feat(profile): general update.

apparmor.d/profiles-m-r/parted

@@ -12,40 +12,26 @@ profile parted @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
 
-  # Needed to inform the system of newly created/removed partitions
-  #  ioctl(3, BLKRRPART)              = -1 EACCES (Permission denied)
-  #
-  #  Error: Partition(s) * on /dev/sd* have been written, but we have been unable to inform the
-  #  kernel of the change, probably because it/they are in use.  As a result, the old partition(s)
-  #  will remain in use.  You should reboot now before making further changes.
   capability sys_admin,
-
-  # Needed? (#FIXME#)
   capability sys_rawio,
 
-  # Needed?
-  ptrace (read),
+  ptrace read,
 
   @{exec_path} mr,
 
   @{sh_path}        rix,
 
   @{bin}/udevadm    rCx -> udevadm,
-
-  @{bin}/dmidecode rPx,
+  @{bin}/dmidecode  rPx,
 
   /etc/inputrc r,
 
-  # Image files
   owner @{user_img_dirs}/{,**} rwk,
 
         @{PROC}/devices r,
         @{PROC}/swaps r,
   owner @{PROC}/@{pid}/mounts r,
 
-  /dev/mapper/ r,
-  /dev/mapper/control rw,
-
   profile udevadm {
     include <abstractions/base>
     include <abstractions/app/udevadm>

apparmor.d/profiles-m-r/partprobe

@@ -12,34 +12,21 @@ profile partprobe @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
 
-  # To remove the following errors:
-  #  device-mapper: version ioctl on   failed: Permission denied
-  #  Incompatible libdevmapper 1.02.167 (2019-11-30) and kernel driver (unknown version).
   capability sys_admin,
-
-  # To remove the following errors:
-  #  kernel: device-mapper: core: partprobe: sending ioctl 1261 to DM device without required
-  #  privilege.
   capability sys_rawio,
 
-  # Needed?
-  ptrace (read),
+  ptrace read,
 
   @{exec_path} mr,
 
   @{sh_path}        rix,
 
   @{bin}/udevadm    rCx -> udevadm,
+  @{bin}/dmidecode  rPx,
 
-  @{bin}/dmidecode rPx,
-
-  owner @{PROC}/@{pid}/mounts r,
-        @{PROC}/swaps r,
         @{PROC}/devices r,
-
-  /dev/mapper/ r,
-  /dev/mapper/control rw,
-
+        @{PROC}/swaps r,
+  owner @{PROC}/@{pid}/mounts r,
 
   profile udevadm {
     include <abstractions/base>

apparmor.d/profiles-m-r/pass-import

@@ -9,8 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/pimport
 profile pass-import @{exec_path} {
   include <abstractions/base>
-  include <abstractions/python>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
+  include <abstractions/python>
+  include <abstractions/ssl_certs>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/profiles-m-r/pkexec

@@ -37,12 +37,11 @@ profile pkexec @{exec_path} {
 
   # Apps to be run via pkexec
   @{bin}/*            rPUx,
+  @{lib}/{,gvfs/}gvfsd-admin    rPx,
   @{lib}/cc-remote-login-helper rPx,
-  @{lib}/gvfs/gvfsd-admin rPUx, #(#FIXME#)
-  @{lib}/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
-  @{lib}/polkit-agent-helper-[0-9]              rPx,
   @{lib}/update-notifier/package-system-locked  rPx,
   /usr/share/apport/apport-gtk rPx,
+  #aa:exec polkit-agent-helper
 
   @{etc_ro}/environment r,
   @{etc_ro}/security/limits.d/{,*} r,
@@ -59,7 +58,7 @@ profile pkexec @{exec_path} {
   owner @{HOME}/.xsession-errors w,
 
   # Silencer
-deny @{user_share_dirs}/gvfs-metadata/* r,
+  deny @{user_share_dirs}/gvfs-metadata/* r,
 
   include if exists <local/pkexec>
 }

apparmor.d/profiles-m-r/protonmail-bridge

@@ -41,6 +41,8 @@ profile protonmail-bridge @{exec_path} {
   owner @{share_dirs}/ rw,
   owner @{share_dirs}/** rwlk -> @{share_dirs}/**,
 
+  owner @{tmp}/@{uuid}.txt w,
+
   owner @{PROC}/@{pid}/cmdline r,
 
   include if exists <local/protonmail-bridge>