fix(profile): multiple minor fixes.

fix #493 #480

apparmor.d/groups/children/child-pager

@@ -37,6 +37,8 @@ profile child-pager {
   owner @{user_state_dirs}/ r,
   owner @{user_state_dirs}/lesshs* rw,
 
+  /dev/tty@{int} rw,
+
   include if exists <local/child-pager>
 }
 

apparmor.d/groups/pacman/archlinux-keyring-wkd-sync

@@ -30,7 +30,7 @@ profile archlinux-keyring-wkd-sync @{exec_path} {
   /etc/pacman.conf r,
   /etc/pacman.d/*-mirrorlist r,
   /etc/pacman.d/gnupg/ rw,
-  /etc/pacman.d/gnupg/** rwk -> /etc/pacman.d/gnupg/**,
+  /etc/pacman.d/gnupg/** rwlk -> /etc/pacman.d/gnupg/**,
   /etc/pacman.d/mirrorlist r,
 
   owner @{PROC}/@{pid}/fd/ r,

apparmor.d/groups/systemd/systemd-generator-user-environment

@@ -12,6 +12,8 @@ profile systemd-generator-user-environment @{exec_path} {
   include <abstractions/common/systemd>
   include <abstractions/nameservice-strict>
 
+  capability net_admin,
+
   @{exec_path} mr,
 
   @{sh_path}         rix,

apparmor.d/groups/systemd/systemd-journald

@@ -49,6 +49,7 @@ profile systemd-journald @{exec_path} {
   @{run}/udev/data/+acpi:*      r,
   @{run}/udev/data/+bluetooth:* r,
   @{run}/udev/data/+hid:* r,              # for HID-Compliant Keyboard
+  @{run}/udev/data/+ieee80211:* r,
   @{run}/udev/data/+input:input@{int} r,  # for mouse, keyboard, touchpad
   @{run}/udev/data/+mdio_bus:* r,
   @{run}/udev/data/+pci:*       r,

apparmor.d/profiles-a-f/auditd

@@ -31,6 +31,7 @@ profile auditd @{exec_path} flags=(attach_disconnected) {
   owner @{run}/auditd.pid rwl,
   owner @{run}/auditd.state rw,
 
+        @{PROC}/@{pid}/ r,
   owner @{PROC}/@{pid}/attr/current r,
   owner @{PROC}/@{pid}/loginuid r,
   owner @{PROC}/@{pid}/oom_score_adj rw,

apparmor.d/profiles-g-l/login

@@ -54,13 +54,15 @@ profile login @{exec_path} flags=(attach_disconnected) {
   /etc/security/pam_env.conf r,
   /etc/shells r,
 
+  /var/lib/faillock/@{user} rwk,
   /var/log/btmp{,.@{int}} r,
 
   owner @{user_cache_dirs}/motd.legal-displayed rw,
 
-  @{run}/motd.d/{,*} r,
+  @{run}/credentials/getty@tty@{int}.service/ r,
   @{run}/dbus/system_bus_socket rw,
   @{run}/faillock/@{user} rwk,
+  @{run}/motd.d/{,*} r,
   @{run}/motd.dynamic{,.new} rw,
   @{run}/systemd/sessions/*.ref rw,
 

apparmor.d/profiles-m-r/nft

@@ -20,6 +20,8 @@ profile nft @{exec_path} {
 
   @{exec_path} mr,
 
+  /usr/share/iproute2/{,**} r,
+
   /etc/iproute2/** r,
   /etc/nftables.conf r,
   /etc/nftables/{,**} r,

apparmor.d/profiles-m-r/pidof

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/pidof
 profile pidof @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   capability sys_ptrace,
 

apparmor.d/profiles-m-r/resolvconf

@@ -22,6 +22,7 @@ profile resolvconf @{exec_path} {
   @{bin}/rm          rix,
   @{bin}/run-parts   rix,
   @{bin}/sed         rix,
+  @{bin}/systemctl   rCx -> systemctl,
   @{lib}/resolvconf/list-records rix,
 
   /usr/lib/resolvconf/{,**} r,
@@ -35,6 +36,16 @@ profile resolvconf @{exec_path} {
 
   /dev/tty rw,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    include if exists <local/resolvconf_systemctl>
+  }
+  
   include if exists <local/resolvconf>
 }