feat(profile): minor update & cosmetic.

apparmor.d/abstractions/app/firefox

@@ -26,7 +26,7 @@
   include <abstractions/desktop>
   include <abstractions/enchant>
   include <abstractions/fontconfig-cache-read>
-  include <abstractions/graphics-full>
+  include <abstractions/graphics>
   include <abstractions/gstreamer>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
@@ -126,6 +126,8 @@
         @{sys}/devices/**/uevent r,
         @{sys}/devices/power/events/energy-* r,
         @{sys}/devices/power/type r,
+        @{sys}/devices/virtual/dmi/id/product_name r,
+        @{sys}/devices/virtual/dmi/id/product_sku r,
         @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
         @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{word}.scope/cpu.max r,
   owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,

apparmor.d/abstractions/common/game

@@ -6,9 +6,9 @@
 # wine, proton, game launchers should use this abstraction.
 
 # This abstraction uses the following tunables:
-# - @{XDG_GAMESSTUDIO_DIR} for game studio and game engines specific directories
+# - @{XDG_GAMESSTUDIO_DIR}/ for game studio and game engines specific directories
 #   (Default: @{XDG_GAMESSTUDIO_DIR}="unity3d")
-# - @{user_games_dirs} for user specific game directories (eg: steam storage dir)
+# - @{user_games_dirs}/ for user specific game directories (eg: steam storage dir)
 
   abi <abi/4.0>,
 

apparmor.d/groups/apparmor/aa-log

@@ -21,8 +21,6 @@ profile aa-log @{exec_path} {
   /var/log/audit/* r,
   /var/log/syslog* r,
 
-  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
-
   /dev/tty@{int} rw,
 
   profile journalctl {

apparmor.d/groups/apparmor/aa-status

@@ -22,8 +22,8 @@ profile aa-status @{exec_path} {
   @{sys}/module/apparmor/parameters/enabled r,
 
         @{PROC}/ r,
-        @{PROC}/@{pids}/attr/apparmor/current r,
+        @{PROC}/@{pid}/attr/apparmor/current r,
-        @{PROC}/@{pids}/attr/current r,
+        @{PROC}/@{pid}/attr/current r,
   owner @{PROC}/@{pid}/mounts r,
 
   /dev/tty@{int} rw,

apparmor.d/groups/bluetooth/bluetoothd

@@ -45,6 +45,7 @@ profile bluetoothd @{exec_path} flags=(attach_disconnected) {
 
         @{run}/sdp rw,
   owner @{run}/systemd/notify w,
+
   @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
 
   @{sys}/devices/@{pci}/rfkill@{int}/name r,

apparmor.d/groups/bluetooth/obexd

@@ -31,6 +31,8 @@ profile obexd @{exec_path} {
 
   owner @{HOME}/bluetooth/* rw,
 
+  @{run}/systemd/users/@{uid} r,
+
   include if exists <local/obexd>
 }
 

apparmor.d/groups/gnome/evolution-calendar-factory

@@ -71,8 +71,8 @@ profile evolution-calendar-factory @{exec_path} {
   owner @{user_cache_dirs}/evolution/tasks/{,**} rwk,
 
   owner @{user_share_dirs}/evolution/calendar/{,**} rwk,
-  owner @{user_share_dirs}/evolution/tasks/system/ w,
+  owner @{user_share_dirs}/evolution/memos/system/{,**} rw,
-  owner @{user_share_dirs}/evolution/tasks/system/tasks.ics* rw,
+  owner @{user_share_dirs}/evolution/tasks/system/{,**} rw,
   owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   @{PROC}/sys/kernel/osrelease r,

apparmor.d/groups/gnome/gsd-color

@@ -45,7 +45,7 @@ profile gsd-color @{exec_path} flags=(attach_disconnected) {
   owner @{GDM_HOME}/greeter-dconf-defaults r,
   owner @{gdm_config_dirs}/dconf/user r,
   owner @{gdm_share_dirs}/icc/ rw,
-  owner @{gdm_share_dirs}/icc/edid-@{hex32}icc rw,
+  owner @{gdm_share_dirs}/icc/edid-@{hex32}.icc rw,
 
   owner @{user_share_dirs}/icc/ rw,
   owner @{user_share_dirs}/icc/edid-@{hex32}.icc rw,

apparmor.d/groups/gnome/org.gnome.NautilusPreviewer

@@ -39,6 +39,7 @@ profile org.gnome.NautilusPreviewer @{exec_path} flags=(attach_disconnected) {
 
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
 
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/memory.* r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*org.gnome.NautilusPreviewer.slice/*/memory.* r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/dbus.service/memory.* r,
 

apparmor.d/groups/grub/grub-mkconfig

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{sbin}/grub-mkconfig
+@{exec_path} = @{sbin}/grub-mkconfig @{sbin}/grub2-mkconfig
 profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/kde/ksmserver-logout-greeter

@@ -53,7 +53,6 @@ profile ksmserver-logout-greeter @{exec_path} flags=(attach_disconnected) {
 
         @{PROC}/sys/dev/i915/perf_stream_paranoid r,
   owner @{PROC}/@{pid}/exe r,
-  owner @{PROC}/@{pid}/status r,
 
   include if exists <local/ksmserver-logout-greeter>
 }

apparmor.d/groups/ssh/sshd

@@ -29,8 +29,8 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 
   capability audit_write,
   capability chown,
-  capability dac_read_search,
   capability dac_override,
+  capability dac_read_search,
   capability fowner,
   capability kill,
   capability net_bind_service,
@@ -50,9 +50,11 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   network inet6 dgram,
   network netlink raw,
 
