feat(profiles): general update.

apparmor.d/groups/gnome/gdm

@@ -26,13 +26,17 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/plymouth            rPx,
-  /{usr/,}lib/gdm-session-worker  rPx,
-
+  /{usr/,}{s,}prime-switch       rPx,
+  /{usr/,}bin/{,ba,da}sh         rix,
+  /{usr/,}bin/plymouth           rPx,
+  /etc/gdm{3,}/PrimeOff/Default  rix,
+  @{libexec}/gdm-session-worker  rPx,
+  
   /usr/share/gdm/gdm.schemas r,
   /usr/share/wayland-sessions/*.desktop r,
   /usr/share/xsessions/*.desktop r,
 
+  /etc/default/locale r,
   /etc/gdm{3,}/custom.conf r,
   /etc/locale.conf r,
 
@@ -49,6 +53,7 @@ profile gdm @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/users/@{uid} r,
   @{run}/udev/tags/master-of-seat/ r,
 
+  @{sys}/devices/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/boot_vga r,
   @{sys}/devices/virtual/tty/tty[0-9]*/active r,
 

apparmor.d/groups/gnome/gdm-session-worker

@@ -45,6 +45,10 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   @{libexec}/gdm-wayland-session          rPx,
   @{libexec}/gdm-x-session                rPx,
   /etc/gdm{3,}/{Pre,Post}Session/Default  rix,
+  /etc/gdm{3,}/PrimeOff/Default           rix,
+
+  /usr/share/gdm/gdm.schemas r,
+  /usr/share/wayland-sessions/*.desktop r,
 
   /etc/default/locale r,
   /etc/environment r,
@@ -56,8 +60,7 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   /etc/security/limits.d/{,*.conf} r,
   /etc/shells r,
 
-  /usr/share/gdm/gdm.schemas r,
-  /usr/share/wayland-sessions/*.desktop r,
+  owner @{run}/user/@{uid}/keyring/control rw,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,
   @{run}/gdm/custom.conf r,
@@ -65,8 +68,6 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/users/@{uid} r,
   @{run}/utmp rwk,
 
-  @{run}/systemd/userdb/io.systemd.DynamicUser w,
-
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid rw,
   owner @{PROC}/@{pid}/task/@{tid}/attr/exec rw,

apparmor.d/groups/gnome/gdm-wayland-session

@@ -22,18 +22,19 @@ profile gdm-wayland-session @{exec_path} {
 
   @{exec_path} mr,
 
-  # It can run hooks, how to handle them nicely? rCx? them mostly include if exist
-
   /{usr/,}bin/{,ba,da}sh           rix,
   /{usr/,}bin/env                  rix,
+  /{usr/,}bin/gettext              rix,
   /{usr/,}bin/gnome-session        rix,
   /{usr/,}bin/grep                 rix,
   /{usr/,}bin/gsettings            rix,
+  /{usr/,}bin/head                 rix,
   /{usr/,}bin/locale               rix,
   /{usr/,}bin/locale-check         rix,
+  /{usr/,}bin/qmake                rix,
   /{usr/,}bin/sed                  rix,
+  /{usr/,}bin/sort                 rix,
   /{usr/,}bin/tty                  rix,
-  /{usr/,}bin/gettext              rix,
   /{usr/,}bin/zsh                  rix,
 
   /{usr/,}bin/dbus-daemon          rPx,
@@ -42,12 +43,14 @@ profile gdm-wayland-session @{exec_path} {
   /{usr/,}bin/flatpak             rPUx,
   @{libexec}/gnome-session-binary  rPx,
 
+  /{usr/,}bin/gettext.sh r,
   /usr/share/im-config/{,**} r,
 
   /etc/default/im-config r,
   /etc/gdm{3,}/custom.conf r,
   /etc/machine-id r,
   /etc/shells r,
+  /etc/X11/xinit/xinputrc r,
   /etc/X11/Xsession.d/*im-config_launch r,
 
   /usr/share/gdm/gdm.schemas r,

apparmor.d/groups/gnome/gnome-calendar

@@ -30,7 +30,5 @@ profile gnome-calendar @{exec_path} {
   owner @{run}/user/@{uid}/dconf/user rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 
-  @{PROC}/sys/dev/i915/perf_stream_paranoid r,
-
   include if exists <local/gnome-calendar>
 }

apparmor.d/groups/gnome/gnome-contacts

@@ -14,6 +14,7 @@ profile gnome-contacts @{exec_path} {
   include <abstractions/dri-enumerate>
   include <abstractions/gnome>
   include <abstractions/gstreamer>
+  include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/opencl>
   include <abstractions/openssl>
@@ -28,14 +29,11 @@ profile gnome-contacts @{exec_path} {
   /usr/share/applications/{,*.desktop} r,
 
   owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
-  owner @{user_cache_dirs}/mesa_shader_cache/index rw,
   owner @{user_config_dirs}/gnome-contacts/{,**} rw,
   owner @{user_share_dirs}/folks/relationships.ini r,
 
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
 
-  @{PROC}/sys/dev/i915/perf_stream_paranoid r,
-
   include if exists <local/gnome-contacts>
 }

apparmor.d/groups/gnome/gnome-control-center

@@ -111,6 +111,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/comm r,
   owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/maps r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/statm r,

apparmor.d/groups/gnome/gnome-extension-ding

@@ -10,8 +10,9 @@ include <tunables/global>
 profile gnome-extension-ding @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf>
-  include <abstractions/freedesktop.org>
   include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
 
