feat(profile): general update.

apparmor.d/groups/browsers/firefox

@@ -166,31 +166,31 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 
         /tmp/ r,
         /var/tmp/ r,
-  owner /tmp/user/@{uid}/ rw,
-  owner /tmp/user/@{uid}/* rwk,
-  owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
-  owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
-  owner /tmp/user/@{uid}/@{name}/ rw,
-  owner /tmp/user/@{uid}/@{name}/* rwk,
+  owner /tmp/.xfsm-ICE-@{rand6} rw,
   owner /tmp/@{name}/ rw,
   owner /tmp/@{name}/* rwk,
   owner /tmp/@{rand6}.tmp r,
+  owner /tmp/@{rand8}.txt w,
+  owner /tmp/* w,  # file downloads (to anywhere)
   owner /tmp/firefox_*/ rw,
   owner /tmp/firefox_*/* rwk,
   owner /tmp/mozilla_*/ rw,
   owner /tmp/mozilla_*/* rw,
-  owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw,
-  owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k,
-  owner /tmp/Mozillato-be-removed-cachePurge-??????????????? rwk,
+  owner /tmp/mozilla-temp-@{int} rw,
   owner /tmp/Mozilla@{uuid}-cachePurge-??????????????? rwk,
   owner /tmp/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk,
+  owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k,
+  owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw,
+  owner /tmp/Mozillato-be-removed-cachePurge-??????????????? rwk,
   owner /tmp/Temp-@{uuid}/{**,} rw,
-  owner /tmp/mozilla-temp-@{int} rw,
-  owner /tmp/@{rand8}.txt w,
   owner /tmp/tmp-???.xpi rw,
-  owner /tmp/.xfsm-ICE-@{rand6} rw,
   owner /tmp/tmpaddon r,
-  owner /tmp/* w,  # file downloads (to anywhere)
+  owner /tmp/user/@{uid}/ rw,
+  owner /tmp/user/@{uid}/@{name}/ rw,
+  owner /tmp/user/@{uid}/@{name}/* rwk,
+  owner /tmp/user/@{uid}/* rwk,
+  owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
+  owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
 
   @{run}/mount/utab r,
 

apparmor.d/groups/freedesktop/pulseaudio

@@ -22,6 +22,7 @@ profile pulseaudio @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gstreamer>

apparmor.d/groups/kde/sddm

@@ -81,6 +81,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{bin}/startplasma-wayland  rPx,
   @{bin}/startplasma-x11      rPx,
   @{bin}/systemctl            rPx -> child-systemctl,
+  @{bin}/unix_chkpwd          rPx,
   @{bin}/xrdb                 rPx,
   @{bin}/xset                 rPx,
   @{etc_ro}/X11/xdm/Xsession  rPx,

apparmor.d/groups/kde/utempter

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/utempter/utempter
-profile utempter @{exec_path} {
+profile utempter @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>

apparmor.d/groups/network/ModemManager

@@ -16,6 +16,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/devices-usb>
   include <abstractions/dri-enumerate>
 
+  capability net_admin,
+
   network qipcrtr dgram,
   network netlink raw,
 

apparmor.d/groups/service/init-exim4

@@ -15,7 +15,13 @@ profile init-exim4 @{exec_path} {
   capability dac_read_search,
   capability fowner,
   capability fsetid,
+  capability kill,
   capability net_admin,
+  capability sys_ptrace,
+
+  signal (send) peer=exim4,
+
+  ptrace (read) peer=@{systemd},
 
   @{exec_path} mr,
 
@@ -45,7 +51,7 @@ profile init-exim4 @{exec_path} {
 
   /var/lib/exim4/* rw,
 
-  owner @{run}/exim4/{,**} rw,
+  @{run}/exim4/{,**} rw,
 
   include if exists <local/init-exim4>
 }