feat(profiles): general update.

2022-09-24 18:06:06 +01:00 · 2022-09-24 18:06:06 +01:00 · f2989321eb
commit f2989321eb
parent ae6cecde52
37 changed files with 120 additions and 32 deletions
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -11,19 +12,23 @@ include <tunables/global>
@{exec_path} += /{usr/,}lib/command-not-found
 profile command-not-found @{exec_path} {
  include <abstractions/base>
  include <abstractions/python>
  include <abstractions/nameservice-strict>
  include <abstractions/apt-common>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/python>
  @{exec_path} r,
  /{usr/,}bin/python3.[0-9]* r,
  /{usr/,}bin/lsb_release rPx -> lsb_release,
  /{usr/,}bin/snap rPx,
  /var/lib/command-not-found/commands.db rwk,
  /usr/share/command-not-found/{,**} r,
  owner @{PROC}/@{pid}/fd/ r,
  # Silencer
  deny /usr/lib/ r,
--- a/apparmor.d/groups/browsers/firefox
+++ b/apparmor.d/groups/browsers/firefox
@ -251,10 +251,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
       owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
       owner @{PROC}/@{pid}/mountinfo r,
       owner @{PROC}/@{pid}/mounts r,
       owner @{PROC}/@{pid}/oom_score_adj w,
       owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
       owner @{PROC}/@{pid}/task/ r,
       owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
       owner @{PROC}/@{pid}/task/@{tid}/comm rw,
       owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
  deny owner @{PROC}/@{pid}/smaps r,
  deny owner @{PROC}/@{pid}/stat r,
  deny owner @{PROC}/@{pid}/statm r,
--- a/apparmor.d/groups/freedesktop/polkitd
+++ b/apparmor.d/groups/freedesktop/polkitd
@ -22,8 +22,8 @@ profile polkitd @{exec_path} {
  ptrace (read),
-  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
+  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/*
-       interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members
+       interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members
  dbus (send) bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
@ -31,7 +31,7 @@ profile polkitd @{exec_path} {
       peer=(name=org.freedesktop.DBus),
  dbus (bind) bus=system
-       name=org.freedesktop.PolicyKit[0-9],
+       name=org.freedesktop.PolicyKit1,
  @{exec_path} mr,
--- a/apparmor.d/groups/freedesktop/xdg-desktop-portal
+++ b/apparmor.d/groups/freedesktop/xdg-desktop-portal
@ -49,6 +49,7 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
  # Allowed apps to open
  /{usr/,}bin/firefox rPx -> firefox,
  /{usr/,}bin/nautilus rPx,
  / r,
  /.flatpak-info r,
--- a/apparmor.d/groups/freedesktop/xdg-email
+++ b/apparmor.d/groups/freedesktop/xdg-email
@ -14,8 +14,10 @@ profile xdg-email @{exec_path} flags=(complain) {
  @{exec_path}  r,
  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/gio         rPx,
  /{usr/,}bin/{,e}grep    rix,
  /{usr/,}bin/basename    rix,
  /{usr/,}bin/gio         rPx,
  /{usr/,}bin/readlink    rix,
  /{usr/,}bin/sed         rix,
  /{usr/,}bin/which       rix,
  /{usr/,}bin/xdg-mime    rPx,
--- a/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
+++ b/apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update
@ -13,6 +13,7 @@ profile xdg-user-dirs-gtk-update @{exec_path} {
  @{exec_path} mr,
  owner @{user_config_dirs}/gtk-3.0/bookmarks* rw,
  owner @{user_config_dirs}/user-dirs.dirs r,
  owner @{user_config_dirs}/user-dirs.locale r,
--- a/apparmor.d/groups/gnome/gio-launch-desktop
+++ b/apparmor.d/groups/gnome/gio-launch-desktop
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
--- a/apparmor.d/groups/gnome/gnome-control-center
+++ b/apparmor.d/groups/gnome/gnome-control-center
@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
  /{usr/,}bin/bwrap                                  rPUx,
  /{usr/,}bin/openvpn                                 rPx,
  /{usr/,}bin/passwd                                  rPx,
  /{usr/,}bin/software-properties-gtk                 rPx,
  /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
  /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
