feat(profile): general update.

apparmor.d/groups/_full/systemd

@@ -107,7 +107,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{bin}/mandb                      rPx -> systemd-service,
   @{bin}/savelog                    rPx -> systemd-service,
   @{coreutils_path}                 rPx -> systemd-service,
-  @{shells_path}                    rPx -> systemd-service,
+  @{sh_path}                        rPx -> systemd-service,
 
   @{bin}/**                         PUx,
   @{lib}/**                         PUx,
@@ -128,8 +128,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   /var/tmp/ r,
   @{lib}/ r,
 
-  /usr/share/** r,
-
   /etc/binfmt.d/{,**} r,
   /etc/conf.d/{,**} r,
   /etc/credstore.encrypted/{,**} r,
@@ -139,6 +137,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   /etc/machine-id r,
   /etc/modules-load.d/{,**} r,
   /etc/systemd/{,**} r,
+  /etc/udev/hwdb.d/{,**} r,
 
         /var/lib/systemd/{,**} rw,
   owner /var/tmp/systemd-private-*/{,**} rw,

apparmor.d/groups/_full/systemd-service

@@ -23,7 +23,7 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) {
   @{bin}/systemctl     rix,
   @{bin}/gzip          rix,
   @{coreutils_path}    rix,
-  @{shells_path}      rmix,
+  @{sh_path}          rmix,
 
   # shadow.service
   @{bin}/pwck          rPx,

apparmor.d/groups/_full/systemd-user

@@ -4,7 +4,7 @@
 
 # Profile for 'systemd --user', not PID 1 but the user manager for any UID.
 # It does not specify an attachment path because it is intended to be used only
-# via "AppArmorProfile=systemd-user" from a systemd unit file.
+# via "px -> systemd-user" exec transitions from the `systemd` profile.
 
 # Only use this profile with a fully configured system. Otherwise it **WILL**
 # break your computer. See https://apparmor.pujol.io/full-system-policy/.