feat(profile): general update.

apparmor.d/groups/apps/calibre

@@ -15,9 +15,9 @@ include <tunables/global>
 @{exec_path} += @{bin}/web2disk
 profile calibre @{exec_path} {
   include <abstractions/base>
-  include <abstractions/bus/org.a11y>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
+  include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/chromium-common>
   include <abstractions/devices-usb>

apparmor.d/groups/bus/dbus-daemon

@@ -27,6 +27,7 @@ profile dbus-daemon @{exec_path} flags=(attach_disconnected) {
   network bluetooth stream,
   network bluetooth seqpacket,
 
+  signal (receive) set=(cont term) peer=@{systemd_user},
   signal (receive) set=(term hup kill) peer=at-spi-bus-launcher,
   signal (receive) set=(term hup kill) peer=dbus-run-session,
   signal (receive) set=(term hup kill) peer=gdm*,

apparmor.d/groups/freedesktop/at-spi-bus-launcher

@@ -55,7 +55,7 @@ profile at-spi-bus-launcher @{exec_path} flags=(attach_disconnected) {
   @{sys}/module/apparmor/parameters/enabled r,
 
         @{PROC}/@{pid}/cmdline r,
-        @{PROC}/@{pid}/oom_score_adj r,
+        @{PROC}/@{pid}/oom_score_adj rw,
         @{PROC}/@{pids}/mounts r,
         @{PROC}/1/cgroup r,
   owner @{PROC}/@{pid}/attr/apparmor/current r,

apparmor.d/groups/freedesktop/polkit-agent-helper

@@ -42,6 +42,8 @@ profile polkit-agent-helper @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/unix_chkpwd rPx,
+
   owner @{HOME}/.xsession-errors w,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,

apparmor.d/groups/freedesktop/pulseaudio

@@ -41,11 +41,9 @@ profile pulseaudio @{exec_path} {
   network bluetooth stream,
   network bluetooth seqpacket,
 
-  dbus bind bus=session name=org.freedesktop.ReserveDevice1.Audio1,
+  # dbus: own bus=session name=org.freedesktop.ReserveDevice1.Audio@{int}
-
+  # dbus: own bus=session name=org.PulseAudio1
-  dbus bind bus=session name=org.PulseAudio1,
+  # dbus: own bus=session name=org.pulseaudio*
-
-  dbus bind bus=session name=org.pulseaudio*,
 
   dbus receive bus=session
        interface=org.freedesktop.DBus.Introspectable

apparmor.d/groups/ubuntu/subiquity-console-conf

@@ -35,8 +35,8 @@ profile subiquity-console-conf @{exec_path} {
   @{bin}/tty         rix,
 
   @{bin}/journalctl                      rCx -> journalctl,
-  @{bin}/ssh-keygen                      rPx, 
+  @{bin}/ssh-keygen                      rPx,
-  @{bin}/sshd                            rPx, 
+  @{bin}/sshd                            rPx,
   @{bin}/snap                           rPUx,
   /usr/lib/snapd/snap-recovery-chooser  rPUx,
   /usr/share/netplan/netplan.script     rPUx, # TODO: rPx,

apparmor.d/groups/ubuntu/update-notifier

@@ -22,23 +22,16 @@ profile update-notifier @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/python>
 
-  dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
+  # dbus: talk bus=system name=org.debian.apt label=apt
-       interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
-       peer=(name=:*, label=gnome-shell),
 
-  dbus send bus=session path=/StatusNotifierWatcher
+#   dbus receive bus=session path=/org/ayatana/NotificationItem{,/**}
-       interface=org.kde.StatusNotifierWatcher
+#        interface={com.canonical.dbusmenu,org.freedesktop.DBus.Properties}
-       member=RegisterStatusNotifierItem
+#        peer=(name=:*, label=gnome-shell),
-       peer=(name=:*, label=gnome-shell),
 
-  dbus send bus=system path=/org/debian/apt
+  dbus receive bus=session path=/org/ayatana/NotificationItem/software_update_available
-       interface=org.debian.apt
-       member=GetActiveTransactions
-       peer=(name=:*, label=apt),
-  dbus send bus=system path=/org/debian/apt
        interface=org.freedesktop.DBus.Properties
-       member=GetAll
+       member={Get,GetAll}
-       peer=(name=:*, label=apt),
+       peer=(name=:*, label=gnome-shell),
 
   @{exec_path} mr,
 

apparmor.d/profiles-a-f/file-roller

@@ -11,6 +11,7 @@ profile file-roller @{exec_path} {
   include <abstractions/base>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>
+  include <abstractions/bus/org.a11y>
   include <abstractions/dconf-write>
   include <abstractions/desktop>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-g-l/grpck

@@ -8,7 +8,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/grpck
-profile grpck @{exec_path} {
+profile grpck @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 

apparmor.d/profiles-m-r/pwck

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/pwck
-profile pwck @{exec_path} {
+profile pwck @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>

apparmor.d/profiles-s-z/snapd-aa-prompt-listener

@@ -16,6 +16,8 @@ profile snapd-aa-prompt-listener @{exec_path} {
 
   @{lib_dirs}/snapd/info r,
 
+  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+
   @{PROC}/cmdline r,
 
   include if exists <local/snapd-aa-prompt-listener>

apparmor.d/profiles-s-z/spice-vdagent

@@ -42,7 +42,9 @@ profile spice-vdagent @{exec_path} flags=(attach_disconnected) {
 
   /etc/pipewire/client.conf r,
 
+  /var/lib/gdm{3,}/.config/pulse/cookie rk,
   /var/lib/gdm{3,}/.config/user-dirs.dirs r,
+
   /var/lib/nscd/passwd r,
 
   owner @{user_config_dirs}/user-dirs.dirs r,