feat(profile): improve core snap profiles.

apparmor.d/groups/snap/snap

@@ -25,7 +25,7 @@ profile snap @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
-  ptrace read peer=snap.snap-store.snap-store,
+  ptrace read peer=snap.*,
 
   unix (send, receive) type=stream peer=(label=apt),
 

apparmor.d/groups/snap/snapd

@@ -50,7 +50,7 @@ profile snapd @{exec_path} {
   ptrace read peer=@{p_systemd},
   ptrace read peer=snap{,.*},
 
-  unix (bind) type=stream addr=@@{udbus}/bus/systemctl/,
+  signal send set=kill peer=journalctl,
 
   dbus send bus=system path=/org/freedesktop/
          interface=org.freedesktop.login1.Manager
@@ -64,29 +64,28 @@ profile snapd @{exec_path} {
 
   @{exec_path} mrix,
 
-  @{bin}/adduser                  rPx,
-  @{bin}/groupadd                 rPx,
-  @{bin}/hostnamectl              rPx,
-  @{bin}/ssh-keygen               rPx,
-  @{bin}/useradd                  rPx,
-
   @{sh_path}                      rix,
+  @{bin}/adduser                  rPx,
   @{bin}/apparmor_parser          rPx,
   @{bin}/cp                       rix,
   @{bin}/getent                   rix,
+  @{bin}/groupadd                 rPx,
   @{bin}/gzip                     rix,
+  @{bin}/hostnamectl              rPx,
   @{bin}/journalctl               rPx,
   @{bin}/kmod                     rPx,
   @{bin}/mount                    rix,
   @{bin}/runuser                  rCx -> runuser,
+  @{bin}/ssh-keygen               rPx,
   @{bin}/sync                     rix,
-  @{bin}/systemctl                rix,
+  @{bin}/systemctl                rCx -> systemctl,
   @{bin}/systemd-detect-virt      rPx,
   @{bin}/tar                      rix,
   @{bin}/udevadm                  rPx,
   @{bin}/umount                   rix,
   @{bin}/unsquashfs               rix,
   @{bin}/update-desktop-database  rPx,
+  @{bin}/useradd                  rPx,
 
   @{bin_dirs}/fc-cache-*              mr,
   @{bin_dirs}/snap                  rPUx,
@@ -111,11 +110,6 @@ profile snapd @{exec_path} {
   /etc/modprobe.d/{,**/} r,
   /etc/modules-load.d/{,**/} r,
   /etc/modules-load.d/*snap* rw,
-  /etc/systemd/system/{,**/} r,
-  /etc/systemd/system/snap* rw,
-  /etc/systemd/user/{,**/} rw,
-  /etc/systemd/user/**/*snap* rw,
-  /etc/systemd/user/*snap* rw,
   /etc/udev/rules.d/{,*snap*} rw,
 
   /snap/{,**} rw,
@@ -181,6 +175,23 @@ profile snapd @{exec_path} {
 
   /dev/loop-control rw,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+
+    /etc/systemd/system/{,**/} r,
+    /etc/systemd/system/snap* rw,
+    /etc/systemd/user/{,**/} rw,
+    /etc/systemd/user/**/*snap* rw,
+    /etc/systemd/user/*snap* rw,
+
+    @{run}/systemd/notify rw,
+
+    include if exists <local/snapd_systemctl>
+  }
+
   profile runuser {
     include <abstractions/base>
 

tests/integration/snap.bats

@@ -10,11 +10,11 @@ load common
 }
 
 @test "snap: Install a package" {
-    sudo snap install nano-strict
+    sudo snap install vault
 }
 
 @test "snap: Update a package to another channel (track, risk, or branch)" {
-    sudo snap refresh nano-strict --channel=edge
+    sudo snap refresh vault --channel=edge
 }
 
 @test "snap: Update all packages" {
@@ -25,10 +25,31 @@ load common
     sudo snap list
 }
 
-@test "snap: Check for recent snap changes in the system" {
+@test "snap: lists information about the services" {
-    sudo snap changes
+    sudo snap services
+    sudo snap services vault
+}
+
+@test "snap: starts, and optionally enables, the given services" {
+    sudo snap start --enable vault
+}
+
+@test "snap: logs of the given services" {
+    sudo snap logs vault || true
+}
+
+@test "snap: restarts the given services" {
+    sudo snap restart vault
+}
+
+@test "snap: stops, and optionally disables, the given services" {
+    sudo snap stop --disable vault
 }
 
 @test "snap: Uninstall a package" {
-    sudo snap remove nano-strict
+    sudo snap remove vault
+}
+
+@test "snap: Check for recent snap changes in the system" {
+    sudo snap changes
 }