Various fixes: man, nvidia-strict, iwd, lynx

apparmor.d/abstractions/nvidia-strict

@@ -26,7 +26,8 @@
         @{PROC}/sys/vm/max_map_count r,
         @{PROC}/sys/vm/mmap_min_addr r,
         @{PROC}/modules r,
-  owner @{PROC}/@{pid}/comm r,
+  owner @{PROC}/@{pid}/{,task/*/}comm r,
+  owner @{PROC}/@{pid}/cmdline r,
 
   /dev/char/195:@{int} w,  # Nvidia graphics devices
   /dev/nvidia-modeset rw,

apparmor.d/groups/network/iwd

@@ -21,8 +21,10 @@ profile iwd @{exec_path} {
   network netlink raw,
   network netlink dgram,
   network alg seqpacket,
+  network packet dgram,
 
   @{exec_path} mr,
+  @{bin}/resolvconf rPx,
 
   /etc/iwd/{,**} r,
   /var/lib/iwd/{,**} rw,
@@ -33,9 +35,13 @@ profile iwd @{exec_path} {
   @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/arp_* rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/drop_* rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/ndisc_* rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/accept_ra rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlan@{int}/optimistic_dad rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlp*/arp_* rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlp*/drop_* rw,
   @{PROC}/sys/net/ipv{4,6}/conf/wlp*/ndisc_* rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlp*/accept_ra rw,
+  @{PROC}/sys/net/ipv{4,6}/conf/wlp*/optimistic_dad rw,
 
   /dev/rfkill rw,
 

apparmor.d/profiles-g-l/lynx

@@ -34,7 +34,8 @@ profile lynx @{exec_path} {
   /etc/mime.types r,
 
   owner @{tmp}/lynxXXXX*/ rw,
-  owner @{tmp}/lynxXXXX*/*TMP.html{,.gz} rw,
+  # soon there may be .zst here as well. Maybe just give it the whole dir?
+  owner @{tmp}/lynxXXXX*/*TMP.html{,.{gz,br}} rw,
 
   include if exists <local/lynx>
 }

apparmor.d/profiles-m-r/man

@@ -16,10 +16,13 @@ profile man @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/{n,g}roff rmix,
+  @{bin}/grotty rmix,
+
   # Use a special profile when man calls anything groff-related. We only include
   # the programs that actually parse input data in a non-trivial way, not
   # wrappers such as groff and nroff, since they would need a broader profile.
-  @{bin}/eqn      rCx -> man_groff,
+  @{bin}/{,n}eqn  rCx -> man_groff,
   @{bin}/grap     rCx -> man_groff,
   @{bin}/pic      rCx -> man_groff,
   @{bin}/preconv  rCx -> man_groff,
@@ -46,9 +49,10 @@ profile man @{exec_path} {
 
   /usr/share/groff/{,**} r,
 
-  /usr/**/man/{,**} r,
+  /usr{,/local}{,/share}{,/X11R6}/man/{,**} r,
+  /opt/man/{,**} r,
   /var/**/man/{,**} r,
-  /var/cache/man/index.db rk,
+  /var/cache/man{,/**}/index.{db,bt,dir,pag} rk,
 
   /etc/man_db.conf r,
   /etc/manpath.config r,
@@ -58,7 +62,7 @@ profile man @{exec_path} {
   include if exists <local/man>
 }
 
-profile man_groff {
+profile man//man_groff {
   include <abstractions/base>
   include <abstractions/consoles>
 
@@ -85,7 +89,7 @@ profile man_groff {
   include if exists <local/man_groff>
 }
 
-profile man_filter {
+profile man//man_filter {
   include <abstractions/base>
   include <abstractions/consoles>
 
@@ -97,6 +101,7 @@ profile man_filter {
   @{bin}/compress   mr,
   @{bin}/iconv      mr,
   @{bin}/lzip.lzip  mr,
+  @{bin}/lzip       mr,
   @{bin}/tr         mr,
   @{bin}/xz         mr,