feat(abs): add the themes abs.

fix #860

.github/workflows/main.yml

@@ -47,11 +47,6 @@ jobs:
           if [[ ${{ matrix.mode }} == full-system-policy ]]; then
             sed -e "s/just complain/just fsp-complain/" -i debian/rules
           fi
-          if [[ ${{ matrix.os }} == ubuntu-24.04 ]] && [[ ${{ matrix.mode }} == default ]]; then
-            # Test with Re-attach disconnected path
-            sed -e 's;// builder.Register("attach");builder.Register("attach");' -i pkg/prebuild/cli/cli.go
-            sed -e '/@{att}/d' -i apparmor.d/tunables/multiarch.d/system
-          fi
           bash dists/build.sh dpkg
 
       - name: Install apparmor.d

Justfile

@@ -49,44 +49,52 @@ c := "--connect=qemu:///system"
 # VM prefix
 prefix := "aa-"
 
-[doc('Show this help message')]
+# Show this help message
 help:
 	@just --list --unsorted
 	@printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information."
 
+# Build the go programs
 [group('build')]
-[doc('Build the go programs')]
 build:
 	@go build -o {{build}}/ ./cmd/aa-log
 	@go build -o {{build}}/ ./cmd/prebuild
 
+# Prebuild the profiles in enforced mode
 [group('build')]
-[doc('Prebuild the profiles in enforced mode')]
 enforce: build
 	@./{{build}}/prebuild --buildir {{build}}
 
+# Prebuild the profiles in enforce mode (test)
+enforce-test: build
+	@./{{build}}/prebuild --buildir {{build}} --test
+
+# Prebuild the profiles in complain mode
 [group('build')]
-[doc('Prebuild the profiles in complain mode')]
 complain: build
 	./{{build}}/prebuild --buildir {{build}} --complain
 
+# Prebuild the profiles in complain mode (test)
+complain-test: build
+	@./{{build}}/prebuild --buildir {{build}} --complain --test
+
+# Prebuild the profiles in FSP mode
 [group('build')]
-[doc('Prebuild the profiles in FSP mode')]
 fsp: build
 	@./{{build}}/prebuild --buildir {{build}} --full
 
+# Prebuild the profiles in FSP mode (complain)
 [group('build')]
-[doc('Prebuild the profiles in FSP mode (complain)')]
 fsp-complain: build
 	@./{{build}}/prebuild --buildir {{build}} --complain --full
 
+# Prebuild the profiles in FSP mode (debug)
 [group('build')]
-[doc('Prebuild the profiles in FSP mode (debug)')]
 fsp-debug: build
 	@./{{build}}/prebuild --buildir {{build}} --complain --full --debug
 
+# Install prebuild profiles
 [group('install')]
-[doc('Install prebuild profiles')]
 install:
 	#!/usr/bin/env bash
 	set -eu -o pipefail
@@ -113,8 +121,8 @@ install:
 		install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
 	done
 
+# Locally install prebuild profiles
 [group('install')]
-[doc('Locally install prebuild profiles')]
 local +names:
 	#!/usr/bin/env bash
 	set -eu -o pipefail
@@ -135,39 +143,39 @@ local +names:
 	done;
 	systemctl restart apparmor || sudo journalctl -xeu apparmor.service
 
+# Prebuild, install, and load a dev profile
 [group('install')]
-[doc('Prebuild, install, and load a dev profile')]
 dev name:
 	go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}`
 	sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}}
 	sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
 
+# Build & install apparmor.d on Arch based systems
 [group('packages')]
-[doc('Build & install apparmor.d on Arch based systems')]
 pkg:
 	@makepkg --syncdeps --install --cleanbuild --force --noconfirm
 
+# Build & install apparmor.d on Debian based systems
 [group('packages')]
-[doc('Build & install apparmor.d on Debian based systems')]
 dpkg:
 	@bash dists/build.sh dpkg
 	@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
 
+# Build & install apparmor.d on OpenSUSE based systems
 [group('packages')]
-[doc('Build & install apparmor.d on OpenSUSE based systems')]
 rpm:
 	@bash dists/build.sh rpm
 	@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
 
+# Run the unit tests
 [group('tests')]
-[doc('Run the unit tests')]
 tests:
 	@go test ./cmd/... -v -cover -coverprofile=coverage.out
 	@go test ./pkg/... -v -cover -coverprofile=coverage.out
 	@go tool cover -func=coverage.out
 
+# Run the linters
 [group('linter')]
-[doc('Run the linters')]
 lint:
 	golangci-lint run
 	packer fmt tests/packer/
@@ -177,34 +185,34 @@ lint:
 		tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
 		debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
 
+# Run style checks on the profiles
 [group('linter')]
-[doc('Run style checks on the profiles')]
 check:
 	@bash tests/check.sh
 
+# Generate the man pages
 [group('docs')]
-[doc('Generate the man pages')]
 man:
 	@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
 
+# Build the documentation
 [group('docs')]
-[doc('Build the documentation')]
 docs:
 	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
 
+# Serve the documentation
 [group('docs')]
-[doc('Serve the documentation')]
 serve:
 	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
 
-[doc('Remove all build artifacts')]
+# Remove all build artifacts
 clean:
 	@rm -rf \
 		debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
 		{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
 
+# Build the package in a clean OCI container
 [group('packages')]
-[doc('Build the package in a clean OCI container')]
 package dist:
 	#!/usr/bin/env bash
 	set -eu -o pipefail
@@ -219,8 +227,8 @@ package dist:
 	fi
 	bash dists/docker.sh $dist $version
 
+# Build the VM image
 [group('vm')]
-[doc('Build the VM image')]
 img dist flavor: (package dist)
 	@mkdir -p {{base_dir}}
 	packer build -force \
@@ -237,8 +245,8 @@ img dist flavor: (package dist)
 		-var output_dir={{output_dir}} \
 		tests/packer/
 
+# Create the machine
 [group('vm')]
-[doc('Create the machine')]
 create dist flavor:
 	@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
 	@virt-install {{c}} \
@@ -257,53 +265,53 @@ create dist flavor:
 		--sound model=ich9 \
 		--noautoconsole
 
+# Start a machine
 [group('vm')]
-[doc('Start a machine')]
 up dist flavor:
 	@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
 
+# Stops the machine
 [group('vm')]
-[doc('Stops the machine')]
 halt dist flavor:
 	@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
 
+# Reboot the machine
 [group('vm')]
-[doc('Reboot the machine')]
 reboot dist flavor:
 	@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
 
+# Destroy the machine
 [group('vm')]
-[doc('Destroy the machine')]
 destroy dist flavor:
 	@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
 	@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
 	@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
 
+# Connect to the machine
 [group('vm')]
-[doc('Connect to the machine')]
 ssh dist flavor:
 	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}`
 
+# Mount the shared directory on the machine
 [group('vm')]
-[doc('Mount the shared directory on the machine')]
 mount dist flavor:
 	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'
 
+# Unmout the shared directory on the machine
 [group('vm')]
-[doc('Unmout the shared directory on the machine')]
 umount dist flavor:
 	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true'
 
+# List the machines
 [group('vm')]
-[doc('List the machines')]
 list:
 	@printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State"
 	@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
 
+# List the VM images
 [group('vm')]
-[doc('List the VM images')]
 images:
 	#!/usr/bin/env bash
 	set -eu -o pipefail
@@ -320,8 +328,8 @@ images:
 	}
 	'
 
+# List the VM images that can be created
 [group('vm')]
-[doc('List the VM images that can be created')]
 available:
 	#!/usr/bin/env bash
 	set -eu -o pipefail
@@ -337,36 +345,36 @@ available:
 	}
 	'
 
+# Install dependencies for the integration tests
 [group('tests')]
-[doc('Install dependencies for the integration tests')]
 init:
 	@bash tests/requirements.sh
 
+# Run the integration tests
 [group('tests')]
-[doc('Run the integration tests')]
 integration name="":
 	bats --recursive --timing --print-output-on-failure tests/integration/{{name}}
 
+# Install dependencies for the integration tests (machine)
 [group('tests')]
-[doc('Install dependencies for the integration tests (machine)')]
 tests-init dist flavor:
 	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
 
+# Synchronize the integration tests (machine)
 [group('tests')]
-[doc('Synchronize the integration tests (machine)')]
 tests-sync dist flavor:
 	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
 
+# Re-synchronize the integration tests (machine)
 [group('tests')]
-[doc('Re-synchronize the integration tests (machine)')]
 tests-resync dist flavor: (mount dist flavor) \
 	(tests-sync dist flavor) \
 	(umount dist flavor)
 
+# Run the integration tests (machine)
 [group('tests')]
-[doc('Run the integration tests (machine)')]
 tests-run dist flavor name="": (tests-resync dist flavor)
 	ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
 		bats --recursive --pretty --timing --print-output-on-failure \

PKGBUILD

@@ -3,8 +3,15 @@
 
 # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use.
 
