feat(profiles): general update.

apparmor.d/groups/pacman/pacman

@@ -109,8 +109,8 @@ profile pacman @{exec_path} {
   @{lib}/ghc-*/bin/ghc-pkg           rix,
   @{lib}/systemd/systemd-*           rPx,
   @{lib}/vlc/vlc-cache-gen           rPx,
-  /opt/Mullvad*/resources/mullvad-setup   rPx,
-  /usr/share/code-features/patch.sh       rPx,
+  /usr/share/code-features/patch.py      rPx,
+  /usr/share/code-marketplace/patch.py   rPx,
   /usr/share/libalpm/scripts/*           rPUx,
   /usr/share/texmf-dist/scripts/texlive/mktexlsr rPUx,
 

apparmor.d/groups/pacman/pacman-hook-code

@@ -6,23 +6,21 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = /usr/share/code-features/patch.sh
+@{exec_path} = /usr/share/code-{features,marketplace}/patch.py
 profile pacman-hook-code @{exec_path} {
   include <abstractions/base>
+  include <abstractions/python>
 
   capability dac_read_search,
 
   @{exec_path} mr,
 
-  @{bin}/{,ba}sh     rix,
-  @{bin}/env         rix,
-  @{bin}/grep        rix,
-  @{bin}/sed         rix,
+  @{bin}/python3.[0-9]* rix,
 
   @{lib}/code/product.json rw,
-  @{lib}/code/sed?????? rw,
 
-  /dev/tty rw,
+  /usr/share/code-{features,marketplace}/* r,
+  /usr/share/code-{features,marketplace}/cache.json rw,
 
   include if exists <local/pacman-hook-code>
 }

apparmor.d/groups/pacman/pacman-hook-mkinitcpio

@@ -14,7 +14,7 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability mknod,
 
-  # unix (receive) type=stream,
+  unix (receive) type=stream,
 
   @{exec_path} mr,