feat(abs): minor improvments.

apparmor.d/abstractions/bwrap

@@ -4,7 +4,9 @@
 
 # Minimal set of rules for bwrap
 
-# A profile using this abstaction still needs to include: @{bin}/bwrap rix,
+# A profile using this abstaction still needs to set:
+# - the attach_disconnected flag
+# - bwrap execution: '@{bin}/bwrap rix,'
 
   capability net_admin,
   capability setpcap,
@@ -36,10 +38,6 @@
   owner /tmp/newroot/ w,
   owner /tmp/oldroot/ w,
 
-  @{sys}/fs/cgroup/user.slice/cpu.max r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/cpu.max r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
 
         @{PROC}/sys/kernel/overflowgid r,
         @{PROC}/sys/kernel/overflowuid r,

apparmor.d/abstractions/user-read

@@ -5,8 +5,10 @@
 # This abstraction gives read access on all defined user directories. It should
 # only be used if access to **ALL** folders is required.
 
-  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_DESKTOP_DIR}/{,**} r,
   owner @{HOME}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
+  owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
+  owner @{MOUNTS}/@{XDG_DESKTOP_DIR}/{,**} r,
   owner @{MOUNTS}/@{XDG_SCREENSHOTS_DIR}/{,**} r,
   owner @{MOUNTS}/@{XDG_WALLPAPERS_DIR}/{,**} r,