feat(profile): minor update & cosmetic.

apparmor.d/groups/apparmor/aa-log

@@ -21,8 +21,6 @@ profile aa-log @{exec_path} {
   /var/log/audit/* r,
   /var/log/syslog* r,
 
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
   /dev/tty@{int} rw,
 
   profile journalctl {

apparmor.d/groups/apparmor/aa-status

@@ -22,8 +22,8 @@ profile aa-status @{exec_path} {
   @{sys}/module/apparmor/parameters/enabled r,
 
         @{PROC}/ r,
-        @{PROC}/@{pids}/attr/apparmor/current r,
-        @{PROC}/@{pids}/attr/current r,
+        @{PROC}/@{pid}/attr/apparmor/current r,
+        @{PROC}/@{pid}/attr/current r,
   owner @{PROC}/@{pid}/mounts r,
 
   /dev/tty@{int} rw,

apparmor.d/groups/bluetooth/bluetoothd

@@ -45,7 +45,8 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
 
         @{run}/sdp rw,
   owner @{run}/systemd/notify w,
-        @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
+
+  @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
 
   @{sys}/devices/@{pci}/rfkill@{int}/name r,
   @{sys}/devices/@{pci}/**/{uevent,name} r,

apparmor.d/groups/bluetooth/obexd

@@ -31,6 +31,8 @@ profile obexd @{exec_path} {
 
   owner @{HOME}/bluetooth/* rw,
 
+  @{run}/systemd/users/@{uid} r,
+
   include if exists <local/obexd>
 }
 

apparmor.d/groups/gnome/evolution-calendar-factory

@@ -71,8 +71,8 @@ profile evolution-calendar-factory @{exec_path} {
   owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
 
   owner @{user_share_dirs}/evolution/calendar/{,**} rwk,
-  owner @{user_share_dirs}/evolution/tasks/system/ w,
-  owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw,
+  owner @{user_share_dirs}/evolution/memos/system/{,**} rw,
+  owner @{user_share_dirs}/evolution/tasks/system/{,**} rw,
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   @{PROC}/sys/kernel/osrelease r,

apparmor.d/groups/gnome/gnome-initial-setup

@@ -42,7 +42,7 @@ profile gnome-initial-setup @{exec_path} {
   @{bin}/dpkg    rPx -> child-dpkg,
   @{bin}/locale  rix,
   @{bin}/lscpu   rPx,
-  @{bin}/lspci  rPx,
+  @{bin}/lspci   rPx,
   @{bin}/xrandr  rPx,
 
   @{lib}/gnome-initial-setup-goa-helper rix,

apparmor.d/groups/gnome/gsd-color

@@ -45,7 +45,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
   owner @{GDM_HOME}/greeter-dconf-defaults r,
   owner @{gdm_config_dirs}/dconf/user r,
   owner @{gdm_share_dirs}/icc/ rw,
-  owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw,
+  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
 
   owner @{user_share_dirs}/icc/ rw,
   owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,

apparmor.d/groups/gnome/org.gnome.NautilusPreviewer

@@ -39,6 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
 
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
 
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
 

apparmor.d/groups/grub/grub-mkconfig

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{sbin}/grub-mkconfig
+@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig
 profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/kde/ksmserver-logout-greeter

@@ -53,7 +53,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
 
         @{PROC}/sys/dev/i915/perf_stream_paranoid r,
   owner @{PROC}/@{pid}/exe r,
-  owner @{PROC}/@{pid}/status r,
 
   include if exists <local/ksmserver-logout-greeter>
 }

apparmor.d/groups/ssh/sshd

@@ -29,8 +29,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 
   capability audit_write,
   capability chown,
-  capability dac_read_search,
   capability dac_override,
+  capability dac_read_search,
   capability fowner,
   capability kill,
   capability net_bind_service,
@@ -50,9 +50,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   network inet6 dgram,
   network netlink raw,
 
-  signal (receive) set=(hup) peer=@{p_systemd},
+  unix type=stream peer=(label=sshd-session),
 
-  ptrace (read,trace) peer=@{p_systemd},
+  signal receive set=hup peer=@{p_systemd},
+
+  ptrace (read trace) peer=@{p_systemd},
 
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager

apparmor.d/groups/systemd-generators/systemd-generator-ssh

@@ -30,8 +30,12 @@ profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/system/ r,
   @{run}/systemd/transient/ r,
 
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
   @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/firmware/dmi/entries/*/raw r,
 
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/1/cgroup r,

apparmor.d/groups/systemd-generators/systemd-generator-tpm2

@@ -15,6 +15,7 @@ profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{sys}/class/tpmrm/ r,
+  @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r,
 
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/1/cgroup r,

apparmor.d/groups/systemd/systemd-localed

@@ -21,6 +21,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   /usr/share/kbd/keymaps/{,**} r,
+  /usr/share/xkeyboard-config-2/{,**} r,
   /usr/share/systemd/*-map r,
   /usr/share/X11/xkb/{,**} r,
   /usr/share/xkeyboard-config-2/{,**} r,

apparmor.d/groups/utils/lspci

@@ -13,12 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
-  capability sys_admin,
-
   @{exec_path} mr,
 
-  /app/lib/libzypak-preload-host*.so rm,
-
   /usr/share/hwdata/pci.ids r,
   /usr/share/misc/pci.ids r,
   /usr/share/misc/pci.ids.gz r,