From 5e6af165806ba1e568ca826b02edd33fa589b73f Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 18 May 2024 13:09:25 +0100
Subject: [PATCH] feat(profile): small improvment on systemd profiles.

---
 apparmor.d/groups/systemd/systemd-localed          | 3 ---
 apparmor.d/groups/systemd/systemd-machine-id-setup | 6 +++---
 apparmor.d/groups/systemd/systemd-mount            | 3 +--
 apparmor.d/groups/systemd/systemd-oomd             | 4 ++--
 apparmor.d/groups/systemd/systemd-sleep-grub2      | 3 +--
 5 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index be99033cb..83f9dedba 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -14,9 +14,6 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/common/systemd>
 
-  # Needed?
-  audit capability net_admin,
-
   unix (bind) type=stream addr=@@{hex16}/bus/systemd-localed/system,
 
   #aa:dbus own bus=system name=org.freedesktop.locale1
diff --git a/apparmor.d/groups/systemd/systemd-machine-id-setup b/apparmor.d/groups/systemd/systemd-machine-id-setup
index c7347dcdd..565f281f8 100644
--- a/apparmor.d/groups/systemd/systemd-machine-id-setup
+++ b/apparmor.d/groups/systemd/systemd-machine-id-setup
@@ -19,21 +19,21 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
 
   ptrace (read),
 
-  mount flags=(rw rslave) -> /,
+  mount options=(rw rslave) -> /,
   umount /etc/machine-id,
 
   @{exec_path} mr,
 
   / r,
-  /etc/machine-id rw,
   /etc/ r,
+  /etc/machine-id rw,
   /var/ r,
 
         @{PROC}/1/environ r,
         @{PROC}/cmdline r,
         @{PROC}/sys/kernel/osrelease r,
-  owner @{PROC}/@{pid}/stat r,
   owner @{PROC}/@{pid}/setgroups r,
+  owner @{PROC}/@{pid}/stat r,
 
   include if exists <local/systemd-machine-id-setup>
 }
diff --git a/apparmor.d/groups/systemd/systemd-mount b/apparmor.d/groups/systemd/systemd-mount
index d210b260b..75ee93546 100644
--- a/apparmor.d/groups/systemd/systemd-mount
+++ b/apparmor.d/groups/systemd/systemd-mount
@@ -6,8 +6,7 @@ abi <abi/3.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/systemd-mount
-@{exec_path} += @{bin}/systemd-umount
+@{exec_path} = @{bin}/systemd-mount @{bin}/systemd-umount
 profile systemd-mount @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>
diff --git a/apparmor.d/groups/systemd/systemd-oomd b/apparmor.d/groups/systemd/systemd-oomd
index bbbfd1a1a..2ad2a82d7 100644
--- a/apparmor.d/groups/systemd/systemd-oomd
+++ b/apparmor.d/groups/systemd/systemd-oomd
@@ -24,8 +24,8 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
   /etc/systemd/oomd.conf r,
   /etc/systemd/oomd.conf.d/{,**} r,
 
-          @{run}/systemd/io.system.ManagedOOM rw,
-          @{run}/systemd/io.systemd.ManagedOOM rw,
+        @{run}/systemd/io.system.ManagedOOM rw,
+        @{run}/systemd/io.systemd.ManagedOOM rw,
         @{run}/systemd/notify rw,
   owner @{run}/systemd/journal/socket w,
 
diff --git a/apparmor.d/groups/systemd/systemd-sleep-grub2 b/apparmor.d/groups/systemd/systemd-sleep-grub2
index 0749c9397..031bfe426 100644
--- a/apparmor.d/groups/systemd/systemd-sleep-grub2
+++ b/apparmor.d/groups/systemd/systemd-sleep-grub2
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{lib}/systemd/system-sleep/grub2.sleep
 profile systemd-sleep-grub @{exec_path} {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
@@ -18,8 +19,6 @@ profile systemd-sleep-grub @{exec_path} {
 
   /etc/sysconfig/bootloader r,
 
-  /var/lib/nscd/passwd r,
-
   @{PROC}/@{pid}/maps r,
 
   /dev/tty rw,