feat(profile): update gnome profiles.

apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter

@@ -11,6 +11,8 @@
 
   abi <abi/4.0>,
 
+  unix type=stream peer=(label=gnome-keyring-daemon),
+
   dbus send bus=session path=/org/gnome/keyring/Prompter
        interface=org.gnome.keyring.internal.Prompter
        member={BeginPrompting,PerformPrompt,StopPrompting}

apparmor.d/groups/gnome/evolution-addressbook-factory

@@ -27,7 +27,9 @@ profile evolution-addressbook-factory @{exec_path} {
   network netlink raw,
 
   #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBook@{int}
+  #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookCursor
   #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookFactory
+  #aa:dbus own bus=session name=org.gnome.evolution.dataserver.AddressBookView
 
   dbus (send, receive) bus=session path=/org/gnome/evolution/dataserver/**
        interface=org.gnome.evolution.dataserver.*

apparmor.d/groups/gnome/evolution-calendar-factory

@@ -12,6 +12,7 @@ profile evolution-calendar-factory @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/org.gtk.vfs.Metadata>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
   include <abstractions/gschemas>

apparmor.d/groups/gnome/gdm

@@ -17,6 +17,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   capability chown,
   capability dac_override,
   capability dac_read_search,
+  capability fowner,
   capability fsetid,
   capability kill,
   capability net_admin,
@@ -54,6 +55,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   /usr/share/wayland-sessions/*.desktop r,
   /usr/share/xsessions/*.desktop r,
 
+  /etc/.pwd.lock rwk,
   /etc/default/locale r,
   /etc/gdm{3,}/custom.conf r,
   /etc/gdm{3,}/daemon.conf r,
@@ -66,18 +68,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 
   /var/log/gdm{3,}/ rw,
 
-  owner @{GDM_HOME}/block-initial-setup rw,
+  @{GDM_HOME}/ rw,
+  @{GDM_HOME}/** rw,
 
-        @{run}/gdm{3,}/greeter/ rw,
+        @{run}/gdm{,3}/ rw,
-        @{run}/systemd/seats/seat@{int} r,
+  owner @{run}/gdm{,3}.pid rw,
-        @{run}/systemd/sessions/* r,
+  owner @{run}/gdm{,3}/dbus/ rw,
-        @{run}/systemd/users/@{uid} r,
+  owner @{run}/gdm{,3}/dbus/dbus-@{rand8} rw,
-  owner @{run}/gdm{3,}.pid rw,
+
-  owner @{run}/gdm{3,}/ rw,
+  @{run}/systemd/seats/seat@{int} r,
-  owner @{run}/gdm{3,}/custom.conf r,
+  @{run}/systemd/sessions/* r,
-  owner @{run}/gdm{3,}/dbus/ w,
+  @{run}/systemd/users/@{uid} r,
-  owner @{run}/gdm{3,}/dbus/dbus-@{rand8} w,
-  owner @{run}/gdm{3,}/gdm.pid rw,
 
   @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
   @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)

apparmor.d/groups/gnome/gdm-generate-config

@@ -44,8 +44,9 @@ profile gdm-generate-config @{exec_path} {
   @{PROC}/ r,
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/@{pids}/cmdline r,
-  @{PROC}/@{pids}/status r,
   @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pids}/status r,
+  @{PROC}/tty/drivers r,
   @{PROC}/uptime r,
 
   profile pgrep {

apparmor.d/groups/gnome/gio-launch-desktop

@@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 
   @{bin}/gnome-terminal     rPUx,
   @{lib}/gio-launch-desktop  rix,
+  @{lib}/*/** rPx,
+  @{lib}/* rPx,
 
   owner @{HOME}/{,**} rw,
 

apparmor.d/groups/gnome/gnome-calculator

@@ -20,6 +20,8 @@ profile gnome-calculator @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
+  #aa:dbus own bus=session name=org.gnome.Calculator
+
   @{exec_path} mr,
 
