feat(profile): general update.

apparmor.d/groups/bus/dbus-accessibility

@@ -48,6 +48,8 @@ profile dbus-accessibility @{exec_path} flags=(attach_disconnected) {
   owner @{DESKTOP_HOME}/greeter-dconf-defaults r,
   owner @{desktop_config_dirs}/dconf/user r,
 
+  owner @{HOME}/.Xauthority r,
+
         @{run}/systemd/users/@{uid} r,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
 

apparmor.d/groups/display-manager/lightdm

@@ -32,6 +32,7 @@ profile lightdm @{exec_path} flags=(attach_disconnected) {
   network netlink raw,
 
   signal (send) set=(term) peer=lightdm-*-greeter,
+  signal (send) set=(term) peer=xorg,
   signal (receive) set=(usr1) peer=xorg,
 
   @{exec_path} mrix,

apparmor.d/groups/freedesktop/fc-cache

@@ -11,7 +11,6 @@ include <tunables/global>
 profile fc-cache @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
-  include <abstractions/fontconfig-cache-write>
   include <abstractions/fonts>
 
   capability dac_read_search,

apparmor.d/groups/freedesktop/plymouthd

@@ -18,6 +18,7 @@ profile plymouthd @{exec_path} {
   capability sys_admin,
   capability sys_chroot,
   capability sys_tty_config,
+  capability syslog,
 
   network netlink raw,
 
@@ -63,6 +64,7 @@ profile plymouthd @{exec_path} {
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/stat r,
 
+  /dev/kmsg rw,
   /dev/ptmx rw,
   /dev/tty@{int} rw,
   /dev/ttyS@{int} rw,

apparmor.d/groups/freedesktop/xdg-desktop-portal-rewrite-launchers

@@ -9,8 +9,8 @@ include <tunables/global>
 @{exec_path} = @{lib}/xdg-desktop-portal-rewrite-launchers
 profile xdg-desktop-portal-rewrite-launchers @{exec_path} {
   include <abstractions/base>
-  include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/bus-session>
+  include <abstractions/bus/org.gtk.vfs.MountTracker>
 
   @{exec_path} mr,
 

apparmor.d/groups/freedesktop/xdg-email

@@ -13,7 +13,7 @@ profile xdg-email @{exec_path} flags=(complain) {
 
   @{exec_path}  r,
 
-  @{sh_path}         rix,
+  @{sh_path}          rix,
   @{bin}/{,e}grep     rix,
   @{bin}/{m,g,}awk    rix,
   @{bin}/basename     rix,

apparmor.d/groups/freedesktop/xorg

@@ -20,9 +20,11 @@ profile xorg @{exec_path} flags=(attach_disconnected) {
   include <abstractions/graphics-full>
   include <abstractions/nameservice-strict>
 
+  capability chown,
   capability dac_override,
   capability dac_read_search,
   capability ipc_owner,
+  capability mknod,
   capability net_admin,
   capability perfmon,
   capability setgid,

apparmor.d/groups/gnome/gdm-session

@@ -55,8 +55,7 @@ profile gdm-session @{exec_path} {
   owner @{gdm_config_dirs}/dconf/user r,
   owner @{GDM_HOME}/greeter-dconf-defaults r,
 
-  owner @{run}/gdm{3,}/custom.conf r,
-
+        @{run}/gdm{3,}/custom.conf r,
   owner @{run}/user/@{uid}/gdm/ w,
   owner @{run}/user/@{uid}/gdm/Xauthority rw,  # only: xorg
 

apparmor.d/groups/gnome/gnome-calendar

@@ -39,6 +39,8 @@ profile gnome-calendar @{exec_path} {
 
   @{exec_path} mr,
 
+  @{open_path}  rPx -> child-open-help,
+
   /usr/share/evolution-data-server/{,**} r,
   /usr/share/libgweather/Locations.xml r,
 

apparmor.d/groups/gnome/gnome-characters

@@ -27,6 +27,8 @@ profile gnome-characters @{exec_path} {
 
   @{bin}/gjs-console rix,
 
+  @{open_path} rPx -> child-open-help,
+
   /usr/share/icu/@{int}.@{int}/*.dat r,
   /usr/share/org.gnome.Characters/org.gnome.Characters.*.gresource r,
   /usr/share/nvidia/nvidia-application-profiles-*-rc r,

