feat(profile): general update.

apparmor.d/groups/gnome/gdm-generate-config

@@ -11,7 +11,10 @@ profile gdm-generate-config @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
+  capability chown,
   capability dac_read_search,
+  capability fowner,
+  capability fsetid,
   capability setgid,
   capability setuid,
 
@@ -29,8 +32,8 @@ profile gdm-generate-config @{exec_path} {
   /usr/share/gdm/{,**} r,
 
   /var/lib/ r,
+  /var/lib/gdm{3,}/ rw,
   /var/lib/gdm{3,}/{,**} r,
-
   /var/lib/gdm{3,}/greeter-dconf-defaults rw,
   /var/lib/gdm{3,}/greeter-dconf-defaults.@{rand6} w,
 

apparmor.d/groups/gnome/gio-launch-desktop

@@ -20,7 +20,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{lib}/gio-launch-desktop rix,
+  @{bin}/gnome-terminal     rPUx,
+  @{lib}/gio-launch-desktop  rix,
 
   owner @{HOME}/{,**} rw,
 

apparmor.d/groups/gnome/gjs-console

@@ -19,6 +19,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.freedesktop.portal.Desktop>
   include <abstractions/bus/org.gnome.Shell.Introspect>
   include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>
@@ -59,7 +60,7 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   /usr/share/gnome-shell/{,**} r,
   /usr/share/icu/@{int}.@{int}/*.dat r,
 
-  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
+  /var/lib/gdm{3,}/.cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rw,
   /var/lib/gdm{3,}/.cache/gstreamer-1.0/ rw,
   /var/lib/gdm{3,}/.cache/gstreamer-1.0/registry.*.bin{,.tmp@{rand6}} rw,
   /var/lib/gdm{3,}/.config/dconf/user r,

apparmor.d/groups/gnome/gnome-calculator-search-provider

@@ -13,6 +13,7 @@ profile gnome-calculator-search-provider @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
 
   signal (send) set=kill peer=unconfined,
 

apparmor.d/groups/gnome/gnome-initial-setup

@@ -12,7 +12,8 @@ profile gnome-initial-setup @{exec_path} {
   include <abstractions/bus-session>
   include <abstractions/dconf-write>
   include <abstractions/gnome-strict>
-  include <abstractions/mesa>
+  include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
 
   network netlink raw,
 
@@ -22,11 +23,19 @@ profile gnome-initial-setup @{exec_path} {
 
   @{bin}/df      rPx,
   @{bin}/dpkg    rPx -> child-dpkg,
+  @{bin}/locale  rix,
   @{bin}/lscpu   rPx,
   @{bin}/lspci   rPx,
   @{bin}/xrandr  rPx,
 
   @{lib}/gnome-initial-setup-goa-helper rix,
 
+  /usr/share/dconf/profile/gdm r,
+
+  /var/lib/gdm{,3}/greeter-dconf-defaults r,
+
+  owner @{user_config_dirs}/ibus/bus/ r,
+  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
+
   include if exists <local/gnome-initial-setup>
 }

apparmor.d/groups/gnome/gnome-music

@@ -28,6 +28,7 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
   @{bin}/ r,
+  @{bin}/env r,
   @{bin}/python3.@{int} rix,
   @{lib}/python3.@{int}/site-packages//gnomemusic/__pycache__/{,**} rw,
 
@@ -44,8 +45,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/grilo-plugins/ rwk,
   owner @{user_share_dirs}/grilo-plugins/*.db{,-shm,-journal,-wal} rwk,
 
-  owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
         @{run}/systemd/inhibit/[0-9]*.ref rw,
+  owner @{run}/user/@{uid}/orcexec.[0-9a-zA-Z]* rw,
 
   owner /tmp/grilo-plugin-cache-[0-9A-Z]*/ rw,
   owner /var/tmp/etilqs_@{hex} rw,

apparmor.d/groups/gnome/gnome-shell

@@ -377,6 +377,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/task/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   /dev/input/event@{int} rw,
   /dev/media@{int} rw,

apparmor.d/groups/gnome/gnome-software

@@ -104,6 +104,7 @@ profile gnome-software @{exec_path} {
         @{PROC}/sys/kernel/random/boot_id r,
         @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,
   owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fdinfo/@{int} r,
   owner @{PROC}/@{pid}/stat r,
 
   /dev/fuse rw,

apparmor.d/groups/gnome/gnome-terminal-server

@@ -60,6 +60,8 @@ profile gnome-terminal-server @{exec_path} {
   owner @{user_cache_dirs}/event-sound-cache.tdb.@{md5}.@{multiarch} rwk,
 
   owner @{user_config_dirs}/*xdg-terminals.list* rw,
+  owner @{user_config_dirs}/ibus/bus/ r,
+  owner @{user_config_dirs}/ibus/bus/@{md5}-unix-{,wayland-}@{int} r,
   owner @{user_config_dirs}/pulse/cookie rk,
 
   owner @{run}/user/@{uid}/pulse/ r,

apparmor.d/groups/gnome/goa-daemon

@@ -40,6 +40,9 @@ profile goa-daemon @{exec_path} {
 
   /var/lib/gdm{3,}/.config/dconf/user r,
 
+  owner /var/lib/gdm{3,}/.config/ w,
+  owner /var/lib/gdm{3,}/.config/goa-1.0/ w,
+
   owner @{user_config_dirs}/goa-1.0/ rw,
   owner @{user_config_dirs}/goa-1.0/accounts.conf* rw,
 

apparmor.d/groups/gnome/tracker-extract

@@ -16,6 +16,7 @@ profile tracker-extract @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dconf-write>
   include <abstractions/deny-sensitive-home>
   include <abstractions/disks-read>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/gstreamer>