feat(abs): add the themes abs.

fix #860

.github/workflows/main.yml

@@ -3,16 +3,31 @@ name: Ubuntu
 on: [push, pull_request, workflow_dispatch]
 
 jobs:
+  check:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+
+      - name: Install linter dependencies
+        run: |
+          pipx install rust-just
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
+
+      - name: Run basic profile linter check
+        run: |
+          just check
+
   build:
     runs-on: ${{ matrix.os }}
+    needs: check
     strategy:
       matrix:
-        os:
-          - ubuntu-24.04
-          - ubuntu-22.04
-        mode:
-          - default
-          - full-system-policy
+        include:
+          - os: ubuntu-24.04
+            mode: default
+          - os: ubuntu-24.04
+            mode: full-system-policy
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -23,12 +38,14 @@ jobs:
           sudo apt-get install -y \
             devscripts debhelper config-package-dev \
             auditd apparmor-profiles apparmor-utils
+          pipx install rust-just
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
           sudo rm /etc/apparmor.d/usr.lib.snapd.snap-confine.real
 
       - name: Build the apparmor.d package
         run: |
           if [[ ${{ matrix.mode }} == full-system-policy ]]; then
-            echo -e "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
+            sed -e "s/just complain/just fsp-complain/" -i debian/rules
           fi
           bash dists/build.sh dpkg
 
@@ -37,13 +54,10 @@ jobs:
 
       - name: Reload AppArmor
         run: |
-          sudo systemctl restart apparmor.service || true
-          sudo systemctl status apparmor.service
-
-      - name: Ensure compatibility with some AppArmor userspace tools
-        if: matrix.os != 'ubuntu-24.04'
-        run: |
-          sudo aa-enforce /etc/apparmor.d/aa-notify
+            if ! sudo systemctl restart apparmor.service; then
+              sudo journalctl -xeu apparmor.service
+              exit 1
+            fi
 
       - name: Show AppArmor log and rules
         run: |
@@ -64,6 +78,7 @@ jobs:
   tests:
     runs-on: ubuntu-24.04
     needs: build
+    if: github.ref_name == 'dev' || github.event_name == 'workflow_dispatch'
     steps:
       - name: Check out repository code
         uses: actions/checkout@v4
@@ -83,17 +98,52 @@ jobs:
           sudo apt-get install -y \
             apparmor-profiles apparmor-utils \
             bats bats-support
+          pipx install rust-just
+          echo "$HOME/.local/bin" >> $GITHUB_PATH
 
       - name: Install apparmor.d
         run: |
           sudo dpkg --install .pkg/apparmor.d_*_amd64.deb || true
           sudo systemctl restart apparmor.service
+          sudo systemctl daemon-reload
+          systemctl --user daemon-reload
 
-      - name: Run the bats integration tests
+      - name: Restart some services to ensure they are confined
         run: |
-          make bats
+          services=(
+            containerd cron
+            dbus docker
+            ModemManager multipathd
+            networkd-dispatcher
+            packagekit polkit
+            snapd
+            systemd-journald systemd-hostnamed systemd-logind systemd-networkd
+            systemd-resolved systemd-udevd
+            udisks2
+          )
+          sudo systemctl daemon-reload
+          for service in "${services[@]}"; do
+            sudo systemctl restart "$service" || systemctl status "$service.service" || true
+          done
+          systemctl restart --user dbus || systemctl status --user "dbus.service" || true
+          sudo ps auxZ | grep -v '\[.*\]'
+          sudo aa-log -s --raw
+
+      - name: Install integration dependencies
+        run: |
+          just init
+          find /usr/sbin/ -type f
+
+      - name: Run the integration tests
+        run: |
+          just integration
 
       - name: Show final AppArmor logs
         if: always()
         run: |
           sudo aa-log -s --raw
+
+      - name: Show final processes security context
+        if: always()
+        run: |
+          sudo ps auxZ | grep -v '\[.*\]'

.gitignore

@@ -1,6 +1,7 @@
 # Build
 .build
 .logs
+.pkg
 tests/tldr
 tests/tldr.tar.gz
 

.gitlab-ci.yml

@@ -24,13 +24,13 @@ bash:
   script:
     - shellcheck --shell=bash
         PKGBUILD dists/build.sh dists/docker.sh tests/check.sh
-        tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh
+        tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh
 
 golangci-lint:
   stage: lint
   image: golangci/golangci-lint
   script:
-    - golangci-lint run --exclude-dirs pkg/paths
+    - golangci-lint run
 
 packer:
   stage: lint
@@ -54,7 +54,6 @@ tests:
   image: golang
   coverage: '/Coverage: \d+.\d+/'
   script:
-    - apt update && apt install -y rsync
     - cp tests/journalctl /usr/bin/journalctl
     - chmod 755 /usr/bin/journalctl
     - mkdir -p /var/log/audit/
@@ -67,7 +66,7 @@ check:
   stage: test
   image: registry.gitlab.com/roddhjav/builders/archlinux
   script:
-    - make check
+    - just check
 
 # Package Build
 # -------------
@@ -85,13 +84,12 @@ archlinux:
 
 debian:
   stage: build
-  image: registry.gitlab.com/roddhjav/builders/debian
+  image: registry.gitlab.com/roddhjav/builders/debian:trixie
   script:
     - sudo chown -R build:build /builds/
     - git config --global --add safe.directory $CI_PROJECT_DIR
     - mkdir -p "$PKGDEST"
-    - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync
-    - sudo apt-get install -y -t bookworm-backports golang-go
+    - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
     - bash dists/build.sh dpkg
   artifacts:
     expire_in: 1 day
@@ -100,12 +98,13 @@ debian:
 
 ubuntu:
   stage: build
-  image: registry.gitlab.com/roddhjav/builders/ubuntu
+  image: registry.gitlab.com/roddhjav/builders/ubuntu:24.04
+  variables:
+    GOFLAGS: "-buildvcs=false"
   script:
-    - sudo chown -R ubuntu:ubuntu /builds/
     - git config --global --add safe.directory $CI_PROJECT_DIR
     - mkdir -p "$PKGDEST"
-    - sudo apt-get update -q && sudo apt-get install -y config-package-dev rsync golang-go
+    - sudo apt-get update -q && sudo apt-get install -y config-package-dev golang-go lsb-release libdistro-info-perl
     - bash dists/build.sh dpkg
   artifacts:
     expire_in: 1 day
@@ -117,14 +116,14 @@ whonix:
   variables:
     DISTRIBUTION: whonix
   before_script:
-    - echo "\noverride_dh_auto_build:\n\tmake full" >> debian/rules
+    - sed -e "s/just complain/just fsp-complain/" -i debian/rules
 
 opensuse:
   stage: build
   image: registry.gitlab.com/roddhjav/builders/opensuse
   script:
     - mkdir -p "$PKGDEST"
-    - sudo zypper install -y distribution-release golang-packaging rsync apparmor-profiles
+    - sudo zypper install -y distribution-release golang-packaging apparmor-profiles
     - bash dists/build.sh rpm
   artifacts:
     expire_in: 1 day
@@ -147,7 +146,7 @@ preprocess-archlinux:
 
 preprocess-debian:
   stage: preprocess
-  image: debian
+  image: debian:trixie
   dependencies:
     - debian
   script:
@@ -167,7 +166,7 @@ preprocess-ubuntu:
     - dpkg --install $PKGDEST/*
     - apparmor_parser --preprocess /etc/apparmor.d 1> /dev/null
 
-preprocess-whonix:
+.preprocess-whonix:
   extends: preprocess-debian
   dependencies:
     - whonix

.golangci.yaml

@@ -1,5 +1,15 @@
 ---
 
-linters-settings:
-  staticcheck:
-    checks: ["all", "-SA1019" ]
+version: "2"
+linters:
+  settings:
+    staticcheck:
+      checks:
+        - all
+        - -SA1019
+        - -ST1000
+  exclusions:
+      paths:
+      - pkg/paths
+      - tests/cmd/
+

Justfile

@@ -0,0 +1,399 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Usage: `just`
+# See https://apparmor.pujol.io/development/ for more information.
+
+# Build settings
+destdir := "/"
+build := ".build"
+pkgdest := `pwd` / ".pkg"
+pkgname := "apparmor.d"
+
+# Admin username
+username := "user"
+
+# Default admin password
+password := "user"
+
+# Disk size of the VM to build
+disk_size := "40G"
+
+# Virtual machine CPU
+vcpus := "6"
+
+# Virtual machine RAM
+ram := "4096"
+
+# Path to the ssh key
+ssh_keyname := "id_ed25519"
+ssh_privatekey := home_dir() / ".ssh/" + ssh_keyname
+ssh_publickey := ssh_privatekey + ".pub" 
+
+# Where the VM are stored
+vm := home_dir() / ".vm"
+
+# Where the VM images are stored
+base_dir := home_dir() / ".libvirt/base"
+
+# Where the packer temporary output is stored
+output_dir := base_dir / "packer"
+
+# SSH options
+sshopt := "-i " + ssh_privatekey + " -o IdentitiesOnly=yes -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
+
+# Libvirt connection address
+c := "--connect=qemu:///system"
+
+# VM prefix
+prefix := "aa-"
+
+# Show this help message
+help:
+	@just --list --unsorted
+	@printf "\n%s\n" "See https://apparmor.pujol.io/development/ for more information."
+
+# Build the go programs
+[group('build')]
+build:
+	@go build -o {{build}}/ ./cmd/aa-log
+	@go build -o {{build}}/ ./cmd/prebuild
+
+# Prebuild the profiles in enforced mode
+[group('build')]
+enforce: build
+	@./{{build}}/prebuild --buildir {{build}}
+
+# Prebuild the profiles in enforce mode (test)
+enforce-test: build
+	@./{{build}}/prebuild --buildir {{build}} --test
+
+# Prebuild the profiles in complain mode
+[group('build')]
+complain: build
+	./{{build}}/prebuild --buildir {{build}} --complain
+
+# Prebuild the profiles in complain mode (test)
+complain-test: build
+	@./{{build}}/prebuild --buildir {{build}} --complain --test
+
+# Prebuild the profiles in FSP mode
+[group('build')]
+fsp: build
+	@./{{build}}/prebuild --buildir {{build}} --full
+
+# Prebuild the profiles in FSP mode (complain)
+[group('build')]
+fsp-complain: build
+	@./{{build}}/prebuild --buildir {{build}} --complain --full
+
+# Prebuild the profiles in FSP mode (debug)
+[group('build')]
+fsp-debug: build
+	@./{{build}}/prebuild --buildir {{build}} --complain --full --debug
+
+# Install prebuild profiles
+[group('install')]
+install:
+	#!/usr/bin/env bash
+	set -eu -o pipefail
+	install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
+	mapfile -t share < <(find "{{build}}/share" -type f -not -name "*.md" -printf "%P\n")
+	for file in "${share[@]}"; do
+		install -Dm0644 "{{build}}/share/$file" "{{destdir}}/usr/share/$file"
+	done
+	mapfile -t aa < <(find "{{build}}/apparmor.d" -type f -printf "%P\n")
+	for file in "${aa[@]}"; do
+		install -Dm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
+	done
+	mapfile -t links < <(find "{{build}}/apparmor.d" -type l -printf "%P\n")
+	for file in "${links[@]}"; do
+		mkdir -p "{{destdir}}/etc/apparmor.d/disable"
+		cp -d "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
+	done
+	for file in "{{build}}/systemd/system/"*; do
+		service="$(basename "$file")"
+		install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/system/$service.d/apparmor.conf"
+	done
+	for file in "{{build}}/systemd/user/"*; do
+		service="$(basename "$file")"
+		install -Dm0644 "$file" "{{destdir}}/usr/lib/systemd/user/$service.d/apparmor.conf"
+	done
+
+# Locally install prebuild profiles
+[group('install')]
+local +names:
+	#!/usr/bin/env bash
+	set -eu -o pipefail
+	install -Dm0755 {{build}}/aa-log {{destdir}}/usr/bin/aa-log
+	mapfile -t abs < <(find "{{build}}/apparmor.d/abstractions" -type f -printf "%P\n")
+	for file in "${abs[@]}"; do
+		install -Dm0644 "{{build}}/apparmor.d/abstractions/$file" "{{destdir}}/etc/apparmor.d/abstractions/$file"
+	done;
+	mapfile -t tunables < <(find "{{build}}/apparmor.d/tunables" -type f -printf "%P\n")
+	for file in "${tunables[@]}"; do
+		install -Dm0644 "{{build}}/apparmor.d/tunables/$file" "{{destdir}}/etc/apparmor.d/tunables/$file"
+	done;
+	echo "Warning: profile dependencies fallback to unconfined."
+	for file in {{names}}; do
+		grep -Ei 'rPx|rpx' "{{build}}/apparmor.d/$file" || true
+		sed -i -e "s/rPx/rPUx/g" "{{build}}/apparmor.d/$file"
+		install -Dvm0644 "{{build}}/apparmor.d/$file" "{{destdir}}/etc/apparmor.d/$file"
+	done;
+	systemctl restart apparmor || sudo journalctl -xeu apparmor.service
+
+# Prebuild, install, and load a dev profile
+[group('install')]
+dev name:
+	go run ./cmd/prebuild --complain --file `find apparmor.d -iname {{name}}`
+	sudo install -Dm644 {{build}}/apparmor.d/{{name}} /etc/apparmor.d/{{name}}
+	sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
+
+# Build & install apparmor.d on Arch based systems
+[group('packages')]
+pkg:
+	@makepkg --syncdeps --install --cleanbuild --force --noconfirm
+
+# Build & install apparmor.d on Debian based systems
+[group('packages')]
+dpkg:
+	@bash dists/build.sh dpkg
+	@sudo dpkg -i {{pkgdest}}/{{pkgname}}_*.deb
+
+# Build & install apparmor.d on OpenSUSE based systems
+[group('packages')]
+rpm:
+	@bash dists/build.sh rpm
+	@sudo rpm -ivh --force {{pkgdest}}/{{pkgname}}-*.rpm
+
+# Run the unit tests
+[group('tests')]
+tests:
+	@go test ./cmd/... -v -cover -coverprofile=coverage.out
+	@go test ./pkg/... -v -cover -coverprofile=coverage.out
+	@go tool cover -func=coverage.out
+
+# Run the linters
+[group('linter')]
+lint:
+	golangci-lint run
+	packer fmt tests/packer/
+	packer validate --syntax-only tests/packer/
+	shellcheck --shell=bash \
+		PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
+		tests/packer/init.sh tests/packer/src/aa-update tests/packer/clean.sh \
+		debian/{{pkgname}}.postinst debian/{{pkgname}}.postrm
+
+# Run style checks on the profiles
+[group('linter')]
+check:
+	@bash tests/check.sh
+
+# Generate the man pages
+[group('docs')]
+man:
+	@pandoc -t man -s -o share/man/man8/aa-log.8 share/man/man8/aa-log.md
+
+# Build the documentation
+[group('docs')]
+docs:
+	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
+
+# Serve the documentation
+[group('docs')]
+serve:
+	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
+
+# Remove all build artifacts
+clean:
+	@rm -rf \
+		debian/.debhelper debian/debhelper* debian/*.debhelper debian/{{pkgname}} \
+		{{pkgdest}}/{{pkgname}}* {{build}} coverage.out
+
+# Build the package in a clean OCI container
+[group('packages')]
+package dist:
+	#!/usr/bin/env bash
+	set -eu -o pipefail
+	dist="{{dist}}"
+	version=""
+	if [[ $dist =~ ubuntu([0-9]+) ]]; then
+		version="${BASH_REMATCH[1]}.04"
+		dist="ubuntu"
+	elif [[ $dist == debian* ]]; then
+		version="trixie"
+		dist="debian"
+	fi
+	bash dists/docker.sh $dist $version
+
+# Build the VM image
+[group('vm')]
+img dist flavor: (package dist)
+	@mkdir -p {{base_dir}}
+	packer build -force \
+		-var dist={{dist}} \
+		-var flavor={{flavor}} \
+		-var prefix={{prefix}} \
+		-var username={{username}} \
+		-var password={{password}} \
+		-var ssh_publickey={{ssh_publickey}} \
+		-var disk_size={{disk_size}} \
+		-var cpus={{vcpus}} \
+		-var ram={{ram}} \
+		-var base_dir={{base_dir}} \
+		-var output_dir={{output_dir}} \
+		tests/packer/
+
+# Create the machine
+[group('vm')]
+create dist flavor:
+	@cp -f {{base_dir}}/{{prefix}}{{dist}}-{{flavor}}.qcow2 {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
+	@virt-install {{c}} \
+		--import \
+		--name {{prefix}}{{dist}}-{{flavor}} \
+		--vcpus {{vcpus}} \
+		--ram {{ram}} \
+		--machine q35 \
+		{{ if dist == "archlinux" { "" } else { "--boot uefi" } }} \
+		--memorybacking source.type=memfd,access.mode=shared \
+		--disk path={{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2,format=qcow2,bus=virtio \
+		--filesystem "`pwd`,0a31bc478ef8e2461a4b1cc10a24cc4",accessmode=passthrough,driver.type=virtiofs \
+		--os-variant "`just _get_osinfo {{dist}}`" \
+		--graphics spice \
+		--audio id=1,type=spice \
+		--sound model=ich9 \
+		--noautoconsole
+
+# Start a machine
+[group('vm')]
+up dist flavor:
+	@virsh {{c}} start {{prefix}}{{dist}}-{{flavor}}
+
+# Stops the machine
+[group('vm')]
+halt dist flavor:
+	@virsh {{c}} shutdown {{prefix}}{{dist}}-{{flavor}}
+
+# Reboot the machine
+[group('vm')]
+reboot dist flavor:
+	@virsh {{c}} reboot {{prefix}}{{dist}}-{{flavor}}
+
+# Destroy the machine
+[group('vm')]
+destroy dist flavor:
+	@virsh {{c}} destroy {{prefix}}{{dist}}-{{flavor}} || true
+	@virsh {{c}} undefine {{prefix}}{{dist}}-{{flavor}} --nvram
+	@rm -fv {{vm}}/{{prefix}}{{dist}}-{{flavor}}.qcow2
+
+# Connect to the machine
+[group('vm')]
+ssh dist flavor:
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}`
+
+# Mount the shared directory on the machine
+[group('vm')]
+mount dist flavor:
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
+		sh -c 'mount | grep 0a31bc478ef8e2461a4b1cc10a24cc4 || sudo mount 0a31bc478ef8e2461a4b1cc10a24cc4'
+
+# Unmout the shared directory on the machine
+[group('vm')]
+umount dist flavor:
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
+		sh -c 'true; sudo umount /home/{{username}}/Projects/apparmor.d || true'
+
+# List the machines
+[group('vm')]
+list:
+	@printf "{{BOLD}} %-4s %-22s %s{{NORMAL}}\n" "Id" "Distribution-Flavor" "State"
+	@virsh {{c}} list --all | grep {{prefix}} | sed 's/{{prefix}}//g'
+
+# List the VM images
+[group('vm')]
+images:
+	#!/usr/bin/env bash
+	set -eu -o pipefail
+	mkdir -p {{base_dir}}
+	ls -lh {{base_dir}} | awk '
+	BEGIN {
+		printf("{{BOLD}}%-18s %-10s %-5s %s{{NORMAL}}\n", "Distribution", "Flavor", "Size", "Date")
+	}
+	{
+		if ($9 ~ /^{{prefix}}.*\.qcow2$/) {
+			split($9, arr, "-|\\.")
+			printf("%-18s %-10s %-5s %s %s %s\n", arr[2], arr[3], $5, $6, $7, $8)
+		}
+	}
+	'
+
+# List the VM images that can be created
+[group('vm')]
+available:
+	#!/usr/bin/env bash
+	set -eu -o pipefail
+	ls -lh tests/cloud-init | awk '
+	BEGIN {
+		printf("{{BOLD}}%-18s %s{{NORMAL}}\n", "Distribution", "Flavor")
+	}
+	{
+		if ($9 ~ /^.*\.user-data.yml$/) {
+			split($9, arr, "-|\\.")
+			printf("%-18s %s\n", arr[1], arr[2])
+		}
+	}
+	'
+
+# Install dependencies for the integration tests
+[group('tests')]
+init:
+	@bash tests/requirements.sh
+
+# Run the integration tests
+[group('tests')]
+integration name="":
+	bats --recursive --timing --print-output-on-failure tests/integration/{{name}}
+
+# Install dependencies for the integration tests (machine)
+[group('tests')]
+tests-init dist flavor:
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
+		just --justfile /home/{{username}}/Projects/apparmor.d/Justfile init
+
+# Synchronize the integration tests (machine)
+[group('tests')]
+tests-sync dist flavor:
+	@ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
+		rsync -a --delete /home/{{username}}/Projects/apparmor.d/tests/ /home/{{username}}/Projects/tests/
+
+# Re-synchronize the integration tests (machine)
+[group('tests')]
+tests-resync dist flavor: (mount dist flavor) \
+	(tests-sync dist flavor) \
+	(umount dist flavor)
+
+# Run the integration tests (machine)
+[group('tests')]
+tests-run dist flavor name="": (tests-resync dist flavor)
+	ssh {{sshopt}} {{username}}@`just _get_ip {{dist}} {{flavor}}` \
+		bats --recursive --pretty --timing --print-output-on-failure \
+			/home/{{username}}/Projects/tests/integration/{{name}}
+
+_get_ip dist flavor:
+	@virsh --quiet --readonly {{c}} domifaddr {{prefix}}{{dist}}-{{flavor}} | \
+		head -1 | \
+		grep -E -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}'
+
+_get_osinfo dist:
+	#!/usr/bin/env python3
+	osinfo = {
+		"archlinux": "archlinux",
+		"debian12": "debian12",
+		"debian13": "debian13",
+		"ubuntu22": "ubuntu22.04",
+		"ubuntu24": "ubuntu24.04",
+		"ubuntu25": "ubuntu25.04", 
+		"opensuse": "opensusetumbleweed",
+	}
+	print(osinfo.get("{{dist}}", "{{dist}}"))

