Merge branch 'master' into thunderbird2

2022-08-12 14:35:53 +00:00 · 2022-08-12 14:35:53 +00:00 · db8e881c06
commit db8e881c06
parent 00a1e70720 2878fa6a2e
467 changed files with 6300 additions and 2372 deletions
--- a/apparmor.d/abstractions/X-strict
+++ b/apparmor.d/abstractions/X-strict
@ -0,0 +1,33 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  # The unix socket to use to connect to the display
+  unix (connect, receive, send)
+       type=stream
+       peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
+  unix (connect, receive, send)
+       type=stream
+       peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
+  unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",
+  unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
+  /tmp/.X11-unix/* rw,
+  /tmp/.ICE-unix/* rw,
+
+  # Available Xsessions
+  /usr/share/xsessions/{,*.desktop} r,
+
+  # ICEauthority files required for X authentication, per user
+  owner @{HOME}/.ICEauthority r,
+  owner @{run}/user/@{uid}/ICEauthority r,
+
+  # Xauthority files required for X connections, per user
+  owner @{HOME}/.Xauthority r,
+  owner @{run}/user/@{uid}/gdm{[1-9],}/Xauthority r,
+  owner @{run}/user/@{uid}/X11/Xauthority r,
+  owner @{run}/user/@{uid}/xauth_* r,
+
+  # Xwayland
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+
+  include if exists <abstractions/X-strict.d>
--- a/apparmor.d/abstractions/X.d/complete
+++ b/apparmor.d/abstractions/X.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  # Available Xsessions
--- a/apparmor.d/abstractions/app-launcher-root
+++ b/apparmor.d/abstractions/app-launcher-root
@ -1,13 +1,16 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,

  # Root app location
-  / r,
-  /usr/ r,
-  /{usr/,}{s,}bin/ r,
-  /{usr/,}{s,}bin/[a-z0-9]* rPUx,
+  /                                r,
+  /usr/                            r,
+  /{usr/,}{s,}bin/                 r,
+  /{usr/,}{s,}bin/[a-z0-9]*        rPUx,
+  /usr/local/{s,}bin/              r,
+  /usr/local/{s,}bin/[a-zA-Z0-9]*  rPUx,

  include if exists <abstractions/app-launcher-root.d>
--- a/apparmor.d/abstractions/app-launcher-user
+++ b/apparmor.d/abstractions/app-launcher-user
@ -1,14 +1,17 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,

  # User app location
-  /                     r,
-  /usr/                 r,
-  /{usr/,}bin/          r,
-  /{usr/,}bin/[a-zA-Z0-9]* rPUx,
+  /                            r,
+  /usr/                        r,
+  /{usr/,}bin/                 r,
+  /{usr/,}bin/[a-zA-Z0-9]*     rPUx,
+  /usr/local/bin/              r,
+  /usr/local/bin/[a-zA-Z0-9]*  rPUx,

  # Firefox
  /{usr/,}lib/                 r,
--- a/apparmor.d/abstractions/audio.d/complete
+++ b/apparmor.d/abstractions/audio.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  /usr/share/sounds/ r,
--- a/apparmor.d/abstractions/base.d/complete
+++ b/apparmor.d/abstractions/base.d/complete
@ -1,20 +1,21 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  /etc/writable/localtime        r,
  /usr/share/locale/             r,

  # Allow to receive some signals
-  signal (receive)                           peer=top,
  signal (receive)                           peer=htop,
+  signal (receive)                           peer=sudo,
+  signal (receive)                           peer=top,
+  signal (receive) set=(hup)                 peer=xinit,
  signal (receive) set=(term,cont)           peer=systemd,
  signal (receive) set=(term,kill,stop,cont) peer=systemd-shutdown,
+  signal (receive) set=(term,kill)           peer=gnome-shell,
  signal (receive) set=(term,kill)           peer=openbox,
-  signal (receive) set=(hup)                 peer=xinit,
  signal (receive) set=(term,kill)           peer=su,
-  signal (receive)                           peer=sudo,

  ptrace (readby) peer=systemd-coredump,

--- a/apparmor.d/abstractions/chromium-common
+++ b/apparmor.d/abstractions/chromium-common
@ -39,3 +39,5 @@
  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
+
+  include if exists <abstractions/chromium-common.d>
--- a/apparmor.d/abstractions/dbus-session-strict.d/complete
+++ b/apparmor.d/abstractions/dbus-session-strict.d/complete
@ -0,0 +1,11 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
+  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
+
+  unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
+
+  owner @{run}/user/@{uid}/at-spi/ rw,
+  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
--- a/apparmor.d/abstractions/dconf-write
+++ b/apparmor.d/abstractions/dconf-write
@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Permissions for querying dconf settings with write access; use the dconf
+# abstraction first, and dconf-write only for specific application's profile.
+
+  /etc/dconf/** r,
+
+  owner @{user_config_dirs}/dconf/user r,
+
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+
+  include if exists <abstractions/dconf-write.d>
--- a/apparmor.d/abstractions/disks-read
+++ b/apparmor.d/abstractions/disks-read
@ -7,6 +7,8 @@
  # The /sys/ entries probably should be tightened

