XFCE: Debian 12 / Xubuntu 24.04

apparmor.d/groups/apt/dpkg-preconfigure

@@ -30,18 +30,24 @@ profile dpkg-preconfigure @{exec_path} {
   @{bin}/sort       rix,
   @{bin}/stty       rix,
   @{bin}/tr         rix,
+  @{bin}/head       rix,
+  @{bin}/readlink   rix,
+  @{bin}/realpath   rix,
 
   @{bin}/dpkg                 rPx -> child-dpkg,
   @{bin}/apt-extracttemplates rPx,
   @{bin}/whiptail             rPx,
   @{lib}/apt/apt-extracttemplates rPx,
 
   /usr/share/debconf/confmodule r,
+  /usr/share/dictionaries-common/{,*} r,
 
+  /etc/cloud/cloud.cfg.d/90_dpkg.cfg r,
   /etc/debconf.conf r,
   /etc/default/grub r,
   /etc/inputrc r,
   /etc/shadow r,
+  /etc/X11/Xwrapper.config r,
 
   owner @{tmp}/*.template.* rw,
   owner @{tmp}/*.config.* rwPUx,
@@ -54,6 +60,7 @@ profile dpkg-preconfigure @{exec_path} {
   owner /var/cache/debconf/tmp.ci/*.config.@{rand6} w,
   owner /var/cache/debconf/tmp.ci/*.passwords.@{rand6} w,
   owner /var/cache/debconf/tmp.ci/*.template.@{rand6} w,
+  owner /var/cache/dictionaries-common/flag-wordlist-new w,
   owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 
   @{run}/user/@{uid}/.mutter-Xwaylandauth.@{rand6} r,

apparmor.d/groups/children/child-dpkg-divert

@@ -22,6 +22,7 @@ profile child-dpkg-divert {
   /var/lib/dpkg/arch r,
   /var/lib/dpkg/status r,
   /var/lib/dpkg/updates/ r,
+  /var/lib/dpkg/updates/@{int} r,
   /var/lib/dpkg/triggers/File r,
   /var/lib/dpkg/triggers/Unincorp r,
   /var/lib/dpkg/diversions r,

apparmor.d/groups/display-manager/lightdm

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/lightdm
 profile lightdm @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/bus-system>
   include <abstractions/authentication>
   include <abstractions/desktop>
   include <abstractions/fontconfig-cache-read>
@@ -36,6 +37,10 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   signal (send) set=(term) peer=xfce-session,
   signal (send) set=(term) peer=xorg,
 
+  unix (bind) type=stream addr="@@{udbus}/bus/lightdm/system",
+
+  #aa:dbus own bus=system name=org.freedesktop.DisplayManager
+
   @{exec_path} mrix,
 
   @{bin}/rm     rix,
@@ -45,13 +50,18 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   @{bin}/Xorg                  rPx,
   @{bin}/plymouth              rPx,
   @{bin}/gnome-keyring-daemon  rPx,
+  @{bin}/lightdm-session       rPx,
 
   @{lib}/security-misc/*       rPx, #aa:only whonix
   @{lib}/{,at-spi2{,-core}/}at-spi-bus-launcher rPx,
 
   /etc/lightdm/Xsession        rPx,
   /etc/X11/Xsession            rPx,
 
+  @{sh_path}        rix,
+  @{bin}/{,e,f}grep rix,
+  @{bin}/df         rix,
+
   /usr/share/lightdm/{,**} r,
   /usr/share/wayland-sessions/{,*.desktop} r,
   /usr/share/xgreeters/{,**} r,
@@ -81,6 +91,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid rw,
   owner @{PROC}/@{pid}/uid_map r,
+  owner @{PROC}/@{pid}/mountinfo r,
 
   /dev/tty@{int} r,
 

apparmor.d/groups/display-manager/lightdm-session

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/lightdm-session
+profile lightdm-session @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{bin}/im-launch rPx,
+
+  @{sh_path} rix,
+  @{bin}/mktemp rix,
+  @{bin}/expr rix,
+
+  include if exists <local/lightdm-session>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/freedesktop/pkla-admin-identities

@@ -0,0 +1,20 @@
+# apparmor.d - Full set of apparmor profiles
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/pkla-admin-identities
+profile pkla-admin-identities @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/nameservice-strict>
+
+  @{exec_path} mr,
+
+  /etc/polkit-1/localauthority.conf.d/{,**} r,
+
+  include if exists <local/pkla-admin-identities>
+}
+
+# vim:syntax=apparmor

apparmor.d/groups/freedesktop/polkit-gnome-authentication-agent

@@ -12,11 +12,19 @@ include <tunables/global>
 @{exec_path} += @{lib}/polkit-gnome/polkit-gnome-authentication-agent-1
 profile polkit-gnome-authentication-agent @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
+  include <abstractions/bus-accessibility>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/nameservice-strict>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
 
