Merge branch 'main' into feat/update

apparmor.d/groups/freedesktop/accounts-daemon

@@ -75,7 +75,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
   # wtmp.d ?
   /var/log/wtmp r,
 
-  owner /tmp/gnome-control-center-user-icon-@{rand6} rw,
+  owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw,
 
   include if exists <local/accounts-daemon>
 }

apparmor.d/groups/freedesktop/dconf-service

@@ -14,7 +14,7 @@ profile dconf-service @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dconf-write>
 
   signal (receive) set=(term kill hup) peer=dbus-session,
-  signal (receive) set=(term hup) peer=gdm,
+  signal (receive) set=(term hup) peer=gdm{,-session-worker},
 
   #aa:dbus own bus=session name=ca.desrt.dconf
 

apparmor.d/groups/freedesktop/pipewire

@@ -49,7 +49,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 
   owner @{user_config_dirs}/pipewire/{,**} r,
 
-  owner /tmp/librnnoise-@{int}.so rm,
+  owner @{tmp}/librnnoise-@{int}.so rm,
 
   owner @{run}/user/@{uid}/pipewire-@{int} rw,
   owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,

apparmor.d/groups/freedesktop/pipewire-pulse

@@ -32,7 +32,7 @@ profile pipewire-pulse @{exec_path} flags=(attach_disconnected) {
   /.flatpak-info r,
 
   owner @{run}/user/@{uid}/pulse/pid w,
-  owner /tmp/librnnoise-@{int}.so rm,
+  owner @{tmp}/librnnoise-@{int}.so rm,
 
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,

apparmor.d/groups/freedesktop/plymouthd

@@ -10,7 +10,8 @@ include <tunables/global>
 profile plymouthd @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
-  include <abstractions/dri-common>
+  include <abstractions/dri>
+  include <abstractions/fonts>
 
   capability checkpoint_restore,
   capability dac_override,
@@ -52,7 +53,6 @@ profile plymouthd @{exec_path} {
   @{sys}/class/ r,
   @{sys}/class/drm/ r,
   @{sys}/class/graphics/ r,
-  @{sys}/devices/@{pci}/{,uevent,vendor,device} r,
   @{sys}/devices/virtual/graphics/fbcon/uevent r,
   @{sys}/devices/virtual/tty/console/active r,
   @{sys}/firmware/acpi/bgrt/{,*} r,

apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent

@@ -12,7 +12,6 @@ include <tunables/global>
 @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
 profile polkit-gnome-authentication-agent @{exec_path} {
   include <abstractions/base>
-  include <abstractions/graphics>
   include <abstractions/gnome-strict>
 
   @{exec_path} mr,

apparmor.d/groups/freedesktop/polkit-kde-authentication-agent

@@ -37,8 +37,8 @@ profile polkit-kde-authentication-agent @{exec_path} flags=(attach_disconnected)
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
-  owner /tmp/#@{int} rw,
-  owner /tmp/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
+  owner @{tmp}/#@{int} rw,
+  owner @{tmp}/polkit-kde-authentication-agent-[0-9].* rwl -> /tmp/#@{int},
   # owner /tmp/xauth_@{rand6} r,
 
   /dev/shm/#@{int} rw,

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -78,12 +78,9 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
 
   /var/lib/gdm{,3}/greeter-dconf-defaults r,
 
-  /var/lib/flatpak/exports/share/mime/mime.cache r,
-  /var/lib/flatpak/exports/share/applications/{**,} r,
-
   @{user_config_dirs}/kioslaverc r,
 
-  owner /tmp/icon* rw,
+  owner @{tmp}/icon* rw,
 
   owner @{run}/user/@{uid}/.flatpak/{,*/*} r,
   owner @{run}/user/@{uid}/pipewire-@{int} rw,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -72,8 +72,8 @@ profile xdg-desktop-portal-gnome @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/*/{,**} rw,
 
-  owner /tmp/.goutputstream-@{rand6} rw,
-  owner /tmp/@{rand6} rw,
+  owner @{tmp}/.goutputstream-@{rand6} rw,
+  owner @{tmp}/@{rand6} rw,
 
   @{run}/mount/utab r,
 

apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk

@@ -62,12 +62,9 @@ profile xdg-desktop-portal-gtk @{exec_path} {
   owner @{HOME}/.icons/{,**} r,
   owner @{HOME}/@{XDG_DATA_DIR}/ r,
 
-  owner /tmp/runtime-*/xauth_@{rand6} r,
+  owner @{tmp}/runtime-*/xauth_@{rand6} r,
 
