feat(profile): general update.

apparmor.d/groups/gnome/epiphany-search-provider

@@ -36,6 +36,7 @@ profile epiphany-search-provider @{exec_path} {
   owner /tmp/Serialized* rw,
 
   @{sys}/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/firmware/acpi/pm_profile r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.Epiphany.SearchProvider.slice/*/memory.* r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
 
@@ -46,6 +47,8 @@ profile epiphany-search-provider @{exec_path} {
         @{PROC}/zoneinfo r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/smaps r,
+  owner @{PROC}/@{pid}/statm r,
 
   deny @{user_share_dirs}/gvfs-metadata/* r,
 

apparmor.d/groups/gnome/gio-launch-desktop

@@ -16,6 +16,7 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/deny-sensitive-home>
   include <abstractions/gnome-strict>
+  include <abstractions/nameservice-strict>
   include <abstractions/trash>
 
   @{exec_path} mr,
@@ -25,6 +26,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/{,**} rw,
 
+  owner /tmp/wl-copy-buffer-@{rand6}/stdin r,
+
   @{run}/mount/utab r,
 
   owner @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/gnome/gnome-characters

@@ -18,7 +18,7 @@ profile gnome-characters @{exec_path} {
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
 
-  dbus bind bus=session name=org.gnome.Characters,
+  # dbus: own bus=session name=org.gnome.Characters
   dbus receive bus=session path=/org/gnome/Characters/SearchProvider
        interface=org.gnome.Shell.SearchProvider2
        peer=(name=:*, label=gnome-shell),

apparmor.d/groups/gnome/gnome-music

@@ -30,7 +30,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
   @{bin}/ r,
   @{bin}/env r,
   @{bin}/python3.@{int} rix,
-  @{lib}/python3.@{int}/site-packages//gnomemusic/__pycache__/{,**} rw,
+  @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw,
 
   /usr/share/grilo-plugins/grl-lua-factory/{,*} r,
   /usr/share/org.gnome.Music/{,**} r,
@@ -45,8 +45,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/grilo-plugins/ rwk,
   owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
 
-        @{run}/systemd/inhibit/[0-9]*.ref rw,
-  owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
+  @{run}/systemd/inhibit/[0-9]*.ref rw,
 
   owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
   owner /var/tmp/etilqs_@{hex} rw,

apparmor.d/groups/gnome/gnome-shell

@@ -288,6 +288,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{user_music_dirs}/**.{png,jpg,svg} r,
 
   owner @{user_config_dirs}/.goutputstream{,-@{rand6}} rw,
+  owner @{user_config_dirs}/background r,
   owner @{user_config_dirs}/ibus/ w,
   owner @{user_config_dirs}/monitors.xml{,~} rwl,
   owner @{user_config_dirs}/pulse/ rw,

apparmor.d/groups/gnome/gnome-software

@@ -91,8 +91,8 @@ profile gnome-software @{exec_path} {
   owner /tmp/#@{int} rw,
 
   owner @{run}/user/@{uid}/.dbus-proxy/ rw,
-  owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-[0-9A-Z]* rw,
-  owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/.dbus-proxy/a11y-bus-proxy-@{rand6} rw,
+  owner @{run}/user/@{uid}/.dbus-proxy/session-bus-proxy-@{rand6} rw,
   owner @{run}/user/@{uid}/.flatpak-cache rw,
   owner @{run}/user/@{uid}/.flatpak/{,**} rw,
   owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,

apparmor.d/groups/kde/konsole

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Jeroen Rijken
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,9 +14,8 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
   include <abstractions/consoles>
-  include <abstractions/dri>
+  include <abstractions/graphics>
   include <abstractions/kde-strict>
-  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
 
   ptrace (read),
@@ -25,10 +25,13 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
   @{exec_path}                          mr,
   @{bin}/@{shells}                      rUx,
   @{browsers_path}                      rPx,
-  @{lib}/@{multiarch}/utempter/utempter rPUx,
+
+  @{lib}/{,@{multiarch}/}utempter/utempter  rPx,
 
   /usr/share/color-schemes/{,**} r,
+  /usr/share/knotifications5/plasma_workspace.notifyrc r,
   /usr/share/konsole/{,**} r,
+  /usr/share/sounds/** r,
 
