feat(profile): minor profiles improvement.

apparmor.d/groups/freedesktop/colord

@@ -59,7 +59,9 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/@{pci}/{vendor,model,type} r,
   @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r,
   @{sys}/devices/@{pci}/uevent r,
-  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_version r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
 
         @{PROC}/sys/dev/parport/ r,
         @{PROC}/sys/dev/parport/parport@{int}/base-addr r,

apparmor.d/groups/freedesktop/pipewire

@@ -47,6 +47,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
 
   owner @{tmp}/librnnoise-@{int}.so rm,
 
+        @{run}/snapd.socket rw,
   owner @{run}/user/@{uid}/pipewire-@{int} rw,
   owner @{run}/user/@{uid}/pipewire-@{int}-manager.lock rwk,
   owner @{run}/user/@{uid}/pipewire-@{int}.lock rwk,
@@ -62,6 +63,7 @@ profile pipewire @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,bios_vendor,board_vendor} r,
   @{sys}/module/apparmor/parameters/enabled r,
 
+  owner @{PROC}/@{pid}/attr/apparmor/current r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   /dev/media@{int} rw,

apparmor.d/groups/kde/kscreenlocker_greet

@@ -25,6 +25,8 @@ profile kscreenlocker_greet @{exec_path} {
 
   network netlink raw,
 
+  ptrace read peer=ksmserver,
+
   signal (receive) set=(term) peer=kwin_wayland,
   signal (receive) set=(usr1, term) peer=ksmserver,
   signal (send) peer=kcheckpass,

apparmor.d/groups/ssh/sshd-session

@@ -74,6 +74,7 @@ profile sshd-session @{exec_path} flags=(attach_disconnected) {
 
   @{att}/@{run}/systemd/sessions/@{int}.ref w,
 
+        @{run}/cockpit/active.issue r,
         @{run}/motd.d/{,*} r,
         @{run}/motd.dynamic rw,
         @{run}/motd.dynamic.new rw,

apparmor.d/groups/systemd/systemd-delta

@@ -10,11 +10,11 @@ include <tunables/global>
 profile systemd-delta @{exec_path} {
   include <abstractions/base>
 
-  signal (send) peer=child-pager,
+  signal send peer=child-pager,
 
   @{exec_path} mr,
 
-  @{bin}/less  rPx -> child-pager,
+  @{pager_path}           rPx -> child-pager,
 
   /etc/binfmt.d/{,**} r,
   /etc/modprobe.d/{,**} r,

apparmor.d/groups/systemd/systemd-detect-virt

@@ -21,6 +21,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
 
   @{run}/cloud-init/ds-identify.log w,
   @{run}/host/container-manager r,
+  @{run}/systemd/container r,
   @{run}/systemd/notify w,
 
   @{sys}/devices/virtual/dmi/id/bios_vendor r,
@@ -29,6 +30,12 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/firmware/dmi/entries/*/raw r,
+  @{sys}/firmware/uv/prot_virt_guest r,
+  @{sys}/hypervisor/properties/features r,
+
+  @{PROC}/xen/capabilities r,
+
+  /dev/cpu/@{int}/msr r,
 
   include if exists <local/systemd-detect-virt>
 }

apparmor.d/profiles-a-f/cheese

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2025 Roman Beslik <me@beroal.in.ua>
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/4.0>,
@@ -41,7 +42,10 @@ profile cheese @{exec_path} {
 
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
 
-  @{sys}/devices/virtual/dmi/id/{bios_vendor,board_vendor,product_name,sys_vendor} r,
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
 
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,