feat(profile): general update.

apparmor.d/abstractions/freedesktop.org.d/complete

@@ -13,8 +13,6 @@
   @{system_share_dirs}/ r,
   @{system_share_dirs}/mime/ r,
 
-  /usr/share/mime/ r,
-
   /etc/gnome/defaults.list r,
   /etc/xfce4/defaults.list r,  
 

apparmor.d/groups/grub/grub-mkconfig

@@ -32,6 +32,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   @{bin}/find                 rix,
   @{bin}/findmnt              rPx,
   @{bin}/gettext              rix,
+  @{bin}/grub-editenv         rPx,
   @{bin}/grub-mkrelpath       rPx,
   @{bin}/grub-probe           rPx,
   @{bin}/grub-script-check    rPx,
@@ -60,6 +61,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   @{bin}/zpool                rPx,
   /etc/grub.d/{,**}           rix,
 
+  @{lib}/grub-customizer/*      rix,
   @{lib}/grub/grub-sort-version rPx,
   @{lib}/libostree/grub[0-9]-@{int}_ostree rix,
 
@@ -81,7 +83,7 @@ profile grub-mkconfig @{exec_path} flags=(attach_disconnected) {
   /boot/{,**} r,
   /boot/grub/{,**} rw,
 
-  # owner /tmp/** rw,
+  /tmp/grub-*.@{rand10}/{,**} rw,
 
   @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
 

apparmor.d/groups/grub/grub-probe

@@ -13,6 +13,7 @@ profile grub-probe @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/disks-read>
 
+  capability dac_read_search,
   capability sys_admin,
 
   @{exec_path} mr,
@@ -36,6 +37,7 @@ profile grub-probe @{exec_path} {
   /dev/bus/ r,
   /dev/bus/usb/ r,
   /dev/bus/usb/@{int}/ r,
+  /dev/char/ r,
   /dev/cpu/ r,
   /dev/cpu/@{int}/ r,
   /dev/dma_heap/ r,

apparmor.d/groups/systemd/systemd-logind

@@ -79,7 +79,9 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/+hid:* r,
   @{run}/udev/data/+i2c:* r,
   @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
+  @{run}/udev/data/+leds:* r,
   @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
+  @{run}/udev/data/+wakeup:* r,
   @{run}/udev/data/c1:@{int}    r,        # For RAM disk
   @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
   @{run}/udev/data/c13:@{int} r,          # For /dev/input/*

apparmor.d/profiles-a-f/firewalld

@@ -9,12 +9,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/firewalld
 profile firewalld @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/app/kmod>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
-  include <abstractions/bus/org.freedesktop.PolicyKit1>
   include <abstractions/bus/org.freedesktop.NetworkManager>
+  include <abstractions/bus/org.freedesktop.PolicyKit1>
   include <abstractions/nameservice-strict>
-  include <abstractions/app/kmod>
 
   capability dac_read_search,
   capability mknod,
@@ -27,21 +27,6 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
   network inet6 raw,
   network netlink raw,
 
-  dbus receive bus=system path=/org/fedoraproject/FirewallD1
-       interface=org.fedoraproject.FirewallD1.direct
-       member=passthrough
-       peer=(name=:*, label=libvirtd),
-
-  dbus receive bus=system path=/org/fedoraproject/FirewallD1
-       interface=org.fedoraproject.FirewallD1.zone
-       member={changeZoneOfInterface,getZones}
-       peer=(name=:*, label=libvirtd),
-
-  dbus receive bus=system path=/org/fedoraproject/FirewallD1
-       interface=org.fedoraproject.FirewallD1.zone
-       member={changeZoneOfInterface,removeInterface}
-       peer=(name=:*, label=libvirtd),
-
   #aa:dbus own bus=system name=org.fedoraproject.FirewallD1
 
   @{exec_path} mr,
@@ -53,7 +38,7 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
   @{bin}/false                    rix,
   @{bin}/ipset                    rix,
   @{bin}/kmod                     rix,
-  @{bin}/modprobe                 rPx,
+  @{bin}/modprobe                 rix,
   @{bin}/xtables-legacy-multi     rix,
   @{bin}/xtables-nft-multi        rix,
 
@@ -76,11 +61,9 @@ profile firewalld @{exec_path} flags=(attach_disconnected) {
   @{run}/xtables.lock rwk,
 
   @{sys}/module/compression r,
-  @{sys}/module/crc32c_{generic,intel}/initstate r,
+  @{sys}/module/crc32c_*/initstate r,
   @{sys}/module/libcrc32c/initstate r,
-  @{sys}/module/nf_conntrack{,_tftp}/initstate r,
-  @{sys}/module/nf_defrag_ipv{4,6}/initstate r,
-  @{sys}/module/nf_nat/initstate r,
+  @{sys}/module/nf_*/initstate r,
 
         @{PROC}/sys/kernel/modprobe r,
         @{PROC}/sys/net/ipv{4,6}/ip_forward rw,

apparmor.d/profiles-g-l/ifup

@@ -106,10 +106,8 @@ profile ifup @{exec_path} {
   profile sysctl {
     include <abstractions/base>
 
-#    capability mac_admin,
-   capability net_admin,
-   capability sys_admin,
-#    capability sys_resource,
+    capability net_admin,
+    capability sys_admin,
 
     @{bin}/sysctl mr,
 

apparmor.d/profiles-m-r/os-prober

@@ -10,6 +10,7 @@ include <tunables/global>
 profile os-prober @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/disks-read>
 
   capability dac_read_search,
   capability sys_admin,
@@ -59,11 +60,12 @@ profile os-prober @{exec_path} flags=(attach_disconnected) {
   / r,
   /boot/{efi/,} r,
   /boot/{efi/,}EFI/ r,
-  /boot/{efi/,}EFI/*/ r,
+  /boot/{efi/,}EFI/**/ r,
 
   owner @{tmp}/os-prober.*/{,**} rw,
 
-  @{sys}/block/ r,
+  @{run}/mount/utab r,
+
   @{sys}/devices/@{pci}/block/*/ r,
   @{sys}/devices/virtual/block/*/ r,
 

apparmor.d/profiles-s-z/wsdd

@@ -10,9 +10,12 @@ include <tunables/global>
 profile wsdd @{exec_path} {
   include <abstractions/base>
   include <abstractions/python>
+  include <abstractions/ssl_certs>
 
   network inet dgram,
+  network inet stream,
   network inet6 dgram,
+  network inet6 stream,
   network netlink raw,
 
   @{exec_path} mr,