  /dev/ r,
+  /dev/block/ r,
+  /dev/disk/{,*/} r,

  # Regular disk/partition devices
  /dev/{s,v}d[a-z]* rk,
@ -35,14 +37,46 @@

  # LUKS/LVM (device-mapper) devices
  /dev/dm-[0-9]* rk,
+  /dev/mapper/{,*} r,
  @{sys}/devices/virtual/block/dm-[0-9]*/ r,
  @{sys}/devices/virtual/block/dm-[0-9]*/** r,

+  # ZFS devices
+  /dev/zd[0-9]* rk,
+  /dev/zvol/{,*/} r,
+  /dev/*pool/ r,
+  @{sys}/devices/virtual/block/zd[0-9]*/ r,
+  @{sys}/devices/virtual/block/zd[0-9]*/** r,
+
  # ZRAM devices
  /dev/zram[0-9]* rk,
  @{sys}/devices/virtual/block/zram[0-9]*/ r,
  @{sys}/devices/virtual/block/zram[0-9]*/** r,

+  # Armbian / DietPi
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}          r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}hidden    r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}dev       r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}size      r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}ro        r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}removable r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}start     r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}uevent    r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}holders/  r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/block/mmcblk[0-9]*/{,mmcblk*/}slaves/   r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/      r,
+  @{sys}/devices/platform/{soc,*.mmc}/**/mmc[0-9]*/mmc*/type  r,
+  @{sys}/devices/virtual/block/ram[0-9]*/          r,
+  @{sys}/devices/virtual/block/ram[0-9]*/hidden    r,
+  @{sys}/devices/virtual/block/ram[0-9]*/dev       r,
+  @{sys}/devices/virtual/block/ram[0-9]*/size      r,
+  @{sys}/devices/virtual/block/ram[0-9]*/ro        r,
+  @{sys}/devices/virtual/block/ram[0-9]*/removable r,
+  @{sys}/devices/virtual/block/ram[0-9]*/holders/  r,
+  @{sys}/devices/virtual/block/ram[0-9]*/slaves/   r,
+# investigate
+#  /dev/ram[0-9]* r,
+
  # CD-ROM
  /dev/sr[0-9]* rk,

@ -57,27 +91,15 @@
  # changes, it's better to allow the whole range (240-254) instead of the single major numbers
  # visible in the /proc/devices file.
  # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
-  @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b24[0-9]:[0-9]* r,
+  @{run}/udev/data/b25[0-4]:[0-9]* r,
  @{run}/udev/data/b259:[0-9]* r,

-  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
  @{run}/udev/data/b11:[0-9]*  r, # for /dev/sr*
-  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*
+  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
+  @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*

  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**

--- a/apparmor.d/abstractions/disks-write
+++ b/apparmor.d/abstractions/disks-write
@ -39,6 +39,11 @@
  @{sys}/devices/virtual/block/dm-[0-9]*/ r,
  @{sys}/devices/virtual/block/dm-[0-9]*/** r,

+  # ZFS devices
+  /dev/zd[0-9]* rwk,
+  @{sys}/devices/virtual/block/zd[0-9]*/ r,
+  @{sys}/devices/virtual/block/zd[0-9]*/** r,
+
  # ZRAM devices
  /dev/zram[0-9]* rwk,
  @{sys}/devices/virtual/block/zram[0-9]*/ r,
@ -63,28 +68,16 @@
  # changes, it's better to allow the whole range (240-254) instead of the single major numbers
  # visible in the /proc/devices file.
  # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
-  @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
-  @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b24[0-9]:[0-9]* r,
+  @{run}/udev/data/b25[0-4]:[0-9]* r,
  @{run}/udev/data/b259:[0-9]* r,

