feat(profiles): improve some profiles related to kde (with xorg).

apparmor.d/groups/akonadi/akonadi_mailmerge_agent

@@ -11,6 +11,7 @@ profile akonadi_mailmerge_agent @{exec_path} {
   include <abstractions/base>
   include <abstractions/dri-common>
   include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/X-strict>
@@ -23,8 +24,6 @@ profile akonadi_mailmerge_agent @{exec_path} {
   @{exec_path} mr,
 
   /usr/share/hwdata/*.ids r,
-  /usr/share/icons/{,**} r,
-  /usr/share/mime/{,**} r,
   /usr/share/qt/translations/*.qm r,
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,

apparmor.d/groups/akonadi/akonadi_migration_agent

@@ -12,6 +12,7 @@ profile akonadi_migration_agent @{exec_path} {
   include <abstractions/dri-common>
   include <abstractions/dri-enumerate>
   include <abstractions/fonts>
+  include <abstractions/freedesktop.org>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/qt5>
@@ -21,7 +22,6 @@ profile akonadi_migration_agent @{exec_path} {
   @{exec_path} mr,
 
   /usr/share/hwdata/*.ids r,
-  /usr/share/mime/{,**} r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
 
   /etc/xdg/kdeglobals r,

apparmor.d/groups/akonadi/akonadi_notes_agent

@@ -28,7 +28,6 @@ profile akonadi_notes_agent @{exec_path} {
 
   /usr/share/hwdata/*.ids r,
   /usr/share/mime/{,**} r,
-  /usr/share/qt/translations/*.qm r,
 
   /etc/xdg/kdeglobals r,
   /etc/xdg/kwinrc r,

apparmor.d/groups/freedesktop/polkit-kde-authentication-agent

@@ -32,6 +32,7 @@ profile polkit-kde-authentication-agent @{exec_path} {
   /{usr/,}lib/polkit-[0-9]/polkit-agent-helper-[0-9] rPx,
 
   /usr/share/hwdata/pnp.ids r,
+  /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
   /usr/share/qt5ct/** r,
 
   /etc/machine-id r,

apparmor.d/groups/freedesktop/xdg-desktop-portal-gtk

@@ -166,6 +166,7 @@ profile xdg-desktop-portal-gtk @{exec_path} {
   owner /tmp/runtime-*/xauth_?????? r,
 
         @{run}/mount/utab r,
+        @{run}/user/@{uid}/xauth_* rl,
   owner @{run}/user/@{uid}/.mutter-Xwaylandauth.[0-9A-Z]* rw,
   owner @{run}/user/@{uid}/gdm/Xauthority r,
   owner @{run}/user/@{uid}/wayland-[0-9]* rw,

apparmor.d/groups/freedesktop/xdg-desktop-portal-kde

@@ -10,17 +10,25 @@ include <tunables/global>
 profile xdg-desktop-portal-kde @{exec_path} {
   include <abstractions/base>
   include <abstractions/dri-common>
+  include <abstractions/dri-enumerate>
   include <abstractions/freedesktop.org>
   include <abstractions/mesa>
   include <abstractions/nameservice-strict>
   include <abstractions/qt5>
   include <abstractions/vulkan>
 
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
   @{exec_path} mr,
 
   /usr/share/hwdata/pnp.ids r,
   /usr/share/icu/[0-9]*.[0-9]*/*.dat r,
   /usr/share/mime/{,**} r,
+  /usr/share/qt5/qtlogging.ini r,
 
   /etc/xdg/kdeglobals r,
   /etc/xdg/kwinrc r,
@@ -30,13 +38,14 @@ profile xdg-desktop-portal-kde @{exec_path} {
 
   owner @{user_cache_dirs}/icon-cache.kcache rw,
 
+  owner @{user_config_dirs}/autostart/org.kde.*.desktop r,
   owner @{user_config_dirs}/kdedefaults/kdeglobals r,
   owner @{user_config_dirs}/kdedefaults/kwinrc r,
   owner @{user_config_dirs}/kdeglobals r,
   owner @{user_config_dirs}/kwinrc r,
   owner @{user_config_dirs}/xdg-desktop-portal-kderc r,
 
-  @{sys}/devices/pci[0-9]*/**/{device,subsystem_device,subsystem_vendor,uevent,vendor} r,
+  @{run}/user/@{uid}/xauth_* rl,
 
   @{PROC}/sys/kernel/core_pattern r,
 

apparmor.d/groups/freedesktop/xkbcomp

@@ -21,6 +21,7 @@ profile xkbcomp @{exec_path} flags=(attach_disconnected) {
   /usr/share/X11/xkb/** r,
 
   /var/lib/xkb/server-[0-9]*.xkm w,
+  /var/lib/xkb/compiled/server-[0-9]*.xkm rw,
 
   owner @{HOME}/.Xauthority r,
   owner @{HOME}/*.{xkb,xkm} rw,

apparmor.d/groups/freedesktop/xrdb

@@ -21,6 +21,7 @@ profile xrdb @{exec_path} {
   /{usr/,}lib/llvm-[0-9]*/bin/clang       rix,
 
   /usr/include/stdc-predef.h r,
+  /usr/etc/X11/xdm/Xresources r,
 
   @{etc_ro}/Xresources/x11-common r,
   @{etc_ro}/X11/Xresources r,

apparmor.d/groups/freedesktop/xsetroot

@@ -24,6 +24,7 @@ profile xsetroot @{exec_path} {
   owner @{user_share_dirs}/sddm/xorg-session.log w,
 
   @{run}/sddm/\{@{uuid}\} r,
+  @{run}/user/@{uid}/xauth_* rl,
 
   include if exists <local/xsetroot>
 }

apparmor.d/groups/network/ModemManager

@@ -10,6 +10,7 @@ include <tunables/global>
 profile ModemManager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/dri-enumerate>
   include <abstractions/dbus-strict>
   include <abstractions/devices-usb>
 
@@ -70,7 +71,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/wwan/ r,
 
   @{sys}/devices/**/uevent r,
-  @{sys}/devices/pci[0-9]*/**/{vendor,device,revision} r,
+  @{sys}/devices/pci[0-9]*/**/revision r,
   @{sys}/devices/virtual/net/*/ r,
   @{sys}/devices/virtual/tty/*/ r,
 

apparmor.d/profiles-m-r/packagekitd

@@ -160,8 +160,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
     owner /etc/pacman.d/gnupg/ r, # only: arch
     owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**,
 
-    /var/tmp/zypp.*/zypp-*/ r, # only: opensuse
+    owner /var/tmp/zypp.*/*/ r, # only: opensuse
-    /var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
+    owner /var/tmp/zypp.*/*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
 
     owner @{run}/user/@{uid}/gnupg/ r,
     owner @{run}/user/@{uid}/gnupg/ rwkl -> @{run}/user/@{uid}/gnupg/**,

apparmor.d/profiles-s-z/smartctl

@@ -21,6 +21,8 @@ profile smartctl @{exec_path} {
   /usr/share/smartmontools/** r,
   /var/lib/smartmontools/** r,
 
+  /etc/smart_drivedb.h r,
+
   @{PROC}/devices r,
 
   include if exists <local/smartctl>