-pkgname=apparmor.d
-pkgver=0.001
+pkgbase=apparmor.d
+pkgname=(
+  apparmor.d 
+  # apparmor.d.enforced
+  # apparmor.d.fsp apparmor.d.fsp.enforced
+  # apparmor.d.server apparmor.d.server.enforced
+  # apparmor.d.server.fsp apparmor.d.server.fsp.enforced
+)
+pkgver=0.0001
 pkgrel=1
 pkgdesc="Full set of apparmor profiles"
 arch=('x86_64' 'armv6h' 'armv7h' 'aarch64')
@@ -12,10 +19,9 @@ url="https://github.com/roddhjav/apparmor.d"
 license=('GPL-2.0-only')
 depends=('apparmor>=4.1.0' 'apparmor<5.0.0')
 makedepends=('go' 'git' 'rsync' 'just')
-conflicts=("$pkgname-git")
 
 pkgver() {
-  cd "$srcdir/$pkgname"
+  cd "$srcdir/$pkgbase"
   echo "0.$(git rev-list --count HEAD)"
 }
 
@@ -24,17 +30,104 @@ prepare() {
 }
 
 build() {
-  cd "$srcdir/$pkgname"
+  cd "$srcdir/$pkgbase"
   export CGO_CPPFLAGS="${CPPFLAGS}"
   export CGO_CFLAGS="${CFLAGS}"
   export CGO_CXXFLAGS="${CXXFLAGS}"
   export CGO_LDFLAGS="${LDFLAGS}"
+  export GOPATH="${srcdir}"
   export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
   export DISTRIBUTION=arch
-  just complain
+  local -A modes=(
+    # Mapping of modes to just build target.
+    [default]=complain
+    # [enforced]=enforce
+    # [fsp]=fsp-complain
+    # [fsp.enforced]=fsp
+    # [server]=server-complain
+    # [server.enforced]=server
+    # [server.fsp]=server-fsp-complain
+    # [server.fsp.enforced]=server-fsp
+  )
+  for mode in "${!modes[@]}"; do
+    just build=".build/$mode" "${modes[$mode]}"
+  done
 }
 
-package() {
-  cd "$srcdir/$pkgname"
-  just destdir="$pkgdir" install
+_conflicts() {
+  local mode="$1"
+  local pattern=".$mode"
+  if [[ "$mode" == "default" ]]; then
+    pattern=""
+  else
+    echo "$pkgbase"
+  fi
+  for pkg in "${pkgname[@]}"; do
+    if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then
+      continue
+    fi
+    echo "$pkg"
+  done
+}
+
+_install() {
+  local mode="${1:?}"
+  cd "$srcdir/$pkgbase"
+  just build=".build/$mode" destdir="$pkgdir" install
+}
+
+package_apparmor.d() {
+  mode=default
+  pkgdesc="$pkgdesc (complain mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.enforced() {
+  mode=enforced
+  pkgdesc="$pkgdesc (enforced mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.fsp() {
+  mode="fsp"
+  pkgdesc="$pkgdesc (FSP mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.fsp.enforced() {
+  mode="fsp.enforced"
+  pkgdesc="$pkgdesc (FSP enforced mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.server() {
+  mode="server"
+  pkgdesc="$pkgdesc (server complain mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.server.enforced() {
+  mode="server.enforced"
+  pkgdesc="$pkgdesc (server enforced mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.server.fsp() {
+  mode="server.fsp"
+  pkgdesc="$pkgdesc (server FSP complain mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.server.fsp.enforced() {
+  mode="server.fsp.enforced"
+  pkgdesc="$pkgdesc (server FSP enforced mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
 }

apparmor.d/abstractions/X-strict

@@ -5,10 +5,10 @@
   abi <abi/4.0>,
 
   # The unix socket to use to connect to the display
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
-  unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",
-  unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
+  unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}),
+  unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}),
+  unix type=stream addr=@/tmp/.ICE-unix/@{int},
+  unix type=stream addr=@/tmp/.X11-unix/X@{int},
 
   /usr/share/X11/{,**} r,
   /usr/share/xsessions/{,*.desktop} r,  # Available Xsessions
@@ -16,13 +16,13 @@
 
   /etc/X11/cursors/{,**} r,
 
-  owner @{HOME}/.ICEauthority rw,  # ICEauthority files required for X authentication, per user
+  owner @{HOME}/.ICEauthority r,  # ICEauthority files required for X authentication, per user
   owner @{HOME}/.Xauthority rw,  # Xauthority files required for X connections, per user
   owner @{HOME}/.xsession-errors rw,
 
-        /tmp/.ICE-unix/* rw,
+        /tmp/.ICE-unix/@{int} rw,
         /tmp/.X@{int}-lock rw,
-        /tmp/.X11-unix/* rw,
+        /tmp/.X11-unix/X@{int} rw,
   owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},
 
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,  # Xwayland

apparmor.d/abstractions/accessibility

@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow communication with Assistive Technology Service Provider Interface (AT-SPI)
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus/accessibility/org.a11y>
+  include <abstractions/bus/session/org.a11y>
+
+  include if exists <abstractions/accessibility.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/app/chromium

@@ -2,6 +2,11 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
+# NEEDS-VARIABLE: name
+# NEEDS-VARIABLE: domain
+# NEEDS-VARIABLE: lib_dirs
+# NEEDS-VARIABLE: config_dirs
+# NEEDS-VARIABLE: cache_dirs
 
 # Full set of rules for all chromium based browsers. It works as a *function*
 # and requires some variables to be provided as *arguments* and set in the
@@ -20,32 +25,32 @@
   abi <abi/4.0>,
 
   include <abstractions/audio-client>
+  include <abstractions/avahi-observe>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.bluez>
-  include <abstractions/bus/org.freedesktop.Avahi>
   include <abstractions/bus/org.freedesktop.FileManager1>
-  include <abstractions/bus/org.freedesktop.Notifications>
-  include <abstractions/bus/org.freedesktop.ScreenSaver>
-  include <abstractions/bus/org.freedesktop.secrets>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
-  include <abstractions/bus/org.gnome.ScreenSaver>
-  include <abstractions/bus/org.gnome.SessionManager>
-  include <abstractions/bus/org.kde.kwalletd>
+  include <abstractions/bus/session/org.gnome.SessionManager>
+  include <abstractions/bus/system/org.bluez>
+  include <abstractions/camera>
   include <abstractions/common/chromium>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
-  include <abstractions/devices-usb>
+  include <abstractions/devices-u2f>
+  include <abstractions/devices-usb-read>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
+  include <abstractions/pcscd>
+  include <abstractions/screensaver>
+  include <abstractions/secrets-service>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
+  include <abstractions/upower-observe>
   include <abstractions/user-download-strict>
   include <abstractions/user-read-strict>
-  include <abstractions/video>
 
   network inet dgram,
   network inet6 dgram,
@@ -103,7 +108,6 @@
 
   /etc/@{name}/{,**} r,
   /etc/fstab r,
-  /etc/{,opensc/}opensc.conf r,
 
   / r,
   owner @{HOME}/ r,
@@ -151,9 +155,7 @@
   @{sys}/class/**/ r,
   @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
   @{sys}/devices/@{pci}/boot_vga r,
-  @{sys}/devices/@{pci}/report_descriptor r,
   @{sys}/devices/**/uevent r,
-  @{sys}/devices/virtual/**/report_descriptor r,
 
         @{PROC}/ r,
         @{PROC}/@{pid}/fd/ r,
@@ -178,7 +180,6 @@
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
 
         /dev/ r,
-        /dev/hidraw@{int} rw,
         /dev/tty rw,
   owner /dev/tty@{int} rw,
 

apparmor.d/abstractions/app/firefox

@@ -2,6 +2,10 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
+# NEEDS-VARIABLE: name
+# NEEDS-VARIABLE: lib_dirs
+# NEEDS-VARIABLE: config_dirs
+# NEEDS-VARIABLE: cache_dirs
 
 # Full set of rules for all firefox based browsers. It works as a *function*
 # and requires some variables to be provided as *arguments* and set in the
@@ -18,7 +22,6 @@
   include <abstractions/audio-client>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.FileManager1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/bus/org.freedesktop.portal.Desktop>
@@ -27,11 +30,13 @@
   include <abstractions/cups-client>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
+  include <abstractions/devices-u2f>
   include <abstractions/enchant>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/gstreamer>
   include <abstractions/nameservice-strict>
+  include <abstractions/pcscd>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
@@ -75,7 +80,6 @@
   /usr/share/webext/{,**} r,
   /usr/share/xul-ext/kwallet5/* r,
 
-  /etc/{,opensc/}opensc.conf r,
   /etc/@{name}/{,**} r,
   /etc/fstab r,
   /etc/lsb-release r,
@@ -160,7 +164,6 @@
   owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
 
         /dev/ r,
-        /dev/hidraw@{int} rw,
         /dev/tty rw,
         /dev/video@{int} rw,
   owner /dev/tty@{int} rw, # File Inherit

apparmor.d/abstractions/app/open

@@ -7,6 +7,8 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/accessibility>
+  include <abstractions/bus-session>
   include <abstractions/desktop>
 
   # We cannot use `@{open_path} mrix,` here because it includes:
@@ -29,9 +31,6 @@
   # if @{DE} == kde
 
     include <abstractions/audio-client>
-    include <abstractions/bus-accessibility>
-    include <abstractions/bus-session>
-    include <abstractions/bus/org.a11y>
     include <abstractions/graphics>
     include <abstractions/nameservice-strict>
 

apparmor.d/abstractions/app/pgrep

@@ -19,6 +19,7 @@
   @{sys}/devices/system/node/node@{int}/meminfo r,
 
   @{PROC}/ r,
+  @{PROC}/@{pid}/status r,
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/@{pids}/cmdline r,
   @{PROC}/@{pids}/environ r,

apparmor.d/abstractions/apt

@@ -6,7 +6,9 @@
   abi <abi/4.0>,
 
   /usr/share/dpkg/cputable r,
+  /usr/share/dpkg/ostable r,
   /usr/share/dpkg/tupletable r,
+  /usr/share/dpkg/varianttable r,
 
   /etc/apt/apt.conf r,
   /etc/apt/apt.conf.d/{,*} r,
@@ -18,6 +20,9 @@
   /etc/apt/sources.list.d/ r,
   /etc/apt/sources.list.d/*.{sources,list} r,
 
+  /etc/apt/trusted.gpg r,
+  /etc/apt/trusted.gpg.d/{,*} r,
+
   /var/lib/apt/lists/{,**} r,
   /var/lib/apt/extended_states r,
 
