feat(profile): general update.

apparmor.d/profiles-a-f/aa-notify

@@ -19,6 +19,8 @@ profile aa-notify @{exec_path} {
 
   ptrace (read),
 
+  signal (receive) set=(cont, term) peer=@{systemd_user},
+
   @{exec_path} mr,
 
   @{bin}/ r,

apparmor.d/profiles-a-f/blueman

@@ -33,7 +33,7 @@ profile blueman @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
-  @{bin}/{b,d}ash            rix,
+  @{sh_path}           rix,
 
   @{bin}/blueman-tray  rPx,
   @{open_path}         rPx -> child-open,

apparmor.d/profiles-a-f/browserpass

@@ -18,11 +18,11 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
   @{bin}/gpg{2,} rCx -> gpg,
 
   owner @{HOME}/.password-store/{,**} r,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/.parentlock rw,
-  owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/extensions/* r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/scriptCache-*.bin r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/startupCache/startupCache.*.little r,
-  owner @{user_cache_dirs}/mozilla/firefox/[0-9a-z]*.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
+  owner @{HOME}/.mozilla/firefox/@{rand8}.*/.parentlock rw,
+  owner @{HOME}/.mozilla/firefox/@{rand8}.*/extensions/* r,
+  owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/scriptCache-*.bin r,
+  owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/startupCache/startupCache.*.little r,
+  owner @{user_cache_dirs}/mozilla/firefox/@{rand8}.*/safebrowsing-updating/google[0-9]/goog-phish-proto-@{int}.vlpset rw,
   owner /tmp/mozilla-temp-@{int} r,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
@@ -32,8 +32,8 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
   # Inherit Silencer
   deny network inet6,
   deny network inet,
-  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/features/*/*.xpi r,
-  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.*/storage/default/{,**} rw,
+  deny owner @{HOME}/.mozilla/firefox/@{rand8}.*/features/*/*.xpi r,
+  deny owner @{HOME}/.mozilla/firefox/@{rand8}.*/storage/default/{,**} rw,
   deny owner @{user_download_dirs}/{,**} rw,
   deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
   deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,

apparmor.d/profiles-a-f/flatpak-app

@@ -14,7 +14,8 @@
 #
 # 1. All of this will have to be improved. However, as of today, it is the only way
 # to not break some (major) flatpak app.
-# 2. It is not a big deal as flatpak is responsible for the sandbox anyway.
+# 2. It is not a big deal as flatpak is responsible for the sandbox anyway. This this only defence in depth. 
+# 3. The main purpose of this profile is to ensure all processes are confined.
 
 abi <abi/3.0>,
 
@@ -67,9 +68,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
   /app/.ref k,
   /app/extra/** rw,
   /bindfile@{rand6} rw,
-  /newroot/{,**} rw,
-  /tmp/newroot/ w,
-  /tmp/oldroot/ w,
 
   /var/lib/flatpak/app/{,**} r,
   /var/lib/flatpak/exports/** rw,

apparmor.d/profiles-a-f/fwupd

@@ -135,12 +135,14 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
     @{bin}/gpgconf    mr,
     @{bin}/gpgsm      mr,
     @{bin}/gpg-agent  mrix,
+    @{lib}/gnupg/scdaemon rix,
 
     owner /var/lib/fwupd/gnupg/ rw,
     owner /var/lib/fwupd/gnupg/** rwkl -> /var/lib/fwupd/gnupg/**,
 
     owner @{PROC}/@{pids}/fd/ r,
 
+    include if exists <local/fwupd_gpg>
   }
 
   include if exists <local/fwupd>