feat(profile): cleanup log from well known programs.

apparmor.d/groups/freedesktop/xdg-mime

@@ -59,6 +59,12 @@ profile xdg-mime @{exec_path} flags=(attach_disconnected) {
 
   /dev/tty rw,
 
+  # file_inherit
+  deny /opt/*/** r,
+  deny owner @{user_config_dirs}/*/** rw,
+  deny owner @{tmp}/.org.chromium.Chromium.@{rand6} rw,
+  deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+
   profile bus flags=(complain) {
     include <abstractions/base>
     include <abstractions/app/bus>

apparmor.d/groups/utils/blkid

@@ -34,8 +34,6 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
   @{run}/blkid/blkid.tab{,-@{rand6}} rw,
   @{run}/blkid/blkid.tab.old rwl -> @{run}/blkid/blkid.tab,
 
-  @{run}/cloud-init/ds-identify.log w, # file_inherit
-
   @{PROC}/@{pid}/mounts r,
   @{PROC}/partitions r,
   @{PROC}/swaps r,
@@ -47,6 +45,9 @@ profile blkid @{exec_path} flags=(attach_disconnected) {
 
   owner /dev/tty@{int} rw,
 
+  # file_inherit
+  deny @{run}/cloud-init/ds-identify.log w,
+
   include if exists <local/blkid>
 }
 

apparmor.d/groups/utils/lspci

@@ -45,7 +45,9 @@ profile lspci @{exec_path} flags=(attach_disconnected) {
   @{PROC}/cmdline r,
   @{PROC}/ioports r,
 
-  deny @{user_share_dirs}/gvfs-metadata/* r,
+  # file_inherit
+  deny owner @{user_share_dirs}/gvfs-metadata/* r,
+  deny owner @{user_cache_dirs}/*/** rw,
 
   include if exists <local/lspci>
 }

apparmor.d/profiles-g-l/gsettings

@@ -23,6 +23,14 @@ profile gsettings @{exec_path} flags=(attach_disconnected) {
   owner @{desktop_config_dirs}/dconf/user rw,
   owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
 
+  # file_inherit
+  deny network netlink raw,
+  deny /etc/nsswitch.conf r,
+  deny /etc/passwd r,
+  deny /opt/*/** r,
+  deny owner @{user_config_dirs}/[^d]*/** rw, # all but dconf
+  deny owner /dev/shm/.org.chromium.Chromium.@{rand6} rw,
+
   include if exists <local/gsettings>
 }