feat(abs): internal cleanup.

apparmor.d/abstractions/audio-server

@@ -5,6 +5,8 @@
 # Provide access to audio devices. It should only be used by audio servers that
 # need direct access to them. 
 
+  include <abstractions/audio-client>
+
   /usr/share/alsa/{,**} r,
 
   /etc/alsa/conf.d/{,**} r,

apparmor.d/abstractions/bus/org.freedesktop.login1

@@ -27,4 +27,9 @@
        member=Introspect
        peer=(name=:*, label=systemd-logind),
 
+  dbus send bus=system path=/org/freedesktop/login1/session/*
+       interface=org.freedesktop.login1.Session
+       member=PauseDeviceComplete
+       peer=(name=org.freedesktop.login1, label=systemd-logind),
+
   include if exists <abstractions/bus/org.freedesktop.login1.d>

apparmor.d/abstractions/common/chromium

@@ -8,14 +8,11 @@
 
   # userns,
 
-  # Only needed when kernel.unprivileged_userns_clone is set to "1"
+  capability setgid, # If kernel.unprivileged_userns_clone = 1
+  capability setuid, # If kernel.unprivileged_userns_clone = 1
   capability sys_admin,
   capability sys_chroot,
-  capability setuid,
+  capability sys_ptrace,
-  capability setgid,
-  owner @{PROC}/@{pid}/setgroups w,
-  owner @{PROC}/@{pid}/gid_map w,
-  owner @{PROC}/@{pid}/uid_map w,
 
   owner @{HOME}/.pki/ rw,
   owner @{HOME}/.pki/nssdb/ rw,
@@ -37,4 +34,9 @@
         /dev/shm/ r,
   owner /dev/shm/.org.chromium.Chromium.* rw,
 
+  # If kernel.unprivileged_userns_clone = 1
+  owner @{PROC}/@{pid}/setgroups w,
+  owner @{PROC}/@{pid}/gid_map w,
+  owner @{PROC}/@{pid}/uid_map w,
+
   include if exists <abstractions/common/chromium.d>

apparmor.d/abstractions/thumbnails-cache-read

@@ -5,6 +5,6 @@
 
   owner @{user_cache_dirs}/thumbnails/ r,
   owner @{user_cache_dirs}/thumbnails/{*large,normal}/ r,
-  owner @{user_cache_dirs}/thumbnails/{*large,normal}/@{hex32}.png r,
+  owner @{user_cache_dirs}/thumbnails/{*large,normal}/*.png r,
 
   include if exists <abstractions/thumbnails-cache-read.d>

apparmor.d/abstractions/thumbnails-cache-write

@@ -5,8 +5,8 @@
 
   owner @{user_cache_dirs}/thumbnails/ rw,
   owner @{user_cache_dirs}/thumbnails/{large,normal}/ rw,
-  owner @{user_cache_dirs}/thumbnails/{large,normal}/@{hex32}.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
+  owner @{user_cache_dirs}/thumbnails/{large,normal}/*.png rwl -> @{user_cache_dirs}/thumbnails/{large,normal}/#@{int},
-  owner @{user_cache_dirs}/thumbnails/{large,normal}/@{hex32}.png.@{rand6} rw,
+  owner @{user_cache_dirs}/thumbnails/{large,normal}/*.png.@{rand6} rw,
   owner @{user_cache_dirs}/thumbnails/{large,normal}/#@{int} rw,
 
   include if exists <abstractions/thumbnails-cache-write.d>

apparmor.d/abstractions/xfce

@@ -8,8 +8,8 @@
   include <abstractions/wayland>
   include <abstractions/X-strict>
 
-  owner @{user_config_dirs}/xfce4/help.rc rw,
+  owner @{user_config_dirs}/xfce4/help{,ers}.rc rw,
-  owner @{user_config_dirs}/xfce4/help.rc.@{int}.tmp rw,
+  owner @{user_config_dirs}/xfce4/help{,ers}.rc.@{int}.tmp rw,
 
   owner @{HOME}/.local/ rw,
   owner @{user_cache_dirs}/ rw,