@@ -25,11 +30,14 @@
   /var/cache/apt/srcpkgcache.bin r,
 
   /var/lib/dpkg/status r,
-  /var/lib/ubuntu-advantage/apt-esm/{,**} r,
+  /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu
 
   owner @{tmp}/#@{int} rw,
   owner @{tmp}/clearsigned.message.* rw,
 
-  include if exists <abstractions/common/apt.d>
+  #aa:only test
+  /tmp/autopkgtest.@{rand6}/** rwk,
+
+  include if exists <abstractions/apt.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/attached/base

@@ -8,7 +8,7 @@
 
   abi <abi/4.0>,
 
-  include <abstractions/base-strict>
+  include <abstractions/base>
 
   @{att}/@{run}/systemd/journal/dev-log w,
   @{att}/@{run}/systemd/journal/socket w,

apparmor.d/abstractions/audio-client

@@ -57,12 +57,18 @@
   owner @{run}/user/@{uid}/pulse/ rw,
   owner @{run}/user/@{uid}/pulse/native rw,
 
+  @{run}/udev/data/c116:@{int} r,         # For ALSA
+  @{run}/udev/data/+sound:card@{int} r,   # For sound card
+
+  @{sys}/class/ r,
   @{sys}/class/sound/ r,
 
         /dev/shm/ r,
   owner /dev/shm/pulse-shm-@{int} rw,
 
   /dev/snd/controlC@{int} r,
+  /dev/snd/pcmC@{int}D@{int}[cp] r,
+  /dev/snd/timer r,
 
   include if exists <abstractions/audio-client.d>
 

apparmor.d/abstractions/audio-server

@@ -9,11 +9,6 @@
 
   include <abstractions/audio-client>
 
-  @{run}/udev/data/+sound:card@{int} r,   # for sound card
-
-  @{sys}/class/ r,
-  @{sys}/class/sound/ r,
-
   @{PROC}/asound/** rw,
 
   /dev/admmidi*   rw,

apparmor.d/abstractions/avahi-observe

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2016 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows domain, record, service, and service type browsing as well as address,
+# host and service resolving
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
+
+  include <abstractions/bus/system/org.freedesktop.Avahi.AddressResolver>
+  include <abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser>
+  include <abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver>
+  include <abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser>
+
+  @{run}/avahi-daemon/socket rw,
+
+  include if exists <abstractions/avahi-observe.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/base.d/complete

@@ -8,20 +8,20 @@
   signal receive                           peer=@{p_systemd_user},
 
   # Allow to receive some signals from new well-known profiles
-  signal (receive)                           peer=btop,
-  signal (receive)                           peer=htop,
-  signal (receive)                           peer=pkill,
-  signal (receive)                           peer=sudo,
-  signal (receive)                           peer=top,
-  signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
-  signal (receive) set=(hup term)            peer=login,
-  signal (receive) set=(hup)                 peer=xinit,
-  signal (receive) set=(term,kill)           peer=gnome-shell,
-  signal (receive) set=(term,kill)           peer=gnome-system-monitor,
-  signal (receive) set=(term,kill)           peer=openbox,
-  signal (receive) set=(term,kill)           peer=su,
+  signal receive                           peer=btop,
+  signal receive                           peer=htop,
+  signal receive                           peer=pkill,
+  signal receive                           peer=sudo,
+  signal receive                           peer=top,
+  signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
+  signal receive set=(hup term)            peer=login,
+  signal receive set=(hup)                 peer=xinit,
+  signal receive set=(term,kill)           peer=gnome-shell,
+  signal receive set=(term,kill)           peer=gnome-system-monitor,
+  signal receive set=(term,kill)           peer=openbox,
+  signal receive set=(term,kill)           peer=su,
 
-  ptrace (readby) peer=@{p_systemd_coredump},
+  ptrace readby peer=@{p_systemd_coredump},
 
   @{etc_rw}/localtime r,
   /etc/locale.conf r,
@@ -30,4 +30,6 @@
 
   @{PROC}/sys/kernel/core_pattern r,
 
+  /apparmor/.null rw,
+
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/accessibility/org.a11y

@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  # Allow the accessibility services in the user session to send us any events
+
+  dbus receive bus=accessibility
+       peer=(label="@{p_at_spi2_registryd}"),
+
+  # Allow querying for capabilities and registering
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetKeystrokeListeners,GetDeviceEventListeners}
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member=NotifyListenersSync
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  # org.a11y.atspi is not designed for application isolation and these rules
+  # can be used to send change events for other processes.
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Event.Object
+       member=ChildrenChanged
+       peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Accessible
+       member=Get*
+       peer=(label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+       interface=org.a11y.atspi.Event.Object
+       member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
+       peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/cache
+       interface=org.a11y.atspi.Cache
+       member={AddAccessible,RemoveAccessible}
+       peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+  include if exists <abstractions/bus/accessibility/org.a11y.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.a11y

@@ -1,63 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  # Accessibility bus
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=EventListenerDeregistered
-       peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.freedesktop.DBus.Properties
-       member=Set
-       peer=(name="@{busname}", label="@{p_at_spi2_registryd}"),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry),
-
-  # Session bus
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=Get
-       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus),
-
-  include if exists <abstractions/bus/org.a11y.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.Notifications

@@ -1,26 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  #aa:dbus common bus=session name=org.freedesktop.Notifications label=gjs-console
-
-  dbus send bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member={GetCapabilities,GetServerInformation,Notify}
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member={NotificationClosed,CloseNotification}
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member=Notify
-       peer=(name=org.freedesktop.DBus, label=gjs-console),
-
-  include if exists <abstractions/bus/org.freedesktop.Notifications.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.PackageKit

@@ -2,6 +2,9 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow communication with PackageKit transactions. Transactions are exported
+# with random object paths that currently take the form /@{int}_@{hex8}.
+
   abi <abi/4.0>,
 
   #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd
@@ -16,6 +19,14 @@
        member=StateHasChanged
        peer=(name=org.freedesktop.PackageKit),
 
+  dbus send bus=system path=/@{int}_@{hex8}
+       interface=org.freedesktop.PackageKit.Transaction
+       peer=(label=packagekitd),
+
+  dbus receive bus=system path=/@{int}_@{hex8}
+       interface=org.freedesktop.PackageKit.Transaction
+       peer=(label=packagekitd),
+
   include if exists <abstractions/bus/org.freedesktop.PackageKit.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1

@@ -2,6 +2,8 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Can talk to polkitd's CheckAuthorization API
+
   abi <abi/4.0>,
 
   #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
@@ -13,17 +15,13 @@
 
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
-       member=CheckAuthorization
-       peer=(name=org.freedesktop.PolicyKit1, label="@{p_polkitd}"),
+       member={CheckAuthorization,CancelCheckAuthorization}
+       peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
 
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
-       member=CheckAuthorization
-       peer=(name="@{busname}", label="@{p_polkitd}"),
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.PolicyKit1.Authority
-       member=CheckAuthorization
-       peer=(name=org.freedesktop.PolicyKit1),
+       member=RegisterAuthenticationAgentWithOptions
+       peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
 
   include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.resolve1

@@ -1,16 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  #aa-dbus common bus=system name=org.freedesktop.resolve1 label="@{p_systemd_resolved}"
-
-  dbus send bus=system path=/org/freedesktop/resolve1
-       interface=org.freedesktop.resolve1.Manager
-       member={ResolveAddress,ResolveHostname,ResolveRecord,ResolveService}
-       peer=(name=org.freedesktop.resolve1, label="@{p_systemd_resolved}"),
-
-  include if exists <abstractions/bus/org.freedesktop.resolve1.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gnome.ScreenSaver

@@ -1,21 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  #aa:dbus common bus=session name=org.gnome.ScreenSaver label=gjs-console
-
-  dbus send bus=session path=/org/gnome/ScreenSaver
-       interface=org.gnome.ScreenSaver
-       member=GetActive
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/gnome/ScreenSaver
-       interface=org.gnome.ScreenSaver
-       member={ActiveChanged,WakeUpScreen}
-       peer=(name="@{busname}", label=gjs-console),
-
-  include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter

@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow accessing the GNOME crypto services prompt APIs as used by
+# applications using libgcr (such as pinentry-gnome3) for secure pin
+# entry to unlock GPG keys etc. See:
+# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
+# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
+# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
+
+  abi <abi/4.0>,
+
+  unix type=stream peer=(label=gnome-keyring-daemon),
+
+  dbus send bus=session path=/org/gnome/keyring/Prompter
+       interface=org.gnome.keyring.internal.Prompter
+       member={BeginPrompting,PerformPrompt,StopPrompting}
+       peer=(name=@{busname}, label=pinentry-*),
+
+  dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
+       interface=org.gnome.keyring.internal.Prompter.Callback
+       member={PromptReady,PromptDone}
+       peer=(name=@{busname}, label=pinentry-*),
+
+  include if exists <abstractions/bus/org.gnome.keyring.internal.Prompter.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/io.snapcraft.Launcher

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow use of snapd's internal xdg-open
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/
+      interface=com.canonical.SafeLauncher
+      member=OpenURL
+      peer=(name=@{busname}, label=snap),
+
+  dbus send bus=session path=/io/snapcraft/Launcher
+       interface=io.snapcraft.Launcher
+       member={OpenURL,OpenFile}
+       peer=(name=@{busname}, label=snap),
+
+  include if exists <abstractions/bus/session/io.snapcraft.Launcher.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher

@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Can identify and launch other snaps.
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher
+       interface=io.snapcraft.PrivilegedDesktopLauncher
+       member=OpenDesktopEntry
+       peer=(name=io.snapcraft.Launcher, label=snap),
+
+  include if exists <abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/io.snapcraft.Settings

@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow use of snapd's internal 'xdg-settings'
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/io/snapcraft/Settings
+       interface=io.snapcraft.Settings
+       member={Check,CheckSub,Get,GetSub,Set,SetSub}
+       peer=(name=io.snapcraft.Settings, label=snap),
+
+  include if exists <abstractions/bus/session/io.snapcraft.Settings.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.a11y

