feat(profiles): general update.

apparmor.d/groups/gnome/gio-launch-desktop

@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2018-2021 Mikhail Morfikov
-#               2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2022 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,

apparmor.d/groups/gnome/gnome-control-center

@@ -49,6 +49,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/bwrap                                  rPUx,
   /{usr/,}bin/openvpn                                 rPx,
   /{usr/,}bin/passwd                                  rPx,
+  /{usr/,}bin/software-properties-gtk                 rPx,
   /{usr/,}lib/@{multiarch}/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
   /{usr/,}lib/webkit2gtk-{3,4}.0/WebKitNetworkProcess rix,
   /usr/share/language-tools/language2locale           rix,

apparmor.d/groups/gnome/gnome-extension-ding

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /usr/share/gnome-shell/extensions/ding@rastersoft.com/ding.js
 profile gnome-extension-ding @{exec_path} {
   include <abstractions/base>
+  include <abstractions/dbus-gtk>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
   include <abstractions/dconf-write>

apparmor.d/groups/gnome/gnome-shell

@@ -164,13 +164,13 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c226:[0-9]* r,   # for /dev/dri/card* 
   @{run}/udev/data/n[0-9]* r,
 
+  @{sys}/**/uevent r,
   @{sys}/bus/ r,
   @{sys}/class/ r,
   @{sys}/class/hwmon/ r,
   @{sys}/class/input/ r,
   @{sys}/class/net/ r,
   @{sys}/class/power_supply/ r,
-  @{sys}/**/uevent r,
   @{sys}/devices/**/hwmon[0-9]*/{,name,temp*,fan*} r,
   @{sys}/devices/**/hwmon[0-9]*/**/{,name,temp*,fan*} r,
   @{sys}/devices/**/hwmon/{,name,temp*,fan*} r,
@@ -180,6 +180,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/drm/ r,
   @{sys}/devices/pci[0-9]*/**/input[0-9]*/{properties,name} r,
   @{sys}/devices/pci[0-9]*/**/net/*/statistics/{rx_bytes,tx_bytes} r,
+  @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/scaling_cur_freq r,
   @{sys}/devices/system/cpu/possible r,
   @{sys}/devices/virtual/net/*/statistics/{rx_bytes,tx_bytes} r,
 

apparmor.d/groups/gnome/gnome-terminal-server

@@ -17,6 +17,7 @@ profile gnome-terminal-server @{exec_path} {
   include <abstractions/gtk>
 
   signal (send) set=(term hup kill) peer=unconfined,
+  ptrace (read) peer=unconfined,
 
   @{exec_path} mr,
 

apparmor.d/groups/gnome/gsd-print-notifications

@@ -38,6 +38,12 @@ profile gsd-print-notifications @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.Avahi.Server
        member=StateChanged,
 
+  dbus (send,receive) bus=session path=/org/gnome/SessionManager{,/*}
+       interface={org.freedesktop.DBus.Properties,org.gnome.SessionManager},
+
+  dbus bind bus=session
+       name=org.gnome.SettingsDaemon.PrintNotifications,
+
   @{exec_path} mr,
   @{libexec}/gsd-printer rPx,
 

apparmor.d/groups/gnome/gsd-sharing

@@ -36,6 +36,10 @@ profile gsd-sharing @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.NetworkManager
        member=CheckPermissions,
 
+  dbus receive bus=system path=/org/freedesktop/NetworkManager/ActiveConnection/[0-9]*
+       interface=org.freedesktop.NetworkManager.Connection.Active
+       member=StateChanged,
+
   @{exec_path} mr,
 
   /usr/share/dconf/profile/gdm r,

apparmor.d/groups/gnome/tracker-extract

@@ -59,6 +59,8 @@ profile tracker-extract @{exec_path} {
   @{run}/udev/data/c51[0-9]:[0-9]* r,
   @{run}/mount/utab r,
 
+  @{sys}/devices/system/cpu/possible r,
+
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mountinfo r,
 
@@ -67,5 +69,7 @@ profile tracker-extract @{exec_path} {
   /dev/media[0-9]* r,
   /dev/video[0-9]* rw,
 
+  deny owner @{user_share_dirs}/gvfs-metadata/** r,
+
   include if exists <local/tracker-extract>
 }