Merge branch 'main' into akonadi

README.md

@@ -62,6 +62,9 @@ bubblewrap, toolbox...).
 This is fundamentally different from how AppArmor is usually used on Linux servers
 as it is common to only confine the applications that face the internet and/or the users.
 
+**Presentation**
+
+- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))
 
 ## Installation
 

apparmor.d/abstractions/app-launcher-user

@@ -17,13 +17,21 @@
   /opt/*/                 r,
   /opt/*/[a-zA-Z0-9]*    rPUx,
 
+  # Codium
+  /usr/share/codium/codium rPUx,
+
   # Firefox
   /{usr/,}bin/firefox{,.sh,-esr,-bin}                                            rPx,
   /{usr/,}lib{,32,64}/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}            rPx,
   /opt/firefox{,.sh,-esr,-bin}/firefox{,.sh,-esr,-bin}                           rPx,
 
+  # Thunderbird
+  /{usr/,}bin/thunderbird{,.sh,-esr,-bin}                                        rPx,
+  /{usr/,}lib{,32,64}/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin}    rPx,
+  /opt/thunderbird{,.sh,-esr,-bin}/thunderbird{,.sh,-esr,-bin}                   rPx,
+
   # Brave
-  /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin}          rPx,
+  /opt/brave{-bin,.com}/brave{,-beta,-dev,-bin}/brave{,-beta,-dev,-bin,-browser} rPx,
 
   # Chromium
   /{usr/,}lib/chromium/chromium                                                  rPx,

apparmor.d/abstractions/chromium

@@ -29,6 +29,7 @@
   include <abstractions/user-download-strict>
   include <abstractions/user-read>
   include <abstractions/vulkan>
+  include <abstractions/wayland>
 
   capability setgid,
   capability setuid,
@@ -132,8 +133,6 @@
   # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
   # owner @{HOME}/.mozilla/firefox/*/logins.json r,
 
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
-
         /tmp/ r,
         /var/tmp/ r,
   owner /tmp/.@{chromium_domain}.* rw,

apparmor.d/groups/apt/apt-overlay

@@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019-2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/apt-overlay
+profile apt-overlay @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+  /{usr/,}bin/apt-get rPx,
+  /{usr/,}bin/ruby* mrix,
+
+  /{usr/,}sbin/apt-overlay r,
+
+  /{usr/,}lib/ruby/{,**} r,
+  /{usr/,}lib/locale/locale-archive r,
+  /{usr/,}lib/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,
+
+  /usr/share/rubygems-integration/{,**} r,
+
+  / r,
+  /root/ r,
+
+  owner @{PROC}/@{pids}/loginuid r,
+  owner @{PROC}/@{pids}/maps r,
+
+  include if exists <local/apt-overlay>
+}

apparmor.d/groups/apt/apt-systemd-daily

@@ -42,6 +42,7 @@ profile apt-systemd-daily @{exec_path} {
 
   /{usr/,}bin/apt-config         rPx,
   /{usr/,}bin/apt-get            rPx,
+  /{usr/,}bin/apt-overlay        rPx,
   /{usr/,}bin/unattended-upgrade rPx,
 
   /etc/default/locale    r,

apparmor.d/groups/bus/ibus-extension-gtk3

@@ -10,14 +10,15 @@ include <tunables/global>
 @{exec_path} += @{libexec}/ibus-extension-gtk3
 profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/dbus-session-strict>
   include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/gtk>
   include <abstractions/ibus>
   include <abstractions/nameservice-strict>
+  include <abstractions/wayland>
 
   signal (receive) set=term peer=ibus-daemon,
   
@@ -74,7 +75,6 @@ profile ibus-extension-gtk3 @{exec_path} flags=(attach_disconnected) {
 
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9] rw,
 
   /var/lib/gdm{3,}/.config/ibus/bus/*-unix{,-wayland}-[0-9]* r,
   /var/lib/gdm{3,}/.config/dconf/user r,

apparmor.d/groups/children/child-dpkg

@@ -16,6 +16,7 @@ include <tunables/global>
 profile child-dpkg {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
 
   capability dac_read_search,
   capability setgid,
@@ -26,11 +27,22 @@ profile child-dpkg {
   #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
   #  shared object file): ignored.
   /{usr/,}bin/dpkg-query rpx,
+  /{usr/,}bin/dpkg-deb rPx,
+  /{usr/,}bin/dpkg-split rPx,
 
   /etc/dpkg/dpkg.cfg.d/{,*} r,
   /etc/dpkg/dpkg.cfg r,
 
+  /usr/share/doc/perl-modules-*/{,**/}*.dpkg-{new,tmp} rwl,
+  /usr/share/perl/*/{,**/}*.dpkg-{new,tmp} rwl,
+
   /var/lib/dpkg/** r,
+  /var/lib/dpkg/lock rw,
+  /var/lib/dpkg/tmp.ci/control rw,
+  /var/lib/dpkg/tmp.ci/md5sums rw,
+  /var/lib/dpkg/triggers/Lock rw,
+  /var/lib/dpkg/updates/* rw,
+  /var/log/dpkg.log ra,
 
