update apparmor profiles

apparmor.d/abstractions/X

@@ -22,11 +22,12 @@
   # .Xauthority files required for X connections, per user
   owner @{HOME}/.Xauthority r,
   owner @{HOME}/.local/share/sddm/.Xauthority r,
-  owner /{,var/}run/gdm{,3}/*/database r,
-  owner /{,var/}run/lightdm/authority/[0-9]* r,
-  owner /{,var/}run/lightdm/*/xauthority r,
-  owner /{,var/}run/user/*/gdm/Xauthority r,
-  owner /{,var/}run/user/*/X11/Xauthority r,
+  owner @{run}/gdm{,3}/*/database r,
+  owner @{run}/lightdm/authority/[0-9]* r,
+  owner @{run}/lightdm/*/xauthority r,
+  owner @{run}/user/*/gdm/Xauthority r,
+  owner @{run}/user/*/X11/Xauthority r,
+  owner @{run}/user/*/xauth_* r,
 
   # the unix socket to use to connect to the display
   /tmp/.X11-unix/* rw,

apparmor.d/abstractions/dbus-network-manager-strict

@@ -0,0 +1,45 @@
+# vim:syntax=apparmor
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager
+       interface=org.freedesktop.NetworkManager
+       member=GetDevices
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Devices/[0-9]*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Settings
+       interface=org.freedesktop.NetworkManager.Settings
+       member={GetDevices,ListConnections}
+       peer=(name=org.freedesktop.NetworkManager),
+
+  dbus send
+       bus=system
+       path=/org/freedesktop/NetworkManager/Settings/[0-9]*
+       interface=org.freedesktop.NetworkManager.Settings.Connection
+       member=GetSettings
+       peer=(name=org.freedesktop.NetworkManager),
+
+  #include if exists <abstractions/dbus-network-manager-strict.d>

apparmor.d/abstractions/deny-dconf

@@ -16,7 +16,7 @@
   # When this is blocked, expect lots of the following errors:
   #  dconf-CRITICAL **: unable to create file '/run/user/1000/dconf/user': Permission denied.
   #  dconf will not work properly.
-  deny owner /{var/,}run/user/[0-9]*/dconf/{,**} rw,
+  deny owner @{run}/user/[0-9]*/dconf/{,**} rw,
 
   deny owner @{HOME}/.config/dconf/{,**} rw,
   deny owner @{HOME}/.cache/dconf/{,**} rw,

apparmor.d/abstractions/disks-read

@@ -60,27 +60,27 @@
   # changes, it's better to allow the whole range (240-254) instead of the single major numbers
   # visible in the /proc/devices file.
   # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
-  /{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
 
-  /{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
-  /{var/,}run/udev/data/b11:[0-9]*  r, # for /dev/sr*
-  /{var/,}run/udev/data/b8:[0-9]*   r, # for /dev/sd*
-  /{var/,}run/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
+  @{run}/udev/data/b11:[0-9]*  r, # for /dev/sr*
+  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*
+  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
 
-  /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
 
-  /{var/,}run/udev/data/+usb:*      r, # for ?
+  @{run}/udev/data/+usb:*      r, # for ?

apparmor.d/abstractions/disks-write

@@ -60,27 +60,27 @@
   # changes, it's better to allow the whole range (240-254) instead of the single major numbers
   # visible in the /proc/devices file.
   # [1]: https://raw.githubusercontent.com/torvalds/linux/master/Documentation/admin-guide/devices.txt
-  /{var/,}run/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
-  /{var/,}run/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b254:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b253:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b252:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b251:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b250:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b249:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b248:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b247:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b246:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b245:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b244:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b243:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b242:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b241:[0-9]* r, # for dynamic kernel assignment of block devices
+  @{run}/udev/data/b240:[0-9]* r, # for dynamic kernel assignment of block devices
 
-  /{var/,}run/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
-  /{var/,}run/udev/data/b11:[0-9]*  r, # for /dev/sr*
-  /{var/,}run/udev/data/b8:[0-9]*   r, # for /dev/sd*
-  /{var/,}run/udev/data/b7:[0-9]*   r, # for /dev/loop*
+  @{run}/udev/data/b179:[0-9]* r, # for /dev/mmcblk*
+  @{run}/udev/data/b11:[0-9]*  r, # for /dev/sr*
+  @{run}/udev/data/b8:[0-9]*   r, # for /dev/sd*
+  @{run}/udev/data/b7:[0-9]*   r, # for /dev/loop*
 
-  /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
+  @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/**
 
-  /{var/,}run/udev/data/+usb:*      r, # for ?
+  @{run}/udev/data/+usb:*      r, # for ?

