Global profile update.

apparmor.d/groups/browsers/chrome-gnome-shell

@@ -21,7 +21,10 @@ profile chrome-gnome-shell @{exec_path} {
   network netlink raw,
 
   @{exec_path} mr,
+
+  /{usr/,}bin/ r,
   /{usr/,}bin/python3.[0-9]* r,
+  owner @{user_lib_dirs}/python3.9/site-packages/ r,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
 

apparmor.d/groups/gnome/gnome-keyring-daemon

@@ -16,6 +16,8 @@ profile gnome-keyring-daemon @{exec_path} {
   #  gnome-keyring-daemon: insufficient process capabilities, unsecure memory might get used
   capability ipc_lock,
 
+  signal (send) set=(term) peer=ssh-agent,
+
   @{exec_path} mr,
   /{usr/,}bin/ssh-add   rix,
   /{usr/,}bin/ssh-agent rPx,

apparmor.d/groups/gnome/gsd-xsettings

@@ -38,6 +38,7 @@ profile gsd-xsettings @{exec_path} {
   owner @{PROC}/@{pid}/fd/ r,
 
   /dev/dri/ r,
+  /dev/dri/renderD[0-9]* rw,
 
   /dev/tty rw,
   /dev/tty[0-9]* rw,

apparmor.d/groups/network/NetworkManager

@@ -41,6 +41,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/systemctl rPx -> child-systemctl,
   /{usr/,}bin/{,ba,da}sh rix,
 
+  / r,
   /etc/ r,
   /etc/resolv.conf rw,
   /etc/resolv.conf.[0-9A-Z]* rw,
@@ -70,9 +71,13 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/+pci* r,
 
   @{sys}/devices/**/uevent r,
-  @{sys}/devices/virtual/net/{,*} r,
+  @{sys}/devices/virtual/net/{,**} r,
   @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
 
+  @{PROC}/sys/kernel/osrelease r,
+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
+
   include if exists <local/NetworkManager>
 }

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -13,6 +13,7 @@ profile systemd-tmpfiles @{exec_path} {
   include <abstractions/nameservice-strict>
 
   capability dac_read_search,
+  capability net_admin,
   capability fsetid,
   capability mknod,
   capability fowner,
@@ -33,11 +34,13 @@ profile systemd-tmpfiles @{exec_path} {
 
   # Where the tmpfiles can be created,
   /{,*} rw,
+  /home/ rw,
   /dev/{,**} rw,
   /var/{,**} rwk,
   /run/{,**} rw,
   /tmp/{,**} rwk,
   /srv/{,**} rw,
+  /etc/{,**} r,
 
   @{run}/systemd/userdb/ r,
   @{sys}/devices/system/cpu/microcode/reload w,

apparmor.d/profiles-a-l/browserpass

@@ -27,5 +27,8 @@ profile browserpass @{exec_path} {
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
 
+  @{user_share_dirs}/gvfs-metadata/home r,
+  @{user_share_dirs}/gvfs-metadata/home-*.log r,
+
   include if exists <local/browserpass>
 }

apparmor.d/profiles-a-l/git

@@ -25,6 +25,7 @@ profile git @{exec_path} {
   network inet6 dgram,
   network inet stream,
   network inet6 stream,
+  network netlink raw,
 
   @{exec_path} mrix,
 
@@ -114,6 +115,7 @@ profile git @{exec_path} {
     network inet6 dgram,
     network inet stream,
     network inet6 stream,
+    network netlink raw,
 
     /{usr/,}bin/ssh mr,
 

apparmor.d/profiles-m-z/udisksd

@@ -124,7 +124,7 @@ profile udisksd @{exec_path} flags=(attach_disconnected) {
   @{run}/udisks2/mounted-fs{,.*} rw,
 
   @{run}/systemd/seats/seat[0-9]* r,
-
+  @{run}/systemd/inhibit/[0-9]*.ref rw,
 
   profile systemd-escape {
     include <abstractions/base>

apparmor.d/profiles-m-z/wpa-supplicant

@@ -25,9 +25,8 @@ profile wpa-supplicant @{exec_path} {
   #  remove this file before starting wpa_supplicant again.
   capability chown,
 
-  # Needed? (#FIXME#)
   capability fsetid,
-  audit deny capability sys_module,
+  capability sys_module,
 
   network packet raw,
   network packet dgram,