   # file_inherit
   /tmp/#[0-9]*[0-9] rw,

apparmor.d/groups/freedesktop/pulseaudio

@@ -37,16 +37,31 @@ profile pulseaudio @{exec_path} {
   network bluetooth stream,
   network bluetooth seqpacket,
 
-  dbus send bus=session path=/Client0/EntryGroup[0-9]*
+  dbus send bus=session path=/Client[0-9]*/EntryGroup[0-9]*
        interface=org.freedesktop.Avahi.EntryGroup
        member={GetState,AddService,AddServiceSubtype,Commit}
        peer=(name=org.freedesktop.Avahi),
 
-  dbus receive bus=system path=/Client0/EntryGroup[0-9]*
+  dbus receive bus=system path=/Client[0-9]*/EntryGroup[0-9]*
        interface=org.freedesktop.Avahi.EntryGroup
        member={AddService,AddServiceSubtype,Commit,GetState,StateChanged}
        peer=(name=org.freedesktop.Avahi),
 
+  dbus receive bus=system path=/Client[0-9]*/ServiceBrowser[0-9]*
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       member={ItemNew,ItemRemove}
+       peer=(name=org.freedesktop.Avahi), # no peer's label
+
+  dbus receive bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
+       interface=org.freedesktop.Avahi.ServiceResolver
+       member=Found
+       peer=(name=org.freedesktop.Avahi),
+
+  dbus send bus=system path=/Client[0-9]*/ServiceResolver[0-9]*
+       interface=org.freedesktop.Avahi.ServiceResolver
+       member=Free
+       peer=(name=org.freedesktop.Avahi),
+
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}

apparmor.d/groups/freedesktop/xdg-dbus-proxy

@@ -9,10 +9,41 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/xdg-dbus-proxy
 profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/dbus-strict>
   include <abstractions/dbus-session-strict>
 
   @{exec_path} mr,
 
+  dbus (send,receive) bus=system path=/
+       interface=org.freedesktop.DBus
+       member={AddMatch,GetNameOwner}
+       peer=(label=dbus-daemon),
+
+  dbus (send,receive) bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={AddMatch,RemoveMatch,NameHasOwner,GetNameOwner}
+       peer=(label=dbus-daemon),
+  
+  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=GetDevices
+       peer=(label=NetworkManager),
+  
+  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager{/Devices/[0-9]*,/ActiveConnection/[0-9]*}
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(label=NetworkManager),
+  
+  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings
+       interface=org.freedesktop.NetworkManager.Settings
+       member=ListConnections
+       peer=(label=NetworkManager),
+  
+  dbus (send,receive) bus=system path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+       interface=org.freedesktop.NetworkManager.Settings.Connection
+       member=GetSettings
+       peer=(label=NetworkManager),
+
   owner @{run}/firejail/dbus/[0-9]*/[0-9]*-{system,user} rw,
   owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
   owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -22,6 +22,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
   include <abstractions/mesa>
   include <abstractions/user-download>
   include <abstractions/vulkan>
+  include <abstractions/wayland>
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
@@ -124,8 +125,6 @@ profile xdg-desktop-portal-gnome @{exec_path} {
 
   owner @{user_share_dirs}/ r,
 
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
   @{run}/mount/utab r,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk

@@ -24,6 +24,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download>
   include <abstractions/user-write>
+  include <abstractions/wayland>
 
   unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/*", label=gnome-shell),
 
@@ -169,8 +170,6 @@ profile xdg-desktop-portal-gtk @{exec_path} {
         @{run}/user/@{uid}/xauth_* rl,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 
   owner @{PROC}/@{pid}/mountinfo r,
 

apparmor.d/groups/freedesktop/xdg-settings

@@ -43,8 +43,8 @@ profile xdg-settings @{exec_path} {
   /var/lib/snapd/desktop/applications/{,*} r,
 
   # freedesktop.org-strict
-  /usr/share/applications/{,*} r,
+  /usr/{,local/}share/applications/{,*} r,
-  /usr/share/ubuntu/applications/ r,
+  /usr/{,local/}share/ubuntu/applications/ r,
   owner @{user_share_dirs}/applications/ r,
   owner @{user_share_dirs}/applications/*.desktop r,
 

apparmor.d/groups/gnome/gjs-console

@@ -21,6 +21,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   include <abstractions/opencl-nvidia>
   include <abstractions/openssl>
   include <abstractions/vulkan>
+  include <abstractions/wayland>
 
   network netlink raw,
 
@@ -99,9 +100,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/gstreamer-1.0/ rw,
   owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
 
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/groups/gnome/gnome-calculator-search-provider

@@ -17,6 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} {
   include <abstractions/gtk>
   include <abstractions/mesa>
   include <abstractions/vulkan>
+  include <abstractions/wayland>
 
   signal (send) set=kill peer=unconfined,
 
@@ -28,7 +29,6 @@ profile gnome-calculator-search-provider @{exec_path} {
   /usr/share/icons/{,**} r,
   
