feat(profile): general update.

apparmor.d/groups/virt/cockpit-bridge

@@ -23,6 +23,7 @@ profile cockpit-bridge @{exec_path} {
 
   signal (send) set=term peer=cockpit-pcp,
   signal (send) set=term peer=dbus-daemon,
+  signal (send) set=term peer=journalctl,
   signal (send) set=term peer=ssh-agent,
   signal (send) set=term peer=sudo,
   signal (send) set=term peer=unconfined,
@@ -36,9 +37,11 @@ profile cockpit-bridge @{exec_path} {
   /usr/share/cockpit/{,**} r,
 
   /etc/cockpit/{,**} r,
+  /etc/login.defs r,
   /etc/machine-id r,
   /etc/motd r,
   /etc/shadow r,
+  /etc/shells r,
 
   owner @{user_cache_dirs}/ssh-agent.[0-9A-Z]* rw,
 

apparmor.d/groups/virt/docker-proxy

@@ -11,10 +11,13 @@ profile docker-proxy @{exec_path} {
   include <abstractions/base>
 
   capability net_admin,
+  capability net_bind_service,
 
   network inet stream,
   network inet6 stream,
 
+  signal (receive) set=int peer=dockerd,
+
   @{exec_path} mr,
 
   @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,

apparmor.d/groups/virt/dockerd

@@ -47,6 +47,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   ptrace (read) peer=docker-*,
   ptrace (read) peer=unconfined,
 
+  signal (send) set=int peer=docker-proxy,
   signal (send) set=kill peer=docker-*,
   signal (send) set=term peer=containerd,
 

apparmor.d/groups/virt/virtinterfaced

@@ -14,6 +14,8 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
+  ptrace (read) peer=virtqemud,
+
   @{exec_path} mr,
 
   /{usr/,}lib/gconv/gconv-modules rm,
@@ -33,6 +35,8 @@ profile virtinterfaced @{exec_path} flags=(attach_disconnected) {
   @{sys}/class/ r,
   @{sys}/class/net/ r,
   @{sys}/devices/pci[0-9]*/**/net/{,**} r,
+  @{sys}/devices/system/node/ r,
+  @{sys}/devices/system/node/node[0-9]*/meminfo r,
   @{sys}/devices/virtual/net/{,**} r,
 
   owner @{PROC}/@{pids}/stat r,

apparmor.d/groups/virt/virtnodedevd

@@ -17,11 +17,13 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
+  ptrace (read) peer=virtqemud,
+
   @{exec_path} mr,
 
   /{usr/,}bin/mdevctl rPx,
 
-  /usr/share/hwdata/pnp.ids r,
+  /usr/share/hwdata/*.ids r,
 
   /etc/mdevctl.d/{,**} r,
 
@@ -46,7 +48,8 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
 
   @{run}/udev/data/c1:[0-9]* r,         # For RAM disk
   @{run}/udev/data/c10:[0-9]* r,        # For non-serial mice, misc features
-  @{run}/udev/data/c13:[0-9]* r,        # for /dev/input/*
+  @{run}/udev/data/c13:[0-9]* r,        # For /dev/input/*
+  @{run}/udev/data/c29:[0-9]* r,        # For /dev/fb[0-9]*
   @{run}/udev/data/c90:[0-9]* r,        # For RAM, ROM, Flash
   @{run}/udev/data/c116:[0-9]* r,       # For ALSA
   @{run}/udev/data/c226:[0-9]* r,       # For /dev/dri/card[0-9]*
@@ -68,7 +71,7 @@ profile virtnodedevd @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/pci[0-9]*/**/sriov_totalvfs r,
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node[0-9]*/meminfo r,
-  @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date} r,
+  @{sys}/devices/virtual/dmi/id/{product_name,sys_vendor,board_vendor,bios_vendor,bios_date,bios_version,product_version} r,
   @{sys}/devices/virtual/net/{,**} r,
   @{sys}/kernel/iommu_groups/ r,
   @{sys}/kernel/iommu_groups/[0-9]*/devices/ r,

apparmor.d/groups/virt/virtsecretd

@@ -14,13 +14,17 @@ profile virtsecretd @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
+  ptrace (read) peer=virtqemud,
+
   @{exec_path} mr,
 
+  owner @{user_config_dirs}/libvirt/secrets/ rw,
+  owner @{user_config_dirs}/libvirt/secrets/run/{,*} rwk,
+
         @{run}/systemd/inhibit/*.ref rw,
   owner @{run}/user/@{uid}/libvirt/common/system.token rwk,
   owner @{run}/user/@{uid}/libvirt/secrets/ rw,
-  owner @{run}/user/@{uid}/libvirt/secrets/run rw,
-  owner @{run}/user/@{uid}/libvirt/secrets/run/* rwk,
+  owner @{run}/user/@{uid}/libvirt/secrets/run/{,*} rwk,
   owner @{run}/user/@{uid}/libvirt/virtsecretd* rwk,
 
   @{run}/utmp rk,