Merge branch 'master' into thunderbird2

2022-08-12 14:35:53 +00:00 · 2022-08-12 14:35:53 +00:00 · db8e881c06
commit db8e881c06
parent 00a1e70720 2878fa6a2e
467 changed files with 6300 additions and 2372 deletions
--- a/apparmor.d/profiles-m-r/man
+++ b/apparmor.d/profiles-m-r/man
@ -97,10 +97,9 @@ profile man_filter {
  # do is feed data to the invoking man process.
        /usr/** r,
  owner @{HOME}/@{XDG_DATA_HOME}/** r,
-  owner @{HOME}/@{XDG_PROJECTS_DIR}/** r,
+  owner @{user_projects_dirs}/** r,
  owner @{user_cache_dirs}/** r,
  owner @{MOUNTS}/*/@{XDG_DATA_HOME}/** r,
-  owner @{MOUNTS}/*/@{XDG_PROJECTS_DIR}/** r,

  /var/cache/man/** w,
 }
--- a/apparmor.d/profiles-m-r/mdevctl
+++ b/apparmor.d/profiles-m-r/mdevctl
@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/mdevctl
+profile mdevctl @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/mdevctl.d/{,**} r,
+
+  @{PROC}/@{pids}/maps r,
+
+  @{sys}/bus/mdev/devices/ r,
+  @{sys}/class/mdev_bus/ r,
+  @{sys}/devices/pci[0-9]*/**/mdev_supported_types/{,**} r,
+
+  include if exists <local/mdevctl>
+}
--- a/apparmor.d/profiles-m-r/mediainfo-gui
+++ b/apparmor.d/profiles-m-r/mediainfo-gui
@ -34,6 +34,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/mediainfo-gui
 profile mediainfo-gui @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
@ -56,11 +57,6 @@ profile mediainfo-gui @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
-
  profile open {
    include <abstractions/base>
    include <abstractions/xdg-open>
--- a/apparmor.d/profiles-m-r/megasync
+++ b/apparmor.d/profiles-m-r/megasync
@ -6,8 +6,6 @@ abi <abi/3.0>,

 include <tunables/global>

-@{SYNC_FOLDER}=@{MOUNTS}/*/cloud_storage
-
@{exec_path} = /{usr/,}bin/megasync
 profile megasync @{exec_path} {
  include <abstractions/base>
@ -55,11 +53,8 @@ profile megasync @{exec_path} {
  owner @{user_config_dirs}/QtProject.conf r,

  # Sync folder
-  #/ r,
-  #@{MOUNTS}/ r,
-  #@{MOUNTS}/*/ r,
-  owner @{SYNC_FOLDER}/ r,
-  owner @{SYNC_FOLDER}/** rwl -> @{SYNC_FOLDER}/**,
+  owner @{user_sync_dirs}/ r,
+  owner @{user_sync_dirs}/** rwl -> @{user_sync_dirs}/**,

  # Proc filesystem
  deny owner @{PROC}/@{pid}/cmdline r,
--- a/apparmor.d/profiles-m-r/minitube
+++ b/apparmor.d/profiles-m-r/minitube
@ -41,7 +41,7 @@ profile minitube @{exec_path} {
  owner "@{user_share_dirs}/Flavio Tordini/Minitube/*" rwk,

  # Snapshot
-  owner @{HOME}/@{XDG_PICTURES_DIR}/*.png rw,
+  owner @{user_pictures_dirs}/*.png rw,
  owner @{HOME}/vlcsnap-.png rw,

  /usr/share/minitube/{,**} r,
--- a/apparmor.d/profiles-m-r/mission-control
+++ b/apparmor.d/profiles-m-r/mission-control
@ -9,7 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/telepathy/mission-control-5
 profile mission-control @{exec_path} {
  include <abstractions/base>
-  include <abstractions/dconf>
+  include <abstractions/dconf-write>

  network netlink raw,

@ -21,7 +21,6 @@ profile mission-control @{exec_path} {

  owner @{user_share_dirs}/telepathy/mission-control/*.cfg r,

-  @{run}/user/@{uid}/dconf/user rw,
  @{run}/systemd/inhibit/[0-9]*.ref rw,

  include if exists <local/mission-control>
--- a/apparmor.d/profiles-m-r/mke2fs
+++ b/apparmor.d/profiles-m-r/mke2fs
@ -30,9 +30,9 @@ profile mke2fs @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  # For virt-resize
  owner /var/tmp/.guestfs-[0-9]*/** rwk,
--- a/apparmor.d/profiles-m-r/mkfs-btrfs
+++ b/apparmor.d/profiles-m-r/mkfs-btrfs
@ -24,9 +24,9 @@ profile mkfs-btrfs @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  include if exists <local/mkfs-btrfs>
 }
--- a/apparmor.d/profiles-m-r/mkfs-fat
+++ b/apparmor.d/profiles-m-r/mkfs-fat
@ -18,9 +18,9 @@ profile mkfs-fat @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  include if exists <local/mkfs-fat>
 }
--- a/apparmor.d/profiles-m-r/mkinitramfs
+++ b/apparmor.d/profiles-m-r/mkinitramfs
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -19,37 +20,36 @@ profile mkinitramfs @{exec_path} {
  @{exec_path} r,
  /{usr/,}bin/{,ba,da}sh rix,

-  /{usr/,}sbin/          r,
-  /{usr/,}bin/           r,
+  /{usr/,}{s,}bin/       r,
  /{usr/,}lib/           r,
  /{usr/,}lib64/         r,

-  /{usr/,}bin/getopt     rix,
-  /{usr/,}bin/basename   rix,
  /{usr/,}bin/{,e}grep   rix,
-  /{usr/,}bin/touch      rix,
-  /{usr/,}bin/readlink   rix,
-  /{usr/,}bin/mktemp     rix,
-  /{usr/,}bin/chmod      rix,
-  /{usr/,}bin/ln         rix,
-  /{usr/,}bin/mkdir      rix,
-  /{usr/,}bin/cp         rix,
-  /{usr/,}bin/cat        rix,
-  /{usr/,}bin/dirname    rix,
-  /{usr/,}bin/sed        rix,
-  /{usr/,}bin/tsort      rix,
-  /{usr/,}bin/rm         rix,
-  /{usr/,}bin/id         rix,
-  /{usr/,}bin/sort       rix,
-  /{usr/,}bin/env        rix,
-  /{usr/,}bin/rmdir      rix,
-  /{usr/,}bin/tr         rix,
-
-  /{usr/,}bin/cpio       rix,
-  /{usr/,}bin/gzip       rix,
+  /{usr/,}bin/basename   rix,
  /{usr/,}bin/bzip2      rix,
+  /{usr/,}bin/cat        rix,
+  /{usr/,}bin/chmod      rix,
+  /{usr/,}bin/cp         rix,
+  /{usr/,}bin/cpio       rix,
+  /{usr/,}bin/dirname    rix,
+  /{usr/,}bin/env        rix,
+  /{usr/,}bin/getopt     rix,
+  /{usr/,}bin/gzip       rix,
+  /{usr/,}bin/id         rix,
+  /{usr/,}bin/ln         rix,
  /{usr/,}bin/lzma       rix,
  /{usr/,}bin/lzop       rix,
+  /{usr/,}bin/mkdir      rix,
+  /{usr/,}bin/mktemp     rix,
+  /{usr/,}bin/readlink   rix,
+  /{usr/,}bin/rm         rix,
+  /{usr/,}bin/rmdir      rix,
+  /{usr/,}bin/sed        rix,
+  /{usr/,}bin/sort       rix,
+  /{usr/,}bin/touch      rix,
+  /{usr/,}bin/tr         rix,
+  /{usr/,}bin/tsort      rix,
+  /{usr/,}bin/xargs      rix,
  /{usr/,}bin/xz         rix,
  /{usr/,}bin/zstd       rix,

