feat(profiles): general update.

apparmor.d/groups/apt/apt

@@ -28,6 +28,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   capability setgid,
   capability setuid,
   capability sys_nice,
+  capability sys_ptrace,
 
   signal (send) peer=apt-methods-*,
 
@@ -46,7 +47,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
        member=Inhibit
        peer=(name=org.freedesktop.login[0-9]),
 
-  dbus send bus=system path=/org/freedesktop/DBus
+  dbus send bus=system path=/org/freedesktop/DBus{,/Bus}
        interface=org.freedesktop.DBus{,.Introspectable}
        member={RequestName,GetConnectionUnixProcessID,Introspect}
        peer=(name=org.freedesktop.DBus),
@@ -101,6 +102,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/ubuntu-advantage/apt-esm-json-hook             rPx,
   /{usr/,}lib/update-notifier/update-motd-updates-available  rPx,
   /usr/share/command-not-found/cnf-update-db                 rPx,
+  /usr/share/language-tools/language-options                 rPx,
 
   # For editing the sources.list file
   /{usr/,}bin/sensible-editor rCx -> editor,
@@ -110,6 +112,7 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/sensible-pager  rCx -> pager,
 
   /usr/share/xml/iso-codes/{,**} r,
+  /usr/share/language-selector/data/pkg_depends r,
 
   /etc/apt/sources.list rwk,
   /etc/machine-id r,

apparmor.d/groups/browsers/chromium-chromium

@@ -32,6 +32,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read) peer=browserpass,
   ptrace (read) peer=chrome-gnome-shell,
+  ptrace (read) peer=gnome-browser-connector-host,
   ptrace (read) peer=keepassxc-proxy,
   ptrace (read) peer=lsb_release,
   ptrace (read) peer=xdg-settings,
@@ -49,6 +50,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mrix,
 
   /{usr/,}bin/chrome-gnome-shell                rPx,
+  /{usr/,}bin/gnome-browser-connector-host      rPx,
   /{usr/,}lib/chromium/chrome-sandbox           rPx,
   /{usr/,}lib/chromium/chrome_crashpad_handler  rPx,
 

apparmor.d/groups/freedesktop/fc-cache

@@ -10,8 +10,9 @@ include <tunables/global>
 @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/fc-cache{,-32,-v*}
 profile fc-cache @{exec_path} {
   include <abstractions/base>
-  include <abstractions/fonts>
+  include <abstractions/consoles>
   include <abstractions/fontconfig-cache-write>
+  include <abstractions/fonts>
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/gjs-console

@@ -46,16 +46,17 @@ profile gjs-console @{exec_path} flags=(attach_disconnected) {
   owner @{user_cache_dirs}/gstreamer-1.0/ rw,
   owner @{user_cache_dirs}/gstreamer-1.0/registry.*.bin{,.tmp*} rw,
 
-  owner @{run}/user/@{uid}/gdm/Xauthority r,
         @{run}/user/@{uid}/wayland-cursor-shared-* rw,
+  owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 
   @{sys}/devices/system/cpu/possible r,
 
   owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/task/ r,
-  owner @{PROC}/@{pid}/task/@{tid}/stat r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/stat r,
+  owner @{PROC}/@{pid}/task/ r,
+  owner @{PROC}/@{pid}/task/@{tid}/stat r,
 
   /dev/ r,
   /dev/tty rw,

apparmor.d/groups/gnome/gnome-extensions-app

@@ -9,6 +9,14 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/gnome-extensions-app
 profile gnome-extensions-app @{exec_path} {
   include <abstractions/base>
+  # include <abstractions/vulkan>
+  include <abstractions/dconf-write>
+  include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
+  include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
+  include <abstractions/mesa>
+  include <abstractions/opencl>
 
   @{exec_path} mr,
 
@@ -16,6 +24,15 @@ profile gnome-extensions-app @{exec_path} {
   /{usr/,}bin/gjs-console rix,
 
   /usr/share/terminfo/x/xterm-256color r,
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+  /usr/share/gnome-shell/org.gnome.Extensions* r,
+  /usr/share/X11/xkb/{,**} r,
+
+  @{sys}/devices/system/cpu/possible r,
+
+  owner @{PROC}/@{pid}/mounts r,
+  owner @{PROC}/@{pids}/stat r,
+  owner @{PROC}/@{pids}/task/@{tid}/stat r,
 