   /etc/xdg/konsolerc r,
   /etc/xdg/ui/ui_standards.rc r,
@@ -36,31 +39,25 @@ profile konsole @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/@{XDG_SSH_DIR}/config r,
 
   owner @{user_config_dirs}/#@{int} rwl,
-  owner @{user_config_dirs}/konsolerc{,**} rw,
+  owner @{user_config_dirs}/konsolerc rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/konsolerc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
-  owner @{user_config_dirs}/konsolerc.lock rwlk,
-  owner @{user_config_dirs}/konsolesshconfig rw,
+  owner @{user_config_dirs}/konsolerc.lock rwk,
+  owner @{user_config_dirs}/konsolesshconfig rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/konsolesshconfig.@{rand6} rwl -> @{user_config_dirs}/#@{int},
   owner @{user_config_dirs}/konsolesshconfig.lock rwk,
-  owner @{user_config_dirs}/konsolerc.@{rand6} rwl -> @{user_config_dirs}/#@{int},
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
   owner @{user_share_dirs}/konsole/{,**} rw,
 
-  # Required including abstractions/audio for sending notifications
-  /usr/share/knotifications5/plasma_workspace.notifyrc r,
-  /usr/share/sounds/** r,
-
   owner /tmp/#@{int} rw,
   owner /tmp/konsole.@{rand6} rw,
 
-  @{sys}/devices/system/node/ r,
-  @{sys}/devices/system/node/node@{int}/meminfo r,
-
+        @{PROC}/sys/kernel/core_pattern r,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/stat r,
-  @{PROC}/sys/kernel/core_pattern r,
+
+  /dev/ptmx rw,
 
   include if exists <local/konsole>
 }

apparmor.d/groups/kde/utempter

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{lib}/utempter/utempter
+@{exec_path} = @{lib}/{,@{multiarch}/}utempter/utempter
 profile utempter @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/network/netplan.script

@@ -23,11 +23,11 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
   /etc/netplan/{,*} r,
 
   @{run}/NetworkManager/conf.d/10-globally-managed-devices.conf{,.@{rand6}} rw,
-  @{run}/NetworkManager/system-connections/ r,
+  @{run}/NetworkManager/system-connections/ rw,
   @{run}/NetworkManager/system-connections/netplan-*.nmconnection{,.@{rand6}} rw,
   @{run}/systemd/system/ r,
   @{run}/systemd/system/netplan-* rw,
-  @{run}/systemd/system/systemd-networkd.service.wants/ r,
+  @{run}/systemd/system/systemd-networkd.service.wants/ rw,
   @{run}/systemd/system/systemd-networkd.service.wants/netplan-*.service rw,
   @{run}/udev/rules.d/ r,
   @{run}/udev/rules.d/90-netplan.rules{,.@{rand6}} rw,

apparmor.d/groups/pacman/pacman-hook-mkinitcpio

@@ -28,6 +28,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   @{bin}/sed        rix,
   @{bin}/sort       rix,
   @{bin}/stat       rix,
+  @{bin}/pacman     rCx -> pacman,
 
   /usr/share/mkinitcpio/*.preset r,
 
@@ -47,5 +48,26 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   deny network inet6 stream,
   deny network inet stream,
 
+  profile pacman {
+    include <abstractions/base>
+    include <abstractions/openssl>
+
+    capability dac_read_search,
+
+    @{bin}/pacman mr,
+  
+    @{bin}/gpg rix,
+    @{bin}/gpgconf rix,
+    @{bin}/gpgsm rix,
+  
+    /etc/pacman.conf r,
+    /etc/pacman.d/{,**} r,
+    /etc/pacman.d/gnupg/** rwkl,
+
+    /var/lib/pacman/local/{,**} r,
+
+    include if exists <local/pacman-hook-mkinitcpio_pacman>
+  }
+
   include if exists <local/pacman-hook-mkinitcpio>
 }

apparmor.d/groups/systemd/busctl

@@ -22,6 +22,8 @@ profile busctl @{exec_path} {
 
   unix (bind) type=stream addr=@@{hex}/bus/busctl/busctl,
 
+  signal (send) set=(cont) peer=child-pager,
+
   dbus eavesdrop bus=session,
   dbus eavesdrop bus=system,
 
@@ -36,12 +38,12 @@ profile busctl @{exec_path} {
   @{bin}/more  rPx -> child-pager,
   @{bin}/pager rPx -> child-pager,
 
-  owner @{PROC}/@{pid}/cgroup r,
+        @{PROC}/@{pid}/cgroup r,
+        @{PROC}/@{pid}/comm r,
+        @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/cmdline r,
-  owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/loginuid r,
   owner @{PROC}/@{pid}/sessionid r,
-  owner @{PROC}/@{pid}/stat r,
 
   include if exists <local/busctl>
 }

apparmor.d/groups/systemd/systemd-generator-ds-identify

@@ -22,10 +22,19 @@ profile systemd-generator-ds-identify @{exec_path} flags=(attach_disconnected) {
   @{bin}/tr                      rix,
   @{bin}/uname                   rix,
 