apparmor.d/groups/gnome/gnome-contacts

@@ -29,6 +29,8 @@ profile gnome-contacts @{exec_path} {
 
   @{exec_path} mr,
 
+  @{open_path}  rPx -> child-open-help,
+
   owner @{user_cache_dirs}/evolution/addressbook/{,**} r,
   owner @{user_config_dirs}/gnome-contacts/{,**} rw,
   owner @{user_share_dirs}/folks/relationships.ini r,

apparmor.d/groups/gnome/gnome-control-center-goa-helper

@@ -41,7 +41,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
 
   @{bin}/bwrap  rPUx,
 
-  @{lib}/{,@{multiarch}/}webkit{,2}gtk-*/WebKitNetworkProcess rix,
+  @{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
 
   /usr/share/cracklib/* r,
   /usr/share/publicsuffix/public_suffix_list.dafsa r,

apparmor.d/groups/gnome/gnome-disks

@@ -19,7 +19,7 @@ profile gnome-disks @{exec_path} {
 
   @{exec_path} mr,
 
-  @{open_path}  rPx -> child-open,
+  @{open_path}  rPx -> child-open-help,
 
   owner @{user_cache_dirs}/gnome-disks/{,**} rw,
 

apparmor.d/groups/gnome/gnome-extension-gsconnect

@@ -44,7 +44,7 @@ profile gnome-extension-gsconnect @{exec_path} {
   @{lib}/gio/modules/*.so* rm,
   @{lib}/girepository-1.0/* r,
 
-  @{open_path}         rPx -> child-open,
+  @{open_path}  rPx -> child-open-help,
 
   @{share_dirs}/{,**} r,
   @{share_dirs}/gsconnect-preferences rix,

apparmor.d/groups/gnome/gnome-extension-manager

@@ -26,7 +26,7 @@ profile gnome-extension-manager @{exec_path} {
 
   @{bin}/gjs-console rix,
 
-  @{open_path}         rPx -> child-open,
+  @{open_path}  rPx -> child-open-help,
 
   /usr/share/gnome-shell/org.gnome.Shell.Extensions r,
 

apparmor.d/groups/gnome/gnome-extensions-app

@@ -19,7 +19,7 @@ profile gnome-extensions-app @{exec_path} {
   @{sh_path}         rix,
   @{bin}/gjs-console rix,
 
-  @{open_path}         rPx -> child-open,
+  @{open_path}  rPx -> child-open-help,
 
   /usr/share/gnome-shell/org.gnome.Extensions* r,
   /usr/share/icu/@{int}.@{int}/*.dat r,

apparmor.d/groups/gnome/gnome-music

@@ -31,6 +31,8 @@ profile gnome-music @{exec_path} flags=(attach_disconnected) {
   @{bin}/python3.@{int} rix,
   @{lib}/python3.@{int}/site-packages/gnomemusic/__pycache__/{,**} rw,
 
+  @{open_path}  rPx -> child-open-help,
+
   /usr/share/grilo-plugins/grl-lua-factory/{,*} r,
   /usr/share/org.gnome.Music/{,**} r,
   /usr/share/tracker3/{,**} r,

apparmor.d/groups/gnome/gnome-recipes

@@ -25,6 +25,8 @@ profile gnome-recipes @{exec_path} {
 
   @{bin}/tar rix,
 
+  @{open_path}  rPx -> child-open-help,
+
   /usr/share/gnome-recipes/{,**} r,
 
   owner @{user_cache_dirs}/gnome-recipes/{,**} rw,

apparmor.d/groups/gnome/gnome-session-binary

@@ -83,8 +83,6 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   owner @{GDM_HOME}/greeter-dconf-defaults r,
   owner @{gdm_share_dirs}/applications/{,**} r,
 
