feat(profile): modernise the crontab profile.

fix #428

apparmor.d/abstractions/app/editor

@@ -1,16 +1,19 @@
 # apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
 # Copyright (C) 2024 Zane Zakraisek <zz@eng.utah.edu>
 # SPDX-License-Identifier: GPL-2.0-only
 
   include <abstractions/nameservice-strict>
 
+  @{sh_path}                   rix,
+  @{bin}/nvim                 mrix,
   @{bin}/sensible-editor        mr,
   @{bin}/vim{,.*}             mrix,
-  @{sh_path}                   rix,
   @{bin}/which{,.debianutils}  rix,
 
-  /usr/share/vim/{,**} r,
+  /usr/share/nvim/{,**} r,
   /usr/share/terminfo/** r,
+  /usr/share/vim/{,**} r,
 
   /etc/vimrc r,
   /etc/vim/{,**} r,
@@ -19,11 +22,11 @@
   owner @{HOME}/.viminf@{c}{,.tmp} rw,
   owner @{HOME}/.vimrc r,
 
-  # Vim swap file 
   owner @{HOME}/ r,
   owner @{user_cache_dirs}/ r,
   owner @{user_cache_dirs}/vim/{,**} rw,
   owner @{user_config_dirs}/vim/{,**} r,
+  owner @{user_state_dirs}/nvim/{,**} rw,
 
   include if exists <abstractions/app/editor.d>
 

apparmor.d/groups/cron/crontab

@@ -10,9 +10,12 @@ include <tunables/global>
 @{exec_path} = @{bin}/crontab
 profile crontab @{exec_path} {
   include <abstractions/base>
+  include <abstractions/authentication>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
+  capability net_admin,
   capability setgid,
   capability setuid,
 
@@ -23,15 +26,17 @@ profile crontab @{exec_path} {
   # When editing the crontab file
   @{bin}/sensible-editor rCx -> editor,
   @{bin}/vim.*           rCx -> editor,
+  @{bin}/nvim            rCx -> editor,
 
   /etc/cron.{allow,deny} r,
   /etc/pam.d/* r,
 
         /var/spool/cron/ r,
         /var/spool/cron/crontabs/ rw,
+        /var/spool/cron/user r,
   owner /var/spool/cron/crontabs/* rw,
 
-  owner @{tmp}/crontab.*/{,crontab} rw,
+  owner @{tmp}/crontab.@{rand6}/{,crontab} rw,
 
   profile editor {
     include <abstractions/base>
@@ -42,7 +47,8 @@ profile crontab @{exec_path} {
     /etc/cron.{allow,deny} r,
 
           /tmp/ r,
-    owner @{tmp}/crontab.*/crontab rw,
+    owner @{tmp}/crontab.@{rand6}/crontab rw,
+    owner @{tmp}/crontab.@{rand6} rw,
 
     include if exists <local/crontab_editor>
   }

apparmor.d/profiles-a-f/flatpak

@@ -35,6 +35,8 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 
   ptrace (read) peer=flatpak-app,
 
+  signal send peer=flatpak-app,
+
   @{exec_path} mr,
 
   @{bin}/bwrap               rPx -> flatpak-app,

apparmor.d/profiles-a-f/flatpak-app

@@ -44,8 +44,9 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
   ptrace (read),
   ptrace trace peer=flatpak-app,
 
-  signal (receive) set=(int term) peer=flatpak-portal,
+  signal receive peer=flatpak,
-  signal (receive) set=(int) peer=flatpak-session-helper,
+  signal receive set=(int term) peer=flatpak-portal,
+  signal receive set=(int) peer=flatpak-session-helper,
 
   @{bin}/**                            rmix,
   @{lib}/**                            rmix,