Merge branch 'master' into unbreaking_debian

.github/workflows/main.yml

@@ -31,3 +31,6 @@ jobs:
 
       - name: Show AppArmor log
         run: sudo aa-log
+
+      - name: Show Number of loaded profile
+        run: sudo aa-status --profiled

Makefile

@@ -0,0 +1,34 @@
+#!/usr/bin/make -f
+
+PKGNAME := apparmor.d
+
+.PHONY: install lint archlinux debian ubuntu whonix clean
+
+all:
+	@echo "Nothing to do."
+
+install:
+	@echo "Nothing to do."
+
+lint:
+	@shellcheck --shell=bash \
+		PKGBUILD configure pick dists/build/build.sh \
+		debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
+
+archlinux:
+	@bash dists/build/build.sh archlinux
+
+debian:
+	@bash dists/build/build.sh debian
+
+ubuntu:
+	@bash dists/build/build.sh ubuntu
+
+whonix:
+	@bash dists/build/build.sh whonix
+
+clean:
+	@rm -rf \
+		debian/.debhelper debian/debhelper* debian/*.debhelper \
+		${PKGNAME}-*.pkg.tar.zst.sig ${PKGNAME}-*.pkg.tar.zst \
+		${PKGNAME}_*.* .build

PKGBUILD

@@ -20,7 +20,7 @@ prepare() {
   git clone "$startdir" "$srcdir/$pkgname"
   cd "$srcdir/$pkgname"
 
-  ./configure
+  ./configure --complain
 }
 
 build() {

README.md

@@ -11,7 +11,7 @@
 
 ## Description 
 
-A set of over 1200 AppArmor profiles which aims is to confine most of Linux base
+A set of over 1400 AppArmor profiles which aims is to confine most of Linux base
 applications and processes.
 
 **Goals & Purpose**
@@ -44,6 +44,8 @@ This is fundamentally different from how AppArmor is used on Linux server as it
 
 ## Installation
 
+> **Warning**: In order to not break your system, the default package configuration install all profiles in complain mode. They can be enforced later. See [Enforce Mode](#enfore-mode)
+
 **Requirements**
 * An `apparmor` based linux distribution.
 * Base profiles and abstractions shipped with AppArmor are supposed to be
@@ -53,8 +55,10 @@ This is fundamentally different from how AppArmor is used on Linux server as it
 
 **Archlinux**
 
-Build and install the package with:
+`apparmor.d-git` is available in the [Arch User Repository][aur]:
 ```sh
+git clone https://aur.archlinux.org/apparmor.d-git.git
+cd apparmor.d-git
 makepkg -s
 sudo pacman -U apparmor.d-*.pkg.tar.zst \
   --overwrite etc/apparmor.d/tunables/global \
@@ -62,20 +66,21 @@ sudo pacman -U apparmor.d-*.pkg.tar.zst \
   --overwrite etc/apparmor.d/abstractions/trash
 ```
 
-> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
+> **Note**: The overwrite options are only required on the first install. You can use `yay` or your preferred AUR install method to update it.
+
+The `PKGBUILD` included in this repository is intended for development only.
 
 **Debian / Ubuntu**
 
 Build using standard Debian package build tools:
 ```sh
 sudo apt install apparmor-profiles build-essential config-package-dev debhelper golang-go rsync git
-git clone https://github.com/roddhjav/apparmor.d.git && cd apparmor.d
+git clone https://github.com/roddhjav/apparmor.d.git
+cd apparmor.d
 dpkg-buildpackage -b -d --no-sign
 sudo dpkg -i ../apparmor.d_*_all.deb
 ```
 
-> **Warning**: for a first install, it is recommanded to install all profiles in complain mode. See [Complain mode](#troubleshooting)
-
 **Partial install**
 
 For test purpose, you can install a specific profile with the following commands. The tool will also install required abstractions and tunables:
@@ -162,18 +167,17 @@ profile, create a file `/etc/apparmor.d/local/gnome-shell` and add your rules.
 Then, reload the apparmor rules with `sudo systemctl restart apparmor`.
 