-  signal (receive) set=(hup) peer=@{p_systemd},
+  unix type=stream peer=(label=sshd-session),
 
-  ptrace (read,trace) peer=@{p_systemd},
+  signal receive set=hup peer=@{p_systemd},
+
+  ptrace (read trace) peer=@{p_systemd},
 
   dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.login1.Manager

apparmor.d/groups/systemd-generators/systemd-generator-ssh

@@ -30,8 +30,12 @@ profile systemd-generator-ssh @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/system/ r,
   @{run}/systemd/transient/ r,
 
+  @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
   @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/firmware/dmi/entries/*/raw r,
 
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/1/cgroup r,

apparmor.d/groups/systemd-generators/systemd-generator-tpm2

@@ -15,6 +15,7 @@ profile systemd-generator-tpm2 @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{sys}/class/tpmrm/ r,
+  @{sys}/devices/**/tpm/tpm@{int}/tpm_version_major r,
 
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/1/cgroup r,

apparmor.d/groups/systemd/systemd-localed

@@ -21,6 +21,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   /usr/share/kbd/keymaps/{,**} r,
+  /usr/share/xkeyboard-config-2/{,**} r,
   /usr/share/systemd/*-map r,
   /usr/share/X11/xkb/{,**} r,
   /usr/share/xkeyboard-config-2/{,**} r,

apparmor.d/groups/utils/lspci

@@ -13,12 +13,8 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
-  capability sys_admin,
-
   @{exec_path} mr,
 
-  /app/lib/libzypak-preload-host*.so rm,
-
   /usr/share/hwdata/pci.ids r,
   /usr/share/misc/pci.ids r,
   /usr/share/misc/pci.ids.gz r,

apparmor.d/profiles-a-f/fwupd

@@ -52,6 +52,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   /usr/share/hwdata/* r,
   /usr/share/libdrm/*.ids r,
   /usr/share/mime/mime.cache r,
+  /usr/share/misc/*.ids r,
 
   /etc/fwupd/{,**} rw,
   /etc/lsb-release r,

apparmor.d/profiles-g-l/haveged

@@ -23,7 +23,6 @@ profile haveged @{exec_path} {
   @{PROC}/sys/kernel/osrelease r,
   @{PROC}/sys/kernel/random/poolsize r,
   @{PROC}/sys/kernel/random/write_wakeup_threshold w,
-  owner @{PROC}/@{pid}/status r,
 
   /dev/random w,
 

apparmor.d/profiles-g-l/linuxqq

@@ -29,7 +29,7 @@ profile linuxqq @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mrix,
 
   @{sh_path}  r,
-  @{bin}/grep rix,
+  @{bin}/{,e}grep rix,
   @{lib_dirs}/chrome_crashpad_handler ix,
   @{lib_dirs}/resources/app/{,**} m,
   @{open_path} rPx -> child-open-strict,

apparmor.d/profiles-m-r/mandb

@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/mandb
-profile mandb @{exec_path} flags=(complain) {
+profile mandb @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
@@ -20,9 +20,6 @@ profile mandb @{exec_path} flags=(complain) {
   /etc/man_db.conf r,
   /etc/manpath.config r,
 
-  /var/cache/man/ r,
-  /var/cache/man/** rwk,
-
   /usr/share/man/{,**} r,
   /usr/local/man/{,**} r,
   /usr/local/share/man/{,**} r,
@@ -32,6 +29,9 @@ profile mandb @{exec_path} flags=(complain) {
 
   /usr/share/**/man/man@{u8}/*.@{int}.gz r,
 
+  owner /var/cache/man/ rw,
+  owner /var/cache/man/** rwk,
+
   owner @{user_share_dirs}/man/** rwk,
 
   include if exists <local/mandb>

apparmor.d/profiles-m-r/mimetype

@@ -13,7 +13,6 @@ profile mimetype @{exec_path} {
   include <abstractions/perl>
 
   @{exec_path} r,
-  /usr/bin/perl r,
 
   /usr/share/mime/**.xml r,
   /usr/share/mime/globs r,

apparmor.d/profiles-m-r/needrestart-notify

@@ -13,7 +13,7 @@ profile needrestart-notify @{exec_path} {
   capability dac_read_search,
   capability sys_ptrace,
 
-  ptrace read peer=unconfined,
+  ptrace read,
 
   @{exec_path} mr,
 

apparmor.d/profiles-m-r/pam-auth-update

@@ -14,8 +14,9 @@ profile pam-auth-update @{exec_path} flags=(complain) {
 
   @{exec_path} mrix,
 
-  @{bin}/md5sum  ix,
   @{bin}/cp      ix,
+  @{bin}/md5sum  ix,
+  @{bin}/stty    ix,
 
   /usr/share/pam{,-configs}/{,*} r,
 

apparmor.d/profiles-m-r/pcscd

@@ -16,13 +16,13 @@ profile pcscd @{exec_path} {
 
   network netlink raw,
 
-  ptrace (read) peer=@{p_systemd_user},
+  ptrace read peer=@{p_systemd_user},
-  ptrace (read) peer=gsd-smartcard,
+  ptrace read peer=gsd-smartcard,
-  ptrace (read) peer=keepassxc,
+  ptrace read peer=keepassxc,
-  ptrace (read) peer=pkcs11-register,
+  ptrace read peer=pkcs11-register,
-  ptrace (read) peer=rngd,
+  ptrace read peer=rngd,
-  ptrace (read) peer=scdaemon,
+  ptrace read peer=scdaemon,
-  ptrace (read) peer=veracrypt,
+  ptrace read peer=veracrypt,
 
   @{exec_path} mr,