feat(profiles): general update.

apparmor.d/groups/ubuntu/apt-esm-hook

@@ -15,7 +15,12 @@ profile apt-esm-hook @{exec_path} {
 
   /{usr/,}bin/dpkg  rPx,
 
+  /etc/machine-id r,
+
+  /var/lib/ubuntu-advantage/messages/{,**} rw,
+
   owner @{PROC}/@{pid}/fd/ r,
+        @{PROC}/@{pids}/cmdline r,
 
   include if exists <local/apt-esm-hook>
 }

apparmor.d/groups/ubuntu/check-new-release-gtk

@@ -10,13 +10,18 @@ include <tunables/global>
 profile check-new-release-gtk @{exec_path} {
   include <abstractions/base>
   include <abstractions/apt-common>
+  include <abstractions/dbus-session-strict>
   include <abstractions/dconf>
   include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
   include <abstractions/python>
   include <abstractions/ssl_certs>
 
   network inet dgram,
   network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
 
   @{exec_path} mr,
 
@@ -25,17 +30,22 @@ profile check-new-release-gtk @{exec_path} {
   /{usr/,}bin/lsb_release  rPx -> lsb_release,
 
   /usr/share/distro-info/{,**} r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icons/{,**} r,
   /usr/share/themes/{,**} r,
   /usr/share/ubuntu-release-upgrader/{,**} r,
   /usr/share/update-manager/{,**} r,
+  /usr/share/X11/xkb/{,**} r,
 
   /etc/update-manager/{,**} r,
 
   owner @{user_cache_dirs}/update-manager-core/{,**} rw,
 
+  owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/wayland-[0-9] rw,
+
   owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/mounts r,
+        @{PROC}/@{pids}/mounts r,
 
   include if exists <local/check-new-release-gtk>
 }

apparmor.d/groups/ubuntu/livepatch-notification

@@ -10,16 +10,19 @@ include <tunables/global>
 profile livepatch-notification @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf>
+  include <abstractions/gtk>
 
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icons/{,**} r,
   /usr/share/X11/{,**} r,
-  /usr/share/themes/{,**} r,
 
+  owner @{run}/user/@{uid}/at-spi/bus rw,
+  owner @{run}/user/@{uid}/bus rw,
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   include if exists <local/livepatch-notification>
 }

apparmor.d/groups/ubuntu/package-system-locked

@@ -16,6 +16,9 @@ profile package-system-locked @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read),
 
+  network inet dgram,
+  network inet6 dgram,
+
   @{exec_path} mr,
 
   /{usr/,}bin/{,ba,da}sh  rix,

apparmor.d/groups/ubuntu/ubuntu-advantage-notification

@@ -11,16 +11,18 @@ profile ubuntu-advantage-notification @{exec_path} {
   include <abstractions/base>
   include <abstractions/dbus-session>
   include <abstractions/dconf>
+  include <abstractions/gtk>
 
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icons/{,**} r,
   /usr/share/X11/xkb/{,**} r,
-  /usr/share/themes/{,**} r,
 
+  owner @{run}/user/@{uid}/at-spi/bus rw,
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   include if exists <local/ubuntu-advantage-notification>
 }

apparmor.d/groups/ubuntu/ubuntu-report

@@ -10,6 +10,7 @@ include <tunables/global>
 profile ubuntu-report @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
+  include <abstractions/ssl_certs>
 
   @{exec_path} mr,
 

apparmor.d/groups/ubuntu/update-motd-updates-available

@@ -9,28 +9,42 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/update-notifier/update-motd-updates-available
 profile update-motd-updates-available @{exec_path} {
   include <abstractions/base>
+  include <abstractions/apt-common>
+  include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
   include <abstractions/python>
 
+  capability dac_read_search,
+
   @{exec_path} mr,
 
   /{usr/,}bin/python3.[0-9]* r,
 
+  /{usr/,}bin/{,ba,da}sh                    rix,
   /{usr/,}bin/apt-config                    rPx,
+  /{usr/,}bin/chmod                         rix,
   /{usr/,}bin/dirname                       rix,
   /{usr/,}bin/dpkg                          rPx -> child-dpkg,
   /{usr/,}bin/find                          rix,
   /{usr/,}bin/ischroot                      rix,
+  /{usr/,}bin/lsb_release                   rPx -> lsb_release,
   /{usr/,}bin/mktemp                        rix,
   /{usr/,}bin/mv                            rix,
+  /{usr/,}bin/rm                            rix,
   /{usr/,}lib/update-notifier/apt_check.py  rix,
 
-  /etc/apt/apt.conf.d/{,*} r,
-  /etc/apt/sources.list r,
+  /usr/share/distro-info/{,**} r,
+
+  /etc/machine-id r,
 
-  /var/lib/apt/lists/{,*} r,
   /var/lib/update-notifier/{,*} rw,
 
+  /var/cache/apt/ r,
+  /var/cache/apt/** rwk,
+
   owner @{PROC}/@{pid}/fd/ r,
+        @{PROC}/@{pids}/mountinfo r,
 
   include if exists <local/update-motd-updates-available>
 }

apparmor.d/groups/ubuntu/update-notifier

@@ -18,33 +18,46 @@ profile update-notifier @{exec_path} {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg                                    rPx,
+  /{usr/,}bin/{,ba,da}sh                              rix,
   /{usr/,}bin/ionice                                  rix,
   /{usr/,}bin/ischroot                                rix,
-  /{usr/,}bin/lsb_release                             rPx -> lsb_release,
   /{usr/,}bin/nice                                    rix,
+
+  /{usr/,}bin/dpkg                                    rPx,
+  /{usr/,}bin/lsb_release                             rPx -> lsb_release,
   /{usr/,}bin/pkexec                                  rPx,
   /{usr/,}bin/systemctl                               rPx -> child-systemctl,
+  /{usr/,}bin/update-manager                          rPx,
+  /{usr/,}lib/ubuntu-release-upgrader/check-new-release-gtk rPx,
   /{usr/,}lib/update-notifier/apt_check.py            rix,
+  /{usr/,}lib/update-notifier/list-oem-metapackages   rPx,
   /{usr/,}lib/update-notifier/livepatch-notification  rPx,
   /{usr/,}lib/update-notifier/package-system-locked   rPx,
   /usr/share/apport/apport-checkreports               rPx,
+  /usr/share/apport/apport-gtk                        rPx,
 
-  /usr/share/applications/{,*.desktop} r,
+  /usr/share/applications/{,**} r,
   /usr/share/dpkg/cputable r,
   /usr/share/dpkg/tupletable r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/icons/{,**} r,
-  /usr/share/themes/{,**} r,
+  /usr/share/mime/mime.cache r,
+  /usr/share/pixmaps/ r,
   /usr/share/ubuntu/applications/ r,
+  /usr/share/update-notifier/{,**} r,
   /usr/share/X11/{,**} r,
 
   /etc/machine-id r,
   /etc/gnome/defaults.list r,
 
+  /var/lib/snapd/desktop/applications/{,**} r,
+  /var/lib/snapd/desktop/icons/ r,
   /var/lib/update-notifier/user.d/ r,
-  /var/lib/snapd/desktop/applications/{,/mimeinfo.cache} r,
 
+  owner @{user_share_dirs}/applications/ r,
+
+  owner @{run}/user/@{uid}/at-spi/bus rw,
+  owner @{run}/user/@{uid}/bus rw,
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
   owner @{run}/user/@{uid}/update-notifier.pid rwk,