  /usr/share/language-tools/language2locale           rix,
--- a/apparmor.d/groups/gnome/gnome-extension-ding
+++ b/apparmor.d/groups/gnome/gnome-extension-ding
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
 profile gnome-extension-ding @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
--- a/apparmor.d/groups/gnome/gnome-shell
+++ b/apparmor.d/groups/gnome/gnome-shell
@ -164,13 +164,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  @{run}/udev/data/c226:[0-9]* r,   # for /dev/dri/card* 
  @{run}/udev/data/n[0-9]* r,
  @{sys}/**/uevent r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/hwmon/ r,
  @{sys}/class/input/ r,
  @{sys}/class/net/ r,
  @{sys}/class/power_supply/ r,
  @{sys}/**/uevent r,
  @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
  @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
@ -180,6 +180,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
  @{sys}/devices/pci[0-9]*/**/drm/ r,
  @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
  @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
  @{sys}/devices/system/cpu/possible r,
  @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
--- a/apparmor.d/groups/gnome/gnome-terminal-server
+++ b/apparmor.d/groups/gnome/gnome-terminal-server
@ -17,6 +17,7 @@ profile gnome-terminal-server @{exec_path} {
  include <abstractions/gtk>
  signal (send) set=(term hup kill) peer=unconfined,
  ptrace (read) peer=unconfined,
  @{exec_path} mr,
--- a/apparmor.d/groups/gnome/gsd-print-notifications
+++ b/apparmor.d/groups/gnome/gsd-print-notifications
@ -38,6 +38,12 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.Avahi.Server
       member=StateChanged,
  dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/*}
       interface={org.freedesktop.DBus.Properties,org.gnome.SessionManager},
  dbus bind bus=session
       name=org.gnome.SettingsDaemon.PrintNotifications,
  @{exec_path} mr,
  @{libexec}/gsd-printer rPx,
--- a/apparmor.d/groups/gnome/gsd-sharing
+++ b/apparmor.d/groups/gnome/gsd-sharing
@ -36,6 +36,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
       interface=org.freedesktop.NetworkManager
       member=CheckPermissions,
  dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
       interface=org.freedesktop.NetworkManager.Connection.Active
       member=StateChanged,
  @{exec_path} mr,
  /usr/share/dconf/profile/gdm r,
--- a/apparmor.d/groups/gnome/tracker-extract
+++ b/apparmor.d/groups/gnome/tracker-extract
@ -59,6 +59,8 @@ profile tracker-extract @{exec_path} {
  @{run}/udev/data/c51[0-9]:[0-9]* r,
  @{run}/mount/utab r,
  @{sys}/devices/system/cpu/possible r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mountinfo r,
@ -67,5 +69,7 @@ profile tracker-extract @{exec_path} {
  /dev/media[0-9]* r,
  /dev/video[0-9]* rw,
  deny owner @{user_share_dirs}/gvfs-metadata/** r,
  include if exists <local/tracker-extract>
 }
--- a/apparmor.d/groups/gvfs/gvfsd
+++ b/apparmor.d/groups/gvfs/gvfsd
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd
 profile gvfsd @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>
  @{exec_path} mr,
--- a/apparmor.d/groups/gvfs/gvfsd-fuse
+++ b/apparmor.d/groups/gvfs/gvfsd-fuse
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-fuse
 profile gvfsd-fuse @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>
  unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),
--- a/apparmor.d/groups/gvfs/gvfsd-metadata
+++ b/apparmor.d/groups/gvfs/gvfsd-metadata
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-metadata
 profile gvfsd-metadata @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>
  include <abstractions/disks-read>
--- a/apparmor.d/groups/gvfs/gvfsd-trash
+++ b/apparmor.d/groups/gvfs/gvfsd-trash
@ -11,6 +11,7 @@ include <tunables/global>
@{exec_path} += @{libexec}/gvfsd-trash
 profile gvfsd-trash @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-gtk>
  include <abstractions/dbus-session-strict>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/groups/network/mullvad-daemon
+++ b/apparmor.d/groups/network/mullvad-daemon
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon"