Makefile

@@ -1,134 +0,0 @@
-#!/usr/bin/make -f
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-DESTDIR ?= /
-BUILD ?= .build
-PKGDEST ?= ${PWD}/.pkg
-PKGNAME := apparmor.d
-PROFILES = $(filter-out dpkg,$(notdir $(wildcard ${BUILD}/apparmor.d/*)))
-
-.PHONY: all
-all: build
-	@./${BUILD}/prebuild --complain
-
-.PHONY: build
-build:
-	@go build -o ${BUILD}/ ./cmd/aa-log
-	@go build -o ${BUILD}/ ./cmd/prebuild
-
-.PHONY: enforce
-enforce: build
-	@./${BUILD}/prebuild
-
-.PHONY: full
-full: build
-	@./${BUILD}/prebuild --complain --full
-
-.PHONY: install
-install:
-	@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
-	@for file in $(shell find "${BUILD}/share" -type f -not -name "*.md" -printf "%P\n"); do \
-		install -Dm0644 "${BUILD}/share/$${file}" "${DESTDIR}/usr/share/$${file}"; \
-	done;
-	@for file in $(shell find "${BUILD}/apparmor.d" -type f -printf "%P\n"); do \
-		install -Dm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
-	done;
-	@for file in $(shell find "${BUILD}/apparmor.d" -type l -printf "%P\n"); do \
-		mkdir -p "${DESTDIR}/etc/apparmor.d/disable"; \
-		cp -d "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
-	done;
-	@for file in ${BUILD}/systemd/system/*; do \
-		service="$$(basename "$$file")"; \
-		install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/system/$${service}.d/apparmor.conf"; \
-	done;
-	@for file in ${BUILD}/systemd/user/*; do \
-		service="$$(basename "$$file")"; \
-		install -Dm0644 "$${file}" "${DESTDIR}/usr/lib/systemd/user/$${service}.d/apparmor.conf"; \
-	done
-
-
-.PHONY: $(PROFILES)
-$(PROFILES):
-	@install -Dm0755 ${BUILD}/aa-log ${DESTDIR}/usr/bin/aa-log
-	@for file in $(shell find ${BUILD}/apparmor.d/abstractions/ -type f -printf "%P\n"); do \
-		install -Dm0644 "${BUILD}/apparmor.d/abstractions/$${file}" "${DESTDIR}/etc/apparmor.d/abstractions/$${file}"; \
-	done;
-	@for file in $(shell find ${BUILD}/apparmor.d/tunables/ -type f -printf "%P\n"); do \
-		install -Dm0644 "${BUILD}/apparmor.d/tunables/$${file}" "${DESTDIR}/etc/apparmor.d/tunables/$${file}"; \
-	done;
-	@echo "Warning: profile dependencies fallback to unconfined."
-	@for file in ${@}; do \
-		grep 'rPx' "${BUILD}/apparmor.d/$${file}"; \
-		sed -i -e "s/rPx/rPUx/g" "${BUILD}/apparmor.d/$${file}"; \
-		install -Dvm0644 "${BUILD}/apparmor.d/$${file}" "${DESTDIR}/etc/apparmor.d/$${file}"; \
-	done;
-	@systemctl restart apparmor || sudo journalctl -xeu apparmor.service
-
-.PHONY: dev
-name ?= 
-dev:
-	@go run ./cmd/prebuild --complain --file $(shell find apparmor.d -iname ${name})
-	@sudo install -Dm644 ${BUILD}/apparmor.d/${name} /etc/apparmor.d/${name}
-	@sudo systemctl restart apparmor || sudo journalctl -xeu apparmor.service
-
-.PHONY: package
-dist ?= archlinux
-package:
-	@bash dists/docker.sh ${dist}
-
-.PHONY: pkg
-pkg:
-	@makepkg --syncdeps --install --cleanbuild --force --noconfirm
-
-.PHONY: dpkg
-dpkg:
-	@bash dists/build.sh dpkg
-	@sudo dpkg -i ${PKGDEST}/${PKGNAME}_*.deb
-
-.PHONY: rpm
-rpm:
-	@bash dists/build.sh rpm
-	@sudo rpm -ivh --force  ${PKGDEST}/${PKGNAME}-*.rpm
-
-.PHONY: tests
-tests:
-	@go test ./cmd/... -v -cover -coverprofile=coverage.out
-	@go test ./pkg/... -v -cover -coverprofile=coverage.out
-	@go tool cover -func=coverage.out
-
-.PHONY: lint
-lint:
-	@golangci-lint run
-	@make --directory=tests lint
-	@shellcheck --shell=bash \
-		PKGBUILD dists/build.sh dists/docker.sh tests/check.sh \
-		tests/packer/init/init.sh tests/packer/src/aa-update tests/packer/init/clean.sh \
-		debian/${PKGNAME}.postinst debian/${PKGNAME}.postrm
-
-.PHONY: check
-check:
-	@bash tests/check.sh
-
-.PHONY: bats
-bats:
-	@bats --print-output-on-failure tests/bats/
-
-.PHONY: manual
-manual:
-	@pandoc -t man -s -o root/usr/share/man/man8/aa-log.8 root/usr/share/man/man8/aa-log.md
-
-.PHONY: docs
-docs:
-	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=true mkdocs build --strict
-
-.PHONY: serve
-serve:
-	@ENABLED_GIT_REVISION_DATE=false MKDOCS_OFFLINE=false mkdocs serve
-
-.PHONY: clean
-clean:
-	@rm -rf \
-		debian/.debhelper debian/debhelper* debian/*.debhelper debian/${PKGNAME} \
-		.pkg/${PKGNAME}* ${BUILD} coverage.out

PKGBUILD

@@ -3,19 +3,25 @@
 
 # Warning: for development only, use https://aur.archlinux.org/packages/apparmor.d-git for production use.
 
-pkgname=apparmor.d
-pkgver=0.001
+pkgbase=apparmor.d
+pkgname=(
+  apparmor.d 
+  # apparmor.d.enforced
+  # apparmor.d.fsp apparmor.d.fsp.enforced
+  # apparmor.d.server apparmor.d.server.enforced
+  # apparmor.d.server.fsp apparmor.d.server.fsp.enforced
+)
+pkgver=0.0001
 pkgrel=1
 pkgdesc="Full set of apparmor profiles"
-arch=("x86_64")
-url="https://github.com/roddhjav/$pkgname"
-license=('GPL2')
-depends=('apparmor')
-makedepends=('go' 'git' 'rsync')
-conflicts=("$pkgname-git")
+arch=('x86_64' 'armv6h' 'armv7h' 'aarch64')
+url="https://github.com/roddhjav/apparmor.d"
+license=('GPL-2.0-only')
+depends=('apparmor>=4.1.0' 'apparmor<5.0.0')
+makedepends=('go' 'git' 'rsync' 'just')
 
 pkgver() {
-  cd "$srcdir/$pkgname"
+  cd "$srcdir/$pkgbase"
   echo "0.$(git rev-list --count HEAD)"
 }
 
@@ -24,16 +30,104 @@ prepare() {
 }
 
 build() {
-  cd "$srcdir/$pkgname"
+  cd "$srcdir/$pkgbase"
   export CGO_CPPFLAGS="${CPPFLAGS}"
   export CGO_CFLAGS="${CFLAGS}"
   export CGO_CXXFLAGS="${CXXFLAGS}"
   export CGO_LDFLAGS="${LDFLAGS}"
+  export GOPATH="${srcdir}"
   export GOFLAGS="-buildmode=pie -trimpath -ldflags=-linkmode=external -mod=readonly -modcacherw"
-  make DISTRIBUTION=arch
+  export DISTRIBUTION=arch
+  local -A modes=(
+    # Mapping of modes to just build target.
+    [default]=complain
+    # [enforced]=enforce
+    # [fsp]=fsp-complain
+    # [fsp.enforced]=fsp
+    # [server]=server-complain
+    # [server.enforced]=server
+    # [server.fsp]=server-fsp-complain
+    # [server.fsp.enforced]=server-fsp
+  )
+  for mode in "${!modes[@]}"; do
+    just build=".build/$mode" "${modes[$mode]}"
+  done
 }
 
-package() {
-  cd "$srcdir/$pkgname"
-  make install DESTDIR="$pkgdir"
+_conflicts() {
+  local mode="$1"
+  local pattern=".$mode"
+  if [[ "$mode" == "default" ]]; then
+    pattern=""
+  else
+    echo "$pkgbase"
+  fi
+  for pkg in "${pkgname[@]}"; do
+    if [[ "$pkg" == "${pkgbase}${pattern}" ]]; then
+      continue
+    fi
+    echo "$pkg"
+  done
+}
+
+_install() {
+  local mode="${1:?}"
+  cd "$srcdir/$pkgbase"
+  just build=".build/$mode" destdir="$pkgdir" install
+}
+
+package_apparmor.d() {
+  mode=default
+  pkgdesc="$pkgdesc (complain mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.enforced() {
+  mode=enforced
+  pkgdesc="$pkgdesc (enforced mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.fsp() {
+  mode="fsp"
+  pkgdesc="$pkgdesc (FSP mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.fsp.enforced() {
+  mode="fsp.enforced"
+  pkgdesc="$pkgdesc (FSP enforced mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.server() {
+  mode="server"
+  pkgdesc="$pkgdesc (server complain mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.server.enforced() {
+  mode="server.enforced"
+  pkgdesc="$pkgdesc (server enforced mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.server.fsp() {
+  mode="server.fsp"
+  pkgdesc="$pkgdesc (server FSP complain mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
+}
+
+package_apparmor.d.server.fsp.enforced() {
+  mode="server.fsp.enforced"
+  pkgdesc="$pkgdesc (server FSP enforced mode)"
+  mapfile -t conflicts < <(_conflicts $mode)
+  _install $mode
 }

README.md

@@ -2,7 +2,7 @@
 
 # apparmor.d
 
-[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] 
+[![][workflow]][action] [![][build]][project] [![][quality]][goreportcard] [![][matrix]][matrix-link] [![][play]][play-link]
 
 **Full set of AppArmor profiles**
 
@@ -35,8 +35,11 @@
     * Gnome (GDM)
     * KDE (SDDM)
     * XFCE (Lightdm) *(work in progress)*
-- Fully tested *(work in progress)*
+- [Fully tested](https://apparmor.pujol.io/development/tests/)
 
+**Demo**
+
+You want to try this project, or you are curious about the advanced usage and security it can provide without installing it on your machine. You can try it online on my AppArmor play machine at https://play.pujol.io/
 
 > This project is originally based on the work from [Morfikov][upstream] and aims to extend it to more Linux distributions and desktop environments.
 
