feat(profile): improvement raised by unit tests.

apparmor.d/groups/ubuntu/apport

@@ -49,7 +49,17 @@ profile apport @{exec_path} flags=(attach_disconnected) {
   owner /var/cache/apt/pkgcache.bin.@{rand6} rw,
   owner /var/log/apport.log rw,
 
+  /{run,var}/log/journal/ r,
+  /{run,var}/log/journal/@{hex32}/ r,
+  /{run,var}/log/journal/@{hex32}/system.journal* r,
+  /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+  /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
+
   @{run}/apport.lock rwk,
+  @{run}/log/journal/ r,
 
         @{PROC}/@{pid}/cgroup r,
         @{PROC}/@{pid}/environ r,

apparmor.d/groups/utils/fstrim

@@ -26,6 +26,8 @@ profile fstrim @{exec_path} flags=(attach_disconnected) {
   /boot/efi/ r,
   /var/ r,
 
+  @{PROC}/@{pid}/mountinfo r,
+
   include if exists <local/fstrim>
 }
 

apparmor.d/groups/utils/uuidd

@@ -11,6 +11,8 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
 
+  capability dac_override,
+
   network inet dgram,
 
   @{exec_path} mr,
@@ -18,9 +20,11 @@ profile uuidd @{exec_path} flags=(attach_disconnected) {
   owner /var/lib/libuuid/clock.txt rwk,
   owner /var/lib/libuuid/clock-cont.txt rwk,
 
-  @{run}/uuidd/request rw,
   @{att}/@{run}/uuidd/request rw,
 
+  @{run}/uuidd/request rw,
+  @{run}/uuidd/uuidd.pid rwk,
+
   include if exists <local/uuidd>
 }
 

apparmor.d/groups/utils/zramctl

@@ -13,8 +13,10 @@ profile zramctl @{exec_path} {
 
   @{exec_path} mr,
 
+  @{sys}/devices/virtual/block/zram{int}/disksize w,
+  @{sys}/devices/virtual/block/zram{int}/reset w,
   @{sys}/devices/virtual/block/zram@{int}/ r,
-  @{sys}/devices/virtual/block/zram@{int}/comp_algorithm r,
+  @{sys}/devices/virtual/block/zram@{int}/comp_algorithm rw,
   @{sys}/devices/virtual/block/zram@{int}/disksize r,
   @{sys}/devices/virtual/block/zram@{int}/max_comp_streams r,
   @{sys}/devices/virtual/block/zram@{int}/mm_stat r,

apparmor.d/profiles-g-l/kdump-config

@@ -17,6 +17,7 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   @{sh_path}       rix,
+  @{bin}/{,e}grep   ix,
   @{bin}/basename   ix,
   @{bin}/cat        ix,
   @{bin}/cmp        ix,
@@ -25,13 +26,13 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
   @{bin}/file       ix,
   @{bin}/find       ix,
   @{bin}/flock      ix,
-  @{bin}/{,e}grep   ix,
   @{bin}/hexdump    ix,
   @{bin}/ln         ix,
   @{bin}/logger     ix,
   @{bin}/plymouth   Px,
   @{bin}/readlink   ix,
   @{bin}/rev        ix,
+  @{bin}/rm         ix,
   @{bin}/run-parts  ix,
   @{bin}/sed        ix,
   @{bin}/systemctl  Cx -> systemctl,
@@ -48,9 +49,15 @@ profile kdump-config @{exec_path} flags=(attach_disconnected) {
   / r,
   @{efi}/ r,
 
-        /var/crash/kdump_lock wk,
-        /var/crash/kexec_cmd w,
-  owner /var/lib/kdump/{,**} rw,
+  /var/crash/kdump_lock wk,
+  /var/crash/kexec_cmd w,
+  /var/lib/kdump/{,**} rw,
+
+  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
+  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
+  owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
+  owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
+  owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
 
   @{sys}/firmware/efi/efivars/ r,
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,

apparmor.d/profiles-g-l/kernel-postinst-kdump

@@ -12,15 +12,32 @@ profile kernel-postinst-kdump @{exec_path} {
 
   @{exec_path} mr,
 
+  @{sh_path}           r,
+  @{bin}/{,e}grep      rix,
+  @{bin}/{m,g,}awk     rix,
+  @{bin}/cp            rix,
   @{bin}/du            rix,
   @{bin}/find          rix,
-  @{bin}/{m,g,}awk     rix,
+  @{bin}/kmod          rCx -> kmod, 
+  @{bin}/ischroot      rPx,
+  @{bin}/linux-version rPx,
+  @{bin}/mkdir         rix,
+  @{bin}/mktemp        rix,
   @{bin}/mv            rix,
   @{bin}/rm            rix,
   @{bin}/sync          rix,
+  @{bin}/cut           rix,
   @{sbin}/mkinitramfs  rPx,
 
-  owner /var/lib/kdump/* w,
+  / r,
+
+  /etc/initramfs-tools/conf.d/{,**} r,
+  /etc/initramfs-tools/initramfs.conf r,
+
+  owner /var/lib/kdump/** rw,
+
+  owner /tmp/tmp.@{rand10}/ rw,
+  owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,
 
   owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6} rw,
   owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/ rw,
@@ -28,6 +45,13 @@ profile kernel-postinst-kdump @{exec_path} {
   owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
   owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
 