-profile mullvad-daemon @{exec_path} {
+profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
@ -29,6 +29,9 @@ profile mullvad-daemon @{exec_path} {
  @{exec_path} mr,
  /{usr/,}bin/ip  rix,
  "/opt/Mullvad VPN/resources/openvpn" rix,
  "/opt/Mullvad VPN/resources/*" r,
  /etc/mullvad-vpn/{,*} r,
@ -47,8 +50,13 @@ profile mullvad-daemon @{exec_path} {
  @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  owner /tmp/@{uuid} rw,
  owner /tmp/talpid-openvpn-@{uuid} rw,
  owner @{PROC}/@{pid}/mounts r,
        @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
  /dev/net/tun rw,
  include if exists <local/mullvad-daemon>
 }
--- a/apparmor.d/groups/network/tailscaled
+++ b/apparmor.d/groups/network/tailscaled
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}{,s}bin/tailscaled
-profile tailscaled @{exec_path} {
+profile tailscaled @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
@ -22,6 +22,8 @@ profile tailscaled @{exec_path} {
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network inet raw,
  network inet6 raw,
  network netlink raw,
  ptrace (read),
@ -39,8 +41,9 @@ profile tailscaled @{exec_path} {
  /etc/resolv.conf rw,
  /etc/resolv.conf.*.tmp rw,
  owner /var/lib/tailscale/{,**} rw,
  owner @{run}/tailscale/{,**} rw,
  owner /var/cache/{,**} rw,
  owner /var/lib/tailscale/{,**} rw,
  @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
--- a/apparmor.d/groups/pacman/pacman
+++ b/apparmor.d/groups/pacman/pacman
@ -91,6 +91,7 @@ profile pacman @{exec_path} {
  /{usr/,}bin/mkinitcpio                  rPx,
  /{usr/,}bin/pacdiff                     rPx,
  /{usr/,}bin/pacman-key                  rPx,
  /{usr/,}bin/sbctl                       rPx,
  /{usr/,}bin/sysctl                      rPx,
  /{usr/,}bin/systemctl                   rPx -> child-systemctl,
  /{usr/,}bin/systemd-*                   rPx,
@ -121,7 +122,7 @@ profile pacman @{exec_path} {
  owner /var/lib/pacman/{,**} rwl,
  owner /tmp/alpm_*/{,**} rw,
-  owner /tmp/checkup-db-[0-9]*/sync/{,*.db.part} rw,
+  owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw,
  owner /tmp/checkup-db-[0-9]*/db.lck rw,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/ubuntu/check-new-release-gtk
+++ b/apparmor.d/groups/ubuntu/check-new-release-gtk
@ -12,6 +12,7 @@ profile check-new-release-gtk @{exec_path} {
  include <abstractions/apt-common>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
--- a/apparmor.d/groups/ubuntu/livepatch-notification
+++ b/apparmor.d/groups/ubuntu/livepatch-notification
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = /{usr/,}lib/update-notifier/livepatch-notification
 profile livepatch-notification @{exec_path} {
  include <abstractions/base>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/gtk>
--- a/apparmor.d/groups/ubuntu/software-properties-dbus
+++ b/apparmor.d/groups/ubuntu/software-properties-dbus
@ -42,6 +42,7 @@ profile software-properties-dbus @{exec_path} {
  /usr/share/xml/iso-codes/{,**} r,
  owner /tmp/[a-z0-9]* rw,
  owner /tmp/_[a-z0-9]* rw,
  owner /tmp/tmp*/{,apt.conf} rw,
  owner @{PROC}/@{pid}/fd/ r,
--- a/apparmor.d/groups/ubuntu/update-notifier
+++ b/apparmor.d/groups/ubuntu/update-notifier
@ -11,6 +11,7 @@ profile update-notifier @{exec_path} {
  include <abstractions/base>
  include <abstractions/apt-common>
  include <abstractions/audio>
  include <abstractions/dbus-session-strict>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/gtk>
@ -18,6 +19,9 @@ profile update-notifier @{exec_path} {
  include <abstractions/openssl>
  include <abstractions/python>
  dbus receive bus=session path=/org/ayatana/NotificationItem/*
       member={GetLayout,GetGroupProperties,GetAll,AboutToShow},
  @{exec_path} mr,
  /{usr/,}bin/{,ba,da}sh                              rix,
--- a/apparmor.d/groups/virt/libvirtd
+++ b/apparmor.d/groups/virt/libvirtd
@ -3,11 +3,13 @@
 # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
-# Based on Libvirt Apparmor profile, it is largelly restricted from th
+# Based on Libvirt Apparmor profile, it is largelly restricted from it.
