feat(full): add new systemd variable.

apparmor.d/groups/ssh/sshd

@@ -44,14 +44,16 @@ profile sshd @{exec_path} flags=(attach_disconnected) {
   # but will fall back to a non-privileged version if it fails.
   deny capability net_admin,
 
-  ptrace (read,trace) peer=unconfined,
-
   network inet  stream,
   network inet6 stream,
   network inet  dgram,
   network inet6 dgram,
   network netlink raw,
 
+  signal (receive) set=(hup) peer=@{systemd},
+
+  ptrace (read,trace) peer=@{systemd},
+
   dbus send bus=system path=/org/freedesktop/login[0-9]
     interface=org.freedesktop.login[0-9].Manager
     member={CreateSession,ReleaseSession}

apparmor.d/groups/systemd/systemd-update-done

@@ -12,7 +12,7 @@ profile systemd-update-done @{exec_path} {
 
   capability net_admin,
 
-  ptrace (read) peer=unconfined,
+  ptrace (read) peer=@{systemd},
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-userwork

@@ -14,6 +14,8 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
 
   capability sys_resource,
 
+  signal (send) peer=@{systemd},
+
   @{exec_path} mr,
 
   /etc/machine-id r,