feat(profile): general update.

apparmor.d/groups/apt/debsign

@@ -55,6 +55,7 @@ profile debsign @{exec_path} {
     owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo} r,
     owner @{tmp}/debsign.*/*.{dsc,changes,buildinfo}.asc rw,
 
+    include if exists <local/debsign_gpg>
   }
 
   include if exists <local/debsign>

apparmor.d/groups/apt/debsums

@@ -20,13 +20,6 @@ profile debsums @{exec_path} {
   @{sh_path}        rix,
   @{bin}/{m,g,}awk  rix,
 
-  /etc/dpkg/dpkg.cfg.d/{,*} r,
-  /etc/dpkg/dpkg.cfg r,
-
-  /var/lib/dpkg/info/* r,
-
-  /etc/locale.nopurge r,
-
   # Do not strip env to avoid errors like the following:
   #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
   #  shared object file): ignored.
@@ -35,6 +28,13 @@ profile debsums @{exec_path} {
   @{bin}/dpkg        rPx -> child-dpkg,
   @{bin}/dpkg-divert rPx -> child-dpkg-divert,
 
+  /etc/dpkg/dpkg.cfg.d/{,*} r,
+  /etc/dpkg/dpkg.cfg r,
+
+  /etc/locale.nopurge r,
+
+  /var/lib/dpkg/info/* r,
+
   # For shell pwd
   / r,
   /root/ r,

apparmor.d/groups/apt/dpkg-divert

@@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {
 
   /var/lib/dpkg/** r,
 
-  /usr/share/*/** w,
+  /usr/share/*/** rw,
 
   /var/lib/dpkg/diversions rw,
   /var/lib/dpkg/diversions-new rw,

apparmor.d/groups/browsers/firefox-minidump-analyzer

@@ -15,7 +15,7 @@ include <tunables/global>
 @{cache_dirs} = @{user_cache_dirs}/mozilla/
 
 @{exec_path} = @{lib_dirs}/minidump-analyzer
-profile firefox-minidump-analyzer @{exec_path} {
+profile firefox-minidump-analyzer @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   signal (receive) set=(term, kill) peer=firefox,
@@ -27,10 +27,10 @@ profile firefox-minidump-analyzer @{exec_path} {
   owner "@{config_dirs}/firefox/Crash Reports/" rw,
   owner "@{config_dirs}/firefox/Crash Reports/pending/" rw,
   owner "@{config_dirs}/firefox/Crash Reports/pending/@{hex}.{dmp,extra}" rw,
-  owner @{config_dirs}/*.*/extensions/*.xpi r,
+  owner @{config_dirs}/{,firefox/}*.*/extensions/*.xpi r,
-  owner @{config_dirs}/*.*/minidumps/ rw,
+  owner @{config_dirs}/{,firefox/}*.*/minidumps/ rw,
-  owner @{config_dirs}/*.*/minidumps/@{uuid}.{dmp,extra} rw,
+  owner @{config_dirs}/{,firefox/}*.*/minidumps/@{uuid}.{dmp,extra} rw,
-  owner @{config_dirs}/*.*/storage/default/* r,
+  owner @{config_dirs}/{,firefox/}*.*/storage/default/* r,
 
   owner @{cache_dirs}/firefox/*.*/startupCache/*Cache* r,
 

apparmor.d/groups/bus/ibus-memconf

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/{,ibus/}ibus-memconf
-profile ibus-memconf @{exec_path} {
+profile ibus-memconf @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
@@ -27,5 +27,7 @@ profile ibus-memconf @{exec_path} {
   owner @{desktop_config_dirs}/ibus/bus/ r,
   owner @{desktop_config_dirs}/ibus/bus/@{hex32}-unix-{,wayland-}@{int} r,
 
+  owner /dev/tty@{int} rw,
+
   include if exists <local/ibus-memconf>
 }

apparmor.d/groups/cron/cron-popularity-contest

@@ -49,6 +49,7 @@ profile cron-popularity-contest @{exec_path} {
   /var/log/popularity-contest{,.new} rw,
   /var/log/popularity-contest{,.new}.gpg rw,
   /var/log/popularity-contest.@{int} rw,
+  /var/log/popularity-contest.@{int}.gpg rw,
 
   # Store last successful http submission timestamp
   /var/lib/popularity-contest/ rw,
@@ -66,15 +67,14 @@ profile cron-popularity-contest @{exec_path} {
 