 # As upstream profile mostly focus on confining the guests. Not libvirt itself.
 # It uses a lot of profiles provided by apparmor.d
 # Source: https://gitlab.com/libvirt/libvirt/-/blob/master/src/security/apparmor/usr.sbin.libvirtd.in
 # Warning: Such a profile is limited as it gives access to a lot of resources.
 abi <abi/3.0>,
 include <tunables/global>
@ -213,9 +215,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
  @{sys}/fs/cgroup/net_cls/machine.slice/ rw,
  @{sys}/fs/cgroup/net_cls/machine.slice/machine-qemu*.scope/{,**} rw,
-  owner @{PROC}/@{pid}/mounts r,
+        @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/net/ip_tables_names r,
        @{PROC}/@{pid}/net/route r,
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/net/dev r,
@ -227,10 +227,13 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
        @{PROC}/devices r,
        @{PROC}/mtrr w,
        @{PROC}/sys/net/ipv{4,6}/** rw,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/net/ip_tables_names r,
  /dev/dri/ r,
  /dev/hugepages/{,**} w,
-  /dev/kvm r,
+  /dev/kvm rw,
  /dev/mapper/ r,
  /dev/mapper/control rw,
  /dev/net/tun rw,
@ -268,5 +271,6 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
    /dev/net/tun rw,
  }
  include if exists <usr/libvirtd>
  include if exists <local/libvirtd>
 }
--- a/apparmor.d/profiles-a-f/blueman
+++ b/apparmor.d/profiles-a-f/blueman
@ -29,7 +29,8 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
  @{exec_path} mrix,
-  /{usr/,}bin/{b,d}ash      rix,
+  /{usr/,}bin/{b,d}ash            rix,
  /{usr/,}lib/gio-launch-desktop  rix,
  /{usr/,}bin/blueman-tray  rPx,
  /{usr/,}bin/xdg-open      rCx -> open,
--- a/apparmor.d/profiles-g-l/git
+++ b/apparmor.d/profiles-g-l/git
@ -67,6 +67,7 @@ profile git @{exec_path} {
  /{usr/,}bin/man         rPx,
  /{usr/,}bin/meld       rPUx,
  /{usr/,}lib/code/extensions/git/dist/askpass.sh rPx,
  /{usr/,}lib/code/extensions/git/dist/git-editor.sh rPx,
  /usr/share/aurpublish/*.hook rPx,
  /{usr/,}bin/gpg             rCx -> gpg,
--- a/apparmor.d/profiles-g-l/glxinfo
+++ b/apparmor.d/profiles-g-l/glxinfo
@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -14,10 +15,10 @@ profile glxinfo @{exec_path} {
  include <abstractions/mesa>
  include <abstractions/nameservice-strict>
  include <abstractions/opencl>
  include <abstractions/vulkan>
  capability sys_admin,
-  # Needed?
+  audit capability sys_nice,
  deny capability sys_nice,
  @{exec_path} mr,
--- a/apparmor.d/profiles-g-l/gtk-update-icon-cache
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache
@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
@ -22,6 +22,10 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
  /var/lib/flatpak/exports/share/icons/hicolor/.icon-theme.cache rw,
  /var/lib/flatpak/exports/share/icons/hicolor/icon-theme.cache w,
  owner @{user_share_dirs}/** r,
  owner @{user_share_dirs}/**/.icon-theme.cache rw,
  owner @{user_share_dirs}/**/icon-theme.cache rw,
  deny /apparmor/.null rw,
  include if exists <local/gtk-update-icon-cache>
--- a/apparmor.d/profiles-g-l/lspci
+++ b/apparmor.d/profiles-g-l/lspci
@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
@{exec_path} = /{usr/,}bin/lspci
-profile lspci @{exec_path} {
+profile lspci @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
--- a/apparmor.d/profiles-m-r/mtools
+++ b/apparmor.d/profiles-m-r/mtools
@ -28,6 +28,8 @@ profile mtools @{exec_path} {
  owner @{MOUNTS}/**.{iso,img,bin,mdf,nrg} rwk,
  owner @{HOME}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
  owner @{MOUNTS}/**.{ISO,IMG,BIN,MDF,NRG} rwk,
  owner /dev/shm/*/**.{iso,img,bin,mdf,nrg} rwk,
  owner /dev/shm/*/**.{ISO,IMG,BIN,MDF,NRG} rwk,
  include if exists <local/mtools>
 }
--- a/apparmor.d/profiles-s-z/snap
+++ b/apparmor.d/profiles-s-z/snap
@ -9,9 +9,10 @@ include <tunables/global>
@{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/snap
 profile snap @{exec_path} {
  include <abstractions/base>
  include <abstractions/nameservice-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/consoles>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/nameservice-strict>
  @{exec_path} mrix,
--- a/apparmor.d/profiles-s-z/snap-seccomp
+++ b/apparmor.d/profiles-s-z/snap-seccomp
@ -22,9 +22,9 @@ profile snap-seccomp @{exec_path} {
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  deny @{user_share_dirs}/gvfs-metadata/* r,
  owner @{PROC}/@{pids}/mountinfo r,