@ -87,20 +87,23 @@ profile mkinitramfs @{exec_path} {
        /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
  owner /var/tmp/mkinitramfs-* rw,

-  @{PROC}/modules r,
-
+  owner @{PROC}/@{uid}/fd/ r,
+        @{PROC}/cmdline r,
+        @{PROC}/modules r,

  profile ldd {
    include <abstractions/base>
    include <abstractions/consoles>
+    include <abstractions/nameservice-strict>

    /{usr/,}bin/ldd mr,

-    /{usr/,}bin/kmod mr,
    /{usr/,}bin/{,ba,da}sh rix,
+    /{usr/,}bin/kmod mr,
+    /{usr/,}lib/initramfs-tools/bin/* mr,

-    /{usr/,}lib/@{multiarch}/ld-*.so rix,
-    /{usr/,}lib{,x}32/ld-*.so        rix,
+    /{usr/,}lib/@{multiarch}/ld-*.so*  rix,
+    /{usr/,}lib{,x}32/ld-*.so          rix,

  }

@ -110,7 +113,10 @@ profile mkinitramfs @{exec_path} {

    capability sys_chroot,

-    /{usr/,}sbin/ldconfig mr,
+    /{usr/,}{s,}bin/ldconfig  mr,
+
+    /{usr/,}{s,}bin/ldconfig.real rix,
+    /{usr/,}bin/{,ba,da}sh        rix,

    owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
    owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,
@ -148,11 +154,14 @@ profile mkinitramfs @{exec_path} {
  profile kmod {
    include <abstractions/base>
    include <abstractions/consoles>
+    include <abstractions/openssl>

    /{usr/,}bin/kmod mr,

    @{PROC}/cmdline r,

+    /etc/depmod.d/ r,
+    /etc/depmod.d/*.conf r,
    /etc/modprobe.d/ r,
    /etc/modprobe.d/*.conf r,

--- a/apparmor.d/profiles-m-r/mount
+++ b/apparmor.d/profiles-m-r/mount
@ -1,12 +1,14 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}bin/mount
+@{exec_path} = /{usr/,}{s,}bin/mount
 profile mount @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
@ -25,14 +27,20 @@ profile mount @{exec_path} flags=(complain) {
  network inet stream,
  network inet6 stream,

+  ptrace (read) peer=k3s,
+
  signal (receive) set=(term, kill),

  @{exec_path} mr,

-  /{usr/,}bin/ntfs-3g        rPx,
  /{usr/,}{s,}bin/lowntfs-3g rPx,
-  /{usr/,}bin/sshfs          rPx,
  /{usr/,}{s,}bin/mount.*    rPx,
+  /{usr/,}bin/ntfs-3g        rPx,
+  /{usr/,}bin/sshfs          rPx,
+
+  /etc/fstab r,
+
+  /var/lib/snapd/snaps/*.snap r,

  # Mount points
  @{HOME}/ r,
@ -45,23 +53,22 @@ profile mount @{exec_path} flags=(complain) {

  # Mount iso/img files
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-
-  # The special /dev/loop-control file can be used to create and destroy loop devices or to find
-  # the first available loop device.
-  /dev/loop-control rw,
-
-  /etc/fstab r,
-
-  /tmp/sanity-squashfs-[0-9]* rw,
-
-  owner @{PROC}/@{pid}/mountinfo r,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  owner @{run}/mount/ rw,
  owner @{run}/mount/utab{,.*} rw,
  owner @{run}/mount/utab.lock wk,

+  /tmp/sanity-squashfs-[0-9]* rw,
+  /tmp/syscheck-squashfs-[0-9]* rw,
+
+  owner @{PROC}/@{pid}/mountinfo r,
+
+  # The special /dev/loop-control file can be used to create and destroy loop
+  # devices or to find the first available loop device.
+  /dev/loop-control rw,
+
  include if exists <local/mount>
 }
--- a/apparmor.d/profiles-m-r/mount-cifs
+++ b/apparmor.d/profiles-m-r/mount-cifs
@ -1,12 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2020-2021 Mikhail Morfikov
+# Copyright (C) 2020-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}sbin/mount.cifs
+@{exec_path} = /{usr/,}{s,}bin/mount.cifs
 profile mount-cifs @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -30,19 +31,18 @@ profile mount-cifs @{exec_path} flags=(complain) {
  owner @{HOME}/.smbcredentials r,

  # Mount points
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
  @{MOUNTS}/*/ r,
-  @{MOUNTS}/*/*/ r,

  # Allow to mount smb/cifs disks only under the /media/ dirs
+  mount fstype=cifs -> @{MOUNTDIRS}/,
+  mount fstype=cifs -> @{MOUNTS}/,
  mount fstype=cifs -> @{MOUNTS}/*/,
-  mount fstype=cifs -> @{MOUNTS}/*/*/,
-  mount fstype=cifs -> /mnt/,
-  mount fstype=cifs -> /mnt/*/,

+  umount @{MOUNTDIRS}/,
+  umount @{MOUNTS}/,
  umount @{MOUNTS}/*/,
-  umount @{MOUNTS}/*/*/,
-  umount /mnt/,
-  umount /mnt/*/,

  include if exists <local/mount-cifs>
 }
--- a/apparmor.d/profiles-m-r/mount-nfs
+++ b/apparmor.d/profiles-m-r/mount-nfs
@ -1,12 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}sbin/mount.nfs
+@{exec_path} = /{usr/,}{s,}bin/mount.nfs
 profile mount-nfs @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -26,11 +27,11 @@ profile mount-nfs @{exec_path} flags=(complain) {