   @{open_path}  rPx -> child-open-help,

apparmor.d/groups/gnome/gnome-calendar

@@ -24,20 +24,19 @@ profile gnome-calendar @{exec_path} {
 
   #aa:dbus own bus=session name=org.gnome.Calendar
 
+  #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
+
   #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.AddressBook@{int} label=evolution-addressbook-factory
+  #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar path=/org/gnome/evolution/dataserver/ label=evolution-calendar-factory
   #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Calendar@{int} label=evolution-calendar-factory
+  #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarFactory label=evolution-calendar-factory
   #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.CalendarView label=evolution-calendar-factory
-  #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source label=evolution-source-registry
+  #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Source path=/org/gnome/evolution/dataserver/ label=evolution-source-registry
-  #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Sources@{int} label=evolution-source-registry
+  #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.SourceManager label=evolution-source-registry
+  #aa:dbus talk bus=session name=org.gnome.evolution.dataserver.Subprocess label=evolution-calendar-factory
   #aa:dbus talk bus=session name=org.gnome.OnlineAccounts label=goa-daemon
   #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Color label=gsd-color
   #aa:dbus talk bus=session name=org.gnome.Shell.SearchProvider2 path=/org/gnome/Calendar/SearchProvider label=gnome-shell
-  #aa:dbus talk bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
-
-  dbus send bus=session path=/org/gnome/evolution/dataserver/SourceManager{,/**}
-       interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects
-       peer=(name=:*, label=evolution-source-registry),
 
   @{exec_path} mr,
   @{open_path}  rPx -> child-open-help,

apparmor.d/groups/gnome/gnome-control-center

@@ -41,10 +41,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   #aa:dbus own bus=session name=org.gnome.Settings
   #aa:dbus own bus=session name=org.bluez.obex.Agent1
 
+  #aa:dbus talk bus=session name=org.bluez.AgentManager1 label=bluetoothd
   #aa:dbus talk bus=session name=org.bluez.obex label=obexd
   #aa:dbus talk bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
   #aa:dbus talk bus=session name=org.gnome.Mutter label=gnome-shell
-  #aa:dbus talk bus=session name=org.gnome.SessionManager label=gnome-session-binary
+  #aa:dbus talk bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}"
   #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label="gsd-*"
   #aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
 
@@ -53,6 +54,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   #aa:dbus talk bus=system name=net.reactivated.Fprint.Manager label="@{p_fprintd}"
   #aa:dbus talk bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
   #aa:dbus talk bus=system name=org.freedesktop.bolt1 label=boltd
+  #aa:dbus talk bus=system name=org.freedesktop.ColorManager label=colord
   #aa:dbus talk bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
   #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
   #aa:dbus talk bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
@@ -63,6 +65,11 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   #aa:dbus talk bus=system name=org.freedesktop.UPower label="@{p_upowerd}"
   #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
 
+  dbus send bus=system path=/org/freedesktop
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name=@{busname}, label=NetworkManager),
+
   @{exec_path} mr,
 
   @{bin}/@{shells}     rUx,

apparmor.d/groups/gnome/gnome-disk-image-mounter

@@ -9,10 +9,17 @@ include <tunables/global>
 @{exec_path} = @{bin}/gnome-disk-image-mounter
 profile gnome-disk-image-mounter @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
   include <abstractions/deny-sensitive-home>
   include <abstractions/gnome-strict>
 
+  #aa:dbus talk bus=system name=org.freedesktop.UDisks2 label=udisksd
+
   @{exec_path} mr,
 
   # Allow to mount user files

apparmor.d/groups/gnome/gnome-extension-ding

@@ -58,8 +58,8 @@ profile gnome-extension-ding @{exec_path} {
   @{share_dirs}/{,**} r,
   /usr/share/thumbnailers/{,*.thumbnailer} r,
 
-  owner @{HOME}/@{XDG_TEMPLATES_DIR}/ r,
+  owner @{user_desktop_dirs}/ r,
-  owner @{HOME}/@{XDG_DESKTOP_DIR}/ r,
+  owner @{user_templates_dirs}/ r,
 
   owner @{user_share_dirs}/nautilus/scripts/ r,
 

apparmor.d/groups/gnome/gnome-extension-gsconnect

@@ -75,6 +75,7 @@ profile gnome-extension-gsconnect @{exec_path} {
 
   owner @{run}/user/@{uid}/gsconnect/{,**} rw,
   owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
+  owner @{run}/user/@{uid}/keyring/ssh rw,
 
   @{sys}/devices/virtual/dmi/id/chassis_type r,
 

apparmor.d/groups/gnome/gnome-keyring-daemon

@@ -19,12 +19,15 @@ profile gnome-keyring-daemon @{exec_path} flags=(attach_disconnected) {
 
   capability ipc_lock,
 
-  signal (receive) set=(term) peer=gdm,
+  signal receive set=(term) peer=gdm,
-  signal (send) set=(term) peer=ssh-agent,
+  signal send set=(term) peer=ssh-agent,
+
+  unix type=stream peer=(label=snap.*),
 