  deny @{user_share_dirs}/gvfs-metadata/* r,
  include if exists <local/snap-seccomp>
 }
--- a/apparmor.d/profiles-s-z/spice-vdagent
+++ b/apparmor.d/profiles-s-z/spice-vdagent
@ -15,6 +15,15 @@ profile spice-vdagent @{exec_path} {
  include <abstractions/gtk>
  include <abstractions/X-strict>
  dbus send bus=session path=/org/a11y/bus
       interface=org.a11y.Bus
       member=GetAddress
       peer=(name=org.a11y.Bus),
  dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
       interface=org.gnome.Mutter.DisplayConfig
       member=GetCurrentState,
  @{exec_path} mr,
  /etc/pipewire/client.conf r,
--- a/apparmor.d/profiles-s-z/steam
+++ b/apparmor.d/profiles-s-z/steam
@ -81,6 +81,7 @@ profile steam @{exec_path} {
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*driverquery rix,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fossilize_replay rPx,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui rpx,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/panorama/** rm,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper rpx,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam rix,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix,
@ -107,6 +108,9 @@ profile steam @{exec_path} {
  /{usr/,}lib{,32,64}/ r,
  /etc/ r,
  /home/ r,
  /run/ r,
  /usr/bin/ r,
  /var/ r,
  owner @{HOME}/ r,
  owner @{HOME}/.local/ r,
@ -115,6 +119,8 @@ profile steam @{exec_path} {
  owner @{HOME}/.steampath rw,
  owner @{HOME}/.steampid rw,
  owner @{user_games_dirs}/{,**} rwkl,
  owner @{user_config_dirs}/ r,
  owner @{user_config_dirs}/autostart/ r,
  owner @{user_config_dirs}/unity3d/{,**} rwk,
@ -136,10 +142,11 @@ profile steam @{exec_path} {
  owner /tmp/dumps/ rw,
  owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw,
-  owner /tmp/sh-thd.* rw,
+  owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
  owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
  owner /tmp/miles_image_* mrw,
  owner /tmp/runtime-info.txt.* rw,
  owner /tmp/sh-thd.* rw,
  owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
  @{run}/udev/data/+input* r,      # for mouse, keyboard, touchpad
  @{run}/udev/data/+sound* r,
--- a/apparmor.d/profiles-s-z/steam-game
+++ b/apparmor.d/profiles-s-z/steam-game
@ -25,7 +25,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  include <abstractions/audio>
  include <abstractions/devices-usb>
  include <abstractions/dri-common>
  include <abstractions/dri-common>
  include <abstractions/dri-enumerate>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
@ -108,6 +107,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm,
  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix,
  @{user_games_dirs}/*/* mr,
  @{user_games_dirs}/*/**.dll mr,
  @{run}/host/usr/bin/ldconfig rix,
  @{run}/host/usr/lib{,32,64}/**.so* rm,
  @{run}/host/usr/bin/localedef rix,
@ -136,6 +138,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  owner @{HOME}/.steam/steam.pid r,
  owner @{HOME}/.steam/steam.pipe r,
  owner @{user_games_dirs}/{,*/} r,
  owner @{user_games_dirs}/*/{,**} rwkl,
  owner @{user_config_dirs}/ r,
  owner @{user_config_dirs}/unity3d/{,**} rwk,
@ -151,7 +156,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  owner @{user_share_dirs}/Steam/steamapps/common/*/ r,
  owner @{user_share_dirs}/Steam/steamapps/common/*/** rwkl,
  owner @{user_share_dirs}/Steam/steamapps/common/Proton*/files/share/{,**} r,
-  owner @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/{,**} rwk,
+  owner @{user_share_dirs}/Steam/steamapps/compatdata/{,**} rwk,
  owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk,
  owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
@ -161,6 +166,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
  owner @{run}/pressure-vessel/{,**} rw,
  owner @{run}/user/@{uid}/ r,
  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
  owner @{run}/user/@{uid}/orcexec.* mrw,  # gstreamer
  owner /dev/shm/#[0-9]* rw,
  owner /dev/shm/mono.* rw,
@ -206,12 +212,13 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
        @{PROC}/sys/kernel/overflowuid r,
        @{PROC}/uptime r,
        @{PROC}/version r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/gid_map rw,
  owner @{PROC}/@{pid}/mountinfo r,
  owner @{PROC}/@{pid}/mounts r,
  owner @{PROC}/@{pid}/setgroups rw,
  owner @{PROC}/@{pid}/stat r,
  owner @{PROC}/@{pid}/task/ r,
  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
  owner @{PROC}/@{pid}/task/@{tid}/stat r,