feat(profile): general update.

apparmor.d/groups/freedesktop/colord

@@ -62,7 +62,7 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/drm/ r,
   @{sys}/class/video4linux/ r,
   @{sys}/devices/@{pci}/{vendor,model,type} r,
-  @{sys}/devices/@{pci}/drm/card@{int}/card[0-9]-{HDMI,VGA,LVDS,DP,eDP,Virtual}-*/{enabled,edid} r,
+  @{sys}/devices/@{pci}/drm/card@{int}/**/{enabled,edid} r,
   @{sys}/devices/@{pci}/uevent r,
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,
 

apparmor.d/groups/gvfs/gvfs-udisks2-volume-monitor

@@ -53,6 +53,8 @@ profile gvfs-udisks2-volume-monitor @{exec_path} flags=(attach_disconnected) {
   @{MOUNTS}/**/ r,
   @{HOME}/**/ r,
 
+  owner @{MOUNTS}/autorun.inf r,
+
   owner @{desktop_config_dirs}/dconf/user r,
 
   @{run}/mount/utab r,

apparmor.d/groups/systemd/systemd-networkd

@@ -50,6 +50,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 
   /etc/networkd-dispatcher/carrier.d/{,*} r,
 
+  / r,
+
         @{run}/systemd/network/ r,
         @{run}/systemd/network/*.network r,
         @{run}/systemd/notify rw,

apparmor.d/groups/virt/virtstoraged

@@ -25,6 +25,7 @@ profile virtstoraged @{exec_path} flags=(attach_disconnected) {
   @{bin}/qemu-system*  rUx, # TODO: Integration with virt-aa-helper
   @{bin}/qemu-img      rUx, # TODO: Integration with virt-aa-helper
 
+  /etc/libvirt/**/ r,
   /etc/libvirt/libvirt.conf r,
 
   # For disk images

apparmor.d/profiles-a-f/anyremote

@@ -46,14 +46,13 @@ profile anyremote @{exec_path} {
   @{bin}/convert-im6.q16 rCx -> imagemagic,
   @{bin}/killall         rCx -> killall,
   @{bin}/pgrep           rCx -> pgrep,
-  @{lib}/qt5/bin/qdbus   rCx -> qdbus,
-
 
   @{bin}/pacmd           rPx,
   @{bin}/pactl           rPx,
-  @{bin}/wmctrl          rPx,
-  @{bin}/qtchooser       rPx,
   @{bin}/ps              rPx,
+  @{bin}/qtchooser       rPx,
+  @{bin}/wmctrl          rPx,
+  @{lib}/qt{5,6}/bin/qdbus rPx,
 
   # Players
   @{bin}/smplayer        rPx,
@@ -128,14 +127,6 @@ profile anyremote @{exec_path} {
     include if exists <local/anyremote_pgrep>
   }
 
-  profile qdbus {
-    include <abstractions/base>
-
-    @{lib}/qt5/bin/qdbus mr,
-
-    include if exists <local/anyremote_qdbus>
-  }
-
   include if exists <local/anyremote>
 }
 

apparmor.d/profiles-a-f/fusermount

@@ -23,7 +23,7 @@ profile fusermount @{exec_path} {
   mount fstype={fuse,fuse.*} -> @{MOUNTS}/*/*/,
   mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/*/,
   mount fstype={fuse,fuse.*} -> /var/tmp/flatpak-cache-*/*/,
-  mount fstype={fuse,fuse.*} -> /tmp/.mount_nextcl@{rand6}/,
+  mount fstype={fuse,fuse.*} -> /tmp/.mount_*@{rand6}/,
 
   umount @{HOME}/*/,
   umount @{HOME}/*/*/,
@@ -47,6 +47,8 @@ profile fusermount @{exec_path} {
 
   owner @{user_cache_dirs}/**/ rw,
 
+  /tmp/.mount_*@{rand6}/ r,
+
   @{run}/user/@{uid}/doc/ r,
 
   @{PROC}/@{pid}/mounts r,

apparmor.d/profiles-a-f/fwupd

@@ -113,6 +113,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
   /dev/bus/usb/ r,
   /dev/bus/usb/@{int}/@{int} rw,
   /dev/cpu/@{int}/msr rw,
+  /dev/dri/card@{int} rw,
   /dev/drm_dp_aux@{int} rw,
   /dev/gpiochip@{int} r,
   /dev/hidraw@{int} rw,

apparmor.d/profiles-m-r/run-parts

@@ -31,7 +31,6 @@ profile run-parts @{exec_path} {
   /etc/conf.d/snapper{,**}                             r,
   /etc/snapper/configs/root                            r,
 
