From 4dba131fb38418b898a02aaec92e977fe7a0a4c7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 17 Aug 2025 17:16:24 +0200
Subject: [PATCH] feat(profile): parser: move sysctl to its own subprofile.

---
 apparmor.d/groups/apparmor/apparmor.systemd | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/apparmor.d/groups/apparmor/apparmor.systemd b/apparmor.d/groups/apparmor/apparmor.systemd
index cb862ff48..f58512a02 100644
--- a/apparmor.d/groups/apparmor/apparmor.systemd
+++ b/apparmor.d/groups/apparmor/apparmor.systemd
@@ -26,7 +26,7 @@ profile apparmor.systemd @{exec_path} {
   @{bin}/sed                  rix,
   @{bin}/cat                  rix,
   @{bin}/sort                 rix,
-  @{sbin}/sysctl              rix,
+  @{sbin}/sysctl              rCx -> sysctl,
   @{bin}/systemd-detect-virt  rPx,
   @{bin}/xargs                rix,
 
@@ -43,10 +43,19 @@ profile apparmor.systemd @{exec_path} {
   @{PROC}/@{pids}/maps r,
   @{PROC}/@{pids}/mounts r,
   @{PROC}/mounts r,
-  @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
 
   /dev/tty rw,
 
+  profile sysctl {
+    include <abstractions/base>
+
+    @{sbin}/sysctl mr,
+
+    @{PROC}/sys/kernel/apparmor_restrict_unprivileged_userns r,
+
+    include if exists <local/apparmor.systemd_sysctl>
+  }
+
   include if exists <local/apparmor.systemd>
 }