feat(profiles): general update.

apparmor.d/groups/children/child-open

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: GPL-2.0-only
 
 # Note: This profile does not specify an attachment path because it is
-# intended to be used only via "Px -> child-open-X" exec transitions
+# intended to be used only via "Px -> child-open" exec transitions
 # from other profiles. 
 
 # Instead of allowing the run of all software in /{usr/,}bin/, the purpose of
@@ -32,10 +32,14 @@ profile child-open {
   /{usr/,}bin/readlink          rix,
 
   # Sandbox managers
+  /{usr/,}bin/bwrap            rPUx,
   /{usr/,}bin/firejail         rPUx,
   /{usr/,}bin/flatpak          rPUx,
   /{usr/,}bin/snap             rPUx,
 
+  # Files explorer
+  /{usr/,}bin/nautilus          rPx,
+
   # Browsers
   /{usr/,}bin/chromium                                                        rPx,
   /{usr/,}bin/firefox                                                         rPx,
@@ -58,11 +62,13 @@ profile child-open {
   /{usr/,}bin/filezilla         rPx,
   /{usr/,}bin/flameshot         rPx,
   /{usr/,}bin/geany             rPx,
+  /{usr/,}bin/gnome-disk-image-mounter rPx,
   /{usr/,}bin/okular            rPx,
   /{usr/,}bin/qbittorrent       rPx,
   /{usr/,}bin/qpdfview          rPx,
   /{usr/,}bin/smplayer          rPx,
   /{usr/,}bin/spacefm           rPx,
+  /{usr/,}bin/teams            rPUx,
   /{usr/,}bin/telegram-desktop  rPx,
   /{usr/,}bin/thunderbird       rPx,
   /{usr/,}bin/transmission-gtk  rPx,

apparmor.d/groups/freedesktop/pipewire

@@ -8,13 +8,15 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/pipewire
-profile pipewire @{exec_path} {
+profile pipewire @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio>
   include <abstractions/dbus-session-strict>
   include <abstractions/dbus-strict>
   include <abstractions/nameservice-strict>
 
+  capability sys_ptrace,
+
   ptrace (read),
 
   dbus send bus=system path=/org/freedesktop/RealtimeKit[0-9]

apparmor.d/groups/gnome/gnome-shell

@@ -63,6 +63,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
 
   /opt/*/**/*.png r,
   /snap/*/@{uid}/**.png r,
+  /usr/share/app-info/icons/{,**} r,
   /usr/share/backgrounds/{,**} r,
   /usr/share/dconf/profile/gdm r,
   /usr/share/desktop-directories/{,*.directory} r,
@@ -103,6 +104,7 @@ profile gnome-shell @{exec_path} flags=(attach_disconnected) {
   /var/lib/gdm{3,}/greeter-dconf-defaults r,
 
   /var/lib/flatpak/app/**/gnome-shell/{,**} r,
+  /var/lib/flatpak/appstream/**/icons/** r,
   /var/lib/flatpak/exports/share/gnome-shell/{,**} r,
 
   /var/lib/snapd/desktop/icons/{,**} r,

apparmor.d/groups/gnome/nautilus

@@ -37,7 +37,7 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
   /{usr/,}bin/{,ba,da}sh rix,
-  /{usr/,}lib/gio-launch-desktop  rPx -> child-open,
+  /{usr/,}lib/gio-launch-desktop rPx -> child-open,
 
   /usr/share/nautilus/{,**} r,
   /usr/share/poppler/{,**} r,
@@ -49,15 +49,17 @@ profile nautilus @{exec_path} flags=(attach_disconnected) {
   /var/lib/snapd/desktop/icons/{,**} r,
 
   # Full access to user's data
+  include <abstractions/deny-sensitive-home>
   / r,
   /home/ r,
+  @{MOUNTDIRS}/ r,
+  @{MOUNTS}/ r,
   owner @{HOME}/{,**} rw,
-  owner @{MOUNTS}/{,**} rw,
+  owner @{MOUNTS}/** rw,
   owner @{run}/user/@{uid}/{,**} rw,
   owner /tmp/{,**} rw,
 
