path} flags=(complain) { include include include + include network inet stream, network inet6 stream, @@ -59,7 +60,6 @@ profile system-config-printer @{exec_path} flags=(complain) { owner @{HOME}/.cups/ rw, owner @{HOME}/.cups/lpoptions rw, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, owner @{run}/user/@{uid}/gvfsd/socket-* rw, @{run}/cups/cups.sock rw, diff --git a/apparmor.d/profiles-s-z/virt-manager b/apparmor.d/profiles-s-z/virt-manager index 85ba95780..fc45ac353 100644 --- a/apparmor.d/profiles-s-z/virt-manager +++ b/apparmor.d/profiles-s-z/virt-manager @@ -28,6 +28,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { include include include + include network inet stream, network inet6 stream, 
@@ -86,7 +87,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) { owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk, owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk, - owner @{run}/user/@{uid}/wayland-cursor-shared-* rw, @{run}/mount/utab r, @{run}/udev/data/c3[0-9]*:[0-9]* r, # For dynamic assignment range 384 to 511 From 766151bfa407172e8e27f469fe8a8dd0e7b4bc69 Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 13 Jun 2023 17:11:30 +0100 Subject: [PATCH 02/14] doc: add link to the presentation in LSS-NA. --- README.md | 3 +++ docs/index.md | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/README.md b/README.md index 97772c09a..e80b620b6 100644 --- a/README.md +++ b/README.md @@ -62,6 +62,9 @@ bubblewrap, toolbox...). This is fundamentally different from how AppArmor is usually used on Linux servers as it is common to only confine the applications that face the internet and/or the users. +**Presentation** + +- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin)) ## Installation diff --git a/docs/index.md b/docs/index.md index a8dce1bdb..9ec8c73ec 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -36,3 +36,7 @@ See the [Concepts](concepts) page for more detail on the architecture. - Support all major desktop environments: * Currently only :material-gnome: Gnome - Fully tested (Work in progress) + +**Presentation** + +- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin)) \ No newline at end of file From a98a86600a533b414f913182c2ca23fcc81c94bc Mon Sep 17 00:00:00 2001 From: Alexandre Pujol Date: Tue, 13 Jun 2023 17:15:37 +0100 Subject: [PATCH 03/14] feat(profiles): general update. --- apparmor.d/groups/pacman/pacman | 7 +++++- apparmor.d/groups/pacman/pacman-hook-code | 24 +++++++++++++++++++ apparmor.d/groups/systemd/systemd-fsck | 3 ++- .../groups/ubuntu/software-properties-gtk | 2 -- apparmor.d/profiles-a-f/aa-status | 2 +- apparmor.d/profiles-g-l/htop | 2 ++ apparmor.d/profiles-g-l/labwc | 22 ++++++++--------- apparmor.d/profiles-s-z/sysctl | 2 ++ apparmor.d/profiles-s-z/uname | 3 +-- apparmor.d/profiles-s-z/userdel | 21 ++++++---------- 10 files changed, 55 insertions(+), 33 deletions(-) create mode 100644 apparmor.d/groups/pacman/pacman-hook-code diff --git a/apparmor.d/groups/pacman/pacman b/apparmor.d/groups/pacman/pacman index d24a569fb..e7d180646 100644 --- a/apparmor.d/groups/pacman/pacman +++ b/apparmor.d/groups/pacman/pacman @@ -57,6 +57,7 @@ profile pacman @{exec_path} { /{usr/,}bin/cat rix, /{usr/,}bin/chgrp rix, /{usr/,}bin/chmod rix, + /{usr/,}bin/cp rix, /{usr/,}bin/dot rix, /{usr/,}bin/env rix, /{usr/,}bin/filecap rix, 
@@ -72,7 +73,7 @@ profile pacman @{exec_path} { /{usr/,}bin/ln rix, /{usr/,}bin/perl rix, /{usr/,}bin/pkill rix, - /{usr/,}bin/cp rix, + /{usr/,}bin/pwd rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, /{usr/,}bin/setcap rix, @@ -88,6 +89,7 @@ profile pacman @{exec_path} { /{usr/,}bin/dconf rPx, /{usr/,}bin/fc-cache{,-32} rPx, /{usr/,}bin/gdk-pixbuf-query-loaders rPx, + /{usr/,}bin/gio-querymodules rPx, /{usr/,}bin/glib-compile-schemas rPx, /{usr/,}bin/groupadd rPx, /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx, @@ -107,7 +109,10 @@ profile pacman @{exec_path} { /{usr/,}bin/update-mime-database rPx, /{usr/,}lib/systemd/systemd-* rPx, /{usr/,}lib/vlc/vlc-cache-gen rPx, + /opt/Mullvad*/resources/mullvad-setup rPx, + /usr/share/code-features/patch.sh rPx, /usr/share/libalpm/scripts/* rPUx, + /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx, # Install/update packages / r, diff --git a/apparmor.d/groups/pacman/pacman-hook-code b/apparmor.d/groups/pacman/pacman-hook-code new file mode 100644 index 000000000..d3aa3c129 --- /dev/null +++ b/apparmor.d/groups/pacman/pacman-hook-code @@ -0,0 +1,24 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2021 Alexandre Pujol +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /usr/share/code-features/patch.sh +profile pacman-hook-code @{exec_path} { + include + + capability dac_read_search, + + @{exec_path} mr, + + /{usr/,}bin/{,ba}sh rix, + /{usr/,}bin/sed rix, + /{usr/,}bin/grep rix, + + /{usr/,}lib/code/sed?????? rw, + + include if exists +} \ No newline at end of file diff --git a/apparmor.d/groups/systemd/systemd-fsck b/apparmor.d/groups/systemd/systemd-fsck index e68e7c5b4..b01827a0f 100644 --- a/apparmor.d/groups/systemd/systemd-fsck +++ b/apparmor.d/groups/systemd/systemd-fsck 
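Review bot: `/usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx` in the pacman `@@ -107,7 +109,10` hunk lets a root-run package hook fall back to fully unconfined execution whenever no `mktexlsr` profile is loaded, whereas the other additions in the same hunk (`/opt/Mullvad*/resources/mullvad-setup rPx`, `/usr/share/code-features/patch.sh rPx`) fail closed. The existing `/usr/share/libalpm/scripts/* rPUx` line sets a precedent, but a TeX Live script rebuilding ls-R databases under `/usr/share` is a natural candidate for its own profile; consider `rPx` once one exists, or add a comment above the line explaining why unconfined fallback is acceptable for this hook. The pacman profile body continues outside the hunk.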
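Review bot: The new `pacman-hook-code` profile grants `rw` only on the sed scratch file `/{usr/,}lib/code/sed??????`, not on whatever file under `/{usr/,}lib/code/` the script edits; if `patch.sh` uses `sed -i`, the final rename of the scratch file over the target is mediated as a write on the target path and will be denied, so the rule set is probably incomplete unless the hook was tested with audit logging on. `capability dac_read_search` is also granted with no comment saying why; since the hook runs as root and its inputs are normally root-readable, confirm from `audit` denials that it is actually hit, and otherwise drop it or annotate it with e.g. `# To traverse directories not searchable by root's DAC bits (seen in audit log)`. The file also lacks a trailing newline (`\ No newline at end of file`), unlike the rest of the tree.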
@@ -19,8 +19,9 @@ profile systemd-fsck @{exec_path} { @{exec_path} mr, - /{usr/,}{s,}bin/fsck rPx, /{usr/,}{s,}bin/e2fsck rPx, + /{usr/,}{s,}bin/fsck rPx, + /{usr/,}{s,}bin/fsck.* rPx, owner @{run}/systemd/quotacheck w, owner @{run}/systemd/fsck.progress rw, diff --git a/apparmor.d/groups/ubuntu/software-properties-gtk b/apparmor.d/groups/ubuntu/software-properties-gtk index 4815a1ba9..afc25ebab 100644 --- a/apparmor.d/groups/ubuntu/software-properties-gtk +++ b/apparmor.d/groups/ubuntu/software-properties-gtk @@ -68,8 +68,6 @@ profile software-properties-gtk @{exec_path} { /var/lib/snapd/desktop/icons/ r, /var/lib/ubuntu-advantage/status.json r, - owner @{run}/user/@{uid}/wayland-[0-9]* rw, - owner /tmp/[a-z0-9]* rw, owner /tmp/tmp*/{,apt.conf} rw, diff --git a/apparmor.d/profiles-a-f/aa-status b/apparmor.d/profiles-a-f/aa-status index 0526f1fec..cb85f595e 100644 --- a/apparmor.d/profiles-a-f/aa-status +++ b/apparmor.d/profiles-a-f/aa-status @@ -25,7 +25,7 @@ profile aa-status @{exec_path} { @{PROC}/@{pids}/attr/apparmor/current r, @{PROC}/@{pids}/attr/current r, owner @{PROC}/@{pid}/mounts r, - + /dev/tty[0-9]* rw, include if exists diff --git a/apparmor.d/profiles-g-l/htop b/apparmor.d/profiles-g-l/htop index 5e92177da..7489aec17 100644 --- a/apparmor.d/profiles-g-l/htop +++ b/apparmor.d/profiles-g-l/htop @@ -25,6 +25,8 @@ profile htop @{exec_path} { @{exec_path} mr, + /{usr/,}bin/lsof rix, + /usr/share/terminfo/x/xterm-256color r, /etc/sensors.d/ r, diff --git a/apparmor.d/profiles-g-l/labwc b/apparmor.d/profiles-g-l/labwc index 0cae0773c..5bf184a47 100644 --- a/apparmor.d/profiles-g-l/labwc +++ b/apparmor.d/profiles-g-l/labwc @@ -9,17 +9,17 @@ include @{exec_path} = /{usr/,}bin/labwc profile labwc @{exec_path} flags=(attach_disconnected) { include - include - include include - include - include - include - include + include include include + include + include + include include - include + include + include + include network netlink raw, 
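Review bot: `/{usr/,}{s,}bin/fsck.* rPx` in the systemd-fsck hunk requires a loaded profile for every `fsck.*` helper systemd-fsck may spawn (`fsck.fat`, `fsck.btrfs`, `fsck.xfs`, ...); with `Px` an exec of a helper that has no profile is denied rather than run unconfined, and because this happens in early boot a denial means the filesystem is left unchecked or the unit fails. Confirm that a profile exists in this tree for each `fsck.*` binary shipped by the supported distributions, or add them in the same change. `fsck.ext4` and its siblings are symlinks to `e2fsck`, which AppArmor should match against the resolved path and thus the `e2fsck` rule already present. The systemd-fsck profile body continues outside the hunk.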
@@ -30,16 +30,14 @@ profile labwc @{exec_path} flags=(attach_disconnected) { /{usr/,}bin/* rPUx, @{libexec}/* rPUx, - owner @{user_config_dirs}/labwc/ r, - owner @{user_config_dirs}/labwc/* r, - /usr/share/libinput/ r, /usr/share/libinput/*.quirks r, - /usr/share/themes/**/themerc r, - /usr/share/X11/xkb/** r, + owner @{user_config_dirs}/labwc/ r, + owner @{user_config_dirs}/labwc/* r, + owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw, @{sys}/class/drm/ r, diff --git a/apparmor.d/profiles-s-z/sysctl b/apparmor.d/profiles-s-z/sysctl index df73736b2..24cb4ddca 100644 --- a/apparmor.d/profiles-s-z/sysctl +++ b/apparmor.d/profiles-s-z/sysctl @@ -2,6 +2,8 @@ # Copyright (C) 2021 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only +# TODO: Rethink this profile. Should not be called by another profile. + abi , include diff --git a/apparmor.d/profiles-s-z/uname b/apparmor.d/profiles-s-z/uname index 451d7d44d..869804405 100644 --- a/apparmor.d/profiles-s-z/uname +++ b/apparmor.d/profiles-s-z/uname @@ -13,10 +13,9 @@ profile uname @{exec_path} { @{exec_path} mr, - owner /tmp/mktexlsr.* rw, - # file_inherit owner @{HOME}/.xsession-errors w, + owner /tmp/mktexlsr.* rw, deny @{user_share_dirs}/gvfs-metadata/* r, diff --git a/apparmor.d/profiles-s-z/userdel b/apparmor.d/profiles-s-z/userdel index 751497b1e..5fc6b51c8 100644 --- a/apparmor.d/profiles-s-z/userdel +++ b/apparmor.d/profiles-s-z/userdel @@ -1,5 +1,6 @@ # apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov +# Copyright (C) 2023 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , 
@@ -12,21 +13,13 @@ profile userdel @{exec_path} flags=(attach_disconnected) { include include - # The userdel command is issued as root and its task is to delete regular user accounts. It - # optionally can remove user files (via --remove). Because of that, the userdel command needs the - # following CAPs to be able to do so. - capability dac_read_search, - capability dac_override, - - # To write records to the kernel auditing log. capability audit_write, - - # To set the right permission to the files in the /etc/ dir). capability chown, + capability dac_override, + capability dac_read_search, capability fsetid, - - # To prevent removing a user when it's used by some process. capability sys_ptrace, + ptrace (read), network netlink raw, @@ -35,9 +28,6 @@ profile userdel @{exec_path} flags=(attach_disconnected) { /etc/login.defs r, - @{PROC}/ r, - @{PROC}/@{pids}/task/ r, - /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw, /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w, /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w, @@ -60,5 +50,8 @@ profile userdel @{exec_path} flags=(attach_disconnected) { /var/lib/ r, /var/lib/*/{,**} rw, + @{PROC}/ r, + @{PROC}/@{pids}/task/ r, + include if exists } From 4deb8f135abc4ee8b12fa9a62ae45d265ca55241 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Wed, 24 May 2023 13:02:55 +0200 Subject: [PATCH 04/14] Update mount --- apparmor.d/profiles-m-r/mount | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount index e39cce5d7..5d41be432 100644 --- a/apparmor.d/profiles-m-r/mount +++ b/apparmor.d/profiles-m-r/mount @@ -9,11 +9,12 @@ abi , include @{exec_path} = /{usr/,}{s,}bin/mount -profile mount @{exec_path} { +profile mount @{exec_path} flags=(attach_disconnected) { include include include include + include capability chown, capability dac_read_search, 
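Review bot: The userdel `@@ -12,21 +13,13` hunk adds an unqualified `ptrace (read),` rule and at the same time drops every why-comment on the capability list, so a reader can no longer tell that `capability sys_ptrace` and `ptrace (read)` exist only so userdel can scan `@{PROC}/` for processes still owned by the account being deleted (the removed comment said as much, and the `@{PROC}/ r` / `@{PROC}/@{pids}/task/ r` rules are kept). Restore a short rationale, e.g. `# To check that the user has no running processes (scans @{PROC}/@{pids}/)` above `capability sys_ptrace,` and `ptrace (read),`, and the one-liners for `audit_write`, `chown` and `fsetid` that were removed. An unqualified `ptrace (read)` grants read on every peer label, which is probably what a full process scan needs, but saying so stops the next reviewer from trying to narrow it. The profile body continues outside the hunk.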
From 6227a51d868a4187e0d8750e7327b7c5d5d4c435 Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Wed, 24 May 2023 13:10:21 +0200 Subject: [PATCH 05/14] Update kde-powerdevil --- apparmor.d/groups/kde/kde-powerdevil | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil index 43e5e8816..c367630f8 100644 --- a/apparmor.d/groups/kde/kde-powerdevil +++ b/apparmor.d/groups/kde/kde-powerdevil @@ -38,9 +38,14 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) { @{PROC}/sys/kernel/core_pattern r, @{PROC}/@{pid}/mounts r, + + @{sys}/class/ r, + @{sys}/class/drm/ r, + @{sys}/bus/ r, + @{sys}/devices/pci[0-9]*/[0-9]*/drm/card[0-9]*/*/status r /dev/tty rw, /dev/rfkill r, include if exists -} \ No newline at end of file +} From 0bb8937cc2abf1ba9b75028560f3c30593de433d Mon Sep 17 00:00:00 2001 From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com> Date: Wed, 24 May 2023 13:15:24 +0200 Subject: [PATCH 06/14] Update mullvad-daemon --- apparmor.d/groups/network/mullvad-daemon | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/apparmor.d/groups/network/mullvad-daemon b/apparmor.d/groups/network/mullvad-daemon index 527d924d4..b6581c730 100644 --- a/apparmor.d/groups/network/mullvad-daemon +++ b/apparmor.d/groups/network/mullvad-daemon @@ -47,9 +47,8 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) { /var/cache/mullvad-vpn/{,*} rw, /var/log/mullvad-vpn/{,*} rw, - owner /var/log/private/mullvad-vpn/daemon.log rw, - owner /var/log/private/mullvad-vpn/daemon.old.log w, - + owner /var/log/private/mullvad-vpn/*.log rw, + @{run}/mullvad-vpn rw, @{run}/NetworkManager/resolv.conf r, 
@@ -62,6 +61,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
   owner /tmp/talpid-openvpn-@{uuid} rw,
   owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
   @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
   /dev/net/tun rw,
From a93c80fac09dd3c51511b2bc61afdd963920ba80 Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Wed, 24 May 2023 14:47:24 +0200
Subject: [PATCH 07/14] Fix kde-powerdevil copy and paste error
---
 apparmor.d/groups/kde/kde-powerdevil | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/apparmor.d/groups/kde/kde-powerdevil b/apparmor.d/groups/kde/kde-powerdevil
index c367630f8..2f8433435 100644
--- a/apparmor.d/groups/kde/kde-powerdevil
+++ b/apparmor.d/groups/kde/kde-powerdevil
@@ -42,7 +42,7 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/ r,
   @{sys}/class/drm/ r,
   @{sys}/bus/ r,
-  @{sys}/devices/pci[0-9]*/[0-9]*/drm/card[0-9]*/*/status r
+  @{sys}/devices/pci[0-9]*/[0-9]*/drm/card[0-9]*/*/status r,
   /dev/tty rw,
   /dev/rfkill r,
From 0a468caff2f7e1d1527781c77c00b2326e17e98d Mon Sep 17 00:00:00 2001
From: curiosityseeker <60518106+curiosityseeker@users.noreply.github.com>
Date: Sun, 11 Jun 2023 14:54:54 +0200
Subject: [PATCH 08/14] Revert adding the user-tmp abstraction
---
 apparmor.d/profiles-m-r/mount | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/apparmor.d/profiles-m-r/mount b/apparmor.d/profiles-m-r/mount
index 5d41be432..3307c4d5a 100644
--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@@ -14,8 +14,7 @@ profile mount @{exec_path} flags=(attach_disconnected) {
   include
   include
   include
-  include
-
+
   capability chown,
   capability dac_read_search,
   capability setgid,
From 5ccd92e12f624f1a12fd42b7b68643f3a8388326 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken
Date: Mon, 5 Jun 2023 21:01:56 +0200
Subject: [PATCH 09/14] General update
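Review bot: `owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,` carries an `owner` qualifier that the neighbouring `@{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,` does not; sysctl files under /proc/sys are not per-process files, so the qualifier adds nothing over the plain rule and only makes the two lines inconsistent. Drop it: `@{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,`. The profile body continues outside the hunk.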
Signed-off-by: Jeroen Rijken --- apparmor.d/groups/freedesktop/pulseaudio | 19 +++++++++-- apparmor.d/groups/freedesktop/xdg-dbus-proxy | 31 +++++++++++++++++ apparmor.d/groups/freedesktop/xdg-settings | 4 +-- apparmor.d/groups/kde/kded5 | 4 ++- apparmor.d/groups/kde/plasmashell | 6 ++++ apparmor.d/groups/ssh/ssh | 9 ++++- apparmor.d/groups/ssh/ssh-agent | 1 + .../groups/virt/containerd-shim-runc-v2 | 2 ++ apparmor.d/groups/virt/k3s | 5 ++- apparmor.d/profiles-a-f/fwupd | 19 ++++++++++- apparmor.d/profiles-a-f/fwupdmgr | 2 ++ apparmor.d/profiles-s-z/thermald | 33 ++++++++++++++----- apparmor.d/profiles-s-z/udisksd | 8 +++++ 13 files changed, 127 insertions(+), 16 deletions(-) diff --git a/apparmor.d/groups/freedesktop/pulseaudio b/apparmor.d/groups/freedesktop/pulseaudio index bdd917cda..5904a6c7d 100644 --- a/apparmor.d/groups/freedesktop/pulseaudio +++ b/apparmor.d/groups/freedesktop/pulseaudio 
@@ -37,16 +37,31 @@ profile pulseaudio @{exec_path} { network bluetooth stream, network bluetooth seqpacket, - dbus send bus=session path=/Client0/EntryGroup[0-9]* + dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]* interface=org.freedesktop.Avahi.EntryGroup member={GetState,AddService,AddServiceSubtype,Commit} peer=(name=org.freedesktop.Avahi), - dbus receive bus=system path=/Client0/EntryGroup[0-9]* + dbus receive bus=system path=/Client[0-9]*/EntryGroup[0-9]* interface=org.freedesktop.Avahi.EntryGroup member={AddService,AddServiceSubtype,Commit,GetState,StateChanged} peer=(name=org.freedesktop.Avahi), + dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]* + interface=org.freedesktop.Avahi.ServiceBrowser + member={ItemNew,ItemRemove} + peer=(name=org.freedesktop.Avahi), # no peer's label + + dbus receive bus=system path=/Client[0-9]*/ServiceResolver[0-9]* + interface=org.freedesktop.Avahi.ServiceResolver + member=Found + peer=(name=org.freedesktop.Avahi), + + dbus send bus=system path=/Client[0-9]*/ServiceResolver[0-9]* + interface=org.freedesktop.Avahi.ServiceResolver + member=Free + peer=(name=org.freedesktop.Avahi), + dbus send bus=session path=/org/freedesktop/DBus interface=org.freedesktop.DBus member={RequestName,ReleaseName} diff --git a/apparmor.d/groups/freedesktop/xdg-dbus-proxy b/apparmor.d/groups/freedesktop/xdg-dbus-proxy index 38cb02d2b..263a01374 100644 --- a/apparmor.d/groups/freedesktop/xdg-dbus-proxy +++ b/apparmor.d/groups/freedesktop/xdg-dbus-proxy 
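Review bot: The rewritten `dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]*` rule still targets the session bus while its receive counterpart and every new ServiceBrowser/ServiceResolver rule use `bus=system`; the EntryGroup objects are served by the same Avahi daemon as those, so if the system-bus rules are right this send rule probably wants `bus=system` too — confirm against the audit log before changing it. The `# no peer's label` comment also deserves a word on why `peer=(name=org.freedesktop.Avahi)` is used instead of a label match as the other profiles in this series do, e.g. `# avahi-daemon has no profile yet, match on the well-known name` if that is the reason. The profile body continues outside the hunk.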
@@ -9,10 +9,41 @@ include @{exec_path} = /{usr/,}bin/xdg-dbus-proxy profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) { include + include include @{exec_path} mr, + dbus (send,receive) bus=system path=/ + interface=org.freedesktop.DBus + member={AddMatch,GetNameOwner} + peer=(label=dbus-daemon), + + dbus (send,receive) bus=system path=/org/freedesktop/DBus + interface=org.freedesktop.DBus + member={AddMatch,RemoveMatch,NameHasOwner,GetNameOwner} + peer=(label=dbus-daemon), + + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager + interface=org.freedesktop.NetworkManager + member=GetDevices + peer=(label=NetworkManager), + + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{/Devices/[0-9]*,/ActiveConnection/[0-9]*} + interface=org.freedesktop.DBus.Properties + member=GetAll + peer=(label=NetworkManager), + + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings + interface=org.freedesktop.NetworkManager.Settings + member=ListConnections + peer=(label=NetworkManager), + + dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]* + interface=org.freedesktop.NetworkManager.Settings.Connection + member=GetSettings + peer=(label=NetworkManager), + owner @{run}/firejail/dbus/[0-9]*/[0-9]*-{system,user} rw, owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw, owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw, diff --git a/apparmor.d/groups/freedesktop/xdg-settings b/apparmor.d/groups/freedesktop/xdg-settings index 6dd8e228b..823151ca1 100644 --- a/apparmor.d/groups/freedesktop/xdg-settings +++ b/apparmor.d/groups/freedesktop/xdg-settings 
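Review bot: The six new `dbus (send,receive)` rules hard-code NetworkManager object paths into the profile of a generic proxy, with nothing saying which proxied client needed them; xdg-dbus-proxy only forwards whatever its sandboxed client asks for, so this list will have to grow with every application that runs behind it. A header comment would make that explicit: `# xdg-dbus-proxy forwards its client's traffic; the rules below were observed for NetworkManager lookups and will need extending per proxied app`. Four of the rules also pair `send,receive` on plain method calls (`GetDevices`, `GetAll`, `ListConnections`, `GetSettings`); if the proxy only issues those calls and the replies are not separately mediated, `send` alone may be enough — worth checking whether a receive denial was actually logged. The profile body continues outside the hunk.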
@@ -43,8 +43,8 @@ profile xdg-settings @{exec_path} { /var/lib/snapd/desktop/applications/{,*} r, # freedesktop.org-strict - /usr/share/applications/{,*} r, - /usr/share/ubuntu/applications/ r, + /usr/{,local/}share/applications/{,*} r, + /usr/{,local/}share/ubuntu/applications/ r, owner @{user_share_dirs}/applications/ r, owner @{user_share_dirs}/applications/*.desktop r, diff --git a/apparmor.d/groups/kde/kded5 b/apparmor.d/groups/kde/kded5 index 38ea4b428..00ee263f7 100644 --- a/apparmor.d/groups/kde/kded5 +++ b/apparmor.d/groups/kde/kded5 @@ -84,6 +84,8 @@ profile kded5 @{exec_path} { owner @{user_share_dirs}/kded5/{,**} r, owner @{user_share_dirs}/kscreen/{,**} rw, owner @{user_share_dirs}/ktp/cache.db rwk, + owner @{user_share_dirs}/kcookiejar/#@{hex}* rw, + owner @{user_share_dirs}/kcookiejar/cookies.* rwkl, owner @{run}/user/@{uid}/#[0-9]* rw, owner @{run}/user/@{uid}/kded5*kioworker.socket rwl, @@ -120,4 +122,4 @@ profile kded5 @{exec_path} { } include if exists -} \ No newline at end of file +} diff --git a/apparmor.d/groups/kde/plasmashell b/apparmor.d/groups/kde/plasmashell index 2dc7446c3..ace3ea45f 100644 --- a/apparmor.d/groups/kde/plasmashell +++ b/apparmor.d/groups/kde/plasmashell @@ -10,6 +10,7 @@ include profile plasmashell @{exec_path} { include include + include include include include @@ -30,6 +31,11 @@ profile plasmashell @{exec_path} { signal (send), + dbus (send,receive) bus=system path=/org/freedesktop/UPower/devices/{,DisplayDevice,battery_BAT[0-9]*,mouse_hidpp_battery_[0-9]*} + interface=org.freedesktop.DBus.Properties + member={GetAll,PropertiesChanged} + peer=(label=upowerd), + @{exec_path} mr, @{libexec}/libheif/ r, diff --git a/apparmor.d/groups/ssh/ssh b/apparmor.d/groups/ssh/ssh index 6ce12f565..8eb1ef4a6 100644 --- a/apparmor.d/groups/ssh/ssh +++ b/apparmor.d/groups/ssh/ssh 
@@ -40,10 +40,17 @@ profile ssh @{exec_path} { owner @{user_projects_dirs}/**/ssh/{,*} r, owner @{user_projects_dirs}/**/config r, + /etc/ssh/ssh_config r, + /etc/ssh/ssh_config.d/{,*} r, + # Needed to work for systemd-homed users + /etc/machine-id r, + @{run}/systemd/userdb/ r, + owner @{run}/user/@{uid}/keyring/ssh rw, - owner @{PROC}/@{pid}/loginuid r, owner @{PROC}/@{pid}/fd/ r, + owner /tmp/ssh-*/{,agent.[0-9]*} rwkl, + include if exists } diff --git a/apparmor.d/groups/ssh/ssh-agent b/apparmor.d/groups/ssh/ssh-agent index dcf31faa6..7c0f9067a 100644 --- a/apparmor.d/groups/ssh/ssh-agent +++ b/apparmor.d/groups/ssh/ssh-agent @@ -19,6 +19,7 @@ profile ssh-agent @{exec_path} { /{usr/,}bin/enlightenment_start rPUx, /{usr/,}bin/gpg-agent rPx, + /{usr/,}bin/im-launch rPUx, /{usr/,}bin/kwalletaskpass rPUx, /{usr/,}bin/openbox-session rPx, /{usr/,}bin/startkde rPUx, diff --git a/apparmor.d/groups/virt/containerd-shim-runc-v2 b/apparmor.d/groups/virt/containerd-shim-runc-v2 index 2d54b7084..014305444 100644 --- a/apparmor.d/groups/virt/containerd-shim-runc-v2 +++ b/apparmor.d/groups/virt/containerd-shim-runc-v2 @@ -22,6 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) { ptrace (read) peer=containerd, ptrace (read) peer=unconfined, + signal (send) set=kill peer=cri-containerd.apparmor.d, + mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/, diff --git a/apparmor.d/groups/virt/k3s b/apparmor.d/groups/virt/k3s index 7e4e2803e..4a0f7d4c0 100644 --- a/apparmor.d/groups/virt/k3s +++ b/apparmor.d/groups/virt/k3s 
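Review bot: `owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,` gives the ssh client write, lock and link permission on the agent socket directory and on the socket itself, while the client only connects to a socket that ssh-agent created; `rw` on the socket path is what connecting needs, and `k`/`l` on the directory are not. Suggested: `owner /tmp/ssh-*/agent.[0-9]* rw,` unless the audit log shows lock or link denials. The `# Needed to work for systemd-homed users` comment is the right style; the new `owner @{run}/user/@{uid}/keyring/ssh rw,` rule would read better with the same kind of one-liner (`# keyring-provided ssh agent socket`, if that is what it is). The ssh profile header is outside the hunk.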
@@ -28,12 +28,15 @@ profile k3s @{exec_path} flags=(attach_disconnected) { ptrace peer=@{profile_name}, ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined}, - # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes + # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes. # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix. ptrace (read) peer=container-*, ptrace (read) peer=docker-*, ptrace (read) peer=k3s-*, ptrace (read) peer=kubernetes-*, + # When using ZFS as storage provider instead of the default overlay2. + ptrace (read) peer=zfs, + ptrace (read) peer=zpool, network inet dgram, network inet6 dgram, diff --git a/apparmor.d/profiles-a-f/fwupd b/apparmor.d/profiles-a-f/fwupd index 4ffcd5200..1d0a24e63 100644 --- a/apparmor.d/profiles-a-f/fwupd +++ b/apparmor.d/profiles-a-f/fwupd @@ -13,6 +13,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { include include include + include include include @@ -38,7 +39,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority interface=org.freedesktop.DBus.Properties - member={Changed,GetAll}, + member={Changed,GetAll} + peer=(label=polkitd), dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/* interface=org.freedesktop.DBus.Properties 
@@ -52,9 +54,24 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) { interface=org.freedesktop.DBus.Properties member=GetAll, + dbus send bus=system path=/ + interface=org.freedesktop.fwupd + member=Changed + peer=(label=fwupdmgr), + + dbus send bus=system path=/ + interface=org.freedesktop.DBus + member=Changed + peer=(label=fwupdmgr), + dbus receive bus=system path=/ interface=org.freedesktop.fwupd, + dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority + interface=org.freedesktop.DBus.Properties + member={Changed,GetAll} + peer=(label=polkitd), + dbus receive bus=system path=/ interface=org.freedesktop.DBus.Properties member={GetAll,SetHints,GetPlugins,GetRemotes} diff --git a/apparmor.d/profiles-a-f/fwupdmgr b/apparmor.d/profiles-a-f/fwupdmgr index 5d5c558e5..4a4e6ce4e 100644 --- a/apparmor.d/profiles-a-f/fwupdmgr +++ b/apparmor.d/profiles-a-f/fwupdmgr @@ -63,6 +63,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) { owner @{user_cache_dirs}/fwupd/ rw, owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw, + owner @{run}/systemd/.cache/ rw, + owner @{PROC}/@{pid}/fd/ r, /dev/tty rw, diff --git a/apparmor.d/profiles-s-z/thermald b/apparmor.d/profiles-s-z/thermald index b7a60564d..0348a6a09 100644 --- a/apparmor.d/profiles-s-z/thermald +++ b/apparmor.d/profiles-s-z/thermald @@ -8,7 +8,7 @@ abi , include @{exec_path} = /{usr/,}sbin/thermald -profile thermald @{exec_path} { +profile thermald @{exec_path} flags=(attach_disconnected) { include include 
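Review bot: The new `dbus send bus=system path=/ interface=org.freedesktop.DBus member=Changed peer=(label=fwupdmgr)` rule looks like a copy of the `org.freedesktop.fwupd` rule above it with the interface swapped — the `org.freedesktop.DBus` interface has no `Changed` member, so unless an audit entry really showed that interface the rule is dead and should be removed. Separately, pinning the `Changed` signal send to `peer=(label=fwupdmgr)` means any other confined fwupd client listening for that signal will be denied; if that is intended, say so in a comment, otherwise drop the peer. The profile body continues outside the hunk.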
@@ -39,16 +39,25 @@ profile thermald @{exec_path} { @{sys}/class/hwmon/ r, @{sys}/class/thermal/ r, - @{sys}/devices/platform/ r, + @{sys}/devices/platform/{,*} r, + @{sys}/devices/platform/**/path r, + @{sys}/devices/platform/**/available_uuids r, + @{sys}/devices/platform/**/current_uuid rw, @{sys}/devices/system/cpu/present r, - @{sys}/devices/system/cpu/intel_pstate/max_perf_pct r, + @{sys}/devices/system/cpu/intel_pstate/max_perf_pct rw, + @{sys}/devices/system/cpu/intel_pstate/no_turbo rw, @{sys}/devices/system/cpu/intel_pstate/status r, @{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r, + @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_max_uw r, + @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_min_uw r, + @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmax_us r, + @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmin_us r, @{sys}/devices/**/hwmon[0-9]*/name r, @{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_{max,crit} r, + @{sys}/devices/**/path r, @{sys}/devices/virtual/dmi/id/product_name r, @{sys}/devices/virtual/dmi/id/product_uuid r, @@ -56,8 +65,11 @@ profile thermald @{exec_path} { @{sys}/devices/virtual/thermal/**/{type,temp} r, @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/mode rw, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/policy rw, @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw, @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r, + @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_hyst r, @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/cdev[0-9]*_trip_point r, @{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r, 
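Review bot: `@{sys}/devices/**/path r,` matches every `path` attribute under sysfs and fully subsumes `@{sys}/devices/platform/**/path r,` added earlier in the same hunk; keep one of them, preferably the narrower one if the denials all came from platform devices. The hunk also turns `max_perf_pct` from `r` to `rw` and adds `no_turbo rw`, `current_uuid rw`, `mode rw` and `policy rw`, which let the daemon change CPU performance limits and thermal-zone policy — that is its job, but a one-line `# thermald tunes intel_pstate limits and thermal zone policy` above those rules would make the write grants obviously intentional. The profile body continues outside the hunk.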
@@ -66,11 +78,16 @@ profile thermald @{exec_path} { @{sys}/devices/virtual/powercap/intel-rapl/ r, @{sys}/devices/virtual/powercap/intel-rapl/**/name r, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/{,*} r, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w, - @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/ r, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/* r, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_time_window_us w, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_power_limit_uw w, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/enabled w, + @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r, + + /dev/acpi_thermal_rel rw, + /dev/input/ r, + /dev/input/event[0-9]* r, include if exists } diff --git a/apparmor.d/profiles-s-z/udisksd b/apparmor.d/profiles-s-z/udisksd index 3456e9c9d..08d712e1b 100644 --- a/apparmor.d/profiles-s-z/udisksd +++ b/apparmor.d/profiles-s-z/udisksd @@ -54,6 +54,14 @@ profile udisksd @{exec_path} flags=(attach_disconnected) { umount @{run}/udisks2/temp-mount-*/, umount /media/cdrom[0-9]/, + dbus (send,receive) bus=system path=/ + interface=org.freedesktop.DBus.Introspectable + member=Introspect, + + dbus (send,receive) bus=system path=/ + interface=org.freedesktop.DBus.Properties + member=Get, + dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**} interface=org.freedesktop.{DBus*,UDisks2*}, From a84f0b540c77241acdd5e7a5013b7a0d1d9c5eb1 Mon Sep 17 00:00:00 2001 
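Review bot: `/dev/input/event[0-9]* r,` grants read on every input event device, keyboards included, and the hunk does not say which device thermald actually wants. If a specific device is the target, a comment such as `# TODO(review): confirm which input device thermald reads and narrow the path` should go in now and the glob tightened once that is known. The inner `intel-rapl:[0-9]*:[0-9]*/{,*}` path also keeps the old prefix while its parent gained `intel-rapl{,-mmio}`; if mmio sub-zones follow the parent's naming, that line needs the same alternation. The profile header is outside the hunk.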
From: Jeroen Rijken Date: Mon, 5 Jun 2023 21:18:32 +0200 Subject: [PATCH 10/14] Add unix domain socket Signed-off-by: Jeroen Rijken --- apparmor.d/groups/ssh/sshfs | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/apparmor.d/groups/ssh/sshfs b/apparmor.d/groups/ssh/sshfs index 4ded53715..ff1c2b89f 100644 --- a/apparmor.d/groups/ssh/sshfs +++ b/apparmor.d/groups/ssh/sshfs @@ -12,6 +12,8 @@ profile sshfs @{exec_path} flags=(complain) { @{exec_path} mr, + unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none), + /{usr/,}bin/ssh rPx, /{usr/,}bin/fusermount{,3} rCx -> fusermount, @@ -23,13 +25,15 @@ profile sshfs @{exec_path} flags=(complain) { @{PROC}/sys/fs/pipe-max-size r, - profile fusermount { + profile fusermount flags=(complain) { include include # To mount anything: capability sys_admin, + unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none), + /{usr/,}bin/fusermount{,3} mr, mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/, From 83bff808dc0f5b4567875fd962ae33062e118cd0 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 7 Jun 2023 22:26:10 +0200 Subject: [PATCH 11/14] dpkg updates Signed-off-by: Jeroen Rijken --- apparmor.d/groups/children/child-dpkg | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg index 174db2cc4..5252f0fd8 100644 --- a/apparmor.d/groups/children/child-dpkg +++ b/apparmor.d/groups/children/child-dpkg @@ -16,6 +16,7 @@ include profile child-dpkg { include include + include capability dac_read_search, capability setgid, 
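Review bot: The child header changes to `profile fusermount flags=(complain) {`, which puts the helper that holds `capability sys_admin` and performs the mount into complain mode, yet the commit title only mentions the unix socket rule; it matches the parent `sshfs` profile's flag so it is probably deliberate, but it should be named in the message or split out. On the socket rules, both sides are given `connect` — if sshfs and fusermount talk over a socketpair handed across the `rCx -> fusermount` transition, `send, receive` is all either side performs and `connect` can be dropped; keep it only if a connect denial was logged. The sshfs profile header is outside the hunk.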
@@ -26,11 +27,22 @@ profile child-dpkg { # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. /{usr/,}bin/dpkg-query rpx, + /{usr/,}bin/dpkg-deb rPx, + /{usr/,}bin/dpkg-split rPx, /etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg r, + /usr/share/doc/perl-modules-*/{,**/}*.dpkg-{new,tmp} rwl, + /usr/share/perl/*/{,**/}*.dpkg-{new,tmp} rwl, + /var/lib/dpkg/** r, + /var/lib/dpkg/lock rw, + /var/lib/dpkg/tmp.ci/control rw, + /var/lib/dpkg/tmp.ci/md5sums rw, + /var/lib/dpkg/triggers/Lock rw, + /var/lib/dpkg/updates/* rw, + /var/log/dpkg.log ra, # file_inherit /tmp/#[0-9]*[0-9] rw, From d0553ff4f74c8cbd1df38b76a9749206728be370 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 7 Jun 2023 22:45:06 +0200 Subject: [PATCH 12/14] Add apt-overlay Signed-off-by: Jeroen Rijken --- apparmor.d/groups/apt/apt-overlay | 33 +++++++++++++++++++++++++ apparmor.d/groups/apt/apt-systemd-daily | 1 + 2 files changed, 34 insertions(+) create mode 100644 apparmor.d/groups/apt/apt-overlay diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay new file mode 100644 index 000000000..8dbdcf885 --- /dev/null +++ b/apparmor.d/groups/apt/apt-overlay @@ -0,0 +1,33 @@ +# apparmor.d - Full set of apparmor profiles +# Copyright (C) 2019-2021 Mikhail Morfikov +# SPDX-License-Identifier: GPL-2.0-only + +abi , + +include + +@{exec_path} = /{usr/,}bin/apt-overlay +profile apt-overlay @{exec_path} { + include + include + + @{exec_path} mr, + /{usr/,}bin/apt-get rPx, + /{usr/,}bin/ruby* mrix, + + /{usr/,}sbin/apt-overlay r, + + /{usr/,}lib/ruby/{,**} r, + /{usr/,}lib/locale/locale-archive r, + /{usr/,}lib/ruby/gems/3.0.0/specifications/default/*.gemspec rwk, + + /usr/share/rubygems-integration/{,**} r, + + / r, + /root/ r + + owner @{PROC}/@{pids}/loginuid r, + owner @{PROC}/@{pids}/maps r, + + include if exists +} 
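Review bot: `/var/lib/dpkg/lock rw,` and `/var/lib/dpkg/triggers/Lock rw,` are files dpkg typically takes fcntl locks on; opening them needs `rw`, but taking the lock needs `k`, so if this child is meant to drive a real dpkg operation these should be `rwk`. More generally, the new write grants under `/var/lib/dpkg/updates/`, `tmp.ci/` and the `/usr/share/perl/**/*.dpkg-{new,tmp}` paths are what dpkg itself needs while unpacking a package; a comment naming which caller of child-dpkg performs those writes would help, because they turn a helper profile into one that can modify installed files. The profile body continues outside the hunk.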
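Review bot: `/{usr/,}lib/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,` gives a package-management helper write and lock access to the system Ruby gemspecs and pins the Ruby version in the path; reading gemspecs is all a Ruby script normally does at load time, so `/{usr/,}lib/ruby/gems/*/specifications/default/*.gemspec r,` is the safer form unless a write denial was actually seen. The same file has `/root/ r` without its trailing comma (fixed in patch 13 of this series, worth squashing), carries a `Copyright (C) 2019-2021 Mikhail Morfikov` header on a 2023 file by a different author, and declares `@{exec_path} = /{usr/,}bin/apt-overlay` while also granting `/{usr/,}sbin/apt-overlay r,` — presumably only one of those locations is real.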
diff --git a/apparmor.d/groups/apt/apt-systemd-daily b/apparmor.d/groups/apt/apt-systemd-daily index bbe124b42..0d7c99b5a 100644 --- a/apparmor.d/groups/apt/apt-systemd-daily +++ b/apparmor.d/groups/apt/apt-systemd-daily @@ -42,6 +42,7 @@ profile apt-systemd-daily @{exec_path} { /{usr/,}bin/apt-config rPx, /{usr/,}bin/apt-get rPx, + /{usr/,}bin/apt-overlay rPx, /{usr/,}bin/unattended-upgrade rPx, /etc/default/locale r, From 96c79417cc4bff93e4ff2a2e20a65d6919bca3a0 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Wed, 7 Jun 2023 22:45:48 +0200 Subject: [PATCH 13/14] Add vscodium & thunderbird Signed-off-by: Jeroen Rijken --- apparmor.d/abstractions/app-launcher-user | 10 +++++++++- apparmor.d/groups/apt/apt-overlay | 2 +- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/apparmor.d/abstractions/app-launcher-user b/apparmor.d/abstractions/app-launcher-user index 328b9d55d..4ea2be841 100644 --- a/apparmor.d/abstractions/app-launcher-user +++ b/apparmor.d/abstractions/app-launcher-user @@ -17,13 +17,21 @@ /opt/*/ r, /opt/*/[a-zA-Z0-9]* rPUx, + # Codium + /usr/share/codium/codium rPUx, + # Firefox /{usr/,}bin/firefox{,.sh,-esr,-bin} rPx, /{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin} rPx, + # Thunderbird + /{usr/,}bin/thunderbird{,.sh,-esr,-bin} rPx, + /{usr/,}lib{,32,64}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx, + /opt/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin} rPx, + # Brave - /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin} rPx, + /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin,-browser} rPx, # Chromium /{usr/,}lib/chromium/chromium rPx, diff --git a/apparmor.d/groups/apt/apt-overlay b/apparmor.d/groups/apt/apt-overlay index 8dbdcf885..da13d8996 100644 --- a/apparmor.d/groups/apt/apt-overlay +++ b/apparmor.d/groups/apt/apt-overlay 
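Review bot: `/usr/share/codium/codium rPUx,` lets the launcher run Codium unconfined whenever no `codium` profile exists, whereas the Firefox entries and the new Thunderbird entries use `rPx` and refuse to launch unprofiled. That is the abstraction's existing pattern for `/opt/*`, but it is a weaker default for a browser-grade application; if no Codium profile is planned yet, a comment such as `# no codium profile yet, falls back to unconfined` would make the choice visible. The Brave `-browser` addition raises nothing.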
@@ -24,7 +24,7 @@ profile apt-overlay @{exec_path} {
   /usr/share/rubygems-integration/{,**} r,
   / r,
-  /root/ r
+  /root/ r,
   owner @{PROC}/@{pids}/loginuid r,
   owner @{PROC}/@{pids}/maps r,
From d4d1b949cd4cd5242e43882087414dfa57824040 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 14 Jun 2023 22:31:00 +0100
Subject: [PATCH 14/14] fix: ensure mount has the disconnected flag. See #170
---
 dists/flags/main.flags | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 3be24a9b9..2fd360b81 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -207,7 +207,7 @@ mdevctl complain
 mke2fs complain
 ModemManager attach_disconnected,complain
 molly-guard complain
-mount complain
+mount attach_disconnected,complain
 nautilus complain
 needrestart attach_disconnected,complain
 needrestart-iucode-scan-versions complain