  @{exec_path} mr,

-  /{usr/,}bin/{,ba,da}sh      rix,
-  /{usr/,}sbin/start-statd    rix,
-  /{usr/,}bin/flock           rix,
+  /{usr/,}{s,}bin/start-statd  rix,
+  /{usr/,}bin/{,ba,da}sh       rix,
+  /{usr/,}bin/flock            rix,

-  /usr/bin/systemctl          rPx -> child-systemctl,
+  /usr/bin/systemctl           rPx -> child-systemctl,

  /etc/fstab r,
  /etc/netconfig r,
@ -45,21 +46,20 @@ profile mount-nfs @{exec_path} flags=(complain) {
  owner @{run}/rpc.statd.lock wk,

  # Mount points
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
  @{MOUNTS}/*/ r,
-  @{MOUNTS}/*/*/ r,

  # Allow to mount smb/cifs disks only under the /media/ dirs
+  mount fstype=nfs -> @{MOUNTDIRS}/,
+  mount fstype=nfs -> @{MOUNTS}/,
  mount fstype=nfs -> @{MOUNTS}/*/,
-  mount fstype=nfs -> @{MOUNTS}/*/*/,
-  mount fstype=nfs -> /mnt/,
-  mount fstype=nfs -> /mnt/*/,
  mount fstype=nfs -> /,
  mount fstype=nfs -> /*/,

+  umount @{MOUNTDIRS}/,
+  umount @{MOUNTS}/,
  umount @{MOUNTS}/*/,
-  umount @{MOUNTS}/*/*/,
-  umount /mnt/,
-  umount /mnt/*/,
  umount /,
  umount /*/,

--- a/apparmor.d/profiles-m-r/mount-zfs
+++ b/apparmor.d/profiles-m-r/mount-zfs
@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/mount.zfs
+profile mount-zfs @{exec_path} flags=(complain) {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  capability sys_admin,  # To mount anything.
+
+  @{exec_path} mr,
+
+  /dev/pts/[0-9]* rw,
+
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/*/ r,
+
+  mount fstype=zfs -> @{MOUNTDIRS}/,
+  mount fstype=zfs -> @{MOUNTS}/,
+  mount fstype=zfs -> @{MOUNTS}/*/,
+  mount fstype=zfs -> /,
+  mount fstype=zfs -> /*/,
+  mount fstype=zfs -> /tmp/zfsmnt.*/,
+  mount fstype=zfs -> /tmp/zfsmnt.*/*/,
+
+  umount @{MOUNTDIRS}/,
+  umount @{MOUNTS}/,
+  umount @{MOUNTS}/*/,
+  umount /,
+  umount /*/,
+  umount /tmp/zfsmnt.*/,
+  umount /tmp/zfsmnt.*/*/,
+
+  @{PROC}/@{pids}/mounts r,
+
+  /dev/zfs rw,
+
+  include if exists <local/mount-zfs>
+}
--- a/apparmor.d/profiles-m-r/mtools
+++ b/apparmor.d/profiles-m-r/mtools
@ -25,9 +25,9 @@ profile mtools @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  include if exists <local/mtools>
 }
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@ -7,28 +7,55 @@ abi <abi/3.0>,
 include <tunables/global>

@{exec_path} = /{usr/,}{s,}bin/needrestart
-profile needrestart @{exec_path} {
+profile needrestart @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
  include <abstractions/perl>
+  include <abstractions/python>
  include <abstractions/wutmp>

+  capability checkpoint_restore,
+  capability dac_read_search,
  capability sys_ptrace,

  ptrace (read),

-  @{exec_path} mr,
+  @{exec_path} mrix,

-  /{usr/,}bin/systemd-detect-virt  rPx,
-  /{usr/,}bin/who                  rix,
-  /usr/share/debconf/frontend      rix,
+  /{usr/,}bin/{,ba,da}sh                        rix,
+  /{usr/,}bin/dpkg-query                        rpx,
+  /{usr/,}bin/fail2ban-server                   rPx,
+  /{usr/,}bin/locale                            rix,
+  /{usr/,}bin/python3.[0-9]*                    rix,
+  /{usr/,}bin/sed                               rix,
+  /{usr/,}bin/stty                              rix,
+  /{usr/,}bin/systemctl                         rPx,
+  /{usr/,}bin/systemd-detect-virt               rPx,
+  /{usr/,}bin/udevadm                           rPx,
+  /{usr/,}bin/whiptail                          rPx,
+  /{usr/,}bin/who                               rix,
+  /{usr/,}lib/needrestart/iucode-scan-versions  rPx,
+  /usr/share/debconf/frontend                   rix,

+  /{usr/,}bin/gettext.sh r,
+  /usr/share/needrestart/{,**} r,
+  /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
+
+  /etc/debconf.conf r,
  /etc/needrestart/{,**} r,
+  /etc/needrestart/*.d/* rix,
+  /etc/shadow r,

-  @{PROC}/ r,
-  @{PROC}/@{pids}/cmdline r,
-  @{PROC}/@{pids}/environ r,
-  @{PROC}/@{pids}/stat r,
+  owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
+
+  owner @{PROC}/@{pid}/fd/ r,
+        @{PROC}/ r,
+        @{PROC}/@{pids}/cgroup r,
+        @{PROC}/@{pids}/cmdline r,
+        @{PROC}/@{pids}/environ r,
+        @{PROC}/@{pids}/maps r,
+        @{PROC}/@{pids}/stat r,

  /dev/ r,
  /dev/**/ r,
--- a/apparmor.d/profiles-m-r/netstat
+++ b/apparmor.d/profiles-m-r/netstat
@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2002-2005 Novell/SUSE
+# Copyright (C) 2017 Christian Boltz
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/netstat
+profile netstat @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice>
+
+  capability dac_read_search,
+  capability sys_ptrace,
+  capability syslog,
+
+  ptrace (trace,read),
+
+  @{exec_path} rmix,
+
+  /etc/networks r,
+
+        @{PROC} r,
+        @{PROC}/@{pids}/cmdline r,
+        @{PROC}/@{pids}/fd/ r,
+        @{PROC}/@{pids}/net/dev r,
+        @{PROC}/@{pids}/net/netstat r,
+        @{PROC}/@{pids}/net/raw r,
+        @{PROC}/@{pids}/net/raw6 r,
+        @{PROC}/@{pids}/net/snmp r,
+        @{PROC}/@{pids}/net/tcp r,
+        @{PROC}/@{pids}/net/tcp6 r,
+        @{PROC}/@{pids}/net/udp r,
+        @{PROC}/@{pids}/net/udp6 r,
+        @{PROC}/@{pids}/net/udplite r,
+        @{PROC}/@{pids}/net/udplite6 r,
+        @{PROC}/@{pids}/net/unix r,
+        @{PROC}/net r,
+        @{PROC}/net/* r,
+        @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
+  owner @{PROC}/@{pid}/attr/current r,
+
+  include if exists <local/netstat>
+}
--- a/apparmor.d/profiles-m-r/newgidmap
+++ b/apparmor.d/profiles-m-r/newgidmap
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,6 +12,7 @@ profile newgidmap @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