@@ -59,6 +62,10 @@ Building the largest set of AppArmor profiles:
 - [Linux Security Summit North America (LSS-NA 2023)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2023.sched.com/event/1K7bI/building-the-largest-working-set-of-apparmor-profiles-alexandre-pujol-the-collaboratory-tudublin), [Video](https://www.youtube.com/watch?v=OzyalrOzxE8))*
 - [Ubuntu Summit 2023](https://events.canonical.com/event/31/) *([Slide](https://events.canonical.com/event/31/contributions/209/), [Video](https://www.youtube.com/watch?v=GK1J0TlxnFI))*
 
+Lessons learned while making an AppArmor Play machine:
+
+- [Linux Security Summit North America (LSS-NA 2025)](https://events.linuxfoundation.org/linux-security-summit-north-america/) *([Slide](https://lssna2025.sched.com/event/1zalf/lessons-learned-while-making-an-apparmor-play-machine-alexandre-pujol-linagora), [Video](https://www.youtube.com/watch?v=zCSl8honRI0))*
+
 ## Installation
 
 Please see [apparmor.pujol.io/install](https://apparmor.pujol.io/install)
@@ -93,6 +100,8 @@ and thus has the same license (GPL2).
 [goreportcard]: https://goreportcard.com/report/github.com/roddhjav/apparmor.d
 [matrix]: https://img.shields.io/badge/Matrix-%23apparmor.d-blue?style=flat-square&logo=matrix
 [matrix-link]: https://matrix.to/#/#apparmor.d:matrix.org
+[play]: https://img.shields.io/badge/Live_Demo-play.pujol.io-blue?style=flat-square
+[play-link]: https://play.pujol.io
 
 [android_model]: https://arxiv.org/pdf/1904.05572
 [clipos]: https://clip-os.org/en/

apparmor.d/abstractions/X-strict

@@ -4,25 +4,25 @@
 
   abi <abi/4.0>,
 
-
   # The unix socket to use to connect to the display
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*"),
-  unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"),
-  unix type=stream addr="@/tmp/.ICE-unix/[0-9]*",
-  unix type=stream addr="@/tmp/.X11-unix/X[0-9]*",
+  unix (connect, receive, send) type=stream peer=(addr=@/tmp/.ICE-unix/@{int}),
+  unix (connect, receive, send) type=stream peer=(addr=@/tmp/.X11-unix/X@{int}),
+  unix type=stream addr=@/tmp/.ICE-unix/@{int},
+  unix type=stream addr=@/tmp/.X11-unix/X@{int},
 
   /usr/share/X11/{,**} r,
   /usr/share/xsessions/{,*.desktop} r,  # Available Xsessions
+  /usr/share/xkeyboard-config-2/{,**} r,
 
   /etc/X11/cursors/{,**} r,
 
-  owner @{HOME}/.ICEauthority rw,  # ICEauthority files required for X authentication, per user
+  owner @{HOME}/.ICEauthority r,  # ICEauthority files required for X authentication, per user
   owner @{HOME}/.Xauthority rw,  # Xauthority files required for X connections, per user
   owner @{HOME}/.xsession-errors rw,
 
-        /tmp/.ICE-unix/* rw,
+        /tmp/.ICE-unix/@{int} rw,
         /tmp/.X@{int}-lock rw,
-        /tmp/.X11-unix/* rw,
+        /tmp/.X11-unix/X@{int} rw,
   owner @{tmp}/xauth_@{rand6} rl -> @{tmp}/#@{int},
 
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} rw,  # Xwayland

apparmor.d/abstractions/accessibility

@@ -0,0 +1,15 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow communication with Assistive Technology Service Provider Interface (AT-SPI)
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus/accessibility/org.a11y>
+  include <abstractions/bus/session/org.a11y>
+
+  include if exists <abstractions/accessibility.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/amdgpu

@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Kernel Fusion Driver for AMD GPUs
+
+  abi <abi/4.0>,
+
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
+
+  @{sys}/devices/virtual/kfd/kfd/dev r,
+  @{sys}/devices/virtual/kfd/kfd/topology/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/generation_id r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/ r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/caches/@{int}/properties r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/gpu_id r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/io_links/@{int}/properties r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/mem_banks/@{int}/properties r,
+  @{sys}/devices/virtual/kfd/kfd/topology/nodes/@{int}/properties r,
+  @{sys}/devices/virtual/kfd/kfd/topology/system_properties r,
+  @{sys}/devices/virtual/kfd/kfd/uevent r,
+  @{sys}/module/amdgpu/initstate r,
+
+  /dev/kfd rw,
+
+  include if exists <abstractions/amdgpu.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/ansible

@@ -0,0 +1,11 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  owner @{HOME}/.ansible/tmp/ansible-tmp-*/* rw,
+
+  include if exists <abstractions/ansible.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/app-launcher-root

@@ -5,13 +5,11 @@
 
   abi <abi/4.0>,
 
-  @{bin}/**                     PUx,
-  /usr/local/{s,}bin/**         PUx,
+  include <abstractions/path>
 
-  @{bin}/                       r,
-  /                             r,
-  /usr/                         r,
-  /usr/local/{s,}bin/           r,
+  @{bin}/**                     PUx,
+  @{sbin}/**                    PUx,
+  /usr/local/{s,}bin/**         PUx,
 
   include if exists <abstractions/app-launcher-root.d>
 

apparmor.d/abstractions/app-launcher-user

@@ -5,6 +5,8 @@
 
   abi <abi/4.0>,
 
+  include <abstractions/path>
+
   @{bin}/**                     PUx,
   /opt/*/**                     PUx,
   /usr/share/**                 PUx,
@@ -18,13 +20,7 @@
   @{thunderbird_path}           Px,
   @{offices_path}              PUx,
 
-  @{bin}/                       r,
-  /                             r,
-  /usr/                         r,
-  /usr/local/bin/               r,
-
-  @{user_bin_dirs}/             r,
-  @{user_bin_dirs}/**         PUx,
+  @{user_bin_dirs}/**          PUx,
 
   include if exists <abstractions/app-launcher-user.d>
 

apparmor.d/abstractions/app-open

@@ -18,6 +18,7 @@
 
   # Labeled programs
   @{archive_viewers_path}       PUx,
+  @{backup_path}                PUx,
   @{browsers_path}              Px,
   @{document_viewers_path}      PUx,
   @{emails_path}                PUx,
@@ -25,6 +26,7 @@
   @{help_path}                  Px,
   @{image_viewers_path}         PUx,
   @{offices_path}               PUx,
+  @{terminal_path}              Px,
   @{text_editors_path}          PUx,
 
   # Others
@@ -33,17 +35,19 @@
   @{bin}/discord{,-ptb}         Px,
   @{bin}/draw.io                PUx,
   @{bin}/dropbox                Px,
+  @{bin}/ebook-edit             PUx,
   @{bin}/element-desktop        Px,
   @{bin}/extension-manager      Px,
   @{bin}/filezilla              Px,
   @{bin}/flameshot              Px,
-  @{bin}/gimp*                  PUx,
-  @{bin}/gnome-calculator       PUx,
+  @{bin}/gimp{,-3.0}            Px,
+  @{bin}/gnome-calculator       Px,
   @{bin}/gnome-disk-image-mounter Px,
   @{bin}/gnome-disks            Px,
+  @{bin}/gnome-session-quit     Px,
   @{bin}/gnome-software         Px,
   @{bin}/gwenview               PUx,
-  @{bin}/kgx                    Px,
+  @{bin}/keepassxc              Px,
   @{bin}/qbittorrent            Px,
   @{bin}/qpdfview               Px,
   @{bin}/smplayer               Px,
@@ -51,15 +55,12 @@
   @{bin}/telegram-desktop       Px,
   @{bin}/transmission-gtk       Px,
   @{bin}/viewnior               PUx,
-  @{bin}/vlc                    PUx,
+  @{bin}/vlc                    Px,
   @{bin}/xbrlapi                Px,
 
   #aa:only opensuse
   @{lib}/YaST2/**               PUx,
 
-  # Backup
-  @{lib}/deja-dup/deja-dup-monitor PUx,
-
   include if exists <abstractions/app-open.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/app/chromium

@@ -2,6 +2,11 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
+# NEEDS-VARIABLE: name
+# NEEDS-VARIABLE: domain
+# NEEDS-VARIABLE: lib_dirs
+# NEEDS-VARIABLE: config_dirs
+# NEEDS-VARIABLE: cache_dirs
 
 # Full set of rules for all chromium based browsers. It works as a *function*
 # and requires some variables to be provided as *arguments* and set in the
@@ -20,39 +25,32 @@
   abi <abi/4.0>,
 
   include <abstractions/audio-client>
+  include <abstractions/avahi-observe>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.bluez>
-  include <abstractions/bus/org.freedesktop.Avahi>
   include <abstractions/bus/org.freedesktop.FileManager1>
-  include <abstractions/bus/org.freedesktop.Notifications>
-  include <abstractions/bus/org.freedesktop.ScreenSaver>
-  include <abstractions/bus/org.freedesktop.secrets>
-  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/bus/org.gnome.Mutter.IdleMonitor>
-  include <abstractions/bus/org.gnome.ScreenSaver>
-  include <abstractions/bus/org.gnome.SessionManager>
-  include <abstractions/bus/org.kde.kwalletd>
+  include <abstractions/bus/session/org.gnome.SessionManager>
+  include <abstractions/bus/system/org.bluez>
+  include <abstractions/camera>
+  include <abstractions/common/chromium>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
-  include <abstractions/devices-usb>
+  include <abstractions/devices-u2f>
+  include <abstractions/devices-usb-read>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/graphics-full>
+  include <abstractions/graphics>
   include <abstractions/nameservice-strict>
+  include <abstractions/notifications>
+  include <abstractions/pcscd>
+  include <abstractions/screensaver>
+  include <abstractions/secrets-service>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
+  include <abstractions/upower-observe>
   include <abstractions/user-download-strict>
   include <abstractions/user-read-strict>
-  include <abstractions/video>
-
-  userns,
-
-  capability setgid,
-  capability setuid,
-  capability sys_admin,
-  capability sys_chroot,
-  capability sys_ptrace,
 
   network inet dgram,
   network inet6 dgram,
@@ -78,7 +76,7 @@
   @{lib_dirs}/chrome-sandbox           rPx,
 
   # Desktop integration
-  @{bin}/lsb_release        rPx -> lsb_release,
+  @{bin}/lsb_release        rPx,
   @{bin}/xdg-desktop-menu   rPx,
   @{bin}/xdg-email          rPx,
   @{bin}/xdg-icon-resource  rPx,
@@ -86,16 +84,11 @@
   @{bin}/xdg-open           rPx -> child-open,
   @{bin}/xdg-settings       rPx,
 
-  # Installing/removing extensions & applications
-  @{bin}/{,e}grep rix,
-  @{bin}/basename rix,
-  @{bin}/cat      rix,
-  @{bin}/cut      rix,
-  @{bin}/mkdir    rix,
-  @{bin}/mktemp   rix,
-  @{bin}/rm       rix,
-  @{bin}/sed      rix,
-  @{bin}/touch    rix,
+  # Installing/removing extensions, applications, and stacked xdg menus
+  @{sh_path}        rix,
+  @{bin}/{,e}grep    ix,
+  @{bin}/{m,g,}awk   ix,
+  @{coreutils_path}  ix,
 
   # For storing passwords externally
   @{bin}/keepassxc-proxy    rix, # as a temporary solution - see issue #128
@@ -115,23 +108,14 @@
 
   /etc/@{name}/{,**} r,
   /etc/fstab r,
-  /etc/{,opensc/}opensc.conf r,
-
-  /var/lib/dbus/machine-id r,
-  /etc/machine-id r,
 
   / r,
   owner @{HOME}/ r,
 
-  owner @{HOME}/.pki/ rw,
-  owner @{HOME}/.pki/nssdb/ rw,
-  owner @{HOME}/.pki/nssdb/pkcs11.txt rw,
-  owner @{HOME}/.pki/nssdb/{cert9,key4}.db rwk,
-  owner @{HOME}/.pki/nssdb/{cert9,key4}.db-journal rw,
-
-  owner @{user_config_dirs}/gtk-3.0/servers r,
-  owner @{user_share_dirs}/.@{domain}.@{rand6} rw,
   owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
+  owner @{user_config_dirs}/gtk-3.0/servers r,
+
+  owner @{user_share_dirs}/icons/hicolor/.xdg-icon-resource-dummy w,
 
   owner @{config_dirs}/ rw,
   owner @{config_dirs}/** rwk,
@@ -141,7 +125,7 @@
 
   owner @{user_config_dirs}/kioslaverc r,
   owner @{user_config_dirs}/menus/applications-merged/ r,
-  owner @{user_config_dirs}/menus/applications-merged/xdg-desktop-menu-dummy.menu r,
+  owner @{user_config_dirs}/menus/applications-merged/*.menu rw,
 
   # For importing data (bookmarks, cookies, etc) from Firefox
   # owner @{HOME}/.mozilla/firefox/profiles.ini r,
@@ -155,10 +139,8 @@
 
         /tmp/ r,
         /var/tmp/ r,
-  owner @{tmp}/.@{domain}.@{rand6} rw,
-  owner @{tmp}/.@{domain}.@{rand6}/{,**} rw,
   owner @{tmp}/@{name}-crashlog-@{int}-@{int}.txt rw,
-  owner @{tmp}/scoped_dir@{rand6}/{,**} rw,
+  owner @{tmp}/tmp.@{rand10} rw,
   owner @{tmp}/tmp.@{rand6} rw,
   owner @{tmp}/tmp.@{rand6}/ rw,
   owner @{tmp}/tmp.@{rand6}/** rwk,
@@ -166,9 +148,6 @@
   owner @{run}/user/@{uid}/app/org.keepassxc.KeePassXC/org.keepassxc.KeePassXC.BrowserServer rw,
   owner @{run}/user/@{uid}/org.keepassxc.KeePassXC.BrowserServer rw,
 
-        /dev/shm/ r,
-  owner /dev/shm/.@{domain}.@{rand6} rw,
-
   @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
 
   @{sys}/bus/ r,
@@ -176,16 +155,12 @@
   @{sys}/class/**/ r,
   @{sys}/devices/@{pci}/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
   @{sys}/devices/@{pci}/boot_vga r,
-  @{sys}/devices/@{pci}/report_descriptor r,
   @{sys}/devices/**/uevent r,
-  @{sys}/devices/system/cpu/kernel_max r,
-  @{sys}/devices/virtual/**/report_descriptor r,
-  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_name} r,
-  @{sys}/devices/virtual/tty/tty@{int}/active r,
 
         @{PROC}/ r,
         @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pid}/statm r,
         @{PROC}/@{pid}/task/@{tid}/status r,
         @{PROC}/pressure/{memory,cpu,io} r,
         @{PROC}/sys/fs/inotify/max_user_watches r,
@@ -194,21 +169,17 @@
   owner @{PROC}/@{pid}/clear_refs w,
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/environ r,
-  owner @{PROC}/@{pid}/gid_map w,
   owner @{PROC}/@{pid}/limits r,
   owner @{PROC}/@{pid}/mem r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/oom_{,score_}adj rw,
-  owner @{PROC}/@{pid}/setgroups w,
-  owner @{PROC}/@{pid}/statm r,
+  owner @{PROC}/@{pid}/smaps_rollup r,
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,
-  owner @{PROC}/@{pid}/uid_map w,
 