apparmor.d/abstractions/exo-open

@@ -65,7 +65,10 @@
   /usr/share/{xfce{,4},xubuntu}/applications/{,*.list} r,
 
   # User files
-  owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{HOME}/.config/xfce4/helpers.rc r,
+  owner @{HOME}/.local/share/xfce4/helpers/*.desktop r,
+
+  # Include additions to the abstraction
+  #include if exists <abstractions/exo-open.d>

apparmor.d/abstractions/fonts

@@ -14,8 +14,7 @@
 
   /usr/lib/xorg/modules/fonts/**.so*    mr,
 
-  /usr/share/fonts/                     r,
-  /usr/share/fonts/**                   r,
+  /usr/share/fonts/{,**}                r,
   /usr/share/fonts-*/{,**}              r,
 
   /etc/fonts/**                         r,

apparmor.d/abstractions/gio-open

@@ -52,3 +52,6 @@
   owner @{HOME}/.config/mimeapps.list r,
   owner @{HOME}/.local/share/applications/{,*.desktop} r,
   owner @{PROC}/@{pid}/fd/ r,
+
+  # Include additions to the abstraction
+  #include if exists <abstractions/gio-open.d>

apparmor.d/abstractions/gnome

@@ -26,6 +26,7 @@
   /usr/lib/@{multiarch}/gtk-[0-9]*/** mr,
   /usr/share/themes/              r,
   /usr/share/themes/**            r,
+  /usr/share/gtk-3.0/settings.ini r,
 
   # for gnome 1 applications
   /etc/orbitrc                    r,
@@ -87,6 +88,7 @@
   /usr/share/gvfs/remote-volume-monitors/  r,
   /usr/share/gvfs/remote-volume-monitors/* r,
   @{PROC}/@{pid}/mounts                    r,
+  /run/mount/utab                          r,
 
   # printing
   /etc/papersize                   r,

apparmor.d/abstractions/gvfs-open

@@ -40,3 +40,6 @@
 
   /usr/bin/gvfs-open r,
   /{,usr/}bin/dash mr,
+
+  # Include additions to the abstraction
+  #include if exists <abstractions/gvfs-open.d>

apparmor.d/abstractions/hosts_access

@@ -0,0 +1,13 @@
+# vim:syntax=apparmor
+# ------------------------------------------------------------------
+#
+#    Copyright (C) 2020 Canonical Ltd.
+#
+#    This program is free software; you can redistribute it and/or
+#    modify it under the terms of version 2 of the GNU General Public
+#    License published by the Free Software Foundation.
+#
+# ------------------------------------------------------------------
+
+  /etc/hosts.deny r,
+  /etc/hosts.allow r,

apparmor.d/abstractions/kde-open5

@@ -33,7 +33,7 @@
 #
 #   # Add if audio support for message box is
 #   # considered as required.
-#   include if exists <abstractions/gstreamer>
+#   #include if exists <abstractions/gstreamer>
 #
 #   # < add additional allowed applications here >
 # }
@@ -100,3 +100,5 @@
   owner /{,var/}run/user/[0-9]*/kioclient*slave-socket lrw -> /{,var/}/run/user/[0-9]/#[0-9]*, # for KIO::Slave::holdSlave(QString const&, QUrl const&) () from libKF5KIOCore.so (not 100% sure)
   owner @{HOME}/.cache/kio_http/ rw,
 
+  # Include additions to the abstraction
+  #include if exists <abstractions/kde-open5.d>

apparmor.d/abstractions/kde5-plasma5

@@ -28,8 +28,8 @@
   # includes this abstraction)
   #owner @{HOME}/.config/#[0-9]*[0-9] rwk,
   #owner @{HOME}/.config/@{KDE_APP_NAME}rc* rwlk -> @{HOME}/.config/#[0-9]*[0-9],
-  #owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw,
-  #owner /{var/,}run/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9],
+  #owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
+  #owner @{run}/user/[0-9]*/@{KDE_APP_NAME}*.slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
 
   # Common KDE config files
   #owner @{HOME}/.config/#[0-9]*[0-9] rw,
@@ -57,9 +57,9 @@
   #deny @{sys}/bus/ r,
   #deny @{sys}/bus/usb/devices/ r,
   #deny @{sys}/class/ r,
-  #deny /{var/,}run/udev/data/b8:[0-9]* r,   # for /dev/sda1 , etc.
-  #deny /{var/,}run/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
-  #deny /{var/,}run/udev/data/+usb:* r,      #
+  #deny @{run}/udev/data/b8:[0-9]* r,   # for /dev/sda1 , etc.
+  #deny @{run}/udev/data/c189:[0-9]* r, # for /dev/bus/usb/001/001 , etc.
+  #deny @{run}/udev/data/+usb:* r,      #
   #/etc/exports r,
   #/etc/xdg/menus/ r,
   #/usr/share/mime/ r,

apparmor.d/abstractions/mdns

@@ -9,5 +9,6 @@
 # ------------------------------------------------------------------
 
