General profiles update.

apparmor.d/groups/systemd/systemd-journald

@@ -51,11 +51,7 @@ profile systemd-journald @{exec_path} {
   @{run}/udev/data/+scsi:*      r,
   @{run}/udev/data/+bluetooth:* r,
   @{run}/udev/data/+usb-serial:* r,
-  @{run}/udev/data/+platform:intel_pmc_core.[0-9]* r,
-  @{run}/udev/data/+platform:iTCO_wdt r,
-  @{run}/udev/data/+platform:regulatory.[0-9]* r,
-  @{run}/udev/data/+platform:rtsx_pci_sdmmc.[0-9]* r,
-  @{run}/udev/data/+platform:simple-framebuffer.[0-9]* r,
+  @{run}/udev/data/+platform* r,
 
   @{sys}/devices/**/uevent r,
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

apparmor.d/groups/systemd/systemd-update-utmp

@@ -9,25 +9,17 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/systemd/systemd-update-utmp
 profile systemd-update-utmp @{exec_path} {
   include <abstractions/base>
+  include <abstractions/systemd-common>
+  include <abstractions/wutmp>
 
   capability audit_write,
   capability net_admin,
 
   network netlink raw,
 
-  ptrace (read) peer=unconfined,
-
   @{exec_path} mr,
 
-  owner /var/log/wtmp rwk,
-  owner @{run}/utmp rwk,
-
   @{run}/host/container-manager r,
 
-  @{PROC}/1/cmdline r,
-  @{PROC}/1/environ r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
-
   include if exists <local/systemd-update-utmp>
 }

apparmor.d/groups/systemd/systemd-user-runtime-dir

@@ -10,6 +10,7 @@ include <tunables/global>
 profile systemd-user-runtime-dir @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
+  include <abstractions/systemd-common>
 
   capability dac_override,
   capability dac_read_search,
@@ -17,8 +18,6 @@ profile systemd-user-runtime-dir @{exec_path} {
   capability net_admin,
   capability sys_admin,
 
-  ptrace (read) peer=unconfined,
-
   mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
   umount @{run}/user/@{uid}/,
 
@@ -28,9 +27,5 @@ profile systemd-user-runtime-dir @{exec_path} {
 
   @{run}/user/@{uid}/{,**} rw,
 
-  @{PROC}/1/environ r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
-
   include if exists <local/systemd-user-runtime-dir>
 }

apparmor.d/groups/systemd/systemd-user-sessions

@@ -9,11 +9,10 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/systemd/systemd-user-sessions
 profile systemd-user-sessions @{exec_path} {
   include <abstractions/base>
+  include <abstractions/systemd-common>
 
   capability net_admin,
 
-  ptrace (read) peer=unconfined,
-
   @{exec_path} mr,
 
   owner @{run}/.#nologin* rw,
@@ -22,10 +21,5 @@ profile systemd-user-sessions @{exec_path} {
 
   @{run}/host/container-manager r,
 
-  @{PROC}/1/cmdline r,
-  @{PROC}/1/environ r,
-  @{PROC}/cmdline r,
-  @{PROC}/sys/kernel/osrelease r,
-
   include if exists <local/systemd-user-sessions>
 }