-  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
  @{run}/udev/data/b11:[0-9]*  r, # for /dev/sr*
-  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*
-  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
  @{run}/udev/data/b2:[0-9]*   r, # for /dev/fd*
+  @{run}/udev/data/b230:[0-9]* r, # for /dev/zvol*
+  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*

  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**

--- a/apparmor.d/abstractions/freedesktop.org.d/complete
+++ b/apparmor.d/abstractions/freedesktop.org.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  owner @{HOME}/.icons/default/index.theme r,
--- a/apparmor.d/abstractions/ibus.d/complete
+++ b/apparmor.d/abstractions/ibus.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  # abstract path in ibus < 1.5.22 uses /tmp
@ -16,3 +16,7 @@
  unix (connect, receive, send)
      type=stream
      peer=(addr="@/home/*/.cache/ibus/dbus-*"),
+
+  unix (connect, send, receive, accept, bind, listen)
+       type=stream
+       addr="@/home/*/.cache/ibus/dbus-*",
--- a/apparmor.d/abstractions/libvirt-lxc
+++ b/apparmor.d/abstractions/libvirt-lxc
@ -3,7 +3,9 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

- # allow receiving signals from libvirtd
+  include <abstractions/base>
+
+  # Allow receiving signals from libvirtd
  signal (receive) peer=libvirtd,

  umount,
@ -119,4 +121,4 @@
  deny /sys/fs/cgroup?*{,/**} wklx,
  deny /sys/fs?*{,/**} wklx,

-  include if exists <local/abstractions/libvirt-lxc>
+  include if exists <abstractions/libvirt-lxc.d>
--- a/apparmor.d/abstractions/libvirt-qemu
+++ b/apparmor.d/abstractions/libvirt-qemu
@ -1,8 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) Libvirt Team
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
  # required for reading disk images
  capability dac_override,
  capability dac_read_search,
@ -251,5 +255,4 @@
  owner /var/lib/libvirt/qemu/nvram/*_VARS.fd rwk,
  owner /var/lib/libvirt/qemu/nvram/*_VARS.ms.fd rwk,

-  # Site-specific additions and overrides. See local/README for details.
-  include if exists <local/abstractions/libvirt-qemu>
+  include if exists <abstractions/libvirt-qemu.d>
--- a/apparmor.d/abstractions/lxc/start-container
+++ b/apparmor.d/abstractions/lxc/start-container
@ -11,7 +11,7 @@
  # currently blocked by apparmor bug
  mount -> /usr/lib*/*/lxc/{**,},
  mount -> /usr/lib*/lxc/{**,},
-  mount -> /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
+  mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**},
  mount fstype=devpts -> /dev/pts/,
  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
  mount options=bind /dev/pts/** -> /dev/**,
--- a/apparmor.d/abstractions/nameservice-strict
+++ b/apparmor.d/abstractions/nameservice-strict
@ -1,24 +1,30 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  abi <abi/3.0>,

-  /etc/hosts r,
-  /etc/host.conf r,
-  /etc/resolv.conf r,
+  @{etc_ro}/default/nss r,
+  @{etc_ro}/gai.conf r,
+  @{etc_ro}/group r,
+  @{etc_ro}/host.conf r,
+  @{etc_ro}/hosts r,
+  @{etc_ro}/nsswitch.conf r,
+  @{etc_ro}/passwd r,
+  @{etc_ro}/protocols r,
+  @{etc_ro}/resolv.conf r,
+  @{etc_ro}/services r,
+
  @{run}/systemd/resolve/stub-resolv.conf r,
-  /etc/nsswitch.conf r,
-  /etc/passwd r,
-  /etc/gai.conf r,
-  /etc/group r,
-  /etc/protocols r,
-  /etc/default/nss r,
-  /etc/services r,

  # NSS records from systemd-userdbd.service
  @{run}/systemd/userdb/ r,
-  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+  @{run}/systemd/userdb/io.systemd.DynamicUser rw,        # systemd-exec users
+  @{run}/systemd/userdb/io.systemd.Home rw,               # systemd-home dirs
+  @{run}/systemd/userdb/io.systemd.Machine rw,            # systemd-machined
+  @{run}/systemd/userdb/io.systemd.Multiplexer rw,
+  @{run}/systemd/userdb/io.systemd.NameServiceSwitch rw,  # UNIX/glibc NSS
  @{PROC}/sys/kernel/random/boot_id r,

  include if exists <abstractions/nameservice-strict.d>
--- a/apparmor.d/abstractions/python.d/complete
+++ b/apparmor.d/abstractions/python.d/complete
@ -1,11 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