   #aa:dbus own bus=session name=org.gnome.keyring
   #aa:dbus own bus=session name=org.freedesktop.{S,s}ecret{,s}
-  #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret
+  #aa:dbus own bus=session name=org.freedesktop.impl.portal.Secret path=/org/freedesktop/portal/desktop
+  #aa:dbus talk bus=session name=org.freedesktop.impl.portal.Request path=/org/freedesktop/portal/desktop/ label=xdg-desktop-portal
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/gnome/gnome-session

@@ -16,6 +16,14 @@ profile gnome-session @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/shells>
 
+  signal receive set=term peer=gdm,
+  signal receive set=term peer=gdm-session,
+
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
   @{exec_path} mrix,
 
   @{shells_path}               rix,
@@ -64,6 +72,8 @@ profile gnome-session @{exec_path} {
 
   owner @{HOME}/ r,
 
+  owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
+
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid r,

apparmor.d/groups/gnome/gnome-shell

@@ -24,13 +24,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/bus/org.freedesktop.GeoClue2>
   include <abstractions/bus/org.freedesktop.impl.portal.PermissionStore>
   include <abstractions/bus/org.freedesktop.locale1>
-  include <abstractions/bus/org.freedesktop.login1.Session>
   include <abstractions/bus/org.freedesktop.PackageKit>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.freedesktop.RealtimeKit1>
   include <abstractions/bus/org.freedesktop.secrets>
   include <abstractions/bus/org.freedesktop.systemd1>
   include <abstractions/bus/org.freedesktop.UPower>
+  include <abstractions/bus/org.gnome.keyring.internal.Prompter>
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/camera>
   include <abstractions/dconf-write>
@@ -72,6 +72,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   #aa:dbus own bus=session name=org.gnome.Shell
 
   #aa:dbus own bus=session name=com.canonical.{U,u}nity
+  #aa:dbus own bus=session name=com.canonical.dbusmenu path=/{,com/canonical/dbusmenu}
   #aa:dbus own bus=session name=com.rastersoft.dingextension
   #aa:dbus own bus=session name=org.ayatana.NotificationItem
   #aa:dbus own bus=session name=org.freedesktop.a11y.Manager
@@ -79,6 +80,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   #aa:dbus own bus=session name=org.gtk.MountOperationHandler
   #aa:dbus own bus=session name=org.gtk.Notifications
   #aa:dbus own bus=session name=org.kde.StatusNotifierWatcher path=/StatusNotifierWatcher
+  #aa:dbus own bus=session name=com.canonical.Shell.PermissionPrompting
 
   # Talk with gnome-shell
 
@@ -87,32 +89,19 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   #aa:dbus talk bus=system name=org.freedesktop.ColorManager label="@{p_colord}"
   #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
   #aa:dbus talk bus=system name=org.freedesktop.NetworkManager label=NetworkManager
+  #aa:dbus talk bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
   #aa:dbus talk bus=system name=org.freedesktop.UPower.PowerProfiles label="@{p_power_profiles_daemon}"
   #aa:dbus talk bus=system name=org.gnome.DisplayManager label=gdm
 
   #aa:dbus talk bus=session name=com.rastersoft.ding label=gnome-extension-ding
+  #aa:dbus talk bus=session name=org.freedesktop.Notifications label=gjs
   #aa:dbus talk bus=session name=org.gnome.* label=gnome-*
-  #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label="*"
+  #aa:dbus talk bus=session name=org.gnome.*.SearchProvider interface+=org.gnome.Shell.SearchProvider2 label=*
   #aa:dbus talk bus=session name=org.gnome.Nautilus label=nautilus
   #aa:dbus talk bus=session name=org.gnome.ScreenSaver label=gjs-console
   #aa:dbus talk bus=session name=org.gnome.SettingsDaemon.* label=gsd-*
   #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
 
-  # System bus
-
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.PolicyKit1.Authority
-       member=RegisterAuthenticationAgent
-       peer=(name=:*, label="@{p_polkitd}"),
-  dbus receive bus=system path=/org/freedesktop/PolicyKit1/AuthenticationAgent
-       interface=org.freedesktop.PolicyKit1.AuthenticationAgent
-       member=BeginAuthentication
-       peer=(name=:*, label="@{p_polkitd}"),
-
-  dbus send bus=system path=/org/freedesktop/NetworkManager/AgentManager
-       interface=org.freedesktop.NetworkManager.AgentManager
-       member={RegisterWithCapabilities,Unregister}
-       peer=(name=:*, label=NetworkManager),
 