-  owner /tmp/dirs-@{rand6} rw,
-
   owner @{user_config_dirs}/autostart/{,*.desktop} r,
   owner @{user_config_dirs}/gnome-session/ rw,
   owner @{user_config_dirs}/gnome-session/saved-session/ rw,
@@ -122,6 +120,7 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
     @{bin}/blueman-applet                                  rPx,
     @{bin}/firewall-applet                                 rPx,
     @{bin}/gnome-keyring-daemon                            rPx,
+    @{bin}/gnome-shell                                     rPx,
     @{bin}/gnome-software                                  rPx,
     @{bin}/im-launch                                       rPx,
     @{bin}/keepassxc                                       rPx,
@@ -153,6 +152,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
     @{lib}/kdeconnectd rPUx,
     @{lib}/@{multiarch}/{,libexec/}kdeconnectd rPUx,
 
+    /dev/tty@{int} rw,
+
     include if exists <usr/gnome-session-binary_open.d>
     include if exists <local/gnome-session-binary_open>
   }

apparmor.d/groups/gnome/gnome-tweaks

@@ -21,6 +21,8 @@ profile gnome-tweaks @{exec_path} {
   @{bin}/ps rPx,
   @{bin}/python3.@{int} rix,
 
+  @{open_path}  rPx -> child-open-help,
+
   @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
 
   /usr/share/gnome-tweaks/{,**} r,

apparmor.d/groups/gnome/kgx

@@ -30,7 +30,7 @@ profile kgx @{exec_path} {
   @{bin}/nvtop                rPx,
   @{bin}/vim                  rUx,
 
-  @{open_path}                rPx -> child-open,
+  @{open_path}                rPx -> child-open-help,
 
   owner /tmp/#@{int} rw,
 

apparmor.d/groups/gnome/loupe

@@ -22,6 +22,7 @@ profile loupe @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{bin}/bwrap rCx -> bwrap,
+  @{open_path} rPx -> child-open-help,
 
   /usr/share/glycin-loaders/{,**} r,
 

apparmor.d/groups/gnome/seahorse

@@ -32,6 +32,8 @@ profile seahorse @{exec_path} {
   @{bin}/gpg{,2}  rPx,
   @{bin}/gpgsm    rPx,
 
+  @{open_path}    rPx -> child-open-help,
+
   /etc/pki/trust/blocklist/ r,
   /etc/gcrypt/hwf.deny r,
 

apparmor.d/groups/pacman/mkinitcpio

@@ -10,6 +10,7 @@ include <tunables/global>
 profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/fonts>
   include <abstractions/nameservice-strict>
 
   capability dac_read_search,

apparmor.d/groups/systemd/systemd-journald

@@ -65,6 +65,7 @@ profile systemd-journald @{exec_path} {
   @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
   @{run}/udev/data/c108:@{int} r,         # For /dev/ppp
   @{run}/udev/data/c18[8-9]:@{int} r,     # USB devices & USB serial converters
+  @{run}/udev/data/c203:@{int} r,         # CPU CPUID information
   @{run}/udev/data/c29:@{int} r,          # For CD-ROM
   @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
 

apparmor.d/groups/systemd/systemd-logind

@@ -75,8 +75,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/+backlight:* r,
   @{run}/udev/data/+drivers:* r,
   @{run}/udev/data/+drm:card@{int}-* r,   # For screen outputs
+  @{run}/udev/data/+hid:* r,
+  @{run}/udev/data/+i2c:* r,
   @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
   @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+  @{run}/udev/data/c1:@{int}    r,        # For RAM disk
   @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
   @{run}/udev/data/c13:@{int} r,          # For /dev/input/*
   @{run}/udev/data/c14:@{int} r,          # Open Sound System (OSS)
@@ -104,6 +107,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   @{run}/systemd/users/.#* rw,
   @{run}/systemd/users/@{uid} rw,
 