         /dev/ r,
-        /dev/hidraw@{int} rw,
         /dev/tty rw,
   owner /dev/tty@{int} rw,
 

apparmor.d/abstractions/app/editor

@@ -10,11 +10,12 @@
   include <abstractions/consoles>
 
   @{sh_path}                  rix,
-  @{bin}/nvim                 mix,
+  @{bin}/nvim                mrix,
   @{bin}/sensible-editor       mr,
-  @{bin}/vim{,.*}             mix,
-  @{bin}/which{,.debianutils}  ix,
+  @{bin}/vim*                mrix,
+  @{bin}/which{,.debianutils} rix,
 
+  /usr/share/doc/{,**} r,
   /usr/share/nvim/{,**} r,
   /usr/share/terminfo/** r,
   /usr/share/vim/{,**} r,
@@ -24,6 +25,8 @@
   /etc/xdg/nvim/* r,
 
   owner @{HOME}/.selected_editor r,
+  owner @{HOME}/.vim/{after/,}spell/{,**} rw,
+  owner @{HOME}/.vim/** r,
   owner @{HOME}/.viminf@{c}{,.tmp} rw,
   owner @{HOME}/.vimrc r,
 

apparmor.d/abstractions/app/firefox

@@ -2,6 +2,10 @@
 # Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
+# NEEDS-VARIABLE: name
+# NEEDS-VARIABLE: lib_dirs
+# NEEDS-VARIABLE: config_dirs
+# NEEDS-VARIABLE: cache_dirs
 
 # Full set of rules for all firefox based browsers. It works as a *function*
 # and requires some variables to be provided as *arguments* and set in the
@@ -18,17 +22,21 @@
   include <abstractions/audio-client>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.freedesktop.FileManager1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/org.freedesktop.portal.Desktop>
+  include <abstractions/bus/org.freedesktop.RealtimeKit1>
+  include <abstractions/bus/org.freedesktop.timedate1>
   include <abstractions/cups-client>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
+  include <abstractions/devices-u2f>
   include <abstractions/enchant>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/graphics-full>
+  include <abstractions/graphics>
   include <abstractions/gstreamer>
   include <abstractions/nameservice-strict>
+  include <abstractions/pcscd>
   include <abstractions/ssl_certs>
   include <abstractions/thumbnails-cache-read>
   include <abstractions/uim>
@@ -64,7 +72,7 @@
   @{lib_dirs}/plugin-container  rPx,
 
   # Desktop integration
-  @{bin}/lsb_release            rPx -> lsb_release,
+  @{bin}/lsb_release            rPx,
 
   /usr/share/@{name}/{,**} r,
   /usr/share/doc/{,**} r,
@@ -72,7 +80,6 @@
   /usr/share/webext/{,**} r,
   /usr/share/xul-ext/kwallet5/* r,
 
-  /etc/{,opensc/}opensc.conf r,
   /etc/@{name}/{,**} r,
   /etc/fstab r,
   /etc/lsb-release r,
@@ -92,16 +99,22 @@
   owner @{cache_dirs}/ rw,
   owner @{cache_dirs}/** rwk,
 
-        /tmp/ r,
+        /tmp/ rw,
         /var/tmp/ r,
   owner @{tmp}/@{name}/ rw,
   owner @{tmp}/@{name}/* rwk,
+  owner @{tmp}/@{rand6}.tmp rw,
   owner @{tmp}/firefox/ rw,
   owner @{tmp}/firefox/* rwk,
+  owner @{tmp}/mozilla* rw,
+  owner @{tmp}/mozilla*/ rw,
+  owner @{tmp}/mozilla*/* rwk,
+  owner @{tmp}/remote-settings-startup-bundle- rw,
+  owner @{tmp}/remote-settings-startup-bundle-.tmp rw,
   owner @{tmp}/Temp-@{uuid}/ rw,
   owner @{tmp}/Temp-@{uuid}/* rwk,
   owner @{tmp}/tmp-*.xpi rw,
-  owner @{tmp}/tmpaddon r,
+  owner @{tmp}/tmpaddon rw,
   owner @{tmp}/tmpaddon-@{int} r,
 
   owner /dev/shm/org.chromium.@{rand6} rw,
@@ -124,8 +137,10 @@
         @{sys}/devices/**/uevent r,
         @{sys}/devices/power/events/energy-* r,
         @{sys}/devices/power/type r,
+        @{sys}/devices/virtual/dmi/id/product_name r,
+        @{sys}/devices/virtual/dmi/id/product_sku r,
         @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
-        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
   owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,
 
         @{PROC}/@{pid}/net/arp r,
@@ -149,7 +164,6 @@
   owner @{PROC}/@{pid}/uid_map w, # If kernel.unprivileged_userns_clone = 1
 
         /dev/ r,
-        /dev/hidraw@{int} rw,
         /dev/tty rw,
         /dev/video@{int} rw,
   owner /dev/tty@{int} rw, # File Inherit

apparmor.d/abstractions/app/fusermount

@@ -0,0 +1,35 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Minimal set of rules for fusermount subprofiles. Path to mount/unmount should
+# be defined in the calling profile.
+
+  abi <abi/4.0>,
+
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability dac_override,
+  capability dac_read_search,
+  capability sys_admin,  # To mount anything
+
+  @{bin}/fusermount{,3} mr,
+
+  @{bin}/mount          rix,
+  @{bin}/umount         rix,
+
+  @{etc_ro}/fuse{,3}.conf r,
+
+  @{run}/mount/utab r,
+  @{run}/mount/utab.* rwk,
+
+  @{PROC}/@{pid}/mountinfo r,
+  @{PROC}/@{pid}/mounts r,
+
+  /dev/fuse rw,
+
+  include if exists <abstractions/app/fusermount.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/app/kmod

@@ -7,13 +7,7 @@
 
   include <abstractions/consoles>
 
-  @{bin}/depmod    mr,
-  @{bin}/insmod    mr,
-  @{bin}/kmod      mr,
-  @{bin}/lsmod     mr,
-  @{bin}/modinfo   mr,
-  @{bin}/modprobe  mr,
-  @{bin}/rmmod     mr,
+  @{bin}/kmod       mr,
 
   @{lib}/modprobe.d/ r,
   @{lib}/modprobe.d/*.conf r,

apparmor.d/abstractions/app/open

@@ -3,19 +3,44 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-# Full set of rules for child-open-* profiles.
+# Full set of rules for desktop generic open-* used in child-open-* profiles.
 
   abi <abi/4.0>,
 
+  include <abstractions/accessibility>
+  include <abstractions/bus-session>
   include <abstractions/desktop>
 
-  @{open_path} mrix,
+  # We cannot use `@{open_path} mrix,` here because it includes:
+  #     @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop
+  # And `@{multiarch}` has a wildcard that cannot be merged and that will generate
+  # "has merged rule with conflicting x modifiers" error when used with other
+  # wilcard over PUx transition.
+  @{bin}/exo-open            mrix,
+  @{bin}/xdg-open            mrix,
+  @{bin}/gio                 mrix,
+  @{bin}/kde-open            mrix,
+  @{bin}/gio-launch-desktop  mrix,
+  @{lib}/gio-launch-desktop  mrix,
 
-  @{sh_path} r,
   @{bin}/env rix,
+  @{sh_path} r,
 
   /dev/tty rw,
 
+  # if @{DE} == kde
+
+    include <abstractions/audio-client>
+    include <abstractions/graphics>
+    include <abstractions/nameservice-strict>
+
+    owner @{run}/user/@{uid}/#@{int} rw,
+    owner @{run}/user/@{uid}/kioclient@{rand6}.@{int}.kioworker.socket rwl -> @{run}/user/@{uid}/#@{int},
+
+    @{PROC}/sys/kernel/random/boot_id r,
+
+  # fi
+
   include if exists <abstractions/app/open.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/app/pager

@@ -0,0 +1,39 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Minimal set of rules for pagers.
+
+  abi <abi/4.0>,
+
+  include <abstractions/consoles>
+
+  capability dac_override,
+  capability dac_read_search,
+
+  signal receive set=(stop, cont, term, kill),
+
+  @{bin}/       r,
+  @{pager_path} mrix,
+
+  @{system_share_dirs}/terminfo/{,**} r,
+  /usr/share/file/misc/** r,
+  /usr/share/nvim/{,**} r,
+
+  @{etc_ro}/lesskey.bin r,
+
+  @{HOME}/.lesshst r,
+
+  owner @{HOME}/ r,
+  owner @{HOME}/.lesshs* rw,
+  owner @{HOME}/.terminfo/@{int}/* r,
+  owner @{user_cache_dirs}/lesshs* rw,
+  owner @{user_state_dirs}/ r,
+  owner @{user_state_dirs}/lesshs* rw,
+
+  /dev/tty@{int} rw,
+
+  include if exists <abstractions/app/pager.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/app/pgrep

@@ -19,10 +19,13 @@
   @{sys}/devices/system/node/node@{int}/meminfo r,
 
   @{PROC}/ r,
+  @{PROC}/@{pid}/status r,
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/environ r,
   @{PROC}/@{pids}/stat r,
   @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/tty/drivers r,
   @{PROC}/uptime r,
 
   include if exists <abstractions/app/pgrep.d>

apparmor.d/abstractions/app/pkexec

@@ -30,6 +30,8 @@
 
   /etc/shells r,
 
+        @{PROC}/@{pid}/fdinfo/@{int} r,
+        @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/loginuid r,
 
   owner /dev/tty@{int} rw,

apparmor.d/abstractions/app/sudo

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-# Minimal set of rules for sudo. Interactive sudo need more rules.
+# Minimal set of rules for sudo.
 
   abi <abi/4.0>,
 
@@ -24,10 +24,10 @@
 
   network netlink raw,   # PAM
 
-  dbus send bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.logi1.Manager
-       member=CreateSession
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+  unix type=stream addr=@@{udbus}/bus/sudo/system,
+
+  #aa:dbus talk bus=system name=org.freedesktop.home1 label="@{p_systemd_homed}"
+  #aa:dbus talk bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
 
   dbus (send receive) bus=session path=/org/freedesktop/systemd1
          interface=org.freedesktop.systemd.Manager

apparmor.d/abstractions/app/systemctl

@@ -10,10 +10,13 @@
 
   ptrace read peer=@{p_systemd},
 
-  unix bind type=stream addr=@@{hex16}/bus/systemctl/,
+  unix bind type=stream addr=@@{udbus}/bus/systemctl/,
+  unix bind type=stream addr=@@{udbus}/bus/systemctl/system,
 
   @{bin}/systemctl mr,
 
+  @{att}/@{run}/systemd/private rw,
+
   owner @{run}/systemd/private rw,
 
           @{PROC}/1/cgroup r,

apparmor.d/abstractions/app/udevadm

@@ -11,7 +11,8 @@
 
   /etc/udev/udev.conf r,
 
-  @{run}/udev/data/* r,
+  @{run}/udev/data/+*:* r,                # Identifies all subsystems
+  @{run}/udev/data/c@{int}:@{int} r,      # Identifies all character devices
 
   @{sys}/** r,
 

apparmor.d/abstractions/apt

@@ -6,7 +6,9 @@
   abi <abi/4.0>,
 
   /usr/share/dpkg/cputable r,
+  /usr/share/dpkg/ostable r,
   /usr/share/dpkg/tupletable r,
+  /usr/share/dpkg/varianttable r,
 
   /etc/apt/apt.conf r,
   /etc/apt/apt.conf.d/{,*} r,
@@ -18,6 +20,9 @@
   /etc/apt/sources.list.d/ r,
   /etc/apt/sources.list.d/*.{sources,list} r,
 
+  /etc/apt/trusted.gpg r,
+  /etc/apt/trusted.gpg.d/{,*} r,
+
   /var/lib/apt/lists/{,**} r,
   /var/lib/apt/extended_states r,
 
@@ -25,11 +30,14 @@
   /var/cache/apt/srcpkgcache.bin r,
 
   /var/lib/dpkg/status r,
-  /var/lib/ubuntu-advantage/apt-esm/{,**} r,
+  /var/lib/ubuntu-advantage/apt-esm/{,**} r, #aa:only ubuntu
 
   owner @{tmp}/#@{int} rw,
   owner @{tmp}/clearsigned.message.* rw,
 
-  include if exists <abstractions/common/apt.d>
+  #aa:only test
+  /tmp/autopkgtest.@{rand6}/** rwk,
+
+  include if exists <abstractions/apt.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/attached/base

@@ -3,11 +3,21 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
-  # Do not use it manually, it is automatically included in profiles when it is required.
+  # Do not use it manually, It automatically replaces the base abstraction in a
+  # profile with the attach_disconnected flag set and the re-attached path enabled.
 
   abi <abi/4.0>,
 
-  deny @{att}/apparmor/.null rw,
+  include <abstractions/base>
+
+  @{att}/@{run}/systemd/journal/dev-log w,
+  @{att}/@{run}/systemd/journal/socket w,
+  @{att}/@{run}/systemd/journal/stdout rw,
+
+  @{att}/dev/null  rw,
+
+  /apparmor/.null rw,
+  @{att}/apparmor/.null rw,
 
   include if exists <abstractions/attached/base.d>
 

apparmor.d/abstractions/attached/consoles

@@ -3,10 +3,26 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # LOGPROF-SUGGEST: no
 
+  # Do not use it manually, It automatically replaces the consoles abstraction in a
+  # profile with the attach_disconnected flag set and the re-attached path enabled.
+
   abi <abi/4.0>,
 
-        @{att}/dev/tty@{int} rw,
-  owner @{att}/dev/pts/@{int} rw,
+  # There are the common ways to refer to consoles
+  /dev/console          rw,
+  /dev/tty              rw,
+  /dev/tty@{u8}         rw,
+  @{att}/dev/tty        rw,
+  @{att}/dev/tty@{u8}   rw,
+
+  # These entries are a bit unfortunate; /dev/tty will always be
+  # associated with the controlling terminal by the kernel, but if a
+  # program uses the /dev/pts/ interface, it actually has access to
+  # -all- xterm, sshd, etc, terminals on the system.
+        /dev/pts/ r,
+  owner /dev/pts/@{u16} rw,
+        @{att}/pts/ r,
+  owner @{att}/dev/pts/@{u16} rw,
 
   include if exists <abstractions/attached/consoles.d>
 

apparmor.d/abstractions/audio-client

@@ -11,6 +11,7 @@
   /usr/share/openal/hrtf/{,**} r,
   /usr/share/pipewire/client-rt.conf r,
   /usr/share/pipewire/client.conf r,
+  /usr/share/pipewire/jack.conf r,
   /usr/share/sounds/{,**} r,
 
   /etc/alsa/conf.d/{,**} r,
@@ -20,6 +21,7 @@
   /etc/openal/alsoft.conf r,
   /etc/pipewire/client{,-rt}.conf r,
   /etc/pipewire/client{,-rt}.conf.d/{,**} r,
+  /etc/pipewire/jack.conf.d/{,**} r,
   /etc/pulse/client.conf r,
   /etc/pulse/client.conf.d/{,**} r,
   /etc/wildmidi/wildmidi.cfg r,
@@ -55,11 +57,19 @@
   owner @{run}/user/@{uid}/pulse/ rw,
   owner @{run}/user/@{uid}/pulse/native rw,
 
+  @{run}/udev/data/c116:@{int} r,         # For ALSA
+  @{run}/udev/data/+sound:card@{int} r,   # For sound card
+
+  @{sys}/class/ r,
   @{sys}/class/sound/ r,
 