+  capability dac_override,
  capability setgid,
  capability sys_admin,

--- a/apparmor.d/profiles-m-r/newuidmap
+++ b/apparmor.d/profiles-m-r/newuidmap
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,6 +12,7 @@ profile newuidmap @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

+  capability dac_override,
  capability setuid,
  capability sys_admin,

--- a/apparmor.d/profiles-m-r/nologin
+++ b/apparmor.d/profiles-m-r/nologin
@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}{s,}bin/nologin
+profile nologin @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/nologin>
+}
--- a/apparmor.d/profiles-m-r/nslookup
+++ b/apparmor.d/profiles-m-r/nslookup
@ -8,6 +8,7 @@ include <tunables/global>
@{exec_path} = /{,usr/}bin/nslookup
 profile nslookup @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/openssl>
  include <abstractions/nameservice-strict>

@ -16,7 +17,7 @@ profile nslookup @{exec_path} {
  network inet stream,
  network inet6 stream,

-  @{exec_path} r,
+  @{exec_path} mr,

  owner @{PROC}/@{pids}/task/@{tid}/comm rw,

--- a/apparmor.d/profiles-m-r/ntfs-3g
+++ b/apparmor.d/profiles-m-r/ntfs-3g
@ -23,36 +23,35 @@ profile ntfs-3g @{exec_path} {

  @{exec_path} mr,

-        @{PROC}/@{pids}/task/@{tid}/status r,
-  owner @{PROC}/@{pid}/mounts r,
+  /{usr/,}bin/kmod rPx,  # To load the fuse kernel module
+
+  # Mount points
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
+  @{MOUNTS}/*/ r,
+
+  # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
+  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTDIRS},
+  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/,
+  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
+  mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/,
+  mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
+
+  # Allow to mount encrypted partition
+  mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTDIRS}/,
+  mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/,
+  mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
+
+  umount @{MOUNTDIRS}/,
+  umount @{MOUNTS}/,
+  umount @{MOUNTS}/*/,
+
        @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/@{pids}/task/@{tid}/status r,
        @{PROC}/swaps r,
+  owner @{PROC}/@{pid}/mounts r,

  /dev/fuse rw,

-  # Mount points
-  @{MOUNTS}/*/ r,
-  @{MOUNTS}/*/*/ r,
-
-  # Allow to mount ntfs disks only under the /media/, /run/media, and /mnt/ dirs
-  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/,
-  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> @{MOUNTS}/*/*/,
-  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/,
-  mount fstype=fuseblk /dev/{s,v}d[a-z]*[0-9]* -> /mnt/*/,
-  mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/,
-  mount fstype=fuseblk /dev/mmcblk[0-9]*p[0-9]* -> @{MOUNTS}/*/*/,
-
-  # Allow to mount encrypted partition
-  mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/,
-  mount fstype=fuseblk /dev/dm-[0-9]* -> @{MOUNTS}/*/*/,
-  mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/,
-  mount fstype=fuseblk /dev/dm-[0-9]* -> /mnt/*/,
-
-  umount @{MOUNTS}/*/,
-  umount /mnt/*/,
-
-  # kmod is used to load the fuse kernel module
-  /{usr/,}bin/kmod rPx,
-
  include if exists <local/ntfs-3g>
 }
--- a/apparmor.d/profiles-m-r/ntfsclone
+++ b/apparmor.d/profiles-m-r/ntfsclone
@ -21,7 +21,7 @@ profile ntfsclone @{exec_path} {

  # A place for backups
  @{HOME}/* rwk,
-  @{MOUNTS}/*/** rwk,
+  @{MOUNTS}/** rwk,

  include if exists <local/ntfsclone>
 }
--- a/apparmor.d/profiles-m-r/ntfscp
+++ b/apparmor.d/profiles-m-r/ntfscp
@ -17,10 +17,10 @@ profile ntfscp @{exec_path} {

  # For writing files owned by users other than root, since ntfscp has to be started as root.
  capability dac_read_search,
-  @{HOME}/@{XDG_DOWNLOAD_DIR}/ r,
-  @{HOME}/@{XDG_DOWNLOAD_DIR}/** rwl -> @{HOME}/@{XDG_DOWNLOAD_DIR}/**,
  @{HOME}/@{XDG_DESKTOP_DIR}/ r,
-  @{HOME}/@{XDG_DESKTOP_DIR}/** rwl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
+  @{HOME}/@{XDG_DESKTOP_DIR}/** rwkl -> @{HOME}/@{XDG_DESKTOP_DIR}/**,
+  @{user_download_dirs}/ r,
+  @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,

  owner @{PROC}/@{pid}/mounts r,

--- a/apparmor.d/profiles-m-r/nvtop
+++ b/apparmor.d/profiles-m-r/nvtop
@ -10,6 +10,7 @@ include <tunables/global>
 profile nvtop @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
+  include <abstractions/dri-enumerate>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl-nvidia>

@ -25,6 +26,7 @@ profile nvtop @{exec_path} {
  @{PROC}/@{pids}/stat r,
  @{PROC}/driver/nvidia/capabilities/mig/{config,monitor}  r,

+  /dev/dri/ r,
  /dev/nvidia-caps/{,nvidia-cap[0-9]*} rw,

  include if exists <local/nvtop>
--- a/apparmor.d/profiles-m-r/obconf
+++ b/apparmor.d/profiles-m-r/obconf
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/obconf
 profile obconf @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
@ -33,10 +34,6 @@ profile obconf @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  # file_inherit
  owner /dev/tty[0-9]* rw,

--- a/apparmor.d/profiles-m-r/obex-folder-listing
+++ b/apparmor.d/profiles-m-r/obex-folder-listing
@ -16,8 +16,8 @@ profile obex-folder-listing @{exec_path} {

  owner @{HOME}/ r,
  owner @{HOME}/**/ r,
-  owner @{MOUNTS}/*/ r,
-  owner @{MOUNTS}/*/**/ r,
+  owner @{MOUNTS}/ r,
+  owner @{MOUNTS}/**/ r,

  include if exists <local/obex-folder-listing>
 }
--- a/apparmor.d/profiles-m-r/parted
+++ b/apparmor.d/profiles-m-r/parted
@ -70,9 +70,9 @@ profile parted @{exec_path} {
    # file_inherit
    include <abstractions/disks-write>  # lots of files in this abstraction get inherited
    owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-    owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+    owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
    owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-    owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+    owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  }

