update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>

apparmor.d/profiles-a-f/appstreamcli

@@ -35,12 +35,17 @@ profile appstreamcli @{exec_path} flags=(complain) {
   
   /var/lib/app-info/yaml/ r,
   /var/lib/app-info/yaml/*_Components-*.yml.gz w,
+  /var/lib/app-info/ w,
   /var/lib/apt/lists/ r,
   /var/lib/apt/lists/*_Components-*.gz r,
+  /var/lib/swcatalog/ rw,
+  /var/lib/swcatalog/yaml/ rw,
+  /var/lib/swcatalog/yaml/*_Components-*.yml.gz w,
   /var/lib/flatpak/appstream/{,**} r,
 
         /var/cache/swcatalog/cache/{,**} rw,
   owner /var/cache/app-info/{,**} rw,
+  owner /var/cache/swcatalog/{,**} rw,
   owner /tmp/appstream-cache-*.mdb rw,
   owner /tmp/appstream/ rw,
   owner /tmp/appstream/appcache-*.mdb rw,

apparmor.d/profiles-a-f/atftpd

@@ -10,6 +10,8 @@ include <tunables/global>
 profile atftpd @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice>
+  # For libwrap (TCP Wrapper) support
+  include <abstractions/hosts_access>
 
   # to run atftpd daemon as nobody/nogroup
   capability setgid,
@@ -21,8 +23,5 @@ profile atftpd @{exec_path} {
   /tftpboot/{,**} r,
   /srv/tftp/{,**} r,
 
-  # for libwrap (TCP Wrapper) support
-  /etc/hosts.{,allow,deny} r,
-
   include if exists <local/atftpd>
 }

apparmor.d/profiles-a-f/atril

@@ -30,8 +30,12 @@ profile atril @{exec_path} {
 
   @{exec_path} mr,
 
-  /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitNetworkProcess rix,
-  /usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess rix,
+  /{usr/,}bin/{,ba,da}sh      rix,
+
+  /{usr/,}bin/atril-previewer rPx,
+
+  /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitNetworkProcess rix,
+  /{usr/,}lib/@{multiarch}/webkit2gtk-4.0/WebKitWebProcess     rix,
 
   # Which media files atril should be able to open
         / r,
@@ -52,6 +56,7 @@ profile atril @{exec_path} {
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
 
+       owner @{PROC}/@{pid}/fd/ r,
        owner @{PROC}/@{pid}/mountinfo r,
        owner @{PROC}/@{pid}/mounts r,
        owner @{PROC}/@{pid}/statm r,
@@ -59,24 +64,25 @@ profile atril @{exec_path} {
        owner @{PROC}/@{pid}/cgroup r,
              @{PROC}/zoneinfo r,
 
-  /sys/firmware/acpi/pm_profile r,
-  /sys/devices/virtual/dmi/id/chassis_type r,
-  /sys/fs/cgroup/** r,
+  @{sys}/firmware/acpi/pm_profile r,
+  @{sys}/devices/virtual/dmi/id/chassis_type r,
+  @{sys}/fs/cgroup/** r,
 
   /etc/fstab r,
 
-  /usr/share/poppler/** r,
+  /usr/share/poppler/{,**} r,
 
-  owner @{user_config_dirs}/atril/ rw,
-  owner @{user_config_dirs}/atril/* rw,
+  owner @{user_config_dirs}/atril/{,*} rw,
 
-  owner @{user_cache_dirs}/atril/ rw,
-  owner @{user_cache_dirs}/atril/** rw,
+  owner @{user_cache_dirs}/atril/{,**} rw,
 
   owner @{user_share_dirs}/gvfs-metadata/home r,
   owner @{user_share_dirs}/gvfs-metadata/home-*.log r,
 
   owner /tmp/gtkprint_* rw,
+  owner /tmp/settings*.ini rw,
+  owner /tmp/settings*.ini.* rw,
+
   owner /tmp/atril-@{pid}/ rw,
   owner /tmp/atril-@{pid}/*/ rw,
   owner /tmp/atril-@{pid}/*/mimetype rw,

apparmor.d/profiles-a-f/conky

@@ -46,6 +46,7 @@ profile conky @{exec_path} {
   /{usr/,}bin/cat        rix,
   /{usr/,}bin/wc         rix,
   /{usr/,}bin/sed        rix,
+  /{usr/,}bin/sleep      rix,
 
   # For external IP address
   #/{usr/,}bin/dig        rix,

apparmor.d/profiles-a-f/ffplay

@@ -43,9 +43,15 @@ profile ffplay @{exec_path} {
   include <abstractions/X>
   include <abstractions/freedesktop.org>
   include <abstractions/audio>
+  include <abstractions/nameservice-strict>
   include <abstractions/user-download-strict>
   include <abstractions/private-files-strict>
 
+  network inet stream,
+  network inet6 stream,
+  network inet dgram,
+  network inet6 dgram,
+
   @{exec_path} mr,
 
   # Which media files ffplay should be able to open