feat(profiles): general update.

apparmor.d/groups/freedesktop/polkit-agent-helper

@@ -11,10 +11,10 @@ include <tunables/global>
 @{exec_path} += @{libexec}/polkit-agent-helper-[0-9]
 profile polkit-agent-helper @{exec_path} {
   include <abstractions/base>
-  include <abstractions/dbus-strict>
   include <abstractions/authentication>
-  include <abstractions/nameservice-strict>
   include <abstractions/consoles>
+  include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
 
   capability audit_write,
   capability dac_override,
@@ -41,11 +41,14 @@ profile polkit-agent-helper @{exec_path} {
 
   @{exec_path} mr,
 
-  # file_inherit
-  owner /dev/tty[0-9]* rw,
   owner @{HOME}/.xsession-errors w,
 
   @{run}/faillock/[a-zA-z0-9]* rwk,
 
+        @{PROC}/1/cgroup r,
+  owner @{PROC}/@{pid}/cgroup r,
+
+  owner /dev/tty[0-9]* rw,
+
   include if exists <local/polkit-agent-helper>
 }

apparmor.d/groups/freedesktop/xdg-desktop-portal

@@ -133,10 +133,10 @@ profile xdg-desktop-portal @{exec_path} flags=(attach_disconnected) {
   owner @{run}/user/@{uid}/pipewire-[0-9]* rw,
 
         @{PROC}/ r,
+        @{PROC}/*/ r,
         @{PROC}/1/cgroup r,
         @{PROC}/cmdline r,
         @{PROC}/sys/kernel/osrelease r,
-        @{PROC}/@{pid}/ r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/task/ r,
   owner @{PROC}/@{pid}/task/@{tid}/ r,

apparmor.d/profiles-a-f/auditctl

@@ -16,5 +16,7 @@ profile auditctl @{exec_path} {
 
   @{exec_path} mr,
 
+  /etc/audit/audit.rules r,
+
   include if exists <local/auditctl>
 }

apparmor.d/profiles-a-f/augenrules

@@ -13,9 +13,18 @@ profile augenrules @{exec_path} {
 
   @{exec_path} mr,
 
+  /{usr/,}bin/auditctl  rPx,
+  /{usr/,}bin/chmod     rix,
+  /{usr/,}bin/cmp       rix,
+  /{usr/,}bin/cp        rix,
+  /{usr/,}bin/gawk      rix,
+  /{usr/,}bin/grep      rix,
+  /{usr/,}bin/ls        rix,
   /{usr/,}bin/mktemp    rix,
   /{usr/,}bin/rm        rix,
-  /{usr/,}bin/auditctl  rPx,
+
+  /etc/audit/audit.rules r,
+  /etc/audit/rules.d/ r,
 
   owner /tmp/aurules.* rw,
 

apparmor.d/profiles-a-f/fwupd

@@ -74,9 +74,10 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
   /usr/share/fwupd/{,**} r,
   /usr/share/mime/mime.cache r,
 
-  /etc/pki/fwupd/{,**} r,
-  /etc/pki/fwupd-metadata/{,**} r,
   /etc/fwupd/{,**} rw,
+  /etc/lsb-release r,
+  /etc/pki/fwupd-metadata/{,**} r,
+  /etc/pki/fwupd/{,**} r,
 
   /var/cache/fwupd/{,**} rw,
   /var/lib/fwupd/{,**} rw,
@@ -94,6 +95,7 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
 
   # In order to get to this file, the attach_disconnected flag has to be set
   owner @{user_cache_dirs}/fwupd/lvfs-metadata.xml.gz r,
+  owner @{user_cache_dirs}/gnome-software/fwupd/{,**} r,
 
   @{sys}/**/ r,
   @{sys}/devices/** r,
@@ -102,7 +104,8 @@ profile fwupd @{exec_path} flags=(complain,attach_disconnected) {
   @{sys}/firmware/dmi/tables/DMI r,
   @{sys}/firmware/dmi/tables/smbios_entry_point r,
   @{sys}/firmware/efi/** r,
-  @{sys}/firmware/efi/efivars/BootNext-* rw,
+  @{sys}/firmware/efi/efivars/BootNext-@{uuid} rw,
+  @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
   @{sys}/firmware/efi/efivars/fwupd-* rw,
   @{sys}/kernel/security/lockdown r,
   @{sys}/kernel/security/tpm[0-9]/binary_bios_measurements r,

apparmor.d/profiles-g-l/git

@@ -117,6 +117,8 @@ profile git @{exec_path} {
     owner /tmp/.git_vtag_tmp* r,
 
     deny @{user_share_dirs}/gvfs-metadata/* r,
+
+    include if exists <local/git_gpg>
   }
 
   profile ssh {
@@ -144,6 +146,8 @@ profile git @{exec_path} {
     owner @{PROC}/@{pid}/fd/ r,
 
     deny @{user_share_dirs}/gvfs-metadata/* r,
+
+    include if exists <local/git_ssh>
   }
 
   profile exec {
@@ -151,6 +155,7 @@ profile git @{exec_path} {
 
     owner @{user_build_dirs}/**/bin/* mr,
 
+    include if exists <local/git_exec>
   }
 
   profile editor {
@@ -185,6 +190,7 @@ profile git @{exec_path} {
     owner @{user_build_dirs}/ r,
     owner @{user_build_dirs}/** rw,
 
+    include if exists <local/git_editor>
   }
 
   include if exists <local/git>

apparmor.d/profiles-m-r/pass

@@ -83,15 +83,17 @@ profile pass @{exec_path} {
     owner @{HOME}/.fzf/plugin/fzf.vim r,
     owner @{HOME}/.viminfo{,.tmp} rw,
 
-    owner @{user_password_store_dirs}/ r,
-    owner @{user_projects_dirs}/**/*-store/ r,
-    owner @{user_config_dirs}/*-store/ r,
+    owner @{user_password_store_dirs}/{,**/} r,
+    owner @{user_projects_dirs}/**/*-store/{,**/} r,
+    owner @{user_config_dirs}/*-store/{,**/} r,
 
     owner @{user_cache_dirs}/vim/{,**} rw,
     owner @{user_config_dirs}/vim/{,**} rw,
     /dev/shm/pass.*/{,*} rw,
 
     deny owner @{HOME}/ r,
+
+    include if exists <local/pass_editor>
   }
 
   profile git {
@@ -109,6 +111,10 @@ profile pass @{exec_path} {
     /{usr/,}bin/git*          mrix,
     @{libexec}/git-core/git*  mrix,
 
+    /{usr/,}bin/pager         rPx -> child-pager,
+    /{usr/,}bin/less          rPx -> child-pager,
+    /{usr/,}bin/more          rPx -> child-pager,
+
     /{usr/,}bin/gpg{2,}  rUx,
 
     /usr/share/git-core/{,**} r,
@@ -123,6 +129,9 @@ profile pass @{exec_path} {
     owner @{user_config_dirs}/*-store/   rw,
     owner @{user_config_dirs}/*-store/** rwkl -> @{user_config_dirs}/*-store/**,
 
+    owner /tmp/.git_vtag_tmp* rw,              # For git log --show-signature
+
+    include if exists <local/pass_git>
   }
 
   include if exists <usr/pass.d>