 
-## Troubleshooting
+## Enfore Mode
 
-**Complain mode**
+The default package configuration installs all profile in *complain* mode.
-
+You can easily switch to *enforce* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules` on Debian and remove the `--complain` option to the configure script. Then build the package as usual:
-On first install and for test purposes, it is recommended to pass all profiles
+```diff
-in *complain* mode. To do this, edit `PKGBUILD` on Archlinux or `debian/rules`
+-  ./configure --complain
-on Debian and add the `--complain` option to the configure script. Then build
++  ./configure
-the package as usual:
-```sh
-./configure --complain 
 ```
 
+## Troubleshooting
+
 **AppArmor messages**
 
 Ensure that `auditd` is installed and running on your system in order to read
@@ -208,7 +212,7 @@ is the process to recover your system on Archlinux:
 
 A full test suite to ensure compatibility across distributions and softwares is still a work in progress.
 
-Here an overview of the current CI jobs:
+Here is an overview of the current CI jobs:
 
 **On Gitlab CI**
 - Package build for all supported distribution
@@ -256,6 +260,7 @@ with this program; if not, write to the Free Software Foundation, Inc.,
 [quality]: https://img.shields.io/badge/go%20report-A+-brightgreen.svg?style=flat-square
 [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d
 
+[aur]: https://aur.archlinux.org/packages/apparmor.d-git
 [android_model]: https://arxiv.org/pdf/1904.05572
 [clipos]: https://clip-os.org/en/
 [Speed up AppArmor Start]: https://wiki.archlinux.org/title/AppArmor#Speed-up_AppArmor_start_by_caching_profiles

apparmor.d/abstractions/app-launcher-user

@@ -13,6 +13,10 @@
   /usr/local/bin/              r,
   /usr/local/bin/[a-zA-Z0-9]*  rPUx,
 
+  # All apps in opt
+  /opt/*/                 r,
+  /opt/*/[a-zA-Z0-9]*    rPUx,
+
   # Firefox
   /{usr/,}lib/                 r,
   /{usr/,}lib/firefox/         r,
@@ -34,10 +38,4 @@
   /usr/share/discord/        r,
   /usr/share/discord/Discord rPx,
 
-  # FreeTube
-  /opt/FreeTube/                 r,
-  /opt/FreeTube/freetube         rPx,
-  /opt/FreeTube-Vue/             r,
-  /opt/FreeTube-Vue/freetube-vue rPx,
-
   include if exists <abstractions/app-launcher-user.d>

apparmor.d/abstractions/base.d/complete

@@ -19,6 +19,3 @@
 
   ptrace (readby) peer=systemd-coredump,
 
-  # Allow to write a user defined fifo log devices
-  owner /dev/log-xsession w,
-  owner /dev/log-gnupg w,

apparmor.d/abstractions/dbus-gtk

@@ -44,3 +44,6 @@
        interface=org.a11y.atspi.DeviceEventController
        member={GetKeystrokeListeners,GetDeviceEventListeners}
        peer=(name=org.a11y.atspi.Registry),
+
+  # Include additions to the abstraction
+  include if exists <abstractions/dbus-gtk.d>

apparmor.d/abstractions/deny-sensitive-home

@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# DO NOT USE IT WITHOUT EXPLICIT AUTHORISATION FROM THE PROJECT MAINTAINER
+
+# Per the first rule of this project:
+# As these are mandatory access control policies only what it explicitly required
+# should be authorized. Meaning, you should not allow everything (or a large area)
+# and blacklist some sub area.
+
+# Use in this project: file browser and search engine
+
+  deny @{HOME}/.*_history            rwlk,
+  deny @{HOME}/.*age*{,/{,**}}       rwlk,
+  deny @{HOME}/.*cert*{,/{,**}}      rwlk,
+  deny @{HOME}/.*key*{,/{,**}}       rwlk,
+  deny @{HOME}/.*pass*{,/{,**}}      rwlk,
+  deny @{HOME}/.*pki*{,/{,**}}       rwlk,
+  deny @{HOME}/.*private*{,/{,**}}   rwlk,
+  deny @{HOME}/.*secret*{,/{,**}}    rwlk,
+  deny @{HOME}/.*yubi*{,/{,**}}      rwlk,
+  deny @{HOME}/.lesshst*             rwlk,
+  deny @{HOME}/.wget-hsts            rwlk,
+  deny @{HOME}/@{XDG_GPG_DIR}/{,**}  rwlk,
+  deny @{HOME}/@{XDG_SSH_DIR}/{,**}  rwlk,
+
+  # Deny executable mapping in writable space as allowed in abstractions/fonts
+  deny @{HOME}/.{,cache/}fontconfig/ rw,
+  deny @{HOME}/.{,cache/}fontconfig/** mrwl,
+
+  # Deny executable mapping in writable space as allowed in abstractions/base for ecryptfs
+  deny @{HOME}/.Private/** mrxwlk,
+  deny @{HOMEDIRS}/.ecryptfs/*/.Private/** mrxwlk,
+
+  include if exists <abstractions/deny-sensitive-home.d>

apparmor.d/abstractions/fontconfig-cache-write

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
   abi <abi/3.0>,
@@ -26,7 +27,8 @@
         /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*}  r,
   deny  /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*}  w,
 
-  owner /var/cache/fontconfig/{,**} rw,
+        /var/cache/fontconfig/ rw,
+  owner /var/cache/fontconfig/** rw,
   owner /var/cache/fontconfig/*.cache-[0-9]* rwk,
   owner /var/cache/fontconfig/*.cache-[0-9]*.LCK rwl,
   owner /var/cache/fontconfig/CACHEDIR.TAG.LCK rwl,

apparmor.d/abstractions/lxc/container-base

@@ -1,225 +0,0 @@
-  network,
-  capability,
-  file,
-  umount,
-
-  # dbus, signal, ptrace and unix are only supported by recent apparmor
-  # versions. Comment them if the apparmor parser doesn't recognize them.
-
-  # This also needs additional rules to reach outside of the container via
-  # DBus, so just let all of DBus within the container.
-  dbus,
-
-  # Allow us to receive signals from anywhere. Note: if per-container profiles
-  # are supported, for container isolation this should be changed to something
-  # like:
-  #   signal (receive) peer=unconfined,
-  #   signal (receive) peer=/usr/bin/lxc-start,
-  signal (receive),
-
-  # Allow us to send signals to ourselves
-  signal peer=@{profile_name},
-
-  # Allow other processes to read our /proc entries, futexes, perf tracing and
-  # kcmp for now (they will need 'read' in the first place). Administrators can
-  # override with:
-  #   deny ptrace (readby) ...
-  ptrace (readby),
-
-  # Allow other processes to trace us by default (they will need 'trace' in
-  # the first place). Administrators can override with:
-  #   deny ptrace (tracedby) ...
-  ptrace (tracedby),
-
-  # Allow us to ptrace ourselves
-  ptrace peer=@{profile_name},
-
-  # Allow receive via unix sockets from anywhere. Note: if per-container
-  # profiles are supported, for container isolation this should be changed to
-  # something like:
-  #   unix (receive) peer=(label=unconfined),
-  unix (receive),
-
-  # Allow all unix in the container
-  unix peer=(label=@{profile_name}),
-
-  # ignore DENIED message on / remount
-  deny mount options=(ro, remount) -> /,
-  deny mount options=(ro, remount, silent) -> /,
-
-  # allow tmpfs mounts everywhere
-  mount fstype=tmpfs,
-
-  # allow hugetlbfs mounts everywhere
-  mount fstype=hugetlbfs,
-
-  # allow mqueue mounts everywhere
-  mount fstype=mqueue,
-
-  # allow fuse mounts everywhere
-  mount fstype=fuse,
-  mount fstype=fuse.*,
-
-  # deny access under /proc/bus to avoid e.g. messing with pci devices directly
-  deny @{PROC}/bus/** wklx,
-
-  # deny writes in /proc/sys/fs but allow binfmt_misc to be mounted
-  mount fstype=binfmt_misc -> /proc/sys/fs/binfmt_misc/,
-  deny @{PROC}/sys/fs/** wklx,
-
-  # allow efivars to be mounted, writing to it will be blocked though
-  mount fstype=efivarfs -> /sys/firmware/efi/efivars/,
-
-  # block some other dangerous paths
-  deny @{PROC}/kcore rwklx,
-  deny @{PROC}/sysrq-trigger rwklx,
-  deny @{PROC}/acpi/** rwklx,
-
-  # deny writes in /sys except for /sys/fs/cgroup, also allow
-  # fusectl, securityfs and debugfs to be mounted there (read-only)
-  mount fstype=fusectl -> /sys/fs/fuse/connections/,
-  mount fstype=securityfs -> /sys/kernel/security/,
-  mount fstype=debugfs -> /sys/kernel/debug/,
-  deny mount fstype=debugfs -> /var/lib/ureadahead/debugfs/,
-  mount fstype=proc -> /proc/,
-  mount fstype=sysfs -> /sys/,
-  mount options=(rw, nosuid, nodev, noexec, remount) -> /sys/,
-  deny /sys/firmware/efi/efivars/** rwklx,
-  deny /sys/kernel/security/** rwklx,
-  mount options=(ro, nosuid, nodev, noexec, remount, strictatime) -> /sys/fs/cgroup/,
-
-  # deny reads from debugfs
-  deny /sys/kernel/debug/{,**} rwklx,
-
-  # allow paths to be made slave, shared, private or unbindable
-  # FIXME: This currently doesn't work due to the apparmor parser treating those as allowing all mounts.
-#  mount options=(rw,make-slave) -> **,
-#  mount options=(rw,make-rslave) -> **,
-#  mount options=(rw,make-shared) -> **,
-#  mount options=(rw,make-rshared) -> **,
-#  mount options=(rw,make-private) -> **,
-#  mount options=(rw,make-rprivate) -> **,
-#  mount options=(rw,make-unbindable) -> **,
-#  mount options=(rw,make-runbindable) -> **,
-
-  # allow bind-mounts of anything except /proc, /sys and /dev
-  mount options=(rw,bind) /[^spd]*{,/**},
-  mount options=(rw,bind) /d[^e]*{,/**},
-  mount options=(rw,bind) /de[^v]*{,/**},
-  mount options=(rw,bind) /dev/.[^l]*{,/**},
-  mount options=(rw,bind) /dev/.l[^x]*{,/**},
-  mount options=(rw,bind) /dev/.lx[^c]*{,/**},
-  mount options=(rw,bind) /dev/.lxc?*{,/**},
-  mount options=(rw,bind) /dev/[^.]*{,/**},
-  mount options=(rw,bind) /dev?*{,/**},
-  mount options=(rw,bind) /p[^r]*{,/**},
-  mount options=(rw,bind) /pr[^o]*{,/**},
-  mount options=(rw,bind) /pro[^c]*{,/**},
-  mount options=(rw,bind) /proc?*{,/**},
-  mount options=(rw,bind) /s[^y]*{,/**},
-  mount options=(rw,bind) /sy[^s]*{,/**},
-  mount options=(rw,bind) /sys?*{,/**},
-
-  # allow various ro-bind-*re*-mounts
-  mount options=(ro,remount,bind),
-  mount options=(ro,remount,bind,nosuid),
-  mount options=(ro,remount,bind,noexec),
-  mount options=(ro,remount,bind,nodev),
-  mount options=(ro,remount,bind,nosuid,noexec),
-  mount options=(ro,remount,bind,noexec,nodev),
-  mount options=(ro,remount,bind,nodev,nosuid),
-  mount options=(ro,remount,bind,nosuid,noexec,nodev),
-
-  # allow moving mounts except for /proc, /sys and /dev
-  mount options=(rw,move) /[^spd]*{,/**},
-  mount options=(rw,move) /d[^e]*{,/**},
-  mount options=(rw,move) /de[^v]*{,/**},
-  mount options=(rw,move) /dev/.[^l]*{,/**},
-  mount options=(rw,move) /dev/.l[^x]*{,/**},
-  mount options=(rw,move) /dev/.lx[^c]*{,/**},
-  mount options=(rw,move) /dev/.lxc?*{,/**},
-  mount options=(rw,move) /dev/[^.]*{,/**},
-  mount options=(rw,move) /dev?*{,/**},
-  mount options=(rw,move) /p[^r]*{,/**},
-  mount options=(rw,move) /pr[^o]*{,/**},
-  mount options=(rw,move) /pro[^c]*{,/**},
-  mount options=(rw,move) /proc?*{,/**},
-  mount options=(rw,move) /s[^y]*{,/**},
-  mount options=(rw,move) /sy[^s]*{,/**},
-  mount options=(rw,move) /sys?*{,/**},
-  # generated by: lxc-generate-aa-rules.py container-rules.base
-  deny /proc/sys/[^kn]*{,/**} wklx,
-  deny /proc/sys/k[^e]*{,/**} wklx,
-  deny /proc/sys/ke[^r]*{,/**} wklx,
-  deny /proc/sys/ker[^n]*{,/**} wklx,
-  deny /proc/sys/kern[^e]*{,/**} wklx,
-  deny /proc/sys/kerne[^l]*{,/**} wklx,
-  deny /proc/sys/kernel/[^smhd]*{,/**} wklx,
-  deny /proc/sys/kernel/d[^o]*{,/**} wklx,
-  deny /proc/sys/kernel/do[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/dom[^a]*{,/**} wklx,
-  deny /proc/sys/kernel/doma[^i]*{,/**} wklx,
-  deny /proc/sys/kernel/domai[^n]*{,/**} wklx,
-  deny /proc/sys/kernel/domain[^n]*{,/**} wklx,
-  deny /proc/sys/kernel/domainn[^a]*{,/**} wklx,
-  deny /proc/sys/kernel/domainna[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/domainnam[^e]*{,/**} wklx,
-  deny /proc/sys/kernel/domainname?*{,/**} wklx,
-  deny /proc/sys/kernel/h[^o]*{,/**} wklx,
-  deny /proc/sys/kernel/ho[^s]*{,/**} wklx,
-  deny /proc/sys/kernel/hos[^t]*{,/**} wklx,
-  deny /proc/sys/kernel/host[^n]*{,/**} wklx,
-  deny /proc/sys/kernel/hostn[^a]*{,/**} wklx,
-  deny /proc/sys/kernel/hostna[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/hostnam[^e]*{,/**} wklx,
-  deny /proc/sys/kernel/hostname?*{,/**} wklx,
-  deny /proc/sys/kernel/m[^s]*{,/**} wklx,
-  deny /proc/sys/kernel/ms[^g]*{,/**} wklx,
-  deny /proc/sys/kernel/msg*/** wklx,
-  deny /proc/sys/kernel/s[^he]*{,/**} wklx,