-        @{run}/mount/utab r,
-        @{run}/user/@{uid}/xauth_@{rand6} rl,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  @{run}/mount/utab r,
 
   owner @{PROC}/@{pid}/mountinfo r,
 

apparmor.d/groups/freedesktop/xdg-icon-resource

@@ -33,7 +33,7 @@ profile xdg-icon-resource @{exec_path} flags=(attach_disconnected) {
   /usr/share/icons/*/.xdg-icon-resource-dummy rw,
   /usr/share/terminfo/** r,
 
-  owner /tmp/.com.google.Chrome.*/chrome-*.png r,
+  owner @{tmp}/.com.google.Chrome.*/chrome-*.png r,
 
   owner @{user_share_dirs}/icons/**/apps/chrome-*.png rw,
   owner @{user_share_dirs}/icons/**/.xdg-icon-resource-dummy rw,

apparmor.d/groups/freedesktop/xdg-screensaver

@@ -36,7 +36,7 @@ profile xdg-screensaver @{exec_path} {
 
   owner @{HOME}/ r,
   owner @{HOME}/.Xauthority r,
-  owner /tmp/xauth-@{int}-_[0-9] r,
+  owner @{tmp}/xauth-@{int}-_[0-9] r,
 
   owner @{run}/user/@{uid}/ r,
 

apparmor.d/groups/freedesktop/xkbcomp

@@ -31,7 +31,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
 
   owner @{run}/user/@{uid}/server-@{int}.xkm rwk,
 
-  owner /tmp/server-@{int}.xkm rwk,
+  owner @{tmp}/server-@{int}.xkm rwk,
 
   /dev/dri/card@{int} rw,
   /dev/fb@{int} rw,

apparmor.d/groups/freedesktop/xorg

@@ -83,10 +83,10 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
 
         /tmp/ r,
         /tmp/server-@{int}.xkm rw,
-  owner /tmp/.tX@{int}-lock rwk,
-  owner /tmp/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock,
-  owner /tmp/server-* rwk,
-  owner /tmp/serverauth.* r,
+  owner @{tmp}/.tX@{int}-lock rwk,
+  owner @{tmp}/.X@{int}-lock rwkl -> /tmp/.tX@{int}-lock,
+  owner @{tmp}/server-* rwk,
+  owner @{tmp}/serverauth.* r,
 
   @{sys}/bus/ r,
   @{sys}/bus/pci/devices/ r,

apparmor.d/groups/freedesktop/xprop

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/xprop
-profile xprop @{exec_path} {
+profile xprop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/freedesktop.org>
   include <abstractions/X-strict>

apparmor.d/groups/freedesktop/xrdb

@@ -37,12 +37,12 @@ profile xrdb @{exec_path} {
 
   owner @{user_share_dirs}/sddm/wayland-session.log w,
 
-  owner /tmp/kcminit.* r,
-  owner /tmp/kded{5,6}.@{rand6} r,
-  owner /tmp/plasma-apply-lookandfeel.* r,
-  owner /tmp/runtime-*/xauth_@{rand6} r,
-  owner /tmp/startplasma-x11.@{rand6} r,
-  owner /tmp/xauth-@{int}-_[0-9] r,
+  owner @{tmp}/kcminit.* r,
+  owner @{tmp}/kded{5,6}.@{rand6} r,
+  owner @{tmp}/plasma-apply-lookandfeel.* r,
+  owner @{tmp}/runtime-*/xauth_@{rand6} r,
+  owner @{tmp}/startplasma-x11.@{rand6} r,
+  owner @{tmp}/xauth-@{int}-_[0-9] r,
 
   @{run}/sddm/\{@{uuid}\} r,
   @{run}/sddm/xauth_@{rand6} r,

apparmor.d/groups/freedesktop/xsetroot

@@ -14,6 +14,8 @@ profile xsetroot @{exec_path} {
 
   capability dac_read_search,
 
+  signal (receive) set=(kill) peer=sddm,
+
   @{exec_path} mr,
 
   /usr/share/icons/{,**} r,
@@ -27,7 +29,7 @@ profile xsetroot @{exec_path} {
   owner @{user_share_dirs}/sddm/xorg-session.log w,
   owner @{user_share_dirs}/sddm/wayland-session.log w,
 
-  owner /tmp/xauth_@{rand6} r,
+  owner @{tmp}/xauth_@{rand6} r,
 
   @{run}/sddm/\{@{uuid}\} r,
   @{run}/user/@{uid}/xauth_@{rand6} rl,

apparmor.d/groups/freedesktop/xwayland

@@ -26,7 +26,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
   /usr/share/fonts/{,**} r,
   /usr/share/ghostscript/fonts/{,**} r,
 
-  owner /tmp/server-@{int}.xkm rwk,
+  owner @{tmp}/server-@{int}.xkm rwk,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,
   owner @{run}/user/@{uid}/server-@{int}.xkm rw,
   owner @{run}/user/@{uid}/xwayland-shared-@{rand6} rw,