feat(profile): small improvement for snap.

apparmor.d/groups/snap/snap

@@ -18,6 +18,8 @@ profile snap @{exec_path} flags=(attach_disconnected) {
   include <abstractions/disks-read>
   include <abstractions/nameservice-strict>
 
+  capability chown,
+  capability dac_override,
   capability dac_read_search,
   capability setuid,
   capability sys_admin,
@@ -70,10 +72,10 @@ profile snap @{exec_path} flags=(attach_disconnected) {
   @{DESKTOP_HOME}/snap/{,**} rw,
   /snap/{,**} rw,
 
+  @{HOME}/ r,
+  @{HOME}/.snap.mkdir-new/ rw,
+  @{HOME}/.snap/{,**} rw,
   @{HOME}/snap/{,**} rw,
-  owner @{HOME}/ r,
-  owner @{HOME}/.snap.mkdir-new/ rw,
-  owner @{HOME}/.snap/{,**} rw,
 
   owner @{tmp}/snapd-auto-import-mount-@{int}/ rw,
 
@@ -102,7 +104,11 @@ profile snap @{exec_path} flags=(attach_disconnected) {
   /dev/tty@{int} rw,
   /dev/ttyS@{int} rw,
 
-  deny @{user_share_dirs}/gvfs-metadata/* r,
+  /apparmor/.null rw,
+
+  # file_inherit, safe to deny
+  deny owner @{user_share_dirs}/gvfs-metadata/* r,
+  deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
 
   profile gpg {
     include <abstractions/base>

apparmor.d/groups/snap/snap-seccomp

@@ -27,7 +27,11 @@ profile snap-seccomp @{exec_path} flags=(attach_disconnected) {
 
   owner @{PROC}/@{pids}/mountinfo r,
 
-  deny @{user_share_dirs}/gvfs-metadata/* r,
+  /apparmor/.null rw,
+
+  # file_inherit, safe to deny
+  deny owner @{user_share_dirs}/gnome-shell/session.gvdb rw,
+  deny owner @{user_share_dirs}/gvfs-metadata/* r,
 
   include if exists <local/snap-seccomp>
 }