+  @{sys}/bus/serial-base/drivers/port/uevent r,
   @{sys}/class/drm/ r,
   @{sys}/class/power_supply/ r,
   @{sys}/devices/** r,

apparmor.d/groups/xfce/mousepad

@@ -16,6 +16,8 @@ profile mousepad @{exec_path} {
 
   @{exec_path} mr,
 
+  @{open_path}  rPx -> child-open-help,
+
   owner @{user_config_dirs}/Mousepad/ rw,
   owner @{user_config_dirs}/Mousepad/{,**} rw,
 

apparmor.d/groups/xfce/thunar

@@ -22,6 +22,9 @@ profile thunar @{exec_path} {
   @{bin}/thunar-volman rPx,
   @{open_path} rPx -> child-open,
 
+  /usr/share/ r,
+  /usr/share/Thunar/{,**} r,
+
   /etc/fstab r,
   /etc/timezone r,
 

apparmor.d/groups/xfce/xfce-about

@@ -10,11 +10,12 @@ include <tunables/global>
 profile xfce-about @{exec_path} {
   include <abstractions/base>
   include <abstractions/graphics>
+  include <abstractions/nameservice-strict>
   include <abstractions/xfce>
 
   @{exec_path} mr,
 
-  @{open_path} rPx -> child-open-browsers,
+  @{open_path} rPx -> child-open-help,
 
   include if exists <local/xfce-about>
 }

apparmor.d/groups/xfce/xfce-clipman-settings

@@ -13,6 +13,8 @@ profile xfce-clipman-settings @{exec_path} {
 
   @{exec_path} mr,
 
+  @{open_path} rPx -> child-open-help,
+
   /etc/xdg/xfce4/panel/xfce4-clipman-actions.xml r,
 
   owner @{user_config_dirs}/xfce4/panel/xfce4-clipman-actions.xml rw,

apparmor.d/groups/xfce/xfce-terminal

@@ -16,6 +16,8 @@ profile xfce-terminal @{exec_path} {
 
   @{exec_path} mr,
 
+  @{open_path} rPx -> child-open-help,
+
   # The shell is not confined on purpose.
   @{bin}/@{shells}            rUx,
 

apparmor.d/groups/xfce/xfdesktop

@@ -11,6 +11,7 @@ profile xfdesktop @{exec_path} {
   include <abstractions/base>
   include <abstractions/app-launcher-user>
   include <abstractions/nameservice-strict>
+  include <abstractions/thumbnails-cache-read>
   include <abstractions/xfce>
 
   @{exec_path} mr,

apparmor.d/profiles-s-z/steam

@@ -6,7 +6,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{lib_dirs} = @{user_share_dirs}/Steam/ubuntu@{int}_{32,64}
+@{lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9][0-9]_{32,64}
+
 @{exec_path} = @{user_share_dirs}/Steam/steam.sh
 profile steam @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
   include <abstractions/base>

apparmor.d/profiles-s-z/steam-game

@@ -20,6 +20,7 @@ include <tunables/global>
 
 @{runtime} = @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier
 @{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
+
 @{exec_path} = @{user_share_dirs}/Steam/steamapps/common/*/**
 profile steam-game @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>

apparmor.d/profiles-s-z/steam-gameoverlayui

@@ -6,7 +6,8 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}
+@{steam_lib_dirs} = @{user_share_dirs}/Steam/ubuntu[0-9][0-9]_{32,64}
+
 @{exec_path} = @{steam_lib_dirs}/gameoverlayui
 profile steam-gameoverlayui @{exec_path} {
   include <abstractions/base>
@@ -22,7 +23,7 @@ profile steam-gameoverlayui @{exec_path} {
   @{exec_path} mr,
 
   @{steam_lib_dirs}/*.so*  mr,
-  @{steam_lib_dirs}/steam-runtime/{usr/,}lib/**.so*  mr,
+  @{steam_lib_dirs}/steam-runtime/@{lib}/**.so*  mr,
 
   /usr/share/fonts/{,**}  rk,  # ?
 

apparmor.d/profiles-s-z/wireplumber

@@ -47,6 +47,7 @@ profile wireplumber @{exec_path} {
   owner @{HOME}/.local/ w,
   owner @{user_state_dirs}/ w,
   owner @{user_state_dirs}/wireplumber/{,**} rw,
+  owner @{user_config_dirs}/wireplumber/{,**} r,
 
   owner @{run}/user/@{uid}/pipewire-@{int} rw,