feat(profile): various improvements and update.

apparmor.d/groups/gnome/gnome-session

@@ -58,6 +58,8 @@ profile gnome-session @{exec_path} {
   /etc/X11/xinit/xinputrc r,
   /etc/X11/Xsession.d/*im-config_launch r,
 
+  owner @{HOME}/ r,
+
   owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid r,

apparmor.d/groups/gnome/gnome-software

@@ -39,6 +39,7 @@ profile gnome-software @{exec_path} {
 
   /usr/share/app-info/{,**} r,
   /usr/share/appdata/{,**} r,
+  /usr/share/flatpak/remotes.d/ r,
   /usr/share/metainfo/{,**} r,
   /usr/share/swcatalog/{,**} r,
   /usr/share/xml/iso-codes/{,**} r,

apparmor.d/groups/network/mullvad-daemon

@@ -59,6 +59,7 @@ profile mullvad-daemon @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/@{uuid} rw,
   owner @{tmp}/talpid-openvpn-@{uuid} rw,
 
+        @{PROC}/sys/net/ipv{4,6}/conf/all/arp_ignore rw,
         @{PROC}/sys/net/ipv{4,6}/conf/all/src_valid_mark rw,
   owner @{PROC}/@{pid}/mounts r,
   owner @{PROC}/sys/net/ipv6/conf/all/disable_ipv6 r,

apparmor.d/groups/pacman/pacman-hook-systemd

@@ -44,6 +44,7 @@ profile pacman-hook-systemd @{exec_path} {
     include <abstractions/app/systemctl>
 
     capability net_admin,
+    capability sys_resource,
 
     signal send set=term peer=systemd-tty-ask-password-agent,
 

apparmor.d/groups/systemd/bootctl

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/bootctl
-profile bootctl @{exec_path} {
+profile bootctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/disks-read>

apparmor.d/groups/systemd/busctl

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/busctl
-profile busctl @{exec_path} {
+profile busctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-accessibility>
   include <abstractions/bus-session>

apparmor.d/groups/systemd/systemd-backlight

@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-backlight
-profile systemd-backlight @{exec_path} {
+profile systemd-backlight @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
 

apparmor.d/groups/systemd/systemd-cryptsetup

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/systemd-cryptsetup @{lib}/systemd/systemd-cryptsetup
-profile systemd-cryptsetup @{exec_path} {
+profile systemd-cryptsetup @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
   include <abstractions/disks-write>

apparmor.d/groups/systemd/systemd-generator-user-autostart

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/user-generators/systemd-xdg-autostart-generator
-profile systemd-generator-user-autostart @{exec_path} {
+profile systemd-generator-user-autostart @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
   include <abstractions/nameservice-strict>

apparmor.d/groups/systemd/systemd-generator-user-environment

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/user-environment-generators/*
-profile systemd-generator-user-environment @{exec_path} {
+profile systemd-generator-user-environment @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
   include <abstractions/nameservice-strict>

apparmor.d/groups/systemd/systemd-journald

@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-journald
-profile systemd-journald @{exec_path} {
+profile systemd-journald @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/common/systemd>

apparmor.d/groups/systemd/systemd-machined

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-machined
-profile systemd-machined @{exec_path} {
+profile systemd-machined @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/nameservice-strict>

apparmor.d/groups/systemd/systemd-random-seed

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-random-seed
-profile systemd-random-seed @{exec_path} {
+profile systemd-random-seed @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
 

apparmor.d/groups/systemd/systemd-update-done

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-update-done
-profile systemd-update-done @{exec_path} {
+profile systemd-update-done @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   capability net_admin,

apparmor.d/groups/systemd/systemd-update-utmp

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-update-utmp
-profile systemd-update-utmp @{exec_path} {
+profile systemd-update-utmp @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
   include <abstractions/wutmp>

apparmor.d/groups/systemd/systemd-user-runtime-dir

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-user-runtime-dir
-profile systemd-user-runtime-dir @{exec_path} {
+profile systemd-user-runtime-dir @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.login1>

apparmor.d/groups/systemd/systemd-user-sessions

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/systemd/systemd-user-sessions
-profile systemd-user-sessions @{exec_path} {
+profile systemd-user-sessions @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
 

apparmor.d/groups/virt/libvirtd

@@ -171,6 +171,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/+leds:* r,
   @{run}/udev/data/+pci:* r,              # Identifies all PCI devices (CPU, GPU, Network, Disks, USB, etc.)
   @{run}/udev/data/+platform:* r,
+  @{run}/udev/data/+power_supply:* r,
   @{run}/udev/data/+rfkill:* r,
   @{run}/udev/data/+sound:card@{int} r,   # For sound card
   @{run}/udev/data/+thunderbolt:* r,

apparmor.d/profiles-a-f/flatpak-system-helper

@@ -37,8 +37,9 @@ profile flatpak-system-helper @{exec_path} {
   /etc/flatpak/{,**} r,
   /etc/machine-id r,
 
-  /usr/share/mime/mime.cache r,
+  /usr/share/flatpak/remotes.d/ r,
   /usr/share/flatpak/triggers/ r,
+  /usr/share/mime/mime.cache r,
 
   /var/lib/flatpak/{,**} rwkl,
   /var/tmp/flatpak-cache-*/{,**} rw,

apparmor.d/profiles-a-f/fwupd

@@ -17,7 +17,7 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   include <abstractions/bus/org.freedesktop.UDisks2>
   include <abstractions/bus/org.freedesktop.UPower>
   include <abstractions/consoles>
-  include <abstractions/disks-read>
+  include <abstractions/disks-write>
   include <abstractions/fonts>
   include <abstractions/nameservice-strict>
 
@@ -129,7 +129,6 @@ profile fwupd @{exec_path} flags=(attach_disconnected,complain) {
   /dev/mei@{int} rw,
   /dev/mem r,
   /dev/mtd@{int} rw,
-  /dev/sd[a-z]* r,
   /dev/tpm@{int} rw,
   /dev/tpmrm@{int} rw,
   /dev/wmi/* r,