         /dev/shm/ r,
   owner /dev/shm/pulse-shm-@{int} rw,
 
+  /dev/snd/controlC@{int} r,
+  /dev/snd/pcmC@{int}D@{int}[cp] r,
+  /dev/snd/timer r,
+
   include if exists <abstractions/audio-client.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/audio-server

@@ -9,11 +9,6 @@
 
   include <abstractions/audio-client>
 
-  @{run}/udev/data/+sound:card@{int} r,   # for sound card
-
-  @{sys}/class/ r,
-  @{sys}/class/sound/ r,
-
   @{PROC}/asound/** rw,
 
   /dev/admmidi*   rw,

apparmor.d/abstractions/authentication.d/complete

@@ -3,9 +3,10 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
   @{bin}/pam-tmpdir-helper rPx,
+  @{lib}/pam-tmpdir/pam-tmpdir-helper rPx,
 
   #aa:only abi3
-  @{bin}/unix_chkpwd rPx,
+  @{sbin}/unix_chkpwd rPx,
 
   #aa:only whonix
   @{lib}/security-misc/pam-abort-on-locked-password  rPx,

apparmor.d/abstractions/avahi-observe

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2016 Canonical Ltd
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allows domain, record, service, and service type browsing as well as address,
+# host and service resolving
+
+  abi <abi/4.0>,
+
+  include <abstractions/bus/system/org.freedesktop.Avahi.Server>
+
+  include <abstractions/bus/system/org.freedesktop.Avahi.AddressResolver>
+  include <abstractions/bus/system/org.freedesktop.Avahi.DomainBrowser>
+  include <abstractions/bus/system/org.freedesktop.Avahi.HostNameResolver>
+  include <abstractions/bus/system/org.freedesktop.Avahi.RecordBrowser>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceBrowser>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceResolver>
+  include <abstractions/bus/system/org.freedesktop.Avahi.ServiceTypeBrowser>
+
+  @{run}/avahi-daemon/socket rw,
+
+  include if exists <abstractions/avahi-observe.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/base-strict

@@ -0,0 +1,132 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2002-2009 Novell/SUSE
+# Copyright (C) 2009-2011 Canonical Ltd.
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+  # Do not use it manually, It automatically replaces the base abstraction in
+  # profiles when the re-attached mode is enabled.
+
+  # For now, it is only a restructuring of the base abstraction with awareness
+  # of the apparmor.d architecture.
+
+  abi <abi/4.0>,
+
+  include <abstractions/crypto>
+  include <abstractions/glibc>
+  include <abstractions/ld>
+  include <abstractions/locale>
+
+  # Allow us to signal ourselves
+  signal peer=@{profile_name},
+
+  # Checking for PID existence is quite common so add it by default for now
+  signal (receive, send) set=exists,
+
+  #aa:exclude RBAC
+  # Allow unconfined processes to send us signals by default
+  signal receive                           peer=unconfined,
+
+  # Systemd: allow to receive any signal from the systemd profiles stack
+  signal receive                           peer=@{p_systemd},
+  signal receive                           peer=@{p_systemd_user},
+
+  # Htop like programs can send any signal to any process
+  signal receive                           peer=btop,
+  signal receive                           peer=htop,
+  signal receive                           peer=top,
+  signal receive set=(cont,term,kill,stop) peer=gnome-system-monitor,
+
+  # Allow to receive termination signal from manager such as sudo, login, shutdown or systemd
+  signal receive                           peer=su,
+  signal receive                           peer=sudo,
+  signal receive set=(cont,term,kill,stop) peer=gnome-shell,
+  signal receive set=(cont,term,kill,stop) peer=login,
+  signal receive set=(cont,term,kill,stop) peer=openbox,
+  signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
+  signal receive set=(cont,term,kill,stop) peer=xinit,
+
+  # Allow other processes to read our /proc entries, futexes, perf tracing and
+  # kcmp for now (they will need 'read' in the first place). Administrators can
+  # override with:
+  #   deny ptrace readby ...
+  ptrace readby,
+
+  # Allow other processes to trace us by default (they will need 'trace' in
+  # the first place). Administrators can override with:
+  #   deny ptrace tracedby ...
+  ptrace tracedby,
+
+  # Allow us to ptrace read ourselves
+  ptrace read peer=@{profile_name},
+
+  # Allow us to create and use abstract and anonymous sockets
+  unix peer=(label=@{profile_name}),
+
+  # Allow unconfined processes to us via unix sockets
+  unix receive peer=(label=unconfined),
+
+  # Allow communication to children and stacked profiles
+  signal peer=@{profile_name}//*,
+  signal peer=@{profile_name}//&*,
+  unix type=stream peer=(label=@{profile_name}//*),
+
+  # Allow us to create abstract and anonymous sockets
+  unix create,
+
+  # Allow us to getattr, getopt, setop and shutdown on unix sockets
+  unix (getattr, getopt, setopt, shutdown),
+
+  # Allow all programs to use common libraries
+  @{lib}/** r,
+  @{lib}/**.so* m,
+  @{lib}/@{multiarch}/**.so* m,
+  @{lib}/@{multiarch}/** r,
+
+  # Some applications will display license information
+  /usr/share/common-licenses/** r,
+
+  # Allow access to the uuidd daemon (this daemon is a thin wrapper around
+  # time and getrandom()/{,u}random and, when available, runs under an
+  # unprivilged, dedicated user).
+  @{run}/uuidd/request r,
+
+  # Transparent hugepage support
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
+  # Systemd's equivalent of /dev/log
+  @{run}/systemd/journal/dev-log w,
+
+  # Systemd native journal API (see sd_journal_print(4))
+  @{run}/systemd/journal/socket w,
+
+  # Nested containers and anything using systemd-cat need this. 'r' shouldn't
+  # be required but applications fail without it. journald doesn't leak
+  # anything when reading so this is ok.
+  @{run}/systemd/journal/stdout rw,
+
+  # Allow determining the highest valid capability of the running kernel
+  @{PROC}/sys/kernel/cap_last_cap r,
+
+  # Controls how core dump files are named
+  @{PROC}/sys/kernel/core_pattern r,
+
+  # Sometimes used to determine kernel/user interfaces to use
+  @{PROC}/sys/kernel/version r,
+
+  # Harmless and frequently used
+  /dev/null rw,
+  /dev/random r,
+  /dev/urandom r,
+  /dev/zero rw,
+
+  # The __canary_death_handler function writes a time-stamped log
+  # message to /dev/log for logging by syslogd. So, /dev/log, timezones,
+  # and localisations of date should be available EVERYWHERE, so
+  # StackGuard, FormatGuard, etc., alerts can be properly logged.
+  /dev/log w,
+
+  include if exists <abstractions/base-strict.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/base.d/complete

@@ -3,36 +3,33 @@
 # Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-  # Allow to receive some signals from new well-known profiles
-  signal (receive)                           peer=btop,
-  signal (receive)                           peer=htop,
-  signal (receive)                           peer=sudo,
-  signal (receive)                           peer=top,
-  signal (receive) set=(cont,term,kill,stop) peer=systemd-shutdown,
-  signal (receive) set=(cont,term)           peer=@{p_systemd_user},
-  signal (receive) set=(cont,term)           peer=@{p_systemd},
-  signal (receive) set=(hup term)            peer=login,
-  signal (receive) set=(hup)                 peer=xinit,
-  signal (receive) set=(term,kill)           peer=gnome-shell,
-  signal (receive) set=(term,kill)           peer=gnome-system-monitor,
-  signal (receive) set=(term,kill)           peer=openbox,
-  signal (receive) set=(term,kill)           peer=su,
+  # Systemd: allow to receive any signal from the systemd profiles stack
+  signal receive                           peer=@{p_systemd},
+  signal receive                           peer=@{p_systemd_user},
 
-  ptrace (readby) peer=systemd-coredump,
+  # Allow to receive some signals from new well-known profiles
+  signal receive                           peer=btop,
+  signal receive                           peer=htop,
+  signal receive                           peer=pkill,
+  signal receive                           peer=sudo,
+  signal receive                           peer=top,
+  signal receive set=(cont,term,kill,stop) peer=systemd-shutdown,
+  signal receive set=(hup term)            peer=login,
+  signal receive set=(hup)                 peer=xinit,
+  signal receive set=(term,kill)           peer=gnome-shell,
+  signal receive set=(term,kill)           peer=gnome-system-monitor,
+  signal receive set=(term,kill)           peer=openbox,
+  signal receive set=(term,kill)           peer=su,
+
+  ptrace readby peer=@{p_systemd_coredump},
 
   @{etc_rw}/localtime r,
   /etc/locale.conf r,
 
-  # mesa 24.2 introduced a shader disk cache which opens quite a lot of fd.
-  # They are not closed and get inherited by child programs. Denying it can cause
-  # crash, so we are allowing it globally while the issue is beeing fixed in mesa.
-  owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.db rw,
-  owner @{user_cache_dirs}/mesa_shader_cache_db/part@{int}/mesa_cache.idx rw,
-
   @{sys}/devices/system/cpu/possible r,
 
   @{PROC}/sys/kernel/core_pattern r,
 
-  deny /apparmor/.null rw,
+  /apparmor/.null rw,
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bash-strict

@@ -2,7 +2,7 @@
 # Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-# This abstraction is only required when an interactive shell is started.
+# This abstraction is only required when .bashrc is loaded (e.g. interactive shell).
 # Classic shell scripts do not need it.
 
   abi <abi/4.0>,

apparmor.d/abstractions/bus-accessibility

@@ -7,12 +7,7 @@
   dbus send bus=accessibility path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
-
-  dbus send bus=accessibility path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-accessibility),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
 
   owner @{run}/user/@{uid}/at-spi/ rw,
   owner @{run}/user/@{uid}/at-spi/bus rw,

apparmor.d/abstractions/bus-session

@@ -4,19 +4,12 @@
 
   abi <abi/4.0>,
 
-  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
-  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
-  unix (connect, send, receive, accept) type=stream peer=(addr="@/tmp/dbus-*"),
+  unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/session,
 
-  dbus send bus=session path=/org/freedesktop/DBus
+  dbus send bus=session path=/org/freedesktop/{dbus,DBus}
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
-
-  dbus send bus=session path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-session),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,

apparmor.d/abstractions/bus-system

@@ -4,17 +4,15 @@
 
   abi <abi/4.0>,
 
+  unix bind type=stream addr=@@{udbus}/bus/@{profile_name}/system,
+
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
-  dbus send bus=system path=/org/freedesktop/DBus
-       interface=org.freedesktop.DBus
-       member={RequestName,ReleaseName}
-       peer=(name=org.freedesktop.DBus, label=dbus-system),
-
-  @{run}/dbus/system_bus_socket rw,
+         @{run}/dbus/system_bus_socket rw,
+  @{att}/@{run}/dbus/system_bus_socket rw,
 
   include if exists <abstractions/bus-system.d>
 

apparmor.d/abstractions/bus/accessibility/org.a11y

@@ -0,0 +1,65 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  # Allow the accessibility services in the user session to send us any events
+
+  dbus receive bus=accessibility
+       peer=(label="@{p_at_spi2_registryd}"),
+
+  # Allow querying for capabilities and registering
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Socket
+       member=Embed
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/registry
+       interface=org.a11y.atspi.Registry
+       member=GetRegisteredEvents
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member={GetKeystrokeListeners,GetDeviceEventListeners}
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
+       interface=org.a11y.atspi.DeviceEventController
+       member=NotifyListenersSync
+       peer=(name=org.a11y.atspi.Registry, label="@{p_at_spi2_registryd}"),
+
+  # org.a11y.atspi is not designed for application isolation and these rules
+  # can be used to send change events for other processes.
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Event.Object
+       member=ChildrenChanged
+       peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
+       interface=org.a11y.atspi.Accessible
+       member=Get*
+       peer=(label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+       interface=org.a11y.atspi.Event.Object
+       member={ChildrenChanged,PropertyChange,StateChanged,TextCaretMoved}
+       peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/accessible/@{int}
+       interface=org.freedesktop.DBus.Properties
+       member={Get,GetAll}
+       peer=(label="@{p_at_spi2_registryd}"),
+
+  dbus send bus=accessibility path=/org/a11y/atspi/cache
+       interface=org.a11y.atspi.Cache
+       member={AddAccessible,RemoveAccessible}
+       peer=(name=org.freedesktop.DBus, label="@{p_at_spi2_registryd}"),
+
+  include if exists <abstractions/bus/accessibility/org.a11y.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/accessibility/own

@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+# LOGPROF-SUGGEST: no
+
+# Do not use it manually, It is automatically included in a profile by the
+# `aa:dbus own` directive.
+
+# Allow owning a name on DBus public bus
+
+  abi <abi/4.0>,
+
+  dbus send bus=accessibility path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={RequestName,ReleaseName}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=accessibility path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={GetConnectionUnixProcessID,GetConnectionUnixUser,GetConnectionCredentials}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_accessibility}"),
+
+  include if exists <abstractions/bus/accessibility/own.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/ca.desrt.dconf.Writer

@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/ca/desrt/dconf/Writer/user
+       interface=ca.desrt.dconf.Writer
+       member=Change
+       peer=(name=ca.desrt.dconf), # no peer's labels
+
+  dbus receive bus=session path=/ca/desrt/dconf/Writer/user
+       interface=ca.desrt.dconf.Writer
+       member=Notify
+       peer=(name=@{busname}, label=dconf-service),
+
+  include if exists <abstractions/bus/ca.desrt.dconf.Writer.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/com.canonical.dbusmenu

@@ -4,6 +4,10 @@
 
   abi <abi/4.0>,
 
+  dbus send bus=session path=/com/canonical/unity/launcherentry/**
+       interface=com.canonical.dbusmenu
+       member={GetGroupProperties,GetLayout}
+       peer=(name=@{busname}, label=nautilus),
 
   include if exists <abstractions/bus/com.canonical.dbusmenu.d>
 

apparmor.d/abstractions/bus/fi.w1.wpa_supplicant1

@@ -4,14 +4,11 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/fi/w1/wpa_supplicant1
-       interface=org.freedesktop.DBus.Properties
-       member={GetAll,PropertiesChanged}
-       peer=(name="@{busname}", label=wpa-supplicant),
+  #aa:dbus common bus=system name=fi.w1.wpa_supplicant1 label=wpa-supplicant
 
   dbus send bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
        interface=org.freedesktop.DBus.Properties
-       member={GetAll,Set}
+       member=Set
        peer=(name="@{busname}", label=wpa-supplicant),
 
   dbus send bus=system path=/fi/w1/wpa_supplicant1
@@ -39,16 +36,6 @@
        member={BSSAdded,BSSRemoved,NetworkAdded,NetworkRemoved,NetworkSelected,ScanDone,PropertiesChanged}
        peer=(name="@{busname}", label=wpa-supplicant),
 
-  dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}
-       interface=org.freedesktop.DBus.Properties
-       member={GetAll,PropertiesChanged}
-       peer=(name="@{busname}", label=wpa-supplicant),
-
-  dbus receive bus=system path=/fi/w1/wpa_supplicant1/Interfaces/@{int}/BSSs/@{int}
-       interface=org.freedesktop.DBus.Properties
-       member={GetAll,PropertiesChanged}
-       peer=(name="@{busname}", label=wpa-supplicant),
-
   include if exists <abstractions/bus/fi.w1.wpa_supplicant1.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/net.hadess.PowerProfiles