--- a/apparmor.d/profiles-m-r/pass
+++ b/apparmor.d/profiles-m-r/pass
@ -56,7 +56,7 @@ profile pass @{exec_path} {
  /usr/share/terminfo/x/xterm-256color r,

  owner @{HOME}/.password-store/{,**} rw,
-  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw,
+  owner @{user_projects_dirs}/**/*-store/{,**} rw,
  owner @{user_config_dirs}/password-store/{,**} rw,
  owner /dev/shm/pass.*/{,*} rw,

@ -84,7 +84,7 @@ profile pass @{exec_path} {
    owner @{HOME}/.viminfo{,.tmp} rw,

    owner @{HOME}/.password-store/ r,
-    owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/ r,
+    owner @{user_projects_dirs}/**/*-store/ r,
    owner @{user_config_dirs}/password-store/ r,

    owner @{user_cache_dirs}/vim/{,**} rw,
@ -118,8 +118,8 @@ profile pass @{exec_path} {

    owner @{HOME}/.password-store/   rw,
    owner @{HOME}/.password-store/** rwkl -> @{HOME}/.password-store/**,
-    owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/   rw,
-    owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/** rwkl -> @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/**,
+    owner @{user_projects_dirs}/**/*-store/   rw,
+    owner @{user_projects_dirs}/**/*-store/** rwkl -> @{user_projects_dirs}/**/*-store/**,
    owner @{user_config_dirs}/password-store/   rw,
    owner @{user_config_dirs}/password-store/** rwkl -> @{user_config_dirs}/password-store/**,

--- a/apparmor.d/profiles-m-r/pass-import
+++ b/apparmor.d/profiles-m-r/pass-import
@ -27,7 +27,7 @@ profile pass-import @{exec_path} {
  /usr/share/file/misc/magic.mgc r,

  owner @{HOME}/.password-store/{,**} rw,
-  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/*-store/{,**} rw,
+  owner @{user_projects_dirs}/**/*-store/{,**} rw,
  owner @{user_config_dirs}/password-store/{,**} rw,

  owner /tmp/[a-zA-Z0-9]* rw,
--- a/apparmor.d/profiles-m-r/passwd
+++ b/apparmor.d/profiles-m-r/passwd
@ -10,6 +10,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/passwd
 profile passwd @{exec_path} {
  include <abstractions/base>
+  include <abstractions/consoles>
  include <abstractions/authentication>
  include <abstractions/nameservice-strict>
  include <abstractions/wutmp>
--- a/apparmor.d/profiles-m-r/pkexec
+++ b/apparmor.d/profiles-m-r/pkexec
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -10,30 +11,41 @@ include <tunables/global>
 profile pkexec @{exec_path} flags=(complain) {
  include <abstractions/base>
  include <abstractions/authentication>
-  include <abstractions/wutmp>
-  include <abstractions/nameservice-strict>
  include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
+  include <abstractions/wutmp>

  signal (send) set=(term, kill) peer=polkit-agent-helper,

-  capability sys_ptrace,
  capability audit_write,
  capability dac_read_search,
-
-  # gdbus
-  capability setgid,
-  # gmain
-  capability setuid,
-
-  # Needed?
-  deny capability sys_nice,
+  capability setgid,  # gdbus
+  capability setuid,  # gmain
+  capability sys_ptrace,
+  audit deny capability sys_nice,

  ptrace (read),

  network netlink raw,

+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member={EnumerateActions,CheckAuthorization},
+
  @{exec_path} mr,

+  # Apps to be run via pkexec
+  /{usr/,}{s,}bin/*            rPUx,
+  /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#)
+  /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+  /{usr/,}lib/update-notifier/package-system-locked  rPx,
+  /usr/share/apport/apport-gtk rPx,
+
  /etc/shells r,
  /etc/environment r,
  /etc/default/locale r,
@ -42,13 +54,6 @@ profile pkexec @{exec_path} flags=(complain) {
        @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pid}/fd/ r,

-  # Apps to be run via pkexec
-  /{usr/,}{s,}bin/*            rPUx,
-  /{usr/,}bin/*                rPUx,
-  /{usr/,}lib/gvfs/gvfsd-admin rPUx, #(#FIXME#)
-  /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
-  /{usr/,}lib/update-notifier/package-system-locked  rPx,
-
  # file_inherit
  owner /dev/tty[0-9]* rw,
  owner @{HOME}/.xsession-errors w,
--- a/apparmor.d/profiles-m-r/pkttyagent
+++ b/apparmor.d/profiles-m-r/pkttyagent
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -9,11 +10,30 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pkttyagent
 profile pkttyagent @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>

  capability sys_nice,
+  capability audit_write,

  ptrace (read),
-  signal (receive),
+  signal (send,receive),
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=RegisterAuthenticationAgentWithOptions,
+  
+  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/AuthenticationAgent
+       interface=org.freedesktop.PolicyKit1.AuthenticationAgent
+       member=BeginAuthentication,
+  
+  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=Changed,

  @{exec_path} mr,

@ -22,4 +42,4 @@ profile pkttyagent @{exec_path} {
  /dev/tty rw,

  include if exists <local/pkttyagent>
-}
+}
--- a/apparmor.d/profiles-m-r/power-profiles-daemon
+++ b/apparmor.d/profiles-m-r/power-profiles-daemon
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/power-profiles-daemon
 profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>

  capability sys_nice,
@ -16,6 +17,29 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {

  network netlink raw,

+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll,
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member=RequestName,
+
+  dbus send bus=system path=/net/hadess/PowerProfiles
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged,
+
+  dbus receive bus=system path=/net/hadess/PowerProfiles
+       interface=org.freedesktop.DBus.Properties
+       member={GetAll,Set},
+
+  dbus receive bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=Changed,
+
+  dbus bind bus=system 
+       name=net.hadess.PowerProfiles,
+
  @{exec_path} mr,

  /var/lib/power-profiles-daemon/{,**} rw,
@ -30,6 +54,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/system/cpu/cpufreq/ r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/energy_performance_preference rw,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_governor rw,
+  @{sys}/devices/system/cpu/cpu[0-9]*/power/energy_perf_bias rw,

  include if exists <local/power-profiles-daemon>
 }
--- a/apparmor.d/profiles-m-r/ps
+++ b/apparmor.d/profiles-m-r/ps
@ -52,7 +52,7 @@ profile ps @{exec_path} flags=(attach_disconnected) {
       @{PROC}/tty/drivers r,
       @{PROC}/uptime r,

