feat(profile): improve some core profiles.

apparmor.d/profiles-a-f/cgrulesengd

@@ -12,19 +12,9 @@ profile cgrulesengd @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
 
-  # For creating Unix domain sockets/IPC sockets:
-  #  socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3
-  #  ...
-  #  bind(3, {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation
-  #   not permitted)
-  capability net_admin,
-
-  # To remove the following errors:
-  #  readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied)
-  capability sys_ptrace,
-
-  # To be able to read the /proc/ files of all processes in the system.
   capability dac_read_search,
+  capability net_admin,
+  capability sys_ptrace,
 
   network netlink dgram,
 
@@ -32,22 +22,22 @@ profile cgrulesengd @{exec_path} {
 
   @{exec_path} mr,
 
-  @{sys}/fs/cgroup/**/tasks w,
+
+  /etc/cgconfig.conf r,
+  /etc/cgconfig.d/{,*} r,
+
+  /etc/cgrules.conf r,
+  /etc/cgrules.d/{,*} r,
+
+  owner @{run}/cgred.socket w,
+
+  @{sys}/fs/cgroup/** rw,
 
         @{PROC}/ r,
         @{PROC}/@{pids}/cmdline r,
         @{PROC}/@{pids}/task/ r,
-  owner @{PROC}/@{pid}/mounts r,
         @{PROC}/cgroups r,
-
-  @{sys}/fs/cgroup/unified/cgroup.controllers r,
-
-  owner @{run}/cgred.socket w,
-
-  /etc/cgconfig.conf r,
-  /etc/cgrules.conf r,
-  /etc/cgconfig.d/ r,
-
+  owner @{PROC}/@{pid}/mounts r,
 
   include if exists <local/cgrulesengd>
 }

apparmor.d/profiles-a-f/chsh

@@ -26,11 +26,13 @@ profile chsh @{exec_path} {
 
   /etc/shells r,
 
+  /etc/.chsh.@{rand6} rw,
   /etc/passwd rw,
   /etc/passwd- w,
-  /etc/passwd+ rw,
   /etc/passwd.@{pid} w,
   /etc/passwd.lock wl -> /etc/passwd.@{pid},
+  /etc/passwd.OLD wl -> /etc/passwd,
+  /etc/passwd+ rw,
 
   /etc/shadow r,