feat(profile): general update.

apparmor.d/profiles-a-f/borg

@@ -16,8 +16,6 @@ profile borg @{exec_path} {
 
   capability dac_override,
   capability dac_read_search,
-  capability fowner,
-  capability sys_admin,
 
   network inet dgram,
   network inet6 dgram,
@@ -77,6 +75,7 @@ profile borg @{exec_path} {
   owner /var/tmp/tmp*/idx rw,
 
   owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/stat r,
 
   /dev/fuse rw,
 
@@ -103,8 +102,8 @@ profile borg @{exec_path} {
 
     capability sys_admin,
 
-    mount fstype=fuse borgfs -> @{MOUNTS}/,
-    mount fstype=fuse borgfs -> @{MOUNTS}/*/,
+    mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/,
+    mount fstype=fuse options=(ro nosuid nodev) borgfs -> @{MOUNTS}/*/,
 
     umount @{MOUNTS}/,
     umount @{MOUNTS}/*/,

apparmor.d/profiles-a-f/flatpak-session-helper

@@ -25,7 +25,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
   @{bin}/flatpak                       rPx,
   @{bin}/ps                            rPx,
   @{bin}/p11-kit                       rix,
-  @{bin}/pkexec                        rPx,
+  @{bin}/pkexec                        rPx, # TODO: too wide, rCx.
   @{lib}/p11-kit/p11-kit-remote        rix,
   @{lib}/p11-kit/p11-kit-server        rix,
   /var/lib/flatpak/app/*/**/@{bin}/**  rPx -> flatpak-app,

apparmor.d/profiles-a-f/fwupdmgr

@@ -61,6 +61,7 @@ profile fwupdmgr @{exec_path} flags=(attach_disconnected,complain) {
 
     owner @{HOME}/.Xauthority r,
 
+    include if exists <local/fwupdmgr_dbus>
   }
 
   include if exists <local/fwupdmgr>