@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.a11y.Bus
+       member=Get
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.a11y.Bus
+       member=GetAddress
+       peer=(name=org.a11y.Bus),
+
+  include if exists <abstractions/bus/session/org.a11y.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal

@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow access to the IBus portal
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/freedesktop/IBus
+       interface=org.freedesktop.IBus.Portal
+       member=CreateInputContext
+       peer=(name=org.freedesktop.portal.IBus),
+
+  dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int}
+       interface=org.freedesktop.IBus.InputContext
+       peer=(label=ibus-daemon),
+
+  dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int}
+       interface=org.freedesktop.IBus.InputContext
+       peer=(label=ibus-daemon),
+
+  include if exists <abstractions/bus/session/org.freedesktop.IBus.Portal.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.Notifications

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
+
+  dbus send bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
+       peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+  dbus receive bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={ActionInvoked,NotificationClosed,NotificationReplied}
+       peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+  include if exists <abstractions/bus/session/org.freedesktop.Notifications.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver

@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={Inhibit,UnInhibit}
+       peer=(name=org.freedesktop.ScreenSaver),
+
+  dbus send bus=session path=/{,org/freedesktop/}ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={GetActive,GetActiveTime,Lock,SetActive}
+       peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
+
+  dbus receive bus=session path=/org/freedesktop/ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={ActiveChanged,WakeUpScreen}
+       peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
+
+  include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.Secret

@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Provide full access to the secret-service API:
+# - https://standards.freedesktop.org/secret-service/)
+#
+# The secret-service allows managing (add/delete/lock/etc) collections and
+# (add/delete/etc) items within collections. The API also has the concept of
+# aliases for collections which is typically used to access the default
+# collection. While it would be possible for an application developer to use a
+# snap-specific collection and mediate by object path, application developers
+# are meant to instead to treat collections (typically the default collection)
+# as a database of key/value attributes each with an associated secret that
+# applications may query. Because AppArmor does not mediate member data,
+# typical and recommended usage of the API does not allow for application
+# isolation. For details, see:
+# - https://standards.freedesktop.org/secret-service/ch03.html
+#
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon
+
+  dbus send bus=session path=/org/freedesktop/secrets{,/**}
+       interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
+       peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
+
+  dbus receive bus=session path=/org/freedesktop/secrets{,/**}
+       interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
+       peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
+
+  dbus send bus=session path=/org/freedesktop/secrets
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=gnome-keyring-daemon),
+  dbus send bus=session path=/org/freedesktop/secrets
+       interface=org.freedesktop.Secret.Service
+       member=ReadAlias
+       peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon),
+  dbus send bus=session path=/org/freedesktop/secrets
+       interface=org.freedesktop.Secret.Service
+       member=SearchItems
+       peer=(name=@{busname}, label=gnome-keyring-daemon),
+
+  include if exists <abstractions/bus/session/org.freedesktop.Secret.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings

@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Settings
+       member=Read
+       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
+
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Settings
+       member=ReadAll
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
+  include if exists <abstractions/bus/session/org.freedesktop.portal.Settings.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1

@@ -11,6 +11,6 @@
        member=GetSupportedTypes
        peer=(name="@{busname}", label="@{p_file_roller}"),
 
-  include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
+  include if exists <abstractions/bus/session/org.gnome.ArchiveManager1.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2

@@ -6,6 +6,6 @@
 
   #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus
 
-  include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
+  include if exists <abstractions/bus/session/org.gnome.Nautilus.FileOperations2.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver

@@ -2,18 +2,20 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow checking status, activating and locking the screensaver (GNOME version)
+
   abi <abi/4.0>,
 
-  dbus send bus=session path=/ScreenSaver
-       interface=org.freedesktop.ScreenSaver
-       member={Inhibit,UnInhibit}
-       peer=(name=org.freedesktop.ScreenSaver),
+  dbus send bus=session path=/{,org/gnome/}ScreenSaver
+       interface=org.gnome.ScreenSaver
+       member={GetActive,GetActiveTime,Lock,SetActive}
+       peer=(name=@{busname}, label=gjs-console),
 
   dbus receive bus=session path=/org/gnome/ScreenSaver
        interface=org.gnome.ScreenSaver
        member={ActiveChanged,WakeUpScreen}
        peer=(name=@{busname}, label=gjs-console),
 
-  include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
+  include if exists <abstractions/bus/session/org.gnome.ScreenSaver.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.SessionManager

@@ -1,48 +1,46 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-# FIXME: Too large, restrict it.
-
   abi <abi/4.0>,
 
-  #aa:dbus common bus=session name=org.gnome.SessionManager label=gnome-session-binary
+  #aa:dbus common bus=session name=org.gnome.SessionManager label="{gnome-session-binary,gnome-session-service}"
 
   dbus send bus=session path=/org/gnome/SessionManager
        interface=org.gnome.SessionManager
        member={RegisterClient,IsSessionRunning}
-       peer=(name="@{busname}", label=gnome-session-binary),
+       peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
 
   dbus send bus=session path=/org/gnome/SessionManager
        interface=org.gnome.SessionManager
        member={Inhibit,Uninhibit}
-       peer=(name="@{busname}", label=gnome-session-binary),
+       peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
 
   dbus send bus=session path=/org/gnome/SessionManager
        interface=org.gnome.SessionManager
        member={Setenv,IsSessionRunning}
-       peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
+       peer=(name=org.gnome.SessionManager, label="{gnome-session-binary,gnome-session-service}"),
 
   dbus receive bus=session path=/org/gnome/SessionManager
        interface=org.gnome.SessionManager
        member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
-       peer=(name="@{busname}", label=gnome-session-binary),
+       peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
 
   dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
        interface=org.gnome.SessionManager.ClientPrivate
        member=EndSessionResponse
-       peer=(name="@{busname}", label=gnome-session-binary),
+       peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
 
   dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
        interface=org.gnome.SessionManager.ClientPrivate
        member={CancelEndSession,QueryEndSession,EndSession,Stop}
-       peer=(name="@{busname}", label=gnome-session-binary),
+       peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
 
   dbus receive bus=session path=/org/gnome/SessionManager/Presence
        interface=org.gnome.SessionManager.Presence
        member=StatusChanged
-       peer=(name="@{busname}", label=gnome-session-binary),
+       peer=(name="@{busname}", label="{gnome-session-binary,gnome-session-service}"),
 
-  include if exists <abstractions/bus/org.gnome.SessionManager.d>
+  include if exists <abstractions/bus/session/org.gnome.SessionManager.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow requesting interest in receiving media key events. This tells Gnome
+# settings that our application should be notified when key events we are
+# interested in are pressed, and allows us to receive those events.
+
+  abi <abi/4.0>,
+
+  # DBus.Properties: read all properties from the interface
+  dbus send bus=session path=/org/gnome/SettingsDaemon/MediaKeys
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
+
+  dbus (receive, send) bus=session path=/org/gnome/SettingsDaemon/MediaKeys
+       interface=org.gnome.SettingsDaemon.MediaKeys
+       peer=(name="{@{busname},org.gnome.SettingsDaemon.MediaKeys}", label=gsd-media-keys),
+
+  include if exists <abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.Actions

@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=gnome-shell),
+
+  dbus receive bus=session
+       interface=org.gtk.Actions
+       member={Activate,DescribeAll,SetState},
+
+  dbus send bus=session
+       interface=org.gtk.Actions
+       member=Changed,
+
+  include if exists <abstractions/bus/session/org.gtk.Actions.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.Menus

@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus receive bus=session
+       interface=org.gtk.Menus
+       member={Start,End}
+       peer=(name=@{busname}),
+
+  dbus send bus=session
+       interface=org.gtk.Menus
+       member=Changed,
+
+  include if exists <abstractions/bus/session/org.gtk.Menus.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.MountOperationHandler

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/gtk/MountOperationHandler
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=gnome-shell),
+
+  include if exists <abstractions/bus/session/org.gtk.MountOperationHandler.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.Notifications

@@ -11,6 +11,6 @@
        member={AddNotification,RemoveNotification}
        peer=(name=org.gtk.Notifications, label=gnome-shell),
 
-  include if exists <abstractions/bus/org.gtk.Notifications.d>
+  include if exists <abstractions/bus/session/org.gtk.Notifications.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor

@@ -19,6 +19,6 @@
        member={VolumeAdded,DriveDisconnected,DriveConnected,DriveChanged}
        peer=(name="@{busname}", label=gvfs-*-volume-monitor),
 
-  include if exists <abstractions/bus/org.gtk.Private.RemoteVolumeMonitor.d>
+  include if exists <abstractions/bus/session/org.gtk.Private.RemoteVolumeMonitor.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.Settings

@@ -0,0 +1,18 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/gtk/Settings
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=gsd-xsettings),
+  dbus receive bus=session path=/org/gtk/Settings
+       interface=org.freedesktop.DBus.Properties
+       member=PropertiesChanged
+       peer=(name=@{busname}, label=gsd-xsettings),
+
+  include if exists <abstractions/bus/session/org.gtk.Settings.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.vfs.Daemon

@@ -1,7 +1,9 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Each daemon (main and for mounts) implement this.
+
   abi <abi/4.0>,
 
   dbus send bus=session path=/org/gtk/vfs/Daemon
@@ -14,6 +16,6 @@
        member=GetConnection
        peer=(name=@{busname}),
 
-  include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
+  include if exists <abstractions/bus/session/org.gtk.vfs.Daemon.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.vfs.Metadata

@@ -13,13 +13,13 @@
   dbus send bus=session path=/org/gtk/vfs/metadata
        interface=org.gtk.vfs.Metadata
        member={Set,Move,GetTreeFromDevice,Remove}
-       peer=(name="@{busname}", label=gvfsd-metadata),
+       peer=(name=@{busname}, label=gvfsd-metadata),
 
   dbus receive bus=session path=/org/gtk/vfs/metadata
        interface=org.gtk.vfs.Metadata
        member=AttributeChanged
-       peer=(name="@{busname}", label=gvfsd-metadata),
+       peer=(name=@{busname}, label=gvfsd-metadata),
 
-  include if exists <abstractions/bus/org.gtk.vfs.Metadata.d>
+  include if exists <abstractions/bus/session/org.gtk.vfs.Metadata.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.vfs.MountOperation

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+ dbus receive bus=session path=/org/gtk/gvfs/mountop/@{int}
+       interface=org.gtk.vfs.MountOperation
+       member={AskPassword,AskQuestion}
+       peer=(name=@{busname}, label=gvfsd-*),
+
+  include if exists <abstractions/bus/session/org.gtk.vfs.MountOperation.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.vfs.MountTracker

@@ -2,12 +2,9 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  abi <abi/4.0>,
+# The mount tracking interface.
 