-
   # Crontab
   /etc/cron.{hourly,daily,weekly,monthly}/                     r,
   /etc/cron.{hourly,daily,weekly,monthly}/0anacron             rix,

apparmor.d/profiles-s-z/steam

@@ -266,7 +266,7 @@ profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
     ptrace trace peer=steam//web,
 
-    signal receive set=kill peer=steam,
+    signal receive set=(cont kill term) peer=steam,
 
     unix receive type=stream,
 

apparmor.d/profiles-s-z/strawberry

@@ -40,6 +40,8 @@ profile strawberry @{exec_path} {
 
   @{open_path} rPx -> child-open-help,
 
+  /etc/fstab r,
+
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 
@@ -50,6 +52,7 @@ profile strawberry @{exec_path} {
 
   owner @{user_config_dirs}/strawberry/ rw,
   owner @{user_config_dirs}/strawberry/* rwkl -> @{user_config_dirs}/strawberry/#@{int},
+  owner @{user_config_dirs}/strawberryrc r,
 
   owner @{user_share_dirs}/strawberry/ rw,
   owner @{user_share_dirs}/strawberry/** rwk,
@@ -65,6 +68,8 @@ profile strawberry @{exec_path} {
   owner @{tmp}/*= w,
   owner @{tmp}/#@{int} rw,
   owner @{tmp}/etilqs_@{hex16} rw,
+  owner @{tmp}/kdsingleapp-daemonspudguy-strawberry w,
+  owner @{tmp}/kdsingleapp-daemonspudguy-strawberry.lock rwk,
   owner @{tmp}/qipc_{systemsem,sharedmemory}_*[a-f0-9]* rw,
   owner @{tmp}/strawberry-cover-@{rand6}.jpg rwl -> @{tmp}/#@{int},
   owner @{tmp}/strawberry*[0-9] w,

apparmor.d/profiles-s-z/top

@@ -19,9 +19,9 @@ profile top @{exec_path} flags=(attach_disconnected) {
   capability sys_nice,
   capability sys_ptrace,
 
-  signal (send),
+  signal send,
 
-  ptrace (read),
+  ptrace read,
 
   @{exec_path} mr,
 

apparmor.d/profiles-s-z/update-ca-trust

@@ -24,10 +24,7 @@ profile update-ca-trust @{exec_path} {
   / r,
   /usr/share/p11-kit/modules/{,*} r,
 
-  /etc/ca-certificates/extracted/{tls,email,objsign}-ca-bundle.pem{,.*} w,
-  /etc/ca-certificates/extracted/ca-bundle.trust.crt{,.*} w,
-  /etc/ca-certificates/extracted/cadir/{,*} rw,
-  /etc/ca-certificates/extracted/edk2-cacerts.bin{,.*} w,
+  /etc/ca-certificates/extracted/** rw,
   /etc/ssl/certs/{,*} rw,
   /etc/ssl/certs/java/cacerts{,.*} w,
 

apparmor.d/profiles-s-z/wireplumber

@@ -61,7 +61,7 @@ profile wireplumber @{exec_path} {
   @{sys}/bus/ r,
   @{sys}/bus/media/devices/ r,
   @{sys}/devices/@{pci}/video4linux/video@{int}/uevent r,
-  @{sys}/devices/**/device:*/**/path r,
+  @{sys}/devices/**/device:*/{,**/}path r,
   @{sys}/devices/**/sound/**/pcm_class r,
   @{sys}/devices/**/sound/**/uevent r,
   @{sys}/devices/system/node/ r,