+  /{usr/,}bin/ r,
+
  /{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r,

-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r,
+  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/{,**/} r,

  owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{pyc,so}              mr,
  owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{egg,py,pth}          r,
--- a/apparmor.d/abstractions/tor
+++ b/apparmor.d/abstractions/tor
@ -1,33 +0,0 @@
-# vim:syntax=apparmor
-
-  include <abstractions/base>
-  include <abstractions/nameservice>
-  include <abstractions/openssl>
-
-  network tcp,
-  network udp,
-
-  capability chown,
-  capability dac_read_search,
-  capability fowner,
-  capability fsetid,
-  capability setgid,
-  capability setuid,
-
-  /usr/bin/tor r,
-  /usr/sbin/tor r,
-
-  # Needed by obfs4proxy
-  /proc/sys/net/core/somaxconn r,
-
-  /proc/sys/kernel/random/uuid r,
-  /sys/devices/system/cpu/ r,
-  /sys/devices/system/cpu/** r,
-
-  /etc/tor/* r,
-  /usr/share/tor/** r,
-
-  /usr/bin/obfsproxy PUx,
-  /usr/bin/obfs4proxy Pix,
-
-  include if exists <abstractions/tor.d>
--- a/apparmor.d/abstractions/user-download-strict
+++ b/apparmor.d/abstractions/user-download-strict
@ -4,14 +4,11 @@

  abi <abi/3.0>,

-  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
-  owner @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwkl,
-
-  owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/ r,
-  owner @{MOUNTS}/*/@{XDG_DOWNLOAD_DIR}/** rwkl,
-
  owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
-  owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl,
+  owner @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
+
+  owner @{user_download_dirs}/ r,
+  owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,

  # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
        @{HOME}/mount-sshfs/ r,
--- a/apparmor.d/abstractions/user-read
+++ b/apparmor.d/abstractions/user-read
@ -2,20 +2,23 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  owner @{HOME}/@{XDG_DOCUMENTS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} r,
-  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+# Give read access on all defined user directories. It should only be used if
+# access to ALL folders is required.

-  owner @{MOUNTS}/**/@{XDG_DOCUMENTS_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_MUSIC_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_PICTURES_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_VIDEOS_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_PROJECTS_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_BOOKS_DIR}/{,**} r,
-  owner @{MOUNTS}/**/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+
+  owner @{user_books_dirs}/{,**} r,
+  owner @{user_documents_dirs}/{,**} r,
+  owner @{user_music_dirs}/{,**} r,
+  owner @{user_pictures_dirs}/{,**} r,
+  owner @{user_projects_dirs}/{,**} r,
+  owner @{user_publicshare_dirs}/{,**} r,
+  owner @{user_sync_dirs}/{,**} r,
+  owner @{user_templates_dirs}/{,**} r,
+  owner @{user_torrents_dirs}/{,**} r,
+  owner @{user_videos_dirs}/{,**} r,

  include if exists <abstractions/user-read.d>
--- a/apparmor.d/abstractions/user-write.d/complete
+++ b/apparmor.d/abstractions/user-write.d/complete
@ -2,17 +2,12 @@
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

-  owner @{HOME}/@{XDG_MUSIC_DIR}/{,**} rwl,
-  owner @{HOME}/@{XDG_PICTURES_DIR}/{,**} rwl,
-  owner @{HOME}/@{XDG_VIDEOS_DIR}/{,**} rwl,
-  owner @{HOME}/@{XDG_PROJECTS_DIR}/{,**} rwl,
-  owner @{HOME}/@{XDG_BOOKS_DIR}/{,**} rwl,
  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
+  owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} rwl,

-  owner @{MOUNTS}/*/@{XDG_DOCUMENTS_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_MUSIC_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_PICTURES_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_VIDEOS_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_BOOKS_DIR}/{,**} rwl,
-  owner @{MOUNTS}/*/@{XDG_WALLPAPERS_DIR}/{,**} rwl,
+  owner @{user_books_dirs}/{,**} rwl,
+  owner @{user_documents_dirs}/{,**} rwl,
+  owner @{user_music_dirs}/{,**} rwl,
+  owner @{user_pictures_dirs}/{,**} rwl,
+  owner @{user_projects_dirs}/{,**} rwl,
+  owner @{user_videos_dirs}/{,**} rwl,
--- a/apparmor.d/abstractions/wayland.d/complete
+++ b/apparmor.d/abstractions/wayland.d/complete
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

  owner @{run}/user/@{uid}/wayland-[0-9]* rw,