feat: improve dbus integration for chsh, better handling of generic needrestart.

apparmor.d/profiles-a-f/chsh

@@ -10,18 +10,24 @@ include <tunables/global>
 @{exec_path} = @{bin}/chsh
 profile chsh @{exec_path} {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/authentication>
+  include <abstractions/bus-system>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
 
   capability audit_write,
   capability chown,
   capability fsetid,
+  capability net_admin,
   capability setuid,
 
   network netlink raw,
 
+  unix type=stream addr=@@{udbus}/bus/chsh/system,
+
+  #aa:dbus talk bus=system name=org.freedesktop.home1 label=systemd-homed
+
   @{exec_path} mr,
 
   /etc/shells r,

apparmor.d/profiles-m-r/needrestart

@@ -26,6 +26,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mrix,
 
+  @{bin}/*                                 r,
   @{sh_path}                               rix,
   @{bin}/dpkg-query                        rpx,
   @{bin}/fail2ban-server                   rPx,
@@ -42,8 +43,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   @{lib}/needrestart/*                     rPx,
   /usr/share/debconf/frontend              rix,
 
-  @{bin}/networkd-dispatcher r,
-  @{bin}/gettext.sh r,
   /usr/share/needrestart/{,**} r,
   /usr/share/unattended-upgrades/unattended-upgrade-shutdown r,
 

apparmor.d/profiles-s-z/snapd

@@ -93,6 +93,7 @@ profile snapd @{exec_path} {
   @{lib_dirs}/snapd/snap-update-ns   rPx,
 
   /usr/share/bash-completion/{,**} r,
+  /usr/share/dbus-1/{system,session}.d.d/snapd.{system,session}-services.conf* rw,
   /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
   /usr/share/dbus-1/services/*snap* r,
   /usr/share/polkit-1/actions/{,**/} r,