feat(profiles): general update.

apparmor.d/abstractions/python.d/complete

@@ -7,7 +7,7 @@
 
   /{usr/,}bin/python{2.[4-7],3,3.[0-9]*} r,
 
-  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/**/ r,
+  /usr/local/lib{,32,64}/python{2.[4-7],3,3.[0-9]*}/{site,dist}-packages/{,**/} r,
 
   owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{pyc,so}              mr,
   owner @{user_lib_dirs}/python{2.[4-7],3,3.[0-9]*}/**.{egg,py,pth}          r,

apparmor.d/groups/apt/dpkg-divert

@@ -16,7 +16,7 @@ profile dpkg-divert @{exec_path} {
 
   /var/lib/dpkg/** r,
 
-  /usr/share/*/**.dpkg-divert.tmp w,
+  /usr/share/*/** w,
 
   /var/lib/dpkg/diversions rw,
   /var/lib/dpkg/diversions-new rw,

apparmor.d/groups/browsers/chromium-chromium

@@ -58,6 +58,7 @@ profile chromium-chromium @{exec_path} flags=(attach_disconnected) {
 
   /{usr/,}bin/lsb_release        rPx -> lsb_release,
   /{usr/,}bin/xdg-desktop-menu   rPx,
+  /{usr/,}bin/xdg-email          rPx,
   /{usr/,}bin/xdg-icon-resource  rPx,
   /{usr/,}bin/xdg-mime           rPx,
   /{usr/,}bin/xdg-open           rCx -> open,

apparmor.d/groups/gvfs/gvfsd-dnssd

@@ -30,7 +30,7 @@ profile gvfsd-dnssd @{exec_path} {
   @{exec_path} mr,
 
   owner @{run}/user/@{uid}/gvfsd/ rw,
-  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-z0-9]* rw,
+  owner @{run}/user/@{uid}/gvfsd/socket-[a-zA-Z0-9]* rw,
 
   include if exists <local/gvfsd-dnssd>
 }

apparmor.d/groups/systemd/systemd-logind

@@ -65,6 +65,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   /etc/systemd/logind.conf r,
   /etc/systemd/sleep.conf r,
 
+  /swapfile r,
   /boot/{,**} r,
 
   /var/lib/systemd/linger/ r,

apparmor.d/groups/ubuntu/update-manager

@@ -74,6 +74,7 @@ profile update-manager @{exec_path} flags=(attach_disconnected) {
   /usr/share/X11/{,**} r,
 
   /etc/gnome/defaults.list r,
+  /etc/gtk-3.0/settings.ini r,
   /etc/machine-id r,
   /etc/update-manager/{,**} r,
 

apparmor.d/groups/virt/containerd-shim-runc-v2

@@ -16,10 +16,14 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability net_admin,
   capability sys_admin,
+  capability sys_ptrace,
   capability sys_resource,
 
-  mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/,
-  umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-z]*/rootfs/,
+  ptrace (read) peer=containerd,
+  ptrace (read) peer=unconfined,
+
+  mount -> /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
+  umount /run/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/rootfs/,
 
   @{exec_path} mrix,
 
@@ -31,7 +35,7 @@ profile containerd-shim-runc-v2 @{exec_path} flags=(attach_disconnected) {
 
   @{run}/containerd/{,containerd.sock.ttrpc} rw,
   @{run}/containerd/io.containerd.grpc.v1.cri/containers/[0-9a-f]*/io/[0-9]*/[0-9a-f]*-{stdin,stdout,stderr} rw,
-  @{run}/containerd/io.containerd.runtime.v2.task/k8s.io/[0-9a-f]*/{,*} rw,
+  @{run}/containerd/io.containerd.runtime.v2.task/{moby,k8s.io}/[0-9a-f]*/{,*} rw,
   @{run}/containerd/s/{,[0-9a-f]*} rw,
 
   @{run}/docker/containerd/[0-9a-f]*/[0-9a-f]*-{stdin,stdout,stderr} rw,

apparmor.d/groups/virt/libvirtd

@@ -207,6 +207,8 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   @{sys}/fs/cgroup/cgroup.controllers r,
   @{sys}/fs/cgroup/machine.slice/* r,
   @{sys}/fs/cgroup/machine.slice/machine-qemu*.scope/{,**} rw,
+  @{sys}/fs/cgroup/net_cls/machine.slice/ rw,
+  @{sys}/fs/cgroup/net_cls/machine.slice/machine-qemu*.scope/{,**} rw,
 
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pid}/fd/ r,

apparmor.d/profiles-s-z/wireplumber

@@ -45,7 +45,7 @@ profile wireplumber @{exec_path} {
   @{sys}/devices/**/sound/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/modalias r,
   @{sys}/devices/pci[0-9]*/**/video4linux/video[0-9]*/uevent r,
-  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
+  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name,board_vendor,bios_vendor} r,
 
   /dev/snd/ r,
   /dev/video[0-9]* rw,