Merge ~intrigeri/apparmor-profiles/+git/apparmor-profiles:stricter-totem into ~apparmor-dev/apparmor-profiles/+git/apparmor-profiles-old:master

Note that https://code.launchpad.net/~intrigeri/apparmor/gnome-gtk3-config/+merge/310132 adds to https://git.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/commit/?id=9d99bd0f2a8824a96d8ef002532c57f6fa07482d and should probably be merged at the same time, in order to avoid a regression that https://git.launchpad.net/~intrigeri/apparmor-profiles/+git/apparmor-profiles/commit/?id=2abc51352b59bf499682c8839ffc9fad9dc4b08f would otherwise cause.

What motivated the change from ** to [a-zA-Z0-9]? This will prevent access to files in directories Видео/ or ビデオ/.

Thanks

Hi!

Seth Arnold:
> What motivated the change from ** to [a-zA-Z0-9]?

Noticing that Totem had access e.g. to my OTR and GnuPG private keys,
which seems to void most of the purpose (for my use case at least) of
confining Totem in the first place. Basically, in my tests, the "**"
rule cancels the effect of private-files-strict.

> This will prevent access to files in directories Видео/ or ビデオ/.

Oops, good catch. Thank you! I'll resubmit something nicer (and
simpler), i.e. granting access to any file in $HOME, as long as the
name of the top-level sub-directory does not start with '.'.

Updated!

Merged current master, copied changes to 17.10. I've now been using these changes since more than 7 months on my main system, and didn't notice any issue. The concern raised by Seth during his first review pass was addressed a while ago :) Time for another review?

Added one more Mesa-related rule to fix a problem reported on Debian (where I've already applied this MR).

All concerns raised in the initial review have been addressed 10 months ago. Again, this changeset has been applied in Debian and Tails for a while, and nobody complained :)

Is there anything I can do to help speed this up?

Thanks for your patience! Looks good, merged.