feat(profiles): general update.

apparmor.d/groups/ssh/ssh-agent

@@ -17,34 +17,26 @@ profile ssh-agent @{exec_path} {
 
   @{exec_path} mr,
 
-  owner /tmp/ssh-*/ rw,
-  owner /tmp/ssh-*/agent.* rw,
-
-  # When SSH agent is not used with GPG
+  /{usr/,}bin/enlightenment_start  rPUx,
+  /{usr/,}bin/gpg-agent             rPx,
+  /{usr/,}bin/kwalletaskpass       rPUx,
   /{usr/,}bin/openbox-session       rPx,
   /{usr/,}bin/startkde             rPUx,
   /{usr/,}bin/sway                 rPUx,
-  /{usr/,}bin/enlightenment_start  rPUx,
 
-  # SSH keys
   owner @{HOME}/@{XDG_SSH_DIR}/ rw,
   owner @{HOME}/@{XDG_SSH_DIR}/* r,
+  owner @{HOME}/.xsession-errors w,
   owner @{user_projects_dirs}/**/ssh/{,*} r,
 
-  # When started via systemd
+  owner /tmp/ssh-*/ rw,
+  owner /tmp/ssh-*/agent.* rw,
+
   @{run}/user/@{uid}/openssh_agent rw,
-
-  # askpass apps
-  #/{usr/,}lib/ssh/x11-ssh-askpass rPUx,
-  #/{usr/,}bin/ksshaskpass         rPUx,
-  /{usr/,}bin/kwalletaskpass       rPUx,
-
-  # file_inherit
-  owner /dev/tty[0-9]* rw,
-  owner @{HOME}/.xsession-errors w,
-
   @{run}/user/@{uid}/keyring/.ssh rw,
   @{run}/user/@{uid}/ssh-agent.[0-9A-Z]* w,
 
+  owner /dev/tty[0-9]* rw,
+
   include if exists <local/ssh-agent>
 }

apparmor.d/groups/ssh/sshd

@@ -84,28 +84,28 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/@{XDG_SSH_DIR}/authorized_keys{,.*} r,
 
-  owner @{run}/sshd{,.init}.pid wl,
+        @{run}/faillock/[a-zA-z0-9]* rwk,
         @{run}/motd.d/{,*} r,
         @{run}/motd.dynamic rw,
         @{run}/motd.dynamic.new rw,
         @{run}/resolvconf/resolv.conf r,
         @{run}/systemd/notify w,
         @{run}/systemd/sessions/*.ref rw,
-        @{run}/faillock/[a-zA-z0-9]* rwk,
+  owner @{run}/sshd{,.init}.pid wl,
 
   @{sys}/fs/cgroup/*/user/*/[0-9]*/ rw,
   @{sys}/fs/cgroup/systemd/user.slice/user-@{uid}.slice/session-*.scope/ rw,
 
+        @{PROC}/@{pids}/fd/ r,
+        @{PROC}/1/environ r,
+        @{PROC}/cmdline r,
+        @{PROC}/sys/kernel/ngroups_max r,
   owner @{PROC}/@{pid}/limits r,
   owner @{PROC}/@{pid}/loginuid rw,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/oom_adj rw,
   owner @{PROC}/@{pid}/oom_score_adj rw,
   owner @{PROC}/@{pid}/uid_map r,
-        @{PROC}/@{pids}/fd/ r,
-        @{PROC}/1/environ r,
-        @{PROC}/cmdline r,
-        @{PROC}/sys/kernel/ngroups_max r,
 
   /dev/ptmx rw,
 

apparmor.d/groups/systemd/systemd-binfmt

@@ -21,12 +21,12 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
   @{run}/binfmt.d/{,*.conf} r,
   /usr/lib/binfmt.d/{,*.conf} r,
 
-  owner @{PROC}/@{pid}/stat r,
         @{PROC}/1/environ r,
         @{PROC}/cmdline r,
-        @{PROC}/sys/fs/binfmt_misc/status w,
         @{PROC}/sys/fs/binfmt_misc/register w,
+        @{PROC}/sys/fs/binfmt_misc/status w,
         @{PROC}/sys/kernel/osrelease r,
+  owner @{PROC}/@{pid}/stat r,
 
   deny /apparmor/.null rw,
 

apparmor.d/groups/systemd/systemd-resolved

@@ -50,10 +50,10 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
   /etc/systemd/resolved.conf r,
   /etc/systemd/resolved.conf.d/{,*} r,
 
-  owner @{run}/systemd/journal/socket w,
         @{run}/systemd/netif/links/* r,
         @{run}/systemd/notify rw,
         @{run}/systemd/resolve/{,**} rw,
+  owner @{run}/systemd/journal/socket w,
 
   @{PROC}/sys/kernel/hostname r,
   @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

apparmor.d/groups/ubuntu/apport-gtk

@@ -30,7 +30,7 @@ profile apport-gtk @{exec_path} {
 
   @{exec_path} mr,
 
-  @{libexec}/colord-sane            rPx,
+  @{libexec}/{,colord/}colord-sane  rPx,
   /{usr/,}{s,}bin/killall5          rix,
   /{usr/,}bin/{,ba,da}sh            rix,
   /{usr/,}bin/{f,}grep              rix,

apparmor.d/groups/virt/libvirtd

@@ -78,6 +78,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   signal (send) peer=dnsmasq,
   signal (send) set=(kill, term) peer=virtiofsd,
   signal (send) set=(term) peer=libvirtd//qemu_bridge_helper,
+  signal (send) set=(term) peer=swtpm,
 
   unix (send, receive) type=stream addr=none peer=(label=libvirt-@{uuid}),
   unix (send, receive) type=stream addr=none peer=(label=libvirtd//qemu_bridge_helper),