-  deny /proc/sys/kernel/se[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/sem*/** wklx,
-  deny /proc/sys/kernel/sh[^m]*{,/**} wklx,
-  deny /proc/sys/kernel/shm*/** wklx,
-  deny /proc/sys/kernel?*{,/**} wklx,
-  deny /proc/sys/n[^e]*{,/**} wklx,
-  deny /proc/sys/ne[^t]*{,/**} wklx,
-  deny /proc/sys/net?*{,/**} wklx,
-  deny /sys/[^fdc]*{,/**} wklx,
-  deny /sys/c[^l]*{,/**} wklx,
-  deny /sys/cl[^a]*{,/**} wklx,
-  deny /sys/cla[^s]*{,/**} wklx,
-  deny /sys/clas[^s]*{,/**} wklx,
-  deny /sys/class/[^n]*{,/**} wklx,
-  deny /sys/class/n[^e]*{,/**} wklx,
-  deny /sys/class/ne[^t]*{,/**} wklx,
-  deny /sys/class/net?*{,/**} wklx,
-  deny /sys/class?*{,/**} wklx,
-  deny /sys/d[^e]*{,/**} wklx,
-  deny /sys/de[^v]*{,/**} wklx,
-  deny /sys/dev[^i]*{,/**} wklx,
-  deny /sys/devi[^c]*{,/**} wklx,
-  deny /sys/devic[^e]*{,/**} wklx,
-  deny /sys/device[^s]*{,/**} wklx,
-  deny /sys/devices/[^v]*{,/**} wklx,
-  deny /sys/devices/v[^i]*{,/**} wklx,
-  deny /sys/devices/vi[^r]*{,/**} wklx,
-  deny /sys/devices/vir[^t]*{,/**} wklx,
-  deny /sys/devices/virt[^u]*{,/**} wklx,
-  deny /sys/devices/virtu[^a]*{,/**} wklx,
-  deny /sys/devices/virtua[^l]*{,/**} wklx,
-  deny /sys/devices/virtual/[^n]*{,/**} wklx,
-  deny /sys/devices/virtual/n[^e]*{,/**} wklx,
-  deny /sys/devices/virtual/ne[^t]*{,/**} wklx,
-  deny /sys/devices/virtual/net?*{,/**} wklx,
-  deny /sys/devices/virtual?*{,/**} wklx,
-  deny /sys/devices?*{,/**} wklx,
-  deny /sys/f[^s]*{,/**} wklx,
-  deny /sys/fs/[^c]*{,/**} wklx,
-  deny /sys/fs/c[^g]*{,/**} wklx,
-  deny /sys/fs/cg[^r]*{,/**} wklx,
-  deny /sys/fs/cgr[^o]*{,/**} wklx,
-  deny /sys/fs/cgro[^u]*{,/**} wklx,
-  deny /sys/fs/cgrou[^p]*{,/**} wklx,
-  deny /sys/fs/cgroup?*{,/**} wklx,
-  deny /sys/fs?*{,/**} wklx,

apparmor.d/abstractions/lxc/start-container

@@ -1,50 +0,0 @@
-  network,
-  capability,
-  file,
-
-  # The following 3 entries are only supported by recent apparmor versions.
-  # Comment them if the apparmor parser doesn't recognize them.
-  dbus,
-  signal,
-  ptrace,
-
-  # currently blocked by apparmor bug
-  mount -> /usr/lib*/*/lxc/{**,},
-  mount -> /usr/lib*/lxc/{**,},
-  mount -> /usr/lib/@{multiarch}/lxc/rootfs/{,**},
-  mount fstype=devpts -> /dev/pts/,
-  mount options=bind /dev/pts/ptmx/ -> /dev/ptmx/,
-  mount options=bind /dev/pts/** -> /dev/**,
-  mount options=(rw, make-slave) -> **,
-  mount options=(rw, make-rslave) -> **,
-  mount fstype=debugfs,
-  # allow pre-mount hooks to stage mounts under /var/lib/lxc/<container>/
-  mount -> /var/lib/lxc/{**,},
-
-  mount /dev/.lxc-boot-id -> /proc/sys/kernel/random/boot_id,
-  mount options=(ro, nosuid, nodev, noexec, remount, bind) -> /proc/sys/kernel/random/boot_id,
-
-  # required for some pre-mount hooks
-  mount fstype=overlayfs,
-  mount fstype=aufs,
-  mount fstype=ecryptfs,
-
-  # all umounts are under the original root's /mnt, but right now we
-  # can't allow those umounts after pivot_root.  So allow all umounts
-  # right now.  They'll be restricted for the container at least.
-  umount,
-  #umount /mnt/{**,},
-
-  # This may look a bit redundant, however it appears we need all of
-  # them if we want things to work properly on all combinations of kernel
-  # and userspace parser...
-  pivot_root /usr/lib*/lxc/,
-  pivot_root /usr/lib*/*/lxc/,
-  pivot_root /usr/lib*/lxc/**,
-  pivot_root /usr/lib*/*/lxc/**,
-  pivot_root /usr/lib/x86_64-linux-gnu/lxc/rootfs/{,**},
-
-  change_profile -> lxc-*,
-  change_profile -> lxc-**,
-  change_profile -> unconfined,
-  change_profile -> :lxc-*:unconfined,

apparmor.d/abstractions/systemd-common

@@ -1,18 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
   abi <abi/3.0>,
 
   ptrace (read),
 
-  owner @{PROC}/@{pid}/stat r,
+        @{PROC}/1/cgroup r,
         @{PROC}/1/environ r,
         @{PROC}/1/sched r,
-        @{PROC}/1/cgroup r,
         @{PROC}/cmdline r,
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/stat r,
 
   /dev/kmsg w,
 

apparmor.d/abstractions/user-download-strict

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
   abi <abi/3.0>,
@@ -10,8 +11,4 @@
   owner @{user_download_dirs}/ r,
   owner @{user_download_dirs}/** rwkl -> @{user_download_dirs}/**,
 
-  # For SSHFS mounts (without owner as files in such mounts can be owned by different users)
-        @{HOME}/mount-sshfs/ r,
-        @{HOME}/mount-sshfs/** rwl,
-
   include if exists <abstractions/user-download-strict.d>

apparmor.d/groups/apps/android-studio

@@ -264,7 +264,7 @@ profile android-studio @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apps/atom

@@ -47,7 +47,7 @@ profile atom @{exec_path} {
   #/{usr/,}bin/rmdir      rix,
   #/{usr/,}bin/{,e}grep   rix,
   #/{usr/,}bin/ls         rix,
-  #/{usr/,}bin/gawk       rix,
+  #/{usr/,}bin/{m,g,}awk  rix,
   #/{usr/,}bin/tty        rix,
   #/{usr/,}bin/dircolors  rix,
   #/{usr/,}bin/cut        rix,
@@ -168,7 +168,7 @@ profile atom @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apps/calibre

@@ -152,7 +152,7 @@ profile calibre @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apps/discord

@@ -125,7 +125,7 @@ profile discord @{exec_path} {
     /{usr/,}bin/xdg-mime mr,
 
     /{usr/,}bin/{,ba,da}sh rix,
-    /{usr/,}bin/gawk       rix,
+    /{usr/,}bin/{m,g,}awk  rix,
     /{usr/,}bin/cut        rix,
     /{usr/,}bin/{,e}grep   rix,
     /{usr/,}bin/head       rix,
@@ -175,7 +175,7 @@ profile discord @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apps/dropbox

@@ -129,7 +129,7 @@ profile dropbox @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apps/flameshot

@@ -76,7 +76,7 @@ profile flameshot @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apps/freetube

@@ -105,7 +105,7 @@ profile freetube @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apps/okular

@@ -103,7 +103,7 @@ profile okular @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apps/telegram-desktop

@@ -101,7 +101,7 @@ profile telegram-desktop @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apt/apt-methods-gpgv

@@ -46,7 +46,7 @@ profile apt-methods-gpgv @{exec_path} {
   /{usr/,}bin/sed       rix,
   /{usr/,}bin/sort      rix,
   /{usr/,}bin/touch     rix,
-  /{usr/,}bin/gawk      rix,
+  /{usr/,}bin/{m,g,}awk rix,
   /{usr/,}bin/base64    rix,
 
   # For shell pwd

apparmor.d/groups/apt/command-not-found

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -11,10 +12,10 @@ include <tunables/global>
 @{exec_path} += /{usr/,}lib/command-not-found
 profile command-not-found @{exec_path} {
   include <abstractions/base>
-  include <abstractions/python>
+  include <abstractions/apt-common>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
-  include <abstractions/apt-common>
+  include <abstractions/python>
 
   @{exec_path} r,
   /{usr/,}bin/python3.[0-9]* r,

apparmor.d/groups/apt/debsums

@@ -17,7 +17,7 @@ profile debsums @{exec_path} {
   @{exec_path} r,
 
   /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/gawk       rix,
+  /{usr/,}bin/{m,g,}awk  rix,
 
   /etc/dpkg/dpkg.cfg.d/{,*} r,
   /etc/dpkg/dpkg.cfg r,

apparmor.d/groups/apt/querybts

@@ -66,7 +66,7 @@ profile querybts @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/apt/reportbug

@@ -130,7 +130,7 @@ profile reportbug @{exec_path} {
     /{usr/,}bin/xdg-open mr,
 
     /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
+    /{usr/,}bin/{m,g,}awk       rix,
     /{usr/,}bin/readlink        rix,
     /{usr/,}bin/basename        rix,
 

apparmor.d/groups/avahi/avahi-autoipd

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}{s,}bin/avahi-autoipd
-profile avahi-autoipd @{exec_path} flags=(complain) {
+profile avahi-autoipd @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 

apparmor.d/groups/avahi/avahi-browse

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/avahi-browse /{usr/,}bin/avahi-browse-domains
-profile avahi-browse @{exec_path} flags=(complain) {
+profile avahi-browse @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/dbus-strict>

apparmor.d/groups/avahi/avahi-daemon

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/avahi-daemon
-profile avahi-daemon @{exec_path} flags=(complain) {
+profile avahi-daemon @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 

apparmor.d/groups/avahi/avahi-publish

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/avahi-publish /{usr/,}bin/avahi-publish-address /{usr/,}bin/avahi-publish-service
-profile avahi-publish @{exec_path} flags=(complain) {
+profile avahi-publish @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 

apparmor.d/groups/avahi/avahi-resolve

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/avahi-resolve /{usr/,}bin/avahi-resolve-address /{usr/,}bin/avahi-resolve-host-name
-profile avahi-resolve @{exec_path} flags=(complain) {
+profile avahi-resolve @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/dbus-strict>

apparmor.d/groups/avahi/avahi-set-host-name

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/avahi-set-host-name
-profile avahi-set-host-name @{exec_path} flags=(complain) {
+profile avahi-set-host-name @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 

apparmor.d/groups/browsers/brave

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,19 +14,19 @@ include <tunables/global>
 @{exec_path} = @{BRAVE_INSTALLDIR}/brave{,-beta,-dev}
 profile brave @{exec_path} {
   include <abstractions/base>
+  include <abstractions/audio>
+  include <abstractions/chromium-common>
   include <abstractions/consoles>
   include <abstractions/dconf-write>
-  include <abstractions/opencl-intel>
-  include <abstractions/gtk>
-  include <abstractions/freedesktop.org>
-  include <abstractions/fonts>
   include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
   include <abstractions/mesa>
-  include <abstractions/audio>
-  include <abstractions/user-download-strict>
   include <abstractions/nameservice-strict>
+  include <abstractions/opencl-intel>
   include <abstractions/thumbnails-cache-read>
-  include <abstractions/chromium-common>
+  include <abstractions/user-download-strict>
 
   capability sys_ptrace,
 
@@ -40,44 +41,41 @@ profile brave @{exec_path} {
   @{BRAVE_INSTALLDIR}/swiftshader/libEGL.so mr,
 
   # When installing/removing extensions
-  /{usr/,}bin/basename rix,
-  /{usr/,}bin/cut      rix,
-  /{usr/,}bin/sed      rix,
-  /{usr/,}bin/mkdir    rix,
-  /{usr/,}bin/touch    rix,
-  /{usr/,}bin/rm       rix,
-  /{usr/,}bin/mktemp   rix,
-  /{usr/,}bin/cat      rix,
   /{usr/,}bin/{,e}grep rix,
-
+  /{usr/,}bin/basename rix,
-       /etc/opt/chrome/ r,
+  /{usr/,}bin/cat      rix,
-  deny /etc/opt/chrome/ w,
+  /{usr/,}bin/cut      rix,
-
+  /{usr/,}bin/mkdir    rix,
-  # For "brave --help"
+  /{usr/,}bin/mktemp   rix,
-  /{usr/,}bin/man               rPUx,
+  /{usr/,}bin/rm       rix,
+  /{usr/,}bin/sed      rix,
+  /{usr/,}bin/touch    rix,
 
   # For storing passwords externally
   /{usr/,}bin/keepassxc-proxy   rPUx,
+  /{usr/,}bin/browserpass       rPx,
 
-  /{usr/,}bin/lsb_release        rPx -> lsb_release,
+  /{usr/,}bin/man               rPUx,
-
+  /{usr/,}bin/lsb_release       rPx -> lsb_release,
-  # no new privs
+  /{usr/,}bin/xdg-open          rPx -> child-open,
-  #deny /{usr/,}bin/xdg-desktop-menu  rx,
-
-  /{usr/,}bin/xdg-open           rCx -> open,
   /{usr/,}bin/xdg-settings      rPx,
   /{usr/,}bin/xdg-mime          rPx,
 
   /usr/share/chromium/extensions/ r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+  /etc/fstab r,
+  /etc/opt/chrome/ r,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
 
   owner @{HOME}/ r,
   owner @{user_config_dirs}/BraveSoftware/ w,
   owner @{BRAVE_HOMEDIR}/ rw,
   owner @{BRAVE_HOMEDIR}/** rwk,
-  # For Widevine plugin
   owner @{BRAVE_HOMEDIR}/WidevineCdm/libwidevinecdm.so mrw,
 
-  # Cache files
   owner @{user_cache_dirs}/ rw,
   owner @{user_cache_dirs}/BraveSoftware/ rw,
   owner @{BRAVE_CACHEDIR}/{,**/} rw,
