From 74dcf2defc35609514354e8e99848874bc9de86d Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 4 May 2025 20:31:10 +0200
Subject: [PATCH] feat(profile): systemd: improve some ctl tools.

---
 apparmor.d/groups/systemd/bootctl     |  2 ++
 apparmor.d/groups/systemd/busctl      | 13 +++++++++++++
 apparmor.d/groups/systemd/coredumpctl |  3 ++-
 apparmor.d/groups/systemd/localectl   |  7 +++++++
 apparmor.d/groups/systemd/loginctl    | 18 +++++++++++++++++-
 apparmor.d/groups/systemd/resolvectl  |  2 ++
 6 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index 28c2851fa..12fcceaea 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -15,6 +15,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
 
   capability mknod,
   capability net_admin,
+  capability sys_resource,
 
   signal (send) peer=child-pager,
 
@@ -36,6 +37,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
   /{boot,efi}/loader/entries.srel w,
   /{boot,efi}/loader/random-seed w,
 
+  /etc/kernel/entry-token r,
   /etc/machine-id r,
   /etc/machine-info r,
 
diff --git a/apparmor.d/groups/systemd/busctl b/apparmor.d/groups/systemd/busctl
index 8b32b348f..c31b28836 100644
--- a/apparmor.d/groups/systemd/busctl
+++ b/apparmor.d/groups/systemd/busctl
@@ -34,6 +34,19 @@ profile busctl @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.Monitoring
        member=BecomeMonitor
        peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+  dbus send bus=system path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={GetConnectionCredentials,ListNames,ListActivatableNames}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus.Monitoring
+       member=BecomeMonitor
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
+  dbus send bus=session path=/org/freedesktop/DBus
+       interface=org.freedesktop.DBus
+       member={GetConnectionCredentials,ListNames,ListActivatableNames}
+       peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/systemd/coredumpctl b/apparmor.d/groups/systemd/coredumpctl
index e77f326fe..d1ee1141c 100644
--- a/apparmor.d/groups/systemd/coredumpctl
+++ b/apparmor.d/groups/systemd/coredumpctl
@@ -10,8 +10,9 @@ include <tunables/global>
 @{exec_path} = @{bin}/coredumpctl
 profile coredumpctl @{exec_path} flags=(complain) {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.systemd1>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
   capability dac_read_search,
diff --git a/apparmor.d/groups/systemd/localectl b/apparmor.d/groups/systemd/localectl
index db8e7b21b..7a5c67623 100644
--- a/apparmor.d/groups/systemd/localectl
+++ b/apparmor.d/groups/systemd/localectl
@@ -10,9 +10,14 @@ include <tunables/global>
 profile localectl @{exec_path} {
   include <abstractions/base>
   include <abstractions/common/systemd>
+  include <abstractions/bus-system>
 
   capability net_admin,
 
+  signal send set=cont peer=child-pager,
+
+  #aa:dbus talk bus=system org.freedesktop.locale1 label=systemd-localed
+
   @{exec_path} mr,
 
   @{pager_path} rPx -> child-pager,
@@ -20,6 +25,8 @@ profile localectl @{exec_path} {
 
   /usr/share/kbd/keymaps/{,**} r,
 
+  owner @{PROC}/@{pid}/cgroup r,
+
   include if exists <local/localectl>
 }
 
diff --git a/apparmor.d/groups/systemd/loginctl b/apparmor.d/groups/systemd/loginctl
index a6406ab70..c65bb4edd 100644
--- a/apparmor.d/groups/systemd/loginctl
+++ b/apparmor.d/groups/systemd/loginctl
@@ -9,9 +9,10 @@ include <tunables/global>
 @{exec_path} = @{bin}/loginctl
 profile loginctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/bus-system>
+  include <abstractions/bus/org.freedesktop.systemd1>
   include <abstractions/common/systemd>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
   capability net_admin,
@@ -26,6 +27,21 @@ profile loginctl @{exec_path} flags=(attach_disconnected) {
   @{pager_path} rPx -> child-pager,
   @{bin}/ssh    rPx,
 
+  /etc/machine-id r,
+
+  @{run}/log/journal/ r,
+
+  /var/lib/systemd/catalog/database r,
+
+  /{run,var}/log/journal/ r,
+  /{run,var}/log/journal/@{hex32}/ r,
+  /{run,var}/log/journal/@{hex32}/system.journal* r,
+  /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+  /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
+  /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
+
         @{PROC}/sys/fs/nr_open r,
   owner @{PROC}/@{pid}/cgroup r,
 
diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl
index dc3090c5a..5c436f6c1 100644
--- a/apparmor.d/groups/systemd/resolvectl
+++ b/apparmor.d/groups/systemd/resolvectl
@@ -13,6 +13,8 @@ profile resolvectl @{exec_path} {
   include <abstractions/bus-system>
   include <abstractions/common/systemd>
 
+  signal send set=cont peer=child-pager,
+
   #aa:dbus talk bus=system name=org.freedesktop.resolve1 label=systemd-resolved
 
   @{exec_path} mr,