feat(profiles): general update.

apparmor.d/groups/apt/command-not-found

@@ -29,6 +29,8 @@ profile command-not-found @{exec_path} {
 
   owner @{PROC}/@{pid}/fd/ r,
 
+  /dev/tty[0-9]* rw,
+
   # Silencer
   deny /usr/lib/ r,
 

apparmor.d/groups/network/networkd-dispatcher

@@ -14,7 +14,7 @@ profile networkd-dispatcher @{exec_path} {
   include <abstractions/python>
   include <abstractions/openssl>
 
-  dbus receive bus=system path=/org/freedesktop/network1/link/*
+  dbus receive bus=system path=/org/freedesktop/network1{,/link/*}
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged
        peer=(name=:*),

apparmor.d/groups/systemd/systemd-journald

@@ -51,6 +51,7 @@ profile systemd-journald @{exec_path} {
   @{run}/udev/data/c4:[0-9]* r,       # For TTY devices
   @{run}/udev/data/c10:[0-9]*   r,    # For non-serial mice, misc features
   @{run}/udev/data/c18[8-9]:[0-9]* r, # USB devices & USB serial converters
+  @{run}/udev/data/c29:[0-9]* r,      # For CD-ROM
   @{run}/udev/data/c23[4-9]:[0-9]* r, # For dynamic assignment range 234 to 254
   @{run}/udev/data/c24[0-9]:[0-9]* r,
   @{run}/udev/data/c25[0-4]:[0-9]* r,

apparmor.d/groups/systemd/systemd-networkd

@@ -30,7 +30,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
        member=RequestName
        peer=(name=org.freedesktop.DBus),
 
-  dbus send bus=system path=/org/freedesktop/hostname[0-9]
+  dbus send bus=system path=/org/freedesktop/hostname1
        interface=org.freedesktop.hostname1
        member=SetHostname
        peer=(name=org.freedesktop.hostname1),
@@ -39,7 +39,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
        interface=org.freedesktop.DBus.Properties
        member=Get,
 
-  dbus send bus=system path=/org/freedesktop/network[0-9]/link/*
+  dbus send bus=system path=/org/freedesktop/network1{,/link/*}
        interface=org.freedesktop.DBus.Properties
        member=PropertiesChanged 
        peer=(name=org.freedesktop.DBus),
@@ -63,10 +63,9 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
         @{run}/systemd/notify rw,
   owner @{run}/systemd/netif/.#state rw,
   owner @{run}/systemd/netif/.#state* rw,
-  owner @{run}/systemd/netif/leases/.#* rw,
-  owner @{run}/systemd/netif/leases/[0-9]* rw,
-  owner @{run}/systemd/netif/links/.#* rw,
-  owner @{run}/systemd/netif/links/[0-9]* rw,
+  owner @{run}/systemd/netif/leases/{,*} rw,
+  owner @{run}/systemd/netif/links/{,*} rw,
+  owner @{run}/systemd/netif/lldp/ rw,
   owner @{run}/systemd/netif/state rw,
 
   @{run}/udev/data/n[0-9]* r,

apparmor.d/groups/systemd/systemd-remount-fs

@@ -9,14 +9,25 @@ include <tunables/global>
 @{exec_path} = /{usr/,}lib/systemd/systemd-remount-fs
 profile systemd-remount-fs @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
   include <abstractions/systemd-common>
 
+  capability net_admin,
+  capability sys_admin,
+  capability sys_resource,
+
+  mount options=(rw, remount) -> /,
+  mount options=(rw, remount) -> /proc/,
+
   @{exec_path} mr,
 
+  /{usr/,}bin/mount rix,
+
   /etc/fstab r,
 
   @{run}/host/container-manager r,
 
+  @{PROC}/ r,
   @{PROC}/1/cmdline r,
 
   include if exists <local/systemd-remount-fs>

apparmor.d/groups/systemd/systemd-sysctl

@@ -15,6 +15,7 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
   capability net_admin,
   capability sys_admin,
   capability sys_ptrace,
+  capability sys_rawio,
   # capability sys_resource,
 
   @{exec_path} mr,

apparmor.d/groups/systemd/systemd-sysusers

@@ -11,6 +11,10 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/systemd-common>
 
+  capability chown,
+  capability fsetid,
+  capability net_admin,
+
   @{exec_path} mr,
 
   # Config file locations

apparmor.d/groups/ubuntu/release-upgrade-motd

@@ -22,5 +22,7 @@ profile release-upgrade-motd @{exec_path} {
 
   /var/lib/ubuntu-release-upgrader/release-upgrade-available rw,
 
+  /dev/tty[0-9]* rw,
+
   include if exists <local/release-upgrade-motd>
 }

apparmor.d/groups/ubuntu/update-motd-fsck-at-reboot

@@ -27,6 +27,8 @@ profile update-motd-fsck-at-reboot @{exec_path} {
 
   @{PROC}/uptime r,
 
+  /dev/tty[0-9]* rw,
+
   profile mount {
     include <abstractions/base>
 
@@ -41,6 +43,8 @@ profile update-motd-fsck-at-reboot @{exec_path} {
 
     @{PROC}/@{pid}/mountinfo r,
 
+    /dev/tty[0-9]* rw,
+
   }
 
   include if exists <local/update-motd-fsck-at-reboot>

apparmor.d/groups/ubuntu/update-motd-updates-available

@@ -39,6 +39,7 @@ profile update-motd-updates-available @{exec_path} {
   /etc/machine-id r,
 
   /var/lib/update-notifier/{,*} rw,
+  /var/lib/ubuntu-advantage/apt-esm/var/cache/apt/pkgcache.bin* rw,
 
   /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,