feat(profiles): general update.

apparmor.d/abstractions/chromium

@@ -185,7 +185,7 @@
   @{sys}/devices/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/{in_intensity_sampling_frequency,in_intensity_scale,in_illuminance_raw} r,
   @{sys}/devices/pci[0-9]*/**/boot_vga r,
-  @{sys}/devices/pci[0-9]*/**/irq r,
+  @{sys}/devices/pci[0-9]*/**/{resource,irq} r,
   @{sys}/devices/pci[0-9]*/**/report_descriptor r,
   @{sys}/devices/system/cpu/cpufreq/policy[0-9]*/cpuinfo_max_freq r,
   @{sys}/devices/system/cpu/kernel_max r,

apparmor.d/groups/apt/dpkg-genchanges

@@ -18,6 +18,9 @@ profile dpkg-genchanges @{exec_path} flags=(complain) {
 
   /usr/share/dpkg/cputable r,
   /usr/share/dpkg/tupletable r,
+  /usr/share/lto-disabled-list/lto-disabled-list r,
+
+  /etc/dpkg/origins/* r,
 
   # For package building
   owner @{user_build_dirs}/** rw,

apparmor.d/groups/children/child-dpkg

@@ -2,10 +2,6 @@
 # Copyright (C) 2019-2021 Mikhail Morfikov
 # SPDX-License-Identifier: GPL-2.0-only
 
-# Note: This profile does not specify an attachment path because it is
-# intended to be used only via "Px -> child-dpkg" exec transitions
-# from other profiles. 
-
 # Note: This profile does not specify an attachment path because it is
 # intended to be used only via "Px -> child-dpkg" exec transitions from
 # other profiles. We want to confine the dpkg(1) utility when it

apparmor.d/groups/children/child-open

@@ -56,9 +56,9 @@ profile child-open {
   /usr/share/code/{bin/,}code   rPx,
 
   # Others
+  /{usr/,}bin/*Foliate         rPUx,
   /{usr/,}bin/discord{,-ptb}    rPx,
   /{usr/,}bin/draw.io          rPUx,
-  /{usr/,}bin/*Foliate         rPUx,
   /{usr/,}bin/dropbox           rPx,
   /{usr/,}bin/engrampa          rPx,
   /{usr/,}bin/eog              rPUx,
@@ -68,6 +68,7 @@ profile child-open {
   /{usr/,}bin/geany             rPx,
   /{usr/,}bin/gnome-calculator rPUx,
   /{usr/,}bin/gnome-disk-image-mounter rPx,
+  /{usr/,}bin/gnome-disks       rPx,
   /{usr/,}bin/kgx              rPUx,
   /{usr/,}bin/okular            rPx,
   /{usr/,}bin/qbittorrent       rPx,

apparmor.d/groups/freedesktop/geoclue

@@ -70,6 +70,8 @@ profile geoclue @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /usr/share/glib-2.0/schemas/gschemas.compiled r,
+
   /etc/geoclue/{,**} r,
 
   @{run}/systemd/journal/socket rw,

apparmor.d/groups/freedesktop/xdg-user-dir

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /{usr/,}bin/xdg-user-dir
+profile xdg-user-dir @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /{usr/,}bin/{,ba,da}sh             rix,
+  /{usr/,}bin/env                    rix,
+
+  owner @{user_config_dirs}/user-dirs.dirs r,
+
+  include if exists <local/xdg-user-dir>
+}

apparmor.d/profiles-s-z/steam

@@ -18,9 +18,10 @@ profile steam @{exec_path} {
   include <abstractions/dri-enumerate>
   include <abstractions/fonts>
   include <abstractions/freedesktop.org>
+  include <abstractions/gtk>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
-  include <abstractions/opencl-nvidia>
+  include <abstractions/opencl>
   include <abstractions/ssl_certs>
   include <abstractions/vulkan>
 
@@ -42,40 +43,44 @@ profile steam @{exec_path} {
   @{exec_path} mrix,
 
   /{usr/,}bin/{,ba,da}sh             rix,
+  /{usr/,}bin/{m,g,}awk              rix,
   /{usr/,}bin/*sum                   rix,
   /{usr/,}bin/basename               rix,
   /{usr/,}bin/cat                    rix,
   /{usr/,}bin/cmp                    rix,
   /{usr/,}bin/cp                     rix,
-  /{usr/,}bin/timeout                rix,
   /{usr/,}bin/cut                    rix,
   /{usr/,}bin/dirname                rix,
-  /{usr/,}bin/{m,g,}awk              rix,
+  /{usr/,}bin/file                   rix,
+  /{usr/,}bin/find                   rix,
   /{usr/,}bin/getopt                 rix,
   /{usr/,}bin/grep                   rix,
   /{usr/,}bin/head                   rix,
   /{usr/,}bin/ldconfig               rix,
   /{usr/,}bin/ldd                    rix,
   /{usr/,}bin/ln                     rix,
+  /{usr/,}bin/lsb_release            rPx -> lsb_release,
   /{usr/,}bin/lspci                  rPx,
   /{usr/,}bin/mkdir                  rix,
   /{usr/,}bin/mv                     rix,
   /{usr/,}bin/readlink               rix,
   /{usr/,}bin/realpath               rix,
   /{usr/,}bin/rm                     rix,
+  /{usr/,}bin/rmdir                  rix,
   /{usr/,}bin/sed                    rix,
   /{usr/,}bin/steam-runtime-urlopen  rix,
   /{usr/,}bin/tail                   rix,
   /{usr/,}bin/tar                    rix,
+  /{usr/,}bin/timeout                rix,
   /{usr/,}bin/touch                  rix,
   /{usr/,}bin/tr                     rix,
   /{usr/,}bin/uname                  rix,
   /{usr/,}bin/which                  rix,
   /{usr/,}bin/xdg-icon-resource      rPx,
+  /{usr/,}bin/xdg-user-dir           rPx,
   /{usr/,}bin/xz                     rix,
   /{usr/,}bin/zenity                 rix,
   /{usr/,}lib{32,64}/ld-linux.so*    rix,
-  /{usr/,}bin/lsb_release            rPx -> lsb_release,
 
