feat(profile): finalize upgrade process.

apparmor.d/groups/apt/dpkg-preconfigure

@@ -30,7 +30,6 @@ profile dpkg-preconfigure @{exec_path} {
   @{bin}/head                  ix,
   @{bin}/locale                ix,
   @{bin}/readlink              ix,
-  @{bin}/readlink              ix,
   @{bin}/realpath              ix,
   @{bin}/sed                   ix,
   @{bin}/sort                  ix,

apparmor.d/groups/apt/dpkg-scripts

@@ -47,11 +47,11 @@ profile dpkg-scripts @{exec_path} {
   @{sbin}/update-rc.d                             Cx -> rc,
 
   # Maintainer scripts can legitimately start/restart anything
-  @{bin}/**                                       Px,
+  @{bin}/**                                       PUx,
-  @{sbin}/**                                      Px,
+  @{sbin}/**                                      PUx,
-  @{lib}/**                                       Px,
+  @{lib}/**                                       PUx,
-  /usr/share/**                                   Px,
+  /usr/share/**                                   PUx,
-  /etc/init.d/*                                   Px,
+  /etc/init.d/*                                   PUx,
 
   # Maintainer's scripts can update a lot of files
   / r,
@@ -76,9 +76,9 @@ profile dpkg-scripts @{exec_path} {
     include <abstractions/bus-system>
 
     dbus send bus=system path=/
-        interface=org.freedesktop.DBus
+         interface=org.freedesktop.DBus
-        member=ReloadConfig
+         member=ReloadConfig
-        peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+         peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
 
     include if exists <local/dpkg-scripts_bus>
   }

apparmor.d/groups/browsers/firefox

@@ -39,7 +39,7 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
   @{bin}/kreadconfig{,5}                             rPx,
   @{bin}/plasma-browser-integration-host             rPx,
   @{bin}/speech-dispatcher                           rPx,
-  @{sbin}/update-mime-database                       rPx,
+  @{bin}/update-mime-database                        rPx,
   @{lib}/gvfsd-metadata                              rPx,
   @{lib}/mozilla/kmozillahelper                     rPUx,
   @{open_path}                                       rPx -> child-open,

apparmor.d/groups/snap/snap

@@ -85,8 +85,9 @@ profile snap @{exec_path} flags=(attach_disconnected) {
   @{sys}/fs/cgroup/cgroup.controllers r,
   @{sys}/kernel/security/apparmor/features/{,**} r,
 
-        @{PROC}/@{pids}/cgroup r,
+        @{PROC}/@{pid}/cgroup r,
-        @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/@{pid}/maps r,
+        @{PROC}/@{pid}/mountinfo r,
         @{PROC}/cgroups r,
         @{PROC}/cmdline r,
         @{PROC}/sys/kernel/random/uuid r,

apparmor.d/groups/snap/snapd

@@ -208,6 +208,8 @@ profile snapd @{exec_path} {
 
     network netlink raw,
 
+    signal receive set=kill peer=snapd,
+
     @{bin}/journalctl mr,
 
     /etc/machine-id r,

apparmor.d/profiles-s-z/which

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/which{.debianutils,}
+@{exec_path} = @{bin}/which{,.debianutils}
 profile which @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-s-z/whiptail

@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/whiptail
-profile whiptail @{exec_path} flags=(complain) {
+profile whiptail @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
@@ -16,9 +16,7 @@ profile whiptail @{exec_path} flags=(complain) {
 
   @{exec_path} mr,
 
-  /etc/newt/palette.* r,
+  /usr/share/terminfo/** r,
-
-  owner @{tmp}/gpm* w,
 
   include if exists <local/whiptail>
 }