diff --git a/debian/README.Debian b/debian/README.Debian
index 2a5c5ebb57cead5f22f0d2417766b89a771696ce..e1ff2a88785eb46cb024c17ae14bafe29a3e1f53 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -2,12 +2,12 @@ Included profiles
 =================
 - apt-cacher-ng: taken from the apparmor-profiles repository at commit 9d7bd63.
-- GStreamer abstraction, gst_plugin_scanner named profile: taken from
- the apparmor-profiles repository at commit 5ba92ee.
+- GStreamer abstraction: taken from the apparmor-profiles repository
+ at commit 835edc5.
 - irssi: taken from the apparmor-profiles repository at commit 5ba92ee.
-- Pidgin: taken from the apparmor-profiles repository at commit 6ae555e
+- Pidgin: taken from the apparmor-profiles repository at commit 835edc5
 with apparmor/apparmor-profiles!29 applied on top.
-- Totem: taken from the apparmor-profiles repository at commit 6ae555e.
+- Totem: taken from the apparmor-profiles repository at commit 835edc5.
 Sources
 =======
@@ -17,4 +17,4 @@ apparmor-profiles repository
 https://gitlab.com/apparmor/apparmor-profiles
- -- intrigeri <intrigeri@debian.org>, Sat, 20 Oct 2018 21:22:11 +0200
+ -- intrigeri <intrigeri@debian.org>, Sat, 27 Oct 2018 11:47:14 +0200
diff --git a/debian/apparmor-profiles-extra.maintscript b/debian/apparmor-profiles-extra.maintscript
new file mode 100644
index 0000000000000000000000000000000000000000..411c9abec53476e02af05af2559bcc5e761e9ea6
--- /dev/null
+++ b/debian/apparmor-profiles-extra.maintscript
@@ -0,0 +1 @@
+rm_conffile /etc/apparmor.d/gst_plugin_scanner 1.22~
diff --git a/debian/control b/debian/control
index d9db7895806940875cbf1dc8ea0ec1a49480c0e8..7a7a7446b1bdf0c2d9384ca4bb431d19586d06ef 100644
--- a/debian/control
+++ b/debian/control
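Review bot: `rm_conffile /etc/apparmor.d/gst_plugin_scanner 1.22~` only fires when the version being upgraded from is lower than the one given, so `1.22~` has to be the first version that stops shipping the file; debian/changelog is not part of this diff, so I cannot confirm that 1.22 is this upload's version and the value should be checked against it. Removing the conffile also does not unload a `gst_plugin_scanner` profile that is already compiled into the running kernel policy, so as far as I can tell it stays loaded until reboot or a manual `apparmor_parser -R`; that is harmless once nothing transitions to it any more, but it is worth one sentence in the changelog entry for this change.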
@@ -5,7 +5,7 @@ Section: admin
 Priority: optional
 Build-Depends: debhelper (>= 11),
 dh-apparmor,
- apparmor (>= 2.9.0)
+ apparmor (>= 2.13.1-1~)
 Standards-Version: 4.2.1
 Vcs-Browser: https://salsa.debian.org/apparmor-team/apparmor-profiles-extra
 Vcs-Git: https://salsa.debian.org/apparmor-team/apparmor-profiles-extra.git
@@ -14,7 +14,9 @@ Homepage: https://wiki.debian.org/AppArmor
 Package: apparmor-profiles-extra
 Architecture: all
 Depends: ${misc:Depends},
- apparmor (>= 2.9.0)
+ apparmor (>= 2.13.1-1~)
+Breaks: surf (<< 2.0+git20180223-1.),
+ surf-apparmor (<< 2.0+git20180223-1.)
 Description: Extra profiles for AppArmor Security policies
 This package provides various AppArmor profiles that are not shipped in the upstream AppArmor releases.
diff --git a/debian/copyright b/debian/copyright
index ab121890c9f1404041ad13ba9f6d4f88db6a0af4..3e4bf6a2a74cc29de0c35cfd4b66a306ca326554 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -5,7 +5,7 @@ Files: debian/*
 Copyright: 2014-2017 Debian AppArmor Team <pkg-apparmor-team@lists.alioth.debian.org>
 License: GPL-2+
-Files: profiles/abstractions/gstreamer profiles/gst_plugin_scanner
+Files: profiles/abstractions/gstreamer
 Copyright: 2008-2016 AppArmor developers <apparmor@lists.ubuntu.com>
 License: GPL-2+
diff --git a/profiles/abstractions/gstreamer b/profiles/abstractions/gstreamer
index 893e672ef0d5f735b303d0fd13af3391a080fa70..00f1ac81d1880ce970f551d46c1740b913606078 100644
--- a/profiles/abstractions/gstreamer
+++ b/profiles/abstractions/gstreamer
@@ -1,9 +1,17 @@
 # vim:syntax=apparmor
+
 #include <abstractions/base>
 #include <abstractions/p11-kit>
+ #include <abstractions/X>
+
+ # TODO: adjust when support finer-grained netlink rules
+ network netlink raw,
 /etc/udev/udev.conf r,
+ /etc/wildmidi/wildmidi.cfg r,
+ /dev/ r,
+ /dev/bus/usb/ r,
 /dev/dri/ r,
 # /dev/shm is a symlink to /run/shm on ubuntu
@@ -13,6 +21,10 @@
 /run/udev/data/+pci:* r,
 /run/udev/data/+usb* r,
+ /sys/bus/ r,
+ /sys/bus/usb/devices/ r,
+ /sys/class/ r,
+ /sys/class/drm/ r,
 /sys/devices/pci[0-9]*/**/{busnum,config,devnum,descriptors,speed,uevent} r,
 /sys/devices/system/node/ r,
 /sys/devices/system/node/*/meminfo r,
@@ -21,3 +33,13 @@
 owner /{,var/}run/user/[0-9]*/orcexec.* mrw,
 # needed if /tmp is mounted noexec:
 owner @{HOME}/orcexec.* mr,
+
+ /usr/lib/frei0r-[0-9]/*.so m,
+ # /usr/lib/@{multiarch}/dri/** mr,
+ /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner mrix,
+ /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
+ /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
+
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/ rw,
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
+ owner @{HOME}/{.cache/,.}gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
diff --git a/profiles/abstractions/totem b/profiles/abstractions/totem
index 79b57f9f34ef2f72d9cfbf84cc5333b95c9b9aa2..111bee789f7e5e0ebb11a9e66884087dce0cda40 100644
--- a/profiles/abstractions/totem
+++ b/profiles/abstractions/totem
@@ -28,11 +28,6 @@
 /usr/share/** r,
 /{media,mnt,opt,srv}/** r,
- /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Px -> gst_plugin_scanner,
-
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
 owner @{HOME}/.cache/mesa/** rwk,
 owner @{HOME}/.cache/thumbnails/** rw,
 owner @{HOME}/.cache/totem/ rw,
diff --git a/profiles/gst_plugin_scanner b/profiles/gst_plugin_scanner
deleted file mode 100644
index bea6c32e25e20c1e015099e2cfcc646c5e4b74ca..0000000000000000000000000000000000000000
--- a/profiles/gst_plugin_scanner
+++ /dev/null
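Review bot: The `mrix` on the gst-plugin-scanner rule replaces the `Px -> gst_plugin_scanner` and `Pix -> gst_plugin_scanner` transitions removed from abstractions/totem and usr.bin.pidgin, so the scanner and every plugin it maps now run under the including application's profile instead of a dedicated one, and the rules that used to be confined to that profile (`network netlink raw`, `/dev/ r`, `/dev/bus/usb/ r` in the first hunk of this file, the /sys reads in the second) are now granted to every profile that includes this abstraction. That is the trade-off upstream 835edc5 makes and I am not asking to revert it, but nothing in the abstraction records it; I would put `# gst-plugin-scanner runs inherited (ix): it and the plugins it loads get the including profile's rules, presumably why the former gst_plugin_scanner rules now live here` above the rule. The commented-out `# /usr/lib/@{multiarch}/dri/** mr,` is carried over verbatim from the deleted profile as dead policy text; either drop it or note which abstraction (usr.bin.totem now includes abstractions/mesa) is expected to supply those mappings.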
@@ -1,27 +0,0 @@
-# vim:syntax=apparmor
-
-#include <tunables/global>
-
-profile gst_plugin_scanner {
- #include <abstractions/base>
- #include <abstractions/gstreamer>
- #include <abstractions/X>
-
- # TODO: adjust when support finer-grained netlink rules
- network netlink raw,
-
- /dev/ r,
- /dev/bus/usb/ r,
-
- /sys/bus/ r,
- /sys/bus/usb/devices/ r,
- /sys/class/ r,
-
- /etc/wildmidi/wildmidi.cfg r,
-
- /usr/lib/frei0r-[0-9]/*.so m,
- # /usr/lib/@{multiarch}/dri/** mr,
- /usr/lib/@{multiarch}/gstreamer[0-9].[0-9]/gstreamer-[0-9].[0-9]/gst-plugin-scanner mr,
- /usr/lib/@{multiarch}/libproxy/*/modules/*.so mr,
- /usr/lib/@{multiarch}/libvisual-[0-9].[0-9]/*/*.so m,
-}
diff --git a/profiles/usr.bin.pidgin b/profiles/usr.bin.pidgin
index 5e00e965837922064d078a4c19cf02722dee6536..c3ce8e1430f397bc8f8fb5d8a209fb77217114f4 100644
--- a/profiles/usr.bin.pidgin
+++ b/profiles/usr.bin.pidgin
@@ -38,12 +38,6 @@
 deny capability sys_ptrace,
 deny @{HOME}/.local/share/applications/wine/ r,
- owner @{HOME}/.gstreamer*/ rw,
- owner @{HOME}/.gstreamer*/** rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/ rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin rw,
- owner @{HOME}/.cache/gstreamer-[0-9]*.[0-9]*/registry.*.bin.tmp* rw,
- /usr/lib/@{multiarch}/gstreamer[0-9]*.[0-9]*/gstreamer-[0-9]*.[0-9]*/gst-plugin-scanner Pix -> gst_plugin_scanner,
 owner @{HOME}/.purple/ rw,
 owner @{HOME}/.purple/** rwk,
 owner @{HOME}/.purple/plugins/*.so m,
diff --git a/profiles/usr.bin.totem b/profiles/usr.bin.totem
index f94049f730340b6a06d2288ad4adf23ab8190ad6..f6091d8fff878cfa0884031e0f45d4aa4cf28d24 100644
--- a/profiles/usr.bin.totem
+++ b/profiles/usr.bin.totem
@@ -7,6 +7,7 @@
 #include <abstractions/audio>
 #include <abstractions/dconf>
 #include <abstractions/ibus>
+ #include <abstractions/mesa>
 #include <abstractions/nvidia>
 #include <abstractions/python>
 #include <abstractions/totem>
diff --git a/profiles/usr.bin.totem-previewers b/profiles/usr.bin.totem-previewers
index b08af56f7466152308d37fe457e7f173e5194965..80a42e9d14bd6918c9e752669bcb84bb34d45810 100644
--- a/profiles/usr.bin.totem-previewers
+++ b/profiles/usr.bin.totem-previewers
@@ -6,6 +6,10 @@
 /usr/bin/totem-video-thumbnailer {
 #include <abstractions/totem>
+ # Probably needed due to this program being run with bwrap
+ @{HOMEDIRS} w,
+ owner @{HOME}/ w,
+
 # Allow read on almost anything in @{HOME}. Lenient, but private-files-strict is in
 # effect.
 #include <abstractions/private-files-strict>
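Review bot: `@{HOMEDIRS} w,` gives the thumbnailer write access to the home-directory parents (the /home/ directory itself, not just the user's own home), and the comment above it only says this is "Probably" needed for bwrap, so the rule is broader than the evidence written next to it supports. DAC normally keeps an unprivileged user from writing to /home/ on the host, but inside a bwrap mount namespace those paths may be user-writable mounts, so the grant can be effective there and the denial that motivated it belongs with the rule. I would replace the comment with `# bwrap sets up the sandbox's home mount points; observed denial: <AUDIT_LINE_PLACEHOLDER>` and, if the recorded denial only ever names `@{HOME}/`, drop the `@{HOMEDIRS} w,` line. The enclosing `/usr/bin/totem-video-thumbnailer {` block continues outside the hunk.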