-  dbus send bus=session path=/org/gtk/vfs/mounttracker
-       interface=org.gtk.vfs.MountTracker
-       member=ListMountableInfo
-       peer=(name="@{busname}", label=gvfsd),
+  abi <abi/4.0>,
 
   dbus send bus=session path=/org/gtk/vfs/mounttracker
        interface=org.gtk.vfs.MountTracker
@@ -19,11 +16,16 @@
        member=ListMounts2
        peer=(name="@{busname}", label=gvfsd),
 
+  dbus send bus=session path=/org/gtk/vfs/mounttracker
+       interface=org.gtk.vfs.MountTracker
+       member=ListMountableInfo
+       peer=(name="@{busname}", label=gvfsd),
+
   dbus receive bus=session path=/org/gtk/vfs/mounttracker
        interface=org.gtk.vfs.MountTracker
        member={Mounted,Unmounted}
        peer=(name="@{busname}", label=gvfsd),
 
-  include if exists <abstractions/bus/org.gtk.vfs.MountTracker.d>
+  include if exists <abstractions/bus/session/org.gtk.vfs.MountTracker.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.vfs.Mountable

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus receive bus=session path=/org/gtk/vfs/mountable
+       interface=org.gtk.vfs.Mountable
+       member=Mount
+       peer=(name=@{busname}, label=gvfsd),
+
+  include if exists <abstractions/bus/session/org.gtk.vfs.Mountable.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gtk.vfs.Spawner

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/gtk/gvfs/exec_spaw/@{int}
+       interface=org.gtk.vfs.Spawner
+       member=Spawned
+       peer=(name=@{busname}, label=gvfsd),
+
+  include if exists <abstractions/bus/session/org.gtk.vfs.Spawner.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.kde.StatusNotifierItem

@@ -23,11 +23,6 @@
        member={NewAttentionIcon,NewIcon,NewIconThemePath,NewOverlayIcon,NewStatus,NewTitle,NewToolTip}
        peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
 
-  dbus send bus=session path=/StatusNotifierWatcher
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
-
-  include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
+  include if exists <abstractions/bus/session/org.kde.StatusNotifierItem.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.kde.kwalletd

@@ -1,9 +1,9 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
   abi <abi/4.0>,
 
-  include if exists <abstractions/bus/org.kde.kwalletd.d>
+  include if exists <abstractions/bus/session/org.kde.kwalletd.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.mpris.MediaPlayer2.Player

@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
   abi <abi/4.0>,
@@ -33,6 +33,6 @@
        member=Seeked
        peer=(name=org.freedesktop.DBus),
 
-  include if exists <abstractions/bus/org.mpris.MediaPlayer2.Player.d>
+  include if exists <abstractions/bus/session/org.mpris.MediaPlayer2.Player.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.bluez

@@ -36,6 +36,6 @@
        member=RegisterApplication
        peer=(name=org.bluez, label="@{p_bluetoothd}"),
 
-  include if exists <abstractions/bus/org.bluez.d>
+  include if exists <abstractions/bus/system/org.bluez.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.AddressResolver

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Address resolving
+
+  abi <abi/4.0>,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=AddressResolverNew
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus send bus=system path=/Client@{int}/AddressResolver@{int}
+       interface=org.freedesktop.Avahi.AddressResolver
+       member=Free
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus receive bus=system path=/Client@{int}/AddressResolver@{int}
+       interface=org.freedesktop.Avahi.AddressResolver
+       peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+  include if exists <abstractions/bus/system/org.freedesktop.Avahi.AddressResolver.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Domain browsing
+
+  abi <abi/4.0>,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=DomainBrowserNew
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus send bus=system path=/Client@{int}/DomainBrowser@{int}
+       interface=org.freedesktop.Avahi.DomainBrowser
+       member=Free
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus receive bus=system path=/Client@{int}/DomainBrowser@{int}
+       interface=org.freedesktop.Avahi.DomainBrowser
+       peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+  include if exists <abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Hostname resolving
+
+  abi <abi/4.0>,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=HostNameResolverNew
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus send bus=system path=/Client@{int}/HostNameResolver@{int}
+       interface=org.freedesktop.Avahi.HostNameResolver
+       member=Free
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus receive bus=system path=/Client@{int}/HostNameResolver@{int}
+       interface=org.freedesktop.Avahi.HostNameResolver
+       peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+  include if exists <abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Record browsing
+
+  abi <abi/4.0>,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=RecordBrowserNew
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus send bus=system path=/Client@{int}/RecordBrowser@{int}
+       interface=org.freedesktop.Avahi.RecordBrowser
+       member=Free
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus receive bus=system path=/Client@{int}/RecordBrowser@{int}
+       interface=org.freedesktop.Avahi.RecordBrowser
+       peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+  include if exists <abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.Server

@@ -0,0 +1,31 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Peer
+       member=Ping
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  # Allow service introspection
+  dbus send bus=system path=/
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+  # Allow accessing DBus properties and resolving
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member={Get*,Resolve*,IsNSSSupportAvailable}
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  # Allow receiving anything from the Avahi server
+  dbus receive bus=system
+       interface=org.freedesktop.Avahi.Server
+       peer=(name=@{busname},  label="@{p_avahi_daemon}"),
+
+  include if exists <abstractions/bus/system/org.freedesktop.Avahi.Server.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=ServiceBrowserNew
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       member=Free
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
+       interface=org.freedesktop.Avahi.ServiceBrowser
+       peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+  include if exists <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Service resolving
+
+  abi <abi/4.0>,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=ServiceResolverNew
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
+       interface=org.freedesktop.Avahi.ServiceResolver
+       member=Free
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
+       interface=org.freedesktop.Avahi.ServiceResolver
+       peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+  include if exists <abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Service type browsing
+
+  abi <abi/4.0>,
+
+  dbus send bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=ServiceTypeBrowserNew
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus send bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
+       interface=org.freedesktop.Avahi.ServiceTypeBrowser
+       member=Free
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
+
+  dbus receive bus=system path=/Client@{int}/ServiceTypeBrowser@{int}
+       interface=org.freedesktop.Avahi.ServiceTypeBrowser
+       peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+  include if exists <abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.ColorManager

@@ -15,19 +15,19 @@
 
   dbus send bus=system path=/org/freedesktop/ColorManager
        interface=org.freedesktop.ColorManager
-       member=CreateDevice
-       peer=(name="@{busname}", label="@{p_colord}"),
+       member={CreateProfile,CreateDevice,DeleteDevice}
+       peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
 
   dbus receive bus=system path=/org/freedesktop/ColorManager
        interface=org.freedesktop.ColorManager
        member={DeviceAdded,DeviceRemoved}
-       peer=(name="@{busname}", label="@{p_colord}"),
+       peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
 
   dbus (receive, send) bus=system path=/org/freedesktop/ColorManager
        interface=org.freedesktop.ColorManager
-       member=FindDeviceByProperty
-       peer=(name="@{busname}", label="@{p_colord}"),
+       member={FindDeviceByProperty,FindDeviceById}
+       peer=(name="{@{busname},org.freedesktop.ColorManager}", label="@{p_colord}"),
 
-  include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
+  include if exists <abstractions/bus/system/org.freedesktop.ColorManager.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.UPower

@@ -29,6 +29,6 @@
        member={DeviceAdded,DeviceRemoved}
        peer=(name="{@{busname},org.freedesktop.UPower}", label="@{p_upowerd}"),
 
-  include if exists <abstractions/bus/org.freedesktop.UPower.d>
+  include if exists <abstractions/bus/system/org.freedesktop.UPower.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.freedesktop.locale1

@@ -4,12 +4,11 @@
 
   abi <abi/4.0>,
 
-  #aa:dbus common bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
   dbus send bus=system path=/org/freedesktop/locale1
        interface=org.freedesktop.DBus.Properties
        member=GetAll
        peer=(name=org.freedesktop.locale1),
 
-  include if exists <abstractions/bus/org.freedesktop.locale1.d>
+  include if exists <abstractions/bus/system/org.freedesktop.locale1.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/system/org.gnome.DisplayManager

@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
   abi <abi/4.0>,
@@ -11,6 +11,6 @@
        member=RegisterDisplay
        peer=(name="@{busname}", label=gdm),
 
-  include if exists <abstractions/bus/org.gnome.DisplayManager.d>
+  include if exists <abstractions/bus/system/org.gnome.DisplayManager.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/camera

