feat(profile): minor improvements.

apparmor.d/groups/apt/apt

@@ -177,7 +177,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
     @{bin}/                      r,
     @{sh_path}                   rix,
     @{pager_path}               rmix,
-    @{bin}/which{,.debianutils}  rix,
+    @{bin}/which                 rix,
 
     /root/ r,  # For shell pwd
 

apparmor.d/groups/apt/apt-systemd-daily

@@ -37,7 +37,7 @@ profile apt-systemd-daily @{exec_path} {
   @{bin}/touch      rix,
   @{bin}/uniq       rix,
   @{bin}/wc         rix,
-  @{bin}/which{,.debianutils}      rix,
+  @{bin}/which      rix,
   @{bin}/xargs      rix,
 
   @{bin}/apt-config         rPx,

apparmor.d/groups/apt/aptitude-create-state-bundle

@@ -16,7 +16,7 @@ profile aptitude-create-state-bundle @{exec_path} {
   @{exec_path} r,
   @{sh_path}        rix,
 
-  @{bin}/which{,.debianutils}      rix,
+  @{bin}/which      rix,
   @{bin}/tar        rix,
   @{bin}/bzip2      rix,
   @{bin}/gzip       rix,

apparmor.d/groups/apt/unattended-upgrade

@@ -10,13 +10,14 @@ include <tunables/global>
 @{exec_path} = @{bin}/unattended-upgrade
 profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/common/apt>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
   include <abstractions/bus/org.freedesktop.PackageKit>
+  include <abstractions/common/apt>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
+  include <abstractions/perl>
   include <abstractions/python>
 
   capability chown,
@@ -65,7 +66,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 
   @{etc_ro}/login.defs r,
   @{etc_ro}/security/capability.conf r,
-  /etc/apport/report-ignore/ r,
+  /etc/apport/report-ignore/{,**} r,
   /etc/apt/*.list r,
   /etc/apt/apt.conf.d/{,**} r,
   /etc/debian_version r,
@@ -89,8 +90,10 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /etc/vmware-tools/* r,
 
   /var/log/unattended-upgrades/{,**} rw,
+  /var/crash/*.crash w,
 
   /var/lib/apt/periodic/unattended-upgrades-stamp w,
+  /var/lib/dpkg/info/ r,
   /var/lib/dpkg/lock rwk,
   /var/lib/dpkg/lock-frontend rwk,
   /var/lib/dpkg/updates/ r,

apparmor.d/groups/grub/update-grub

@@ -14,8 +14,9 @@ profile update-grub @{exec_path} {
   capability dac_read_search,
 
   @{exec_path} mr,
-  @{sh_path}        rix,
-  @{sbin}/grub-mkconfig rPx,
+
+  @{sh_path}             rix,
+  @{sbin}/grub-mkconfig  rPx,
 
   /dev/tty@{int} rw,
 

apparmor.d/profiles-a-f/acpi

@@ -19,7 +19,6 @@ profile acpi @{exec_path} flags=(complain) {
   @{sys}/devices/**/power_supply/{,**} r,
   @{sys}/devices/virtual/thermal/{,**} r,
 
-
   include if exists <local/acpi>
 }
 

apparmor.d/profiles-a-f/evince

@@ -44,13 +44,14 @@ profile evince @{exec_path} {
   /usr/share/poppler/{,**} r,
   /usr/share/thumbnailers/{,*} r,
 
-  owner @{user_share_dirs}/ r,
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   owner @{user_config_dirs}/evince/{,*} rw,
 
+  owner @{tmp}/.goutputstream-@{rand6} rw,
   owner @{tmp}/*.pdf r,
   owner @{tmp}/evince-@{int}/{,**} rw,
-  owner @{tmp}/gtkprint* rw,
+  owner @{tmp}/gtkprint_@{rand6} rw,
+  owner @{tmp}/gtkprint@{rand6} rw,
 
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,

apparmor.d/profiles-g-l/kmod

@@ -28,7 +28,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
   @{bin}/basename    rix,
   @{bin}/false       rix,
   @{bin}/id          rix,
-  @{sbin}/sysctl     rPx,
+  @{sbin}/sysctl     rCx -> sysctl,
   @{bin}/true        rix,
 
   @{lib}/modprobe.d/{,*.conf} r,
@@ -74,6 +74,18 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
   deny @{user_share_dirs}/gvfs-metadata/* r,
   deny unix (receive) type=stream,
 
+  profile sysctl {
+    include <abstractions/base>
+
+    @{sbin}/sysctl mr,
+
+    /etc/sysctl.conf r,
+    /etc/sysctl.d/{,**} r,
+    /usr/lib/sysctl.d/{,**} r,
+
+    include if exists <local/kmod_sysctl>
+  }
+
   include if exists <local/kmod>
 }
 

apparmor.d/profiles-m-r/mkinitramfs

@@ -96,6 +96,12 @@ profile mkinitramfs @{exec_path} {
   owner /var/tmp/mkinitramfs-@{rand6} rw,
   owner /var/tmp/mkinitramfs-*_@{rand6} rw,
 
+  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
+  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
+  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
+  owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
+  owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+
   @{sys}/devices/platform/ r,
   @{sys}/devices/platform/**/ r,
   @{sys}/devices/platform/**/modalias r,

apparmor.d/profiles-s-z/spice-vdagent

@@ -47,6 +47,8 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 
   owner @{PROC}/@{pids}/task/@{tid}/comm rw,
 
+  /dev/udmabuf rw,
+
   include if exists <local/spice-vdagent>
 }