@@ -85,43 +83,36 @@ profile brave @{exec_path} {
   owner @{BRAVE_CACHEDIR}/*/**/[a-f0-9]*_? rw,
   owner @{BRAVE_CACHEDIR}/*/**/todelete_* rw,
 
-  # For importing data (bookmarks, cookies, etc) from Firefox
-  owner @{HOME}/.mozilla/firefox/profiles.ini r,
-  owner @{HOME}/.mozilla/firefox/*/ r,
-  owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
-  owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
-  owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
-  owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
-  owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
-  owner @{HOME}/.mozilla/firefox/*/logins.json r,
-  # For importing data from Chromium
-  owner "@{user_config_dirs}/chromium/Local State" r,
-  owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
-  owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
-  owner @{user_config_dirs}/chromium/*/ r,
-  owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
-
   owner @{user_config_dirs}/menus/applications-merged/ r,
   owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
 
-  /etc/fstab r,
+  # For importing data (bookmarks, cookies, etc) from Firefox
+  # owner @{HOME}/.mozilla/firefox/profiles.ini r,
+  # owner @{HOME}/.mozilla/firefox/*/ r,
+  # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
+  # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
+  # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
+  # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
+  # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+  # owner @{HOME}/.mozilla/firefox/*/logins.json r,
 
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  # For importing data (bookmarks, cookies, etc) from Chromium
+  # owner "@{user_config_dirs}/chromium/Local State" r,
+  # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
+  # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
+  # owner @{user_config_dirs}/chromium/*/ r,
+  # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
+
+  owner /tmp/net-export/ rw,  # For brave://net-export/
 
-  # Needed or Brave crash with the following error:
-  #  illegal hardware instruction
              @{PROC}/ r,
-  #
   deny       @{PROC}/vmstat r,
   deny       @{PROC}/stat r,
              @{PROC}/sys/kernel/yama/ptrace_scope r,
              @{PROC}/@{pid}/fd/ r,
   deny       @{PROC}/@{pids}/stat r,
   deny       @{PROC}/@{pids}/statm r,
-  # To remove the following error:
+       owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  #  Failed to adjust OOM score of renderer with pid : Permission denied
-  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  #
   deny       @{PROC}/@{pids}/cmdline r,
        owner @{PROC}/@{pids}/task/ r,
              @{PROC}/@{pids}/task/@{tid}/status r,
@@ -130,63 +121,27 @@ profile brave @{exec_path} {
        owner @{PROC}/@{pid}/mounts r,
        owner @{PROC}/@{pid}/clear_refs w,
              @{PROC}/sys/fs/inotify/max_user_watches r,
-  deny       @{PROC}filesystems r,
+  deny       @{PROC}/filesystems r,
 
-  owner /dev/shm/org.chromium.Chromium.shmem.[A-F0-9]*._service_shmem rw,
+  @{run}/udev/data/* r,
+
+  @{sys}/bus/ r,
+  @{sys}/bus/**/devices/ r,
+  @{sys}/class/ r,
+  @{sys}/class/**/ r,
+  @{sys}/devices/**/uevent r,
+  @{sys}/devices/pci[0-9]*/**/irq r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+  @{sys}/devices/system/cpu/online r,
+  @{sys}/devices/virtual/tty/tty[0-9]/active r,
 
   /dev/bus/usb/[0-9]*/[0-9]* rw,
 
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
-  # Udev enumeration
-  @{sys}/bus/ r,
-  @{sys}/bus/**/devices/ r,
-  @{sys}/devices/**/uevent r,
-  @{sys}/class/ r,
-  @{sys}/class/**/ r,
-  @{run}/udev/data/* r,
-  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
-  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
-
-  @{sys}/devices/virtual/tty/tty[0-9]/active r,
-  @{sys}/devices/system/cpu/online r,
-
-  # To remove the following error:
-  #  pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
-  # The irq file is needed to render pages.
-  @{sys}/devices/pci[0-9]*/**/irq r,
-
-  @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-
-  # For brave://net-export/
-  owner /tmp/net-export/ rw,
-
   # Silencer
   deny @{BRAVE_INSTALLDIR}/** w,
-
+  deny /etc/opt/chrome/ w,
-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    /{usr/,}bin/xdg-open mr,
-
-    /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
-    /{usr/,}bin/readlink        rix,
-    /{usr/,}bin/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
 
   include if exists <local/brave>
 }

apparmor.d/groups/browsers/brave-browser

@@ -1,23 +1,24 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
-@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
-@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
-
 abi <abi/3.0>,
 
 include <tunables/global>
 
+@{BRAVE_INSTALLDIR} = /opt/brave.com/brave{,-beta,-dev}
+@{BRAVE_HOMEDIR} = @{user_config_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
+@{BRAVE_CACHEDIR} = @{user_cache_dirs}/BraveSoftware/Brave-Browser{,-Beta,-Dev}
+
 @{exec_path} = @{BRAVE_INSTALLDIR}/brave-browser{,-beta,-dev}
 profile brave-browser @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
   @{exec_path} r,
-  /{usr/,}bin/{,ba,da}sh    rix,
 
+  /{usr/,}bin/{,ba,da}sh    rix,
   /{usr/,}bin/readlink      rix,
   /{usr/,}bin/dirname       rix,
   /{usr/,}bin/which{,.debianutils}         rix,
@@ -26,7 +27,7 @@ profile brave-browser @{exec_path} {
 
   @{BRAVE_INSTALLDIR}/brave rPx,
 
-  owner @{PROC}/@{pid}/fd/63 w,
+  owner @{PROC}/@{pid}/fd/ w,
 
   include if exists <local/brave-browser>
 }

apparmor.d/groups/browsers/chromium-chromium

@@ -63,7 +63,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/xdg-email          rPx,
   /{usr/,}bin/xdg-icon-resource  rPx,
   /{usr/,}bin/xdg-mime           rPx,
-  /{usr/,}bin/xdg-open           rCx -> open,
+  /{usr/,}bin/xdg-open           rPx -> child-open,
   /{usr/,}bin/xdg-settings       rPx,
 
   /usr/share/chromium/{,**} r,
@@ -164,29 +164,5 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
   deny /{usr/,}lib/chromium/** w,
   deny @{user_share_dirs}/gvfs-metadata/* r,
 
-  profile open {
-    include <abstractions/base>
-    include <abstractions/app-launcher-user>
-    include <abstractions/xdg-open>
-
-    /{usr/,}bin/xdg-open mr,
-
-    /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
-    /{usr/,}bin/readlink        rix,
-    /{usr/,}bin/basename        rix,
-
-    # Allowed apps to open
-    /{usr/,}bin/smplayer        rPx,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
-
   include if exists <local/chromium-chromium>
 }

apparmor.d/groups/browsers/firefox

@@ -147,22 +147,10 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   /opt/net.downloadhelper.coapp/bin/net.downloadhelper.coapp*  rPx,
 
   # Allowed apps to open
-  /{usr/,}bin/xdg-open                                    rCx -> open,
+  /{usr/,}bin/exo-open                                    rPx -> child-open,
-  /{usr/,}bin/exo-open                                    rCx -> open,
+  /{usr/,}bin/xdg-open                                    rPx -> child-open,
-  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rCx -> open,
+  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop rPx -> child-open,
-  /{usr/,}bin/engrampa         rPx,
+  /{usr/,}lib/gio-launch-desktop                          rPx -> child-open,
-  /{usr/,}bin/geany            rPx,
-  /{usr/,}bin/okular           rPx,
-  /{usr/,}bin/qbittorrent      rPx,
-  /{usr/,}bin/qpdfview         rPx,
-  /{usr/,}bin/smplayer         rPx,
-  /{usr/,}bin/spacefm          rPx,
-  /{usr/,}bin/telegram-desktop rPx,
-  /{usr/,}bin/thunderbird      rPx,
-  /{usr/,}bin/viewnior        rPUx,
-  /{usr/,}bin/vlc              rPx,
-  /{usr/,}bin/xarchiver        rPx,
-  /{usr/,}bin/evince           rPx,
 
   /{usr/,}lib/@{multiarch}/qt5/plugins/kf5/org.kde.kwindowsystem.platforms/KF5WindowSystemX11Plugin.so mr,
   /{usr/,}lib/mozilla/plugins/ r,
@@ -251,10 +239,11 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
        owner @{PROC}/@{pid}/gid_map w, # If kernel.unprivileged_userns_clone = 1
        owner @{PROC}/@{pid}/mountinfo r,
        owner @{PROC}/@{pid}/mounts r,
+       owner @{PROC}/@{pid}/oom_score_adj w,
        owner @{PROC}/@{pid}/setgroups w, # If kernel.unprivileged_userns_clone = 1
        owner @{PROC}/@{pid}/task/ r,
-       owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
        owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+       owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
   deny owner @{PROC}/@{pid}/smaps r,
   deny owner @{PROC}/@{pid}/stat r,
   deny owner @{PROC}/@{pid}/statm r,
@@ -279,45 +268,5 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   deny owner @{HOME}/.* r,
   deny /tmp/MozillaUpdateLock-* w,
 
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    /{usr/,}bin/xdg-open                                    mr,
-    /{usr/,}bin/exo-open                                    mr,
-    /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop mr,
-
-    /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/{,m,g}awk       rix,
-    /{usr/,}bin/readlink        rix,
-    /{usr/,}bin/basename        rix,
-
-    # Allowed apps to open
-    /{usr/,}bin/engrampa                   rPx,
-    /{usr/,}bin/evince                     rPx,
-    /{usr/,}bin/geany                      rPx,
-    /{usr/,}bin/okular                     rPx,
-    /{usr/,}bin/qbittorrent                rPx,
-    /{usr/,}bin/qpdfview                   rPx,
-    /{usr/,}bin/smplayer                   rPx,
-    /{usr/,}bin/spacefm                    rPx,
-    /{usr/,}bin/telegram-desktop           rPx,
-    /{usr/,}bin/thunderbird                rPx,
-    /{usr/,}bin/viewnior                  rPUx,
-    /{usr/,}bin/vlc                        rPx,
-    /{usr/,}bin/xarchiver                  rPx,
-    /{usr/,}bin/evince                     rPx,
-    /usr/share/xfce4/exo/exo-compose-mail  rPx,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-    include if exists <local/firefox_open>
-  }
-
   include if exists <local/firefox>
 }

apparmor.d/groups/browsers/google-chrome-chrome

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,18 +14,18 @@ include <tunables/global>
 @{exec_path} = @{CHROME_INSTALLDIR}/chrome{,-beta,-unstable}
 profile google-chrome-chrome @{exec_path} {
   include <abstractions/base>
-  include <abstractions/opencl-intel>
-  include <abstractions/gtk>
-  include <abstractions/freedesktop.org>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/mesa>
   include <abstractions/audio>
-  include <abstractions/user-download-strict>
-  include <abstractions/thumbnails-cache-read>
-  include <abstractions/nameservice-strict>
-  include <abstractions/ssl_certs>
   include <abstractions/chromium-common>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+  include <abstractions/opencl-intel>
+  include <abstractions/ssl_certs>
+  include <abstractions/thumbnails-cache-read>
+  include <abstractions/user-download-strict>
 
   ptrace (trace) peer=@{profile_name},
 
@@ -44,23 +45,28 @@ profile google-chrome-chrome @{exec_path} {
   @{CHROME_INSTALLDIR}/nacl_helper    rix,
   @{CHROME_INSTALLDIR}/xdg-mime       rix,
   @{CHROME_INSTALLDIR}/xdg-settings   rix,
+  @{CHROME_INSTALLDIR}/libwidevinecdm.so mr,
+  @{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr,
 
   # For "google-chrome --help"
   /{usr/,}bin/man               rPUx,
 
   # For storing passwords externally
   /{usr/,}bin/keepassxc-proxy   rPUx,
+  /{usr/,}bin/browserpass       rPx,
 
-  /{usr/,}bin/lsb_release        rPx -> lsb_release,
+  /{usr/,}bin/lsb_release       rPx -> lsb_release,
-  /{usr/,}bin/xdg-open           rCx -> open,
-
-  # no new privs
-  deny /{usr/,}bin/xdg-desktop-menu  rx,
-  deny /{usr/,}bin/xdg-icon-resource rx,
-
