update apparmor profiles

apparmor.d/abstractions/fontconfig-cache-read

@@ -28,17 +28,22 @@
        /var/cache/fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} r,
        /var/cache/fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} r,
 
+  #owner @{HOME}/.fonts/ r,
+  deny  @{HOME}/.fonts/ w,
+  owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*}  r,
+  deny  @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*}  w,
+
   # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
   # identify the font directory and is used to determine the cache filename if available.
+  #    owner /usr/local/share/fonts/ r,
        owner /usr/local/share/fonts/.uuid r,
   deny       /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} w,
              /usr/share/**/.uuid  r,
   deny       /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*}  w,
 
-  # For Google Fonts downloaded via font-manager
-       owner "@{user_share_dirs}/fonts/Google Fonts/.uuid" r,
-  deny       "@{user_share_dirs}/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" w,
-       owner "@{user_share_dirs}/fonts/Google Fonts/**/.uuid" r,
-  deny       "@{user_share_dirs}/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,
+  # For fonts downloaded via font-manager
+  #    owner "@{user_share_dirs}/fonts/ r,
+       owner "@{user_share_dirs}/fonts/**/.uuid" r,
+  deny       "@{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" w,
 
-  include if exists <abstractions/fontconfig-cache-read.d>
+  include if exists <abstractions/fontconfig-cache-read.d>

apparmor.d/abstractions/fontconfig-cache-write

@@ -12,17 +12,23 @@
   owner @{HOME}/.fontconfig/CACHEDIR.TAG{,.NEW,.LCK,.TMP-*} rw,
   owner @{HOME}/.fontconfig/[a-f0-9]*.cache-?{,.NEW,.LCK,.TMP-*} rwk,
 
+  owner @{HOME}/.fonts/ rw,
+   link @{HOME}/.fonts/.uuid.LCK -> @{HOME}/.fonts/.uuid.TMP-*,
+  owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*}  r,
+  owner @{HOME}/.fonts/.uuid{,.NEW,.LCK,.TMP-*}  w,
+
   # This is to create .uuid file containing an UUID at a font directory. The UUID will be used to
   # identify the font directory and is used to determine the cache filename if available.
+  owner /usr/local/share/fonts/ rw,
   owner /usr/local/share/fonts/.uuid{,.NEW,.LCK,.TMP-*} rw,
    link /usr/local/share/fonts/.uuid.LCK -> /usr/local/share/fonts/.uuid.TMP-*,
+  # Should writing to these dirs be blocked?
         /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*}  r,
   deny  /usr/share/**/.uuid{,.NEW,.LCK,.TMP-*}  w,
 
-  # For Google Fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
-  owner "@{user_share_dirs}/fonts/Google Fonts/.uuid{,.NEW,.LCK,.TMP-*}" rw,
-   link "@{user_share_dirs}/fonts/Google Fonts/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/.uuid.TMP-*",
-  owner "@{user_share_dirs}/fonts/Google Fonts/**/.uuid{,.NEW,.LCK,.TMP-*}" rw,
-   link "@{user_share_dirs}/fonts/Google Fonts/**/.uuid.LCK" -> "/home/*/.local/share/fonts/Google Fonts/**/.uuid.TMP-*",
+  # For fonts downloaded via font-manager (###FIXME### when they fix resolving of vars)
+  owner @{user_share_dirs}/fonts/ rw,
+  owner @{user_share_dirs}/fonts/**/.uuid{,.NEW,.LCK,.TMP-*} rw,
+   link @{user_share_dirs}/fonts/**/.uuid.LCK -> /home/*/.local/share/fonts/**/.uuid.TMP-*,
 
-  include if exists <abstractions/fontconfig-cache-write.d>
+  include if exists <abstractions/fontconfig-cache-write.d>

apparmor.d/abstractions/video

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2021 Mikhail Morfikov
+# SPDX-License-Identifier: GPL-2.0-only
+
+  abi <abi/3.0>,
+
+  # System devices
+  @{sys}/class/video4linux/ r,
+  @{sys}/class/video4linux/** r,
+
+  owner /dev/shm/libv4l-* rw,
+        /dev/video[0-9]* rw,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/video4linux/video[0-9]*/dev r,
+  @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/{modalias,speed} r,
+
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_{name,version} r,
+  @{sys}/devices/virtual/dmi/id/board_{vendor,name,version} r,
+
+  # Include additions to the abstraction
+  include if exists <abstractions/video.d>