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pids}/cmdline r,

apparmor.d/groups/gnome/gnome-characters-backgroudservice

@@ -9,8 +9,9 @@ include <tunables/global>
 @{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService
 profile gnome-characters-backgroudservice @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dconf-write>
   include <abstractions/dbus-session-strict>
+  include <abstractions/dconf-write>
+  include <abstractions/wayland>
 
   @{exec_path} mr,
 
@@ -24,8 +25,6 @@ profile gnome-characters-backgroudservice @{exec_path} {
 
   /etc/gtk-3.0/settings.ini r,
 
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,

apparmor.d/groups/gnome/gnome-control-center-print-renderer

@@ -9,8 +9,8 @@ include <tunables/global>
 @{exec_path} = @{libexec}/gnome-control-center-print-renderer
 profile gnome-control-center-print-renderer @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dbus-session-strict>
   include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
@@ -20,6 +20,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/opencl-nvidia>
   include <abstractions/vulkan>
+  include <abstractions/wayland>
 
   dbus send bus=session path=/org/a11y/bus
        interface=org.a11y.Bus
@@ -44,7 +45,6 @@ profile gnome-control-center-print-renderer @{exec_path} {
   owner @{user_share_dirs}/icons/{,**} r,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,

apparmor.d/groups/gnome/gnome-control-center-search-provider

@@ -18,6 +18,7 @@ profile gnome-control-center-search-provider @{exec_path} {
   include <abstractions/gtk>
   include <abstractions/mesa>
   include <abstractions/vulkan>
+  include <abstractions/wayland>
 
   @{exec_path} mr,
 
@@ -26,7 +27,6 @@ profile gnome-control-center-search-provider @{exec_path} {
   /var/cache/gio-[0-9]*.[0-9]*/gnome-mimeapps.list r,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   include if exists <local/gnome-control-center-search-provider>
 }

apparmor.d/groups/gnome/gnome-session-binary

@@ -9,17 +9,18 @@ include <tunables/global>
 @{exec_path} = @{libexec}/gnome-session-binary
 profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/dbus-accessibility-strict>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
-  include <abstractions/dbus-accessibility-strict>
   include <abstractions/dconf-write>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
   include <abstractions/mesa>
-  include <abstractions/vulkan>
   include <abstractions/nameservice-strict>
+  include <abstractions/vulkan>
+  include <abstractions/wayland>
   include <abstractions/X-strict>
 
   network inet stream,
@@ -230,7 +231,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
   owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
   owner @{run}/user/@{uid}/systemd/notify w,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   @{sys}/devices/**/{vendor,device} r,
 

apparmor.d/groups/gnome/gnome-shell

@@ -32,6 +32,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   include <abstractions/thumbnails-cache-read>
   include <abstractions/video>
   include <abstractions/vulkan>
+  include <abstractions/wayland>
   include <abstractions/X-strict>
 
   capability sys_nice,
@@ -589,7 +590,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
   owner @{run}/user/@{uid}/snap.snap*/wayland-cursor-shared-* rw,
   owner @{run}/user/@{uid}/systemd/notify rw,
-  owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
 
   owner /dev/shm/.org.chromium.Chromium.* rw,
   owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,

apparmor.d/groups/gnome/gnome-terminal-server

@@ -15,6 +15,7 @@ profile gnome-terminal-server @{exec_path} {
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
+  include <abstractions/wayland>
 
   signal (send) set=(term hup kill) peer=unconfined,
   ptrace (read) peer=unconfined,
@@ -47,8 +48,6 @@ profile gnome-terminal-server @{exec_path} {
   owner @{user_config_dirs}/*xdg-terminals.list* rw,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 
   owner /tmp/#[0-9]* rw,
 

apparmor.d/groups/gnome/gsd-color

@@ -17,6 +17,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
   include <abstractions/fonts>
   include <abstractions/gtk>
   include <abstractions/nameservice-strict>
+  include <abstractions/wayland>
 
   signal (receive) set=(term, hup) peer=gdm*,
 
@@ -134,8 +135,6 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/icc/edid-*.icc rw,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9] rw,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 
   owner /dev/tty[0-9]* rw,
 

apparmor.d/groups/gnome/gsd-keyboard

@@ -17,6 +17,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   include <abstractions/fonts>
   include <abstractions/gtk>
   include <abstractions/nameservice-strict>
+  include <abstractions/wayland>
 
   signal (receive) set=(term, hup) peer=gdm*,
 
@@ -108,8 +109,6 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9] rw,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 
   owner /dev/tty[0-9]* rw,
 

apparmor.d/groups/gnome/gsd-media-keys

@@ -19,6 +19,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
   include <abstractions/nameservice-strict>
+  include <abstractions/wayland>
 
   signal (receive) set=(term, hup) peer=gdm*,
 
@@ -183,8 +184,6 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 
         @{run}/systemd/inhibit/[0-9]*.ref rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 
   owner /dev/tty[0-9]* rw,
 

