feat(profiles): general update.

apparmor.d/groups/apt/dpkg-preconfigure

@@ -38,7 +38,7 @@ profile dpkg-preconfigure @{exec_path} {
   owner /var/cache/debconf/{config,passwords,templates}.dat{,-old,-new} rwk,
   owner /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
 
-  owner @{run}/user/@{uid}/pk-debconf-socket rw,
+  @{run}/user/@{uid}/pk-debconf-socket rw,
 
   # The following is needed when dpkg-preconfigure uses debcconf GUI frontends.
   include <abstractions/gtk>

apparmor.d/groups/freedesktop/geoclue

@@ -41,6 +41,10 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.Properties
        member={GetAll,PropertiesChanged},
 
+  dbus receive bus=system path=/
+       interface=org.freedesktop.Avahi.Server
+       member=StateChanged,
+
   dbus receive bus=system path=/Client[0-9]/ServiceBrowser[0-9]
        interface=org.freedesktop.Avahi.ServiceBrowser
        member={AllForNow,CacheExhausted},

apparmor.d/groups/freedesktop/plymouthd

@@ -18,6 +18,7 @@ profile plymouthd @{exec_path} {
 
   signal (send) peer=unconfined,
 
+  unix type=stream addr="@/org/freedesktop/plymouthd",
   unix type=stream peer=(addr="@/org/freedesktop/plymouthd"),
 
   @{exec_path} mr,
@@ -27,6 +28,7 @@ profile plymouthd @{exec_path} {
   /etc/default/keyboard r,
 
   @{run}/udev/data/+drm:* r,
+  @{run}/udev/data/c226:* r,
 
   @{sys}/bus/ r,
   @{sys}/class/ r,
@@ -38,6 +40,8 @@ profile plymouthd @{exec_path} {
   @{PROC}/cmdline r,
 
   /dev/dri/card[0-9]* rw,
+  /dev/ptmx rw,
+  /dev/tty[0-9]* rw,
 
   include if exists <local/plymouthd>
 }

apparmor.d/groups/freedesktop/upowerd

@@ -34,7 +34,7 @@ profile upowerd @{exec_path} flags=(attach_disconnected) {
 
   dbus receive bus=system path=/org/freedesktop/login[0-9]
        interface=org.freedesktop.login[0-9].Manager
-       member={SessionNew,PrepareForShutdown},
+       member={SessionNew,SessionRemoved,PrepareForShutdown},
 
   dbus bind bus=system 
        name=org.freedesktop.UPower,

apparmor.d/groups/gnome/gnome-characters-backgroudservice

@@ -6,7 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} =   /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService
+@{exec_path} = /usr/share/org.gnome.Characters/org.gnome.Characters.BackgroundService
 profile gnome-characters-backgroudservice @{exec_path} {
   include <abstractions/base>
   include <abstractions/dconf-write>

apparmor.d/groups/gnome/gnome-control-center

@@ -61,7 +61,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 
   dbus send bus=system path=/org/freedesktop/Accounts
        interface=org.freedesktop.Accounts
-       member=ListCachedUsers,
+       member={ListCachedUsers,FindUserById},
 
   dbus send bus=system path=/net/hadess/SwitcherooControl
        interface=org.freedesktop.DBus.Properties
@@ -107,7 +107,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   /usr/share/egl/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/gnome-background-properties/{,**} r,
-  /usr/share/gnome-bluetooth/{,**} r,
+  /usr/share/gnome-bluetooth{-*,}/{,**} r,
   /usr/share/gnome-color-manager/{,**} r,
   /usr/share/gnome-shell/search-providers/{,**} r,
   /usr/share/gnome/gnome-version.xml r,

apparmor.d/groups/gnome/gnome-control-center-goa-helper

@@ -15,6 +15,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
   include <abstractions/gnome>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/opencl>
   include <abstractions/openssl>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>

apparmor.d/groups/gnome/gnome-music

@@ -31,6 +31,7 @@ profile gnome-music @{exec_path} {
   /{usr/,}bin/ r,
   /{usr/,}bin/python3.[0-9]* rix,
 
+  /usr/share/egl/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/grilo-plugins/grl-lua-factory/{,*} r,
   /usr/share/org.gnome.Music/{,**} r,

apparmor.d/groups/gnome/gnome-terminal-server

@@ -23,6 +23,9 @@ profile gnome-terminal-server @{exec_path} {
   /{usr/,}bin/{,b,d,rb}ash         rUx,
   /{usr/,}bin/{c,k,tc,z}sh         rUx,
 
+  # Some CLI program can be launched directly from Gnome Shell
+  /{usr/,}bin/htop                 rPx,
+
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
   /usr/share/X11/xkb/{,**} r,
 

apparmor.d/groups/pacman/pacman-key

@@ -43,11 +43,14 @@ profile pacman-key @{exec_path} {
 
   profile gpg {
     include <abstractions/base>
+    include <abstractions/p11-kit>
+    include <abstractions/ssl_certs>
 
     capability dac_read_search,
     capability mknod,
 
     /{usr/,}bin/gpg        mr,
+    /{usr/,}bin/dirmngr    rix,
     /{usr/,}bin/gpg-agent  rix,
 
