feat: update profiles.

apparmor.d/groups/gnome/gnome-control-center

@@ -95,11 +95,12 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/ r,
   @{sys}/class/input/ r,
   @{sys}/devices/**/{name,vendor,product,uevent} r,
-  @{sys}/devices/platform/**/uevent r,
-  @{sys}/devices/virtual/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/drm/ r,
   @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
   @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
+  @{sys}/devices/pci[0-9]*/**/revision r,
+  @{sys}/devices/platform/**/uevent r,
+  @{sys}/devices/virtual/**/uevent r,
   @{sys}/devices/virtual/dmi/id/chassis_type r,
   @{sys}/devices/virtual/thermal/thermal_zone[0-9]/hwmon[0-9]/temp* r,
 

apparmor.d/groups/gnome/gnome-control-center-print-renderer

@@ -40,6 +40,7 @@ profile gnome-control-center-print-renderer @{exec_path} {
   @{sys}/devices/pci[0-9]*/**/drm/ r,
   @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/**/id r,
   @{sys}/devices/pci[0-9]*/**/drm/card[0-9]*/gt_*_mhz r,
+  @{sys}/devices/pci[0-9]*/**/revision r,
 
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,

apparmor.d/groups/gnome/gnome-terminal-server

@@ -19,7 +19,8 @@ profile gnome-terminal-server @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/{,z,ba,da}sh rux,
+  # The shell is not confined on purpose.
+  /{usr/,}bin/{,z,ba,da}sh rUx,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/X11/xkb/{,**} r,

apparmor.d/groups/gnome/nautilus

@@ -35,12 +35,11 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   owner /tmp/{,**} rw,
 
   # Silence non user's data
-  deny owner @{HOME}/@{XDG_VM_DIR}/{,**} rw,
-  deny /boot rw,
-  deny /opt rw,
-  deny /root rw,
+  deny /boot/{,**} r,
+  deny /opt/{,**} r,
+  deny /root/{,**} r,
   deny /tmp/.* rw,
-  deny /tmp/.*/ rw,
+  deny /tmp/.*/{,**} rw,
 
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,