+  profile kmod {
+    include <abstractions/base>
+    include <abstractions/app/kmod>
+
+    include if exists <local/dkernel-postinst-kdump_kmod>
+  }
+
   include if exists <local/kernel-postinst-kdump>
 }
 

apparmor.d/profiles-m-r/initramfs-hooks

@@ -16,14 +16,15 @@ profile initramfs-hooks @{exec_path} {
 
   @{sh_path}                               rix,
   @{coreutils_path}                        rix,
+  @{bin}/fc-cache                           ix,
   @{bin}/ischroot                           Px,
   @{bin}/ldd                                Cx -> ldd,
   @{bin}/plymouth                           Px,
-  @{sbin}/update-alternatives               Px,
-  @{sbin}/blkid                             Px,
+  @{bin}/update-alternatives                Px,
   @{lib}/dracut/dracut-install              Px,
   @{lib}/initramfs-tools/bin/busybox        ix,
   @{lib}/klibc/bin/fstype                   ix,
+  @{sbin}/blkid                             Px,
   /usr/share/mdadm/mkconf                   Px,
 
   @{bin}/* mr,

apparmor.d/profiles-m-r/mdadm-mkconf

@@ -25,6 +25,7 @@ profile mdadm-mkconf @{exec_path} {
   / r,
 
   /var/tmp/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,
+  /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/etc/mdadm/mdadm.conf.tmp rw,
 
   include if exists <local/mdadm-mkconf>
 }

apparmor.d/profiles-m-r/mkinitramfs

@@ -47,13 +47,16 @@ profile mkinitramfs @{exec_path} {
   @{bin}/rmdir      rix,
   @{bin}/sed        rix,
   @{bin}/sort       rix,
+  @{bin}/stat       rix,
   @{bin}/touch      rix,
   @{bin}/tr         rix,
   @{bin}/tsort      rix,
+  @{bin}/uname      rix,
   @{bin}/uniq       rix,
   @{bin}/xargs      rix,
   @{bin}/xz         rix,
   @{bin}/zstd       rix,
+  @{sbin}/blkid     rPx,
   @{lib}/dracut/dracut-install rix,
 
   @{bin}/find                 rCx -> find,
@@ -87,6 +90,9 @@ profile mkinitramfs @{exec_path} {
   owner /boot/config-* r,
   owner /boot/initrd.img-*.new rw,
 
+  owner /var/lib/kdump/initramfs-tools/** rw,
+  owner /var/lib/kdump/initrd.* rw,
+
         /var/tmp/ r,
         /var/tmp/mkinitramfs_@{rand6}/** w,
         /var/tmp/modules_@{rand6} rw,
@@ -102,13 +108,17 @@ profile mkinitramfs @{exec_path} {
   owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** w,
   owner /tmp/tmp.@{rand10}/mkinitramfs-@{rand6} rw,
   owner /tmp/tmp.@{rand10}/mkinitramfs-*_@{rand6} rw,
+  owner /tmp/tmp.@{rand10}/modules_@{rand6} rw,
 
+  @{sys}/bus/ r,
+  @{sys}/bus/*/drivers/ r,
   @{sys}/devices/platform/ r,
   @{sys}/devices/platform/**/ r,
   @{sys}/devices/platform/**/modalias r,
   @{sys}/module/compression r,
   @{sys}/module/firmware_class/parameters/path r,
 
+        @{PROC}/@{pid}/mounts r,
         @{PROC}/cmdline r,
         @{PROC}/modules r,
   owner @{PROC}/@{pid}/fd/ r,
@@ -143,18 +153,8 @@ profile mkinitramfs @{exec_path} {
     @{sh_path}               rix,
     @{sbin}/ldconfig.real    rix,
 
-    owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf r,
-    owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.conf.d/{,*.conf} r,
-
-    owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/ r,
-    owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/ r,
-    owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/@{multiarch}/*.so* rw,
-    owner /var/tmp/mkinitramfs_@{rand6}/@{lib}/*.so* rw,
-
-    owner /var/tmp/mkinitramfs_@{rand6}/etc/ld.so.cache{,~} rw,
-
-    owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/ rw,
-    owner /var/tmp/mkinitramfs_@{rand6}/var/cache/ldconfig/aux-cache{,~} rw,
+    owner /var/tmp/mkinitramfs_@{rand6}/** rwl -> /var/tmp/mkinitramfs_@{rand6}/**,
+    owner /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/** rwl -> /tmp/tmp.@{rand10}/mkinitramfs_@{rand6}/**,
 
     include if exists <local/mkinitramfs_ldconfig>
   }

apparmor.d/profiles-m-r/needrestart

@@ -23,6 +23,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   @{sh_path}                               rix,
   @{bin}/dpkg-query                        rpx,
   @{bin}/fail2ban-server                   rPx,
+  @{bin}/stty                              rix, 
   @{bin}/systemctl                         rCx -> systemctl,
   @{bin}/systemd-detect-virt               rPx,
   @{bin}/udevadm                           rCx -> udevadm,

apparmor.d/profiles-s-z/tlp

@@ -71,6 +71,8 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/+platform:* r,
 
   @{sys}/bus/pci/devices/ r,
+  @{sys}/bus/pci/drivers/*/ r,
+  @{sys}/bus/platform/devices/ r,
   @{sys}/class/drm/ r,
   @{sys}/class/net/ r,
   @{sys}/class/power_supply/ r,
@@ -80,6 +82,7 @@ profile tlp @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/@{pci}/class r,
   @{sys}/devices/**/net/**/uevent r,
   @{sys}/devices/system/cpu/cpufreq/policy@{int}/energy_performance_preference rw,
+  @{sys}/devices/virtual/dmi/id/chassis_type r,
   @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/net/**/uevent r,
   @{sys}/firmware/acpi/platform_profile* rw,