feat(profiles): apply guideline on some profile. Update flags list.

apparmor.d/groups/ssh/sshd

@@ -19,8 +19,8 @@ include <tunables/global>
 profile sshd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/authentication>
-  include <abstractions/dbus-strict>
   include <abstractions/consoles>
+  include <abstractions/dbus-strict>
   include <abstractions/hosts_access>
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>

apparmor.d/groups/systemd/loginctl

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}bin/loginctl
+@{exec_path} = @{bin}/loginctl
 profile loginctl @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-strict>

apparmor.d/profiles-a-f/btop

@@ -1,11 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}{,local/}bin/btop
+@{exec_path} = @{bin}/btop
 profile btop @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-g-l/host

@@ -1,16 +1,17 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}bin/host
+@{exec_path} = @{bin}/host
 profile host @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
-  include <abstractions/openssl>
   include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
 
   network inet dgram,
   network inet6 dgram,
@@ -21,5 +22,7 @@ profile host @{exec_path} {
 
   owner @{PROC}/@{pids}/task/@{tid}/comm rw,
 
+  @{sys}/kernel/mm/transparent_hugepage/enabled r,
+
   include if exists <local/host>
 }

apparmor.d/profiles-m-r/murmurd

@@ -1,14 +1,15 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}{,s}bin/murmurd
+@{exec_path} = @{bin}/murmurd
 profile murmurd @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-strict>
   include <abstractions/nameservice-strict>
   include <abstractions/openssl>
-  include <abstractions/dbus-strict>
   include <abstractions/ssl_certs>
 
   capability chown,
@@ -31,7 +32,7 @@ profile murmurd @{exec_path} {
 
   @{exec_path} mr,
 
-  /{,usr/}bin/lsb_release Px -> lsb_release,
+  @{bin}/lsb_release rPx -> lsb_release,
 
   /etc/mumble-server.ini r,
 

apparmor.d/profiles-m-r/nvidia-detector

@@ -1,15 +1,16 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}bin/nvidia-detector
+@{exec_path} =  @{bin}/nvidia-detector
 profile nvidia-detector @{exec_path} {
   include <abstractions/base>
 
-  @{exec_path} r,
+  @{exec_path} mr,
 
   include if exists <local/nvidia-detector>
 }

apparmor.d/profiles-m-r/nvidia-persistenced

@@ -1,21 +1,22 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}bin/nvidia-persistenced
+@{exec_path} = @{bin}/nvidia-persistenced
 profile nvidia-persistenced @{exec_path} {
   include <abstractions/base>
-  include <abstractions/nvidia>
   include <abstractions/nameservice-strict>
+  include <abstractions/nvidia>
 
   capability chown,
   capability setgid,
   capability setuid,
 
-  @{exec_path} r,
+  @{exec_path} mr,
 
   /etc/netconfig r,
 

apparmor.d/profiles-m-r/pstree

@@ -1,11 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}bin/pstree
+@{exec_path} = @{bin}/pstree
 profile pstree @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
@@ -18,11 +19,11 @@ profile pstree @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
         @{PROC} r,
-        @{PROC}/uptime r,
+        @{PROC}/@{pids}/attr/current r,
         @{PROC}/@{pids}/stat r,
         @{PROC}/@{pids}/task/ r,
-        @{PROC}/@{pids}/attr/current r,
         @{PROC}/@{pids}/task/@{tid}/stat r,
+        @{PROC}/uptime r,
   owner @{PROC}/@{pid}/cmdline r,
 
   include if exists <local/pstree>

apparmor.d/profiles-m-r/remmina

@@ -1,24 +1,26 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}bin/remmina
+@{exec_path} = @{bin}/remmina
 profile remmina @{exec_path} {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
-  include <abstractions/ibus>
+  include <abstractions/dbus-accessibility-strict>
+  include <abstractions/dbus-gtk>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-strict>
   include <abstractions/dconf-write>
   include <abstractions/fonts>
-  include <abstractions/ssl_certs>
-  include <abstractions/openssl>
   include <abstractions/freedesktop.org>
-  include <abstractions/dbus-strict>
-  include <abstractions/dbus-session-strict>
-  include <abstractions/dbus-accessibility-strict>
-  include <abstractions/dbus-gtk>
+  include <abstractions/ibus>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+  include <abstractions/ssl_certs>
+  include <abstractions/X-strict>
 
   network inet stream,
   network inet6 stream,
@@ -112,33 +114,27 @@ profile remmina @{exec_path} {
 
   @{exec_path} r,
 
+  /usr/share/remmina/{,**} r,
+  /usr/share/themes/{,**} r,
+
   /etc/timezone r,
   /etc/ssh/ssh_config r,
   /etc/ssh/ssh_config.d/{,*} r,
-  /usr/share/remmina/{,**} r,
+  /etc/gtk-3.0/settings.ini r,
+
+  owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
 
