Update profiles.

apparmor.d/groups/pacman/paccache

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/paccache
 profile paccache @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   capability dac_read_search,
   capability mknod,

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -12,11 +12,12 @@ profile systemd-tmpfiles @{exec_path} {
   include <abstractions/systemd-common>
   include <abstractions/nameservice-strict>
 
+  capability chown,
   capability dac_read_search,
-  capability net_admin,
+  capability fowner,
   capability fsetid,
   capability mknod,
-  capability fowner,
+  capability net_admin,
 
   @{exec_path} mr,
 

apparmor.d/profiles-a-l/browserpass

@@ -33,6 +33,7 @@ profile browserpass @{exec_path} {
   deny network inet stream,
   deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
   deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} r,
+  deny /dev/dri/card[0-9]* rw,
 
   include if exists <local/browserpass>
 }

apparmor.d/profiles-m-z/update-mime-database

@@ -14,5 +14,9 @@ profile update-mime-database @{exec_path} {
 
   /usr/share/mime/{,**} rw,
 
+  # Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists <local/update-mime-database>
 }

apparmor.d/profiles-m-z/vlc-cache-gen

@@ -15,5 +15,9 @@ profile vlc-cache-gen @{exec_path} {
 
   /{usr/,}lib/vlc/plugins/{,*} rw,
 
+  # Silencer
+  deny network inet6 stream,
+  deny network inet stream,
+
   include if exists <local/vlc-cache-gen>
 }