feat(gnome): improve first boot compatibility.

apparmor.d/groups/freedesktop/pulseaudio

@@ -18,10 +18,12 @@ profile pulseaudio @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
+  include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gstreamer>
   include <abstractions/hosts_access>
   include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
   include <abstractions/X-strict>
 
   ptrace (trace) peer=@{profile_name},

apparmor.d/groups/freedesktop/xdg-user-dirs-update

@@ -49,8 +49,9 @@ profile xdg-user-dirs-update @{exec_path} {
   owner @{HOME}/@{XDG_TEMPLATES_DIR}/ w,
   owner @{HOME}/@{XDG_VIDEOS_DIR}/ w,
 
-  owner @{user_config_dirs}/user-dirs.dirs r,
+  owner @{user_config_dirs}/user-dirs.dirs rw,
   owner @{user_config_dirs}/user-dirs.dirs?????? rw,
+  owner @{user_config_dirs}/user-dirs.locale rw,
 
   include if exists <local/xdg-user-dirs-update>
 }

apparmor.d/groups/gnome/gnome-contacts-search-provider

@@ -26,6 +26,8 @@ profile gnome-contacts-search-provider @{exec_path} {
   owner @{user_share_dirs}/folks/relationships.ini rw,
   owner @{user_share_dirs}/mime/mime.cache r,
 
+  owner @{user_cache_dirs}/folks/{,**/} rw,
+
   owner @{PROC}/@{pid}/cmdline r,
 
   include if exists <local/gnome-contacts-search-provider>

apparmor.d/groups/gnome/gnome-session-binary

@@ -156,7 +156,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   @{libexec}/gio-launch-desktop                            rix,
 
   /{usr/,}bin/aa-notify                                    rPx,
-  /{usr/,}bin/baloo_file                                  rPUx,
+  /{usr/,}bin/baloo_file                                   rPx,
   /{usr/,}bin/blueman-applet                               rPx,
   /{usr/,}bin/firewall-applet                             rPUx,
   /{usr/,}bin/gnome-keyring-daemon                         rPx,

apparmor.d/groups/gnome/gnome-shell

@@ -523,7 +523,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 
   /var/lib/gdm{3,}/.cache/ w,
   /var/lib/gdm{3,}/.cache/event-sound-cache.tdb.*.x86_64-pc-linux-gnu rwk,
-  /var/lib/gdm{3,}/.cache/fontconfig/* rw, 
+  /var/lib/gdm{3,}/.cache/fontconfig/{,*} rwl, 
   /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/ rw,
   /var/lib/gdm{3,}/.cache/gstreamer-[0-9]*/registry.*.bin{,.tmp*} rw,
   /var/lib/gdm{3,}/.cache/libgweather/ r,
@@ -565,6 +565,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   owner @{user_config_dirs}/.goutputstream{,*} rw,
   owner @{user_config_dirs}/ibus/ w,
   owner @{user_config_dirs}/monitors.xml{,~} rwl,
+  owner @{user_config_dirs}/pulse/ r,
   owner @{user_config_dirs}/tiling-assistant/{,**} rw,
 
   owner @{user_share_dirs}/backgrounds/{,**} rw,

apparmor.d/groups/gnome/gnome-software

@@ -74,9 +74,12 @@ profile gnome-software @{exec_path} {
   /var/tmp/#[0-9]* rw,
 
   owner @{HOME}/.var/app/{,**} rw,
-  owner @{user_cache_dirs}/flatpak/system-cache/{,**} rw,
+
+  owner @{user_cache_dirs}/flatpak/{,**} rw,
   owner @{user_cache_dirs}/gnome-software/{,**} rw,
+
   owner @{user_config_dirs}/pulse/*.conf r,
+
   owner @{user_share_dirs}/ r,
   owner @{user_share_dirs}/flatpak/repo/{,**} rw,
   owner @{user_share_dirs}/gnome-software/{,**} rw,

apparmor.d/groups/gnome/gsd-keyboard

@@ -105,7 +105,7 @@ profile gsd-keyboard @{exec_path} flags=(attach_disconnected) {
   /var/lib/gdm{3,}/.config/.gsd-keyboard.settings-ported* rw,
 
   owner @{user_config_dirs}/.gsd-keyboard.settings-ported* rw,
-  owner @{user_share_dirs}/gnome-settings-daemon/ rw,
+  owner @{user_share_dirs}/gnome-settings-daemon/{,input-sources*} rw,
 
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/wayland-[0-9] rw,

apparmor.d/groups/gnome/kgx

@@ -11,11 +11,15 @@ profile kgx @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/dconf-write>
+  include <abstractions/dri-common>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gtk>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
+  include <abstractions/vulkan>
+
+  capability sys_ptrace,
 
   ptrace (read),
 
@@ -36,6 +40,9 @@ profile kgx @{exec_path} {
   /usr/share/themes/{,**} r,
   /usr/share/X11/xkb/{,**} r,
 
+  owner /tmp/#[0-9]* rw,
+
+        @{PROC}/ r,
         @{PROC}/@{pids}/cmdline r,
         @{PROC}/@{pids}/stat r,
         @{PROC}/1/cgroup r,

apparmor.d/groups/gnome/nautilus

@@ -43,9 +43,10 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   /{usr/,}bin/{,ba,da}sh          rix,
-  /{usr/,}bin/net                rPUx,
-  /{usr/,}bin/firejail           rPUx,
   /{usr/,}bin/bwrap              rPUx,
+  /{usr/,}bin/firejail           rPUx,
+  /{usr/,}bin/net                rPUx,
+  /{usr/,}bin/tracker3           rPUx,
   /{usr/,}lib/gio-launch-desktop  rPx -> child-open,
 
   /usr/share/*ubuntu/applications/{,**} r,

apparmor.d/profiles-m-r/mission-control

@@ -18,7 +18,9 @@ profile mission-control @{exec_path} flags=(attach_disconnected)  {
   /usr/share/telepathy/{,**} r,
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 
-  owner @{user_share_dirs}/telepathy/mission-control/*.cfg r,
+  owner @{user_share_dirs}/telepathy/ rw,
+  owner @{user_share_dirs}/telepathy/mission-control/ rw,
+  owner @{user_share_dirs}/telepathy/mission-control/*.cfg* rw,
 
   owner @{user_config_dirs}/libaccounts-glib/accounts.db{,-shm,-wal} rwk,