feat(fsp): small fsp improvement.

apparmor.d/groups/_full/sd

@@ -18,7 +18,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/systemd-executor
-profile sd flags=(attach_disconnected,mediate_deleted) {
+profile sd flags=(attach_disconnected,mediate_deleted,complain) {
   include <abstractions/base>
   include <abstractions/authentication>
   include <abstractions/bus-system>
@@ -42,6 +42,7 @@ profile sd flags=(attach_disconnected,mediate_deleted) {
   capability linux_immutable,
   capability mknod,
   capability net_admin,
+  capability net_bind_service,
   capability net_raw,
   capability perfmon,
   capability setfcap,
@@ -57,6 +58,8 @@ profile sd flags=(attach_disconnected,mediate_deleted) {
   capability sys_tty_config,
   capability syslog,
 
+  network alg seqpacket,
+  network bluetooth,
   network inet dgram,
   network inet stream,
   network inet6 dgram,
@@ -84,6 +87,22 @@ profile sd flags=(attach_disconnected,mediate_deleted) {
   umount /dev/shm/,
   umount @{run}/systemd/mount-rootfs/{,**},
 
+  # mount tmpfs -> @{run}/lock/,
+  # mount tmpfs -> @{sys}/fs/cgroup/,
+  # mount cgroup -> @{sys}/fs/cgroup/systemd/,
+  # audit mount                                                             /dev/** -> /boot/{,efi/},
+  # audit mount options=(rw bind)                                           /dev/** -> /tmp/namespace-dev-@{rand6}/**,
+  # audit mount options=(rw rbind)                                                  -> @{run}/systemd/unit-root/{,**},
+
+  # audit remount                                        @{run}/systemd/unit-root/{,**},
+  # audit remount options=(ro noexec noatime bind)       /var/snap/{,**},
+  # audit remount options=(ro nosuid nodev bind)         /var/,
+  # audit remount options=(ro nosuid nodev noexec bind)  /boot/,
+
+  # audit umount @{PROC}/sys/fs/binfmt_misc/,
+  # audit umount @{run}/systemd/namespace-@{rand6}/{,**},
+  # audit umount @{run}/systemd/unit-root/{,**},
+
   pivot_root oldroot=/run/systemd/mount-rootfs/ @{run}/systemd/mount-rootfs/,
 
   change_profile,

apparmor.d/groups/_full/systemd

@@ -219,6 +219,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 
         /dev/autofs r,
         /dev/dri/card@{int} rw,
+        /dev/initctl w,
         /dev/input/ r,
         /dev/kmsg w,
         /dev/tty rw,

apparmor.d/groups/_full/systemd-user

@@ -91,6 +91,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
         @{PROC}/sys/kernel/pid_max r,
         @{PROC}/sys/kernel/random/boot_id r,
         @{PROC}/sys/kernel/threads-max r,
+  owner @{PROC}/@{pid}/cmdline r,
   owner @{PROC}/@{pid}/fdinfo/@{int} r,
   owner @{PROC}/@{pid}/gid_map r,
   owner @{PROC}/@{pid}/mountinfo r,

apparmor.d/groups/flatpak/flatpak-app

@@ -65,7 +65,7 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 
   @{bin}/gtk{,4}-update-icon-cache     rPx -> flatpak-app//&gtk-update-icon-cache,
   @{bin}/update-desktop-database       rPx -> flatpak-app//&update-desktop-database,
-  @{sbin}/update-mime-database         rPx -> flatpak-app//&update-mime-database,
+  @{bin}/update-mime-database          rPx -> flatpak-app//&update-mime-database,
   @{bin}/xdg-dbus-proxy                rPx -> flatpak-app//&xdg-dbus-proxy,
 
   @{lib}/kf5/kioslave5                 rPx,