feat(profile): integrate fsp with apt and ubuntu.

apparmor.d/groups/apt/apt-methods-http

@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/apt/methods/http{,s}
-profile apt-methods-http @{exec_path} {
+profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
@@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  signal receive peer=@{p_apt_news},
+  signal receive peer=@{p_packagekitd},
   signal receive peer=apt-get,
   signal receive peer=apt,
   signal receive peer=aptitude,
-  signal receive peer=@{p_packagekitd},
   signal receive peer=role_*,
   signal receive peer=synaptic,
   signal receive peer=ubuntu-advantage,

apparmor.d/groups/apt/dpkg-script-apparmor

@@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} {
   /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
 
   /var/lib/dpkg/info/*.list r,
+  /var/lib/dpkg/info/format r,
   /var/lib/dpkg/status r,
   /var/lib/dpkg/triggers/File r,
   /var/lib/dpkg/triggers/Unincorp r,

apparmor.d/groups/apt/dpkg-script-systemd

@@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} {
   /etc/systemd/system/*.wants/ rw,
   /etc/systemd/system/*.wants/* rw,
 
+  /etc/pam.d/sed@{rand6} rw,
+  /etc/pam.d/common-password  rw,
+
   /var/lib/systemd/{,*} rw,
   /var/log/journal/ rw,
 

apparmor.d/groups/apt/dpkg-scripts

@@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} {
   @{sbin}/update-rc.d                             Cx -> rc,
 
   # Maintainer scripts can legitimately start/restart anything
+  # PU is only used as a safety fallback.
   @{bin}/**                                       PUx,
   @{sbin}/**                                      PUx,
   @{lib}/**                                       PUx,
@@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} {
     include <abstractions/app/bus>
     include <abstractions/bus-system>
 
+    capability dac_read_search,
+
     dbus send bus=system path=/
          interface=org.freedesktop.DBus
          member=ReloadConfig

apparmor.d/groups/apt/unattended-upgrade

@@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   capability setuid,
   capability sys_nice,
 
+  network inet dgram,
+  network inet6 dgram,
   network netlink raw,
 
   signal send peer=apt-methods-http,

apparmor.d/groups/ubuntu/cron-ubuntu-fan

@@ -15,20 +15,14 @@ profile cron-ubuntu-fan @{exec_path} {
   @{exec_path} mr,
 
   @{sh_path}         rix,
-  @{sbin}/fanctl     rix,
+  @{sbin}/fanctl     rPx,
-  @{bin}/flock       rix,
   @{bin}/grep        rix,
-  @{bin}/id          rix,
   @{sbin}/ip         rix,
   @{bin}/mkdir       rix,
   @{bin}/sed         rix,
-  @{bin}/touch       rix,
 
   /etc/network/fan r,
 
-  @{run}/ubuntu-fan/ rw,
-  @{run}/ubuntu-fan/.lock rwk,
-
   include if exists <local/cron-ubuntu-fan>
 }
 

apparmor.d/groups/ubuntu/update-notifier-crash

@@ -12,8 +12,17 @@ profile update-notifier-crash @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/systemctl Cx -> systemctl,
+
   /usr/share/apport/apport-checkreports Px,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+  
+    include if exists <local/update-notifier-crash_systemctl>
+  }
+
   include if exists <local/update-notifier-crash>
 }