feat(profile): general update.

apparmor.d/abstractions/app-open

@@ -18,6 +18,7 @@
   @{bin}/nautilus               rPx,
 
   # Browsers
+  @{bin}/chromium               rPx,
   @{brave_path}                 rPx,
   @{chrome_path}                rPx,
   @{chromium_path}              rPx,

apparmor.d/abstractions/deny-sensitive-home

@@ -9,7 +9,7 @@
 # should be authorized. Meaning, you should not allow everything (or a large area)
 # and blacklist some sub area.
 
-# Use in this project: file browser and search engine
+# The only legitimate use in this project is for file browser and search engine.
 
   deny @{HOME}/.*.bak                     mrwkl,
   deny @{HOME}/.*.swp                     mrwkl,

apparmor.d/abstractions/nvidia-strict

@@ -31,4 +31,6 @@
   /dev/nvidia@{int} rw,
   /dev/nvidiactl rw,
 
+  deny owner @{HOME}/.nv/.local/share/gvfs-metadata/* r,
+
   include if exists <abstractions/nvidia-strict.d>

apparmor.d/groups/browsers/firefox

@@ -166,31 +166,31 @@ profile firefox @{exec_path} flags=(attach_disconnected) {
 
         /tmp/ r,
         /var/tmp/ r,
-  owner /tmp/user/@{uid}/ rw,
+  owner /tmp/.xfsm-ICE-@{rand6} rw,
-  owner /tmp/user/@{uid}/* rwk,
-  owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
-  owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
-  owner /tmp/user/@{uid}/@{name}/ rw,
-  owner /tmp/user/@{uid}/@{name}/* rwk,
   owner /tmp/@{name}/ rw,
   owner /tmp/@{name}/* rwk,
   owner /tmp/@{rand6}.tmp r,
+  owner /tmp/@{rand8}.txt w,
+  owner /tmp/* w,  # file downloads (to anywhere)
   owner /tmp/firefox_*/ rw,
   owner /tmp/firefox_*/* rwk,
   owner /tmp/mozilla_*/ rw,
   owner /tmp/mozilla_*/* rw,
-  owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw,
+  owner /tmp/mozilla-temp-@{int} rw,
-  owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k,
-  owner /tmp/Mozillato-be-removed-cachePurge-??????????????? rwk,
   owner /tmp/Mozilla@{uuid}-cachePurge-??????????????? rwk,
   owner /tmp/Mozilla\{@{uuid}\}-cachePurge-??????????????? rwk,
+  owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/.parentlock k,
+  owner /tmp/MozillaBackgroundTask-???????????????-removeDirectory/{**,} rw,
+  owner /tmp/Mozillato-be-removed-cachePurge-??????????????? rwk,
   owner /tmp/Temp-@{uuid}/{**,} rw,
-  owner /tmp/mozilla-temp-@{int} rw,
-  owner /tmp/@{rand8}.txt w,
   owner /tmp/tmp-???.xpi rw,
-  owner /tmp/.xfsm-ICE-@{rand6} rw,
   owner /tmp/tmpaddon r,
-  owner /tmp/* w,  # file downloads (to anywhere)
+  owner /tmp/user/@{uid}/ rw,
+  owner /tmp/user/@{uid}/@{name}/ rw,
+  owner /tmp/user/@{uid}/@{name}/* rwk,
+  owner /tmp/user/@{uid}/* rwk,
+  owner /tmp/user/@{uid}/Temp-@{uuid}/ rw,
+  owner /tmp/user/@{uid}/Temp-@{uuid}/* rwk,
 
   @{run}/mount/utab r,
 

apparmor.d/groups/freedesktop/pulseaudio

@@ -22,6 +22,7 @@ profile pulseaudio @{exec_path} {
   include <abstractions/dconf-write>
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
   include <abstractions/gstreamer>

apparmor.d/groups/kde/sddm

@@ -81,6 +81,7 @@ profile sddm @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{bin}/startplasma-wayland  rPx,
   @{bin}/startplasma-x11      rPx,
   @{bin}/systemctl            rPx -> child-systemctl,
+  @{bin}/unix_chkpwd          rPx,
   @{bin}/xrdb                 rPx,
   @{bin}/xset                 rPx,
   @{etc_ro}/X11/xdm/Xsession  rPx,

apparmor.d/groups/kde/utempter

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/utempter/utempter
-profile utempter @{exec_path} {
+profile utempter @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>

apparmor.d/groups/network/ModemManager

@@ -16,6 +16,8 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/devices-usb>
   include <abstractions/dri-enumerate>
 
+  capability net_admin,
+
   network qipcrtr dgram,
   network netlink raw,
 

apparmor.d/groups/service/init-exim4

@@ -15,7 +15,13 @@ profile init-exim4 @{exec_path} {
   capability dac_read_search,
   capability fowner,
   capability fsetid,
+  capability kill,
   capability net_admin,
+  capability sys_ptrace,
+
+  signal (send) peer=exim4,
+
+  ptrace (read) peer=@{systemd},
 
   @{exec_path} mr,
 
@@ -45,7 +51,7 @@ profile init-exim4 @{exec_path} {
 
   /var/lib/exim4/* rw,
 
-  owner @{run}/exim4/{,**} rw,
+  @{run}/exim4/{,**} rw,
 
   include if exists <local/init-exim4>
 }

apparmor.d/profiles-a-f/evince-thumbnailer

@@ -7,10 +7,16 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/evince-thumbnailer
-profile evince-thumbnailer @{exec_path} {
+profile evince-thumbnailer @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   @{exec_path} mr,
 
+  /usr/share/mime/mime.cache r,
+  /usr/share/poppler/{,**} r,
+
+  owner /tmp/gnome-desktop-file-to-thumbnail.pdf r,
+  owner /tmp/gnome-desktop-thumbnailer.png w,
+
   include if exists <local/evince-thumbnailer>
 }

apparmor.d/profiles-a-f/exim4

@@ -30,6 +30,8 @@ profile exim4 @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  signal (receive) peer=init-exim4,
+
   @{exec_path} mrix,
 
   /etc/email-addresses r,

apparmor.d/profiles-g-l/htop

@@ -36,7 +36,7 @@ profile htop @{exec_path} {
 
   owner @{user_config_dirs}/ rw,
   owner @{user_config_dirs}/htop/ rw,
-  owner @{user_config_dirs}/htop/htoprc rw,
+  owner @{user_config_dirs}/htop/* rw,
 
   owner @{PROC}/@{pid}/smaps_rollup r,
 

apparmor.d/profiles-s-z/snapd-aa-prompt-ui

@@ -6,11 +6,13 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{lib}/snapd/snapd-aa-prompt-ui
+@{lib_dirs} = @{lib}/ /snap/snapd/@{int}@{lib}
+
+@{exec_path} = @{lib_dirs}/snapd/snapd-aa-prompt-ui
 profile snapd-aa-prompt-ui @{exec_path} {
   include <abstractions/base>
 
-  @{exec_path} mr,
+  @{exec_path} mrix,
 
   /snap/snapd/@{int}@{lib}/snapd/info r,