   /{usr/,}bin/xdg-mime          rPx,
+  /{usr/,}bin/xdg-open          rPx -> child-open,
   /{usr/,}bin/xdg-settings      rPx,
 
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+  /etc/fstab r,
+
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
   # Google Chrome home files
   owner @{HOME}/ r,
   owner @{CHROME_HOMEDIR}/ rw,
@@ -68,50 +74,38 @@ profile google-chrome-chrome @{exec_path} {
 
   owner @{user_share_dirs}/.com.google.Chrome.* rw,
 
-  # Cache files
   owner @{user_cache_dirs}/ rw,
   owner @{CHROME_CACHEDIR}/{,**/} rw,
   owner @{CHROME_CACHEDIR}/*/**/{*-,}index rw,
   owner @{CHROME_CACHEDIR}/*/**/[a-f0-9]*_? rw,
   owner @{CHROME_CACHEDIR}/*/**/todelete_* rw,
-
-  # To remove browser history/cache
   owner @{CHROME_CACHEDIR}/PnaclTranslationCache/index rw,
   owner @{CHROME_CACHEDIR}/PnaclTranslationCache/data_[0-9]*[0-9] rw,
 
   # For importing data (bookmarks, cookies, etc) from Firefox
-  owner @{HOME}/.mozilla/firefox/profiles.ini r,
+  # owner @{HOME}/.mozilla/firefox/profiles.ini r,
-  owner @{HOME}/.mozilla/firefox/*/ r,
+  # owner @{HOME}/.mozilla/firefox/*/ r,
-  owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
+  # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
-  owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
+  # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
-  owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
+  # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
-  owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
+  # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
-  owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+  # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
-  owner @{HOME}/.mozilla/firefox/*/logins.json r,
+  # owner @{HOME}/.mozilla/firefox/*/logins.json r,
-  # For importing data from Chromium
-  owner "@{user_config_dirs}/chromium/Local State" r,
-  owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
-  owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
-  owner @{user_config_dirs}/chromium/*/ r,
-  owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
 
-  /etc/fstab r,
+  # For importing data (bookmarks, cookies, etc) from Chromium
+  # owner "@{user_config_dirs}/chromium/Local State" r,
+  # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
+  # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
+  # owner @{user_config_dirs}/chromium/*/ r,
+  # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
 
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
-
-  # Needed or Google Chrome crash with the following error:
-  #  illegal hardware instruction
              @{PROC}/ r,
-  #
   deny       @{PROC}/vmstat r,
              @{PROC}/sys/kernel/yama/ptrace_scope r,
              @{PROC}/@{pid}/fd/ r,
   deny       @{PROC}/@{pids}/stat r,
   deny       @{PROC}/@{pids}/statm r,
-  # To remove the following error:
+       owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  #  Failed to adjust OOM score of renderer with pid : Permission denied
-  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  #
   deny       @{PROC}/@{pids}/cmdline r,
   deny owner @{PROC}/@{pids}/environ r,
        owner @{PROC}/@{pid}/task/ r,
@@ -123,56 +117,21 @@ profile google-chrome-chrome @{exec_path} {
        owner @{PROC}/@{pid}/mounts r,
   deny       @{PROC}/diskstats r,
 
-  # To play DRM media (protected content)
+  @{run}/udev/data/* r,
-  @{CHROME_INSTALLDIR}/libwidevinecdm.so mr,
-  @{CHROME_INSTALLDIR}/libwidevinecdmadapter.so mr,
 
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
-  # Udev enumeration
   @{sys}/bus/ r,
   @{sys}/bus/**/devices/ r,
-  @{sys}/devices/**/uevent r,
   @{sys}/class/ r,
   @{sys}/class/**/ r,
-  @{run}/udev/data/* r,
+  @{sys}/devices/**/uevent r,
-  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
-  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
-
-  deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
-  deny @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
-
-  # To remove the following error:
-  #  pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
-  # The irq file is needed to render pages.
   @{sys}/devices/pci[0-9]*/**/irq r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]/cpuinfo_max_freq r,
+  @{sys}/devices/virtual/tty/tty[0-9]/active r,
 
   # Silencer
   deny @{CHROME_INSTALLDIR}/** w,
 
-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    /{usr/,}bin/xdg-open mr,
-
-    /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
-    /{usr/,}bin/readlink        rix,
-    /{usr/,}bin/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
-
   include if exists <local/google-chrome-chrome>
 }

apparmor.d/groups/browsers/opera

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,20 +14,20 @@ include <tunables/global>
 @{exec_path} = @{OPERA_INSTALLDIR}/opera{,-beta,-developer}
 profile opera @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dconf-write>
-  include <abstractions/opencl-intel>
-  include <abstractions/gtk>
-  include <abstractions/freedesktop.org>
-  include <abstractions/fonts>
-  include <abstractions/fontconfig-cache-read>
-  include <abstractions/mesa>
   include <abstractions/audio>
-  include <abstractions/user-download-strict>
+  include <abstractions/chromium-common>
-  include <abstractions/thumbnails-cache-read>
+  include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
+  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/opencl-intel>
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  include <abstractions/chromium-common>
+  include <abstractions/thumbnails-cache-read>
+  include <abstractions/user-download-strict>
 
   ptrace (trace) peer=@{profile_name},
 
@@ -41,25 +42,32 @@ profile opera @{exec_path} {
 
   @{exec_path} mrix,
 
-  /{usr/,}bin/which{,.debianutils}                        rix,
+  /{usr/,}bin/which{,.debianutils}         rix,
 
   @{OPERA_INSTALLDIR}/opera_sandbox        rPx,
   @{OPERA_INSTALLDIR}/opera_crashreporter  rPx,
   @{OPERA_INSTALLDIR}/opera_autoupdate    krix,
 
+  /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr,
+  /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr,
+
   /{usr/,}bin/lsb_release        rPx -> lsb_release,
   /{usr/,}bin/xdg-mime           rPx,
-  /{usr/,}bin/xdg-open           rCx -> open,
+  /{usr/,}bin/xdg-open           rPx -> child-open,
   /{usr/,}bin/xdg-settings       rPx,
   /{usr/,}bin/xdg-desktop-menu   rPx,
   /{usr/,}bin/xdg-icon-resource  rPx,
 
-  # Opera home files
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+  /etc/fstab r,
+  /var/lib/dbus/machine-id r,
+  /etc/machine-id r,
+
   owner @{HOME}/ r,
   owner @{OPERA_HOMEDIR}/ rw,
   owner @{OPERA_HOMEDIR}/** rwk,
 
-  # Cache files
   owner @{user_cache_dirs}/ rw,
   owner @{OPERA_CACHEDIR}/{,**/} rw,
   owner @{OPERA_CACHEDIR}/**/{*-,}index rw,
@@ -67,38 +75,31 @@ profile opera @{exec_path} {
   owner @{OPERA_CACHEDIR}/**/todelete_* rw,
 
   # For importing data (bookmarks, cookies, etc) from Firefox
-  owner @{HOME}/.mozilla/firefox/profiles.ini r,
+  # owner @{HOME}/.mozilla/firefox/profiles.ini r,
-  owner @{HOME}/.mozilla/firefox/*/ r,
+  # owner @{HOME}/.mozilla/firefox/*/ r,
-  owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
+  # owner @{HOME}/.mozilla/firefox/*/compatibility.ini r,
-  owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
+  # owner @{HOME}/.mozilla/firefox/*/search{,-metadata}.json r,
-  owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
+  # owner @{HOME}/.mozilla/firefox/*/.parentlock rwk,
-  owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
+  # owner @{HOME}/.mozilla/firefox/*/{places,cookies,favicons,formhistory,}.sqlite{,-wal,-shm,-journal} rwk,
-  owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
+  # owner @{HOME}/.mozilla/firefox/*/{cert9,key4}.db rwk,
-  owner @{HOME}/.mozilla/firefox/*/logins.json r,
+  # owner @{HOME}/.mozilla/firefox/*/logins.json r,
-  # For importing data from Chromium
-  owner "@{user_config_dirs}/chromium/Local State" r,
-  owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
-  owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
-  owner @{user_config_dirs}/chromium/*/ r,
-  owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
 
-  /etc/fstab r,
+  # For importing data (bookmarks, cookies, etc) from Chromium
+  # owner "@{user_config_dirs}/chromium/Local State" r,
+  # owner @{user_config_dirs}/chromium/Singleton{Lock,Socket,Cookie} w,
+  # owner "@{user_config_dirs}/chromium/*/Login Data{,-journal}" rwk,
+  # owner @{user_config_dirs}/chromium/*/ r,
+  # owner @{user_config_dirs}/chromium/*/{History,Cookies,Favicons,Bookmarks} rwk,
 
-  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw,
 
-  # Needed or opera crashes with the following error:
-  #  illegal hardware instruction
              @{PROC}/ r,
-  #
   deny       @{PROC}/vmstat r,
              @{PROC}/sys/kernel/yama/ptrace_scope r,
              @{PROC}/@{pid}/fd/ r,
   deny       @{PROC}/@{pids}/stat r,
   deny       @{PROC}/@{pids}/statm r,
-  # To remove the following error:
+       owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  #  Failed to adjust OOM score of renderer with pid : Permission denied
-  deny owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  #
   deny owner @{PROC}/@{pids}/cmdline r,
   deny owner @{PROC}/@{pids}/environ r,
        owner @{PROC}/@{pid}/task/ r,
@@ -110,60 +111,22 @@ profile opera @{exec_path} {
        owner @{PROC}/@{pid}/mounts r,
              @{PROC}/sys/fs/inotify/max_user_watches r,
 
-  # To play DRM media (protected content)
+  @{run}/udev/data/* r,
-  /opt/google/chrome{,-beta,-unstable}/libwidevinecdm.so mr,
-  /opt/google/chrome{,-beta,-unstable}/libwidevinecdmadapter.so mr,
 
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
-
-  # Udev enumeration
   @{sys}/bus/ r,
   @{sys}/bus/**/devices/ r,
-  @{sys}/devices/**/uevent r,
   @{sys}/class/ r,
   @{sys}/class/**/ r,
-  @{run}/udev/data/* r,
+  @{sys}/devices/**/uevent r,
-  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
-  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
-
-  deny @{sys}/devices/virtual/tty/tty[0-9]/active r,
-
-  # To remove the following error:
-  #  pcilib: Cannot open /sys/bus/pci/devices/0000:03:00.0/irq: Permission denied
-  # The irq file is needed to render pages.
   @{sys}/devices/pci[0-9]*/**/irq r,
-
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{busnum,devnum} r,
-  # For crashreporter
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/{,**/}{descriptors,manufacturer,product,serial,bConfigurationValue} r,
-  owner /tmp/opera-crashlog-[0-9]*-[0-9]*.txt rw,
+  @{sys}/devices/virtual/tty/tty[0-9]/active r,
 
   /dev/ r,
 
   # Silencer
   deny @{OPERA_INSTALLDIR}/** w,
 
-
-  profile open {
-    include <abstractions/base>
-    include <abstractions/xdg-open>
-
-    /{usr/,}bin/xdg-open mr,
-
-    /{usr/,}bin/{,ba,da}sh      rix,
-    /{usr/,}bin/gawk            rix,
-    /{usr/,}bin/readlink        rix,
-    /{usr/,}bin/basename        rix,
-
-    owner @{HOME}/ r,
-
-    owner @{run}/user/@{uid}/ r,
-
-    # Allowed apps to open
-
-    # file_inherit
-    owner @{HOME}/.xsession-errors w,
-
-  }
-
   include if exists <local/opera>
 }

apparmor.d/groups/children/child-open

@@ -0,0 +1,75 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Note: This profile does not specify an attachment path because it is
+# intended to be used only via "Px -> child-open-X" exec transitions
+# from other profiles. 
+
+# Instead of allowing the run of all software in /{usr/,}bin/, the purpose of
+# this profile is to list all GUI program that can open resources.
+
+# Ultimatelly, only sandbox manager program like bwrap, snap, flatpak, firejail
+# should be present here. Until this day, this profile will be a controlled mess.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+# App allowed to open
