feat(profile): general update.

apparmor.d/profiles-a-f/acpid

@@ -18,7 +18,7 @@ profile acpid @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{bin}/{ba,da,}sh        rix,
+  @{sh_path}               rix,
   @{bin}/logger            rix,
 
   /etc/acpi/powerbtn-acpi-support.sh rPx -> acpi-powerbtn,

apparmor.d/profiles-a-f/dmesg

@@ -12,8 +12,8 @@ profile dmesg @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
-  capability syslog,
   capability dac_read_search,
+  capability syslog,
 
   @{exec_path} mr,
 
@@ -28,8 +28,11 @@ profile dmesg @{exec_path} {
 
   /dev/kmsg r,
 
-  deny /{usr/,}local/bin/ r,
   deny @{bin}/{,*/} r,
+  deny /{usr/,}local/{,s}bin/ r,
+  deny /var/lib/flatpak/exports/bin/ r,
+  deny @{HOME}/.go/bin/ r,
+  deny @{user_bin_dirs}/ r,
 
   include if exists <local/dmesg>
 }

apparmor.d/profiles-a-f/f3fix

@@ -12,28 +12,20 @@ profile f3fix @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
 
-  # To remove the following errors:
-  #  Error: Partition(s) * on /dev/sdb have been written, but we have been unable to inform the
-  #  kernel of the change, probably because it/they are in use.  As a result, the old partition(s)
-  #  will remain in use.  You should reboot now before making further changes.
   capability sys_admin,
-
-  # Needed? (##FIXME##)
   capability sys_rawio,
 
-  # Needed?
-  ptrace (read),
+  ptrace read,
 
   @{exec_path} mr,
 
-  @{sh_path}         rix,
+  @{sh_path}  rix,
 
   @{bin}/dmidecode  rPx,
+  @{bin}/udevadm    rCx -> udevadm,
 
-  @{bin}/udevadm     rCx -> udevadm,
-
-  owner @{PROC}/@{pid}/mounts r,
         @{PROC}/swaps r,
+  owner @{PROC}/@{pid}/mounts r,
 
   profile udevadm {
     include <abstractions/base>

apparmor.d/profiles-a-f/fatresize

@@ -12,27 +12,20 @@ profile fatresize @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
 
-  # Needed to inform the system of newly created/removed partitions
-  # ioctl(3, BLKFLSBUF)              = -1 EACCES (Permission denied)
   capability sys_admin,
-
-  # Needed? (##FIXME##)
   capability sys_rawio,
 
-  # Needed?
-  ptrace (read),
+  ptrace read,
 
   @{exec_path} mr,
 
-  @{sh_path}         rix,
+  @{sh_path}  rix,
 
   @{bin}/dmidecode  rPx,
+  @{bin}/udevadm    rCx -> udevadm,
 
-  @{bin}/udevadm     rCx -> udevadm,
-
-  owner @{PROC}/@{pid}/mounts r,
         @{PROC}/swaps r,
-
+  owner @{PROC}/@{pid}/mounts r,
 
   profile udevadm {
     include <abstractions/base>

apparmor.d/profiles-a-f/findmnt

@@ -14,6 +14,7 @@ profile findmnt @{exec_path} flags=(attach_disconnected,complain) {
   include <abstractions/disks-read>
 
   capability dac_read_search,
+  capability sys_rawio,
 
   @{exec_path} mr,