From 379a093b10f93e69a03e5524b89278cb17334aff Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 13 Apr 2025 18:34:59 +0200
Subject: [PATCH] feat(fsp): small improvment to systemd profiles.

---
 apparmor.d/groups/_full/systemd | 8 +++-----
 apparmor.d/groups/_full/systemd-user | 1 +
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index d055135bd..d3a193244 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -79,8 +79,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   mount fstype=tmpfs options=(rw nosuid nodev noexec) tmpfs -> /dev/shm/,
   mount fstype=tmpfs options=(rw nosuid noexec strictatime) tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
   mount fstype=tracefs options=(rw nodev noexec nosuid) tracefs -> @{sys}/kernel/tracing/,
-  mount fstype=vfat -> /boot/efi/,
+  mount /dev/** -> /boot/{,efi/},
   mount options=(rw bind) /dev/** -> /tmp/namespace-dev-@{rand6}/**,
   mount options=(rw bind) /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
   mount options=(rw bind) @{run}/systemd/propagate/*/ -> @{run}/systemd/mount-rootfs/@{run}/systemd/incoming/,
@@ -108,7 +108,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   remount @{run}/systemd/unit-root/{,**},
   remount /,
   remount /snap/{,**},
-  remount options=(ro bind) /boot/efi/,
+  remount options=(ro bind) /boot/{,efi/},
   remount options=(ro noexec noatime bind) /var/snap/{,**},
   remount options=(ro nosuid bind) /dev/,
   remount options=(ro nosuid nodev bind) /dev/hugepages/,
@@ -221,12 +221,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{att}/@{run}/systemd/journal/dev-log r,
   @{run}/ rw,
-  @{run}/*.socket w,
+  @{run}/* rw,
   @{run}/*/ rw,
   @{run}/*/* rw,
-  @{run}/auditd.pid r,
   @{run}/credentials/{,**} rw,
-  @{run}/initctl rw,
   @{run}/systemd/{,**} rw,
   @{run}/udev/data/+bluetooth:* r,
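Review bot: The replacement `mount /dev/** -> /boot/{,efi/},` in the first hunk drops the `fstype=vfat` constraint the old rule carried and adds no `options=` restriction, so the profile now permits any filesystem type from any node under /dev to be mounted on /boot or /boot/efi; the second hunk's `remount options=(ro bind) /boot/{,efi/},` extends the same path widening to the read-only remount. If the goal is to cover a non-vfat /boot alongside the vfat ESP, keeping the type constraint explicit would preserve the old rule's intent, e.g. `mount fstype=(vfat,ext4) /dev/** -> /boot/{,efi/},` with the list adjusted to the filesystem types the profile is meant to support, or at least a comment above the rule recording why an unrestricted type is required. The enclosing `profile systemd` block starts and ends outside the hunk.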
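Review bot: `@{run}/* rw,` in the third hunk is a widening rather than a consolidation: the three rules it replaces covered write on `@{run}/*.socket`, read on `@{run}/auditd.pid` and read-write on `@{run}/initctl`, whereas the new rule grants read and write on every regular file directly under @{run}, including pid, lock and socket files owned by other services. It is in line with the `@{run}/*/* rw,` rule already present one level down, so the broad grant is presumably intentional, but that reasoning is not recorded anywhere in the hunk. A one-line comment above the rule, such as `# PID 1 creates and manages most top-level files under @{run}` if that is the rationale, would stop a later reviewer from re-narrowing it. The enclosing profile block starts and ends outside the hunk.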
diff --git a/apparmor.d/groups/_full/systemd-user b/apparmor.d/groups/_full/systemd-user
index e3ae3acb4..b0b3272a1 100644
--- a/apparmor.d/groups/_full/systemd-user
+++ b/apparmor.d/groups/_full/systemd-user
@@ -146,6 +146,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   deny capability net_admin,
   deny capability perfmon,
   deny capability sys_admin,
+  deny capability sys_boot,
   deny capability sys_resource,
   profile systemctl {
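Review bot: The added `deny capability sys_boot,` is an explicit deny rule, and in AppArmor an explicit `deny` is quiet by default, so an attempt by a user instance to use reboot(2) or kexec will be refused without appearing in the audit log; that matches the neighbouring deny lines, but it means the rule removes visibility as well as permission. If the project wants such attempts to be observable, `audit deny capability sys_boot,` keeps the refusal while logging it; otherwise a short comment above the block stating that these capabilities are denied quietly on purpose would document the choice. The enclosing `profile systemd-user` block, and the nested `profile systemctl` that begins on the last context line, both continue outside the hunk.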