feat(profiles): general update.

apparmor.d/profiles-s-z/snap

@@ -9,9 +9,10 @@ include <tunables/global>
 @{exec_path} = /{snap/snapd/[0-9]*/,}{usr/,}bin/snap
 profile snap @{exec_path} {
   include <abstractions/base>
-  include <abstractions/nameservice-strict>
-  include <abstractions/dbus-session-strict>
   include <abstractions/consoles>
+  include <abstractions/dbus-session-strict>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mrix,
 

apparmor.d/profiles-s-z/snap-seccomp

@@ -22,9 +22,9 @@ profile snap-seccomp @{exec_path} {
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
-  deny @{user_share_dirs}/gvfs-metadata/* r,
-
   owner @{PROC}/@{pids}/mountinfo r,
 
+  deny @{user_share_dirs}/gvfs-metadata/* r,
+
   include if exists <local/snap-seccomp>
 }

apparmor.d/profiles-s-z/spice-vdagent

@@ -15,6 +15,15 @@ profile spice-vdagent @{exec_path} {
   include <abstractions/gtk>
   include <abstractions/X-strict>
 
+  dbus send bus=session path=/org/a11y/bus
+       interface=org.a11y.Bus
+       member=GetAddress
+       peer=(name=org.a11y.Bus),
+
+  dbus send bus=session path=/org/gnome/Mutter/DisplayConfig
+       interface=org.gnome.Mutter.DisplayConfig
+       member=GetCurrentState,
+
   @{exec_path} mr,
 
   /etc/pipewire/client.conf r,

apparmor.d/profiles-s-z/steam

@@ -81,6 +81,7 @@ profile steam @{exec_path} {
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/*driverquery rix,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fossilize_replay rPx,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/gameoverlayui rpx,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/panorama/** rm,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper rpx,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam rix,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix,
@@ -107,6 +108,9 @@ profile steam @{exec_path} {
   /{usr/,}lib{,32,64}/ r,
   /etc/ r,
   /home/ r,
+  /run/ r,
+  /usr/bin/ r,
+  /var/ r,
 
   owner @{HOME}/ r,
   owner @{HOME}/.local/ r,
@@ -115,6 +119,8 @@ profile steam @{exec_path} {
   owner @{HOME}/.steampath rw,
   owner @{HOME}/.steampid rw,
 
+  owner @{user_games_dirs}/{,**} rwkl,
+
   owner @{user_config_dirs}/ r,
   owner @{user_config_dirs}/autostart/ r,
   owner @{user_config_dirs}/unity3d/{,**} rwk,
@@ -136,10 +142,11 @@ profile steam @{exec_path} {
 
   owner /tmp/dumps/ rw,
   owner /tmp/dumps/{assert,crash}_[0-9]*_[0-9]*.dmp rw,
-  owner /tmp/sh-thd.* rw,
-  owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
+  owner /tmp/gdkpixbuf-xpm-tmp.[0-9A-Z]* rw,
   owner /tmp/miles_image_* mrw,
   owner /tmp/runtime-info.txt.* rw,
+  owner /tmp/sh-thd.* rw,
+  owner /tmp/steam_chrome_shmem_uid@{uid}_spid[0-9]* rw,
 
   @{run}/udev/data/+input* r,      # for mouse, keyboard, touchpad
   @{run}/udev/data/+sound* r,

apparmor.d/profiles-s-z/steam-game

@@ -25,7 +25,6 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   include <abstractions/audio>
   include <abstractions/devices-usb>
   include <abstractions/dri-common>
-  include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
@@ -108,6 +107,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix,
 
+  @{user_games_dirs}/*/* mr,
+  @{user_games_dirs}/*/**.dll mr,
+
   @{run}/host/usr/bin/ldconfig rix,
   @{run}/host/usr/lib{,32,64}/**.so* rm,
   @{run}/host/usr/bin/localedef rix,
@@ -136,6 +138,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   owner @{HOME}/.steam/steam.pid r,
   owner @{HOME}/.steam/steam.pipe r,
 
+  owner @{user_games_dirs}/{,*/} r,
+  owner @{user_games_dirs}/*/{,**} rwkl,
+
   owner @{user_config_dirs}/ r,
   owner @{user_config_dirs}/unity3d/{,**} rwk,
 
@@ -151,7 +156,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/Steam/steamapps/common/*/ r,
   owner @{user_share_dirs}/Steam/steamapps/common/*/** rwkl,
   owner @{user_share_dirs}/Steam/steamapps/common/Proton*/files/share/{,**} r,
-  owner @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/{,**} rwk,
+  owner @{user_share_dirs}/Steam/steamapps/compatdata/{,**} rwk,
   owner @{user_share_dirs}/Steam/steamapps/shadercache/{,**} rwk,
   owner @{user_share_dirs}/Steam/userdata/**/remotecache.vdf rw,
 
@@ -161,6 +166,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   owner @{run}/pressure-vessel/{,**} rw,
   owner @{run}/user/@{uid}/ r,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
+  owner @{run}/user/@{uid}/orcexec.* mrw,  # gstreamer
 
   owner /dev/shm/#[0-9]* rw,
   owner /dev/shm/mono.* rw,
@@ -206,12 +212,13 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
         @{PROC}/sys/kernel/overflowuid r,
         @{PROC}/uptime r,
         @{PROC}/version r,
-  owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/cmdline r,
+  owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/gid_map rw,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/setgroups rw,
+  owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
   owner @{PROC}/@{pid}/task/@{tid}/stat r,