+profile child-open {
+  include <abstractions/base>
+  include <abstractions/xdg-open>
+
+  /{usr/,}bin/exo-open                                     mr,
+  /{usr/,}bin/xdg-open                                     mr,
+  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  mr,
+  /{usr/,}lib/gio-launch-desktop                           mr,
+
+  /{usr/,}bin/{,ba,da}sh        rix,
+  /{usr/,}bin/{,m,g}awk         rix,
+  /{usr/,}bin/basename          rix,
+  /{usr/,}bin/readlink          rix,
+
+  # Sandbox managers
+  /{usr/,}bin/firejail         rPUx,
+  /{usr/,}bin/flatpak          rPUx,
+  /{usr/,}bin/snap             rPUx,
+
+  # Browsers
+  /{usr/,}bin/chromium                                                        rPx,
+  /{usr/,}bin/firefox                                                         rPx,
+  /{usr/,}lib/@{multiarch}/opera{,-beta,-developer}/opera{,-beta,-developer}  rPx,
+  /{usr/,}lib/chromium/chromium                                               rPx,
+  /opt/brave.com/brave{,-beta,-dev}/brave{,-beta,-dev}                        rPx,
+  /opt/google/chrome{,-beta,-unstable}/chrome{,-beta,-unstable}               rPx,
+
+  # Text editors
+  /{usr/,}bin/code              rPx,
+  /{usr/,}bin/gedit            rPUx,
+  /usr/share/code/{bin/,}code   rPx,
+
+  # Others
+  /{usr/,}bin/discord{,-ptb}    rPx,
+  /{usr/,}bin/draw.io          rPUx,
+  /{usr/,}bin/dropbox           rPx,
+  /{usr/,}bin/engrampa          rPx,
+  /{usr/,}bin/evince            rPx,
+  /{usr/,}bin/filezilla         rPx,
+  /{usr/,}bin/flameshot         rPx,
+  /{usr/,}bin/geany             rPx,
+  /{usr/,}bin/okular            rPx,
+  /{usr/,}bin/qbittorrent       rPx,
+  /{usr/,}bin/qpdfview          rPx,
+  /{usr/,}bin/smplayer          rPx,
+  /{usr/,}bin/spacefm           rPx,
+  /{usr/,}bin/telegram-desktop  rPx,
+  /{usr/,}bin/thunderbird       rPx,
+  /{usr/,}bin/transmission-gtk  rPx,
+  /{usr/,}bin/viewnior         rPUx,
+  /{usr/,}bin/vlc               rPx,
+  /{usr/,}bin/xarchiver         rPx,
+
+  include if exists <usr/child-open.d>
+  include if exists <local/child-open>
+}

apparmor.d/groups/cron/cron-apt

@@ -33,7 +33,7 @@ profile cron-apt @{exec_path} {
   /{usr/,}bin/cp          rix,
   /{usr/,}bin/dd          rix,
   /{usr/,}bin/cksum       rix,
-  /{usr/,}bin/gawk        rix,
+  /{usr/,}bin/{m,g,}awk   rix,
   /{usr/,}bin/sleep       rix,
   /{usr/,}bin/mv          rix,
   /{usr/,}bin/logger      rix,

apparmor.d/groups/freedesktop/plymouth-set-default-theme

@@ -7,16 +7,17 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/plymouth-set-default-theme
-profile plymouth-set-default-theme @{exec_path} {
+profile plymouth-set-default-theme @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   @{exec_path} mr,
 
-  /{usr/,}bin/gawk      rix,
+  /{usr/,}bin/{m,g,}awk   rix,
-  /{usr/,}bin/grep      rix,
+  /{usr/,}bin/grep        rix,
-  /{usr/,}bin/plymouth  rPx,
+  /{usr/,}bin/plymouth    rPx,
+  /{usr/,}bin/{,ba,da}sh  rix,
 
   /etc/plymouth/{,*} r,
 
   include if exists <local/plymouth-set-default-theme>
-}
+}

apparmor.d/groups/freedesktop/plymouthd

@@ -30,6 +30,10 @@ profile plymouthd @{exec_path} {
   /etc/plymouth/plymouthd.conf r,
   /etc/vconsole.conf r,
 
+  /var/lib/plymouth/{,**} rw,
+
+  @{run}/plymouth/{,**} rw,
+
   @{run}/udev/data/+drm:* r,
   @{run}/udev/data/c226:* r,
   @{run}/udev/data/c29:* r,

apparmor.d/groups/freedesktop/polkitd

@@ -22,8 +22,8 @@ profile polkitd @{exec_path} {
 
   ptrace (read),
 
-  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/*
+  dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit1/*
-       interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit[0-9].*}, # all members
+       interface=org.freedesktop.{DBus.Introspectable,DBus.Properties,PolicyKit1.*}, # all members
 
   dbus (send) bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
@@ -31,7 +31,7 @@ profile polkitd @{exec_path} {
        peer=(name=org.freedesktop.DBus),
 
   dbus (bind) bus=system
-       name=org.freedesktop.PolicyKit[0-9],
+       name=org.freedesktop.PolicyKit1,
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/xdg-dbus-proxy

@@ -13,8 +13,6 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
   owner @{run}/firejail/dbus/[0-9]*/[0-9]*-user rw,
   owner @{run}/user/@{uid}/.dbus-proxy/{system,session,a11y}-bus-proxy-[0-9A-Z]* rw,
   owner @{run}/user/@{uid}/webkitgtk/a11y-proxy-[0-9A-Z]* rw,
@@ -25,5 +23,7 @@ profile xdg-dbus-proxy @{exec_path} flags=(attach_disconnected) {
 
   /dev/dri/card[0-9]* rw,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   include if exists <local/xdg-dbus-proxy>
 }

apparmor.d/groups/freedesktop/xdg-desktop-menu

@@ -23,7 +23,7 @@ profile xdg-desktop-menu @{exec_path} flags=(complain) {
   /{usr/,}bin/cp         rix,
   /{usr/,}bin/cat        rix,
   /{usr/,}bin/touch      rix,
-  /{usr/,}bin/gawk       rix,
+  /{usr/,}bin/{m,g,}awk  rix,
   /{usr/,}bin/whoami     rix,
   /{usr/,}bin/mv         rix,
   /{usr/,}bin/{,e}grep   rix,

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -105,8 +105,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/{,ba,da}sh  rix,
   /{usr/,}bin/snap        rPx,
 
-  # Allowed apps to open
+  /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop  rPx -> child-open,
-  /{usr/,}bin/firefox rPx -> firefox,
+  /{usr/,}lib/gio-launch-desktop                           rPx -> child-open,
+
+  /{usr/,}bin/nautilus rPx,
 
   / r,
   /.flatpak-info r,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gnome

@@ -18,6 +18,7 @@ profile xdg-desktop-portal-gnome @{exec_path} {
   include <abstractions/gtk>
   include <abstractions/user-download>
   include <abstractions/user-read>
+  include <abstractions/vulkan>
 
   dbus send bus=session path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus

apparmor.d/groups/freedesktop/xdg-email

@@ -14,8 +14,10 @@ profile xdg-email @{exec_path} flags=(complain) {
   @{exec_path}  r,
 
   /{usr/,}bin/{,ba,da}sh  rix,
-  /{usr/,}bin/gio         rPx,
   /{usr/,}bin/{,e}grep    rix,
+  /{usr/,}bin/basename    rix,
+  /{usr/,}bin/gio         rPx,
+  /{usr/,}bin/readlink    rix,
   /{usr/,}bin/sed         rix,
   /{usr/,}bin/which       rix,
   /{usr/,}bin/xdg-mime    rPx,

apparmor.d/groups/freedesktop/xdg-mime

@@ -39,7 +39,6 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/.Xauthority r,
   owner @{user_config_dirs}/mimeapps.list{,.new} rw,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   owner @{run}/user/@{uid}/ r,
 
@@ -60,6 +59,8 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
   deny /{usr/,}bin/dbus-launch rx,
   deny /{usr/,}bin/dbus-send   rx,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   profile dbus {
     include <abstractions/base>
     include <abstractions/nameservice-strict>

apparmor.d/groups/freedesktop/xdg-open

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,8 +10,8 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/xdg-open
 profile xdg-open @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/app-launcher-user>
+  include <abstractions/consoles>
 
   @{exec_path} r,
 
@@ -29,27 +30,16 @@ profile xdg-open @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/gio          rPx,
   #/{usr/,}bin/kde-open5  rPUx,
 
-  # When xdg-open is run as root, it wants to exec dbus-launch, and hence it creates the two
+  /{usr/,}bin/dbus-launch  rCx -> dbus,
-  # following root processes:
+  /{usr/,}bin/dbus-send    rCx -> dbus,
-  #  dbus-launch --autolaunch e0a30ad97cd6421c85247839ccef9db2 --binary-syntax --close-stderr
-  #  /usr/bin/dbus-daemon --syslog-only --fork --print-pid 5 --print-address 7 --session
-  #
-  # Should this be allowed? Xdg-open works fine without this.
-  #/{usr/,}bin/dbus-launch        rCx -> dbus,
-  #/{usr/,}bin/dbus-send          rCx -> dbus,
-  deny /{usr/,}bin/dbus-launch rx,
-  deny /{usr/,}bin/dbus-send   rx,
 
   /usr/share/applications/*.desktop r,
-  owner @{user_share_dirs}/applications/ r,
-
-  owner @{HOME}/.Xauthority r,
 
         /** r,
   owner /** rw,
 
-  # file_inherit
+  owner @{user_share_dirs}/applications/ r,
-  /dev/dri/card[0-9]* rw,
+
   /dev/tty rw,
 
   profile dbus {

apparmor.d/groups/freedesktop/xdg-user-dirs-gtk-update

@@ -13,6 +13,7 @@ profile xdg-user-dirs-gtk-update @{exec_path} {
 
   @{exec_path} mr,
 
+  owner @{user_config_dirs}/gtk-3.0/bookmarks* rw,
   owner @{user_config_dirs}/user-dirs.dirs r,
   owner @{user_config_dirs}/user-dirs.locale r,
 

apparmor.d/groups/gnome/evolution-source-registry

@@ -27,11 +27,12 @@ profile evolution-source-registry @{exec_path} {
 
   owner @{user_config_dirs}/evolution/sources/{,*} rw,
   owner @{user_share_dirs}/evolution/{,**} r,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   owner @{user_cache_dirs}/evolution/{,**} rwk,
 
   @{PROC}/sys/kernel/osrelease r,
   @{PROC}/cmdline r,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   include if exists <local/evolution-source-registry>
 }

apparmor.d/groups/gnome/gio-launch-desktop

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,6 +9,7 @@ include <tunables/global>
 
 @{exec_path}  = /{usr/,}bin/gio
 @{exec_path} += /{usr/,}bin/gio-launch-desktop
+@{exec_path} += /{usr/,}lib/gio-launch-desktop
 @{exec_path} += /{usr/,}lib/@{multiarch}/glib-[0-9]*/gio-launch-desktop
 profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>

apparmor.d/groups/gnome/gnome-browser-connector-host

@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/gnome-browser-connector-host
+profile gnome-browser-connector-host @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/python>
+  include <abstractions/dconf-write>
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/env             rix,
+  /{usr/,}bin/python3.[0-9]*  rix,
+
+  /{usr/,}lib/python3.[0-9]*/site-packages/gnome_browser_connector/__pycache__/{,**} rw,
+
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
+  owner @{PROC}/@{pid}/mounts r,
+
+  include if exists <local/gnome-browser-connector-host>
+}

apparmor.d/groups/gnome/gnome-control-center

@@ -77,6 +77,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/bwrap                                  rPUx,
   /{usr/,}bin/openvpn                                 rPx,
   /{usr/,}bin/passwd                                  rPx,
+  /{usr/,}bin/software-properties-gtk                 rPx,
   /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
   /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
   /usr/share/language-tools/language2locale           rix,
@@ -117,10 +118,9 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/gnome-control-center/{,**} rw,
   owner @{user_cache_dirs}/thumbnails/{,**} rw,
   owner @{user_config_dirs}/gnome-control-center/{,**} rw,
-  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix{,-wayland}-[0-9]} r,
+  owner @{user_config_dirs}/ibus/bus/{,@{hex}-unix{,-wayland}-[0-9]} r,
   owner @{user_config_dirs}/mimeapps.list.* rw,
   owner @{user_share_dirs}/backgrounds/{,**} rw,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   owner @{user_share_dirs}/icc/{,edid-*} r,
   owner @{user_share_dirs}/sounds/__custom/{,*} rw,
   owner @{user_share_dirs}/webkitgtk/{,**} r,
@@ -153,6 +153,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/ r,
   @{sys}/class/input/ r,
   @{sys}/devices/**/{name,vendor,product,uevent} r,
+  @{sys}/devices/**/power_supply/{,**} r,
   @{sys}/devices/platform/**/uevent r,
   @{sys}/devices/system/cpu/possible r,
   @{sys}/devices/virtual/**/uevent r,
@@ -178,5 +179,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /dev/media[0-9]* r,
   /dev/video[0-9]* rw,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   include if exists <local/gnome-control-center>
 }

apparmor.d/groups/gnome/gnome-extension-ding

@@ -171,5 +171,7 @@ profile gnome-extension-ding @{exec_path} {
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   include if exists <local/gnome-extension-ding>
