fix(profile): various fixes.

apparmor.d/groups/network/netplan.script

@@ -16,6 +16,7 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 
   @{lib}/netplan/generate  rPx,
   @{bin}/udevadm           rCx -> udevadm,
+  @{bin}/systemctl         rCx -> systemctl,
 
   /usr/share/netplan/{,**} r,
 
@@ -35,6 +36,13 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
     include if exists <local/netplan.script_udevadm>
   }
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    include if exists <local/netplan.script_systemctl>
+  }
+
   include if exists <local/netplan.script>
 }
 

apparmor.d/groups/network/networkd-dispatcher

@@ -21,7 +21,7 @@ profile networkd-dispatcher @{exec_path} {
   @{exec_path} mr,
 
   @{bin}/ r,
-  @{bin}/chronyc     rPx,
+  @{bin}/chronyc    rPUx,
   @{bin}/ls          rix,
   @{bin}/networkctl  rPx,
   @{bin}/sed         rix,

apparmor.d/groups/snap/snapd

@@ -110,6 +110,11 @@ profile snapd @{exec_path} {
   /etc/modprobe.d/{,**/} r,
   /etc/modules-load.d/{,**/} r,
   /etc/modules-load.d/*snap* rw,
+  /etc/systemd/system/{,**/} r,
+  /etc/systemd/system/snap* rw,
+  /etc/systemd/user/{,**/} rw,
+  /etc/systemd/user/**/*snap* rw,
+  /etc/systemd/user/*snap* rw,
   /etc/udev/rules.d/{,*snap*} rw,
 
   /snap/{,**} rw,
@@ -180,6 +185,7 @@ profile snapd @{exec_path} {
     include <abstractions/app/systemctl>
 
     capability net_admin,
+    capability sys_resource,
 
     /etc/systemd/system/{,**/} r,
     /etc/systemd/system/snap* rw,