-  @{run}/systemd/sessions/[0-9]* r,
+  @{run}/systemd/sessions/* r,

  @{sys}/devices/system/node/ r,
  @{sys}/devices/system/node/node[0-9]*/meminfo r,
--- a/apparmor.d/profiles-m-r/pstree
+++ b/apparmor.d/profiles-m-r/pstree
@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{,usr/}bin/pstree
+profile pstree @{exec_path} flags=(attach_disconnected) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability sys_ptrace,
+
+  ptrace (read),
+
+  @{exec_path} mr,
+
+        @{PROC} r,
+        @{PROC}/uptime r,
+        @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/task/ r,
+        @{PROC}/@{pids}/attr/current r,
+        @{PROC}/@{pids}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/cmdline r,
+
+  include if exists <local/pstree>
+}
--- a/apparmor.d/profiles-m-r/pulseeffects
+++ b/apparmor.d/profiles-m-r/pulseeffects
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}bin/pulseeffects
 profile pulseeffects @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dconf-write>
  include <abstractions/gtk>
  include <abstractions/fonts>
  include <abstractions/fontconfig-cache-read>
@ -33,10 +34,6 @@ profile pulseeffects @{exec_path} {

  /usr/share/glib-2.0/schemas/gschemas.compiled r,

-  include <abstractions/dconf>
-  owner @{run}/user/@{uid}/dconf/ rw,
-  owner @{run}/user/@{uid}/dconf/user rw,
-
  # file_inherit
  owner /dev/tty[0-9]* rw,

--- a/apparmor.d/profiles-m-r/pwck
+++ b/apparmor.d/profiles-m-r/pwck
@ -24,7 +24,5 @@ profile pwck @{exec_path} {
  /etc/shadow.[0-9]* rw,
  /etc/shadow.lock wl,

-  @{run}/systemd/userdb/ r,
-
  include if exists <local/pwck>
 }
--- a/apparmor.d/profiles-m-r/qbittorrent
+++ b/apparmor.d/profiles-m-r/qbittorrent
@ -6,8 +6,6 @@ abi <abi/3.0>,

 include <tunables/global>

-@{TORRENT_DIR} = @{MOUNTS}/*/torrent
-
@{exec_path} = /{usr/,}bin/qbittorrent
 profile qbittorrent @{exec_path} {
  include <abstractions/base>
@ -134,10 +132,8 @@ profile qbittorrent @{exec_path} {
  /usr/share/qt5ct/** r,

  # Torrent files
-        @{MOUNTS}/ r,
-  owner @{MOUNTS}/*/ r,
-  owner @{TORRENT_DIR}/ r,
-  owner @{TORRENT_DIR}/** rw,
+  owner @{user_torrents_dirs}/ r,
+  owner @{user_torrents_dirs}/** rw,

  # GeoIP settings
  /usr/share/GeoIP/GeoIP.dat r,
@ -228,9 +224,9 @@ profile qbittorrent @{exec_path} {
    owner @{run}/user/@{uid}/ r,

    # file_inherit
-    owner @{MOUNTS}/*/torrent/** r,
-    owner @{MOUNTS}/*/torrent/**.[0-9a-f]*.parts rw,
-    owner "@{MOUNTS}/*/torrent/**.!qB" rw,
+    owner @{MOUNTS}/torrent/** r,
+    owner @{MOUNTS}/torrent/**.[0-9a-f]*.parts rw,
+    owner "@{MOUNTS}/torrent/**.!qB" rw,

    owner @{HOME}/.xsession-errors w,

@ -265,7 +261,7 @@ profile qbittorrent @{exec_path} {
    owner /tmp/tmp* rw,

    # file_inherit
-    owner @{MOUNTS}/*/torrent/** r,
+    owner @{MOUNTS}/torrent/** r,
    deny /dev/dri/card[0-9]* rw,

    include if exists <local/qbittorrent_python3>
--- a/apparmor.d/profiles-m-r/qbittorrent-nox
+++ b/apparmor.d/profiles-m-r/qbittorrent-nox
@ -6,8 +6,6 @@ abi <abi/3.0>,

 include <tunables/global>

-@{TORRENT_DIR} = @{MOUNTS}/*/torrent
-
@{exec_path} = /{usr/,}bin/qbittorrent-nox
 profile qbittorrent-nox @{exec_path} {
  include <abstractions/base>
@ -38,10 +36,8 @@ profile qbittorrent-nox @{exec_path} {
  owner @{user_cache_dirs}/qBittorrent/{,**} rw,

  # Torrent files
-        @{MOUNTS}/ r,
-  owner @{MOUNTS}/*/ r,
-  owner @{TORRENT_DIR}/ r,
-  owner @{TORRENT_DIR}/** rw,
+  owner @{user_torrents_dirs}/ r,
+  owner @{user_torrents_dirs}/** rw,

  /dev/disk/by-label/ r,

--- a/apparmor.d/profiles-m-r/qemu-ga
+++ b/apparmor.d/profiles-m-r/qemu-ga
@ -10,8 +10,18 @@ include <tunables/global>
 profile qemu-ga @{exec_path} {
  include <abstractions/base>

+  capability mknod,
+  capability net_admin,
+  capability sys_ptrace,
+
+  ptrace peer=unconfined,
+
  @{exec_path} mr,

+  /{usr/,}bin/systemctl rix,
+
+  /etc/qemu/qemu-ga.conf r,
+
  owner @{run}/qga.state* rw,

  /dev/vport[0-9]*p[0-9]* rw,
--- a/apparmor.d/profiles-m-r/qnapi
+++ b/apparmor.d/profiles-m-r/qnapi
@ -74,11 +74,10 @@ profile qnapi @{exec_path} {

  # Movie dirs
        @{MOUNTS}/ r,
-  owner @{MOUNTS}/*/ r,
-  owner @{MOUNTS}/*/** r,
-  owner @{MOUNTS}/*/**#[0-9]*[0-9] rw,
-  owner @{MOUNTS}/*/**.@{qnapi_vid_ext} r,
-  owner @{MOUNTS}/*/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/*/**/#[0-9]*[0-9],
+  owner @{MOUNTS}/** r,
+  owner @{MOUNTS}/**#[0-9]*[0-9] rw,
+  owner @{MOUNTS}/**.@{qnapi_vid_ext} r,
+  owner @{MOUNTS}/**.@{qnapi_txt_ext} rwl -> @{MOUNTS}/**/#[0-9]*[0-9],

  owner @{HOME}/ r,
  owner @{user_config_dirs}/qnapi.ini rw,
--- a/apparmor.d/profiles-m-r/qtox
+++ b/apparmor.d/profiles-m-r/qtox
@ -34,7 +34,7 @@ profile qtox @{exec_path} {

  # For importing old profile
  owner @{HOME}/**.tox r,
-  owner @{MOUNTS}/*/**.tox r,
+  owner @{MOUNTS}/**.tox r,

  owner @{HOME}/ r,
  owner @{user_cache_dirs}/qTox/ rw,
--- a/apparmor.d/profiles-m-r/resize2fs
+++ b/apparmor.d/profiles-m-r/resize2fs
@ -24,9 +24,9 @@ profile resize2fs @{exec_path} {

