feat(profile): remove rules already included in the base abs.

apparmor.d/groups/apt/apt-overlay

@@ -22,7 +22,6 @@ profile apt-overlay @{exec_path} {
   owner @{bin}/env r,
 
   @{lib}/ruby/{,**} r,
-  @{lib}/locale/locale-archive r,
   @{lib}/ruby/gems/3.0.0/specifications/default/*.gemspec rwk,
 
   /usr/share/rubygems-integration/{,**} r,

apparmor.d/groups/cron/cron-apt

@@ -70,9 +70,6 @@ profile cron-apt @{exec_path} {
   /var/log/cron-apt/mail rw,
   /var/log/cron-apt/lastfullmessage rw,
 
-  # For the "ls" command
-  @{lib}/locale/locale-archive r,
-
   # TMP
         /tmp/ r,
   owner @{tmp}/cron-apt.*/ rw,

apparmor.d/groups/freedesktop/colord

@@ -52,7 +52,6 @@ profile colord @{exec_path} flags=(attach_disconnected) {
   @{desktop_share_dirs}/icc/edid-*.icc r,
   @{user_share_dirs}/icc/edid-*.icc r,
 
-  @{run}/systemd/journal/socket rw,
   @{run}/systemd/sessions/* r,
 
   @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)

apparmor.d/groups/freedesktop/geoclue

@@ -41,8 +41,6 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
   /var/lib/nscd/services r,
   /var/lib/dbus/machine-id r,
 
-  @{run}/systemd/journal/socket rw,
-
   @{PROC}/@{pids}/cgroup r,
   @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
 

apparmor.d/groups/gnome/evolution-alarm-notify

@@ -34,7 +34,6 @@ profile evolution-alarm-notify @{exec_path} {
   @{exec_path} mr,
 
   /usr/share/evolution-data-server/{,**} r,
-  /usr/share/{,zoneinfo-}icu/{,**} r,
 
   /etc/timezone r,
 

apparmor.d/groups/gnome/gnome-control-center

@@ -165,7 +165,6 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/fdinfo/@{int} r,
   owner @{PROC}/@{pid}/loginuid r,
-  owner @{PROC}/@{pid}/maps r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/statm r,

apparmor.d/groups/gnome/gnome-shell

@@ -194,7 +194,6 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   /opt/**/share/icons/{,**} r,
   /snap/*/@{uid}/**.png r,
-  /usr/share/{,zoneinfo-}icu/{,**} r,
   /usr/share/**.{png,jpg,svg} r,
   /usr/share/**/icons/{,**} r,
   /usr/share/backgrounds/{,**} r,

apparmor.d/groups/gnome/gnome-shell-calendar-server

@@ -36,7 +36,6 @@ profile gnome-shell-calendar-server @{exec_path} {
   @{exec_path} mr,
 
   /usr/share/glib-2.0/schemas/gschemas.compiled r,
-  /usr/share/{,zoneinfo-}icu/{,**} r,
 
   /etc/sysconfig/clock r,
   /etc/timezone r,

apparmor.d/groups/grub/grub-multi-install

@@ -31,7 +31,6 @@ profile grub-multi-install @{exec_path} {
 
   /boot/grub/grub.cfg rw,
 
-  owner @{PROC}/@{pid}/maps r,
   owner @{PROC}/@{pid}/mounts r,
 
   /dev/disk/by-id/ r,

apparmor.d/groups/kde/konsole

@@ -35,7 +35,6 @@ profile konsole @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{bin}/htop                 rPx,
   @{bin}/micro               rPUx,
   @{bin}/nvtop                rPx,
-  @{bin}/nvtop                rPx,
   @{bin}/vim                  rUx,
 
   /usr/share/color-schemes/{,**} r,

apparmor.d/groups/kde/startplasma

@@ -73,8 +73,7 @@ profile startplasma @{exec_path} {
 
   owner @{run}/user/@{uid}/ r,
 
-        @{PROC}/sys/kernel/random/boot_id r,
-  owner @{PROC}/@{pid}/maps r,
+  @{PROC}/sys/kernel/random/boot_id r,
 
   /dev/tty r,
   /dev/tty@{int} rw,

apparmor.d/groups/network/openvpn

@@ -59,7 +59,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
 
   @{run}/NetworkManager/nm-openvpn-@{uuid} rw,
   @{run}/openvpn/*.{pid,status} rw,
-  @{run}/systemd/journal/dev-log rw,
+  @{run}/systemd/journal/dev-log r,
 
