Merge Abstractions: better integration

This is the first MR of a possibly very long list of MR in order to upstream stable abstraction & profiles previously tested in https://github.com/roddhjav/apparmor.d

This first MR focuses on integrating abstraction completion from the `*.d` directory in [apparmor.d/abstractions](https://github.com/roddhjav/apparmor.d/tree/main/apparmor.d/abstractions)

MR: https://gitlab.com/apparmor/apparmor/-/merge_requests/995
Approved-by: John Johansen <john@jjmx.net>
Merged-by: John Johansen <john@jjmx.net>

profiles/apparmor.d/abstractions/audio

@@ -39,6 +39,7 @@ abi <abi/3.0>,
 @{PROC}/asound/** rw,
 
 /usr/share/alsa/** r,
+/usr/share/sounds/ r,
 /usr/share/sounds/** r,
 
 owner @{HOME}/.esd_auth r,

profiles/apparmor.d/abstractions/base

@@ -32,8 +32,10 @@
   @{etc_ro}/locale/**          r,
   @{etc_ro}/locale.alias       r,
   @{etc_ro}/localtime          r,
+  @{etc_rw}/localtime          r,
   /usr/share/locale-bundle/**    r,
   /usr/share/locale-langpack/**  r,
+  /usr/share/locale/             r,
   /usr/share/locale/**           r,
   /usr/share/**/locale/**        r,
   /usr/share/zoneinfo{,-icu}/    r,

profiles/apparmor.d/abstractions/dbus-session-strict

@@ -15,9 +15,10 @@
   /etc/machine-id r,
   /var/lib/dbus/machine-id r,
 
-  unix (connect, receive, send)
-       type=stream
-       peer=(addr="@/tmp/dbus-*"),
+  unix (connect, receive, send, accept) type=stream peer=(addr="@/tmp/dbus-*"),
+
+  unix (connect, send, receive, accept) type=stream addr="@/tmp/dbus-*",
+  unix (bind, listen) type=stream addr="@/tmp/dbus-*",
 
   # dbus with systemd and --enable-user-session
   owner @{run}/user/[0-9]*/bus rw,
@@ -29,5 +30,10 @@
        member={Hello,AddMatch,RemoveMatch,GetNameOwner,NameHasOwner,StartServiceByName}
        peer=(name=org.freedesktop.DBus),
 
+  owner @{run}/user/@{uid}/at-spi/ rw,
+  owner @{run}/user/@{uid}/at-spi/bus{,_[0-9]*} rw,
+
+  owner /tmp/dbus-[0-9a-zA-Z]* rw,
+
   # Include additions to the abstraction
   include if exists <abstractions/dbus-session-strict.d>

profiles/apparmor.d/abstractions/freedesktop.org

@@ -13,12 +13,20 @@
 
   # system configuration
   @{system_share_dirs}/applications/{**,} r,
+  @{system_share_dirs}/*ubuntu/applications/{**,} r,
+  @{system_share_dirs}/gnome/applications/{**,} r,
+  @{system_share_dirs}/xfce4/applications/{**,} r,
   @{system_share_dirs}/icons/{**,}        r,
   @{system_share_dirs}/pixmaps/{**,}      r,
 
   # this should probably go elsewhere
   @{system_share_dirs}/mime/** r,
 
+  @{system_share_dirs}/glib-2.0/schemas/gschemas.compiled r,
+
+  /etc/gnome/defaults.list r,
+  /etc/xfce4/defaults.list r,  
+
   # per-user configurations
   owner @{HOME}/.icons/{,**}            r,
   owner @{HOME}/.recently-used.xbel*    rw,

profiles/apparmor.d/abstractions/gtk

@@ -24,6 +24,7 @@
 
   /etc/gtk-{3,4}.0/ r,
   /etc/gtk-{3,4}.0/*.conf r,
+  /etc/gtk-{3,4}.0/settings.ini r,
 