   @{exec_path} mr,
 
@@ -22,7 +23,7 @@ profile gnome-extension-ding @{exec_path} {
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/gnome-shell/extensions/ding@rastersoft.com/* r,
   /usr/share/themes/{,**} r,
-  /usr/share/thumbnailers/*.thumbnailer r,
+  /usr/share/thumbnailers/{,*.thumbnailer} r,
   /usr/share/X11/{,**} r,
 
   /var/lib/snapd/desktop/icons/{,**} r,

apparmor.d/groups/gnome/gnome-session-binary

@@ -43,17 +43,18 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
 
   /{usr/,}bin/aa-notify                                    rPx,
   /{usr/,}bin/blueman-applet                               rPx,
-  /{usr/,}bin/xdg-user-dirs-update                         rPx,
   /{usr/,}bin/firewall-applet                             rPUx,
   /{usr/,}bin/gnome-keyring-daemon                         rPx,
   /{usr/,}bin/gnome-shell                                  rPx,
   /{usr/,}bin/im-launch                                    rPx,
   /{usr/,}bin/pkcs11-register                              rPx,
   /{usr/,}bin/snap                                        rPUx,
+  /{usr/,}bin/spice-vdagent                                rPx,
   /{usr/,}bin/start-pulseaudio-x11                         rPx,
   /{usr/,}bin/ubuntu-report                                rPx,
   /{usr/,}bin/update-notifier                              rPx,
   /{usr/,}bin/xbrlapi                                      rPx,
+  /{usr/,}bin/xdg-user-dirs-update                         rPx,
   /{usr/,}lib/update-notifier/ubuntu-advantage-notification rPx,
   @{libexec}/at-spi-bus-launcher                           rPx,
   @{libexec}/evolution-data-server/evolution-alarm-notify  rPx,
@@ -98,14 +99,15 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/applications/ r,
   owner @{user_share_dirs}/applications/mimeinfo.cache r,
 
+  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
   owner @{run}/user/@{uid}/dconf/ rw,
   owner @{run}/user/@{uid}/dconf/user rw,
-  owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/gnome-session-leader-fifo rw,
   owner @{run}/user/@{uid}/ICEauthority{,-[a-z]} rwl,
+  owner @{run}/user/@{uid}/systemd/notify w,
         @{run}/systemd/inhibit/[0-9]*.ref rw,
-        @{run}/systemd/sessions/*     r,
+        @{run}/systemd/sessions/* r,
         @{run}/systemd/sessions/*.ref rw,
         @{run}/systemd/users/@{uid} r,
 

apparmor.d/groups/gnome/gnome-shell

@@ -125,6 +125,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/gnome-shell-disable-extensions rw,
   owner @{run}/user/@{uid}/gnome-shell/{,**} rw,
   owner @{run}/user/@{uid}/gvfsd/socket-[0-9A-Za-z]* rw,
+  owner @{run}/user/@{uid}/snap.snapd-desktop-integration/wayland-cursor-shared-* rw,
   owner @{run}/user/@{uid}/wayland-[0-9].lock rwk,
 
   owner /dev/shm/.org.chromium.Chromium.* rw,

apparmor.d/groups/gnome/gsd-color

@@ -10,8 +10,8 @@ include <tunables/global>
 profile gsd-color @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dconf>
-  include <abstractions/fonts>
   include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
   include <abstractions/gtk>
 
   signal (receive) set=(term, hup) peer=gdm*,

apparmor.d/groups/gnome/gsd-keyboard

@@ -10,8 +10,8 @@ include <tunables/global>
 profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dconf>
-  include <abstractions/fonts>
   include <abstractions/fontconfig-cache-read>
+  include <abstractions/fonts>
   include <abstractions/gtk>
 
   signal (receive) set=(term, hup) peer=gdm*,

apparmor.d/groups/gnome/tracker-miner

@@ -12,17 +12,16 @@ profile tracker-miner @{exec_path} {
   include <abstractions/dbus-session-strict>  # TODO: FIXME: See if we keep them like this.
   include <abstractions/dconf>
   include <abstractions/disks-read>
+  include <abstractions/freedesktop.org>
   include <abstractions/nameservice-strict>
   include <abstractions/private-files-strict>
   include <abstractions/private-files>
 
   @{exec_path} mr,
 
-  /usr/share/applications/{,mimeinfo.cache,*.list} r,
   /usr/share/dconf/profile/gdm r,
   /usr/share/gdm/greeter/applications/{,mimeinfo.cache,*.list} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/mime/mime.cache r,
   /usr/share/tracker3-miners/{,**} r,
   /usr/share/tracker3/{,**} r,
   /usr/share/ubuntu/applications/ r,
@@ -43,8 +42,6 @@ profile tracker-miner @{exec_path} {
   owner @{MOUNTS}/*/{,**} r,
   owner /tmp/*/{,**} r,
 
-  owner @{user_share_dirs}/{applications/,mime/mime.cache} r,
-  owner @{user_config_dirs}/user-dirs.dirs r,
   owner @{user_config_dirs}/tracker3/{,**} rwk,
   owner @{user_cache_dirs}/tracker3/files/{,**} rwk,