   @{user_share_dirs}/Steam/config/widevine/linux-x64/libwidevinecdm.so mr,
   @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier/*entry-point rpx,
@@ -87,9 +92,9 @@ profile steam @{exec_path} {
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper rpx,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam rix,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime-heavy.sh rix,
-  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{setup,run}.sh  rix,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{amd64,i386}/usr/bin/* rix,
-  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/**.so*  mr,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime{,-heavy}/{setup,run}.sh  rix,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/**  mr,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper rix,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steamwebhelper.sh rix,
 
@@ -126,6 +131,7 @@ profile steam @{exec_path} {
 
   owner @{user_config_dirs}/ r,
   owner @{user_config_dirs}/autostart/ r,
+  owner @{user_config_dirs}/cef_user_data/{,**} r,
   owner @{user_config_dirs}/unity3d/{,**} rwk,
 
   owner @{user_share_dirs}/ r,
@@ -176,6 +182,7 @@ profile steam @{exec_path} {
   @{sys}/devices/**/input/input[0-9]*/ r,
   @{sys}/devices/**/uevent r,
   @{sys}/devices/pci[0-9]*/**/class r,
+  @{sys}/devices/pci[0-9]*/**/i2c-[0-9]*/report_descriptor r,
   @{sys}/devices/pci[0-9]*/**/sound/card[0-9]*/** r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]*/{manufacturer,product,bcdDevice,bInterfaceNumber} r,
   @{sys}/devices/system/cpu/** r,

apparmor.d/profiles-s-z/steam-fossilize

@@ -12,7 +12,7 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/mesa>
-  include <abstractions/opencl-nvidia>
+  include <abstractions/opencl>
   include <abstractions/vulkan>
 
   @{exec_path} mr,
@@ -26,11 +26,8 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
   owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/ rw,
   owner @{user_share_dirs}/Steam/steamapps/shadercache/[0-9]*/nvidiav[0-9]*/GLCache/** rwk,
 
-
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
 
-  owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
-
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node[0-9]*/cpumap r,
 
@@ -38,6 +35,8 @@ profile steam-fossilize @{exec_path} flags=(attach_disconnected) {
         @{PROC}/pressure/io r,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
+  owner /dev/shm/fossilize-*-[0-9]*-[0-9]* rw,
+
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
   include if exists <local/steam-fossilize>

apparmor.d/profiles-s-z/steam-game

@@ -18,7 +18,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{steamruntime}=@{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier
+@{runtime} = @{user_share_dirs}/Steam/steamapps/common/SteamLinuxRuntime_soldier
 @{exec_path} = @{user_share_dirs}/Steam/steamapps/common/*/**
 profile steam-game @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
@@ -84,13 +84,13 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   /{usr/,}lib/pressure-vessel/from-host/libexec/steam-runtime-tools-*/*-detect-platform rix,
   /{usr/,}libexec/steam-runtime-tools*/* mrix,
 
-  @{steamruntime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
+  @{runtime}/pressure-vessel/bin/pressure-vessel-unruntime rix,
-  @{steamruntime}/pressure-vessel/bin/pressure-vessel-wrap rix,
+  @{runtime}/pressure-vessel/bin/pressure-vessel-wrap rix,
-  @{steamruntime}/pressure-vessel/bin/pv-bwrap rix,
+  @{runtime}/pressure-vessel/bin/pv-bwrap rix,
-  @{steamruntime}/pressure-vessel/bin/steam-runtime-launcher-interface-* rix,
+  @{runtime}/pressure-vessel/bin/steam-runtime-launcher-interface-* rix,
-  @{steamruntime}/pressure-vessel/lib{,exec}/ r,
+  @{runtime}/pressure-vessel/lib{,exec}/ r,
-  @{steamruntime}/pressure-vessel/lib{,exec}/** mrix,
+  @{runtime}/pressure-vessel/lib{,exec}/** mrix,
-  @{steamruntime}/run rix,
+  @{runtime}/run rix,
 
   @{user_share_dirs}/Steam/bin/ r,
   @{user_share_dirs}/Steam/bin/* mr,
@@ -108,6 +108,7 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
   @{user_share_dirs}/Steam/steamapps/compatdata/[0-9]*/pfx/**.dll rm,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/{,**} r,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/**.so*  mr,
+  @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/reaper rix,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-launch-wrapper rm,
   @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/steam-runtime/{usr/,}lib{exec,}/** mrix,
 
@@ -235,8 +236,9 @@ profile steam-game @{exec_path} flags=(attach_disconnected) {
 
   /dev/hidraw[0-9]* rw,
   /dev/input/ r,
-  /dev/uinput rw,
+  /dev/input/* rw,
   /dev/tty rw,
+  /dev/uinput rw,
 
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 

apparmor.d/profiles-s-z/steam-gameoverlayui

@@ -39,6 +39,8 @@ profile steam-gameoverlayui @{exec_path} {
   owner @{user_share_dirs}/Steam/ubuntu[0-9]*_{32,64}/fontconfig/{,**} rwl,
   owner @{user_share_dirs}/Steam/userdata/[0-9]*/{,**} rk,
 
+  owner /var/cache/fontconfig/ rw,
+
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,