+  owner @{user_cache_dirs}/remmina/{,**} rw,
   owner @{user_config_dirs}/autostart/remmina-applet.desktop r,
-  owner @{user_config_dirs}/gtk-3.0/bookmarks r,
   owner @{user_config_dirs}/freerdp/known_hosts2 rwk,
+  owner @{user_config_dirs}/gtk-3.0/bookmarks r,
   owner @{user_config_dirs}/remmina/{,**} rw,
   owner @{user_share_dirs}/remmina/{,**} rw,
-  owner @{user_cache_dirs}/remmina/{,**} rw,
-  owner @{HOME}/@{XDG_SSH_DIR}/{,*} r,
 
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/mountinfo r,
 
   owner @{run}/user/@{uid}/keyring/ssh rw,
 
-  # gtk-tiny
-  /etc/gtk-3.0/settings.ini r,
-  /usr/share/themes/{,**} r,
-
-  # X-tiny
-  owner @{HOME}/.Xauthority r,
-  owner @{HOME}/.xsession-errors w,
-  unix (send, receive, connect) type=stream peer=(addr="@/tmp/.X11-unix/X[0-9]*", label="{xorg,xkbcomp}"),
-  /etc/X11/{,**} r,
-
   include if exists <local/remmina>
 }

apparmor.d/profiles-m-r/rustdesk

@@ -50,15 +50,15 @@ profile rustdesk @{exec_path} {
 
   @{exec_path} mrix,
 
-  /{,usr/}bin/w        rPx,
-  /{,usr/}bin/ps       rPx,
-  /{,usr/}bin/whoami   rPx,
-  /{,usr/}bin/loginctl rPx,
-  /{,usr/}bin/curl     rix,
-  /{,usr/}bin/ls       rix,
+  @{bin}/w        rPx,
+  @{bin}/ps       rPx,
+  @{bin}/whoami   rPx,
+  @{bin}/loginctl rPx,
+  @{bin}/curl     rix,
+  @{bin}/ls       rix,
 
-  /{,usr/}bin/python3.[0-9]* rPx -> rustdesk_python,
-  /{,usr/}bin/{,ba,da}sh     rPx -> rustdesk_shell,
+  @{bin}/python3.[0-9]* rPx -> rustdesk_python,
+  @{bin}/{,ba,da}sh     rPx -> rustdesk_shell,
 
   /etc/gdm{,3}/custom.conf r,
 
@@ -122,8 +122,8 @@ profile rustdesk @{exec_path} {
 #  deny /etc/passwd r,
 
   # It's possible to disable root-based service ('systemctl disable rustdesk.service') and use RD only on-demand (or as client-only). After that, sudo isn't necessary.
-#  deny /{,usr/}bin/sudo   x,
-  /{,usr/}bin/sudo rCx -> sudo,
+#  deny @{bin}/sudo   x,
+  @{bin}/sudo rCx -> sudo,
   profile sudo {
     include <abstractions/base>
     include <abstractions/nameservice-strict>
@@ -138,7 +138,7 @@ profile rustdesk @{exec_path} {
 
     network netlink raw,
 
-    /{,usr/}bin/sudo r,
+    @{bin}/sudo r,
 
     /etc/sudo.conf r,
     /etc/sudoers r,
@@ -161,7 +161,7 @@ profile rustdesk @{exec_path} {
     owner @{PROC}/@{pid}/fd/ r,
 
     /{,usr/}{,local/}bin/rustdesk rPx,
-    /{,usr/}bin/python3.[0-9]*    rPx -> rustdesk_python,
+    @{bin}/python3.[0-9]*    rPx -> rustdesk_python,
 
     include if exists <local/rustdesk_sudo>
   }
@@ -185,11 +185,11 @@ profile rustdesk_python {
   capability dac_read_search,
   capability dac_override,
 
-  /{,usr/}bin/python3.[0-9]* r,
+  @{bin}/python3.[0-9]* r,
 
-  /{,usr/}bin/{,ba,da}sh rix,
-  /{,usr/}bin/chmod rix,
-  /{,usr/}bin/uname rPx,
+  @{bin}/{,ba,da}sh rix,
+  @{bin}/chmod rix,
+  @{bin}/uname rPx,
   /usr/share/rustdesk/files/pynput_service.py rPx,
 
   /usr/local/lib/python3.[0-9]*/dist-packages/pynput/{,**} r,
@@ -218,16 +218,16 @@ profile rustdesk_shell {
 
   ptrace (read),
 
-  /{,usr/}bin/{,ba,da}sh r,
+  @{bin}/{,ba,da}sh r,
 
-  /{,usr/}bin/tr       rix,
-  /{,usr/}bin/{,e}grep rix,
-  /{,usr/}bin/tail     rix,
-  /{,usr/}bin/xargs    rix,
-  /{,usr/}bin/sed      rix,
-  /{,usr/}bin/cat      rix,
+  @{bin}/tr       rix,
+  @{bin}/{,e}grep rix,
+  @{bin}/tail     rix,
+  @{bin}/xargs    rix,
+  @{bin}/sed      rix,
+  @{bin}/cat      rix,
 
-  /{,usr/}bin/ps rPx,
+  @{bin}/ps rPx,
 
   owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pid}/environ r,

apparmor.d/profiles-s-z/ss

@@ -1,11 +1,12 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /{,usr/}bin/ss
+@{exec_path} = @{bin}/ss
 profile ss @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>