feat(profile): general update.

apparmor.d/groups/freedesktop/xdg-permission-store

@@ -28,11 +28,11 @@ profile xdg-permission-store @{exec_path} flags=(attach_disconnected) {
   @{HOME}/@{XDG_DATA_DIR}/flatpak/db/gnome rw,
 
   owner @{desktop_share_dirs}/flatpak/ w,
-  audit owner @{desktop_share_dirs}/flatpak/db/ rw,
-  audit owner @{desktop_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
-  audit owner @{desktop_share_dirs}/flatpak/db/background rw,
-  audit owner @{desktop_share_dirs}/flatpak/db/devices r,
-  audit owner @{desktop_share_dirs}/flatpak/db/notifications rw,
+  owner @{desktop_share_dirs}/flatpak/db/ rw,
+  owner @{desktop_share_dirs}/flatpak/db/.goutputstream-@{rand6} rw,
+  owner @{desktop_share_dirs}/flatpak/db/background rw,
+  owner @{desktop_share_dirs}/flatpak/db/devices r,
+  owner @{desktop_share_dirs}/flatpak/db/notifications rw,
 
   owner @{user_share_dirs}/flatpak/ w,
   owner @{user_share_dirs}/flatpak/db/ rw,

apparmor.d/groups/gnome/gdm-session-worker

@@ -59,7 +59,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 
   @{bin}/gnome-keyring-daemon             rPx,
   @{etc_ro}/X11/xdm/Xstartup             rPUx,
-  @{lib}/{,gdm/}gdm-{x,wayland}-session   rPx -> gdm-session,
+  @{lib}/{,gdm/}gdm-{x,wayland}-session   rpx -> gdm-session,
   /etc/gdm{3,}/{Pre,Post}Session/Default  rix,
   /etc/gdm{3,}/PostLogin/Default          rix,
   /etc/gdm{3,}/PrimeOff/Default           rix,

apparmor.d/groups/gnome/gjs-console

@@ -51,8 +51,8 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{bin}/       r,
-  @{bin}/*   rPUx,
-  @{lib}/**  rPUx,
+  @{bin}/*    PUx,
+  @{lib}/**   PUx,
 
   /usr/share/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,
   @{user_share_dirs}/gnome-shell/extensions/gsconnect@andyholmes.github.io/{service/daemon.js,gsconnect-preferences} rPx,

apparmor.d/groups/gnome/gnome-calculator-search-provider

@@ -17,10 +17,7 @@ profile gnome-calculator-search-provider @{exec_path} {
 
   signal (send) set=kill peer=unconfined,
 
-  dbus bind bus=session name=org.gnome.Calculator.SearchProvider,
-  dbus receive bus=session path=/org/gnome/Calculator/SearchProvider
-       interface=org.gnome.Shell.SearchProvider2
-       peer=(name=:*, label=gnome-shell),
+  #aa:dbus own bus=session name=org.gnome.Calculator.SearchProvider interface=org.gnome.Shell.SearchProvider2
 
   @{exec_path} mrix,
 

apparmor.d/groups/gnome/gnome-characters

@@ -15,10 +15,7 @@ profile gnome-characters @{exec_path} {
   include <abstractions/fontconfig-cache-read>
   include <abstractions/nameservice-strict>
 
-  #aa:dbus own bus=session name=org.gnome.Characters
-  dbus receive bus=session path=/org/gnome/Characters/SearchProvider
-       interface=org.gnome.Shell.SearchProvider2
-       peer=(name=:*, label=gnome-shell),
+  #aa:dbus own bus=session name=org.gnome.Characters interface=org.gnome.Shell.SearchProvider2
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/gnome-control-center-print-renderer

@@ -21,6 +21,8 @@ profile gnome-control-center-print-renderer @{exec_path} {
 
   /usr/share/pixmaps/{,**} r,
 
+  / r,
+
   owner @{PROC}/@{pid}/cmdline r,
 
   include if exists <local/gnome-control-center-print-renderer>

apparmor.d/groups/gnome/gnome-shell

@@ -175,10 +175,18 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   @{exec_path} mr,
 
-  @{bin}/Xwayland         rPx,
-  @{lib}/polkit-1/polkit* rPx,
-  @{lib}/*                rPUx,
-  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop rix,
+  @{bin}/unzip                  rix,
+
+  @{bin}/gjs-console            rPx,
+  @{bin}/glib-compile-schemas   rPx,
+  @{bin}/ibus-daemon            rPx,
+  @{bin}/Xwayland               rPx,
+  @{lib}/mutter-x11-frames      rPx,
+  #aa:exec polkit-agent-helper
+
+  @{sh_path}                                           rCx -> shell,
+  @{lib}/gio-launch-desktop                            rCx -> open,
+  @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop   rCx -> open,
 
   /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
 
@@ -363,5 +371,44 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   /dev/media@{int} rw,
   /dev/tty@{int} rw,
 
+  profile shell flags=(attach_disconnected,mediate_deleted) {
+    include <abstractions/base>
+  
+    capability sys_ptrace,
+
+    ptrace (read),
+
+    @{sh_path} mr,
+  
+    @{bin}/pmap rix,
+    @{bin}/grep rix,
+
+    @{sys}/devices/system/node/ r,
+
+          @{PROC}/uptime r,
+    owner @{PROC}/@{pid}/cmdline r,
+    owner @{PROC}/@{pid}/stat r,
+
+    /dev/tty rw,
+
+    include if exists <local/gnome-shell_shell>
+  }
+
+  profile open flags=(attach_disconnected,mediate_deleted) {
+    include <abstractions/base>
+    include <abstractions/app-launcher-user>
+
+    @{lib}/gio-launch-desktop                               mr,
+    @{lib}/@{multiarch}/glib-[0-9]*/gio-launch-desktop      mr,
+  
+    @{lib}/*      PUx,
+    /usr/games/*  PUx,
+    /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
+
+    deny @{user_share_dirs}/gvfs-metadata/* r,
+
+    include if exists <local/gnome-shell_open>
+  }
+
   include if exists <local/gnome-shell>
 }

apparmor.d/groups/gvfs/gvfsd-wsdd

@@ -10,7 +10,14 @@ include <tunables/global>
 profile gvfsd-wsdd @{exec_path} {
   include <abstractions/base>
 
+  network netlink raw,
+
   @{exec_path} mr,
 
+  @{bin}/wsdd rPx,
+
+        @{run}/mount/utab r,
+  owner @{run}/user/@{uid}/gvfsd/socket-@{rand8} rw,
+
   include if exists <local/gvfsd-wsdd>
 }