feat(profiles): general update.

apparmor.d/profiles-s-z/snap

@@ -23,6 +23,8 @@ profile snap @{exec_path} {
 
   @{exec_path} mrix,
 
+  /{usr/,}bin/systemctl        rPx -> child-systemctl,
+
   /snap/{,**} rw,
   /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-confine  rPx,
   /{snap/snapd/[0-9]*/,}{usr/,}lib/snapd/snap-seccomp  rPx,
@@ -37,6 +39,7 @@ profile snap @{exec_path} {
 
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
+  owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
   owner @{run}/user/@{uid}/systemd/notify rw,
 
   @{run}/snapd.socket rw,

apparmor.d/profiles-s-z/snap-update-ns

@@ -10,18 +10,26 @@ include <tunables/global>
 profile snap-update-ns @{exec_path} {
   include <abstractions/base>
 
+  capability dac_override,
   capability sys_admin,
   capability sys_chroot,
 
+  mount -> /snap/**/,
+  mount -> /usr/**/,
+  mount /snap/**/ ->  /tmp/.snap/**,
+  umount /snap/**/,
+
   @{exec_path} mr,
 
   /var/lib/snapd/mount/{,*} r,
 
+  /tmp/.snap/{,**} rwk,
+
   @{run}/snapd/lock/*.lock rwk,
   @{run}/snapd/ns/{,**} rw,
 
   @{sys}/fs/cgroup/{,**/} r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze r,
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.freeze rw,
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
   @{PROC}/@{pids}/cgroup r,

apparmor.d/profiles-s-z/snapd

@@ -94,12 +94,13 @@ profile snapd @{exec_path} {
   /etc/systemd/system/{,**/} r,
   /etc/systemd/system/snap* rw,
   /etc/systemd/user/{,**/} r,
-  /etc/systemd/user/snap* rw,
+  /etc/systemd/user/**/*snap* rw,
+  /etc/systemd/user/*snap* rw,
   /etc/udev/rules.d/{,*snap*} rw,
 
   /snap/{,**} rw,
-  /var/cache/snapd/{,**} rwk,
-  /var/lib/snapd/{,**} rwk,
+  /var/cache/snapd/{,**} rwlk,
+  /var/lib/snapd/{,**} rwlk,
   /var/snap/{,**} rw,
 
   /var/cache/apparmor/{,*/} r,
@@ -119,7 +120,8 @@ profile snapd @{exec_path} {
   owner @{run}/mount/utab{,.*} rw,
   owner @{run}/mount/utab.lock wk,
 
-  owner @{run}/user/{,@{uid}/} r,
+  owner @{run}/user/@{uid}/ r,
+  owner @{run}/user/@{uid}/snapd-session-agent.socket rw,
   owner @{run}/user/snap.*/{,**} rw,
 
   @{run}/snapd*.socket rw,
@@ -136,6 +138,8 @@ profile snapd @{exec_path} {
   @{sys}/kernel/security/apparmor/features/ r,
   @{sys}/kernel/security/apparmor/profiles r,
 
+  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,
+
         @{PROC}/@{pids}/cgroup r,
         @{PROC}/@{pids}/stat r,
         @{PROC}/cgroups r,

apparmor.d/profiles-s-z/udisksd

@@ -37,8 +37,8 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]*p[0-9]* -> @{MOUNTS}/*/,
 
   # Allow mounting of cdrom
-  mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> /media/cdrom[0-9]/,
-  mount fstype={iso9660,udf,ntfs3}                 /dev/sr[0-9]*   -> /media/cdrom[0-9]/,
+  mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/loop[0-9]* -> @{MOUNTS}/*/,
+  mount fstype={iso9660,udf,ntfs3}                 /dev/sr[0-9]*   -> @{MOUNTS}/*/,
 
   # Allow mounting od sd cards
   mount fstype={btrfs,ext*,vfat,iso9660,udf,ntfs3} /dev/mmcblk[0-9]         -> @{MOUNTS}/*/,

apparmor.d/profiles-s-z/virt-manager

@@ -68,8 +68,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/ r,
   owner @{user_cache_dirs}/ rw,
-  owner @{user_cache_dirs}/virt-manager/ rw,
-  owner @{user_cache_dirs}/virt-manager/** rw,
+  owner @{user_cache_dirs}/virt-manager/{,**} rw,
 
   # For disk images
   @{MOUNTS}/ r,
@@ -87,6 +86,7 @@ profile virt-manager @{exec_path} flags=(attach_disconnected) {
   owner @{user_vm_dirs}/{,**} rw,
 
   owner @{run}/user/@{uid}/libvirt/libvirtd.lock rwk,
+  owner @{run}/user/@{uid}/wayland-cursor-shared-* rw,
         @{run}/mount/utab r,
         @{run}/udev/data/c51[0-9]:[0-9]* r,