   # Session bus
 
@@ -156,7 +145,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   dbus send bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
-       peer=(name=:*),
+       peer=(name=@{busname}),
   dbus send bus=session
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
@@ -181,8 +170,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{sh_path}                                              rCx -> shell,
   @{bin}/pkexec                                           rCx -> pkexec,
-  @{lib}/gio-launch-desktop                               rCx -> open,
   @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop  rCx -> open,
+  @{lib}/gio-launch-desktop                               rCx -> open,
+  @{python_path}                                          rCx -> python,
 
   @{user_share_dirs}/gnome-shell/extensions/*/**       rPUx,
   /usr/share/gnome-shell/extensions/*/**               rPUx,
@@ -278,15 +268,16 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,
   owner @{user_share_dirs}/icons/**/org.gnome.Shell.*.svg{,.@{rand6}} w,
 
-  owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,
   owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-* r,
   owner @{user_cache_dirs}/gnome-boxes/*.png r,
   owner @{user_cache_dirs}/gnome-photos/{,**} r,
   owner @{user_cache_dirs}/gnome-screenshot/{,**} rw,
   owner @{user_cache_dirs}/gnome-software/icons/{,**} r,
+  owner @{user_cache_dirs}/gsconnect/@{hex32} r,
   owner @{user_cache_dirs}/libgweather/{,**} rw,
   owner @{user_cache_dirs}/media-art/{,**} r,
   owner @{user_cache_dirs}/vlc/**/*.jpg r,
+  owner @{user_share_dirs}/applications/org.gnome.Shell.*.desktop{,.@{rand6}} rw,
 
         @{run}/gdm{3,}/dbus/dbus-@{rand8} rw,
   owner @{run}/user/@{uid}/app/*/*.@{rand6} r,
@@ -337,7 +328,9 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{sys}/class/net/ r,
   @{sys}/class/power_supply/ r,
   @{sys}/devices/@{pci}/boot_vga r,
+  @{sys}/devices/@{pci}/gpu_busy_percent r,
   @{sys}/devices/@{pci}/input@{int}/{properties,name} r,
+  @{sys}/devices/@{pci}/mem_info_vram_* r,
   @{sys}/devices/@{pci}/net/*/statistics/collisions r,
   @{sys}/devices/@{pci}/net/*/statistics/rx_{bytes,errors,packets} r,
   @{sys}/devices/@{pci}/net/*/statistics/tx_{bytes,errors,packets} r,
@@ -351,6 +344,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{sys}/devices/**/power_supply/{,**} r,
   @{sys}/devices/platform/**/input@{int}/{properties,name} r,
   @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/net/*/statistics/collisions r,
   @{sys}/devices/virtual/net/*/statistics/rx_{bytes,errors,packets} r,
   @{sys}/devices/virtual/net/*/statistics/tx_{bytes,errors,packets} r,
@@ -431,6 +426,15 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
     include if exists <local/gnome-shell_pkexec>
   }
 
+  profile python {
+    include <abstractions/base>
+    include <abstractions/python>
+
+    # /usr/share/gnome-shell/extensions/{,**}
+
+    include if exists <local/gnome-shell_python>
+  }
+
   profile open flags=(attach_disconnected,mediate_deleted,complain) {
     include <abstractions/base>
     include <abstractions/mesa>

apparmor.d/groups/gnome/gnome-software

@@ -45,6 +45,7 @@ profile gnome-software @{exec_path} {
   @{bin}/baobab              rPUx,
   @{bin}/bwrap               rPx -> flatpak-app,
   @{bin}/fusermount{,3}      rCx -> fusermount,
+  @{bin}/gnome-control-center rPx,
   @{bin}/gpg{,2}             rCx -> gpg,
   @{bin}/gpgconf             rCx -> gpg,
   @{bin}/gpgsm               rCx -> gpg,

apparmor.d/groups/gnome/gnome-text-editor

@@ -10,6 +10,7 @@ include <tunables/global>
 profile gnome-text-editor @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus/org.freedesktop.FileManager1>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/common/gnome>
   include <abstractions/enchant>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gnome/gsd-housekeeping