+  signal (send) set=(term) peer=polkit-agent-helper,
+
   @{exec_path} mr,
 
+  @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
+
   @{PROC}/@{pid}/cgroup r,
 
   include if exists <local/polkit-gnome-authentication-agent>

apparmor.d/groups/freedesktop/polkitd

@@ -31,6 +31,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{bin}/pkla-check-authorization rPUx,
+  @{bin}/pkla-admin-identities     rPx,
 
   /etc/machine-id r,
 

apparmor.d/groups/gnome/gnome-system-monitor

@@ -36,7 +36,7 @@ profile gnome-system-monitor @{exec_path} flags=(attach_disconnected) {
   @{bin}/tr     rix,
 
   /usr/share/gnome-system-monitor/{,**} r,
-  /usr/share/firefox-esr/browser/chrome/icons/default/*.png r,
+  /usr/share/firefox{,-esr}/browser/chrome/icons/{,**} r,
 
   / r,
 

apparmor.d/groups/grub/grub-mkconfig

@@ -65,6 +65,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   @{lib}/grub/grub-sort-version rPx,
   @{lib}/libostree/grub[0-9]-@{int}_ostree rix,
 
+  /usr/share/desktop-base/*/grub/* r,
   /usr/share/grub/{,**} r,
   /usr/share/terminfo/** r,
 

apparmor.d/groups/grub/grub-probe

@@ -27,6 +27,7 @@ profile grub-probe @{exec_path} {
 
   / r,
   /boot/ r,
+  /boot/grub/ r,
   /boot/grub/themes/{,**} r,
 
   @{PROC}/@{pids}/mountinfo r,

apparmor.d/groups/gvfs/gvfsd-computer

@@ -10,6 +10,9 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-computer
 profile gvfsd-computer @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
+
+  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
 
   @{exec_path} mr,
 

apparmor.d/groups/gvfs/gvfsd-wsdd

@@ -9,9 +9,12 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,gvfs/}gvfsd-wsdd
 profile gvfsd-wsdd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
 
   network netlink raw,
 
+  #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_wsdd
+
   @{exec_path} mr,
 
   @{bin}/env r,

apparmor.d/groups/network/NetworkManager

@@ -109,6 +109,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   /etc/network/interfaces.d/{,*} r,
   /etc/NetworkManager/{,**} r,
   /etc/NetworkManager/system-connections/{,**} w,
+  @{etc_rw}/netplan/90-NM-@{uuid}.yaml w,
   @{etc_rw}/resolv.conf rw,
   @{etc_rw}/resolv.conf.[0-9A-Z]* rw,
 

apparmor.d/groups/network/wg

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/wg
 profile wg @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   capability net_admin,
   capability net_bind_service,

apparmor.d/groups/network/wg-quick

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/wg-quick
 profile wg-quick @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   capability dac_read_search,
   capability net_admin,

apparmor.d/groups/systemd/systemd-hwdb

@@ -16,10 +16,10 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{exec_path} mr,
 
   @{lib}/udev/#@{int} rwl,
-  @{lib}/udev/.#hwdb.bin@{hex16} wl -> @{lib}/udev/#@{int},
+  @{lib}/udev/.#hwdb.bin{@{hex16},@{rand6}} wl -> @{lib}/udev/#@{int},
   @{lib}/udev/hwdb.bin w,
 
-  /etc/udev/.#hwdb.bin@{hex16} wl ->  /etc/udev/#@{int},
+  /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} wl ->  /etc/udev/#@{int},
   /etc/udev/hwdb.bin w,
   /etc/udev/hwdb.d/{,*} r,
 

apparmor.d/groups/systemd/systemd-udevd

@@ -79,7 +79,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   /etc/nfs.conf rk,
 
   /etc/udev/{,**} r,
-  /etc/udev/.#hwdb.bin* rw,
+  /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw,
   /etc/udev/hwdb.bin rw,
 
   /etc/modprobe.d/ r,

apparmor.d/groups/xfce/startxfce

@@ -19,6 +19,7 @@ profile startxfce @{exec_path} {
   @{bin}/mkdir  rix,
   @{bin}/id     rix,
 