 }

apparmor.d/groups/gnome/gnome-extension-manager

@@ -0,0 +1,37 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/extension-manager
+profile gnome-extension-manager @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/dconf-write>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
+  include <abstractions/opencl>
+  include <abstractions/ssl_certs>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/gjs-console rix,
+
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/gnome-shell/org.gnome.Shell.Extensions r,
+  /usr/share/X11/xkb/{,**} r,
+
+  include if exists <local/gnome-extension-manager>
+}

apparmor.d/groups/gnome/gnome-music

@@ -15,6 +15,9 @@ profile gnome-music @{exec_path} {
   include <abstractions/gstreamer>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/opencl-intel>
+  include <abstractions/opencl-mesa>
+  include <abstractions/opencl-nvidia>
   include <abstractions/openssl>
   include <abstractions/p11-kit>
   include <abstractions/python>
@@ -45,7 +48,6 @@ profile gnome-music @{exec_path} {
   owner @{user_cache_dirs}/media-art/album-*.jpeg rw,
   owner @{user_share_dirs}/grilo-plugins/ rwk,
   owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
-  owner @{user_share_dirs}/gvfs-metadata/root{,-*.log} r,
 
   owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
         @{run}/systemd/inhibit/[0-9]*.ref rw,
@@ -54,5 +56,7 @@ profile gnome-music @{exec_path} {
 
   owner @{PROC}/@{pid}/mounts r,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   include if exists <local/gnome-music>
 }

apparmor.d/groups/gnome/gnome-shell

@@ -23,6 +23,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   include <abstractions/ibus>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/opencl-intel>
+  include <abstractions/opencl-mesa>
   include <abstractions/opencl-nvidia>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
@@ -43,12 +45,17 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 
   signal (receive) set=(term, hup) peer=gdm*,
   signal (send),
- 
+
   unix (send,receive) type=stream addr=none peer=(label=gnome-extension-ding),
   unix (send,receive) type=stream addr=none peer=(label=xkbcomp),
   unix (send,receive) type=stream addr=none peer=(label=xwayland),
   unix (send, receive, connect) type=stream peer=(addr="@/var/lib/gdm{3,}/.cache/ibus/dbus-*", label=ibus-daemon),
 
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName,ListNames}
+       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
+
   dbus send bus=session path=/ interface=org.freedesktop.DBus
        member=ListNames
        peer=(name=org.freedesktop.DBus label=dbus-daemon),
@@ -62,14 +69,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus
        member=GetConnectionUnixUser,
 
-  dbus send bus=session path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={RequestName,ReleaseName,ListNames}
-       peer=(name=org.freedesktop.DBus, label=dbus-daemon),
-
-  dbus (send,receive) bus=system path=/org/freedesktop/login[0-9]{,/**}
-       interface=org.freedesktop.{DBus.Properties,login[0-9].*},
-
   dbus (send,receive) bus=system path=/org/freedesktop/PolicyKit[0-9]/Authority
        interface=org.freedesktop.{DBus.Properties,PolicyKit[0-9].Authority}
        member={CheckAuthorization,RegisterAuthenticationAgent,Changed,GetAll},
@@ -228,7 +227,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.Properties
        member=GetAll
        peer=(name=:* label=xdg-desktop-portal-*),
-       
+
   dbus receive bus=session path=/org/gnome/Shell/Introspect
        interface=org.freedesktop.DBus.Properties
        member=Get
@@ -459,29 +458,17 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
        member={List,IsSupported}
        peer=(name=:*, label=gvfs-*-volume-monitor),
 
-  dbus bind bus=session
+  dbus bind bus=session name=com.rastersoft.dingextension,
-       name=org.gnome.Shell{,*},
 
-  dbus bind bus=session
+  dbus bind bus=session name=com.canonical.Unity,
-       name=com.rastersoft.dingextension,
 
-  dbus bind bus=session
+  dbus bind bus=session name=org.kde.StatusNotifierWatcher,
-       name=org.gnome.Mutter.{DisplayConfig,IdleMonitor,ScreenCast,RemoteDesktop},
 
-  dbus bind bus=session
+  dbus bind bus=session name=org.gtk.MountOperationHandler,
-       name=org.gtk.MountOperationHandler,
 
-  dbus bind bus=session
+  dbus bind bus=session name=org.gtk.Notifications,
-       name=org.gtk.Notifications,
 
-  dbus bind bus=session
+  dbus bind bus=session name=org.gnome.*,
-       name=org.gnome.keyring.SystemPrompter,
-
-  dbus bind bus=session
-       name=com.canonical.Unity,
-
-  dbus bind bus=session
-       name=org.kde.StatusNotifierWatcher,
 
   @{exec_path} mr,
 
@@ -554,7 +541,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/desktop-directories/{,**} r,
   owner @{user_share_dirs}/gnome-shell/{,**} rw,
   owner @{user_share_dirs}/gnome-shell/extensions/{,**} r,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   owner @{user_cache_dirs}/evolution/addressbook/*/PHOTO-*.JPEG r,
   owner @{user_cache_dirs}/gnome-boxes/*.png r,
@@ -601,13 +587,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c226:[0-9]* r,   # for /dev/dri/card* 
   @{run}/udev/data/n[0-9]* r,
 
+  @{sys}/**/uevent r,
   @{sys}/bus/ r,
   @{sys}/class/ r,
   @{sys}/class/hwmon/ r,
   @{sys}/class/input/ r,
   @{sys}/class/net/ r,
   @{sys}/class/power_supply/ r,
-  @{sys}/**/uevent r,
   @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
   @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
   @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
@@ -617,6 +603,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/drm/ r,
   @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
   @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
   @{sys}/devices/system/cpu/possible r,
   @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
 
@@ -639,5 +626,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /dev/input/event[0-9]* rw,
   /dev/tty[0-9]* rw,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   include if exists <local/gnome-shell>
 }

apparmor.d/groups/gnome/gnome-system-monitor

@@ -37,8 +37,6 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
 
   /var/lib/snapd/desktop/icons/ r,
 
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
-
   owner @{run}/user/@{uid}/doc/ rw,
 
   @{run}/systemd/sessions/*     r,
@@ -69,5 +67,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{PROC}/@{pids}/wchan r,
   @{PROC}/vmstat r,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   include if exists <local/gnome-system-monitor>
 }

apparmor.d/groups/gnome/gnome-terminal-server

@@ -17,6 +17,7 @@ profile gnome-terminal-server @{exec_path} {
   include <abstractions/gtk>
 
   signal (send) set=(term hup kill) peer=unconfined,
+  ptrace (read) peer=unconfined,
 
   dbus bind bus=session
        name=org.gnome.Terminal,

apparmor.d/groups/gnome/gnome-tweaks

@@ -33,11 +33,12 @@ profile gnome-tweaks @{exec_path} {
   owner @{user_config_dirs}/autostart/*.desktop r,
   owner @{user_share_dirs}/backgrounds/{,**} r,
   owner @{user_share_dirs}/gnome-shell/extensions/**/schemas/* r,
-  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   owner @{user_share_dirs}/recently-used.xbel* rw,
   owner @{user_share_dirs}/sounds/ r,
 
   owner @{PROC}/@{pid}/fd/ r,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   include if exists <local/gnome-tweaks>
 }

apparmor.d/groups/gnome/gsd-sharing

@@ -99,6 +99,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
   dbus bind bus=session
        name=org.gnome.SettingsDaemon.Sharing,
 
+  dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+       interface=org.freedesktop.NetworkManager.Connection.Active
+       member=StateChanged,
+
   @{exec_path} mr,
 
   /usr/share/dconf/profile/gdm r,

apparmor.d/groups/gnome/nautilus

@@ -9,7 +9,6 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/nautilus
 profile nautilus @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/app-launcher-user>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
   include <abstractions/dconf-write>
@@ -38,6 +37,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
   /{usr/,}bin/{,ba,da}sh rix,
+  /{usr/,}lib/gio-launch-desktop  rPx -> child-open,
 
   /usr/share/nautilus/{,**} r,
   /usr/share/poppler/{,**} r,
@@ -57,6 +57,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   owner /tmp/{,**} rw,
 
   # Silence non user's data
+  include <abstractions/deny-sensitive-home>
   deny /boot/{,**} r,
   deny /opt/{,**} r,
   deny /root/{,**} r,

apparmor.d/groups/gnome/tracker-extract

@@ -64,6 +64,7 @@ profile tracker-extract @{exec_path} {
   @{exec_path} mr,
 
   /usr/share/applications/*.desktop r,
+  /usr/share/applications/mimeinfo.cache r,
   /usr/share/dconf/profile/gdm r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/hwdata/*.ids r,
@@ -84,6 +85,7 @@ profile tracker-extract @{exec_path} {
   /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
   /var/lib/gdm{3,}/greeter-dconf-defaults r,
 
+  /var/lib/flatpak/exports/share/applications/mimeinfo.cache r,
   /var/lib/snapd/desktop/applications/*.desktop r,
 
   # Allow to search user files
@@ -92,7 +94,6 @@ profile tracker-extract @{exec_path} {
   owner /tmp/*/{,**} r,
 
   owner @{user_cache_dirs}/tracker3/files/{,**} rwk,
-  owner @{user_share_dirs}/gvfs-metadata/** r,
 
   owner /tmp/tracker-extract-3-files.*/{,*} rw,
 
@@ -104,6 +105,8 @@ profile tracker-extract @{exec_path} {
   @{run}/udev/data/c51[0-9]:[0-9]* r,
   @{run}/mount/utab r,
 
+  @{sys}/devices/system/cpu/possible r,
+
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
 
@@ -112,6 +115,8 @@ profile tracker-extract @{exec_path} {
   /dev/media[0-9]* r,
   /dev/video[0-9]* rw,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/** r,
+  
   # file_inherit
   owner /dev/tty[0-9]* rw,
 

apparmor.d/groups/gnome/tracker-miner

@@ -12,6 +12,7 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
   include <abstractions/dconf-write>
+  include <abstractions/deny-sensitive-home>
   include <abstractions/disks-read>
   include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gvfs/gvfsd

@@ -11,6 +11,7 @@ include <tunables/global>
 @{exec_path} += @{libexec}/gvfsd
 profile gvfsd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-gtk>
   include <abstractions/dbus-session-strict>
 
   dbus send bus=session path=/org/freedesktop/DBus

apparmor.d/groups/gvfs/gvfsd-fuse

@@ -11,6 +11,7 @@ include <tunables/global>
 @{exec_path} += @{libexec}/gvfsd-fuse
 profile gvfsd-fuse @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-gtk>
   include <abstractions/dbus-session-strict>
 
   unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),

apparmor.d/groups/gvfs/gvfsd-metadata

@@ -11,6 +11,7 @@ include <tunables/global>
 @{exec_path} += @{libexec}/gvfsd-metadata
 profile gvfsd-metadata @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-gtk>
   include <abstractions/dbus-session-strict>
   include <abstractions/disks-read>
 

apparmor.d/groups/gvfs/gvfsd-trash

@@ -11,6 +11,7 @@ include <tunables/global>
 @{exec_path} += @{libexec}/gvfsd-trash
 profile gvfsd-trash @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-gtk>
   include <abstractions/dbus-session-strict>
   include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>

apparmor.d/groups/network/mullvad-daemon

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = "/opt/Mullvad VPN/resources/mullvad-daemon"
-profile mullvad-daemon @{exec_path} {
+profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
@@ -29,6 +29,9 @@ profile mullvad-daemon @{exec_path} {
 
   @{exec_path} mr,
 
+  /{usr/,}bin/ip  rix,
+
+  "/opt/Mullvad VPN/resources/openvpn" rix,
   "/opt/Mullvad VPN/resources/*" r,
 
   /etc/mullvad-vpn/{,*} r,
@@ -47,8 +50,13 @@ profile mullvad-daemon @{exec_path} {
