feat(profiles): general update.

apparmor.d/groups/virt/cockpit-askpass

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/cockpit/cockpit-askpass
 profile cockpit-askpass @{exec_path} {
   include <abstractions/base>
+  include <abstractions/python>
 
   @{exec_path} mr,
 

apparmor.d/groups/virt/cockpit-bridge

@@ -10,8 +10,10 @@ include <tunables/global>
 profile cockpit-bridge @{exec_path} {
   include <abstractions/base>
   include <abstractions/app-launcher-root>
-  include <abstractions/nameservice-strict>
   include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+  include <abstractions/python>
 
   capability dac_read_search,
   capability sys_nice,
@@ -21,6 +23,8 @@ profile cockpit-bridge @{exec_path} {
   network inet6 dgram,
   network inet6 stream,
 
+  ptrace (read),
+
   signal (send) set=term peer=cockpit-pcp,
   signal (send) set=term peer=dbus-daemon,
   signal (send) set=term peer=journalctl,
@@ -48,13 +52,19 @@ profile cockpit-bridge @{exec_path} {
   @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* rw,
   @{run}/utmp r,
 
+  @{sys}/devices/**/hwmon[0-9]*/ r,
+  @{sys}/devices/**/hwmon[0-9]*/{name,temp*} r,
+  @{sys}/fs/cgroup/*.slice/**/memory* r,
+
+        @{PROC}/ r,
+        @{PROC}/@{pids}/cgroup r,
+        @{PROC}/@{pids}/io r,
         @{PROC}/@{pids}/net/dev r,
         @{PROC}/1/cgroup r,
         @{PROC}/cmdline r,
         @{PROC}/diskstats r,
         @{PROC}/loadavg r,
         @{PROC}/uptime r,
-  owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,