feat(profile): small general improvments.

apparmor.d/groups/flatpak/flatpak

@@ -98,7 +98,9 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
   owner @{tmp}/ostree-gpg-@{rand6}/{,**} rw,
   owner /dev/shm/flatpak*/{,**} rw,
 
-        @{run}/.userns r,
+         @{run}/.userns r,
+  @{att}/@{run}/.userns r,
+
         @{run}/user/@{uid}/.dbus-proxy/ w,
         @{run}/user/@{uid}/dconf/user rw,
   owner @{run}/user/@{uid}/.dbus-proxy/* rw,
@@ -146,6 +148,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
     include <abstractions/base>
     include <abstractions/app/fusermount>
 
+    capability setuid,
+
     mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
     umount /var/tmp/flatpak-cache-*/*/,
 

apparmor.d/groups/freedesktop/xdg-desktop-portal-kde

@@ -10,10 +10,12 @@ include <tunables/global>
 @{exec_path} += @{lib}/@{multiarch}/{,libexec/}xdg-desktop-portal-kde
 profile xdg-desktop-portal-kde @{exec_path} {
   include <abstractions/base>
+  include <abstractions/bus-session>
   include <abstractions/graphics>
   include <abstractions/kde-globals-write>
   include <abstractions/kde-strict>
   include <abstractions/nameservice-strict>
+  include <abstractions/qt5-shader-cache>
 
   network inet dgram,
   network inet6 dgram,
@@ -27,8 +29,14 @@ profile xdg-desktop-portal-kde @{exec_path} {
 
   #aa:exec kioworker
 
+  /usr/share/plasma/look-and-feel/** r,
+
+  owner @{HOME}/ r,
+
   owner @{desktop_config_dirs}/user-dirs.dirs r,
 
+  owner @{user_cache_dirs}/xdg-desktop-portal-kde/{,**} rw,
+
   owner @{user_config_dirs}/autostart/org.kde.*.desktop r,
   owner @{user_config_dirs}/breezerc r,
   owner @{user_config_dirs}/xdg-desktop-portal-kderc{,.*} rwlk,

apparmor.d/profiles-a-f/finalrd

@@ -65,9 +65,8 @@ profile finalrd @{exec_path} {
     include <abstractions/base>
     include <abstractions/nameservice-strict>
 
-    @{bin}/ldd mr,
+    @{bin}/* mr,
     @{lib}/@{multiarch}/ld-linux-*so* mrix,
-    @{lib}/ld-linux.so* mr,
 
     include if exists <local/finalrd_ldd>
   }

apparmor.d/profiles-s-z/spotify

@@ -36,6 +36,8 @@ profile spotify @{exec_path} flags=(attach_disconnected) {
   /etc/spotify-adblock/* r,
   /var/lib/dbus/machine-id r,
 
+  owner @{HOME}/.tmp rw,
+
   owner @{user_music_dirs}/{,**} r,
 
   owner @{user_config_dirs}/spotify-adblock/* r,

apparmor.d/profiles-s-z/syncthing

@@ -36,10 +36,14 @@ profile syncthing @{exec_path} {
   @{user_sync_dirs}/{,**} rw,
 
         @{PROC}/@{pids}/net/route r,
+        @{PROC}/bus/pci/devices r,
+        @{PROC}/modules r,
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/sys/net/core/somaxconn r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/mountinfo r,
+  owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/statm r,
 
   include if exists <local/syncthing>
 }