feat(profile): update and enforce a few profiles.

apparmor.d/profiles-m-r/mdevctl

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/mdevctl
 profile mdevctl @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/metadata-cleaner

@@ -9,9 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/metadata-cleaner
 profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/dconf-write>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
+  include <abstractions/common/gnome>
   include <abstractions/nameservice-strict>
   include <abstractions/python>
   include <abstractions/user-read-strict>
@@ -20,12 +18,10 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
   @{python_path} rix,
 
-  @{bin}/bwrap rCx -> bwrap,
-  @{open_path} rPx -> child-open-help,
+  @{bin}/bwrap  Cx -> bwrap,
+  @{open_path}  Px -> child-open-help,
 
-  /usr/share/metadata-cleaner/{,**} r,
   /usr/share/metadata-cleaner/src/metadatacleaner/{,*/}__pycache__/ w,
-
   /usr/share/poppler/{,**} r,
 
   /etc/httpd/conf/mime.types r,
@@ -38,10 +34,8 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
 
   @{run}/mount/utab r,
 
-  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
-  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   deny owner @{user_share_dirs}/gvfs-metadata/* r,
   deny owner @{user_cache_dirs}/thumbnails/** r,
@@ -51,7 +45,7 @@ profile metadata-cleaner @{exec_path} flags=(attach_disconnected) {
     include <abstractions/common/bwrap>
     include <abstractions/perl>
 
-    signal (receive) set=(kill) peer=metadata-cleaner,
+    signal receive set=(kill) peer=metadata-cleaner,
 
     @{bin}/bwrap mr,
     @{bin}/vendor_perl/exiftool rix,