@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows access to all cameras
+
+  abi <abi/4.0>,
+
+  # Allow detection of cameras. Leaks plugged in USB device info
+  @{sys}/bus/usb/devices/ r,
+  @{sys}/devices/@{pci}/usb@{int}/**/busnum r,
+  @{sys}/devices/@{pci}/usb@{int}/**/devnum r,
+  @{sys}/devices/@{pci}/usb@{int}/**/idProduct r,
+  @{sys}/devices/@{pci}/usb@{int}/**/idVendor r,
+  @{sys}/devices/@{pci}/usb@{int}/**/interface r,
+  @{sys}/devices/@{pci}/usb@{int}/**/modalias r,
+  @{sys}/devices/@{pci}/usb@{int}/**/speed r,
+
+  @{sys}/class/video4linux/ r,
+  @{sys}/devices/**/video4linux/** r,
+  @{sys}/devices/**/video4linux/video@{int}/ r,
+  @{sys}/devices/**/video4linux/video@{int}/uevent r,
+
+  @{run}/udev/data/+usb:* r,              # Identifies all USB devices
+  @{run}/udev/data/c81:@{int}  r,         # For video4linux
+
+  # VideoCore cameras (shared device with VideoCore/EGL)
+  /dev/vchiq rw,
+
+  # Access to video /dev devices
+  /dev/video@{int} rw,
+
+  include if exists <abstractions/camera.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/common/app

@@ -2,6 +2,7 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
+# NEEDS-VARIABLE: att
 
 # Common rules for applications sandboxed using bwrap.
 
@@ -12,31 +13,35 @@
   abi <abi/4.0>,
 
   include <abstractions/audio-client>
-  include <abstractions/bus-accessibility>
+  include <abstractions/avahi-observe>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.a11y>
+  include <abstractions/camera>
   include <abstractions/consoles>
   include <abstractions/cups-client>
   include <abstractions/desktop>
+  include <abstractions/devices-u2f>
   include <abstractions/devices-usb>
   include <abstractions/disks-read>
   include <abstractions/enchant>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/graphics>
   include <abstractions/gstreamer>
+  include <abstractions/input>
   include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
   include <abstractions/p11-kit>
   include <abstractions/path>
+  include <abstractions/screensaver>
+  include <abstractions/secrets-service>
   include <abstractions/sqlite>
   include <abstractions/ssl_certs>
-  include <abstractions/video>
 
   dbus bus=accessibility,
   dbus bus=session,
   dbus bus=system,
 
-  /usr/** r,
+  /usr/** rk,
   /usr/share/** rk,
 
   /etc/{,**} r,
@@ -67,13 +72,10 @@
 
   @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
 
-  @{run}/avahi-daemon/socket rw, # Allow access to avahi-daemon socket.
   @{run}/host/{,**} r,
   @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
   @{run}/utmp rk,
 
-  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
-
   @{sys}/ r,
   @{sys}/block/ r,
   @{sys}/bus/ r,
@@ -83,6 +85,7 @@
   @{sys}/bus/pci/slots/@{int}/address r,
   @{sys}/class/*/ r,
   @{sys}/devices/** r,
+  @{sys}/devices/virtual/dmi/id/bios_version k,
 
         @{sys}/fs/cgroup/user.slice/* r,
         @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/* r,
@@ -94,11 +97,13 @@
         @{PROC}/@{pid}/cmdline r,
         @{PROC}/@{pid}/comm rk,
         @{PROC}/@{pid}/fd/ r,
+        @{PROC}/@{pid}/maps r,
         @{PROC}/@{pid}/mountinfo r,
         @{PROC}/@{pid}/net/** r,
         @{PROC}/@{pid}/smaps r,
         @{PROC}/@{pid}/stat r,
         @{PROC}/@{pid}/statm r,
+        @{PROC}/@{pid}/status r,
         @{PROC}/@{pid}/task/@{tid}/stat r,
         @{PROC}/@{pid}/task/@{tid}/status r,
         @{PROC}/bus/pci/devices r,
@@ -142,9 +147,6 @@
         @{att}/dev/dri/renderD129 rw,
   owner @{att}/dev/shm/@{uuid} r,
 
-  /dev/hidraw@{int} rw,
-  /dev/input/ r,
-  /dev/input/event@{int} rw,
   /dev/ptmx rw,
   /dev/pts/ptmx rw,
   /dev/tty rw,

apparmor.d/abstractions/common/bwrap

@@ -1,6 +1,7 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
+# NEEDS-VARIABLE: att
 
 # A minimal set of rules for sandboxed programs using bwrap.
 # A profile using this abstraction still needs to set:

apparmor.d/abstractions/common/chromium

@@ -2,6 +2,7 @@
 # Copyright (C) 2022 Mikhail Morfikov
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
+# NEEDS-VARIABLE: domain
 
 # This abstraction is for chromium based application. Chromium based browsers
 # need to use abstractions/app/chromium instead.
@@ -16,9 +17,14 @@
 
   userns,
 
+  # Required for dropping into PID namespace. Keep in mind that until the
+  # process drops this capability it can escape confinement, but once it
+  # drops CAP_SYS_ADMIN we are ok.
+  capability sys_admin,
+
+  # All of these are for sanely dropping from root and chrooting
   capability setgid, # If kernel.unprivileged_userns_clone = 1
   capability setuid, # If kernel.unprivileged_userns_clone = 1
-  capability sys_admin,
   capability sys_chroot,
   capability sys_ptrace,
 
@@ -32,20 +38,22 @@
 
   owner @{tmp}/.@{domain}.@{rand6} rw,
   owner @{tmp}/.@{domain}.@{rand6}/ rw,
-  owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie w,
-  owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket w,
+  owner @{tmp}/.@{domain}.@{rand6}/SingletonCookie rw,
+  owner @{tmp}/.@{domain}.@{rand6}/SingletonSocket rw,
   owner @{tmp}/scoped_dir@{rand6}/ rw,
-  owner @{tmp}/scoped_dir@{rand6}/SingletonCookie w,
-  owner @{tmp}/scoped_dir@{rand6}/SingletonSocket w,
-  owner @{tmp}/scoped_dir@{rand6}/SS w,
+  owner @{tmp}/scoped_dir@{rand6}/SingletonCookie rw,
+  owner @{tmp}/scoped_dir@{rand6}/SingletonSocket rw,
+  owner @{tmp}/scoped_dir@{rand6}/SS rw,
 
         /dev/shm/ r,
   owner /dev/shm/.@{domain}.@{rand6} rw,
 
   @{sys}/devices/system/cpu/kernel_max r,
+  @{sys}/devices/virtual/tty/tty@{int}/active r,
+
+  # Allow getting the manufacturer and model of the computer where chromium is currently running.
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
-  @{sys}/devices/virtual/tty/tty@{int}/active r,
 
   # If kernel.unprivileged_userns_clone = 1
   owner @{PROC}/@{pid}/setgroups w,

apparmor.d/abstractions/common/electron

@@ -1,6 +1,11 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
+# NEEDS-VARIABLE: name
+# NEEDS-VARIABLE: domain
+# NEEDS-VARIABLE: lib_dirs
+# NEEDS-VARIABLE: config_dirs
+# NEEDS-VARIABLE: cache_dirs
 
 # Minimal set of rules for all electron based UI application. It works as a
 # *function* and requires some variables to be provided as *arguments* and set
@@ -15,6 +20,7 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/bus-session>
   include <abstractions/common/chromium>
   include <abstractions/dconf-write>
   include <abstractions/desktop>

apparmor.d/abstractions/common/game

@@ -17,8 +17,10 @@
   include <abstractions/devices-usb>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/graphics>
+  include <abstractions/input>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
+  include <abstractions/uinput>
 
   @{bin}/uname          rix,
   @{bin}/xdg-settings   rPx,
@@ -66,9 +68,6 @@
   owner /dev/shm/mono.@{int} rw,
   owner /dev/shm/softbuffer-x11-@{rand6}@{c} rw,
 
-  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
-  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
-
   @{sys}/ r,
   @{sys}/bus/ r,
   @{sys}/class/ r,
@@ -79,7 +78,6 @@
   @{sys}/devices/@{pci}/net/*/carrier r,
   @{sys}/devices/**/input@{int}/ r,
   @{sys}/devices/**/input@{int}/**/{vendor,product} r,
-  @{sys}/devices/**/input@{int}/capabilities/* r,
   @{sys}/devices/**/input/input@{int}/ r,
   @{sys}/devices/**/uevent r,
   @{sys}/devices/system/ r,
@@ -108,11 +106,7 @@
 
   /dev/ r,
   /dev/hidraw@{int} rw,
-  /dev/input/ r,
-  /dev/input/event@{int} rw,
-  /dev/input/js@{int} rw,
   /dev/tty rw,
-  /dev/uinput rw,
 
   include if exists <abstractions/common/game.d>
 

apparmor.d/abstractions/common/gnome

@@ -6,9 +6,8 @@
 
   abi <abi/4.0>,
 
-  include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
-  include <abstractions/bus/org.a11y>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>

apparmor.d/abstractions/common/steam-game

@@ -1,6 +1,9 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
+# NEEDS-VARIABLE: app_dirs
+# NEEDS-VARIABLE: lib_dirs
+# NEEDS-VARIABLE: share_dirs
 
   abi <abi/4.0>,
 

apparmor.d/abstractions/desktop

@@ -9,14 +9,17 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/accessibility>
   include <abstractions/desktop-files>
   include <abstractions/fonts>
-  include <abstractions/gsettings>
-  include <abstractions/gtk>
+  include <abstractions/gschemas>
+  include <abstractions/gtk-strict>
   include <abstractions/icons>
   include <abstractions/mime>
   include <abstractions/qt5>
   include <abstractions/recently-used>
+  include <abstractions/themes>
+  include <abstractions/user-dirs>
   include <abstractions/wayland>
   include <abstractions/X-strict>
   include <abstractions/xdg-desktop>

apparmor.d/abstractions/devices-u2f

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2019 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows access to Universal 2nd Factor (U2F) devices
+
+  abi <abi/4.0>,
+
+  @{run}/udev/data/+power_supply:* r,     # For power supply devices (batteries, AC adapters, USB chargers)
+
+  # Needed for dynamic assignment of U2F devices
+  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
+
+  @{sys}/devices/**/i2c*/**/report_descriptor r,
+  @{sys}/devices/**/usb@{int}/**/report_descriptor r,
+
+  # Allow raw access HDI (Human Interface Devices) wich is how U2F devices are exposed
+  /dev/hidraw@{int} rw,
+
+  include if exists <abstractions/devices-u2f.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/devices-usb