   /etc/gtk/gtkrc r,
 
@@ -40,6 +41,8 @@
   owner @{HOME}/.config/gtk-{3,4}.0/settings.ini r,
   owner @{HOME}/.config/gtk-{3,4}.0/bookmarks r,
   owner @{HOME}/.config/gtk-{3,4}.0/gtk.css r,
+  owner @{HOME}/.config/gtk-{3,4}.0/colors.css r,
+  owner @{HOME}/.config/gtk-{3,4}.0/servers r,
 
   # for gtk file dialog
   owner @{HOME}/.config/gtk-2.0/ rw,

profiles/apparmor.d/abstractions/nvidia

@@ -6,6 +6,7 @@
   # configuration queries
   capability ipc_lock,
 
+  /etc/nvidia/nvidia-application-profiles* r,
   /usr/share/nvidia/nvidia-application-profiles* r,
 
   # libvdpau config file for nvidia workarounds
@@ -29,9 +30,11 @@
   owner @{HOME}/.nv/ w,
   owner @{HOME}/.nv/GLCache/ rw,
   owner @{HOME}/.nv/GLCache/** rwk,
+  owner @{HOME}/.nv/nvidia-application-profiles* r,
   owner @{PROC}/@{pid}/comm r, # somehwere in libnvidia-glcore.so
 
   unix (send, receive) type=dgram peer=(addr="@nvidia[0-9a-f]*"),
+  unix (send, receive) type=dgram peer=(addr="@var/run/nvidia-xdriver-*"),
 
   # Include additions to the abstraction
   include if exists <abstractions/nvidia.d>

profiles/apparmor.d/abstractions/python

@@ -12,6 +12,9 @@
 
   abi <abi/3.0>,
 
+  /{usr/,}bin/ r,
+  /{usr/,}bin/python{2.[4-7],3,3.[0-9],3.1[0-9]} r,
+
   /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so,so.*[0-9]} mr,
   /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth}       r,
   /usr/{local/,}lib{,32,64}/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/ r,
@@ -37,5 +40,10 @@
   # python build configuration and headers
   /usr/include/python{2.[4-7],3.[0-9],3.1[0-9]}*/pyconfig.h r,
 
+  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{pyc,so}              mr,
+  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/**.{egg,py,pth}          r,
+  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/    r,
+  owner @{HOME}/.local/lib/python{2.[4-7],3,3.[0-9],3.1[0-9]}/{site,dist}-packages/**/ r,
+
   # Include additions to the abstraction
   include if exists <abstractions/python.d>

profiles/apparmor.d/abstractions/vulkan

@@ -5,7 +5,7 @@
 
   # System files
   /dev/dri/ r, # libvulkan_radeon.so, libvulkan_intel.so (Mesa)
-  /etc/glvnd/egl_vendor.d/{*,.json} r,
+  /etc/glvnd/egl_vendor.d/{,*.json} r,
   /etc/vulkan/icd.d/{,*.json} r,
   /etc/vulkan/{explicit,implicit}_layer.d/{,*.json} r,
   # for drmGetMinorNameForFD() from libvulkan_intel.so (Mesa)
@@ -13,7 +13,8 @@
   @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/gt_{max,min}_freq_mhz r, # anv_enumerate_physical_devices() from libvulkan_intel.so
   @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/ r, # anv_enumerate_physical_devices() from libvulkan_intel.so
   @{sys}/devices/pci[0-9]*/*/drm/card[0-9]/metrics/????????-????-????-????-????????????/id r, # anv_enumerate_physical_devices() from libvulkan_intel.so
-  /usr/share/glvnd/egl_vendor.d/{,*.json} r,
+  /usr/share/egl/egl_external_platform.d/{,*} r,
+  /usr/share/glvnd/egl_vendor.d/{,*} r,
   /usr/share/vulkan/icd.d/{,*.json} r,
   /usr/share/vulkan/{explicit,implicit}_layer.d/{,*.json} r,