feat(profiles): use /etc read only variable: etc_ro

apparmor.d/groups/cron/cron

@@ -40,8 +40,8 @@ profile cron @{exec_path} {
   /etc/cron.d/{,*} r,
   /etc/crontab r,
   /etc/default/locale r,
-  /etc/environment r,
-  /etc/security/limits.d/{,**} r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,**} r,
 
   /var/spool/cron/crontabs/{,*} r,
 

apparmor.d/groups/cron/cron-exim4-base

@@ -50,7 +50,7 @@ profile cron-exim4-base @{exec_path} {
   owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/1/limits r,
 
-  /etc/security/limits.d/ r,
+  @{etc_ro}/security/limits.d/ r,
 
   include if exists <local/cron-exim4-base>
 }

apparmor.d/groups/cron/cron-popularity-contest

@@ -100,7 +100,7 @@ profile cron-popularity-contest @{exec_path} {
     owner @{PROC}/@{pids}/loginuid r,
           @{PROC}/1/limits r,
 
-    /etc/security/limits.d/ r,
+    @{etc_ro}/security/limits.d/ r,
 
     /var/log/popularity-contest.new w,
 

apparmor.d/groups/freedesktop/xrdb

@@ -22,7 +22,7 @@ profile xrdb @{exec_path} {
 
   /usr/include/stdc-predef.h r,
 
-  /etc/X11/Xresources/x11-common r,
+  @{etc_ro}/Xresources/x11-common r,
 
   # The location of the .Xresources file
   owner @{HOME}/.Xresources r,

apparmor.d/groups/gnome/gdm-session-worker

@@ -67,15 +67,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   /usr/share/gdm/gdm.schemas r,
   /usr/share/wayland-sessions/*.desktop r,
 
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
   /etc/default/locale r,
-  /etc/environment r,
   /etc/gdm{3,}/custom.conf r,
   /etc/gdm{3,}/daemon.conf r,
   /etc/locale.conf r,
   /etc/machine-id r,
   /etc/motd r,
   /etc/motd.d/ r,
-  /etc/security/limits.d/{,*.conf} r,
   /etc/shells r,
 
   owner @{run}/user/@{uid}/keyring/control rw,

apparmor.d/groups/gnome/gdm-wayland-session

@@ -65,6 +65,7 @@ profile gdm-wayland-session @{exec_path} {
   /{usr/,}bin/gettext.sh r,
   /usr/share/im-config/{,**} r,
 
+  @{etc_ro}/profile.d/{,*} r,
   /etc/debuginfod/{,*} r,
   /etc/default/im-config r,
   /etc/gdm{3,}/custom.conf r,

apparmor.d/groups/gnome/gnome-session-binary

@@ -201,7 +201,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   /usr/share/session-migration/scripts/{,*} r,
 
   /etc/gnome/defaults.list r,
-  /etc/xdg/autostart/{,*.desktop} r,
+  @{etc_ro}/xdg/autostart/{,*.desktop} r,
 
   /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
   /var/lib/gdm{3,}/.config/dconf/user r,

apparmor.d/groups/gnome/gsd-xsettings

@@ -133,8 +133,8 @@ profile gsd-xsettings @{exec_path} {
   /usr/share/libdrm/*.ids r,
 
   /etc/X11/Xsession.options r,
-  /etc/xdg/Xwayland-session.d/ r,
-  /etc/xdg/Xwayland-session.d/* rix,
+  @{etc_ro}/xdg/Xwayland-session.d/ r,
+  @{etc_ro}/xdg/Xwayland-session.d/* rix,
 
   /var/lib/gdm{3,}/.config/dconf/user r,
 

apparmor.d/groups/ssh/sshd

@@ -68,15 +68,15 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
 
   /etc/shells r,
   /etc/default/locale r,
-  /etc/environment r,
+  @{etc_ro}/environment r,
   /etc/gss/mech.d/{,*} r,
   /etc/issue.net r,
   /etc/motd r,
-  /etc/security/limits.d/{,*.conf} r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
 
+  @{etc_ro}/ssh/sshd_config r,
+  @{etc_ro}/ssh/sshd_config.d/{,*} r,
   /etc/ssh/ssh_host_* r,
-  /etc/ssh/sshd_config r,
-  /etc/ssh/sshd_config.d/{,*} r,
 
   # For scp
   owner @{user_download_dirs}/{,**} rwl,

apparmor.d/groups/systemd/systemd-environment-d-generator

@@ -19,8 +19,8 @@ profile systemd-environment-d-generator @{exec_path} {
   /{usr/,}bin/gpgconf     rPx,
   /{usr/,}bin/{m,g,}awk   rix,
 
-  /etc/environment r,
-  /etc/environment.d/{,**} r,
+  @{etc_ro}/environment r,
+  @{etc_ro}/environment.d/{,**} r,
 
   owner @{user_config_dirs}/environment.d/{,*.conf} r,