@@ -4,10 +4,7 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/net/hadess/PowerProfiles
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=power-profiles-daemon),
+  #aa:dbus common bus=system name=net.hadess.PowerProfiles label="@{p_power_profiles_daemon}"
 
   include if exists <abstractions/bus/net.hadess.PowerProfiles.d>
 

apparmor.d/abstractions/bus/net.hadess.SwitcherooControl

@@ -4,10 +4,7 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/net/hadess/SwitcherooControl
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=switcheroo-control),
+  #aa:dbus common bus=system name=net.hadess.SwitcherooControl label=switcheroo-control
 
   include if exists <abstractions/bus/net.hadess.SwitcherooControl.d>
 

apparmor.d/abstractions/bus/net.reactivated.Fprint

@@ -4,10 +4,12 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=system name=net.reactivated.Fprint label="@{p_fprintd}"
+
   dbus send bus=system path=/net/reactivated/Fprint/Manager
        interface=net.reactivated.Fprint.Manager
        member={GetDevices,GetDefaultDevice}
-       peer=(name="@{busname}", label=fprintd),
+       peer=(name="@{busname}", label="@{p_fprintd}"),
 
   dbus send bus=system path=/net/reactivated/Fprint/Manager
        interface=net.reactivated.Fprint.Manager
@@ -17,7 +19,7 @@
   dbus send bus=system path=/net/reactivated/Fprint/Manager
        interface=net.reactivated.Fprint.Manager
        member={GetDevices,GetDefaultDevice}
-       peer=(name=net.reactivated.Fprint, label=fprintd),
+       peer=(name=net.reactivated.Fprint, label="@{p_fprintd}"),
 
   include if exists <abstractions/bus/net.reactivated.Fprint.d>
 

apparmor.d/abstractions/bus/org.a11y

@@ -1,48 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  # Accessibility bus
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=EventListenerDeregistered
-       peer=(name="@{busname}", label=at-spi2-registryd),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/registry
-       interface=org.a11y.atspi.Registry
-       member=GetRegisteredEvents
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/registry/deviceeventcontroller
-       interface=org.a11y.atspi.DeviceEventController
-       member={GetKeystrokeListeners,GetDeviceEventListeners}
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
-
-  dbus receive bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.freedesktop.DBus.Properties
-       member=Set
-       peer=(name="@{busname}", label=at-spi2-registryd),
-
-  dbus send bus=accessibility path=/org/a11y/atspi/accessible/root
-       interface=org.a11y.atspi.Socket
-       member=Embed
-       peer=(name=org.a11y.atspi.Registry, label=at-spi2-registryd),
-
-  # Session bus
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus, label=dbus-accessibility),
-
-  dbus send bus=session path=/org/a11y/bus
-       interface=org.a11y.Bus
-       member=GetAddress
-       peer=(name=org.a11y.Bus),
-
-  include if exists <abstractions/bus/org.a11y.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.Accounts

@@ -4,30 +4,27 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=system name=org.freedesktop.Accounts label="@{p_accounts_daemon}"
+
   dbus send bus=system path=/org/freedesktop/Accounts
        interface=org.freedesktop.Accounts
-       member={FindUserByName,ListCachedUsers}
-       peer=(name="@{busname}", label=accounts-daemon),
-
-  dbus send bus=system path=/org/freedesktop/Accounts{,/User@{uid}}
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=accounts-daemon),
+       member={FindUserByName,ListCachedUsers,FindUserById}
+       peer=(name="{@{busname},org.freedesktop.Accounts}", label="@{p_accounts_daemon}"),
 
   dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
        interface=org.freedesktop.Accounts.User
        member=*Changed
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
 
   dbus receive bus=system path=/org/freedesktop/Accounts
        interface=org.freedesktop.Accounts
        member=UserAdded
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
 
   dbus receive bus=system path=/org/freedesktop/Accounts/User@{uid}
        interface=org.freedesktop.DBus.Properties
        member=*Changed
-       peer=(name="@{busname}", label=accounts-daemon),
+       peer=(name="@{busname}", label="@{p_accounts_daemon}"),
 
   include if exists <abstractions/bus/org.freedesktop.Accounts.d>
 

apparmor.d/abstractions/bus/org.freedesktop.Avahi

@@ -4,25 +4,42 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=system name=org.freedesktop.Avahi label="@{p_avahi_daemon}"
+
   dbus send bus=system path=/
        interface=org.freedesktop.DBus.Peer
        member=Ping
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi),
 
   dbus send bus=system path=/
        interface=org.freedesktop.Avahi.Server
        member={GetAPIVersion,GetState,Service*New}
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
 
   dbus send bus=system path=/Client@{int}/ServiceBrowser@{int}
        interface=org.freedesktop.Avahi.ServiceBrowser
        member=Free
-       peer=(name=org.freedesktop.Avahi, label=avahi-daemon),
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
 
   dbus receive bus=system path=/Client@{int}/ServiceBrowser@{int}
        interface=org.freedesktop.Avahi.ServiceBrowser
-       member={ItemNew,AllForNow,CacheExhausted}
-       peer=(name="@{busname}", label=avahi-daemon),
+       member={ItemNew,ItemRemove,AllForNow,CacheExhausted}
+       peer=(name="@{busname}", label="@{p_avahi_daemon}"),
+
+  dbus receive bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=StateChanged
+       peer=(name=@{busname},  label="@{p_avahi_daemon}"),
+
+  dbus receive bus=system path=/Client@{int}/ServiceResolver@{int}
+       interface=org.freedesktop.Avahi.ServiceResolver
+       member=Found
+       peer=(name=@{busname}, label="@{p_avahi_daemon}"),
+
+  dbus send bus=system path=/Client@{int}/ServiceResolver@{int}
+       interface=org.freedesktop.Avahi.ServiceResolver
+       member=Free
+       peer=(name=org.freedesktop.Avahi, label="@{p_avahi_daemon}"),
 
   include if exists <abstractions/bus/org.freedesktop.Avahi.d>
 

apparmor.d/abstractions/bus/org.freedesktop.ColorManager

@@ -1,29 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member=GetDevices
-       peer=(name="@{busname}", label=colord),
-
-  dbus send bus=system path=/org/freedesktop/ColorManager{,/**}
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=colord),
-
-  dbus send bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member=CreateDevice
-       peer=(name="@{busname}", label=colord),
-
-  dbus receive bus=system path=/org/freedesktop/ColorManager
-       interface=org.freedesktop.ColorManager
-       member={DeviceAdded,DeviceRemoved}
-       peer=(name="@{busname}", label=colord),
-
-  include if exists <abstractions/bus/org.freedesktop.ColorManager.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.FileManager1

@@ -4,15 +4,12 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=session path=/org/freedesktop/FileManager1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=nautilus),
+  #aa:dbus common bus=session name=org.freedesktop.FileManager1 label=nautilus
 
-  dbus receive bus=session path=/org/freedesktop/FileManager1
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=nautilus),
+  dbus send bus=session path=/org/freedesktop/FileManager1
+       interface=org.freedesktop.FileManager1
+       member=ShowItems
+       peer=(name=org.freedesktop.FileManager1, label=nautilus),
 
   include if exists <abstractions/bus/org.freedesktop.FileManager1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.GeoClue2

@@ -4,35 +4,26 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=geoclue),
-
+  #aa:dbus common bus=system name=org.freedesktop.GeoClue2 label="@{p_geoclue}"
   dbus send bus=system path=/org/freedesktop/GeoClue2/Agent
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged
-       peer=(name=org.freedesktop.DBus, label=geoclue),
+       peer=(name=org.freedesktop.DBus, label="@{p_geoclue}"),
 
   dbus receive bus=system path=/org/freedesktop/GeoClue2/Agent
        interface=org.freedesktop.DBus.Properties
        member=GetAll
-       peer=(name="@{busname}", label=geoclue),
+       peer=(name="@{busname}", label="@{p_geoclue}"),
 
   dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
        interface=org.freedesktop.DBus.Properties
        member=GetAll
-       peer=(name="@{busname}", label=geoclue),
+       peer=(name="@{busname}", label="@{p_geoclue}"),
 
   dbus send bus=system path=/org/freedesktop/GeoClue2/Manager
        interface=org.freedesktop.GeoClue2.Manager
        member=AddAgent
-       peer=(name="@{busname}", label=geoclue),
-
-  dbus receive bus=system path=/org/freedesktop/GeoClue2/Manager
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=geoclue),
+       peer=(name="@{busname}", label="@{p_geoclue}"),
 
   include if exists <abstractions/bus/org.freedesktop.GeoClue2.d>
 

apparmor.d/abstractions/bus/org.freedesktop.ModemManager1

@@ -4,20 +4,17 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/org/freedesktop/ModemManager1
-       interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects
-       peer=(name=org.freedesktop.ModemManager1, label=ModemManager),
+  #aa:dbus common bus=system name=org.freedesktop.ModemManager1 label="@{p_ModemManager}"
 
   dbus send bus=system path=/org/freedesktop/ModemManager1
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
-       peer=(name="@{busname}", label=ModemManager),
+       peer=(name=org.freedesktop.ModemManager1, label="@{p_ModemManager}"),
 
   dbus send bus=system path=/org/freedesktop/ModemManager1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=ModemManager),
+       interface=org.freedesktop.DBus.ObjectManager
+       member=GetManagedObjects
+       peer=(name="@{busname}", label="@{p_ModemManager}"),
 
   include if exists <abstractions/bus/org.freedesktop.ModemManager1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.NetworkManager

@@ -4,14 +4,11 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=system name=org.freedesktop.NetworkManager label=NetworkManager
+
   dbus send bus=system path=/org/freedesktop
        interface=org.freedesktop.DBus.ObjectManager
-       member=GetManagedObjects
-       peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
-
-  dbus send bus=system path=/org/freedesktop/NetworkManager{,/**}
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
+       member={GetManagedObjects,InterfacesRemoved}
        peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
 
   dbus send bus=system path=/org/freedesktop/NetworkManager
@@ -29,19 +26,9 @@
        member=GetSettings
        peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
 
-  dbus send bus=system path=/org/freedesktop/NetworkManager
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
-
   dbus receive bus=system path=/org/freedesktop
        interface=org.freedesktop.DBus.ObjectManager
-       member=InterfacesAdded
-       peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
-
-  dbus receive bus=system path=/org/freedesktop/NetworkManager{,/**}
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
+       member={InterfacesAdded,InterfacesRemoved}
        peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
 
   dbus receive bus=system path=/org/freedesktop/NetworkManager
@@ -64,6 +51,11 @@
        member=Updated
        peer=(name="{@{busname},org.freedesktop.NetworkManager}", label=NetworkManager),
 
+  dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/@{int}
+       interface=org.freedesktop.NetworkManager.Connection.Active
+       member=StateChanged
+       peer=(name=@{busname}, label=NetworkManager),
+
   include if exists <abstractions/bus/org.freedesktop.NetworkManager.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.Notifications

@@ -1,29 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus send bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member={GetCapabilities,GetServerInformation,Notify}
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member={GetAll,NotificationClosed,CloseNotification}
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/freedesktop/Notifications
-       interface=org.freedesktop.DBus.Properties
-       member=Notify
-       peer=(name=org.freedesktop.DBus, label=gjs-console),
-
-  include if exists <abstractions/bus/org.freedesktop.Notifications.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.PackageKit

@@ -2,17 +2,13 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow communication with PackageKit transactions. Transactions are exported
+# with random object paths that currently take the form /@{int}_@{hex8}.
+
   abi <abi/4.0>,
 
-  dbus send bus=system path=/org/freedesktop/PackageKit
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=packagekitd),
+  #aa:dbus common bus=system name=org.freedesktop.PackageKit label=packagekitd
 
-  dbus send bus=system path=/org/freedesktop/PackageKit
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=org.freedesktop.PackageKit, label=packagekitd),
   dbus send bus=system path=/org/freedesktop/PackageKit
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
@@ -21,7 +17,15 @@
   dbus send bus=system path=/org/freedesktop/PackageKit
        interface=org.freedesktop.PackageKit
        member=StateHasChanged
-       peer=(name=org.freedesktop.PackageKit, label=packagekitd),
+       peer=(name=org.freedesktop.PackageKit),
+
+  dbus send bus=system path=/@{int}_@{hex8}
+       interface=org.freedesktop.PackageKit.Transaction
+       peer=(label=packagekitd),
+
+  dbus receive bus=system path=/@{int}_@{hex8}
+       interface=org.freedesktop.PackageKit.Transaction
+       peer=(label=packagekitd),
 
   include if exists <abstractions/bus/org.freedesktop.PackageKit.d>
 

apparmor.d/abstractions/bus/org.freedesktop.PolicyKit1

@@ -2,36 +2,26 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Can talk to polkitd's CheckAuthorization API
+
   abi <abi/4.0>,
 
+  #aa:dbus common bus=system name=org.freedesktop.PolicyKit1 label="@{p_polkitd}"
+
   dbus receive bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
        member=Changed
-       peer=(name="@{busname}", label=polkitd),
-
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=polkitd),
+       peer=(name="@{busname}", label="@{p_polkitd}"),
 
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
-       member=CheckAuthorization
-       peer=(name=org.freedesktop.PolicyKit1, label=polkitd),
+       member={CheckAuthorization,CancelCheckAuthorization}
+       peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
 
   dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
        interface=org.freedesktop.PolicyKit1.Authority
-       member=CheckAuthorization
-       peer=(name="@{busname}", label=polkitd),
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.PolicyKit1.Authority
-       member=CheckAuthorization
-       peer=(name=org.freedesktop.PolicyKit1),
-
-  dbus send bus=system path=/org/freedesktop/PolicyKit1/Authority
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name="@{busname}", label=polkitd),
+       member=RegisterAuthenticationAgentWithOptions
+       peer=(name="{@{busname},org.freedesktop.PolicyKit1}", label="@{p_polkitd}"),
 
   include if exists <abstractions/bus/org.freedesktop.PolicyKit1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.RealtimeKit1

@@ -2,32 +2,25 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow setting realtime priorities.
+
   abi <abi/4.0>,
 
+  #aa:dbus common bus=system name=org.freedesktop.RealtimeKit1 label="@{p_rtkit_daemon}"
   dbus send bus=system path=/org/freedesktop/RealtimeKit1
        interface=org.freedesktop.DBus.Properties
        member=Get
        peer=(name=org.freedesktop.RealtimeKit1),
 
   dbus send bus=system path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="@{busname}", label=rtkit-daemon),
+       interface=org.freedesktop.RealtimeKit1
+       member={MakeThreadHighPriority,MakeThreadRealtime}
+       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
 
   dbus send bus=system path=/org/freedesktop/RealtimeKit1
        interface=org.freedesktop.RealtimeKit1
-       member=MakeThread*
-       peer=(name="@{busname}", label=rtkit-daemon),
-
-  dbus send bus=system path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.RealtimeKit1
-       member=MakeThread*
-       peer=(name=org.freedesktop.RealtimeKit1),
-
-  dbus send bus=system path=/org/freedesktop/RealtimeKit1
-       interface=org.freedesktop.RealtimeKit1
-       member=MakeThread*
-       peer=(name=org.freedesktop.RealtimeKit1, label=rtkit-daemon),
+       member={MakeThreadHighPriorityWithPID,MakeThreadRealtimeWithPID}
+       peer=(name="{@{busname},org.freedesktop.RealtimeKit1}", label="@{p_rtkit_daemon}"),
 
   include if exists <abstractions/bus/org.freedesktop.RealtimeKit1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.ScreenSaver

@@ -1,14 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=session path=/ScreenSaver
-       interface=org.freedesktop.ScreenSaver
-       member={Inhibit,UnInhibit}
-       peer=(name=org.freedesktop.ScreenSaver),
-
-  include if exists <abstractions/bus/org.freedesktop.ScreenSaver.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.Tracker3.Miner.Files

@@ -7,12 +7,12 @@
   dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
        interface=org.freedesktop.DBus.Peer
        member=Ping
-       peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
+       peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
 
   dbus send bus=session path=/org/freedesktop/Tracker3/Endpoint
        interface=org.freedesktop.Tracker3.Endpoint
        member=Query
-       peer=(name=org.freedesktop.Tracker3.Miner.Files, label=tracker-miner),
+       peer=(name=org.freedesktop.Tracker3.Miner.Files, label="{localsearch,tracker-miner}"),
 
   include if exists <abstractions/bus/org.freedesktop.Tracker3.Miner.Files.d>
 

apparmor.d/abstractions/bus/org.freedesktop.UDisks2

@@ -4,16 +4,13 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=system name=org.freedesktop.UDisks2 label=udisksd
+
   dbus send bus=system path=/org/freedesktop/UDisks2
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
        peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
 
