feat(profile): update gnome profiles.

apparmor.d/groups/gnome/gdm-session-worker

@@ -105,6 +105,8 @@ profile gdm-session-worker @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/.pam_environment r,
 
+  owner @{user_cache_dirs}/ w,
+
         @{run}/cockpit/inactive.motd r,
   owner @{run}/systemd/seats/seat@{int} r,
   owner @{run}/user/@{uid}/keyring/control rw,

apparmor.d/groups/gnome/gio-launch-desktop

@@ -33,6 +33,8 @@ profile gio-launch-desktop @{exec_path} flags=(attach_disconnected) {
 
   owner @{HOME}/{,**} rw,
 
+  owner @{user_share_dirs}/gvfs-metadata/{,*} r,
+
   owner @{tmp}/wl-copy-buffer-@{rand6}/stdin r,
 
   @{run}/mount/utab r,

apparmor.d/groups/gnome/gnome-control-center

@@ -181,7 +181,7 @@ profile gnome-control-center @{exec_path} flags=(attach_disconnected) {
 
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 
-  profile bwrap {
+  profile bwrap flags=(attach_disconnected) {
     include <abstractions/base>
     include <abstractions/common/bwrap>
 

apparmor.d/groups/gnome/gnome-session-binary

@@ -48,11 +48,8 @@ profile gnome-session-binary @{exec_path} flags=(attach_disconnected) {
   @{sh_path}                                     rix,
   @{bin}/tput                                    rix,
   @{bin}/session-migration                       rPx,
-
+  @{lib}/gnome-session-check-*                   rPx,
-  @{lib}/gnome-session-check-accelerated               rix,
+  @{lib}/gnome-session-failed                    rix,
-  @{lib}/gnome-session-check-accelerated-gl-helper     rix,
-  @{lib}/gnome-session-check-accelerated-gles-helper   rix,
-  @{lib}/gnome-session-failed                          rix,
 
   @{lib}/gio-launch-desktop                               rCx -> open,
   @{lib}/@{multiarch}/glib-@{version}/gio-launch-desktop  rCx -> open,

apparmor.d/groups/gnome/gnome-software

@@ -64,8 +64,7 @@ profile gnome-software @{exec_path} {
 
   /var/lib/PackageKit/offline-update-competed r,
   /var/lib/PackageKit/prepared-update r,
-  /var/lib/swcatalog/icons/**.png r,
+  /var/lib/swcatalog/** r,
-  /var/lib/swcatalog/yaml/ r,
 
   /var/tmp/flatpak-cache-*/ rw,
   /var/tmp/flatpak-cache-*/** rwkl,
@@ -91,6 +90,7 @@ profile gnome-software @{exec_path} {
   owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/deploy r,
   owner @{user_share_dirs}/flatpak/{app,runtime}/*/**/@{hex64}/metadata r,
   owner @{user_share_dirs}/flatpak/{app,runtime}/*/*/ r,
+  owner @{user_share_dirs}/flatpak/overrides/* r,
   owner @{user_share_dirs}/flatpak/repo/ rw,
   owner @{user_share_dirs}/flatpak/repo/** rwl -> @{user_share_dirs}/flatpak/repo/**,
   owner @{user_share_dirs}/gnome-software/{,**} rw,

apparmor.d/groups/gnome/gnome-tweaks

@@ -7,12 +7,10 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/gnome-tweaks
-profile gnome-tweaks @{exec_path} {
+profile gnome-tweaks @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/audio-client>
-  include <abstractions/dconf-write>
+  include <abstractions/common/gnome>
-  include <abstractions/gnome-strict>
-  include <abstractions/graphics>
   include <abstractions/python>
   include <abstractions/thumbnails-cache-read>
 
@@ -21,6 +19,7 @@ profile gnome-tweaks @{exec_path} {
   @{exec_path} mr,
 
   @{bin}/ r,
+  @{bin}/env r,
   @{bin}/ps rPx,
   @{bin}/python3.@{int} rix,
 
@@ -28,8 +27,6 @@ profile gnome-tweaks @{exec_path} {
 
   @{lib}/python3.@{int}/site-packages/gtweak/{,*/,**/}__pycache__/*pyc* w,
 
-  /usr/share/gnome-tweaks/{,**} r,
-
   /etc/xdg/autostart/{,**} r,
 
   owner @{HOME}/@{XDG_WALLPAPERS_DIR}/{,**} r,
@@ -44,7 +41,12 @@ profile gnome-tweaks @{exec_path} {
   @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
   @{run}/udev/data/c13:@{int}  r,         # for /dev/input/*
 
+  @{sys}/bus/ r,
+  @{sys}/class/input/ r,
+  @{sys}/devices/**/uevent r,
+
   owner @{PROC}/@{pid}/fd/ r,
+  owner @{PROC}/@{pid}/mounts r,
 
   deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,
 

apparmor.d/groups/gnome/kgx

@@ -41,6 +41,7 @@ profile kgx @{exec_path} {
         @{PROC}/@{pids}/stat r,
         @{PROC}/1/cgroup r,
   owner @{PROC}/@{pid}/cgroup r,
+  owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
   /dev/ptmx rw,
 

apparmor.d/groups/gnome/mutter-x11-frames

@@ -15,6 +15,7 @@ profile mutter-x11-frames @{exec_path} flags=(attach_disconnected) {
   include <abstractions/bus/org.a11y>
   include <abstractions/bus/org.gtk.vfs.MountTracker>
   include <abstractions/dconf-write>
+  include <abstractions/fontconfig-cache-write>
   include <abstractions/gnome-strict>
   include <abstractions/graphics>
   include <abstractions/nameservice-strict>

apparmor.d/groups/gnome/tracker-miner

@@ -21,7 +21,6 @@ profile tracker-miner @{exec_path} flags=(attach_disconnected) {
   include <abstractions/gnome-strict>
   include <abstractions/gstreamer>
   include <abstractions/nameservice-strict>
-  include <abstractions/private-files-strict>
 
   network netlink raw,
 

apparmor.d/groups/gnome/yelp

@@ -28,11 +28,13 @@ profile yelp @{exec_path} {
 
   /etc/xml/{,**} r,
 
-  @{sys}/devices/virtual/dmi/id/chassis_type r,
+        @{sys}/devices/virtual/dmi/id/chassis_type r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r,
+        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/app-gnome-yelp-*.scope/memory.* r,
-
   owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/*.slice/*/memory.* r,
-
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.current r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.high r,
+  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/session.slice/xdg-desktop-portal.service/memory.max r,
+  
         @{PROC}/zoneinfo r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/cmdline r,