     @{bin}/savelog mr,
 
-    @{bin}/date       rix,
     @{bin}/basename   rix,
-    @{bin}/which{,.debianutils}      rix,
+    @{bin}/date       rix,
     @{bin}/dirname    rix,
-    @{bin}/rm         rix,
-    @{bin}/mv         rix,
-    @{bin}/touch      rix,
     @{bin}/gzip       rix,
-
+    @{bin}/mv         rix,
+    @{bin}/rm         rix,
+    @{bin}/touch      rix,
+    @{bin}/which{,.debianutils}      rix,
     @{sh_path}        rix,
 
     /var/log/ r,
@@ -82,9 +82,9 @@ profile cron-popularity-contest @{exec_path} {
     /var/log/popularity-contest.@{int} rw,
     /var/log/popularity-contest rw,
 
-    # file_inherit
+    owner @{tmp}/#@{int} rw,  # file_inherit
-    owner @{tmp}/#@{int} rw,
 
+    include if exists <local/cron-popularity-contest_savelog>
   }
 
   profile runuser {
@@ -96,19 +96,18 @@ profile cron-popularity-contest @{exec_path} {
     @{bin}/runuser mr,
 
     @{sh_path}                 rix,
-
     @{bin}/popularity-contest  rPx,
 
-    owner @{PROC}/@{pids}/loginuid r,
-          @{PROC}/1/limits r,
-
     @{etc_ro}/security/limits.d/ r,
 
     /var/log/popularity-contest.new w,
 
-    # file_inherit
+          @{PROC}/1/limits r,
-    owner @{tmp}/#@{int} rw,
+    owner @{PROC}/@{pids}/loginuid r,
 
+    owner @{tmp}/#@{int} rw,  # file_inherit
+
+    include if exists <local/cron-popularity-contest_runuser>
   }
 
   profile gpg {
@@ -126,9 +125,9 @@ profile cron-popularity-contest @{exec_path} {
 
     owner @{tmp}/tmp.*/** rwkl -> /tmp/tmp.*/**,
 
-    # file_inherit
+    owner @{tmp}/#@{int} rw,  # file_inherit
-    owner @{tmp}/#@{int} rw,
 
+    include if exists <local/cron-popularity-contest_gpg>
   }
 
   profile popcon-upload {
@@ -142,18 +141,18 @@ profile cron-popularity-contest @{exec_path} {
     network inet6 stream,
     network netlink raw,
 
-    /usr/share/popularity-contest/popcon-upload r,
     @{bin}/perl r,
-
     @{bin}/gzip rix,
 
+    /usr/share/popularity-contest/popcon-upload r,
+
     /var/log/ r,
     /var/log/popularity-contest.new.gpg r,
     /var/log/popularity-contest.@{int}.gpg r,
 
-    # file_inherit
+    owner @{tmp}/#@{int} rw,  # file_inherit
-    owner @{tmp}/#@{int} rw,
 
+    include if exists <local/cron-popularity-contest_/popcon-upload>
   }
 
   include if exists <local/cron-popularity-contest>

apparmor.d/groups/gnome/gnome-shell

@@ -407,6 +407,8 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
     /usr/games/*  PUx,
     /usr/share/gnome-shell/extensions/ding@rastersoft.com/{,*/}ding.js rPx,
 
+    owner @{run}/user/@{uid}/gnome-shell-disable-extensions w, 
+
     deny @{user_share_dirs}/gvfs-metadata/* r,
 
     include if exists <local/gnome-shell_open>

apparmor.d/groups/gnome/gnome-software

@@ -99,6 +99,9 @@ profile gnome-software @{exec_path} {
   owner @{run}/user/@{uid}/.flatpak/**/*.ref rwk,
   owner @{run}/user/@{uid}/app/{,*/} rw,
 
+  owner /dev/shm/flatpak-com.*/ rw,
+  owner /dev/shm/flatpak-com.*/.flatpak-tmpdir rw,
+
   @{run}/systemd/inhibit/*.ref rw,
 