   # Silence non user's data
-  include <abstractions/deny-sensitive-home>
   deny /boot/{,**} r,
   deny /opt/{,**} r,
   deny /root/{,**} r,

apparmor.d/groups/network/NetworkManager

@@ -102,13 +102,14 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 
   / r,
   /etc/ r,
+  /etc/machine-id r,
   /etc/resolv.conf rw,
   /etc/resolv.conf.[0-9A-Z]* rw,
 
   /etc/NetworkManager/{,**} r,
   /etc/NetworkManager/system-connections/{,**} w,
 
-  /etc/machine-id r,
+  /var/lib/iwd/*open* rw,
   /var/lib/NetworkManager/{,**} rw,
 
   @{sys}/bus/ r,
@@ -130,6 +131,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/net/*/{,**} r,
   @{sys}/devices/pci[0-9]*/**/usb[0-9]/**/net/{,**} r,
 
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/@{pids}/stat r,
         @{PROC}/1/environ r,

apparmor.d/groups/pacman/pacman

@@ -59,6 +59,7 @@ profile pacman @{exec_path} {
   /{usr/,}bin/env                         rix,
   /{usr/,}bin/filecap                     rix,
   /{usr/,}bin/find                        rix,
+  /{usr/,}bin/gdbus                       rix,
   /{usr/,}bin/getent                      rix,
   /{usr/,}bin/gettext                     rix,
   /{usr/,}bin/ghc-pkg-*                   rix,

apparmor.d/profiles-a-f/appstreamcli

@@ -21,11 +21,13 @@ profile appstreamcli @{exec_path} flags=(complain) {
   /{usr/,}bin/gzip rix,
   /{usr/,}bin/tar  rix,
 
+  /usr/share/app-info/{,**} r,
   /usr/share/appdata/ r,
   /usr/share/applications/{,*.desktop} r,
   /usr/share/metainfo/ r,
   /usr/share/metainfo/*.{metainfo,appdata}.xml r,
   /usr/share/mime/mime.cache r,
+  /usr/share/swcatalog/{,**} r,
 
   /etc/appstream.conf r,
 

apparmor.d/profiles-a-f/flatpak-system-helper

@@ -15,6 +15,7 @@ profile flatpak-system-helper @{exec_path} {
 
   capability chown,
   capability dac_override,
+  capability fowner,
   capability net_admin,
   capability setgid,
   capability setuid,
@@ -33,17 +34,18 @@ profile flatpak-system-helper @{exec_path} {
 
   /etc/flatpak/{,**} r,
 
+  /usr/share/mime/mime.cache r,
   /usr/share/flatpak/triggers/ r,
 
   /var/lib/flatpak/{,**} rwkl,
   /var/tmp/flatpak-cache-*/{,**} rw,
 
-  owner /tmp/#[0-9]* rw, 
-  owner /tmp/ostree-gpg-*/ rw,
+  owner /{var/,}tmp/#[0-9]* rw, 
+  owner /{var/,}tmp/ostree-gpg-*/ rw,
   owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
 
+        @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/fd/ r,
-  owner @{PROC}/@{pid}/stat r,
 
   profile gpg {
     include <abstractions/base>

apparmor.d/profiles-g-l/kmod

@@ -24,7 +24,9 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mrix,
 
   /{usr/,}bin/{,ba,da}sh  rix,
+  /{usr/,}bin/false       rix,
   /{usr/,}bin/sysctl      rPx,
+  /{usr/,}bin/true        rix,
 
   /{usr/,}lib/modprobe.d/{,*.conf} r,
   /{usr/,}lib/modules/*/modules.* rw,

apparmor.d/profiles-m-r/mount

@@ -64,7 +64,7 @@ profile mount @{exec_path} flags=(complain) {
   /tmp/sanity-squashfs-[0-9]* rw,
   /tmp/syscheck-squashfs-[0-9]* rw,
 
-  owner @{PROC}/@{pid}/mountinfo r,
+  @{PROC}/@{pid}/mountinfo r,
 
   # The special /dev/loop-control file can be used to create and destroy loop
   # devices or to find the first available loop device.