feat(profile): general update.

apparmor.d/groups/_full/default

@@ -70,11 +70,8 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{MOUNTS}/** rwl,
   owner @{HOME}/{,**} rwlk,
   owner @{run}/user/@{uid}/{,**} rw,
-  owner @{user_config_dirs}/** rwkl,
-  owner @{user_share_dirs}/** rwkl,
   owner @{tmp}/{,**} rwk,
-
-  owner @{run}/user/@{uid}/{,**} rw,
+  owner @{run}/user/@{uid}/{,**} rwlk,
 
   @{run}/motd.dynamic.new rw,
 

apparmor.d/groups/browsers/firefox-crashreporter

@@ -30,6 +30,9 @@ profile firefox-crashreporter @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  @{bin}/curl rix,
+  @{bin}/mv   rix,
+
   @{lib_dirs}/minidump-analyzer rPx,
 
   @{bin}/mv rix,

apparmor.d/groups/children/child-modprobe-nvidia

@@ -71,7 +71,7 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
     # @{sys}/module/{drm,nvidia}/initstate r,
     @{sys}/module/compression r,
 
-    deny  @{HOME}/.steam/** r,
+    deny @{HOME}/.steam/** r,
 
     include if exists <local/child-modprobe-nvidia_kmod>
   }

apparmor.d/groups/gnome/gdm-session-worker

@@ -29,6 +29,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   capability sys_tty_config,
 
   network netlink raw,
+  network unix stream,
 
   signal (receive) set=term peer=gdm,
   signal (send) set=(hup term) peer=gdm-session,

apparmor.d/groups/gnome/gsd-media-keys

@@ -27,6 +27,7 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
 
   signal (receive) set=(term, hup) peer=gdm*,
 
+  network inet stream,
   network netlink raw,
 
   #aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys

apparmor.d/groups/gnome/session-migration

@@ -21,6 +21,8 @@ profile session-migration @{exec_path} {
   owner @{gdm_share_dirs}/session_migration-* rw,
   owner @{user_share_dirs}/session_migration-* rw,
 
+  /dev/tty@{int} rw,
+
   include if exists <local/session-migration>
 }
 

apparmor.d/groups/pacman/aurpublish

@@ -29,7 +29,7 @@ profile aurpublish @{exec_path} {
   @{bin}/date        rix,
   @{bin}/gettext     rix,
   @{bin}/git         rPx,
-  @{bin}/gpg{,2}     rPx,
+  @{bin}/gpg{,2}     rCx -> gpg,
   @{bin}/grep        rix,
   @{bin}/makepkg     rix,
   @{bin}/mkdir       rix,
@@ -48,10 +48,9 @@ profile aurpublish @{exec_path} {
   /etc/makepkg.conf.d/{,**} r,
 
   owner @{user_build_dirs}/**/ w,
-  owner @{user_projects_dirs}/**/ r,
+  owner @{user_projects_dirs}/** r,
   owner @{user_projects_dirs}/**/.git/COMMIT_EDITMSG rw,
   owner @{user_projects_dirs}/**/.SRCINFO rw,
-  owner @{user_projects_dirs}/**/PKGBUILD r,
 
   owner @{user_cache_dirs}/makepkg/src/* rw,
   owner @{user_config_dirs}/pacman/makepkg.conf r,
@@ -62,6 +61,22 @@ profile aurpublish @{exec_path} {
 
   /dev/tty rw,
 
+  profile gpg {
+    include <abstractions/base>
+
+    @{bin}/gpg{,2} mr,
+    @{bin}/gpgconf mr,
+
+    owner @{HOME}/@{XDG_GPG_DIR}/ rw,
+    owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
+
+    owner @{user_cache_dirs}/makepkg/src/*.asc r,
+
+    owner @{tmp}/tmp.@{rand10} rw,
+
+    include if exists <local/aurpublish_gpg>
+  }
+
   include if exists <local/aurpublish>
 }
 

apparmor.d/groups/systemd/systemd-cryptsetup

@@ -12,6 +12,7 @@ profile systemd-cryptsetup @{exec_path} {
   include <abstractions/common/systemd>
   include <abstractions/disks-write>
 
+  capability dac_read_search,
   capability ipc_lock,
   capability net_admin,
   capability sys_admin,

apparmor.d/groups/systemd/systemd-logind

@@ -63,6 +63,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   /var/lib/systemd/linger/ r,
 
   @{run}/.#nologin* rw,
+  @{run}/credentials/getty@tty@{int}.service/ r,
   @{run}/host/container-manager r,
   @{run}/nologin rw,
   @{run}/utmp rk,

apparmor.d/groups/systemd/systemd-udevd

@@ -52,6 +52,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   @{bin}/more             rPx -> child-pager,
   @{bin}/multipath        rPx,
   @{bin}/nfsrahead        rix,
+  @{bin}/nvidia-modprobe  rPx -> child-modprobe-nvidia,
   @{bin}/pager            rPx -> child-pager,
   @{bin}/perl             rix,
   @{bin}/setfacl          rix,

apparmor.d/groups/ubuntu/apport-gtk

@@ -51,6 +51,7 @@ profile apport-gtk @{exec_path} {
   @{bin}/pkexec                 rPx, # TODO: rCx or something
   @{bin}/systemctl              rCx -> systemctl,
   @{bin}/systemd-detect-virt    rPx,
+  @{bin}/uname                  rix,
   @{bin}/which{,.debianutils}   rix,
   @{lib}/{,colord/}colord-sane  rPx,
   @{lib}/@{multiarch}/ld*.so*   rix,
@@ -60,8 +61,8 @@ profile apport-gtk @{exec_path} {
   /usr/share/apport/general-hooks/*.py r,
 
   /etc/apport/{,**} r,
-  /etc/cloud/cloud.cfg.d/{,**} r,
   /etc/bash_completion.d/apport_completion r,
+  /etc/cloud/{,**} r,
   /etc/cron.daily/apport r,
   /etc/default/apport r,
   /etc/gtk-3.0/settings.ini r,
@@ -69,13 +70,15 @@ profile apport-gtk @{exec_path} {
   /etc/logrotate.d/apport r,
   /etc/xdg/autostart/*.desktop r,
 
-  /var/crash/{,*.@{uid}.crash} rw,
   /var/lib/dpkg/info/ r,
   /var/lib/dpkg/info/*.list r,
   /var/lib/usbutils/*.ids r,
   /var/lib/dpkg/info/*.md5sums r,
   /var/log/installer/media-info r,
 
+        /var/crash/ rw,
+  owner /var/crash/*.@{uid}.{crash,upload} rw,
+
    @{run}/snapd.socket rw,
 
   /tmp/[a-z0-9]* rw,
@@ -104,6 +107,7 @@ profile apport-gtk @{exec_path} {
     @{bin}/* r,
 
     /usr/share/gcc/python/{,**/}__pycache__/{,**} rw,
+    /usr/share/gdb/python/{,**/}__pycache__/{,**} rw,
 
     /usr/share/gdb/{,**} r,
     /usr/share/glib-2.0/schemas/gschemas.compiled r,