@@ -3,13 +3,22 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow raw access to all connected USB devices
+
   abi <abi/4.0>,
 
   include <abstractions/devices-usb-read>
 
-  /dev/bus/usb/@{int}/@{int} wk,
+  @{PROC}/tty/drivers r,
 
-  @{sys}/devices/**/usb@{int}/{,**} w,
+  /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} wk,
+
+  # Allow access to all ttyUSB devices too
+  /dev/ttyACM@{int} wk,
+  /dev/ttyUSB@{int} wk,
+
+  # Allow raw access to USB printers (i.e. for receipt printers in POS systems).
+  /dev/usb/lp@{int} wk,
 
   include if exists <abstractions/devices-usb.d>
 

apparmor.d/abstractions/devices-usb-read

@@ -3,26 +3,29 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  abi <abi/4.0>,
+# Allow detection of usb devices. Leaks plugged in USB device info
 
-  /dev/ r,
-  /dev/bus/usb/ r,
-  /dev/bus/usb/@{int}/ r,
-  /dev/bus/usb/@{int}/@{int} r,
+  abi <abi/4.0>,
 
   @{sys}/class/ r,
   @{sys}/class/usbmisc/ r,
 
   @{sys}/bus/ r,
   @{sys}/bus/usb/ r,
-  @{sys}/bus/usb/devices/{,**} r,
-
-  @{sys}/devices/**/usb@{int}/{,**} r,
+  @{sys}/bus/usb/devices/ r,
+  @{sys}/devices/**/usb@{int}/ r,
+  @{sys}/devices/**/usb@{int}/** r,
 
   # Udev data about usb devices (~equal to content of lsusb -v)
   @{run}/udev/data/+usb:* r,              # Identifies all USB devices
-  @{run}/udev/data/c16[6,7]:@{int} r,     # USB modems
-  @{run}/udev/data/c18[0,8,9]:@{int} r,   # USB devices & USB serial converters
+  @{run}/udev/data/b180:@{int} r,         # USB block devices
+  @{run}/udev/data/c16{6,7}:@{d} r,       # ACM USB modems
+  @{run}/udev/data/c18{0,8,9}:@{int} r,   # USB character devices
+
+  /dev/ r,
+  /dev/bus/usb/ r,
+  /dev/bus/usb/@{int}/ r,
+  /dev/bus/usb/@{d}@{d}@{d}/@{d}@{d}@{d} r,
 
   include if exists <abstractions/devices-usb-read.d>
 

apparmor.d/abstractions/dri

@@ -28,8 +28,11 @@
   @{sys}/devices/@{pci}/uevent r,
   @{sys}/devices/@{pci}/vendor r,
 
+  # Allow access to all cards
   /dev/dri/ r,
   /dev/dri/card@{int} rw,
+
+  # Video Acceleration API
   /dev/dri/renderD128 rw,
   /dev/dri/renderD129 rw,
 

apparmor.d/abstractions/glibc

@@ -22,9 +22,15 @@
   @{PROC}/stat r,
 
   # Glibc's *printf protections read the maps file
-  @{PROC}/@{pid}/auxv r,
-  @{PROC}/@{pid}/maps r,
-  @{PROC}/@{pid}/status r,
+  owner @{PROC}/@{pid}/auxv r,
+  owner @{PROC}/@{pid}/maps r,
+  owner @{PROC}/@{pid}/status r,
+
+  # @{PROC}/@{pid}/map_files/ contains the same info than @{PROC}/@{pid}/maps,
+  # but in a format that is simpler to manage, because it doesn't require to
+  # parse the text data inside a file, but just reading the contents of
+  # a directory.
+  owner @{PROC}/@{pid}/map_files/ r,
 
   # Glibc statvfs
   @{PROC}/filesystems r,

apparmor.d/abstractions/gnome-strict

@@ -4,14 +4,17 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/accessibility>
   include <abstractions/desktop-files>
   include <abstractions/fonts>
-  include <abstractions/gsettings>
-  include <abstractions/gtk>
+  include <abstractions/gschemas>
+  include <abstractions/gtk-strict>
   include <abstractions/icons>
   include <abstractions/mime>
   include <abstractions/qt5>
   include <abstractions/recently-used>
+  include <abstractions/themes>
+  include <abstractions/user-dirs>
   include <abstractions/wayland>
   include <abstractions/X-strict>
   include <abstractions/xdg-desktop>

apparmor.d/abstractions/gnome.d/complete

@@ -2,7 +2,7 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  include <abstractions/gtk>
+  include <abstractions/gtk-strict>
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/abstractions/graphics

@@ -13,14 +13,22 @@
   /etc/libva.conf r,
 
   @{sys}/bus/pci/devices/ r,
-  @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/* r,
+
+  @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/id r,
+  @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/level r,
+  @{sys}/devices/system/cpu/cpu@{int}/cache/index@{int}/size r,
   @{sys}/devices/system/cpu/cpu@{int}/cpu_capacity r,
   @{sys}/devices/system/cpu/cpu@{int}/online r,
-  @{sys}/devices/system/cpu/cpu@{int}/topology/* r,
-  @{sys}/devices/system/cpu/cpufreq/policy@{int}/* r,
+  @{sys}/devices/system/cpu/cpu@{int}/topology/core_cpus r,
+  @{sys}/devices/system/cpu/cpu@{int}/topology/physical_package_id r,
+  @{sys}/devices/system/cpu/cpufreq/policy@{int}/cpuinfo_max_freq r,
+  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_cur_freq r,
+  @{sys}/devices/system/cpu/cpufreq/policy@{int}/scaling_max_freq r,
   @{sys}/devices/system/cpu/present r,
+
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/meminfo r,
+  @{sys}/devices/system/node/node@{int}/cpumap r,
 
   include if exists <abstractions/graphics.d>
 

apparmor.d/abstractions/graphics-full

@@ -8,13 +8,7 @@
   include <abstractions/graphics>
   include <abstractions/oneapi>
 
-  @{sys}/devices/@{pci}/numa_node r,
-
-  @{PROC}/devices r,
-
   /dev/char/@{dynamic}:@{int} w,          # For dynamic assignment range 234 to 254, 384 to 511
-  /dev/nvidia-uvm rw,
-  /dev/nvidia-uvm-tools rw,
 
   include if exists <abstractions/graphics-full.d>
 

apparmor.d/abstractions/gschemas

@@ -9,6 +9,6 @@
   @{system_share_dirs}/glib-2.0/schemas/ r,
   @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
 
-  include if exists <abstractions/gsettings.d>
+  include if exists <abstractions/gschemas.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/gtk-strict

@@ -0,0 +1,74 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/session/org.gtk.Actions>
+  include <abstractions/bus/session/org.gtk.Menus>
+  include <abstractions/bus/session/org.gtk.Settings>
+  include <abstractions/bus/session/org.gtk.vfs.MountTracker>
+
+  @{lib}/{,@{multiarch}/}gtk-2.0/{,**} mr,
+  @{lib}/{,@{multiarch}/}gtk-3.0/{,**} mr,
+  @{lib}/{,@{multiarch}/}gtk-4.0/{,**} mr,
+
+  /usr/share/gtksourceview-2.0/{,**} r,
+  /usr/share/gtksourceview-3.0/{,**} r,
+  /usr/share/gtksourceview-4/{,**} r,
+  /usr/share/gtksourceview-5/{,**} r,
+
+  /usr/share/gtk-2.0/ r,
+  /usr/share/gtk-2.0/gtkrc r,
+
+  /usr/share/gtk-3.0/ r,
+  /usr/share/gtk-3.0/settings.ini r,
+
+  /usr/share/gtk-4.0/ r,
+  /usr/share/gtk-4.0/settings.ini r,
+
+  /etc/gtk/gtkrc r,
+
+  /etc/gtk-2.0/ r,
+  /etc/gtk-2.0/gtkrc r,
+
+  /etc/gtk-3.0/ r,
+  /etc/gtk-3.0/*.conf r,
+  /etc/gtk-3.0/settings.ini r,
+
+  /etc/gtk-4.0/ r,
+  /etc/gtk-4.0/*.conf r,
+  /etc/gtk-4.0/settings.ini r,
+
+  owner @{HOME}/.gtk r,
+  owner @{HOME}/.gtkrc r,
+  owner @{HOME}/.gtkrc-2.0 r,
+  owner @{HOME}/.gtk-bookmarks r,
+
+  owner @{user_cache_dirs}/gtk-4.0/ rw,
+  owner @{user_cache_dirs}/gtk-4.0/vulkan-pipeline-cache/{,*} rw,
+  owner @{user_cache_dirs}/gtkrc r,
+  owner @{user_cache_dirs}/gtkrc-2.0 r,
+
+  owner @{user_config_dirs}/gtk-2.0/ rw,
+  owner @{user_config_dirs}/gtk-2.0/gtkfilechooser.ini* rw,
+
+  owner @{user_config_dirs}/gtk-3.0/ rw,
+  owner @{user_config_dirs}/gtk-3.0/bookmarks r,
+  owner @{user_config_dirs}/gtk-3.0/colors.css r,
+  owner @{user_config_dirs}/gtk-3.0/gtk.css r,
+  owner @{user_config_dirs}/gtk-3.0/servers r,
+  owner @{user_config_dirs}/gtk-3.0/settings.ini r,
+  owner @{user_config_dirs}/gtk-3.0/window_decorations.css r,
+
+  owner @{user_config_dirs}/gtk-4.0/ rw,
+  owner @{user_config_dirs}/gtk-4.0/bookmarks r,
+  owner @{user_config_dirs}/gtk-4.0/colors.css r,
+  owner @{user_config_dirs}/gtk-4.0/gtk.css r,
+  owner @{user_config_dirs}/gtk-4.0/servers r,
+  owner @{user_config_dirs}/gtk-4.0/settings.ini r,
+  owner @{user_config_dirs}/gtk-4.0/window_decorations.css r,
+
+  include if exists <abstractions/gtk-strict.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/gtk.d/complete