-  dbus send bus=system path=/org/freedesktop/UDisks2/**
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-
   dbus send bus=system path=/
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
@@ -29,16 +26,6 @@
        member=Introspect
        peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
 
-  dbus send bus=system path=/org/freedesktop/UDisks2/drives{,/*}
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-
-  dbus send bus=system path=/org/freedesktop/UDisks2/block_devices/*
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-
   dbus receive bus=system path=/org/freedesktop/UDisks2
        interface=org.freedesktop.DBus.ObjectManager
        member=InterfacesAdded
@@ -49,11 +36,6 @@
        member=Completed
        peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
 
-  dbus receive bus=system path=/org/freedesktop/UDisks2/block_devices/*
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="{@{busname},org.freedesktop.UDisks2}", label=udisksd),
-
   include if exists <abstractions/bus/org.freedesktop.UDisks2.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.UPower

@@ -1,48 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=system path=/org/freedesktop/UPower
-       interface=org.freedesktop.UPower
-       member=EnumerateDevices
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-
-  dbus send bus=system path=/org/freedesktop/UPower{,/**}
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-  dbus send bus=system path=/org/freedesktop/UPower{,/**}
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name=org.freedesktop.UPower, label=upowerd),
-
-  dbus send bus=system path=/org/freedesktop/UPower
-       interface=org.freedesktop.DBus.Properties
-       member=GetDisplayDevice
-       peer=(name=org.freedesktop.UPower, label=upowerd),
-
-  dbus send bus=system path=/org/freedesktop/UPower/devices/*
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-
-  dbus send bus=system path=/org/freedesktop/UPower{,/**}
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-
-  dbus receive bus=system path=/org/freedesktop/UPower
-       interface=org.freedesktop.UPower
-       member=DeviceAdded
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-
-  dbus receive bus=system path=/org/freedesktop/UPower/devices/*
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="{@{busname},org.freedesktop.UPower}", label=upowerd),
-
-  include if exists <abstractions/bus/org.freedesktop.UPower.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.UPower.PowerProfiles

@@ -0,0 +1,11 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=system name=org.freedesktop.UPower.PowerProfiles label=@{p_power_profiles_daemon}
+
+  include if exists <abstractions/bus/org.freedesktop.UPower.PowerProfiles.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.background.Monitor

@@ -4,15 +4,7 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=session path=/org/freedesktop/background/monitor
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=xdg-desktop-portal),
-
-  dbus receive bus=session path=/org/freedesktop/background/monitor
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=xdg-desktop-portal),
+  #aa:dbus common bus=session name=org.freedesktop.background.Monitor label=xdg-desktop-portal
 
   include if exists <abstractions/bus/org.freedesktop.background.Monitor.d>
 

apparmor.d/abstractions/bus/org.freedesktop.hostname1

@@ -4,14 +4,11 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/org/freedesktop/hostname1
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="{@{busname},org.freedesktop.hostname1}", label=systemd-hostnamed),
+  #aa:dbus common bus=system name=org.freedesktop.hostname1 label="@{p_systemd_hostnamed}"
 
   dbus send bus=system path=/org/freedesktop/hostname1
        interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
+       member=Get
        peer=(name=org.freedesktop.hostname1),
 
   include if exists <abstractions/bus/org.freedesktop.hostname1.d>

apparmor.d/abstractions/bus/org.freedesktop.impl.portal.PermissionStore

@@ -4,16 +4,18 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=xdg-permission-store),
+  #aa:dbus common bus=session name=org.freedesktop.impl.portal.PermissionStore label=xdg-permission-store
 
   dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
        interface=org.freedesktop.impl.portal.PermissionStore
        member=Lookup
        peer=(name="@{busname}", label=xdg-permission-store),
 
+  dbus send bus=session path=/org/freedesktop/impl/portal/PermissionStore
+       interface=org.freedesktop.impl.portal.PermissionStore
+       member=Lookup
+       peer=(name=org.freedesktop.impl.portal.PermissionStore, label=xdg-permission-store),
+
   include if exists <abstractions/bus/org.freedesktop.impl.portal.PermissionStore.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.login1

@@ -4,35 +4,22 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus receive bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+  #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
 
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member={Inhibit,CanHibernate,CanHybridSleep,CanPowerOff,CanReboot,CanSuspend,CreateSession,GetSessionByPID}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
 
   dbus receive bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
-       member={SessionNew,SessionRemoved,UserNew,UserRemoved,PrepareFor*}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus send bus=system path=/org/freedesktop/login1
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       member={SessionNew,SessionRemoved,UserNew,UserRemoved,SeatNew,PrepareFor*}
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
 
   dbus send bus=system path=/org/freedesktop/login1/session/*
        interface=org.freedesktop.login1.Session
        member=PauseDeviceComplete
-       peer=(name=org.freedesktop.login1, label=systemd-logind),
+       peer=(name=org.freedesktop.login1, label="@{p_systemd_logind}"),
 
   include if exists <abstractions/bus/org.freedesktop.login1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.login1.Session

@@ -4,40 +4,22 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=system name=org.freedesktop.login1 label="@{p_systemd_logind}"
+
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager
        member=GetSession
-       peer=(name="@{busname}", label=systemd-logind),
-
-  dbus send bus=system path=/org/freedesktop/login1{,session/*,seat/*}
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus send bus=system path=/org/freedesktop/login1/session/*
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="@{busname}", label=systemd-logind),
+       peer=(name="@{busname}", label="@{p_systemd_logind}"),
 
   dbus send bus=system path=/org/freedesktop/login1/session/*
        interface=org.freedesktop.login1.Session
        member={ReleaseDevice,TakeControl,TakeDevice,SetBrightness,SetLockedHint,SetIdleHint}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus send bus=system path=/org/freedesktop/login1/seat/*
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
-
-  dbus receive bus=system path=/org/freedesktop/login1/session/*
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
 
   dbus receive bus=system path=/org/freedesktop/login1/session/*
        interface=org.freedesktop.login1.Session
        member={PauseDevice,Unlock}
-       peer=(name="{@{busname},org.freedesktop.login1}", label=systemd-logind),
+       peer=(name="{@{busname},org.freedesktop.login1}", label="@{p_systemd_logind}"),
 
   include if exists <abstractions/bus/org.freedesktop.login1.Session.d>
 

apparmor.d/abstractions/bus/org.freedesktop.network1

@@ -4,10 +4,7 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/org/freedesktop/network1
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.freedesktop.network1, label=systemd-networkd),
+  #aa:dbus common bus=system name=org.freedesktop.network1 label="@{p_systemd_networkd}"
 
   include if exists <abstractions/bus/org.freedesktop.network1.d>
 

apparmor.d/abstractions/bus/org.freedesktop.portal.Desktop

@@ -4,30 +4,57 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=session name=org.freedesktop.portal.{d,D}esktop label=xdg-desktop-portal
+
   dbus send bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll,Read}
+       member=Read
        peer=(name="{@{busname},org.freedesktop.portal.Desktop}", label=xdg-desktop-portal),
 
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
   dbus send bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.portal.Settings
        member={Read,ReadAll}
-       peer=(name="@{busname}", label=xdg-desktop-portal),
+       peer=(name=@{busname}, label=xdg-desktop-portal),
 
   dbus receive bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.portal.Settings
        member=SettingChanged
-       peer=(name="@{busname}", label=xdg-desktop-portal),
+       peer=(name=@{busname}, label=xdg-desktop-portal),
 
-  dbus receive bus=session path=/org/freedesktop/portal/desktop
+  dbus receive bus=session path=/org/freedesktop/portal/desktop{,/**}
        interface=org.freedesktop.DBus.Properties
        member={Get,GetAll}
-       peer=(name="@{busname}", label=xdg-desktop-portal),
+       peer=(name=@{busname}, label=xdg-desktop-portal),
 
   dbus receive bus=session path=/org/freedesktop/portal/desktop
        interface=org.freedesktop.impl.portal.Settings
        member={Read,ReadAll}
-       peer=(name="@{busname}", label=xdg-desktop-portal),
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.host.portal.Registry
+       member=Register
+       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
+
+  dbus receive bus=session path=/org/freedesktop/portal/desktop/**
+       interface=org.freedesktop.portal.Request
+       member=Response
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
+  dbus receive bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Inhibit
+       member={StateChanged,CreateMonitor}
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
+  dbus receive bus=session path=/org/freedesktop/portal/desktop/session/**
+       interface=org.freedesktop.impl.portal.Session
+       member=Close
+       peer=(name=@{busname}, label=xdg-desktop-portal),
 
   include if exists <abstractions/bus/org.freedesktop.portal.Desktop.d>
 

apparmor.d/abstractions/bus/org.freedesktop.resolve1

@@ -1,14 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=system path=/org/freedesktop/resolve1
-       interface=org.freedesktop.resolve1.Manager
-       member={SetLink*,ResolveHostname}
-       peer=(name="{@{busname},org.freedesktop.resolve1}", label=systemd-resolved),
-
-  include if exists <abstractions/bus/org.freedesktop.resolve1.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.secrets

@@ -4,15 +4,12 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=session path=/org/freedesktop/secrets{,/**}
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=gnome-keyring-daemon),
+  #aa:dbus common bus=session name=org.freedesktop.secrets label=gnome-keyring-daemon
 
   dbus send bus=session path=/org/freedesktop/secrets
        interface=org.freedesktop.Secret.Service
-       member={OpenSession,GetSecrets,SearchItems,ReadAlias}
-       peer=(name="@{busname}", label=gnome-keyring-daemon),
+       member={OpenSession,GetSecrets,SearchItems,Unlock,ReadAlias}
+       peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
 
   dbus send bus=session path=/org/freedesktop/secrets/aliases/default
        interface=org.freedesktop.Secret.Collection
@@ -24,11 +21,6 @@
        member=ItemCreated
        peer=(name="@{busname}", label=gnome-keyring-daemon),
 
-  dbus receive bus=session path=/org/freedesktop/secrets/collection/login
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=gnome-keyring-daemon),
-
   include if exists <abstractions/bus/org.freedesktop.secrets.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.freedesktop.systemd1

@@ -4,14 +4,16 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
+
   dbus send bus=system path=/org/freedesktop/systemd1
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
+       interface=org.freedesktop.systemd1.Manager
+       member={GetUnit,GetUnitByPIDFD,StartUnit,StartTransientUnit}
        peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
 
-  dbus send bus=session path=/org/freedesktop/systemd1
+  dbus send bus=system path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
-       member={GetUnit,StartUnit,StartTransientUnit}
+       member=ListUnitsByPatterns
        peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
 
   dbus send bus=session path=/org/freedesktop/systemd1

apparmor.d/abstractions/bus/org.freedesktop.timedate1

@@ -4,21 +4,7 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=system path=/org/freedesktop/timedate1
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.freedesktop.timedate1, label=systemd-timedated),
-
-  # FIXME: should be under the systemd-timedated label
-  dbus send bus=system path=/org/freedesktop/timedate1
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.freedesktop.timedate1, label=unconfined),
-
-  dbus send bus=system path=/org/freedesktop/timedate1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=systemd-timedated),
+  #aa:dbus common bus=system name=org.freedesktop.timedate1 label="@{p_systemd_timedated}"
 
   include if exists <abstractions/bus/org.freedesktop.timedate1.d>
 

apparmor.d/abstractions/bus/org.gnome.Mutter.DisplayConfig

@@ -4,6 +4,8 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=session name=org.gnome.Mutter.DisplayConfig label=gnome-shell
+
   dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
        interface=org.gnome.Mutter.DisplayConfig
        member={GetResources,GetCrtcGamma}
@@ -14,16 +16,6 @@
        member=GetCurrentState
        peer=(name="{@{busname},org.gnome.Mutter.DisplayConfig}", label=gnome-shell),
 
-  dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
-       interface=org.freedesktop.DBus.Properties
-       member={GetAll,PropertiesChanged}
-       peer=(name="@{busname}", label=gnome-shell),
-
-  dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=gnome-shell),
-
   dbus receive bus=session path=/org/gnome/Mutter/DisplayConfig
        interface=org.gnome.Mutter.DisplayConfig
        member=MonitorsChanged

apparmor.d/abstractions/bus/org.gnome.Mutter.IdleMonitor

@@ -4,6 +4,8 @@
 
   abi <abi/4.0>,
 
+  #aa:dbus common bus=session name=org.gnome.Mutter.IdleMonitor label=gnome-shell
+
   dbus send bus=session path=/org/gnome/Mutter/IdleMonitor
        interface=org.freedesktop.DBus.ObjectManager
        member=GetManagedObjects
@@ -11,8 +13,8 @@
 
   dbus send bus=session path=/org/gnome/Mutter/IdleMonitor/Core
        interface=org.gnome.Mutter.IdleMonitor
-       member={AddIdleWatch,AddUserActiveWatch,RemoveWatch}
-       peer=(name="@{busname}", label=gnome-shell),
+       member={AddIdleWatch,AddUserActiveWatch,RemoveWatch,GetIdletime}
+       peer=(name="{@{busname},org.gnome.Mutter.IdleMonitor}", label=gnome-shell),
 
   dbus receive bus=session path=/org/gnome/Mutter/IdleMonitor/Core
        interface=org.gnome.Mutter.IdleMonitor

apparmor.d/abstractions/bus/org.gnome.Nautilus.FileOperations2

@@ -1,24 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=nautilus),
-
-  dbus send bus=session path=/org/gnome/Nautilus/FileOperations2
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name="@{busname}", label=nautilus),
-
-  dbus receive bus=session path=/org/gnome/Nautilus/FileOperations2
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=nautilus),
-
-  include if exists <abstractions/bus/org.gnome.Nautilus.FileOperations2.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gnome.ScreenSaver

@@ -1,24 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=session path=/org/gnome/ScreenSaver
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus send bus=session path=/org/gnome/ScreenSaver
-       interface=org.gnome.ScreenSaver
-       member=GetActive
-       peer=(name="@{busname}", label=gjs-console),
-
-  dbus receive bus=session path=/org/gnome/ScreenSaver
-       interface=org.gnome.ScreenSaver
-       member={ActiveChanged,WakeUpScreen}
-       peer=(name="@{busname}", label=gjs-console),
-
-  include if exists <abstractions/bus/org.gnome.ScreenSaver.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gnome.SessionManager

@@ -1,66 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# FIXME: Too large, restrict it.
-
-  abi <abi/4.0>,
-
-  dbus send bus=session path=/org/gnome/SessionManager
-       interface=org.gnome.SessionManager
-       member={RegisterClient,IsSessionRunning}
-       peer=(name="@{busname}", label=gnome-session-binary),
-
-  dbus send bus=session path=/org/gnome/SessionManager
-       interface=org.gnome.SessionManager
-       member={Setenv,IsSessionRunning}
-       peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
-
-  dbus receive bus=session path=/org/gnome/SessionManager
-       interface=org.gnome.SessionManager
-       member={ClientAdded,ClientRemoved,SessionRunning,InhibitorRemoved,InhibitorAdded}
-       peer=(name="@{busname}", label=gnome-session-binary),
-
-  dbus send bus=session path=/org/gnome/SessionManager
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=gnome-session-binary),
-
-  dbus receive bus=session path=/org/gnome/SessionManager
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=gnome-session-binary),
-
-  dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
-       interface=org.gnome.SessionManager.ClientPrivate
-       member=EndSessionResponse
-       peer=(name="@{busname}", label=gnome-session-binary),
-
-  dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
-       interface=org.gnome.SessionManager.ClientPrivate
-       member={CancelEndSession,QueryEndSession,EndSession,Stop}
-       peer=(name="@{busname}", label=gnome-session-binary),
-
-  dbus send bus=session path=/org/gnome/SessionManager/Client@{int}
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=gnome-session-binary),
-
-  dbus receive bus=session path=/org/gnome/SessionManager/Client@{int}
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=gnome-session-binary),
-
-  dbus receive bus=session path=/org/gnome/SessionManager/Presence
-       interface=org.gnome.SessionManager.Presence
-       member=StatusChanged
-       peer=(name="@{busname}", label=gnome-session-binary),
-
-  dbus send bus=session path=/org/gnome/SessionManager
-       interface=org.freedesktop.DBus.Introspectable
-       member=Introspect
-       peer=(name=org.gnome.SessionManager, label=gnome-session-binary),
-
-  include if exists <abstractions/bus/org.gnome.SessionManager.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gnome.Shell.Introspect

