Profiles update.

apparmor.d/groups/systemd/child-systemctl

@@ -13,7 +13,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 # Do not attach to /{usr/,}bin/systemctl by default
-profile child-systemctl {
+profile child-systemctl flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/wutmp>
@@ -38,5 +38,7 @@ profile child-systemctl {
 
   /dev/kmsg w,
 
+  deny /apparmor/.null rw,
+
   include if exists <local/child-systemctl>
 }

apparmor.d/groups/systemd/systemd-hwdb

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/systemd-hwdb
-profile systemd-hwdb @{exec_path} {
+profile systemd-hwdb @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   @{exec_path} mr,
@@ -19,5 +19,7 @@ profile systemd-hwdb @{exec_path} {
 
   owner @{PROC}/@{pid}/stat r,
 
+  deny /apparmor/.null rw,
+
   include if exists <local/systemd-hwdb>
 }

apparmor.d/groups/systemd/systemd-journald

@@ -13,16 +13,14 @@ profile systemd-journald @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/systemd-common>
 
-  capability syslog,
-  capability sys_ptrace,
+  capability audit_control,
   capability dac_read_search,
   capability kill,
-  capability sys_admin,
-  capability setuid,
   capability setgid,
-
-  # For audit logs
-  capability audit_control,
+  capability setuid,
+  capability sys_admin,
+  capability sys_ptrace,
+  capability syslog,
 
   network netlink raw,
 

apparmor.d/groups/systemd/systemd-sysusers

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/systemd-sysusers
-profile systemd-sysusers @{exec_path} {
+profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
 
   @{exec_path} mr,
@@ -37,5 +37,7 @@ profile systemd-sysusers @{exec_path} {
   owner @{PROC}/@{pid}/stat r,
         @{PROC}/sys/kernel/random/boot_id r,
 
+  deny /apparmor/.null rw,
+
   include if exists <local/systemd-sysusers>
 }

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -7,7 +7,7 @@ abi <abi/3.0>,
 include <tunables/global>
 
 @{exec_path} = /{usr/,}bin/systemd-tmpfiles
-profile systemd-tmpfiles @{exec_path} {
+profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/systemd-common>
   include <abstractions/nameservice-strict>
@@ -50,5 +50,7 @@ profile systemd-tmpfiles @{exec_path} {
 
   @{PROC}/@{pid}/net/unix r,
 
+  deny /apparmor/.null rw,
+
   include if exists <local/systemd-tmpfiles>
 }

apparmor.d/groups/systemd/systemd-udevd

@@ -97,5 +97,7 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected complain) {
   # file_inherit
   owner @{HOME}/.xsession-errors w,
 
+  deny /apparmor/.null rw,
+
   include if exists <local/systemd-udevd>
 }