feat(profiles): general update.

apparmor.d/groups/apt/apt

@@ -30,8 +30,11 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}bin/test       rix,
   /{usr/,}bin/{,e}grep   rix,
+  /{usr/,}bin/echo       rix,
+  /{usr/,}bin/gdbus      rix,
+  /{usr/,}bin/test       rix,
+  /{usr/,}bin/touch      rix,
 
   /{usr/,}{s,}bin/dpkg-preconfigure           rPx,
   /{usr/,}{s,}bin/localepurge                 rPx,

apparmor.d/groups/apt/apt-systemd-daily

@@ -27,6 +27,7 @@ profile apt-systemd-daily @{exec_path} {
   /{usr/,}bin/flock      rix,
   /{usr/,}bin/grep       rix,
   /{usr/,}bin/gzip       rix,
+  /{usr/,}bin/ls         rix,
   /{usr/,}bin/mv         rix,
   /{usr/,}bin/rm         rix,
   /{usr/,}bin/savelog    rix,

apparmor.d/groups/browsers/firefox

@@ -118,6 +118,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   owner @{MOZ_HOMEDIR}/native-messaging-hosts/org.keepassxc.keepassxc_browser.json r,
 
   owner @{user_config_dirs}/ r,
+  owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]*} r,
   owner @{user_config_dirs}/mimeapps.list{,.*} rw,
 
   owner @{user_cache_dirs}/ rw,

apparmor.d/groups/browsers/firefox-pingsender

@@ -20,7 +20,9 @@ profile firefox-pingsender @{exec_path} {
 
   owner @{HOME}/.mozilla/firefox/*.*/saved-telemetry-pings/@{uuid} rw,
 
-  # file_inherit
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/task/@{tid}/stat r,
+
   owner /dev/tty[0-9]* rw,
 
   include if exists <local/firefox-pingsender>

apparmor.d/groups/bus/ibus-engine-simple

@@ -15,6 +15,7 @@ profile ibus-engine-simple @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
   owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,

apparmor.d/groups/bus/ibus-extension-gtk3

@@ -32,6 +32,7 @@ profile ibus-extension-gtk3 @{exec_path} {
   /usr/share/icons/{,**} r,
   /usr/share/X11/xkb/** r,
 
+  /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
   owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,

apparmor.d/groups/bus/ibus-portal

@@ -20,6 +20,8 @@ profile ibus-portal @{exec_path} flags=(attach_disconnected) {
 
   /usr/share/locale/locale.alias r,
 
+  /etc/machine-id r,
+
   /var/lib/dbus/machine-id r,
   /var/lib/gdm/.config/ibus/bus/ r,
   /var/lib/gdm/.config/ibus/bus/[0-9a-f]*-unix-{,wayland-}[0-9] r,

apparmor.d/groups/bus/ibus-x11

@@ -20,6 +20,7 @@ profile ibus-x11 @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
   owner @{user_config_dirs}/ibus/bus/{,[0-9a-f]*-unix-wayland-[0-9]} r,

apparmor.d/groups/freedesktop/fc-list

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -12,7 +13,7 @@ profile fc-list @{exec_path} {
   include <abstractions/fonts>
   include <abstractions/fontconfig-cache-read>
 
-  /{usr/,}bin/fc-list mr,
+  @{exec_path} mr,
 
   include if exists <local/fc-list>
 }

apparmor.d/groups/freedesktop/xrdb

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2019-2022 Mikhail Morfikov
+# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -32,6 +33,8 @@ profile xrdb @{exec_path} {
   owner /tmp/xauth-[0-9]*-_[0-9] r,
   owner /tmp/kcminit.* r,
 
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.* r,
+
   # file_inherit
   owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,

apparmor.d/groups/freedesktop/xwayland

@@ -25,6 +25,7 @@ profile xwayland @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/xkbcomp    rPx,
 
   /usr/share/egl/{,**} r,
+  /usr/share/fonts/X11/{,**} r,
   /usr/share/X11/xkb/rules/evdev r,
 
   owner /tmp/server-[0-9]*.xkm rwk,

apparmor.d/groups/gnome/gjs-console

@@ -16,6 +16,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
   include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
   include <abstractions/opencl-nvidia>
   include <abstractions/openssl>
   include <abstractions/vulkan>

apparmor.d/groups/gnome/gnome-calendar

@@ -11,6 +11,7 @@ profile gnome-calendar @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf>
   include <abstractions/gnome>
+  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/opencl>
   include <abstractions/openssl>

apparmor.d/groups/gnome/gnome-control-center

@@ -40,8 +40,8 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/locale     rix,
   /{usr/,}bin/openvpn    rPx,
   /{usr/,}bin/passwd     rPx,
-  /{usr/,}lib/gnome-control-center-goa-helper         rPx,
-  /{usr/,}lib/gnome-control-center-print-renderer     rPx,
+  @{libexec}/gnome-control-center-goa-helper          rPx,
+  @{libexec}/gnome-control-center-print-renderer      rPx,
   /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
 
   /usr/share/backgrounds/gnome/* r,

apparmor.d/groups/gnome/gnome-control-center-print-renderer

@@ -15,6 +15,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
   include <abstractions/fonts>
   include <abstractions/gtk>
   include <abstractions/mesa>
+  include <abstractions/nameservice-strict>
   include <abstractions/opencl-nvidia>
   include <abstractions/vulkan>
 

apparmor.d/groups/gnome/gnome-music

@@ -56,7 +56,5 @@ profile gnome-music @{exec_path} {
 
   owner @{PROC}/@{pid}/mounts r,
 
-  /dev/shm/ r,
-
   include if exists <local/gnome-music>
 }