feat(profiles): general update.

apparmor.d/groups/cron/cron

@@ -44,10 +44,11 @@ profile cron @{exec_path} flags=(attach_disconnected) {
   @{etc_ro}/security/limits.d/{,**} r,
 
   /var/spool/cron/crontabs/{,*} r,
+  /var/spool/cron/tabs/{,*} r,
 
+  @{run}/crond.pid rwk,
+  @{run}/crond.reboot rw,
   @{run}/systemd/sessions/*.ref rw,
-  owner @{run}/crond.pid rwk,
-  owner @{run}/crond.reboot rw,
 
   owner /tmp/#[0-9]*[0-9] rw,
 

apparmor.d/groups/network/ModemManager

@@ -11,6 +11,7 @@ profile ModemManager @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/dbus-strict>
+  include <abstractions/devices-usb>
 
   network qipcrtr dgram,
   network netlink raw,

apparmor.d/groups/network/mullvad-daemon

@@ -36,6 +36,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/ip  rix,
 
   "/opt/Mullvad VPN/resources/openvpn" rix,
+  "/opt/Mullvad VPN/resources/*.so*" mr,
   "/opt/Mullvad VPN/resources/*" r,
 
   /etc/mullvad-vpn/{,*} r,

apparmor.d/groups/network/openvpn

@@ -50,13 +50,8 @@ profile openvpn @{exec_path} {
 
   @{exec_path} mr,
 
-  # OpenVPN config
-  /etc/openvpn/*.{conf,ovpn} r,
-  /etc/openvpn/client/*.{conf,ovpn} r,
-  /etc/openvpn/client/*_userpass.txt r,
-  /etc/openvpn/server/*.{conf,ovpn} r,
-  /etc/openvpn/auth/*.auth r,
-  /etc/openvpn/certs/*.{key,crt} r,
+  /etc/openvpn/{,**} r,
+
   @{HOME}/.cert/{,**} r,
 
   /var/log/openvpn/*.log w,

apparmor.d/groups/systemd/systemd-userwork

@@ -12,6 +12,8 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
   include <abstractions/nameservice-strict>
   include <abstractions/systemd-common>
 
+  capability sys_resource,
+
   @{exec_path} mr,
 
   /etc/machine-id r,

apparmor.d/profiles-a-f/firewalld

@@ -34,6 +34,7 @@ profile firewalld @{exec_path} {
   /{usr/,}bin/false                     rix,
 
   /usr/share/libalternatives/ r,
+  /usr/share/libalternatives/ebtables*/{,*} r,
   /usr/share/libalternatives/ip{,4,6}tables*/{,*} r,
 
   /etc/firewalld/{,**} r,
@@ -41,12 +42,15 @@ profile firewalld @{exec_path} {
   /etc/iproute2/group r,
   /etc/iproute2/rt_realms r,
 
+  /var/lib/ebtables/lock rwk,
+
   /var/log/firewalld rw,
 
   @{run}/firewalld/{,*} rw,
   @{run}/xtables.lock rwk,
 
         @{PROC}/sys/kernel/modprobe r,
+        @{PROC}/sys/net/ipv{4,6}/ip_forward rw,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/@{pids}/net/ip_tables_names r,

apparmor.d/profiles-g-l/kmod

@@ -17,6 +17,7 @@ profile kmod @{exec_path} flags=(attach_disconnected) {
 
   capability dac_override,
   capability mknod,
+  capability net_admin,
   capability sys_module,
   capability syslog,
 

apparmor.d/profiles-m-r/packagekitd

@@ -160,8 +160,8 @@ profile packagekitd @{exec_path} flags=(attach_disconnected) {
     owner /etc/pacman.d/gnupg/ r, # only: arch
     owner /etc/pacman.d/gnupg/** rwkl -> /tmp/pacman.d/gnupg/**,
 
-    owner /var/tmp/zypp.*/zypp-*/ r, # only: opensuse
-    owner /var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
+    /var/tmp/zypp.*/zypp-*/ r, # only: opensuse
+    /var/tmp/zypp.*/zypp-*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,
 
     owner @{run}/user/@{uid}/gnupg/ r,
     owner @{run}/user/@{uid}/gnupg/ rwkl -> @{run}/user/@{uid}/gnupg/**,