apparmor.d/groups/gnome/gsd-power

@@ -18,6 +18,7 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   include <abstractions/fonts>
   include <abstractions/gtk>
   include <abstractions/nameservice-strict>
+  include <abstractions/wayland>
 
   network netlink raw,
 
@@ -183,8 +184,6 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   /var/lib/gdm{3,}/greeter-dconf-defaults r,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9] rw,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 
   @{run}/udev/data/+backlight:* r,
   @{run}/udev/data/+leds:*backlight* r,

apparmor.d/groups/gnome/gsd-wacom

@@ -9,13 +9,14 @@ include <tunables/global>
 @{exec_path} = @{libexec}/gsd-wacom
 profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
-  include <abstractions/dbus-session-strict>
   include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/gtk>
+  include <abstractions/nameservice-strict>
+  include <abstractions/wayland>
 
   signal (receive) set=(term, hup) peer=gdm*,
 
@@ -107,8 +108,6 @@ profile gsd-wacom @{exec_path} flags=(attach_disconnected) {
   /usr/share/mime/mime.cache r,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9] rw,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 
   /var/lib/gdm{3,}/.config/dconf/user r,
   /var/lib/gdm{3,}/greeter-dconf-defaults r,

apparmor.d/groups/gnome/gsd-xsettings

@@ -20,6 +20,7 @@ profile gsd-xsettings @{exec_path} {
   include <abstractions/gtk>
   include <abstractions/nameservice-strict>
   include <abstractions/opencl>
+  include <abstractions/wayland>
 
   network inet stream,
   network inet6 stream,
@@ -143,8 +144,6 @@ profile gsd-xsettings @{exec_path} {
 
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
         @{run}/systemd/sessions/* r,
         @{run}/systemd/users/@{uid} r,
 

apparmor.d/groups/kde/kde-powerdevil

@@ -39,6 +39,11 @@ profile kde-powerdevil @{exec_path} flags=(attach_disconnected) {
   @{PROC}/sys/kernel/core_pattern r,
   @{PROC}/@{pid}/mounts r,
   
+  @{sys}/class/ r,
+  @{sys}/class/drm/ r,
+  @{sys}/bus/ r,
+  @{sys}/devices/pci[0-9]*/[0-9]*/drm/card[0-9]*/*/status r,
+
   /dev/tty rw,
   /dev/rfkill r,
 

apparmor.d/groups/kde/kded5

@@ -84,6 +84,8 @@ profile kded5 @{exec_path} {
   owner @{user_share_dirs}/kded5/{,**} r,
   owner @{user_share_dirs}/kscreen/{,**} rw,
   owner @{user_share_dirs}/ktp/cache.db rwk,
+  owner @{user_share_dirs}/kcookiejar/#@{hex}* rw,
+  owner @{user_share_dirs}/kcookiejar/cookies.* rwkl,
 
   owner @{run}/user/@{uid}/#[0-9]* rw,
   owner @{run}/user/@{uid}/kded5*kioworker.socket rwl,

apparmor.d/groups/kde/plasmashell

@@ -12,6 +12,7 @@ profile plasmashell @{exec_path} {
   include <abstractions/app-launcher-user>
   include <abstractions/audio>
   include <abstractions/consoles>
+  include <abstractions/dbus-session-strict>
   include <abstractions/disks-read>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
@@ -32,6 +33,11 @@ profile plasmashell @{exec_path} {
 
   signal (send),
 
+  dbus (send,receive) bus=system path=/org/freedesktop/UPower/devices/{,DisplayDevice,battery_BAT[0-9]*,mouse_hidpp_battery_[0-9]*}
+       interface=org.freedesktop.DBus.Properties
+       member={GetAll,PropertiesChanged}
+       peer=(label=upowerd),
+
   @{exec_path} mr,
 
   @{libexec}/libheif/            r,

apparmor.d/groups/network/mullvad-daemon

@@ -47,8 +47,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
 
   /var/cache/mullvad-vpn/{,*} rw,
   /var/log/mullvad-vpn/{,*} rw,
-  owner /var/log/private/mullvad-vpn/daemon.log rw,
+  owner /var/log/private/mullvad-vpn/*.log rw,
-  owner /var/log/private/mullvad-vpn/daemon.old.log w,
   
   @{run}/mullvad-vpn rw,
   @{run}/NetworkManager/resolv.conf r,
@@ -62,6 +61,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
   owner /tmp/talpid-openvpn-@{uuid} rw,
 
   owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
         @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
 