@@ -4,15 +4,7 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=session path=/org/gnome/Shell/Introspect
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=gnome-shell),
-
-  dbus send bus=session path=/org/gnome/Shell/Introspect
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.gnome.Shell.Introspect, label=gnome-shell),
+  #aa:dbus common bus=session name=org.gnome.Shell.Introspect label=gnome-shell
 
   dbus send bus=session path=/org/gnome/Shell/Introspect
        interface=org.gnome.Shell.Introspect
@@ -24,11 +16,6 @@
        member={RunningApplicationsChanged,WindowsChanged}
        peer=(name="@{busname}", label=gnome-shell),
 
-  dbus receive bus=session path=/org/gnome/Shell/Introspect
-       interface=org.freedesktop.DBus.Properties
-       member=PropertiesChanged
-       peer=(name="@{busname}", label=gnome-shell),
-
   include if exists <abstractions/bus/org.gnome.Shell.Introspect.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gnome.Shell.SearchProvider2

@@ -0,0 +1,22 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=session name=org.gnome.Shell.SearchProvider2 label=gnome-shell
+
+  dbus receive bus=session path=/org/gnome/Characters/SearchProvider
+       interface=org.gnome.Shell.SearchProvider2
+       member={GetInitialResultSet,GetSubsearchResultSet,GetResultMetas}
+       peer=(name=@{busname}, label=gnome-shell),
+
+    dbus receive bus=session path=/org/gnome/Characters/SearchProvider
+       interface=org.gnome.Shell.SearchProvider2
+       member=*Cancel
+       peer=(name=@{busname}, label=gnome-shell),
+
+  include if exists <abstractions/bus/org.gnome.Shell.SearchProvider2.d>
+
+# vim:syntax=apparmor
+

apparmor.d/abstractions/bus/org.gnome.keyring.internal.Prompter

@@ -0,0 +1,28 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow accessing the GNOME crypto services prompt APIs as used by
+# applications using libgcr (such as pinentry-gnome3) for secure pin
+# entry to unlock GPG keys etc. See:
+# https://developer.gnome.org/gcr/unstable/GcrPrompt.html
+# https://developer.gnome.org/gcr/unstable/GcrSecretExchange.html
+# https://github.com/snapcore/snapd/pull/7673#issuecomment-592229711
+
+  abi <abi/4.0>,
+
+  unix type=stream peer=(label=gnome-keyring-daemon),
+
+  dbus send bus=session path=/org/gnome/keyring/Prompter
+       interface=org.gnome.keyring.internal.Prompter
+       member={BeginPrompting,PerformPrompt,StopPrompting}
+       peer=(name=@{busname}, label=pinentry-*),
+
+  dbus receive bus=session path=/org/gnome/keyring/Prompt/p@{int}
+       interface=org.gnome.keyring.internal.Prompter.Callback
+       member={PromptReady,PromptDone}
+       peer=(name=@{busname}, label=pinentry-*),
+
+  include if exists <abstractions/bus/org.gnome.keyring.internal.Prompter.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gtk.vfs.Daemon

@@ -1,14 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=session path=/org/gtk/vfs/Daemon
-       interface=org.gtk.vfs.Daemon
-       member={GetConnection,ListMonitorImplementations,ListMountableInfo}
-       peer=(name="@{busname}", label=gvfsd),
-
-  include if exists <abstractions/bus/org.gtk.vfs.Daemon.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.gtk.vfs.Metadata

@@ -1,19 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-  abi <abi/4.0>,
-
-  dbus send bus=session path=/org/gtk/vfs/metadata
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=gvfsd-metadata),
-
-  dbus receive bus=session path=/org/gtk/vfs/metadata
-       interface=org.gtk.vfs.Metadata
-       member=AttributeChanged
-       peer=(name="@{busname}", label=gvfsd-metadata),
-
-  include if exists <abstractions/bus/org.gtk.vfs.Metadata.d>
-
-# vim:syntax=apparmor

apparmor.d/abstractions/bus/org.kde.StatusNotifierWatcher

@@ -2,22 +2,52 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
+# Allow to display Status Notifier Items in the KDE Plasma systray
+
   abi <abi/4.0>,
 
-  dbus send bus=session path=/StatusNotifierWatcher
-       interface=org.freedesktop.DBus.Properties
-       member=Get
-       peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
-
-  dbus send bus=session path=/StatusNotifierWatcher
-       interface=org.kde.StatusNotifierWatcher
-       member=RegisterStatusNotifierItem
-       peer=(name="{:*,org.kde.StatusNotifierWatcher}", label=gnome-shell),
+  #aa-dbus common bus=session name=org.kde.StatusNotifierWatcher label=gnome-shell
 
   dbus send bus=session path=/StatusNotifierWatcher
        interface=org.freedesktop.DBus.Introspectable
        member=Introspect
-       peer=(name=org.kde.StatusNotifierWatcher, label=gnome-shell),
+       peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.kde.StatusNotifierWatcher, label="@{pp_app_indicator}"),
+
+  dbus receive bus=session path=/StatusNotifierItem
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(label="@{pp_app_indicator}"),
+
+
+  dbus send bus=session path=/{StatusNotifierItem/menu,org/ayatana/NotificationItem/*/Menu}
+       interface=com.canonical.dbusmenu
+       member={LayoutUpdated,ItemsPropertiesUpdated}
+       peer=(name=org.freedesktop.DBus, label="@{pp_app_indicator}"),
+
+  dbus receive bus=session path=/{StatusNotifierItem,StatusNotifierItem/menu,org/ayatana/NotificationItem/**}
+       interface={org.freedesktop.DBus.Properties,com.canonical.dbusmenu}
+       member={Get*,AboutTo*,Event*}
+       peer=(label="@{pp_app_indicator}"),
+
+  dbus send bus=session path=/StatusNotifierWatcher
+       interface=org.kde.StatusNotifierWatcher
+       member=RegisterStatusNotifierItem
+       peer=(label="@{pp_app_indicator}"),
+
+  dbus receive bus=session path=/StatusNotifierItem
+       interface=org.kde.StatusNotifierItem
+       member={ProvideXdgActivationToken,Activate}
+       peer=(label="@{pp_app_indicator}"),
+
+  dbus receive bus=session  path=/MenuBar
+       interface=com.canonical.dbusmenu
+       member={AboutToShow,GetLayout,Event}
+       peer=(label="@{pp_app_indicator}"),
 
   include if exists <abstractions/bus/org.kde.StatusNotifierWatcher.d>
 

apparmor.d/abstractions/bus/session/io.snapcraft.Launcher

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow use of snapd's internal xdg-open
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/
+      interface=com.canonical.SafeLauncher
+      member=OpenURL
+      peer=(name=@{busname}, label=snap),
+
+  dbus send bus=session path=/io/snapcraft/Launcher
+       interface=io.snapcraft.Launcher
+       member={OpenURL,OpenFile}
+       peer=(name=@{busname}, label=snap),
+
+  include if exists <abstractions/bus/session/io.snapcraft.Launcher.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher

@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Can identify and launch other snaps.
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/io/snapcraft/PrivilegedDesktopLauncher
+       interface=io.snapcraft.PrivilegedDesktopLauncher
+       member=OpenDesktopEntry
+       peer=(name=io.snapcraft.Launcher, label=snap),
+
+  include if exists <abstractions/bus/session/io.snapcraft.PrivilegedDesktopLauncher.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/io.snapcraft.Settings

@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow use of snapd's internal 'xdg-settings'
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/io/snapcraft/Settings
+       interface=io.snapcraft.Settings
+       member={Check,CheckSub,Get,GetSub,Set,SetSub}
+       peer=(name=io.snapcraft.Settings, label=snap),
+
+  include if exists <abstractions/bus/session/io.snapcraft.Settings.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.a11y

@@ -0,0 +1,29 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.freedesktop.DBus.Properties
+       member=Get
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.a11y.Bus
+       member=Get
+       peer=(name=org.a11y.Bus, label="@{p_dbus_accessibility}"),
+
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.a11y.Bus
+       member=GetAddress
+       peer=(name=org.a11y.Bus),
+
+  include if exists <abstractions/bus/session/org.a11y.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.IBus.Portal

@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow access to the IBus portal
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/freedesktop/IBus
+       interface=org.freedesktop.IBus.Portal
+       member=CreateInputContext
+       peer=(name=org.freedesktop.portal.IBus),
+
+  dbus send bus=session path=/org/freedesktop/IBus/InputContext_@{int}
+       interface=org.freedesktop.IBus.InputContext
+       peer=(label=ibus-daemon),
+
+  dbus receive bus=session path=/org/freedesktop/IBus/InputContext_@{int}
+       interface=org.freedesktop.IBus.InputContext
+       peer=(label=ibus-daemon),
+
+  include if exists <abstractions/bus/session/org.freedesktop.IBus.Portal.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.Notifications

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=session name=org.freedesktop.Notifications label="@{pp_notification}"
+
+  dbus send bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={GetCapabilities,GetServerInformation,Notify,CloseNotification}
+       peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+  dbus receive bus=session path=/org/freedesktop/Notifications
+       interface=org.freedesktop.Notifications
+       member={ActionInvoked,NotificationClosed,NotificationReplied}
+       peer=(name="{@{busname},org.freedesktop.Notifications}", label="@{pp_notification}"),
+
+  include if exists <abstractions/bus/session/org.freedesktop.Notifications.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.ScreenSaver

@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={Inhibit,UnInhibit}
+       peer=(name=org.freedesktop.ScreenSaver),
+
+  dbus send bus=session path=/{,org/freedesktop/}ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={GetActive,GetActiveTime,Lock,SetActive}
+       peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
+
+  dbus receive bus=session path=/org/freedesktop/ScreenSaver
+       interface=org.freedesktop.ScreenSaver
+       member={ActiveChanged,WakeUpScreen}
+       peer=(name=@{busname}, label="{gsd-screensaver-proxy,ksmserver,kwin_wayland}"),
+
+  include if exists <abstractions/bus/session/org.freedesktop.ScreenSaver.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.Secret

@@ -0,0 +1,49 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2017 Canonical Ltd
+# Copyright (C) 2021-2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Provide full access to the secret-service API:
+# - https://standards.freedesktop.org/secret-service/)
+#
+# The secret-service allows managing (add/delete/lock/etc) collections and
+# (add/delete/etc) items within collections. The API also has the concept of
+# aliases for collections which is typically used to access the default
+# collection. While it would be possible for an application developer to use a
+# snap-specific collection and mediate by object path, application developers
+# are meant to instead to treat collections (typically the default collection)
+# as a database of key/value attributes each with an associated secret that
+# applications may query. Because AppArmor does not mediate member data,
+# typical and recommended usage of the API does not allow for application
+# isolation. For details, see:
+# - https://standards.freedesktop.org/secret-service/ch03.html
+#
+
+  abi <abi/4.0>,
+
+  #aa:dbus common bus=session name=org.freedesktop.{S,s}ecret label=gnome-keyring-daemon
+
+  dbus send bus=session path=/org/freedesktop/secrets{,/**}
+       interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
+       peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
+
+  dbus receive bus=session path=/org/freedesktop/secrets{,/**}
+       interface=org.freedesktop.Secret.{Collection,Item,Prompt,Service,Session}
+       peer=(name="{@{busname},org.freedesktop.secrets}", label=gnome-keyring-daemon),
+
+  dbus send bus=session path=/org/freedesktop/secrets
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=@{busname}, label=gnome-keyring-daemon),
+  dbus send bus=session path=/org/freedesktop/secrets
+       interface=org.freedesktop.Secret.Service
+       member=ReadAlias
+       peer=(name=org.freedesktop.secrets, label=gnome-keyring-daemon),
+  dbus send bus=session path=/org/freedesktop/secrets
+       interface=org.freedesktop.Secret.Service
+       member=SearchItems
+       peer=(name=@{busname}, label=gnome-keyring-daemon),
+
+  include if exists <abstractions/bus/session/org.freedesktop.Secret.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.portal.Settings

@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Settings
+       member=Read
+       peer=(name=org.freedesktop.portal.Desktop, label=xdg-desktop-portal),
+
+  dbus send bus=session path=/org/freedesktop/portal/desktop
+       interface=org.freedesktop.portal.Settings
+       member=ReadAll
+       peer=(name=@{busname}, label=xdg-desktop-portal),
+
+  include if exists <abstractions/bus/session/org.freedesktop.portal.Settings.d>
+
+# vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.freedesktop.systemd1

@@ -4,21 +4,23 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name=org.freedesktop.systemd1),
-
-  dbus send bus=session path=/org/freedesktop/systemd1
-       interface=org.freedesktop.DBus.Properties
-       member={Get,GetAll}
-       peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
+  #aa:dbus common bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
 
   dbus send bus=session path=/org/freedesktop/systemd1
        interface=org.freedesktop.systemd1.Manager
        member=GetUnit
        peer=(name="{@{busname},org.freedesktop.systemd1}", label="@{p_systemd_user}"),
 
-  include if exists <abstractions/bus/org.freedesktop.systemd1-session.d>
+  dbus send bus=session path=/org/freedesktop/systemd1/unit/app_*
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
+
+  dbus send bus=session path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=StartTransientUnit
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd_user}"),
+
+  include if exists <abstractions/bus/session/org.freedesktop.systemd1.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.ArchiveManager1

@@ -4,16 +4,13 @@
 
   abi <abi/4.0>,
 
-  dbus send bus=session path=/org/gnome/ArchiveManager1
-       interface=org.freedesktop.DBus.Properties
-       member=GetAll
-       peer=(name="@{busname}", label=file-roller),
+  #aa:dbus common bus=session name=org.gnome.ArchiveManager1 label="@{p_file_roller}"
 
   dbus send bus=session path=/org/gnome/ArchiveManager1
        interface=org.gnome.ArchiveManager1
        member=GetSupportedTypes
-       peer=(name="@{busname}", label=file-roller),
+       peer=(name="@{busname}", label="@{p_file_roller}"),
 
-  include if exists <abstractions/bus/org.gnome.ArchiveManager1.d>
+  include if exists <abstractions/bus/session/org.gnome.ArchiveManager1.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.Nautilus.FileOperations2

@@ -4,6 +4,8 @@
 
   abi <abi/4.0>,
 
-  include if exists <abstractions/bus/org.kde.StatusNotifierItem.d>
+  #aa:dbus common bus=session name=org.gnome.Nautilus.FileOperations2 label=nautilus
+
+  include if exists <abstractions/bus/session/org.gnome.Nautilus.FileOperations2.d>
 
 # vim:syntax=apparmor

apparmor.d/abstractions/bus/session/org.gnome.ScreenSaver

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Allow checking status, activating and locking the screensaver (GNOME version)
+
+  abi <abi/4.0>,
+
+  dbus send bus=session path=/{,org/gnome/}ScreenSaver
+       interface=org.gnome.ScreenSaver
+       member={GetActive,GetActiveTime,Lock,SetActive}
+       peer=(name=@{busname}, label=gjs-console),
+
+  dbus receive bus=session path=/org/gnome/ScreenSaver
+       interface=org.gnome.ScreenSaver
+       member={ActiveChanged,WakeUpScreen}
+       peer=(name=@{busname}, label=gjs-console),
+
+  include if exists <abstractions/bus/session/org.gnome.ScreenSaver.d>
+
+# vim:syntax=apparmor