update apparmor profiles

Signed-off-by: Alexandre Pujol <alexandre@pujol.io>

apparmor.d/profiles-s-z/update-alternatives

@@ -28,5 +28,7 @@ profile update-alternatives @{exec_path} {
 
   /usr/** rw,
 
+  /lib/firmware/* rw,
+
   include if exists <local/update-alternatives>
 }

apparmor.d/profiles-s-z/uscan

@@ -28,10 +28,13 @@ profile uscan @{exec_path} {
   /{usr/,}bin/pwd        rix,
   /{usr/,}bin/find       rix,
   /{usr/,}bin/file       rix,
+  /{usr/,}bin/getconf    rix,
 
   /{usr/,}bin/tar        rix,
   /{usr/,}bin/gzip       rix,
   /{usr/,}bin/bzip2      rix,
+  /{usr/,}bin/gunzip     rix,
+  /{usr/,}bin/xz         rix,
 
   /{usr/,}bin/uupdate   rPUx,
 

apparmor.d/profiles-s-z/vsftpd

@@ -15,6 +15,9 @@ profile vsftpd @{exec_path} {
   # Only for local users authentication
   include <abstractions/authentication>
 
+  # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
+  include <abstractions/hosts_access>
+
   # To be able to listen on ports < 1024
   capability net_bind_service,
 
@@ -48,9 +51,6 @@ profile vsftpd @{exec_path} {
   # List of users disallowed FTP access
   /etc/ftpusers r,
 
-  # For libwrap (TCP Wrapper) support (tcp_wrappers=YES)
-  /etc/hosts.{allow,deny} r,
-
   # vsftpd config files
   /etc/vsftpd.conf r,
   /etc/vsftpd/**/ r,

apparmor.d/profiles-s-z/yt-dlp

@@ -65,7 +65,7 @@ profile yt-dlp @{exec_path} {
 
   # Which files yt-dlp should be able to open
   owner /media/**/ r,
-  owner /media/**.@{ytdlp_ext} rw,
+  owner /media/**.@{ytdlp_ext} rwk,
 
   owner @{HOME}/.cache/ rw,
   owner @{HOME}/.cache/yt-dlp/ rw,