From 13680be0a6a0421bdc2a59ec03284b55debd57ff Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 6 Jul 2025 21:53:53 +0200
Subject: [PATCH] feat(fsp): sdu: add consoles

---
 apparmor.d/groups/_full/sdu | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/apparmor.d/groups/_full/sdu b/apparmor.d/groups/_full/sdu
index 80d8c1fb9..f9c50b65f 100644
--- a/apparmor.d/groups/_full/sdu
+++ b/apparmor.d/groups/_full/sdu
@@ -23,6 +23,7 @@ profile sdu flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/audio-server>
   include <abstractions/bus-session>
   include <abstractions/bus-system>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/xdg-desktop>
 
@@ -108,6 +109,8 @@ profile sdu flags=(attach_disconnected,mediate_deleted) {
   owner @{PROC}/@{pid}/oom_score_adj rw,
   owner @{PROC}/@{pid}/task/@{tid}/comm rw,
 
+  /dev/kmsg w,
+
   deny capability net_admin,
 
   profile shell flags=(attach_disconnected,mediate_deleted,complain) {
@@ -123,10 +126,10 @@ profile sdu flags=(attach_disconnected,mediate_deleted) {
     include <abstractions/base>
     include <abstractions/app/systemctl>
 
-    audit capability net_admin,
-
     owner @{run}/user/@{uid}/systemd/private rw,
 
+    deny capability net_admin,
+
     include if exists <usr/sdu_systemctl.d>
     include if exists <local/sdu_systemctl>
   }