feat(profile): general minor update.

apparmor.d/groups/firewall/firewalld

@@ -33,6 +33,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
   @{python_path} r,
 
   @{bin}/ r,
+  @{sbin}/ r,
   @{bin}/alts                     rix,
   @{sbin}/ebtables-legacy         rix,
   @{sbin}/ebtables-legacy-restore rix,

apparmor.d/groups/freedesktop/wireplumber

@@ -50,6 +50,7 @@ profile wireplumber @{exec_path} {
   owner @{user_config_dirs}/wireplumber/{,**} r,
 
   owner @{run}/user/@{uid}/pipewire-@{int} rw,
+  owner @{run}/user/@{uid}/pipewire-@{int}-manager rw,
 
         /dev/shm/lttng-ust-wait-@{int} r,
   owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk

@@ -61,7 +61,9 @@ profile xdg-desktop-portal-gtk @{exec_path} flags=(attach_disconnected) {
 
   owner /var/lib/xkb/server-@{int}.xkm rw,
 
+  owner @{gdm_cache_dirs}/fontconfig/@{hex32}-le{32,64}{,d4}.cache-@{d} r,
   owner @{gdm_config_dirs}/dconf/user r,
+  owner /var/lib/gdm3/greeter-dconf-defaults r,
 
   owner @{tmp}/runtime-*/xauth_@{rand6} r,
 

apparmor.d/groups/gnome/gnome-desktop-thumbnailers

@@ -27,6 +27,9 @@ profile gnome-desktop-thumbnailers flags=(attach_disconnected) {
   owner @{tmp}/gnome-desktop-thumbnailer.png w,
   owner @{tmp}/gsf-thumbnailer-@{rand6} rw,
 
+  owner /dev/shm/lttng-ust-wait-@{int}-@{uid} rw,
+  owner /dev/shm/lttng-ust-wait-@{int} rw,
+
   include if exists <local/gnome-desktop-thumbnailers>
 }
 

apparmor.d/groups/gnome/gsd-sound

@@ -16,7 +16,7 @@ profile gsd-sound @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
 
-  signal (receive) set=(term, hup) peer=gdm*,
+  signal receive set=(term, hup) peer=gdm*,
 
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.Sound
 

apparmor.d/groups/gvfs/gvfsd-computer

@@ -13,6 +13,7 @@ profile gvfsd-computer @{exec_path} {
   include <abstractions/bus-session>
 
   #aa:dbus own bus=session name=org.gtk.vfs.mountpoint_@{int}
+  #aa:dbus talk bus=session name=org.gtk.Private.RemoteVolumeMonitor label=gvfs-afc-volume-monitor
 
   @{exec_path} mr,
 

apparmor.d/groups/polkit/pkexec

@@ -21,6 +21,7 @@ profile pkexec @{exec_path} {
   @{exec_path} mr,
 
   @{bin}/*       PUx,
+  @{sbin}/*      PUx,
   @{lib}/**      PUx,
   /opt/*/**      PUx,
   /usr/share/**  PUx,

apparmor.d/groups/polkit/polkitd

@@ -20,7 +20,7 @@ profile polkitd @{exec_path} flags=(attach_disconnected) {
   capability sys_ptrace,
   audit capability net_admin,
 
-  ptrace (read),
+  ptrace read,
 
   #aa:dbus own bus=system name=org.freedesktop.PolicyKit1
 

apparmor.d/groups/snap/snapd

@@ -150,6 +150,7 @@ profile snapd @{exec_path} {
   @{run}/user/@{uid}/snapd-session-agent.socket rw,
   @{run}/user/snap.*/{,**} rw,
 
+  @{run}/mount/utab.act rk,
   @{run}/snapd*.socket rw,
   @{run}/snapd/{,**} rw,
   @{run}/snapd/lock/*.lock rwk,

apparmor.d/groups/utils/uuidd

@@ -16,6 +16,7 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   owner /var/lib/libuuid/clock.txt rwk,
+  owner /var/lib/libuuid/clock-cont.txt rwk,
 
   @{run}/uuidd/request rw,
   @{att}/@{run}/uuidd/request rw,

apparmor.d/groups/utils/whereis

@@ -15,6 +15,7 @@ profile whereis @{exec_path} {
   @{exec_path} mr,
 
   @{bin}/{,*/} r,
+  @{sbin}/{,*/} r,
   @{lib}/ r,
   @{lib}/go-*/bin/ r,
   /usr/{local/,}games/ r,

apparmor.d/profiles-a-f/finalrd

@@ -42,8 +42,9 @@ profile finalrd @{exec_path} {
   @{lib}/systemd/systemd-shutdown    rPx,
   /usr/share/finalrd/*.finalrd       rix,
 
-  @{lib}/{,*} r,
   @{bin}/{,*} r,
+  @{lib}/{,*} r,
+  @{sbin}/{,*} r,
 
   /usr/share/finalrd/{,**} r,
   /usr/share/initramfs-tools/hook-functions r,
@@ -54,10 +55,11 @@ profile finalrd @{exec_path} {
 
   / r,
 
-  @{run}/initramfs/{,**} rw,
   @{run}/ r,
-  @{run}/mount/ r,
   @{run}/finalrd-libs.conf rw,
+  @{run}/initramfs/{,**} rw,
+  @{run}/mount/ r,
+  @{run}/mount/utab r,
 
   @{PROC}/@{pid}/mountinfo r,
 
@@ -66,6 +68,7 @@ profile finalrd @{exec_path} {
     include <abstractions/nameservice-strict>
 
     @{bin}/* mr,
+    @{sbin}/* mr,
     @{lib}/@{multiarch}/ld-linux-*so* mrix,
 
     include if exists <local/finalrd_ldd>

apparmor.d/profiles-g-l/gtk-query-immodules

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0
+@{exec_path} = @{bin}/gtk-query-immodules-{2,3}.0 @{lib}/@{multiarch}/libgtk-*/gtk-query-immodules-*
 profile gtk-query-immodules @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-g-l/kerneloops-applet

@@ -10,8 +10,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/kerneloops-applet
 profile kerneloops-applet @{exec_path} {
   include <abstractions/base>
-  include <abstractions/fontconfig-cache-read>
+  include <abstractions/bus-accessibility>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
+  include <abstractions/bus/org.a11y>
   include <abstractions/desktop>
+  include <abstractions/fontconfig-cache-read>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/needrestart-iucode-scan-versions

@@ -21,6 +21,7 @@ profile needrestart-iucode-scan-versions @{exec_path} {
   /usr/share/misc/ r,
   /usr/share/misc/intel-microcode* r,
 
+  /etc/default/amd64-microcode r,
   /etc/default/intel-microcode r,
   /etc/needrestart/iucode.sh r,
 

apparmor.d/profiles-m-r/power-profiles-daemon

@@ -12,6 +12,7 @@ profile power-profiles-daemon @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.login1>
   include <abstractions/bus/org.freedesktop.PolicyKit1>
+  include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/nameservice-strict>
 
   capability dac_read_search,

apparmor.d/profiles-s-z/wpa-supplicant

@@ -42,6 +42,7 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
   @{user_config_dirs}/cat_installer/*.pem r,
 
   owner @{run}/wpa_supplicant/{,**} rw,
+  owner @{run}/netplan/* r,
 
   @{sys}/devices/@{pci}/ieee*/phy@{int}/name r,