   /dev/tty rw,
 

apparmor.d/groups/network/mullvad-gui

@@ -53,6 +53,7 @@ profile mullvad-gui @{exec_path} {
   @{sys}/bus/pci/devices/ r,
   @{sys}/devices/virtual/tty/tty[0-9]*/active r,
   @{sys}/devices/pci[0-9]*/**/{vendor,device,class,config} r,
+  @{sys}/devices/system/cpu/possible r,
 
         @{PROC}/ r,
         @{PROC}/sys/fs/inotify/max_user_watches r,

apparmor.d/groups/network/nm-dispatcher

@@ -8,7 +8,7 @@ include <tunables/global>
 
 @{exec_path} = /{usr/,}lib/nm-dispatcher
 @{exec_path} += /{usr/,}lib/NetworkManager/nm-dispatcher
-profile nm-dispatcher @{exec_path} {
+profile nm-dispatcher @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
 

apparmor.d/groups/systemd/child-systemctl

@@ -27,7 +27,7 @@ profile child-systemctl flags=(attach_disconnected) {
   network inet stream,
   network inet6 stream,
 
-  dbus send bus=system path=/org/freedesktop/systemd[0-9]
+  dbus send bus=system path=/org/freedesktop/systemd[0-9]/Unit
        interface=org.freedesktop.systemd[0-9].Manager
        member=GetUnitFileState,
 

apparmor.d/groups/systemd/systemd-analyze

@@ -10,12 +10,18 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/systemd-analyze
 profile systemd-analyze @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/dbus-strict>
   include <abstractions/systemd-common>
 
   capability sys_resource,
   capability net_admin,
 
+  network inet dgram,
+  network netlink raw,
+
+  signal (send) peer=child-pager,
+
   dbus send bus=system path=/org/freedesktop/systemd1
       interface=org.freedesktop.DBus.Properties
       member=GetAll,
@@ -28,12 +34,8 @@ profile systemd-analyze @{exec_path} {
       interface=org.freedesktop.DBus.Properties
       member=GetAll,
 
-  signal (send) peer=child-pager,
-
-  network inet dgram,
-  network netlink raw,
-
   @{exec_path} mr,
+
   /{usr/,}lib/systemd/system-environment-generators/* rix,
 
   /{usr/,}bin/pager     rPx -> child-pager,
@@ -68,13 +70,12 @@ profile systemd-analyze @{exec_path} {
   @{sys}/firmware/efi/efivars/LoaderTimeInitUSec-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderTimeExecUSec-@{uuid} r,
 
-  owner @{PROC}/@{pid}/cgroup r,
-  owner @{PROC}/@{pid}/mountinfo r,
-  owner @{PROC}/@{pid}/comm r,
         @{PROC}/swaps r,
+  owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/comm r,
+  owner @{PROC}/@{pid}/mountinfo r,
 
   /dev/tty rw,
-  /dev/pts/1 rw,
 
   include if exists <local/systemd-analyze>
 }

apparmor.d/groups/systemd/systemd-hwdb

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/systemd-hwdb
 profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 

apparmor.d/groups/ubuntu/notify-reboot-required

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /usr/share/update-notifier/notify-reboot-required
 profile notify-reboot-required @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 

apparmor.d/groups/ubuntu/software-properties-gtk

@@ -67,6 +67,7 @@ profile software-properties-gtk @{exec_path} {
   @{sys}/devices/**/modalias r,
 
         @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/asound/cards r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,
 

apparmor.d/groups/ubuntu/update-notifier

@@ -38,6 +38,8 @@ profile update-notifier @{exec_path} {
   /usr/share/apport/apport-checkreports               rPx,
   /usr/share/apport/apport-gtk                        rPx,
 
+  /{usr/,}lib/python3.[0-9]*/dist-packages/{apt,gi}/**/__pycache__/{,**} rw,
+
   /usr/share/applications/{,**} r,
   /usr/share/dpkg/cputable r,
   /usr/share/dpkg/tupletable r,