General update

apparmor.d/profiles-s-z/sudo

@@ -37,7 +37,7 @@ profile sudo @{exec_path} {
 
   signal (send) peer=unconfined,
   signal (send) set=(cont,hup) peer=su,
-  signal (send) set=winch peer=apt,
+  signal (send) set=winch peer={apt,zsysd,zsys-system-autosnapshot},
 
   dbus send bus=system path=/org/freedesktop/login[0-9]
        interface=org.freedesktop.login[0-9].Manager

apparmor.d/profiles-s-z/zfs

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}{local/,}{s,}bin/zfs
 profile zfs @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
   
   capability sys_admin,
   capability dac_read_search,

apparmor.d/profiles-s-z/zsysd

@@ -23,7 +23,8 @@ profile zsysd @{exec_path} flags=(complain) {
   @{exec_path}                   rmix,
   /{usr/,}{local/,}{s,}bin/zfs   rPx,
   /{usr/,}{local/,}{s,}bin/zpool rPx,
-  /{usr/,}{s,}bin/update-grub    rPUx,
+  # ALLOWED zsysd exec /usr/sbin/update-grub info="no new privs" comm=zsysd requested_mask=x denied_mask=x error=-1
+  /{usr/,}{s,}bin/update-grub    rPx,
 
   /etc/hostid r,
   /etc/zsys.conf r,
@@ -35,10 +36,10 @@ profile zsysd @{exec_path} flags=(complain) {
   @{run}/zsys-snapshot.unattended-upgrades rw,
   @{run}/zsysd.sock rw,
 
-  owner @{PROC}/@{pids}/stat r,
-        @{PROC}/@{pids}/mounts r,
-        @{PROC}/cmdline r,
-        @{PROC}/sys/kernel/spl/hostid r,
+  @{PROC}/@{pids}/stat r,
+  @{PROC}/@{pids}/mounts r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/spl/hostid r,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,