Update various profiles

Signed-off-by: Jeroen Rijken <jeroen.rijken@xs4all.nl>

apparmor.d/profiles-s-z/sensors

@@ -25,12 +25,12 @@ profile sensors @{exec_path} {
   @{sys}/devices/**/hwmon*/{name,temp*,*_input} r,
   @{sys}/devices/**/hwmon*/**/{name,temp*,*_input} r,
   @{sys}/devices/**/hwmon/hwmon@{int}/power@{int}_crit r,
+  @{sys}/devices/**/hwmon/hwmon@{int}/fan@{int}_{label,max,min} r,
   @{sys}/devices/{,platform/*.{i2c,hdmi}/}i2c-@{int}/name r,
   @{sys}/devices/@{pci}/name r,
   @{sys}/devices/platform/**/power_supply/**/hwmon@{int}/curr1_max r,
   @{sys}/devices/virtual/hwmon/hwmon@{int}/ r,
   @{sys}/devices/virtual/hwmon/hwmon@{int}/{name,temp*} r,
-  @{sys}/devices/virtual/hwmon/hwmon@{int}/fan[0-9]_label r,
 
   # file_inherit
   deny @{PROC}/@{pid}/net/dev r,

apparmor.d/profiles-s-z/thermald

@@ -49,6 +49,8 @@ profile thermald @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/**/hwmon@{int}/temp@{int}_{max,crit} r,
   @{sys}/devices/**/path r,
 
+  @{sys}/devices/platform/*/uuids/current_uuid rw,
+
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/product_uuid r,
 

apparmor.d/profiles-s-z/thunderbird

@@ -96,6 +96,7 @@ profile thunderbird @{exec_path} {
   /usr/share/qt5ct/** r,
   /usr/share/sounds/freedesktop/stereo/*.oga r,
   /usr/share/xul-ext/kwallet5/* r,
+  /usr/share/uim/* r,
 
   /etc/@{name}/{,**} r,
   /etc/fstab r,
@@ -104,9 +105,12 @@ profile thunderbird @{exec_path} {
   /etc/timezone r,
   /etc/xul-ext/kwallet5.js r,
 
+  /var/lib/uim/* r,
   owner /var/mail/* rwk,
 
   owner @{HOME}/ r,
+  owner @{HOME}/.uim.d/customs/* r,
+  owner @{HOME}/.XCompose r,
 
   owner @{user_config_dirs}/kwalletrc r,
   owner @{user_config_dirs}/mimeapps.list.* rw,
@@ -116,11 +120,14 @@ profile thunderbird @{exec_path} {
   owner @{user_mail_dirs}/** rwl -> @{user_mail_dirs}/**,
 
   owner @{config_dirs}/ rw,
+  owner @{user_config_dirs}/gtk-3.0/assets/* r,
   owner @{config_dirs}/*/ rw,
   owner @{config_dirs}/*/** rwk,
   owner @{config_dirs}/installs.ini rw,
   owner @{config_dirs}/profiles.ini rw,
 
+  owner @{user_cache_dirs}/gtk-3.0/**/*.cache r,
+
   owner @{cache_dirs}/{,**} rw,
 
         /tmp/ r,
@@ -134,7 +141,8 @@ profile thunderbird @{exec_path} {
   owner /tmp/MozillaMailnews/*.msf rw,
   owner /tmp/Temp-@{uuid}/ rw,
 
-  @{run}/mount/utab r,
+        @{run}/mount/utab r,
+  owner @{run}/user/@{uid}/uim/socket/uim-helper rw,
 
   @{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
   @{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,

apparmor.d/profiles-s-z/thunderbird-vaapitest

@@ -20,7 +20,7 @@ profile thunderbird-vaapitest @{exec_path} {
 
   @{exec_path} mr,
 
-  /etc/igfx_user_feature{,_next}.txt w,
+  /etc/igfx_user_feature{,_next}.txt rw,
 
   owner /tmp/thunderbird/.parentlock rw,
 
@@ -29,4 +29,4 @@ profile thunderbird-vaapitest @{exec_path} {
   deny @{config_dirs}/*/startupCache/** r,
 
   include if exists <local/thunderbird-vaapitest>
-}
+}

apparmor.d/profiles-s-z/update-secureboot-policy

@@ -25,10 +25,12 @@ profile update-secureboot-policy @{exec_path} {
   @{bin}/wc              rix,
   /usr/share/debconf/frontend rPx,
 
+  / r,
+
   /usr/share/debconf/confmodule r,
 
   /var/lib/dkms/ r,
-  /var/lib/shim-signed/dkms-list r,
+  /var/lib/shim-signed/dkms-list rw,
 
   include if exists <local/update-secureboot-policy>
-}
+}

apparmor.d/profiles-s-z/usbguard-daemon

@@ -19,6 +19,9 @@ profile usbguard-daemon @{exec_path} flags=(attach_disconnected) {
 
   network netlink dgram,
 
+  unix (bind, listen) type=stream,
+  unix (bind, connect, listen) type=stream peer=(name=usbguard-dbus, addr=none),
+
   @{exec_path} mr,
 
   /etc/usbguard/*.conf rw,

apparmor.d/profiles-s-z/usbguard-dbus

@@ -10,10 +10,13 @@ include <tunables/global>
 @{exec_path} = @{bin}/usbguard-dbus
 profile usbguard-dbus @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-system>
 
   # Needed?
   deny capability sys_nice,
 
+  unix (send, receive, connect) type=stream peer=(name=usbguard-daemon, addr=@@{int}),
+
   @{exec_path} mr,
   /dev/shm/qb-usbguard-{request,response,event}-@{int}-@{int}-@{int}-{header,data} rw,
   /dev/shm/qb-@{int}-@{int}-@{int}-*/qb-{request,response,event}-usbguard-{header,data} rw,

apparmor.d/profiles-s-z/xinput

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/xinput
 profile xinput @{exec_path} {
   include <abstractions/base>
+  include <abstractions/X-strict>
 
   @{exec_path} mr,