Update profiles.

apparmor.d/profiles-a-f/acpid

@@ -11,6 +11,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
   capability mknod,
 
   network netlink raw,
@@ -20,7 +21,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/{ba,da,}sh        rix,
   /{usr/,}bin/logger            rix,
 
-  /etc/acpi/powerbtn-acpi-support.sh rPx -> acpid//powerbtn-acpi-support.sh,
+  /etc/acpi/powerbtn-acpi-support.sh rPx -> powerbtn-acpi-support,
 
   /etc/acpi/{,**} r,
   /etc/acpi/handler.sh rix,
@@ -37,26 +38,35 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
   include if exists <local/acpid>
 }
 
-profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) {
+profile powerbtn-acpi-support flags=(attach_disconnected) {
   include <abstractions/base>
 
   /etc/acpi/powerbtn-acpi-support.sh r,
 
-  /{usr/,}bin/sed          rix,
-  /{usr/,}bin/pgrep        rix,
-  /{usr/,}bin/{e,}grep     rix,
-  /{usr/,}bin/pinky        rix,
-  /{usr/,}bin/{ba,da,}sh   rix,
-  /{usr/,}bin/dbus-send    rix,
   /{usr/,}{s,}bin/killall5 rix,
   /{usr/,}{s,}bin/shutdown rix,
+  /{usr/,}bin/{ba,da,}sh   rix,
+  /{usr/,}bin/{e,}grep     rix,
+  /{usr/,}bin/dbus-send    rix,
+  /{usr/,}bin/pgrep        rix,
+  /{usr/,}bin/pinky        rix,
+  /{usr/,}bin/sed          rix,
   /etc/acpi/powerbtn.sh    rix,
 
   /{usr/,}bin/systemctl    rPx -> child-systemctl,
   /{usr/,}bin/ps           rPx,
 
   /{usr/,}bin/fgconsole rCx,
-  profile fgconsole /usr/bin/fgconsole {
+
+  /usr/share/acpi-support/** r,
+
+  @{PROC} r,
+  @{PROC}/uptime r,
+  @{PROC}/@{pids}/cmdline r,
+
+  deny / r,
+
+  profile fgconsole {
     include <abstractions/base>
 
     capability sys_tty_config,
@@ -67,13 +77,5 @@ profile acpid//powerbtn-acpi-support.sh flags=(attach_disconnected) {
     owner /dev/tty[0-9]* rw,
   }
 
-  /usr/share/acpi-support/** r,
-
-  deny / r,
-
-  @{PROC} r,
-  @{PROC}/uptime r,
-  @{PROC}/@{pids}/cmdline r,
-
-  include if exists <local/acpid_powerbtn-acpi-support.sh>
+  include if exists <local/powerbtn-acpi-support>
 }

apparmor.d/profiles-a-f/aurpublish

@@ -13,10 +13,17 @@ profile aurpublish @{exec_path} {
   @{exec_path} mr,
 
   /{usr/,}bin/{,ba,da}sh  rix,
+  /{usr/,}bin/cat         rix,
   /{usr/,}bin/git         rPx,
   /{usr/,}bin/makepkg     rUx,
   /{usr/,}bin/rm          rix,
   /{usr/,}bin/wc          rix,
 
+  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.git/COMMIT_EDITMSG rw,
+  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/.SRCINFO rw,
+  owner @{HOME}/@{XDG_PROJECTS_DIR}/**/PKGBUILD r,
+
+  /dev/tty rw,
+
   include if exists <local/aurpublish>
 }

apparmor.d/profiles-a-f/borg

@@ -7,8 +7,6 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{BACKUP_DIR} = @{MOUNTS}/Arti/backup-*
-
 @{exec_path} = /{usr/,}bin/borg
 profile borg @{exec_path} {
   include <abstractions/base>
@@ -82,8 +80,8 @@ profile borg @{exec_path} {
   /var/{,**}   r,
 
   # The backup dirs
-  owner @{BACKUP_DIR}/ r,
-  owner @{BACKUP_DIR}/** rwkl -> @{BACKUP_DIR}/**,
+  owner @{MOUNTS}/ r,
+  owner @{MOUNTS}/** rwkl -> @{MOUNTS}/**,
 
   # For exporting the key
   owner /**/key w,

apparmor.d/profiles-a-f/browserpass

@@ -34,9 +34,10 @@ profile browserpass @{exec_path} flags=(attach_disconnected) {
   deny network inet dgram,
   deny network inet6 stream,
   deny network inet stream,
-  deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
+  deny owner @{HOME}/.mozilla/firefox/[0-9a-z]*.default/storage/default/{,**} r,
   deny owner @{HOME}/@{XDG_DOWNLOAD_DIR}/{,**} rw,
   deny owner @{run}/user/@{uid}/gnome-shell-disable-extensions w,
+  deny owner @{user_share_dirs}/gvfs-metadata/{,**} r,
   deny /dev/dri/card[0-9]* rw,
   deny /dev/dri/renderD128 rw,
 

apparmor.d/profiles-a-f/fusermount

@@ -21,7 +21,7 @@ profile fusermount @{exec_path} {
   owner @{HOME}/*/ rw,
   owner @{HOME}/*/*/ rw,
   owner @{user_cache_dirs}/**/ rw,
-  owner @{run}/user/@{uid}/doc/ r,
+        @{run}/user/@{uid}/doc/ r,
 
   # Be able to mount ISO images
   mount fstype={fuse,fuse.*} -> @{HOME}/*/,