From 1dace30af3b9807876b285124bb6b2dd501c2d3b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Mon, 21 Jul 2025 22:17:03 +0200
Subject: [PATCH] fix(profile): various fixes from issue raised by the CI.

---
 apparmor.d/groups/apt/dpkg-script-systemd | 7 ++++++-
 apparmor.d/groups/systemd/bootctl         | 1 +
 apparmor.d/groups/systemd/localectl       | 4 ++++
 apparmor.d/groups/systemd/systemd-localed | 4 ++++
 apparmor.d/groups/systemd/systemd-userdbd | 1 +
 apparmor.d/groups/virt/dockerd            | 1 +
 apparmor.d/profiles-g-l/kernel-install    | 1 +
 7 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd
index 722e72c53..6c76e6f70 100644
--- a/apparmor.d/groups/apt/dpkg-script-systemd
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
@@ -11,6 +11,8 @@ profile dpkg-script-systemd @{exec_path} {
   include <abstractions/base>
   include <abstractions/common/debconf>
 
+  capability dac_read_search,
+
   @{exec_path} mrix,
 
   @{coreutils_path}               rix,
@@ -21,7 +23,7 @@ profile dpkg-script-systemd @{exec_path} {
   @{bin}/dpkg-divert               Px,
   @{bin}/dpkg-maintscript-helper   Px,
   @{bin}/journalctl                Px,
-  @{bin}/kernel-install            Px,
+  @{bin}/kernel-install          mrPx,
   @{bin}/systemctl                 Cx -> systemctl,
   @{bin}/systemd-machine-id-setup  Px,
   @{bin}/systemd-sysusers          Px,
@@ -35,11 +37,14 @@ profile dpkg-script-systemd @{exec_path} {
   /etc/pam.d/sed@{rand6} rw,
   /etc/pam.d/common-password  rw,
 
+  @{efi}/ r,
+
   /var/lib/systemd/{,*} rw,
   /var/log/journal/ rw,
 
   profile dpkg {
     include <abstractions/base>
+    include <abstractions/consoles>
     include <abstractions/common/apt>
 
     capability dac_read_search,
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index 47e8737fe..70a91197f 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -16,6 +16,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   capability linux_immutable,
   capability mknod,
   capability net_admin,
+  capability sys_rawio,
   capability sys_resource,
 
   signal send peer=child-pager,
diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl
index f9a3625ef..0d46dbfed 100644
--- a/apparmor.d/groups/systemd/localectl
+++ b/apparmor.d/groups/systemd/localectl
@@ -17,6 +17,10 @@ profile localectl @{exec_path} {
   signal send set=cont peer=child-pager,
 
   #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
+  dbus send bus=system path=/org/freedesktop/locale1
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.locale1),
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index c15eaf5b2..e98bef009 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -17,6 +17,10 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system,
 
   #aa:dbus own bus=system name=org.freedesktop.locale1
+  dbus send bus=system path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=Reload
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/systemd-userdbd b/apparmor.d/groups/systemd/systemd-userdbd
index 20e940b1d..f9fad3693 100644
--- a/apparmor.d/groups/systemd/systemd-userdbd
+++ b/apparmor.d/groups/systemd/systemd-userdbd
@@ -33,6 +33,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
   @{att}/@{run}/systemd/notify w,
   @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
   @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Machine rw,
 
   @{run}/systemd/userdb/{,**} rw,
 
diff --git a/apparmor.d/groups/virt/dockerd b/apparmor.d/groups/virt/dockerd
index abd6c90ec..c21fa2788 100644
--- a/apparmor.d/groups/virt/dockerd
+++ b/apparmor.d/groups/virt/dockerd
@@ -73,6 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   @{bin}/kmod                    rCx -> kmod,
   @{bin}/ps                      rPx,
   @{sbin}/runc                   rUx,
+  @{bin}/runc                    rUx, #aa:lint ignore
   @{bin}/unpigz                  rix,
   @{sbin}/xtables-nft-multi      rCx -> nft,
   @{sbin}/xtables-legacy-multi   rCx -> nft,
diff --git a/apparmor.d/profiles-g-l/kernel-install b/apparmor.d/profiles-g-l/kernel-install
index 96d097417..be5d877a9 100644
--- a/apparmor.d/profiles-g-l/kernel-install
+++ b/apparmor.d/profiles-g-l/kernel-install
@@ -14,6 +14,7 @@ profile kernel-install @{exec_path} {
   include <abstractions/disks-read>
   include <abstractions/nameservice-strict>
 
+  capability sys_rawio,
   capability sys_resource,
 
   ptrace read peer=@{p_systemd},