   /dev/net/tun rw,

apparmor.d/groups/pacman/pacman

@@ -57,6 +57,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/cat                         rix,
   /{usr/,}bin/chgrp                       rix,
   /{usr/,}bin/chmod                       rix,
+  /{usr/,}bin/cp                          rix,
   /{usr/,}bin/dot                         rix,
   /{usr/,}bin/env                         rix,
   /{usr/,}bin/filecap                     rix,
@@ -72,7 +73,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/ln                          rix,
   /{usr/,}bin/perl                        rix,
   /{usr/,}bin/pkill                       rix,
-  /{usr/,}bin/cp                          rix,
+  /{usr/,}bin/pwd                         rix,
   /{usr/,}bin/rm                          rix,
   /{usr/,}bin/sed                         rix,
   /{usr/,}bin/setcap                      rix,
@@ -88,6 +89,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/dconf                       rPx,
   /{usr/,}bin/fc-cache{,-32}              rPx,
   /{usr/,}bin/gdk-pixbuf-query-loaders    rPx,
+  /{usr/,}bin/gio-querymodules            rPx,
   /{usr/,}bin/glib-compile-schemas        rPx,
   /{usr/,}bin/groupadd                    rPx,
   /{usr/,}bin/gtk-query-immodules-{2,3}.0 rPx,
@@ -107,7 +109,10 @@ profile pacman @{exec_path} {
   /{usr/,}bin/update-mime-database        rPx,
   /{usr/,}lib/systemd/systemd-*           rPx,
   /{usr/,}lib/vlc/vlc-cache-gen           rPx,
+  /opt/Mullvad*/resources/mullvad-setup   rPx,
+  /usr/share/code-features/patch.sh       rPx,
   /usr/share/libalpm/scripts/*           rPUx,
+  /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,
 
   # Install/update packages
   / r,

apparmor.d/groups/pacman/pacman-hook-code

@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/share/code-features/patch.sh
+profile pacman-hook-code @{exec_path} {
+  include <abstractions/base>
+
+  capability dac_read_search,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,ba}sh     rix,
+  /{usr/,}bin/sed         rix,
+  /{usr/,}bin/grep        rix,
+
+  /{usr/,}lib/code/sed?????? rw,
+
+  include if exists <local/pacman-hook-code>
+}

apparmor.d/groups/ssh/ssh

@@ -40,10 +40,17 @@ profile ssh @{exec_path} {
   owner @{user_projects_dirs}/**/ssh/{,*} r,
   owner @{user_projects_dirs}/**/config r,
 
-  owner @{run}/user/@{uid}/keyring/ssh rw,
+  /etc/ssh/ssh_config r,
+  /etc/ssh/ssh_config.d/{,*} r,
+  # Needed to work for systemd-homed users
+  /etc/machine-id r,
+  @{run}/systemd/userdb/ r,
   
+  owner @{run}/user/@{uid}/keyring/ssh rw,
   owner @{PROC}/@{pid}/loginuid r,
   owner @{PROC}/@{pid}/fd/ r,
 
+  owner /tmp/ssh-*/{,agent.[0-9]*} rwkl,
+
   include if exists <local/ssh>
 }

apparmor.d/groups/ssh/ssh-agent

@@ -19,6 +19,7 @@ profile ssh-agent @{exec_path} {
 
   /{usr/,}bin/enlightenment_start  rPUx,
   /{usr/,}bin/gpg-agent             rPx,
+  /{usr/,}bin/im-launch            rPUx,
   /{usr/,}bin/kwalletaskpass       rPUx,
   /{usr/,}bin/openbox-session       rPx,
   /{usr/,}bin/startkde             rPUx,

apparmor.d/groups/ssh/sshfs

@@ -12,6 +12,8 @@ profile sshfs @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
+  unix (connect, send, receive) type=stream peer=(label="sshfs//fusermount",addr=none),
+
   /{usr/,}bin/ssh            rPx,
   /{usr/,}bin/fusermount{,3} rCx -> fusermount,
 
@@ -23,13 +25,15 @@ profile sshfs @{exec_path} flags=(complain) {
   @{PROC}/sys/fs/pipe-max-size r,
 
 
-  profile fusermount {
+  profile fusermount flags=(complain) {
     include <abstractions/base>
     include <abstractions/nameservice-strict>
 
     # To mount anything:
     capability sys_admin,
 
+    unix (connect, send, receive) type=stream peer=(label="sshfs",addr=none),
+
     /{usr/,}bin/fusermount{,3} mr,
 
     mount fstype={fuse,fuse.sshfs} -> @{HOME}/*/,

apparmor.d/groups/systemd/systemd-fsck

@@ -19,8 +19,9 @@ profile systemd-fsck @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}{s,}bin/fsck   rPx,
   /{usr/,}{s,}bin/e2fsck rPx,
+  /{usr/,}{s,}bin/fsck   rPx,
+  /{usr/,}{s,}bin/fsck.* rPx,
 
   owner @{run}/systemd/quotacheck w,
   owner @{run}/systemd/fsck.progress rw,

apparmor.d/groups/ubuntu/apport-gtk

@@ -18,6 +18,7 @@ profile apport-gtk @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/python>
   include <abstractions/ssl_certs>
+  include <abstractions/wayland>
 
   capability fowner,
   capability sys_ptrace,
@@ -76,7 +77,6 @@ profile apport-gtk @{exec_path} {
   /var/log/installer/media-info r,
 
         @{run}/snapd.socket rw,
-  owner @{run}/user/@{uid}/wayland-[0-9] rw,
   owner @{run}/user/.mutter-Xwaylandauth.* rw,
 
