feat(profile): general update.

apparmor.d/profiles-s-z/setpci

@@ -16,6 +16,7 @@ profile setpci @{exec_path} flags=(complain) {
 
   @{sys}/bus/pci/devices/ r,
   @{sys}/devices/@{pci}/** r,
+  @{sys}/devices/@{pci}/config w,
 
   include if exists <local/setpci>
 }

apparmor.d/profiles-s-z/snap

@@ -14,6 +14,7 @@ profile snap @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.systemd1>
   include <abstractions/consoles>
   include <abstractions/disks-read>
   include <abstractions/nameservice-strict>
@@ -24,6 +25,8 @@ profile snap @{exec_path} {
 
   network netlink raw,
 
+  ptrace read peer=snap.snap-store.snap-store,
+
   unix (send, receive) type=stream peer=(label=apt),
 
   mount options=(ro, silent) -> /tmp/snapd-auto-import-mount-@{int}/,
@@ -32,6 +35,7 @@ profile snap @{exec_path} {
   #aa:dbus own bus=session name=io.snapcraft.SessionAgent
   #aa:dbus own bus=session name=io.snapcraft.Settings
 
+  #aa:dbus talk bus=session name=io.snapcraft.PrivilegedDesktopLauncher label=snap.snap-store.snap-store
   #aa:dbus talk bus=session name=org.freedesktop.systemd1 label="@{p_systemd_user}"
 
   dbus send bus=session path=/org/freedesktop/portal/documents
@@ -39,6 +43,11 @@ profile snap @{exec_path} {
        member=GetMountPoint
        peer=(name=org.freedesktop.portal.Documents, label="{xdg-document-portal,unconfined}"),
 
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=@{busname}, label=gnome-shell),
+
   @{exec_path} mrix,
 
   @{bin}/mount rix,
@@ -83,6 +92,7 @@ profile snap @{exec_path} {
         @{PROC}/sys/kernel/random/uuid r,
         @{PROC}/sys/kernel/seccomp/actions_avail r,
         @{PROC}/version r,
+  owner @{PROC}/@{pid}/attr/apparmor/current r,
   owner @{PROC}/@{pid}/mounts r,
 
   /dev/tty@{int} rw,

apparmor.d/profiles-s-z/snapd

@@ -47,8 +47,8 @@ profile snapd @{exec_path} {
   umount /tmp/syscheck-mountpoint-@{int}/,
   umount /snap/*/*/,
 
-  ptrace (read) peer=snap,
-  ptrace (read) peer=@{p_systemd},
+  ptrace read peer=@{p_systemd},
+  ptrace read peer=snap{,.*},
 
   unix (bind) type=stream addr=@@{udbus}/bus/systemctl/,
 
@@ -155,16 +155,15 @@ profile snapd @{exec_path} {
   @{sys}/fs/cgroup/{,*/} r,
   @{sys}/fs/cgroup/cgroup.controllers r,
   @{sys}/fs/cgroup/system.slice/{,**/} r,
+  @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
   @{sys}/fs/cgroup/user.slice/ r,
   @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
   @{sys}/kernel/kexec_loaded r,
   @{sys}/kernel/security/apparmor/.notify r,
   @{sys}/kernel/security/apparmor/features/{,**} r,
   @{sys}/kernel/security/apparmor/profiles r,
 
-  @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
-
         @{PROC}/@{pid}/cgroup r,
         @{PROC}/@{pid}/mounts r,
         @{PROC}/@{pid}/stat r,

apparmor.d/profiles-s-z/syncthing

@@ -10,6 +10,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/syncthing
 profile syncthing @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/ssl_certs>
 
@@ -28,15 +29,14 @@ profile syncthing @{exec_path} {
 
   /etc/mime.types r,
 
-  owner @{HOME}/ r,
-  owner @{HOME}/@{XDG_DATA_DIR}/syncthing/{,**} rwk,
-  owner @{user_config_dirs}/syncthing/{,**} rwk,
-  owner @{user_state_dirs}/syncthing/{,**} rwk,
+  @{HOME}/ r,
+  @{HOME}/** rwk,
 
   /home/ r,
   @{user_sync_dirs}/{,**} rw,
 
         @{PROC}/@{pids}/net/route r,
+        @{PROC}/sys/kernel/osrelease r,
         @{PROC}/sys/net/core/somaxconn r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/mountinfo r,