  # A place for file images
  owner @{HOME}/**.{iso,img,bin,mdf,nrg} rwk,
-  owner @{MOUNTS}/*/**.{iso,img,bin,mdf,nrg} rwk,
+  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
-  owner @{MOUNTS}/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
+  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,

  include if exists <local/resize2fs>
 }
--- a/apparmor.d/profiles-m-r/rngd
+++ b/apparmor.d/profiles-m-r/rngd
@ -1,12 +1,13 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2022 Jeroen Rijken
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,

 include <tunables/global>

-@{exec_path} = /{usr/,}bin/rngd
+@{exec_path} = /{usr/,}{s,}bin/rngd
 profile rngd @{exec_path} {
  include <abstractions/base>
  include <abstractions/devices-usb>
@ -14,18 +15,20 @@ profile rngd @{exec_path} {

  @{exec_path} mr,

+  capability dac_read_search,
  capability sys_admin,
  capability sys_nice,
-  capability dac_read_search,

  network netlink raw,

-  /etc/opensc.conf r,
  /etc/conf.d/rngd r,
+  /etc/opensc.conf r,

  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

+  @{sys}/devices/virtual/misc/hw_random/rng_available r,
+
  @{PROC}/sys/kernel/random/poolsize r,
  @{PROC}/sys/kernel/random/write_wakeup_threshold rw,

--- a/apparmor.d/profiles-m-r/rsyslogd
+++ b/apparmor.d/profiles-m-r/rsyslogd
@ -16,19 +16,12 @@ profile rsyslogd @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice>

-  # Needed to remove the following error:
-  # rsyslogd[]: imklog: cannot open kernel log (/proc/kmsg): Operation not permitted.
+  capability chown,  # For creating new log files and changing their owner/group
+  capability net_admin,  # For remote logs
+  capability setgid,  # For downgrading privileges
+  capability setuid,
  capability syslog,
-
-  # For remote logs
-  capability net_admin,
-
-  # for creating new log files and changing their owner/group
-  capability chown,
-
-  # Needed?
-  deny capability sys_nice,
-
+  
  @{exec_path} mr,

  /{usr/,}lib/@{multiarch}/rsyslog/*.so mr,
@ -41,6 +34,7 @@ profile rsyslogd @{exec_path} {

  owner @{run}/rsyslogd.pid{,.tmp} rwk,
  owner @{run}/systemd/journal/syslog w,
+        @{run}/systemd/notify rw,

  # log files and devices
  /var/log/** rw,
@ -50,5 +44,11 @@ profile rsyslogd @{exec_path} {
  /etc/CA/*.crt r,
  /etc/CA/*.key r,

+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
+  @{run}/systemd/notify w,
+
  include if exists <local/rsyslogd>
 }
--- a/apparmor.d/profiles-m-r/rtkit-daemon
+++ b/apparmor.d/profiles-m-r/rtkit-daemon
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2018-2022 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only

 abi <abi/3.0>,
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} = @{libexec}/rtkit-daemon
 profile rtkit-daemon @{exec_path} {
  include <abstractions/base>
+  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
@ -20,6 +21,25 @@ profile rtkit-daemon @{exec_path} {
  capability sys_nice,
  capability sys_ptrace,

+  dbus (send,receive) bus=system path=/org/freedesktop/RealtimeKit[0-9]
+       interface=org.freedesktop.RealtimeKit[0-9],
+
+  dbus receive bus=system path=/org/freedesktop/RealtimeKit[0-9]
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll},
+
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,GetConnectionUnixUser,GetConnectionUnixProcessID}
+       peer=(name=org.freedesktop.DBus),
+
+  dbus send bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
+       interface=org.freedesktop.PolicyKit[0-9].Authority
+       member=CheckAuthorization,
+
+  dbus bind bus=system 
+       name=org.freedesktop.RealtimeKit[0-9],
+
  @{exec_path} mr,

  # When applying policies to processes
--- a/apparmor.d/profiles-m-r/run-parts
+++ b/apparmor.d/profiles-m-r/run-parts
@ -14,58 +14,136 @@ profile run-parts @{exec_path} {

  @{exec_path} mr,

-  # This is for motd PAM module (see: /etc/pam.d/login) when "noupdate" isn't specified
+  /usr/share/update-notifier/notify-reboot-required rPx,
+
+  # Crontrab
+  /etc/cron.{hourly,daily,weekly,monthly}/                     r,
+  /etc/cron.{hourly,daily,weekly,monthly}/0anacron             rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/apport               rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/apt-compat           rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/apt-listbugs         rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/apt-show-versions    rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/apt-xapian-index     rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/aptitude             rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/bsdmainutils        rPUx,
+  /etc/cron.{hourly,daily,weekly,monthly}/checksecurity       rPUx,
+  /etc/cron.{hourly,daily,weekly,monthly}/cracklib-runtime     rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/debsums              rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/debtags              rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/dlocate              rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/dpkg                rPUx,
+  /etc/cron.{hourly,daily,weekly,monthly}/etckeeper            rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/exim4-base           rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/logrotate            rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/man-db               rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/mlocate              rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/passwd              rPUx,
+  /etc/cron.{hourly,daily,weekly,monthly}/plocate              rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/popularity-contest   rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/spamassassin        rPUx,
+  /etc/cron.{hourly,daily,weekly,monthly}/sysstat              rPx,
+  /etc/cron.{hourly,daily,weekly,monthly}/tor                 rPUx,
+  /etc/cron.{hourly,daily,weekly,monthly}/vrms                rPUx,
+
+  # Network
+  /etc/network/if-down.d/ r,
+  /etc/network/if-down.d/openvpn             rPUx,
+  /etc/network/if-down.d/resolvconf          rPUx,
+  /etc/network/if-down.d/wpasupplicant       rPUx,
+
+  /etc/hostapd/ifupdown.sh                   rPUx,
+  /etc/macchanger/ifupdown.sh                rPUx,
+  /etc/wpa_supplicant/ifupdown.sh            rPUx,
+
+  /etc/network/if-post-down.d/ r,
+  /etc/network/if-post-down.d/bridge         rPUx,
+  /etc/network/if-post-down.d/chrony         rPUx,
+  /etc/network/if-post-down.d/hostapd        rPUx,
+  /etc/network/if-post-down.d/ifenslave      rPUx,
+  /etc/network/if-post-down.d/macchanger     rPUx,
+  /etc/network/if-post-down.d/wireless-tools rPUx,
+  /etc/network/if-post-down.d/wpasupplicant  rPUx,
+
+  /etc/network/if-pre-up.d/ r,
+  /etc/network/if-pre-up.d/bridge            rPUx,
+  /etc/network/if-pre-up.d/ethtool           rPUx,
+  /etc/network/if-pre-up.d/hostapd           rPUx,
+  /etc/network/if-pre-up.d/ifenslave         rPUx,
+  /etc/network/if-pre-up.d/macchanger        rPUx,
+  /etc/network/if-pre-up.d/random-secret     rPUx,
+  /etc/network/if-pre-up.d/wireless-tools    rPUx,
+  /etc/network/if-pre-up.d/wpasupplicant     rPUx,
+
+  /etc/network/if-up.d/ r,
+  /etc/network/if-up.d/*resolvconf           rPUx,
+  /etc/network/if-up.d/avahi-autoipd         rPUx,
+  /etc/network/if-up.d/chrony                rPUx,
+  /etc/network/if-up.d/ethtool               rPUx,
+  /etc/network/if-up.d/ifenslave             rPUx,
+  /etc/network/if-up.d/openvpn               rPUx,
+  /etc/network/if-up.d/postfix               rPUx,
+  /etc/network/if-up.d/ubuntu-fan             rPx,
+  /etc/network/if-up.d/wpasupplicant         rPUx,
+
+  # Motd
  /etc/update-motd.d/ r,
  /etc/update-motd.d/[0-9]*-[a-z]* rCx -> motd,

