feat(profiles): use /etc read only variable: etc_ro

apparmor.d/groups/gnome/gdm-session-worker

@@ -67,15 +67,15 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   /usr/share/gdm/gdm.schemas r,
   /usr/share/wayland-sessions/*.desktop r,
 
+  @{etc_ro}/environment r,
+  @{etc_ro}/security/limits.d/{,*.conf} r,
   /etc/default/locale r,
-  /etc/environment r,
   /etc/gdm{3,}/custom.conf r,
   /etc/gdm{3,}/daemon.conf r,
   /etc/locale.conf r,
   /etc/machine-id r,
   /etc/motd r,
   /etc/motd.d/ r,
-  /etc/security/limits.d/{,*.conf} r,
   /etc/shells r,
 
   owner @{run}/user/@{uid}/keyring/control rw,

apparmor.d/groups/gnome/gdm-wayland-session

@@ -65,6 +65,7 @@ profile gdm-wayland-session @{exec_path} {
   /{usr/,}bin/gettext.sh r,
   /usr/share/im-config/{,**} r,
 
+  @{etc_ro}/profile.d/{,*} r,
   /etc/debuginfod/{,*} r,
   /etc/default/im-config r,
   /etc/gdm{3,}/custom.conf r,

apparmor.d/groups/gnome/gnome-session-binary

@@ -201,7 +201,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   /usr/share/session-migration/scripts/{,*} r,
 
   /etc/gnome/defaults.list r,
-  /etc/xdg/autostart/{,*.desktop} r,
+  @{etc_ro}/xdg/autostart/{,*.desktop} r,
 
   /var/lib/gdm{3,}/.cache/mesa_shader_cache/index rw,
   /var/lib/gdm{3,}/.config/dconf/user r,

apparmor.d/groups/gnome/gsd-xsettings

@@ -133,8 +133,8 @@ profile gsd-xsettings @{exec_path} {
   /usr/share/libdrm/*.ids r,
 
   /etc/X11/Xsession.options r,
-  /etc/xdg/Xwayland-session.d/ r,
-  /etc/xdg/Xwayland-session.d/* rix,
+  @{etc_ro}/xdg/Xwayland-session.d/ r,
+  @{etc_ro}/xdg/Xwayland-session.d/* rix,
 
   /var/lib/gdm{3,}/.config/dconf/user r,