   @{sys}/fs/cgroup/net_cls/mullvad-exclusions/net_cls.classid rw,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
+  owner /tmp/@{uuid} rw,
+  owner /tmp/talpid-openvpn-@{uuid} rw,
+
   owner @{PROC}/@{pid}/mounts r,
         @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
 
+  /dev/net/tun rw,
+
   include if exists <local/mullvad-daemon>
 }

apparmor.d/groups/network/mullvad-gui

@@ -46,7 +46,7 @@ profile mullvad-gui @{exec_path} {
   /var/lib/dbus/machine-id r,
 
   owner "@{user_config_dirs}/Mullvad VPN/{,**}" rwk,
-  owner @{user_share_dirs}/gvfs-metadata/* r,
+  owner @{user_cache_dirs}/dconf/user rw,
 
   owner "/tmp/.org.chromium.Chromium.*/Mullvad VPN*.png" rw,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[a-zA-z0-9]* r,
@@ -73,5 +73,7 @@ profile mullvad-gui @{exec_path} {
 
   /dev/tty rw,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/* r,
+
   include if exists <local/mullvad-gui>
 }

apparmor.d/groups/network/networkd-dispatcher

@@ -13,6 +13,11 @@ profile networkd-dispatcher @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 
+  dbus receive bus=system path=/org/freedesktop/network1/link/*
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=:*),
+
   @{exec_path} mr,
 
   /{usr/,}bin/ r,

apparmor.d/groups/network/tailscaled

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}{,s}bin/tailscaled
-profile tailscaled @{exec_path} {
+profile tailscaled @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
@@ -22,6 +22,8 @@ profile tailscaled @{exec_path} {
   network inet6 dgram,
   network inet stream,
   network inet6 stream,
+  network inet raw,
+  network inet6 raw,
   network netlink raw,
 
   ptrace (read),
@@ -39,8 +41,9 @@ profile tailscaled @{exec_path} {
   /etc/resolv.conf rw,
   /etc/resolv.conf.*.tmp rw,
 
-  owner /var/lib/tailscale/{,**} rw,
   owner @{run}/tailscale/{,**} rw,
+  owner /var/cache/{,**} rw,
+  owner /var/lib/tailscale/{,**} rw,
 
   @{sys}/devices/virtual/dmi/id/{bios_vendor,product_name} r,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

apparmor.d/groups/pacman/archlinux-keyring-wkd-sync

@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/archlinux-keyring-wkd-sync
+profile archlinux-keyring-wkd-sync @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+  include <abstractions/p11-kit>
+  include <abstractions/ssl_certs>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{m,g,}awk    rix,
+  /{usr/,}bin/bash         rix,
+  /{usr/,}bin/gpg          rix,
+  /{usr/,}bin/pacman-conf  rix,
+  /{usr/,}bin/dirmngr rix,
+
+  /etc/pacman.conf r,
+  /etc/pacman.d/*-mirrorlist r,
+  /etc/pacman.d/gnupg/ rw,
+  /etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**,
+  /etc/pacman.d/mirrorlist r,
+
+  owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
+
+  include if exists <local/archlinux-keyring-wkd-sync>
+}

apparmor.d/groups/pacman/aurpublish

@@ -16,15 +16,36 @@ profile aurpublish @{exec_path} {
 
   /{usr/,}bin/{,ba,da}sh  rix,
   /{usr/,}bin/cat         rix,
+  /{usr/,}bin/chmod       rix,
+  /{usr/,}bin/date        rix,
+  /{usr/,}bin/gettext     rix,
   /{usr/,}bin/git         rPx,
-  /{usr/,}bin/makepkg     rUx,
+  /{usr/,}bin/gpg         rPUx,
+  /{usr/,}bin/grep        rix,
+  /{usr/,}bin/makepkg     rix,
+  /{usr/,}bin/mkdir       rix,
+  /{usr/,}bin/mktemp      rix,
+  /{usr/,}bin/nproc       rix,
   /{usr/,}bin/rm          rix,
+  /{usr/,}bin/sha512sum   rix,
   /{usr/,}bin/wc          rix,
 
+  /usr/share/makepkg/{,**} r,
+
+  /etc/makepkg.conf r,
+
+  owner @{user_build_dirs}/**/ w,
   owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
   owner @{user_projects_dirs}/**/.SRCINFO rw,
   owner @{user_projects_dirs}/**/PKGBUILD r,
 
+  owner @{user_cache_dirs}/makepkg/src/* r,
+  owner @{user_config_dirs}/pacman/makepkg.conf r,
+
+  owner /tmp/tmp.* rw,
+
+  owner @{PROC}/@{pid}/maps r,
+
   /dev/tty rw,
 
   include if exists <local/aurpublish>

apparmor.d/groups/pacman/mkinitcpio

@@ -29,7 +29,7 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/find                rix,
   /{usr/,}bin/findmnt             rPx,
   /{usr/,}bin/fsck                rix,
-  /{usr/,}bin/gawk                rix,
+  /{usr/,}bin/{m,g,}awk           rix,
   /{usr/,}bin/grep                rix,
   /{usr/,}bin/hexdump             rix,
   /{usr/,}bin/install             rix,

apparmor.d/groups/pacman/paccache

@@ -18,7 +18,7 @@ profile paccache @{exec_path} {
 
   /{usr/,}bin/bash         rix,
   /{usr/,}bin/cat          rix,
-  /{usr/,}bin/gawk         rix,
+  /{usr/,}bin/{m,g,}awk    rix,
   /{usr/,}bin/gettext      rix,
   /{usr/,}bin/pacman       rPx,
   /{usr/,}bin/pacman-conf  rPx,
@@ -38,4 +38,4 @@ profile paccache @{exec_path} {
   /dev/tty rw,
 
   include if exists <local/paccache>
-}
+}

apparmor.d/groups/pacman/pacdiff

@@ -22,10 +22,15 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/cat          rix,
   /{usr/,}bin/cmp          rix,
   /{usr/,}bin/find         rix,
-  /{usr/,}bin/gawk         rix,
+  /{usr/,}bin/{m,g,}awk    rix,
   /{usr/,}bin/locate       rix,
+  /{usr/,}bin/pacman       rix,
   /{usr/,}bin/pacman-conf  rPx,
+  /{usr/,}bin/pacsort      rix,
+  /{usr/,}bin/rm           rix,
+  /{usr/,}bin/sed          rix,
   /{usr/,}bin/tput         rix,
+  /{usr/,}bin/vim          rix,
 
   # packages files
   / r,

apparmor.d/groups/pacman/pacman

@@ -91,6 +91,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/mkinitcpio                  rPx,
   /{usr/,}bin/pacdiff                     rPx,
   /{usr/,}bin/pacman-key                  rPx,
+  /{usr/,}bin/sbctl                       rPx,
   /{usr/,}bin/sysctl                      rPx,
   /{usr/,}bin/systemctl                   rPx -> child-systemctl,
   /{usr/,}bin/systemd-*                   rPx,
@@ -121,7 +122,7 @@ profile pacman @{exec_path} {
 
   owner /var/lib/pacman/{,**} rwl,
   owner /tmp/alpm_*/{,**} rw,
-  owner /tmp/checkup-db-[0-9]*/sync/{,*.db.part} rw,
+  owner /tmp/checkup-db-[0-9]*/sync/{,*.db*} rw,
   owner /tmp/checkup-db-[0-9]*/db.lck rw,
 
   owner @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/pacman/pacman-conf

@@ -11,9 +11,6 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
 
-  network inet stream,
-  network inet6 stream,
-
   @{exec_path} mr,
 
   /etc/pacman.conf r,

apparmor.d/groups/pacman/pacman-key

@@ -19,7 +19,7 @@ profile pacman-key @{exec_path} {
   /{usr/,}bin/basename     rix,
   /{usr/,}bin/bash         rix,
   /{usr/,}bin/chmod        rix,
-  /{usr/,}bin/gawk         rix,
+  /{usr/,}bin/{m,g,}awk    rix,
   /{usr/,}bin/gettext      rix,
   /{usr/,}bin/gpg          rCx -> gpg,
   /{usr/,}bin/grep         rix,

apparmor.d/groups/systemd/bootctl

@@ -20,7 +20,9 @@ profile bootctl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/less       rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   /{boot,efi}/ r,
   /{boot,efi}/EFI/{,**} r,

apparmor.d/groups/systemd/busctl

@@ -0,0 +1,27 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/busctl
+profile busctl @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  ptrace (read),
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
+
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/comm r,
+  @{PROC}/@{pids}/stat r,
+
+  include if exists <local/busctl>
+}

apparmor.d/groups/systemd/coredumpctl

@@ -17,9 +17,9 @@ profile coredumpctl @{exec_path} flags=(complain) {
 
   /{usr/,}bin/gdb   rCx -> gdb,
 
-  /{usr/,}bin/pager rPx -> child-pager,
   /{usr/,}bin/less  rPx -> child-pager,
   /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   owner /tmp/*.coredump w,
   owner /tmp/core.* w,

apparmor.d/groups/systemd/journalctl

@@ -23,9 +23,9 @@ profile journalctl @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager rPx -> child-pager,
   /{usr/,}bin/less  rPx -> child-pager,
   /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,

apparmor.d/groups/systemd/localectl

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/localectl
+profile localectl @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/systemd-common>
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
+
+  /usr/share/kbd/keymaps/{,**} r,
+
+  include if exists <local/localectl>
+}

apparmor.d/groups/systemd/networkctl

@@ -31,9 +31,9 @@ profile networkctl @{exec_path} flags=(attach_disconnected,complain) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager            rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/less             rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/more             rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   /etc/udev/hwdb.bin r,
   /var/lib/dbus/machine-id r,

apparmor.d/groups/systemd/systemd-cgls

@@ -14,9 +14,9 @@ profile systemd-cgls @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager     rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/less      rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/more      rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   @{sys}/fs/cgroup/{,**} r,
 

apparmor.d/groups/systemd/systemd-cgtop

@@ -12,9 +12,9 @@ profile systemd-cgtop @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager     rPx -> child-pager,
+  /{usr/,}bin/less  rPx -> child-pager,
-  /{usr/,}bin/less      rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
-  /{usr/,}bin/more      rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   @{sys}/fs/cgroup/{,**} r,
 

apparmor.d/groups/systemd/systemd-dissect

@@ -0,0 +1,44 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/systemd-dissect
+profile systemd-dissect @{exec_path} {
+  include <abstractions/base>
+
+  capability dac_read_search,
+  capability sys_admin,
+  capability sys_resource,
+
+  mount options=(rw, rslave) -> /,
+  mount options=(rw, nodev) -> /mnt/*/,
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/fsck  rPx,
+  /{usr/,}bin/less  rPx -> child-pager,
+  /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
+
+  # Location of file system OS images
+  @{user_build_dirs}/{,**} r,
+  @{user_pkg_dirs}/{,**} r,
+  @{user_projects_dirs}/{,**} r,
+  @{user_vm_dirs}/{,**} r,
+
+  owner /tmp/dissect-*/{,**} rw,
+
+  @{sys}/devices/virtual/block/loop[0-9]*/{,**} r,
+  @{sys}/kernel/uevent_seqnum r,
+
+  @{PROC}/@{pids}/cgroup r,
+
+  /dev/loop-control rwk,
+  /dev/loop*  rwk,
+
+  include if exists <local/systemd-dissect>
+}

apparmor.d/groups/systemd/systemd-environment-d-generator

@@ -17,7 +17,7 @@ profile systemd-environment-d-generator @{exec_path} {
   /{usr/,}bin/{,ba,da}sh  rix,
   /{usr/,}bin/flatpak     rPUx,
   /{usr/,}bin/gpgconf     rPx,
-  /{usr/,}bin/mawk        rix,
+  /{usr/,}bin/{m,g,}awk   rix,
 
   /etc/environment r,
   /etc/environment.d/{,**} r,

apparmor.d/groups/systemd/systemd-hwdb

@@ -13,8 +13,8 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /usr/lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
+  /{usr/,}lib/udev/.#hwdb.bin[0-9a-zA-Z]* w,
-  /usr/lib/udev/hwdb.bin w,
+  /{usr/,}lib/udev/hwdb.bin w,
 
   /etc/udev/hwdb.d/{,*} r,
 

apparmor.d/groups/systemd/systemd-id128

@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/systemd-id128
+profile systemd-id128 @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/machine-id r,
+
+  @{PROC}/sys/kernel/random/boot_id r,
+
+  include if exists <local/systemd-id128>
+}

apparmor.d/groups/systemd/systemd-machined

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}lib/systemd/systemd-machined
-profile systemd-machined @{exec_path} flags=(complain) {
+profile systemd-machined @{exec_path} {
   include <abstractions/base>
   include <abstractions/systemd-common>
 

apparmor.d/groups/systemd/systemd-mount

@@ -14,9 +14,9 @@ profile systemd-mount @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/pager rPx -> child-pager,
   /{usr/,}bin/less  rPx -> child-pager,
   /{usr/,}bin/more  rPx -> child-pager,
+  /{usr/,}bin/pager rPx -> child-pager,
 
   @{sys}/bus/ r,
   @{sys}/class/ r,