feat(profiles): general update.

apparmor.d/profiles-s-z/smartctl

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,

apparmor.d/profiles-s-z/spotify

@@ -59,6 +59,7 @@ profile spotify @{exec_path} {
 
   owner @{cache_dirs}/ rw,
   owner @{cache_dirs}/** rwk -> @{cache_dirs}/**,
+  owner @{cache_dirs}/WidevineCdm/**/libwidevinecdm.so rm,
 
   owner @{run}/user/@{uid}/pulse/ r,
 

apparmor.d/profiles-s-z/thermald

@@ -49,10 +49,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/class/hwmon/ r,
   @{sys}/class/thermal/ r,
-  @{sys}/devices/platform/{,*} r,
-  @{sys}/devices/platform/**/path r,
-  @{sys}/devices/platform/**/available_uuids r,
-  @{sys}/devices/platform/**/current_uuid rw,
+  @{sys}/devices/platform/ r,
+  @{sys}/devices/platform/** r,
 
   @{sys}/devices/system/cpu/present r,
   @{sys}/devices/system/cpu/intel_pstate/max_perf_pct rw,
@@ -65,6 +63,7 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmax_us r,
   @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmin_us r,
 
+  @{sys}/devices/**/hwmon@{int}/ r,
   @{sys}/devices/**/hwmon@{int}/name r,
   @{sys}/devices/**/hwmon@{int}/temp[0-9]*_{max,crit} r,
   @{sys}/devices/**/path r,
@@ -86,13 +85,13 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/virtual/thermal/cooling_device@{int}/cur_state rw,
   @{sys}/devices/virtual/thermal/cooling_device@{int}/max_state r,
 
-  @{sys}/devices/virtual/powercap/intel-rapl/ r,
-  @{sys}/devices/virtual/powercap/intel-rapl/**/name r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/ r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/* r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/constraint_* w,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/enabled w,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r,
+  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/ r,
+  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/**/name r,
+  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/ r,
+  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/* r,
+  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/constraint_* w,
+  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/enabled w,
+  @{sys}/devices/virtual/powercap/intel-rapl{,-mmio}/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r,
 
   /dev/acpi_thermal_rel rw,
   /dev/input/ r,

apparmor.d/profiles-s-z/thunderbird-glxtest

@@ -19,6 +19,7 @@ profile thunderbird-glxtest @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/opencl-nvidia>
   include <abstractions/vulkan>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,
 
@@ -26,11 +27,10 @@ profile thunderbird-glxtest @{exec_path} {
 
   owner /tmp/thunderbird/.parentlock rw,
 
-  owner @{run}/user/@{uid}/xauth_@{rand6} r,
-
   @{sys}/bus/pci/devices/ r,
   @{sys}/devices/pci[0-9]*/**/class r,
 
+  owner @{PROC}/@{pid}/cmdline r,
 
   include if exists <local/thunderbird-glxtest>
 }

apparmor.d/profiles-s-z/thunderbird-vaapitest

@@ -25,8 +25,8 @@ profile thunderbird-vaapitest @{exec_path} {
   /etc/igfx_user_feature{,_next}.txt w,
   /etc/libva.conf r,
 
-  owner @{thunderbird_config_dirs}/*/.parentlock rw,
-  owner @{thunderbird_config_dirs}/*/startupCache/*Cache* r,
+  deny owner @{thunderbird_config_dirs}/*/.parentlock rw,
+  deny owner @{thunderbird_config_dirs}/*/startupCache/** r,
 
   owner /tmp/thunderbird/.parentlock rw,
 

apparmor.d/profiles-s-z/udisksd

@@ -152,8 +152,6 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/mounts r,
 
   /dev/loop-control rw,
-  /dev/mapper/ r,
-  /dev/mapper/control rw,
   /dev/null.[0-9]* rw,
 
   include if exists <local/udisksd>

apparmor.d/profiles-s-z/wpa-supplicant

@@ -44,10 +44,11 @@ profile wpa-supplicant @{exec_path} flags=(attach_disconnected) {
   /var/log/wpa_supplicant.log rw,
 
   @{HOME}/.cat_installer/*.pem r,
+  @{user_config_dirs}/cat_installer/*.pem r,
 
   owner @{run}/wpa_supplicant/{,**} rw,
 
-  @{sys}/devices/pci[0-9]*/**/ieee80211/phy[0-9]/name r,
+  @{sys}/devices/pci[0-9]*/**/ieee*/phy@{int}/name r,
 
   @{PROC}/sys/net/ipv{4,6}/conf/p2p*/drop_* rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlan*/drop_* rw,