fix(profile): various fixes from issue raised by the CI.

apparmor.d/groups/apt/dpkg-script-systemd

@@ -11,6 +11,8 @@ profile dpkg-script-systemd @{exec_path} {
   include <abstractions/base>
   include <abstractions/common/debconf>
 
+  capability dac_read_search,
+
   @{exec_path} mrix,
 
   @{coreutils_path}               rix,
@@ -21,7 +23,7 @@ profile dpkg-script-systemd @{exec_path} {
   @{bin}/dpkg-divert               Px,
   @{bin}/dpkg-maintscript-helper   Px,
   @{bin}/journalctl                Px,
-  @{bin}/kernel-install            Px,
+  @{bin}/kernel-install          mrPx,
   @{bin}/systemctl                 Cx -> systemctl,
   @{bin}/systemd-machine-id-setup  Px,
   @{bin}/systemd-sysusers          Px,
@@ -35,11 +37,14 @@ profile dpkg-script-systemd @{exec_path} {
   /etc/pam.d/sed@{rand6} rw,
   /etc/pam.d/common-password  rw,
 
+  @{efi}/ r,
+
   /var/lib/systemd/{,*} rw,
   /var/log/journal/ rw,
 
   profile dpkg {
     include <abstractions/base>
+    include <abstractions/consoles>
     include <abstractions/common/apt>
 
     capability dac_read_search,

apparmor.d/groups/systemd/bootctl

@@ -16,6 +16,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   capability linux_immutable,
   capability mknod,
   capability net_admin,
+  capability sys_rawio,
   capability sys_resource,
 
   signal send peer=child-pager,

apparmor.d/groups/systemd/localectl

@@ -17,6 +17,10 @@ profile localectl @{exec_path} {
   signal send set=cont peer=child-pager,
 
   #aa:dbus talk bus=system name=org.freedesktop.locale1 label="@{p_systemd_localed}"
+  dbus send bus=system path=/org/freedesktop/locale1
+       interface=org.freedesktop.DBus.Properties
+       member=GetAll
+       peer=(name=org.freedesktop.locale1),
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-localed

@@ -17,6 +17,10 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system,
 
   #aa:dbus own bus=system name=org.freedesktop.locale1
+  dbus send bus=system path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member=Reload
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-userdbd

@@ -33,6 +33,7 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected,mediate_deleted)
   @{att}/@{run}/systemd/notify w,
   @{att}/@{run}/systemd/userdb/io.systemd.DynamicUser rw,
   @{att}/@{run}/systemd/userdb/io.systemd.Home rw,
+  @{att}/@{run}/systemd/userdb/io.systemd.Machine rw,
 
   @{run}/systemd/userdb/{,**} rw,
 

apparmor.d/groups/virt/dockerd

@@ -73,6 +73,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   @{bin}/kmod                    rCx -> kmod,
   @{bin}/ps                      rPx,
   @{sbin}/runc                   rUx,
+  @{bin}/runc                    rUx, #aa:lint ignore
   @{bin}/unpigz                  rix,
   @{sbin}/xtables-nft-multi      rCx -> nft,
   @{sbin}/xtables-legacy-multi   rCx -> nft,

apparmor.d/profiles-g-l/kernel-install

@@ -14,6 +14,7 @@ profile kernel-install @{exec_path} {
   include <abstractions/disks-read>
   include <abstractions/nameservice-strict>
 
+  capability sys_rawio,
   capability sys_resource,
 
   ptrace read peer=@{p_systemd},