   /tmp/[a-z0-9]* rw,

apparmor.d/groups/ubuntu/check-new-release-gtk

@@ -18,6 +18,7 @@ profile check-new-release-gtk @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/python>
   include <abstractions/ssl_certs>
+  include <abstractions/wayland>
 
   network inet dgram,
   network inet6 dgram,
@@ -53,8 +54,6 @@ profile check-new-release-gtk @{exec_path} {
 
   owner @{user_cache_dirs}/update-manager-core/{,**} rw,
 
-  owner @{run}/user/@{uid}/wayland-[0-9] rw,
-
         @{PROC}/@{pids}/mountinfo r,
         @{PROC}/@{pids}/mounts r,
   owner @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/ubuntu/livepatch-notification

@@ -12,6 +12,7 @@ profile livepatch-notification @{exec_path} {
   include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
   include <abstractions/gtk>
+  include <abstractions/wayland>
 
   @{exec_path} mr,
 
@@ -21,7 +22,6 @@ profile livepatch-notification @{exec_path} {
 
   owner @{run}/user/@{uid}/at-spi/bus rw,
   owner @{run}/user/@{uid}/bus rw,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   @{run}/user/@{uid}/gdm/Xauthority r,
 

apparmor.d/groups/ubuntu/software-properties-gtk

@@ -17,6 +17,7 @@ profile software-properties-gtk @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/python>
+  include <abstractions/wayland>
 
   dbus (send,receive) bus=system path=/com/canonical/UbuntuAdvantage/{,**}
       interface=org.freedesktop.DBus.Introspectable
@@ -67,8 +68,6 @@ profile software-properties-gtk @{exec_path} {
   /var/lib/snapd/desktop/icons/ r,
   /var/lib/ubuntu-advantage/status.json r,
 
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-
   owner /tmp/[a-z0-9]* rw,
   owner /tmp/tmp*/{,apt.conf} rw,
 

apparmor.d/groups/ubuntu/ubuntu-advantage-notification

@@ -12,6 +12,7 @@ profile ubuntu-advantage-notification @{exec_path} {
   include <abstractions/dbus-session-strict>
   include <abstractions/dconf-write>
   include <abstractions/gtk>
+  include <abstractions/wayland>
 
   @{exec_path} mr,
 
@@ -19,7 +20,5 @@ profile ubuntu-advantage-notification @{exec_path} {
   /usr/share/icons/{,**} r,
   /usr/share/X11/xkb/{,**} r,
 
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-
   include if exists <local/ubuntu-advantage-notification>
 }

apparmor.d/groups/ubuntu/update-manager

@@ -21,6 +21,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/openssl>
   include <abstractions/python>
   include <abstractions/ssl_certs>
+  include <abstractions/wayland>
 
   network inet dgram,
   network inet6 dgram,
@@ -85,8 +86,6 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 
   owner @{user_cache_dirs}/update-manager-core/{,**} rw,
 
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-
   @{run}/systemd/inhibit/*.ref w,
 
   owner @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/ubuntu/update-notifier

@@ -19,6 +19,7 @@ profile update-notifier @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/python>
+  include <abstractions/wayland>
 
   dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
        interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
@@ -69,7 +70,6 @@ profile update-notifier @{exec_path} {
   owner @{run}/user/@{uid}/at-spi/bus rw,
   owner @{run}/user/@{uid}/bus rw,
   owner @{run}/user/@{uid}/update-notifier.pid rwk,
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   owner /tmp/#[0-9]* rw,
 

apparmor.d/groups/virt/containerd-shim-runc-v2

@@ -22,6 +22,8 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
   ptrace (read) peer=containerd,
   ptrace (read) peer=unconfined,
 
+  signal (send) set=kill peer=cri-containerd.apparmor.d,
+
   mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
   umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/@{hex}/rootfs/,
 

apparmor.d/groups/virt/k3s

@@ -28,12 +28,15 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
   ptrace peer=@{profile_name},
   ptrace (read) peer={cni-calico-node,cri-containerd.apparmor.d,cni-xtables-nft,ip,kmod,kubernetes-pause,mount,unconfined},
 
-  # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes
+  # k3s requires ptrace to all AppArmor profiles loaded in Kubernetes.
   # For simplification, let's assume for now all AppArmor profiles start with a predefined prefix.
   ptrace (read) peer=container-*,
   ptrace (read) peer=docker-*,
   ptrace (read) peer=k3s-*,
   ptrace (read) peer=kubernetes-*,
+  # When using ZFS as storage provider instead of the default overlay2.
+  ptrace (read) peer=zfs,
+  ptrace (read) peer=zpool,
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-a-f/blueman

@@ -20,6 +20,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
   include <abstractions/python>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download-strict>
+  include <abstractions/wayland>
 
   network inet stream,
   network inet6 stream,
@@ -58,7 +59,6 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/obexd/* rw,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,

apparmor.d/profiles-a-f/file-roller

@@ -14,6 +14,7 @@ profile file-roller @{exec_path} {
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/user-write>
+  include <abstractions/wayland>
 