@@ -11,9 +11,9 @@ profile gsd-housekeeping @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
   include <abstractions/bus-session>
-  include <abstractions/bus/session/org.freedesktop.systemd1>
   include <abstractions/bus/org.gnome.SessionManager>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/bus/session/org.freedesktop.systemd1>
   include <abstractions/consoles>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>

apparmor.d/groups/gnome/gsd-power

@@ -40,16 +40,22 @@ profile gsd-power @{exec_path} flags=(attach_disconnected) {
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Power
 
   #aa:dbus talk bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
+  #aa:dbus talk bus=session name=org.gnome.Shell.Brightness label=gnome-shell
 
   dbus send bus=system path=/org/freedesktop/UPower/KbdBacklight
        interface=org.freedesktop.UPower.KbdBacklight
        member=GetBrightness
-       peer=(name=:*, label="@{p_upowerd}"),
+       peer=(name=@{busname}, label="@{p_upowerd}"),
 
   dbus receive bus=session path=/org/gtk/Settings
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged
-       peer=(name=:*, label=gsd-xsettings),
+       peer=(name=@{busname}, label=gsd-xsettings),
+
+  dbus send bus=system path=/org/freedesktop/login1
+       interface=org.freedesktop.login1.Manager
+       member=Suspend
+       peer=(name=@{busname}, label="@{p_systemd_logind}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/gsd-print-notifications

@@ -30,7 +30,7 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
 
   dbus receive bus=system path=/org/cups/cupsd/Notifier
        interface=org.cups.cupsd.Notifier
-       member={ServerStarted,PrinterDeleted,PrinterStopped}
+       member={ServerStarted,PrinterDeleted,PrinterStateChanged,PrinterStopped,PrinterAdded}
        peer=(name=@{busname}, label=cups-notifier-dbus),
 
   dbus receive bus=session

apparmor.d/groups/gnome/gsd-sharing

@@ -31,6 +31,11 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
        member=Introspect
        peer=(name=:*, label=gnome-shell),
 
+  dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/3
+       interface=org.freedesktop.NetworkManager.VPN.Connection
+       member=VpnStateChanged
+       peer=(name=@{busname}, label=NetworkManager),
+
   @{exec_path} mr,
 
   /usr/share/dconf/profile/gdm r,

apparmor.d/groups/gnome/gsd-usb-protection

@@ -16,6 +16,11 @@ profile gsd-usb-protection @{exec_path} {
 
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.UsbProtection
 
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
   @{exec_path} mr,
 
   include if exists <local/gsd-usb-protection>

apparmor.d/groups/gnome/kgx

@@ -39,6 +39,7 @@ profile kgx @{exec_path} {
         @{PROC}/ r,
         @{PROC}/@{pids}/cmdline r,
         @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/status r,
         @{PROC}/1/cgroup r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,

apparmor.d/groups/gnome/localsearch

@@ -47,6 +47,8 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
   /usr/share/osinfo/{,**} r,
   /usr/share/poppler/{,**} r,
 
+  /etc/fstab r,
+
   # Allow to search user files
   owner @{HOME}/ r,
   owner @{HOME}/{,**} r,
@@ -57,6 +59,11 @@ profile localsearch @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/tracker3/files/ rw,
   owner @{user_cache_dirs}/tracker3/files/** rwk,
 
+  owner @{GDM_HOME}/ r,
+  owner @{GDM_HOME}/*/ r,
+  owner @{gdm_cache_dirs}/tracker3/{,**} rwk,
+  owner @{gdm_config_dirs}/user-dirs.dirs r,
+
   @{run}/mount/utab r,
 
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511

apparmor.d/groups/gnome/mutter-x11-frames

@@ -29,6 +29,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
   /usr/share/gdm/greeter-dconf-defaults r,
 
   owner @{GDM_HOME}/greeter-dconf-defaults r,
+  owner @{gdm_cache_dirs}//fontconfig/ rw,
   owner @{gdm_cache_dirs}/fontconfig/@{hex32}-*.cache-?{,.NEW,.LCK,.TMP-@{rand6}} rwl,
   owner @{gdm_config_dirs}/dconf/user r,
 

apparmor.d/groups/gnome/nautilus

@@ -66,6 +66,15 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
        member=NameHasOwner
        peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
+  dbus send bus=session
+       interface=org.freedesktop.Application
+       member=Open,
+
+  dbus send bus=session path=/org/gnome/Nautilus
+       interface=org.gtk.Application
+       member={CommandLine,DescribeAll}
+       peer=(name=org.gnome.Nautilus, label=nautilus),
+
   @{exec_path} mr,
 