+  @{bin}/xdg-user-dirs-update                rPx,
   @{bin}/xfce4-session                       rPx,
   @{bin}/xrdb                                rPx,
   @{bin}/systemctl                           rCx -> systemctl,
@@ -27,6 +28,8 @@ profile startxfce @{exec_path} {
   /etc/X11/xinit/xinitrc.d/{,**} r,
   /etc/xdg/xfce4/{,**} r,
 
+  owner @{HOME}/.Xdefaults r,
+
   profile systemctl flags=(attach_disconnected) {
     include <abstractions/base>
     include <abstractions/app/systemctl>
@@ -36,6 +39,7 @@ profile startxfce @{exec_path} {
 
   profile dbus {
     include <abstractions/base>
+    include <abstractions/bus-session>
 
     @{bin}/dbus-update-activation-environment mr,
 

apparmor.d/groups/xfce/thunar

@@ -9,6 +9,8 @@ include <tunables/global>
 @{exec_path} = @{bin}/thunar
 profile thunar @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/deny-sensitive-home>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/nameservice-strict>
@@ -17,6 +19,10 @@ profile thunar @{exec_path} {
 
   network netlink raw,
 
+  #aa:dbus own bus=session name=org.xfce.Thunar
+  #aa:dbus own bus=session name=org.xfce.FileManager
+  #aa:dbus own bus=session name=org.freedesktop.FileManager1
+
   @{exec_path} mr,
 
   @{bin}/thunar-volman  rPx,
@@ -30,6 +36,7 @@ profile thunar @{exec_path} {
 
   /etc/fstab r,
   /etc/timezone r,
+  /etc/xdg/{,xdg-xubuntu/}Thunar/{,**} r,
 
   # Full access to user's data
   / r,
@@ -50,6 +57,8 @@ profile thunar @{exec_path} {
   deny /tmp/.* rw,
   deny /tmp/.*/{,**} rw,
 
+  @{run}/mount/utab r,
+
   owner @{PROC}/@{pid}/mountinfo r,
 
   profile dbus {

apparmor.d/groups/xfce/thunar-volman

@@ -9,6 +9,8 @@ include <tunables/global>
 @{exec_path} = @{bin}/thunar-volman
 profile thunar-volman @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/nameservice-strict>
   include <abstractions/xfce>
 

apparmor.d/groups/xfce/tumblerd

@@ -9,18 +9,30 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,@{multiarch}/}tumbler-1/tumblerd
 profile tumblerd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/fontconfig-cache-read>
+  include <abstractions/desktop>
+  include <abstractions/bus-session>
   include <abstractions/gstreamer>
   include <abstractions/nameservice-strict>
   include <abstractions/thumbnails-cache-write>
 
+  #aa:dbus own bus=session name=org.freedesktop.thumbnails.Cache1
+  #aa:dbus own bus=session name=org.freedesktop.thumbnails.Manager1
+  #aa:dbus own bus=session name=org.freedesktop.thumbnails.Thumbnailer1
+
   @{exec_path} mr,
 
+  @{bin}/gdk-pixbuf-thumbnailer rPx,
+
   /usr/share/backgrounds/xfce/{,**} r,
   /usr/share/thumbnailers/{,**} r,
 
   /etc/fstab r,
   /etc/xdg/tumbler/* r,
 
+  owner /tmp/tumbler-@{rand6}.png r,
+  owner /tmp/tumbler-@{rand6}.??? w,
+
   owner @{PROC}/@{pid}/mountinfo r,
 
   /dev/ r,

apparmor.d/groups/xfce/xfce-clipman-settings

@@ -9,8 +9,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/xfce4-clipman-settings
 profile xfce-clipman-settings @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/xfce>
 
+  #aa:dbus own bus=session name=org.xfce.clipman.settings
+
   @{exec_path} mr,
 
   @{open_path} rPx -> child-open-help,

apparmor.d/groups/xfce/xfce-notifyd

@@ -10,6 +10,8 @@ include <tunables/global>
 @{exec_path} = @{lib}/{,@{multiarch}/}xfce4/notifyd/xfce4-notifyd
 profile xfce-notifyd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
   include <abstractions/fontconfig-cache-read>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
@@ -22,6 +24,9 @@ profile xfce-notifyd @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  #aa:dbus own bus=session name=org.xfce.Notifyd
+  #aa:dbus own bus=session name=org.freedesktop.Notifications
+
   @{exec_path} mr,
 
   owner @{user_cache_dirs}/xfce4/notifyd/ rw,