   # mdnsd
+  /etc/mdns.allow r,
   /etc/nss_mdns.conf r,
   /{,var/}run/mdnsd w,

apparmor.d/abstractions/nameservice

@@ -30,8 +30,8 @@
   /var/lib/extrausers/passwd r,
 
   # NSS records from systemd-userdbd.service
-  /{,var/}run/systemd/userdb/ r,
-  /{,var/}run/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
+  @{run}/systemd/userdb/ r,
+  @{run}/systemd/userdb/io.systemd.{NameServiceSwitch,Multiplexer,DynamicUser,Home} r,
   @{PROC}/sys/kernel/random/boot_id r,
 
   # When using sssd, the passwd and group files are stored in an alternate path

apparmor.d/abstractions/postfix-common

@@ -1,7 +1,8 @@
 # ------------------------------------------------------------------
 #
 #    Copyright (C) 2002-2005 Novell/SUSE
-#    Copyright (C) 2015 Canonical, Ltd.
+#    Copyright (C) 2015-2018 Canonical, Ltd.
+#    Copyright (C) 2020 Christian Boltz
 #
 #    This program is free software; you can redistribute it and/or
 #    modify it under the terms of version 2 of the GNU General Public
@@ -31,6 +32,7 @@
   /usr/lib{,32,64}/sasl2/     r,
   /usr/lib/@{multiarch}/sasl2/*      mr,
   /usr/lib/@{multiarch}/sasl2/       r,
+  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 
   /var/spool/postfix/etc/*        r,
   /var/spool/postfix/lib/lib*.so* mr,

apparmor.d/abstractions/trash

@@ -16,8 +16,8 @@
   owner @{HOME}/.config/#[0-9]*[0-9] rwk,
   owner @{HOME}/.config/trashrc.* rwl -> @{HOME}/.config/#[0-9]*[0-9],
 
-  owner /{var/,}run/user/[0-9]*/#[0-9]*[0-9] rw,
-  owner /{var/,}run/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> /{var/,}run/user/[0-9]*/#[0-9]*[0-9],
+  owner @{run}/user/[0-9]*/#[0-9]*[0-9] rw,
+  owner @{run}/user/[0-9]*/trash.so*.[0-9].slave-socket rwl -> @{run}/user/[0-9]*/#[0-9]*[0-9],
 
   # Home trash location
   owner @{HOME}/.local/share/Trash/ rw,

apparmor.d/abstractions/vulkan

@@ -3,10 +3,15 @@
 
   # System files
   /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
+  /etc/glvnd/egl_vendor.d/{*,.json} r,
   /etc/vulkan/icd.d/{,*.json} r,
   /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
   # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
   @{sys}/devices/pci[0-9]*/*/drm/ r,
+  @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+  @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+  @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so
+  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
   /usr/share/vulkan/icd.d/{,*.json} r,
   /usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
 

apparmor.d/abstractions/wayland

@@ -12,6 +12,6 @@
 
   #abi <abi/3.0>,
 
-  owner /{,var/}run/user/[0-9]*/weston-shared-* rw,
-  owner /{,var/}run/user/[0-9]*/wayland-[0-9]* rw,
-  owner /{,var/}run/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,
+  owner @{run}/user/[0-9]*/weston-shared-* rw,
+  owner @{run}/user/[0-9]*/wayland-[0-9]* rw,
+  owner @{run}/user/[0-9]*/{mesa,mutter,sdl,wayland-cursor,weston,xwayland}-shared-* rw,

apparmor.d/abstractions/xdg-open

@@ -24,7 +24,7 @@
 #
 #   # Enable gstreamer support if considered required by
 #   # profile author for (rare) error message boxes.
-#   include if exists <abstractions/gstreamer>
+#   #include if exists <abstractions/gstreamer>
 #
 #   # needed for ubuntu-* abstractions
 #   #include <abstractions/ubuntu-helpers>
@@ -79,3 +79,6 @@
   # Usr files
 
   owner @{HOME}/.local/share/applications/{,*.desktop} r,
+
+  # Include additions to the abstraction
+  #include if exists <abstractions/xdg-open.d>