+  /etc/cloud/{,**} r,
+
   @{run}/cloud-init/{,.}ds-identify.* rw,
 
+  @{sys}/devices/virtual/dmi/id/chassis_asset_tag r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_serial r,
+  @{sys}/devices/virtual/dmi/id/product_uuid r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+
   @{PROC}/cmdline r,
   @{PROC}/uptime r,
+  @{PROC}/@{pid}/environ r,
 
   include if exists <local/systemd-generator-ds-identify>
 }

apparmor.d/groups/systemd/systemd-hwdb

@@ -16,7 +16,7 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{exec_path} mr,
 
   @{lib}/udev/#@{int} rwl,
-  @{lib}/udev/.#hwdb.bin[0-9a-zA-Z]* wl -> @{lib}/udev/#@{int},
+  @{lib}/udev/.#hwdb.bin@{hex} wl -> @{lib}/udev/#@{int},
   @{lib}/udev/hwdb.bin w,
 
   /etc/udev/.#hwdb.bind* rw,

apparmor.d/groups/systemd/systemd-machined

@@ -37,5 +37,10 @@ profile systemd-machined @{exec_path} {
   @{run}/systemd/userdb/io.systemd.Machine rw,
   @{run}/systemd/notify w,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/cpu r,
+  @{PROC}/pressure/io r,
+  @{PROC}/pressure/memory r,
+
   include if exists <local/systemd-machined>
 }

apparmor.d/groups/systemd/systemd-sysusers

@@ -33,17 +33,16 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   /etc/{passwd,shadow} rw,
   /etc/{passwd,shadow}- rw,
   /etc/{passwd,shadow}+ rw,
-  /etc/.#{passwd,shadow}[0-9a-zA-Z]* rw,
+  /etc/.#{passwd,shadow}@{hex} rw,
   /etc/{group,gshadow} rw,
   /etc/{group,gshadow}- rw,
   /etc/{group,gshadow}+ rw,
-  /etc/.#{group,gshadow}[0-9a-zA-Z]* rw,
+  /etc/.#{group,gshadow}@{hex} rw,
   /etc/.pwd.lock rwk,
 
         /dev/tty@{int} rw,
   owner /dev/pts/@{int} rw,
 
-
   # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,

apparmor.d/groups/systemd/systemd-update-done

@@ -16,9 +16,9 @@ profile systemd-update-done @{exec_path} {
 
   @{exec_path} mr,
 
-  /etc/.#.updated[0-9a-zA-Z]* rw,
+  /etc/.#.updated@{hex} rw,
   /etc/.updated w,
-  /var/.#.updated[0-9a-zA-Z]* rw,
+  /var/.#.updated@{hex} rw,
   /var/.updated w,
 
   @{run}/host/container-manager r,

apparmor.d/groups/systemd/zram-generator

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/system-generators/zram-generator
-profile zram-generator @{exec_path} {
+profile zram-generator @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/systemd-common>
 

apparmor.d/groups/ubuntu/apport

@@ -16,6 +16,7 @@ profile apport @{exec_path} flags=(attach_disconnected) {
   include <abstractions/openssl>
   include <abstractions/python>
 
+  capability chown,
   capability dac_read_search,
   capability fsetid,
   capability setgid,

apparmor.d/groups/ubuntu/check-new-release-gtk

@@ -32,6 +32,9 @@ profile check-new-release-gtk @{exec_path} {
   @{bin}/ischroot     rix,
   @{bin}/lsb_release  rPx -> lsb_release,
 
+  @{lib}/python3/dist-packages/UpdateManager/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
+  @{lib}/python3/dist-packages/gi/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
+
   /usr/share/distro-info/{,**} r,
   /usr/share/ubuntu-release-upgrader/{,**} r,
   /usr/share/update-manager/{,**} r,

apparmor.d/groups/virt/cockpit-certificate-ensure

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/cockpit/cockpit-certificate-ensure
-profile cockpit-certificate-ensure @{exec_path} {
+profile cockpit-certificate-ensure @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   capability dac_override,

apparmor.d/groups/virt/cockpit-tls

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/cockpit/cockpit-tls
-profile cockpit-tls @{exec_path} {
+profile cockpit-tls @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   network inet stream,

apparmor.d/groups/virt/cockpit-update-motd

@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/share/cockpit/motd/update-motd
+profile cockpit-update-motd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  @{sh_path}        rix,
+  @{bin}/hostname   rix,
+  @{bin}/ip         rPx,
+  @{bin}/sed        rix,
+  @{bin}/systemctl  rCx -> systemctl,
+
+  @{run}/cockpit/active.motd rw,
+
+  owner /dev/tty rw,
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+  
+    capability net_admin,
+    capability sys_ptrace,
+
+    @{PROC}/sys/kernel/cap_last_cap r,
+
+    include if exists <local/cockpit-update-motd_systemctl>
+  }
+
+  include if exists <local/cockpit-update-motd>
+}