feat(profiles): general update.

apparmor.d/profiles-s-z/ssserver

@@ -13,13 +13,13 @@ profile ssserver @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
-  @{exec_path} mr,
-
   network inet stream,
   network inet6 stream,
   network inet dgram,
   network inet6 dgram,
 
+  @{exec_path} mr,
+
   /etc/shadowsocks-rust/server/*/ss.json{,5} r,
 
   owner @{user_config_dirs}/shadowsocks-rust/server/*/ss.json{,5} r,

apparmor.d/profiles-s-z/steam

@@ -181,9 +181,9 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain)
   @{sys}/class/input/ r,
   @{sys}/class/net/ r,
   @{sys}/class/sound/ r,
-  @{sys}/devices/**/input[0-9]*/ r,
-  @{sys}/devices/**/input[0-9]*/capabilities/* r,
-  @{sys}/devices/**/input/input[0-9]*/ r,
+  @{sys}/devices/**/input@{int}/ r,
+  @{sys}/devices/**/input@{int}/capabilities/* r,
+  @{sys}/devices/**/input/input@{int}/ r,
   @{sys}/devices/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/class r,
   @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/report_descriptor r,

apparmor.d/profiles-s-z/steam-game

@@ -83,7 +83,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   @{lib}/pressure-vessel/from-host/bin/pressure-vessel-locale-gen rix,
   @{lib}/pressure-vessel/from-host/bin/pressure-vessel-try-setlocale rix,
   @{lib}/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
-  @{lib}exec/steam-runtime-tools*/* mrix,
+  @{lib}/steam-runtime-tools*/* mrix,
 
   @{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
   @{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix,
@@ -189,14 +189,14 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   owner /tmp/miles_image_* mr,
   owner /tmp/pressure-vessel-*/{,**} rwl,
 
-  @{run}/udev/data/+input* r,          # for mouse, keyboard, touchpad
+  @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
   @{run}/udev/data/+sound* r,
 
-  @{run}/udev/data/c13:[0-9]*  r,      # for /dev/input/*
-  @{run}/udev/data/c116:[0-9]* r,      # for ALSA
-  @{run}/udev/data/c23[4-9]:[0-9]* r,  # For dynamic assignment range 234 to 254
-  @{run}/udev/data/c24[0-9]:[0-9]* r,
-  @{run}/udev/data/c25[0-4]:[0-9]* r,
+  @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
+  @{run}/udev/data/c116:@{int} r,         # for ALSA
+  @{run}/udev/data/c23[4-9]:@{int} r,     # For dynamic assignment range 234 to 254
+  @{run}/udev/data/c24[0-9]:@{int} r,
+  @{run}/udev/data/c25[0-4]:@{int} r,
 
   @{sys}/ r,
   @{sys}/bus/ r,
@@ -204,10 +204,10 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/hidraw/ r,
   @{sys}/class/input/ r,
   @{sys}/class/sound/ r,
-  @{sys}/devices/**/input[0-9]*/ r,
-  @{sys}/devices/**/input[0-9]*/**/{vendor,product} r,
-  @{sys}/devices/**/input[0-9]*/capabilities/* r,
-  @{sys}/devices/**/input/input[0-9]*/ r,
+  @{sys}/devices/**/input@{int}/ r,
+  @{sys}/devices/**/input@{int}/**/{vendor,product} r,
+  @{sys}/devices/**/input@{int}/capabilities/* r,
+  @{sys}/devices/**/input/input@{int}/ r,
   @{sys}/devices/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/sound/card[0-9]*/** r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,

apparmor.d/profiles-s-z/thermald

@@ -25,19 +25,18 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
        member={RequestName,ReleaseName}
        peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
-  dbus (bind) bus=system
-     name=org.freedesktop.thermald,
+  dbus (bind) bus=system name=org.freedesktop.thermald,
 
   @{exec_path} mr,
 
+  /etc/thermald/thermal-conf.xml r,
+  /etc/thermald/thermal-cpu-cdev-order.xml r,
+
   owner @{run}/thermald/ rw,
   owner @{run}/thermald/thd_preference.conf rw,
   owner @{run}/thermald/thd_preference.conf.save w,
   owner @{run}/thermald/thermald.pid rwk,
 
-  /etc/thermald/thermal-conf.xml r,
-  /etc/thermald/thermal-cpu-cdev-order.xml r,
-
   @{sys}/class/hwmon/ r,
   @{sys}/class/thermal/ r,
   @{sys}/devices/platform/{,*} r,
@@ -51,10 +50,10 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/system/cpu/intel_pstate/status r,
 
   @{sys}/devices/pci[0-9]*/**/drm/**/intel_backlight/max_brightness r,
-  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_max_uw r,
-  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_min_uw r,
-  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmax_us r,
-  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_[0-9]*_tmin_us r,
+  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_max_uw r,
+  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_min_uw r,
+  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmax_us r,
+  @{sys}/devices/pci[0-9]*/**/power_limits/power_limit_@{int}_tmin_us r,
 