   @{exec_path} mr,
 
@@ -35,7 +36,5 @@ profile file-roller @{exec_path} {
 
   /etc/gtk-3.0/settings.ini r,
 
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
-
   include if exists <local/file-roller>
 }

apparmor.d/profiles-a-f/fwupd

@@ -13,6 +13,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/dbus-strict>
   include <abstractions/disks-read>
+  include <abstractions/fonts>
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
 
@@ -38,7 +39,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.DBus.Properties
-       member={Changed,GetAll},
+       member={Changed,GetAll}
+       peer=(label=polkitd),
 
   dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
        interface=org.freedesktop.DBus.Properties
@@ -52,9 +54,24 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
        interface=org.freedesktop.DBus.Properties
        member=GetAll,
 
+  dbus send bus=system path=/
+       interface=org.freedesktop.fwupd
+       member=Changed
+       peer=(label=fwupdmgr),
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus
+       member=Changed
+       peer=(label=fwupdmgr),
+
   dbus receive bus=system path=/
        interface=org.freedesktop.fwupd,
 
+  dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
+       interface=org.freedesktop.DBus.Properties
+       member={Changed,GetAll}
+       peer=(label=polkitd),
+
   dbus receive bus=system path=/
        interface=org.freedesktop.DBus.Properties
        member={GetAll,SetHints,GetPlugins,GetRemotes}

apparmor.d/profiles-a-f/fwupdmgr

@@ -63,6 +63,8 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
   owner @{user_cache_dirs}/fwupd/ rw,
   owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz{,.*} rw,
 
+  owner @{run}/systemd/.cache/ rw,
+
   owner @{PROC}/@{pid}/fd/ r,
 
   /dev/tty rw,

apparmor.d/profiles-g-l/htop

@@ -25,6 +25,8 @@ profile htop @{exec_path} {
 
   @{exec_path} mr,
 
+  /{usr/,}bin/lsof   rix,
+
   /usr/share/terminfo/x/xterm-256color r,
 
   /etc/sensors.d/ r,

apparmor.d/profiles-g-l/labwc

@@ -9,17 +9,17 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/labwc
 profile labwc @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/wayland>
-  include <abstractions/vulkan>
   include <abstractions/consoles>
-  include <abstractions/fonts>
+  include <abstractions/devices-usb>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/freedesktop.org>
-  include <abstractions/nameservice-strict>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
   include <abstractions/mesa>
-  include <abstractions/devices-usb>
+  include <abstractions/nameservice-strict>
+  include <abstractions/vulkan>
+  include <abstractions/wayland>
 
   network netlink raw,
 
@@ -30,16 +30,14 @@ profile labwc @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/*  rPUx,
   @{libexec}/* rPUx,
 
-  owner @{user_config_dirs}/labwc/ r,
-  owner @{user_config_dirs}/labwc/* r,
-
   /usr/share/libinput/ r,
   /usr/share/libinput/*.quirks r,
-
   /usr/share/themes/**/themerc r,
-
   /usr/share/X11/xkb/** r,
 
+  owner @{user_config_dirs}/labwc/ r,
+  owner @{user_config_dirs}/labwc/* r,
+
   owner /dev/shm/wayland.mozilla.ipc.[0-9]* rw,
 
   @{sys}/class/drm/ r,

apparmor.d/profiles-m-r/mount

@@ -9,7 +9,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}{s,}bin/mount
-profile mount @{exec_path} {
+profile mount @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/disks-write>

apparmor.d/profiles-s-z/sysctl

@@ -2,6 +2,8 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# TODO: Rethink this profile. Should not be called by another profile.
+
 abi <abi/3.0>,
 
 include <tunables/global>

apparmor.d/profiles-s-z/system-config-printer

@@ -21,6 +21,7 @@ profile system-config-printer @{exec_path} flags=(complain) {
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
   include <abstractions/python>
+  include <abstractions/wayland>
 
   network inet stream,
   network inet6 stream,
@@ -59,7 +60,6 @@ profile system-config-printer @{exec_path} flags=(complain) {
   owner @{HOME}/.cups/ rw,
   owner @{HOME}/.cups/lpoptions rw,
 
-  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
   owner @{run}/user/@{uid}/gvfsd/socket-* rw,
         @{run}/cups/cups.sock rw,
 

apparmor.d/profiles-s-z/thermald

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}sbin/thermald
-profile thermald @{exec_path} {
+profile thermald @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
 
@@ -39,16 +39,25 @@ profile thermald @{exec_path} {
 
   @{sys}/class/hwmon/ r,
   @{sys}/class/thermal/ r,
-  @{sys}/devices/platform/ r,
+  @{sys}/devices/platform/{,*} r,
+  @{sys}/devices/platform/**/path r,
+  @{sys}/devices/platform/**/available_uuids r,
+  @{sys}/devices/platform/**/current_uuid rw,
 
   @{sys}/devices/system/cpu/present r,
-  @{sys}/devices/system/cpu/intel_pstate/max_perf_pct r,
+  @{sys}/devices/system/cpu/intel_pstate/max_perf_pct rw,
+  @{sys}/devices/system/cpu/intel_pstate/no_turbo rw,
   @{sys}/devices/system/cpu/intel_pstate/status r,
 
