feat(profile): general update.

apparmor.d/groups/gnome/nautilus

@@ -80,9 +80,12 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   @{MOUNTDIRS}/ r,
   @{MOUNTS}/ r,
   @{MOUNTS}/** rw,
-  owner @{HOME}/{,**} rw,
-  owner @{run}/user/@{uid}/{,**} rw,
-  owner @{tmp}/{,**} rw,
+  owner @{HOME}/ r,
+  owner @{HOME}/** rw,
+  owner @{run}/user/@{uid}/ r,
+  owner @{run}/user/@{uid}/** rw,
+  owner @{tmp}/ r,
+  owner @{tmp}/** rw,
 
   # Silence non user's data
   deny /boot/{,**} r,

apparmor.d/groups/gpg/gpg-connect-agent

@@ -18,8 +18,6 @@ profile gpg-connect-agent @{exec_path} {
 
   /etc/inputrc r,
 
-  owner @{PROC}/@{pid}/fd/ r,
-
   owner @{run}/user/@{uid}/gnupg/ w,
   owner @{run}/user/@{uid}/gnupg/d.*/ rw,
 
@@ -27,6 +25,8 @@ profile gpg-connect-agent @{exec_path} {
   owner @{tmp}/tmp.*/.#lk0x@{hex}.*.@{pid}x rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
   owner @{tmp}/tmp.*/gnupg_spawn_agent_sentinel.lock rwl -> /tmp/*/.#lk0x@{hex}.*.@{pid},
 
+  owner @{PROC}/@{pid}/fd/ r,
+
   include if exists <local/gpg-connect-agent>
 }
 

apparmor.d/groups/gvfs/gvfsd-fuse

@@ -14,6 +14,8 @@ profile gvfsd-fuse @{exec_path} {
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/nameservice-strict>
 
+  capability sys_admin,
+
   mount fstype={fuse,fuse.*} -> @{run}/user/@{uid}/gvfs/,
 
   unix (send,receive) type=stream addr=none peer=(label=gvfsd-fuse//fusermount),

apparmor.d/groups/pacman/pacman-hook-mkinitcpio

@@ -37,9 +37,10 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   / r,
   /boot/ r,
-  /boot/vmlinuz-* rw,
-  /boot/initramfs-*.img rw,
+  /boot/efi/boot/boot*.efi rw,
   /boot/initramfs-*-fallback.img rw,
+  /boot/initramfs-*.img rw,
+  /boot/vmlinuz-* rw,
 
   /dev/tty rw,
   owner /dev/pts/@{int} rw,

apparmor.d/groups/ubuntu/apport-gtk

@@ -79,12 +79,12 @@ profile apport-gtk @{exec_path} {
         /var/crash/ rw,
   owner /var/crash/*.@{uid}.{crash,upload} rw,
 
-   @{run}/snapd.socket rw,
+  @{run}/snapd.socket rw,
 
-  /tmp/[a-z0-9]* rw,
-  /tmp/apport_core_* rw,
-  /tmp/launchpadlib.cache.[a-z0-9]*/ rw,
-  /tmp/tmp[a-z0-9]*/{,**} rw,
+  owner @{tmp}/@{rand8} rw,
+  owner @{tmp}/apport_core_@{rand8} rw,
+  owner @{tmp}/launchpadlib.cache.@{rand8}/ rw,
+  owner @{tmp}/tmp@{rand8}/{,**} rw,
 
         @{PROC}/ r,
         @{PROC}/@{pids}/cmdline r,

apparmor.d/profiles-a-f/dkms

@@ -27,6 +27,7 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
   @{sh_path}        rix,
   @{coreutils_path} rix,
   @{bin}/as         rix,
+  @{bin}/bc         rix,
   @{bin}/gcc        rix,
   @{bin}/getconf    rix,
   @{bin}/kmod       rCx -> kmod,

apparmor.d/profiles-a-f/element-desktop

@@ -12,7 +12,7 @@ include <tunables/global>
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 
 @{exec_path} = @{bin}/element-desktop
-profile element-desktop @{exec_path} {
+profile element-desktop @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
   include <abstractions/bus-session>

apparmor.d/profiles-a-f/freetube

@@ -13,7 +13,7 @@ include <tunables/global>
 @{cache_dirs} = @{user_cache_dirs}/@{name}
 
 @{exec_path} = @{bin}/@{name} @{lib_dirs}/@{name}
-profile freetube @{exec_path} {
+profile freetube @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
   include <abstractions/bus-session>

apparmor.d/profiles-g-l/kernel-install

@@ -25,6 +25,7 @@ profile kernel-install @{exec_path} {
   @{bin}/chmod      rix,
   @{bin}/basename   rix,
 
+  @{pager_path}     rPx -> child-pager,
   @{bin}/kmod       rCx -> kmod,
 
   @{lib}/kernel/install.d/ r,

apparmor.d/profiles-s-z/speech-dispatcher

@@ -10,6 +10,7 @@ include <tunables/global>
 profile speech-dispatcher @{exec_path} {
   include <abstractions/base>
   include <abstractions/audio-client>
+  include <abstractions/bus-session>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>