   @{sys}/devices/**/hwmon@{int}/name r,
   @{sys}/devices/**/hwmon@{int}/temp[0-9]*_{max,crit} r,
@@ -65,26 +64,25 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/devices/virtual/thermal/**/{type,temp} r,
 
-  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/ r,
-  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/mode rw,
-  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/policy rw,
-  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_temp rw,
-  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_type r,
-  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/trip_point_[0-9]*_hyst r,
-  @{sys}/devices/virtual/thermal/thermal_zone[0-9]*/cdev[0-9]*_trip_point r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/ r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/mode rw,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/policy rw,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_temp rw,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_type r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/trip_point_[0-9]*_hyst r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/cdev[0-9]*_trip_point r,
 
-  @{sys}/devices/virtual/thermal/cooling_device[0-9]*/ r,
-  @{sys}/devices/virtual/thermal/cooling_device[0-9]*/cur_state rw,
-  @{sys}/devices/virtual/thermal/cooling_device[0-9]*/max_state r,
+  @{sys}/devices/virtual/thermal/cooling_device[@{int}/ r,
+  @{sys}/devices/virtual/thermal/cooling_device@{int}/cur_state rw,
+  @{sys}/devices/virtual/thermal/cooling_device@{int}/max_state r,
 
   @{sys}/devices/virtual/powercap/intel-rapl/ r,
   @{sys}/devices/virtual/powercap/intel-rapl/**/name r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/ r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/* r,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_time_window_us w,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/constraint_*_power_limit_uw w,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/enabled w,
-  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:[0-9]*/intel-rapl:[0-9]*:[0-9]*/{,*} r,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/ r,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/* r,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/constraint_* w,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/enabled w,
+  @{sys}/devices/virtual/powercap/intel-rapl/intel-rapl{,-mmio}:@{int}/intel-rapl:[0-9]*:[0-9]*/{,*} r,
 
   /dev/acpi_thermal_rel rw,
   /dev/input/ r,

apparmor.d/profiles-s-z/thunderbird

@@ -208,8 +208,8 @@ profile thunderbird @{exec_path} {
   deny @{thunderbird_config_dirs}/*.*/pepmda/** rwklmx,
   deny @{thunderbird_lib_dirs}/** w,
   deny /dev/ r,
-  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
   deny /dev/urandom w,
+  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   include if exists <local/thunderbird>
 }

apparmor.d/profiles-s-z/update-alternatives

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -20,6 +21,9 @@ profile update-alternatives @{exec_path} {
   /var/lib/dpkg/alternatives/ r,
   /var/lib/dpkg/alternatives/* rw,
 
+  owner /var/lib/alternatives/ r,
+  owner /var/lib/alternatives/* rw,
+
   @{bin}/* w,
   @{bin}/*.dpkg-tmp rw,
 
@@ -28,7 +32,7 @@ profile update-alternatives @{exec_path} {
 
   /usr/** rw,
 
-  /lib/firmware/* rw,
+  @{lib}/firmware/* rw,
 
   include if exists <local/update-alternatives>
 }

apparmor.d/profiles-s-z/vidcutter

@@ -60,11 +60,6 @@ profile vidcutter @{exec_path} {
   owner @{user_config_dirs}/vidcutter/* rwkl -> @{user_config_dirs}/vidcutter/#@{int},
 
   owner @{user_cache_dirs}/ rw,
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/@{hex} rwl -> @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int},
-  owner @{user_cache_dirs}/qtshadercache-*-little_endian-*/#@{int} rw,
-  owner @{user_cache_dirs}/qtshadercache/ rw,
-  owner @{user_cache_dirs}/qtshadercache/@{hex} rwl -> @{user_cache_dirs}/qtshadercache/#@{int},
-  owner @{user_cache_dirs}/qtshadercache/#@{int} rw,
 
   owner @{user_config_dirs}/qt5ct/{,**} r,
 

apparmor.d/profiles-s-z/vlc-cache-gen

@@ -15,6 +15,9 @@ profile vlc-cache-gen @{exec_path} {
 
   @{lib}/vlc/plugins/{,*} rw,
 
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node@{int}/meminfo r,
+
   # Inherit silencer
   deny network inet6 stream,
   deny network inet stream,

apparmor.d/profiles-s-z/wireplumber

@@ -24,12 +24,12 @@ profile wireplumber @{exec_path} {
   /opt/intel/oneapi/{compiler,lib,mkl}/**/ r,
   /opt/intel/oneapi/{compiler,lib,mkl}/**.so* mr,
 
-  /etc/machine-id r,
-
   /usr/share/alsa-card-profile/{,**} r,
   /usr/share/spa-*/bluez[0-9]*/{,*} r,
   /usr/share/wireplumber/{,**} r,
 
+  /etc/machine-id r,
+
   /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
 
   owner @{user_state_dirs}/ w,