     /usr/share/pacman/keyrings/{,*} r,

apparmor.d/groups/systemd/bootctl

@@ -39,15 +39,20 @@ profile bootctl @{exec_path} {
 
   @{run}/host/container-manager r,
 
+  @{sys}//class/tpmrm/ r,
+
   @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
 
   @{sys}/firmware/dmi/entries/*/raw r,
   @{sys}/firmware/efi/efivars/ r,
+  @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
   @{sys}/firmware/efi/efivars/Boot[0-9A-F]*-@{uuid} r,
   @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
+  @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
+  @{sys}/firmware/efi/efivars/LoaderEntrySelected-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,

apparmor.d/groups/systemd/systemd-machine-id-setup

@@ -10,6 +10,8 @@ include <tunables/global>
 profile systemd-machine-id-setup @{exec_path} {
   include <abstractions/base>
 
+  capability dac_override,
+
   @{exec_path} mr,
 
   /etc/machine-id rw,

apparmor.d/groups/systemd/systemd-resolved

@@ -11,6 +11,7 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
   include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
   include <abstractions/p11-kit>
   include <abstractions/ssl_certs>
   include <abstractions/systemd-common>

apparmor.d/groups/systemd/systemd-udevd

@@ -49,8 +49,8 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
 
   /{usr/,}{s,}bin/*             rPUx,
 
-  /{usr,/}lib/pm-utils/power.d/*          rPUx,
-  /{usr,/}lib/snapd/snap-device-helper     rPx,
+  /{usr/,}lib/pm-utils/power.d/*          rPUx,
+  /{usr/,}lib/snapd/snap-device-helper     rPx,
   /{usr/,}lib/crda/*                      rPUx,
   /{usr/,}lib/gdm-runtime-config           rPx,
   /{usr/,}lib/systemd/systemd-*            rPx,

apparmor.d/groups/ubuntu/apt-esm-hook

@@ -18,7 +18,7 @@ profile apt-esm-hook @{exec_path} {
 
   /etc/machine-id r,
 
-  /var/cache/apt/pkgcache.bin.* rw,
+  /var/cache/apt/pkgcache.bin* rw,
   /var/lib/ubuntu-advantage/messages/{,**} rw,
 
   owner @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/ubuntu/apt-esm-json-hook

@@ -13,5 +13,7 @@ profile apt-esm-json-hook @{exec_path} {
 
   @{exec_path} mr,
 
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
   include if exists <local/apt-esm-json-hook>
 }

apparmor.d/groups/ubuntu/update-manager

@@ -30,7 +30,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 
   dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*}
        interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}}
-       member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll},
+       member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache},
 
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
@@ -54,13 +54,14 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  /{usr/,}bin/dpkg                  rPx -> child-dpkg,
-  /{usr/,}bin/hwe-support-status    rPx,
-  /{usr/,}bin/ischroot              rix,
-  /{usr/,}bin/lsb_release           rPx -> lsb_release,
-  /{usr/,}bin/snap                 rPUx,
-  /{usr/,}bin/uname                 rix,
-  /{usr/,}lib/apt/methods/http{,s}  rPx,
+  /{usr/,}bin/dpkg                     rPx -> child-dpkg,
+  /{usr/,}bin/hwe-support-status       rPx,
+  /{usr/,}bin/ischroot                 rix,
+  /{usr/,}bin/lsb_release              rPx -> lsb_release,
+  /{usr/,}bin/snap                    rPUx,
+  /{usr/,}bin/software-properties-gtk  rPx,
+  /{usr/,}bin/uname                    rix,
+  /{usr/,}lib/apt/methods/http{,s}     rPx,
 
   /usr/share/distro-info/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
@@ -70,6 +71,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   /usr/share/update-manager/{,**} r,
   /usr/share/X11/{,**} r,
 
+  /etc/gnome/defaults.list r,
   /etc/machine-id r,
   /etc/update-manager/{,**} r,
 
@@ -82,6 +84,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   /var/lib/update-manager/{,**} rw,
 
   owner @{user_cache_dirs}/update-manager-core/{,**} rw,
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   owner @{run}/user/@{uid}/wayland-[0-9]* rw,
 

apparmor.d/groups/virt/containerd

@@ -21,7 +21,9 @@ profile containerd @{exec_path} {
   /{usr/,}bin/containerd-shim-runc-v2 rPUx,
   /{usr/,}bin/kmod                    rPx,
 
+  /etc/cni/ rw,
   /etc/cni/{,**} r,
+  /etc/cni/net.d/ rw,
   /etc/containerd/*.toml r,
 
   /var/lib/containerd/{,**} rwk,
@@ -30,6 +32,8 @@ profile containerd @{exec_path} {
   @{run}/docker/containerd/{,**} rwk,
   /opt/containerd/{,**} rw,
 
+  @{run}/systemd/notify w,
+
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
   owner @{PROC}/@{pids}/uid_map r,