-  # The "/etc/kernel/" dirs are for the pre/post scripts of the linux-{header,image} packages
+  # Kernel 
  /etc/kernel/header_postinst.d/ r,
-  /etc/kernel/header_postinst.d/dkms      rCx -> kernel-pre-post,
+  /etc/kernel/header_postinst.d/dkms          rCx -> kernel,

  /etc/kernel/postinst.d/ r,
-  /etc/kernel/postinst.d/apt-auto-removal rCx -> kernel-pre-post,
-  /etc/kernel/postinst.d/dkms             rCx -> kernel-pre-post,
-  /etc/kernel/postinst.d/initramfs-tools  rCx -> kernel-pre-post,
-  /etc/kernel/postinst.d/unattended-upgrades rCx -> kernel-pre-post,
-  /etc/kernel/postinst.d/zz-update-grub   rCx -> kernel-pre-post,
+  /etc/kernel/postinst.d/apt-auto-removal     rCx -> kernel,
+  /etc/kernel/postinst.d/dkms                 rCx -> kernel,
+  /etc/kernel/postinst.d/initramfs-tools      rCx -> kernel,
+  /etc/kernel/postinst.d/unattended-upgrades  rCx -> kernel,
+  /etc/kernel/postinst.d/zz-update-grub       rCx -> kernel,
+  /etc/kernel/postinst.d/xx-update-initrd-links rCx -> kernel,

  /etc/kernel/postrm.d/ r,
-  /etc/kernel/postrm.d/initramfs-tools    rCx -> kernel-pre-post,
-  /etc/kernel/postrm.d/zz-update-grub     rCx -> kernel-pre-post,
+  /etc/kernel/postrm.d/initramfs-tools        rCx -> kernel,
+  /etc/kernel/postrm.d/zz-update-grub         rCx -> kernel,

  /etc/kernel/preinst.d/ r,
-  /etc/kernel/preinst.d/intel-microcode   rCx -> kernel-pre-post,
+  /etc/kernel/preinst.d/intel-microcode       rCx -> kernel,

  /etc/kernel/prerm.d/ r,
-  /etc/kernel/prerm.d/dkms                rCx -> kernel-pre-post,
-
-  /etc/molly-guard/run.d/ r,
-  /etc/cron.hourly/ r,
+  /etc/kernel/prerm.d/dkms                    rCx -> kernel,

  owner /tmp/#[0-9]*[0-9] rw,
-
+  owner /tmp/file* rw,

  profile motd {
    include <abstractions/base>

-    / r,
-    /etc/update-motd.d/[0-9]*-[a-z]* r,
-
    /{usr/,}bin/{,ba,da}sh rix,
    /{usr/,}bin/cat        rix,
+    /{usr/,}bin/cut        rix,
+    /{usr/,}bin/find       rix,
+    /{usr/,}bin/grep       rix,
+    /{usr/,}bin/id         rix,
    /{usr/,}bin/tr         rix,
    /{usr/,}bin/uname      rix,

+    /{usr/,}lib/ubuntu-release-upgrader/release-upgrade-motd       rPx,
+    /{usr/,}lib/update-notifier/update-motd-fsck-at-reboot         rPx,
+    /{usr/,}lib/update-notifier/update-motd-reboot-required        rix,
    /usr/share/unattended-upgrades/update-motd-unattended-upgrades rix,

+    / r,
+    /etc/lsb-release r,
+    /etc/update-motd.d/[0-9]*-[a-z]* r,
+
+    /var/lib/update-notifier/updates-available r,
+
  }

-  profile kernel-pre-post {
+  profile kernel {
    include <abstractions/base>
    include <abstractions/consoles>

-    /etc/kernel/header_postinst.d/* r,
-    /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
+    capability sys_module,

    /{usr/,}bin/{,ba,da}sh rix,
    /{usr/,}bin/{,e}grep   rix,
@ -85,17 +163,20 @@ profile run-parts @{exec_path} {
    /{usr/,}bin/uname      rix,
    /{usr/,}bin/which{,.debianutils}      rix,

+    /{usr/,}{s,}bin/dkms                 rPx,
+    /{usr/,}{s,}bin/update-grub          rPUx,
+    /{usr/,}{s,}bin/update-initramfs     rPx,
    /{usr/,}bin/apt-config               rPx,
    /{usr/,}bin/dpkg                     rPx -> child-dpkg,
    /{usr/,}bin/systemd-detect-virt      rPx,
    /{usr/,}lib/dkms/dkms_autoinstaller  rPx,
-    /{usr/,}sbin/dkms                    rPx,
-    /{usr/,}sbin/update-grub             rPUx,
-    /{usr/,}sbin/update-initramfs        rPx,

    /{usr/,}lib/modules/*/updates/ w,
    /{usr/,}lib/modules/*/updates/dkms/ w,

+    /etc/kernel/header_postinst.d/* r,
+    /etc/kernel/{postinst,postrm,preinst,prerm}.d/* r,
+
    # For shell pwd
    / r,
    /boot/ r,
@ -105,7 +186,8 @@ profile run-parts @{exec_path} {
    /etc/modprobe.d/ r,
    /etc/modprobe.d/*.conf r,

-    @{run}/reboot-required.pkgs w,
+    @{run}/reboot-required w,
+    @{run}/reboot-required.pkgs rw,

    @{PROC}/devices r,
    @{PROC}/cmdline r,