   @{sys}/module/nvidia/version r,

apparmor.d/groups/virt/libvirtd

@@ -206,6 +206,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/devices/system/cpu/cpu@{int}/cache/{,**} r,
   @{sys}/devices/system/cpu/cpu@{int}/topology/{,**} r,
+  @{sys}/devices/system/cpu/isolated r,
   @{sys}/devices/system/cpu/present r,
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/ r,

apparmor.d/profiles-a-f/cups-notifier-dbus

@@ -11,14 +11,13 @@ profile cups-notifier-dbus @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/cups-client>
   include <abstractions/nameservice-strict>
 
   signal (receive) set=(term) peer=cupsd,
 
   @{exec_path} mr,
  
-  /etc/cups/client.conf r,
-
   owner /var/spool/cups/tmp/cups-dbus-notifier-lockfile rw,
 
   owner @{tmp}/cups-dbus-notifier-lockfile rwk,

apparmor.d/profiles-a-f/flatpak-portal

@@ -34,6 +34,9 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
   / r,
   /.flatpak-info r,
 
+  owner @{HOME}/.var/app/*/**/.ref rw,
+  owner @{HOME}/.var/app/*/**/logs/* rw,
+
   owner @{user_config_dirs}/user-dirs.dirs r,
   owner @{user_share_dirs}/mime/mime.cache r,
 

apparmor.d/profiles-g-l/kodi-xrandr

@@ -16,7 +16,7 @@ profile kodi-xrandr @{exec_path} {
   owner @{HOME}/.Xauthority r,
 
   # file_inherit
-  @{sys}/devices/virtual/thermal/thermal_zone0/temp r,
+  @{sys}/devices/virtual/thermal/thermal_zone@{int}/temp r,
   @{sys}/devices/system/cpu/cpufreq/policy0/scaling_cur_freq r,
   owner @{HOME}/.kodi/temp/kodi.log w,
 

apparmor.d/profiles-g-l/libreoffice

@@ -52,13 +52,17 @@ profile libreoffice @{exec_path} {
   @{lib}/libreoffice/share/uno_packages/cache/stamp.sys w,
   @{lib}/libreoffice/{,**} rm,
 
+  /usr/share/hyphen/{,**} r,
   /usr/share/libexttextcat/{,**} r,
   /usr/share/liblangtag/{,**} r,
+  /usr/share/libreoffice/{,**} r,
+  /usr/share/mythes/{,**} r,
 
   /etc/java-openjdk/{,**} r,
   /etc/libreoffice/{,**} r,
   /etc/paperspecs r,
 
+  owner @{user_cache_dirs}/libreoffice/{,**} rw,
   owner @{user_config_dirs}/libreoffice/ rw,
   owner @{user_config_dirs}/libreoffice/** rwk,
 
@@ -75,6 +79,7 @@ profile libreoffice @{exec_path} {
         @{sys}/kernel/mm/transparent_hugepage/enabled r,
         @{sys}/kernel/mm/transparent_hugepage/shmem_enabled r,
   owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/app.slice/**/memory.max r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{int}.slice/user@@{int}.service/session.slice/org.gnome.Shell@wayland.service/memory.max r,
 
         @{PROC}/cgroups r,
   owner @{PROC}/@{pid}/cgroup r,

apparmor.d/profiles-m-r/mkinitramfs

@@ -59,7 +59,7 @@ profile mkinitramfs @{exec_path} {
   @{bin}/kmod                 rCx -> kmod,
   @{bin}/ldconfig             rCx -> ldconfig,
   @{bin}/ldd                  rCx -> ldd,
-  @{lib}/ld-linux.so.2        rCx -> ldd,
+  @{lib}/ld-linux.so*         rCx -> ldd,
 
   @{bin}/dpkg          rPx -> child-dpkg,
   @{bin}/linux-version rPx,

apparmor.d/profiles-m-r/qpdfview

@@ -62,5 +62,3 @@ profile qpdfview @{exec_path} {
 
   include if exists <local/qpdfview>
 }
-
-

apparmor.d/profiles-s-z/wsdd

@@ -11,6 +11,10 @@ profile wsdd @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
 
+  network inet dgram,
+  network inet6 dgram,
+  network netlink raw,
+
   @{exec_path} mr,
 
   @{bin}/env r,
@@ -18,6 +22,8 @@ profile wsdd @{exec_path} {
 
   /etc/machine-id r,
 
+  owner /var/lib/libuuid/clock.txt rw,
+
   owner @{run}/user/@{uid}/gvfsd/wsdd w,
 
   include if exists <local/wsdd>