abstractions/mesa, chromium_browser, firefox: Updates

Mesa now needs ~/.cache/mesa_shader_cache_db/marker .

Chromium wants uid_map readable, /proc/$PID/smaps_rollup,
/sys/.../report_descriptor, and two XDG utilities used by the "Create
shortcut..." feature. Deny the latter for now, due to additional
permissions that would be needed and a questionable security trade-off
as a result.

Firefox wants a socket for its crash helper, product_{name,sku} from
DMI devices, and .sql files in its cache directory. It also wants
uevent from devices more broadly than currently allowed.

profiles/apparmor.d/abstractions/mesa

@@ -24,6 +24,7 @@
 
   owner @{HOME}/.cache/mesa_shader_cache_db/ rw,
   owner @{HOME}/.cache/mesa_shader_cache_db/index rwk,
+  owner @{HOME}/.cache/mesa_shader_cache_db/marker rwk,
   owner @{HOME}/.cache/mesa_shader_cache_db/part*/ rw,
   owner @{HOME}/.cache/mesa_shader_cache_db/part*/mesa_cache.db rwkl,
   owner @{HOME}/.cache/mesa_shader_cache_db/part*/mesa_cache.idx rwkl,

profiles/apparmor/profiles/extras/chromium_browser

@@ -132,8 +132,8 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   owner @{PROC}/@{pid}/io r,
   owner @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/setgroups w,
-  owner @{PROC}/@{pid}/{uid,gid}_map w,
-  owner @{PROC}/@{pid}/smaps r,
+  owner @{PROC}/@{pid}/{uid,gid}_map rw,
+  owner @{PROC}/@{pid}/smaps{,_rollup} r,
   @{PROC}/@{pid}/stat r,
   @{PROC}/@{pid}/statm r,
   owner @{PROC}/@{pid}/status r,
@@ -164,6 +164,7 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /sys/devices/@{pci_bus}/**/irq r,
   /sys/devices/@{pci_bus}/**/manufacturer r,
   /sys/devices/@{pci_bus}/**/product r,
+  /sys/devices/@{pci_bus}/**/report_descriptor r,
   /sys/devices/@{pci_bus}/**/resource r,
   /sys/devices/@{pci_bus}/**/revision r,
   /sys/devices/@{pci_bus}/**/serial r,
@@ -233,6 +234,9 @@ profile chromium_browser /usr/lib/@{chromium}/@{chromium} flags=(attach_disconne
   /usr/bin/gvfs-open ixr,
   /usr/bin/kdialog ixr,
   # TODO: xfce
+  # Block "Create shortcut..." functionality for now
+  deny /usr/bin/xdg-desktop-menu x,
+  deny /usr/bin/xdg-icon-resource x,
 
   # Importing firefox settings (requires 'r' access to @{HOME}/.mozilla/**
   # which is provided by abstractions/ubuntu-browsers.d/user-files).

profiles/apparmor/profiles/extras/firefox

@@ -110,6 +110,8 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
        member=GetAll
        peer=(label=unconfined),
 
+  unix (bind, listen) type=seqpacket addr="@gecko-crash-helper-pipe.*",
+
   @{exec_path} mr,
 
   # should maybe be in abstractions
@@ -193,13 +195,14 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   @{PROC}/filesystems r,
   @{PROC}/sys/vm/overcommit_memory r,
   @{sys}/fs/cgroup/user.slice/user-[0-9]*.slice/session-{,c}[0-9]*.scope/cpu.max r,
+  /sys/devices/**/uevent r,
   # prevent crash LP: #1931602
-  /sys/devices/@{pci_bus}/**/{uevent,resource,irq,class} r,
-  /sys/devices/platform/**/uevent r,
+  /sys/devices/@{pci_bus}/**/{resource,irq,class} r,
   /sys/devices/@{pci_bus}/**/{boot_vga,busnum,config,idVendor,idProduct,revision} r,
   /sys/devices/@{pci_bus}/**/{,subsystem_}device r,
   /sys/devices/@{pci_bus}/**/{,subsystem_}vendor r,
   /sys/devices/system/node/node[0-9]*/meminfo r,
+  /sys/devices/virtual/dmi/id/product_{name,sku} r,
   owner @{HOME}/.cache/thumbnails/** rw,
 
   /etc/mtab r,
@@ -246,7 +249,7 @@ profile firefox @{MOZ_LIBDIR}/@{MOZ_APP_NAME}{,*[^s][^h]} {
   owner @{HOME}/.gnome2/firefox* rwk,
   owner @{HOME}/.cache/mozilla/{,@{MOZ_APP_NAME}/} rw,
   owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/** rw,
-  owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sqlite{,-shm} k,
+  owner @{HOME}/.cache/mozilla/@{MOZ_APP_NAME}/**/*.sql{,ite}{,-shm} k,
   owner @{HOME}/.config/gtk-3.0/bookmarks r,
   owner @{HOME}/.config/dconf/user w,
   owner @{run}/user/[0-9]*/dconf/ w,