   @{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r,
+  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_max_uw r,
+  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_min_uw r,
+  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmax_us r,
+  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmin_us r,
 
   @{sys}/devices/**/hwmon[0-9]*/name r,
   @{sys}/devices/**/hwmon[0-9]*/temp[0-9]*_{max,crit} r,
+  @{sys}/devices/**/path r,
 
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/product_uuid r,
@@ -56,8 +65,11 @@ profile thermald @{exec_path} {
   @{sys}/devices/virtual/thermal/**/{type,temp} r,
 
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
+  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/mode rw,
+  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/policy rw,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
+  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_hyst r,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/cdev[0-9]*_trip_point r,
 
   @{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r,
@@ -66,11 +78,16 @@ profile thermald @{exec_path} {
 
   @{sys}/devices/virtual/powercap/intel-rapl/ r,
   @{sys}/devices/virtual/powercap/intel-rapl/**/name r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/{,*} r,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/ r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_time_window_us w,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/* r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/constraint_*_power_limit_uw w,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_time_window_us w,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/enabled w,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_power_limit_uw w,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/enabled w,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
+
+  /dev/acpi_thermal_rel rw,
+  /dev/input/ r,
+  /dev/input/event[0-9]* r,
 
   include if exists <local/thermald>
 }

apparmor.d/profiles-s-z/udisksd

@@ -54,6 +54,14 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   umount @{run}/udisks2/temp-mount-*/,
   umount /media/cdrom[0-9]/,
 
+  dbus (send,receive) bus=system path=/
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect,
+
+  dbus (send,receive) bus=system path=/
+       interface=org.freedesktop.DBus.Properties
+       member=Get,
+
   dbus (send,receive) bus=system path=/org/freedesktop/UDisks2{,/**}
        interface=org.freedesktop.{DBus*,UDisks2*},
 

apparmor.d/profiles-s-z/uname

@@ -13,10 +13,9 @@ profile uname @{exec_path} {
 
   @{exec_path} mr,
 
-  owner /tmp/mktexlsr.* rw,
-
   # file_inherit
   owner @{HOME}/.xsession-errors w,
+  owner /tmp/mktexlsr.* rw,
 
   deny @{user_share_dirs}/gvfs-metadata/* r,
 

apparmor.d/profiles-s-z/userdel

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -12,21 +13,13 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
-  # The userdel command is issued as root and its task is to delete regular user accounts. It
-  # optionally can remove user files (via --remove). Because of that, the userdel command needs the
-  # following CAPs to be able to do so.
-  capability dac_read_search,
-  capability dac_override,
-
-  # To write records to the kernel auditing log.
   capability audit_write,
-
-  # To set the right permission to the files in the /etc/ dir).
   capability chown,
+  capability dac_override,
+  capability dac_read_search,
   capability fsetid,
-
-  # To prevent removing a user when it's used by some process.
   capability sys_ptrace,
+
   ptrace (read),
 
   network netlink raw,
@@ -35,9 +28,6 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
 
   /etc/login.defs r,
 
-  @{PROC}/ r,
-  @{PROC}/@{pids}/task/ r,
-
   /etc/{passwd,shadow,gshadow,group,subuid,subgid} rw,
   /etc/{passwd,shadow,gshadow,group,subuid,subgid}.@{pid} w,
   /etc/{passwd,shadow,gshadow,group,subuid,subgid}- w,
@@ -60,5 +50,8 @@ profile userdel @{exec_path} flags=(attach_disconnected) {
   /var/lib/        r,
   /var/lib/*/{,**} rw,
 
+  @{PROC}/ r,
+  @{PROC}/@{pids}/task/ r,
+
   include if exists <local/userdel>
 }

apparmor.d/profiles-s-z/virt-manager

@@ -28,6 +28,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/thumbnails-cache-read>
   include <abstractions/user-download-strict>
   include <abstractions/vulkan>
+  include <abstractions/wayland>
 
   network inet stream,
   network inet6 stream,
@@ -86,7 +87,6 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 
   owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
   owner @{run}/user/@{uid}/libvirt/virtqemud.lock rwk,
-  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
 
   @{run}/mount/utab r,
   @{run}/udev/data/c3[0-9]*:[0-9]* r,  # For dynamic assignment range 384 to 511

dists/flags/main.flags

@@ -207,7 +207,7 @@ mdevctl complain
 mke2fs complain
 ModemManager attach_disconnected,complain
 molly-guard complain
-mount complain
+mount attach_disconnected,complain
 nautilus complain
 needrestart attach_disconnected,complain
 needrestart-iucode-scan-versions complain

docs/index.md

@@ -36,3 +36,7 @@ See the [Concepts](concepts) page for more detail on the architecture.
 - Support all major desktop environments:
     * Currently only :material-gnome: Gnome
 - Fully tested (Work in progress)
+
+**Presentation**
+
+- [Building the largest working set of AppArmor profiles](https://www.youtube.com/watch?v=OzyalrOzxE8) *[Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/)* ([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin))