feat(abs): deny apparmor/.null in the base abstraction.

apparmor.d/groups/children/child-systemctl

@@ -46,7 +46,5 @@ profile child-systemctl flags=(attach_disconnected) {
 
   @{run}/systemd/private rw,
 
-  deny /apparmor/.null rw,
-
   include if exists <local/child-systemctl>
 }

apparmor.d/groups/pacman/mkinitcpio

@@ -116,7 +116,6 @@ profile mkinitcpio @{exec_path} flags=(attach_disconnected) {
 
   # Inherit silencer
   deny @{HOME}/** r,
-  deny /apparmor/.null rw,
   deny network inet stream,
   deny network inet6 stream,
 

apparmor.d/groups/pacman/pacdiff

@@ -44,8 +44,5 @@ profile pacdiff @{exec_path} flags=(attach_disconnected) {
   /dev/tty rw,
   /dev/pts/@{int} rw,
 
-  # Inherit Silencer
-  deny /apparmor/.null rw,
-
   include if exists <local/pacdiff>
 }

apparmor.d/groups/pacman/pacman-conf

@@ -22,7 +22,6 @@ profile pacman-conf @{exec_path} flags=(attach_disconnected) {
   # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,
-  deny /apparmor/.null rw,
 
   include if exists <local/pacman-conf>
 }

apparmor.d/groups/pacman/pacman-hook-dkms

@@ -29,7 +29,6 @@ profile pacman-hook-dkms @{exec_path} flags=(attach_disconnected) {
   /dev/tty rw,
 
   # Inherit Silencer
-  deny /apparmor/.null rw,
   deny network inet stream,
   deny network inet6 stream,
   deny unix (receive) type=stream,

apparmor.d/groups/pacman/pacman-hook-mkinitcpio

@@ -46,7 +46,6 @@ profile pacman-hook-mkinitcpio @{exec_path} flags=(attach_disconnected) {
   # # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,
-  # deny /apparmor/.null rw,
 
   include if exists <local/pacman-hook-mkinitcpio>
 }

apparmor.d/groups/systemd/journalctl

@@ -51,7 +51,6 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
   owner @{PROC}/@{pid}/cgroup r,
 
   deny @{user_share_dirs}/gvfs-metadata/* r,
-  deny /apparmor/.null rw,
   deny network inet stream,
   deny network inet6 stream,
 

apparmor.d/groups/systemd/systemd-binfmt

@@ -28,7 +28,5 @@ profile systemd-binfmt @{exec_path} flags=(attach_disconnected) {
   /dev/tty@{int} rw,
   /dev/pts/@{int} rw,
 
-  deny /apparmor/.null rw,
-
   include if exists <local/systemd-binfmt>
 }

apparmor.d/groups/systemd/systemd-detect-virt

@@ -30,8 +30,5 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/firmware/dmi/entries/*/raw r,
 
-  # Inherit silencer
-  deny /apparmor/.null rw,
-
   include if exists <local/systemd-detect-virt>
 }

apparmor.d/groups/systemd/systemd-hwdb

@@ -25,7 +25,5 @@ profile systemd-hwdb @{exec_path} flags=(attach_disconnected,mediate_deleted) {
 
   owner @{PROC}/@{pid}/stat r,
 
-  deny /apparmor/.null rw,
-
   include if exists <local/systemd-hwdb>
 }

apparmor.d/groups/systemd/systemd-sysctl

@@ -29,8 +29,5 @@ profile systemd-sysctl @{exec_path} flags=(attach_disconnected) {
 
   @{PROC}/sys/** rw,
 
-  # Inherit Silencer
-  deny /apparmor/.null rw,
-
   include if exists <local/systemd-sysctl>
 }

apparmor.d/groups/systemd/systemd-sysusers

@@ -47,7 +47,6 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,
-  deny /apparmor/.null rw,
 
   include if exists <local/systemd-sysusers>
 }

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -57,7 +57,5 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   @{PROC}/1/cmdline r,
   @{PROC}/sched_debug w,
 
-  deny /apparmor/.null rw,
-
   include if exists <local/systemd-tmpfiles>
 }

apparmor.d/groups/systemd/systemd-udevd

@@ -129,8 +129,6 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
   /dev/ rw,
   /dev/** rwk,
 
-  deny /apparmor/.null rw,
-
   profile systemctl flags=(attach_disconnected,complain) {
     include <abstractions/base>
     include <abstractions/systemd-common>