@@ -2,23 +2,9 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  dbus receive bus=session
-       interface=org.gtk.Actions
-       member={Activate,DescribeAll,SetState}
-       peer=(name=@{busname}),
-
-  dbus send bus=session
-       interface=org.gtk.Actions
-       member=Changed,
-
-  dbus send bus=session path=/org/gtk/Settings
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name=@{busname}, label=gsd-xsettings),
-  dbus receive bus=session path=/org/gtk/Settings
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name=@{busname}, label=gsd-xsettings),
+  include <abstractions/bus/session/org.gtk.Actions>
+  include <abstractions/bus/session/org.gtk.Menus>
+  include <abstractions/bus/session/org.gtk.Settings>
 
   @{lib}/{,@{multiarch}/}gtk*/** mr,
 

apparmor.d/abstractions/input

@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Canonical Ltd
+# Copyright (C) 2022-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow reading and writing to raw input devices
+
+  abi <abi/4.0>,
+
+  # network netlink raw,
+
+  # Allow reading for supported event reports for all input devices. See
+  # https://www.kernel.org/doc/Documentation/input/event-codes.txt
+  @{sys}/devices/**/input@{int}/capabilities/* r,
+
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+
+  /dev/input/ r,
+  /dev/input/event@{int} rw,
+  /dev/input/mice rw,
+  /dev/input/mouse@{int} rw,
+
+  include if exists <abstractions/input.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/kde-strict

@@ -4,14 +4,17 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/accessibility>
   include <abstractions/desktop-files>
   include <abstractions/fonts>
-  include <abstractions/gsettings>
-  include <abstractions/gtk>
+  include <abstractions/gschemas>
+  include <abstractions/gtk-strict>
   include <abstractions/icons>
   include <abstractions/mime>
   include <abstractions/qt5>
   include <abstractions/recently-used>
+  include <abstractions/themes>
+  include <abstractions/user-dirs>
   include <abstractions/wayland>
   include <abstractions/X-strict>
   include <abstractions/xdg-desktop>
@@ -45,7 +48,7 @@
   owner @{user_config_dirs}/kdeglobals r,
   owner @{user_config_dirs}/kwinrc r,
   owner @{user_config_dirs}/session/ rw,
-  owner @{user_config_dirs}/session/*_@{hex}_@{int}_@{int} rwlk,
+  owner @{user_config_dirs}/session/*_* rwlk,
   owner @{user_config_dirs}/session/#@{int} rw,
   owner @{user_config_dirs}/trashrc r,
 

apparmor.d/abstractions/lxqt

@@ -4,11 +4,13 @@
 
   abi <abi/4.0>,
 
-  include <abstractions/fonts>
+  include <abstractions/accessibility>
   include <abstractions/fontconfig-cache-write>
+  include <abstractions/fonts>
   include <abstractions/freedesktop.org>
-  include <abstractions/gtk>
+  include <abstractions/gtk-strict>
   include <abstractions/qt5>
+  include <abstractions/themes>
   include <abstractions/wayland>
   include <abstractions/X-strict>
   include <abstractions/xdg-desktop>

apparmor.d/abstractions/media-control

@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows access to media controller such as microphones, and video capture hardware.
+# See: https://www.kernel.org/doc/Documentation/userspace-api/media/mediactl/media-controller-intro.rst
+
+  abi <abi/4.0>,
+
+  # Control of media devices
+  /dev/media@{int} rwk,
+
+  # Access to V4L subnodes configuration
+  # See https://www.kernel.org/doc/html/v4.12/media/uapi/v4l/dev-subdev.html
+  /dev/v4l-subdev@{int} rw,
+
+  include if exists <abstractions/media-control.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/mediakeys

@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow requesting interest in receiving media key events. This tells Gnome
+# settings that our application should be notified when key events we are
+# interested in are pressed, and allows us to receive those events.
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/session/org.gnome.SettingsDaemon.MediaKeys>
+
+  include if exists <abstractions/mediakeys.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/mpris

@@ -0,0 +1,17 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow operating as an MPRIS player.
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/session/org.mpris.MediaPlayer2.Player>
+
+  # Allow binding to the well-known DBus mpris interface based on the app's name
+  # See: https://specifications.freedesktop.org/mpris-spec/latest/
+  #aa:dbus own bus=session name=org.mpris.MediaPlayer2.@{profile_name}
+
+  include if exists <abstractions/mpris.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/notifications

@@ -0,0 +1,12 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/session/org.freedesktop.Notifications>
+  include <abstractions/bus/session/org.gtk.Notifications>
+
+  include if exists <abstractions/notifications.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/nvidia-strict

@@ -6,7 +6,7 @@
 
   @{bin}/nvidia-modprobe Px -> child-modprobe-nvidia,
 
-  /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so.* mr,
+  /opt/cuda/targets/@{multiarch}/lib/libOpenCL.so{,.*} mr,
 
   /usr/share/nvidia/nvidia-application-profiles-* r,
 
@@ -24,20 +24,34 @@
   owner @{user_cache_dirs}/nvidia/GLCache/ rw,
   owner @{user_cache_dirs}/nvidia/GLCache/** rwk,
 
+  @{sys}/devices/@{pci}/numa_node r,
   @{sys}/devices/system/memory/block_size_bytes r,
   @{sys}/module/nvidia/version r,
 
-        @{PROC}/driver/nvidia/params r,
-        @{PROC}/modules r,
-        @{PROC}/sys/vm/max_map_count r,
-        @{PROC}/sys/vm/mmap_min_addr r,
+  @{PROC}/driver/nvidia/capabilities/mig/monitor r,
+  @{PROC}/driver/nvidia/gpus/@{pci_id}/information r,
+  @{PROC}/driver/nvidia/params r,
+  @{PROC}/modules r,
+  @{PROC}/sys/vm/max_map_count r,
+  @{PROC}/sys/vm/mmap_min_addr r,
+
         @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/task/@{tid}/comm r,
 
-  /dev/char/195:@{int} w,  # Nvidia graphics devices
+  /dev/char/195:@{u8} w,  # Nvidia graphics devices
+
+  # Nvidia proprietary modset driver
   /dev/nvidia-modeset rw,
+
+  # Nvidia graphics devices
   /dev/nvidia@{int} rw,
+
+  # Nvidia's Unified Memory driver
+  /dev/nvidia-uvm rw,
+  /dev/nvidia-uvm-tools rw,
+
+  # Nvidia's control device
   /dev/nvidiactl rw,
 
   deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r,

apparmor.d/abstractions/nvidia.d/complete

@@ -8,6 +8,6 @@
 
   /etc/nvidia/nvidia-application-profiles* r,
 
-  /dev/char/195:@{int} rw,  # Nvidia graphics devices
+  /dev/char/195:@{u8} rw,  # Nvidia graphics devices
 
 # vim:syntax=apparmor

apparmor.d/abstractions/pcscd

@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows interacting with PC/SC Smart Card Daemon
+
+  abi <abi/4.0>,
+
+  # Configuration file for OPENSC
+  /etc/opensc.conf r,
+  /etc/opensc/opensc.conf r,
+
+  # Socket for communication between PCSCD and PS/SC API library
+  @{run}/pcscd/pcscd.comm rw,
+
+  include if exists <abstractions/pcscd.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/recently-used

@@ -14,8 +14,6 @@
   owner @{user_share_dirs}/recently-used.xbel.@{rand6} rwl,
   owner @{user_share_dirs}/recently-used.xbel.lock rwk,
 
-  owner @{user_config_dirs}/user-dirs.dirs  r, # FIXME: not here?
-
   include if exists <abstractions/recently-used.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/screensaver

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver
+
+  abi <abi/4.0>,
+
+  include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver>
+  include if exists <abstractions/bus/session/org.gnome.ScreenSaver>
+
+  include if exists <abstractions/screensaver.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/secrets-service

@@ -0,0 +1,34 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Provide full access to the secret-service API:
+# - https://standards.freedesktop.org/secret-service/)
+#
+# The secret-service allows managing (add/delete/lock/etc) collections and
+# (add/delete/etc) items within collections. The API also has the concept of
+# aliases for collections which is typically used to access the default
+# collection. While it would be possible for an application developer to use a
+# snap-specific collection and mediate by object path, application developers
+# are meant to instead to treat collections (typically the default collection)
+# as a database of key/value attributes each with an associated secret that
+# applications may query. Because AppArmor does not mediate member data,
+# typical and recommended usage of the API does not allow for application
+# isolation. For details, see:
+# - https://standards.freedesktop.org/secret-service/ch03.html
+#
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/session/org.freedesktop.Secret>
+  include <abstractions/bus/session/org.kde.kwalletd>
+
+  dbus send bus=session path=/org/gnome/keyring/daemon
+       interface=org.gnome.keyring.Daemon
+       member=GetEnvironment
+       peer=(name=org.gnome.keyring, label=gnome-keyring-daemon),
+
+  include if exists <abstractions/secrets-service.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/themes

@@ -0,0 +1,14 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  /usr/share/themes/{,**} r,
+
+  owner @{HOME}/.themes/{,**} r,
+  owner @{user_share_dirs}/themes/{,**} r,
+
+  include if exists <abstractions/themes.d>
+
+# vim:syntax=apparmor