   @{sh_path}                 rix,

apparmor.d/groups/gnome/papers

@@ -20,18 +20,27 @@ profile papers @{exec_path} flags=(attach_disconnected) {
 
   #aa:dbus talk bus=session name=org.gtk.vfs label="gvfsd{,-*}"
 
+  dbus send bus=session path=/org/freedesktop/portal/desktop/session/1_4509/gtk1155412026
+       interface=org.freedesktop.portal.Session
+       member=Close
+       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
+
   @{exec_path} mr,
 
   @{open_path}  Cx -> open,
 
   /usr/share/poppler/{,**} r,
 
+  /etc/passwd r,
+
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
   owner @{HOME}/.mozilla/firefox/*/pkcs11.txt rw,
   owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db-journal rw,
 
+        /tmp/ r,
+        /var/tmp/ r,
   owner @{tmp}/.goutputstream-@{rand6} rw,
   owner @{tmp}/papers-@{int}/{,**} rw,
   owner @{tmp}/gtkprint_@{rand6} rw,

apparmor.d/groups/gnome/ptyxis

@@ -16,7 +16,7 @@ profile ptyxis @{exec_path} {
 
   unix type=stream peer=(label=ptyxis-agent),
 
-  #aa:dbus own bus=session name=org.gnome.Ptyxis
+  #aa:dbus own bus=session name=org.gnome.Ptyxis interface+=org.freedesktop.Application
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/ptyxis-agent

@@ -16,10 +16,12 @@ profile ptyxis-agent @{exec_path} {
   include <abstractions/gschemas>
   include <abstractions/nameservice-strict>
 
-  signal send set=hup peer=unconfined,
+  signal send set=hup peer=@{p_systemd},
 
   ptrace read,
 
+  unix type=stream peer=(label=ptyxis),
+
   @{exec_path} mr,
 
   @{bin}/podman       Px,
@@ -42,8 +44,15 @@ profile ptyxis-agent @{exec_path} {
     unix bind type=stream addr=@@{udbus}/bus/systemd-run/,
 
     @{bin}/systemd-run mr,
+
+    # The shell is not confined on purpose.
     @{bin}/@{shells}   Ux,
 
+    # Some CLI program can be launched directly from Gnome Shell
+    @{bin}/htop                 Px,
+    @{bin}/micro               PUx,
+    @{bin}/nvtop                Px,
+
     owner @{run}/user/@{uid}/systemd/private rw,
 
     include if exists <local/ptyxis-agent_shell>

apparmor.d/groups/gnome/tracker-extract

@@ -13,6 +13,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/bus/org.gtk.vfs.Daemon>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/camera>
   include <abstractions/dconf-write>
   include <abstractions/deny-sensitive-home>
   include <abstractions/disks-read>
@@ -20,6 +21,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/gstreamer>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
 
   network netlink raw,
@@ -73,9 +75,6 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
-  /dev/media@{int} r,
-  /dev/video@{int} rw,
-
   # file_inherit
   owner /dev/tty@{int} rw,
 

apparmor.d/groups/gnome/tracker-miner

@@ -15,11 +15,13 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor>
   include <abstractions/bus/org.gtk.vfs.Daemon>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
+  include <abstractions/camera>
   include <abstractions/dconf-write>
   include <abstractions/deny-sensitive-home>
   include <abstractions/disks-read>
   include <abstractions/gnome-strict>
   include <abstractions/gstreamer>
+  include <abstractions/media-control>
   include <abstractions/nameservice-strict>
   include <abstractions/sqlite>
 
@@ -86,8 +88,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
-        /dev/media@{int} rw,
-        /dev/video@{int} rw,
   owner /dev/tty@{int} rw,
 
   include if exists <local/tracker-miner>

apparmor.d/tunables/multiarch.d/system-users

@@ -5,7 +5,7 @@
 # Define some extra paths for some commonly used system user
 
 # Full path of the GDM configuration directories
-@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/home/{,gdm-}greeter/
+@{GDM_HOME}=/var/lib/gdm{,3}/ @{run}/gdm{,3}/{,home/}{,gdm-}greeter/
 @{gdm_cache_dirs}=@{GDM_HOME}/.cache/
 @{gdm_config_dirs}=@{GDM_HOME}/.config/
 @{gdm_local_dirs}=@{GDM_HOME}/.local/