   @{bin}/ip                                rix,
   @{bin}/systemd-ask-password              rPx,

apparmor.d/groups/pacman/aurpublish

@@ -57,8 +57,6 @@ profile aurpublish @{exec_path} {
 
   owner @{tmp}/tmp.@{rand10} rw,
 
-  owner @{PROC}/@{pid}/maps r,
-
   /dev/tty rw,
 
   profile gpg {

apparmor.d/groups/systemd/systemd-logind

@@ -97,7 +97,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/inhibit/ rw,
   @{run}/systemd/inhibit/.#* rw,
   @{run}/systemd/inhibit/@{int}{,.ref} rw,
-  @{run}/systemd/journal/socket rw,
   @{run}/systemd/notify rw,
   @{run}/systemd/seats/ rw,
   @{run}/systemd/seats/.#seat* rw,

apparmor.d/groups/systemd/systemd-oomd

@@ -24,10 +24,9 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
   /etc/systemd/oomd.conf r,
   /etc/systemd/oomd.conf.d/{,**} r,
 
-        @{run}/systemd/io.system.ManagedOOM rw,
-        @{run}/systemd/io.systemd.ManagedOOM rw,
-        @{run}/systemd/notify rw,
-  owner @{run}/systemd/journal/socket w,
+  @{run}/systemd/io.system.ManagedOOM rw,
+  @{run}/systemd/io.systemd.ManagedOOM rw,
+  @{run}/systemd/notify rw,
 
   @{sys}/fs/cgroup/cgroup.controllers r,
   @{sys}/fs/cgroup/memory.* r,

apparmor.d/groups/systemd/systemd-resolved

@@ -41,10 +41,9 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
   /etc/systemd/resolved.conf r,
   /etc/systemd/resolved.conf.d/{,*} r,
 
-        @{run}/systemd/netif/links/* r,
-        @{run}/systemd/notify rw,
-        @{run}/systemd/resolve/{,**} rw,
-  owner @{run}/systemd/journal/socket w,
+  @{run}/systemd/netif/links/* r,
+  @{run}/systemd/notify rw,
+  @{run}/systemd/resolve/{,**} rw,
 
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/pressure/* r,

apparmor.d/groups/systemd/systemd-sleep-grub2

@@ -19,8 +19,6 @@ profile systemd-sleep-grub @{exec_path} {
 
   /etc/sysconfig/bootloader r,
 
-  @{PROC}/@{pid}/maps r,
-
   /dev/tty rw,
 
   include if exists <local/systemd-sleep-grub>

apparmor.d/groups/systemd/systemd-timesyncd

@@ -38,7 +38,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/netif/state r,
         @{run}/systemd/notify rw,
         @{run}/systemd/timesyncd.conf.d/{,**} r,
-  owner @{run}/systemd/journal/socket w,
   owner @{run}/systemd/timesync/synchronized rw,
 
   @{PROC}/@{pid}/cgroup r,

apparmor.d/groups/virt/k3s

@@ -130,7 +130,6 @@ profile k3s @{exec_path} flags=(attach_disconnected) {
         @{PROC}/sys/net/ipv{4,6}/conf/default/* rw,
         @{PROC}/sys/net/bridge/bridge-nf-call-iptables r,
         @{PROC}/sys/net/netfilter/* rw,
-        @{PROC}/sys/vm/overcommit_memory rw,
         @{PROC}/sys/vm/panic_on_oom r,
 
   @{sys}/class/net/ r,

apparmor.d/profiles-a-f/auditd

@@ -27,7 +27,6 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
 
   /var/log/audit/{,**} rw,
 
-        @{run}/systemd/journal/dev-log w,
   owner @{run}/auditd.pid rwl,
   owner @{run}/auditd.state rw,
 

apparmor.d/profiles-a-f/boltd

@@ -26,7 +26,6 @@ profile boltd @{exec_path} flags=(attach_disconnected) {
   owner @{run}/boltd/{,**} rw,
 
   @{run}/systemd/notify rw,
-  @{run}/systemd/journal/socket w,
   @{run}/udev/data/+thunderbolt:* r,
 
   @{sys}/bus/ r,

apparmor.d/profiles-a-f/cups-browsed

@@ -39,7 +39,6 @@ profile cups-browsed @{exec_path} {
   @{exec_path} mr,
 
   /usr/share/cups/locale/{,**} r,
-  /usr/share/locale/{,**} r,
 
   /etc/cups/{,**} r,
 

apparmor.d/profiles-s-z/spice-vdagentd

@@ -16,7 +16,6 @@ profile spice-vdagentd @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-        @{run}/systemd/journal/dev-log w,
         @{run}/systemd/seats/seat@{int} r,
         @{run}/systemd/sessions/* r,
         @{run}/systemd/users/@{uid} r,