From 881402dc2166b735712e40134558568512059ee8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 12 Jul 2025 20:17:26 +0200
Subject: [PATCH] feat(profile): improve some systemd profiles.

---
 apparmor.d/groups/systemd/systemd-coredump    |  2 +-
 apparmor.d/groups/systemd/systemd-machined    | 22 ++++++++++++++++++-
 .../systemd/systemd-tty-ask-password-agent    |  3 ++-
 3 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/apparmor.d/groups/systemd/systemd-coredump b/apparmor.d/groups/systemd/systemd-coredump
index 52efea3db..2f6d81fdb 100644
--- a/apparmor.d/groups/systemd/systemd-coredump
+++ b/apparmor.d/groups/systemd/systemd-coredump
@@ -39,7 +39,7 @@ profile systemd-coredump @{exec_path} flags=(attach_disconnected,mediate_deleted
   /etc/systemd/coredump.conf r,
   /etc/systemd/coredump.conf.d/{,**} r,
 
-  owner @{HOME}/**.so r,
+  owner @{HOME}/**.so* r,
 
   /var/lib/systemd/coredump/{,**} rwl,
 
diff --git a/apparmor.d/groups/systemd/systemd-machined b/apparmor.d/groups/systemd/systemd-machined
index b37f2300b..b9244ece6 100644
--- a/apparmor.d/groups/systemd/systemd-machined
+++ b/apparmor.d/groups/systemd/systemd-machined
@@ -10,6 +10,7 @@ include <tunables/global>
 profile systemd-machined @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
   include <abstractions/common/systemd>
 
@@ -21,6 +22,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
   capability kill,
   capability mknod,
   capability setgid,
+  capability setuid,
   capability sys_admin,
   capability sys_chroot,
   capability sys_ptrace,
@@ -31,26 +33,44 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
   network inet6 dgram,
   network netlink raw,
 
+  signal send set=rtmin+6 peer=systemd-nspawn,
+
+  ptrace read peer=systemd-nspawn,
+
   #aa:dbus own bus=system name=org.freedesktop.machine1
 
   #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
 
   @{exec_path} mr,
 
-  /var/lib/machines/{,**} rw,
   /etc/machine-id r,
 
+  / r,
+  @{att}/ r,
+
+  owner /var/lib/machines/ rw,
+  owner /var/lib/machines/** rwk,
+
+  owner @{run}/systemd/nspawn/ w,
+  owner @{run}/systemd/nspawn/locks/ w,
+  owner @{run}/systemd/nspawn/locks/** rwk,
+
   @{run}/systemd/machine/{,**} rw,
   @{run}/systemd/machines/{,**} rw,
   @{run}/systemd/notify w,
 
   @{PROC}/@{pid}/cgroup r,
+  @{PROC}/@{pid}/fdinfo/@{int} r,
+  @{PROC}/@{pid}/gid_map r,
+  @{PROC}/@{pid}/setgroups r,
+  @{PROC}/@{pid}/uid_map r,
   @{PROC}/pressure/cpu r,
   @{PROC}/pressure/io r,
   @{PROC}/pressure/memory r,
 
   /dev/ptmx rw,
   /dev/pts/@{int} rw,
+  /dev/pts/ptmx rw,
 
   include if exists <local/systemd-machined>
 }
diff --git a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
index 30d30b295..b318bf3dd 100644
--- a/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
+++ b/apparmor.d/groups/systemd/systemd-tty-ask-password-agent
@@ -17,10 +17,11 @@ profile systemd-tty-ask-password-agent @{exec_path} {
   capability net_admin,
   capability sys_resource,
 
+  signal receive set=(term cont winch) peer=@{p_logrotate},
   signal receive set=(term cont winch) peer=*//systemctl,
   signal receive set=(term cont winch) peer=deb-systemd-invoke,
   signal receive set=(term cont winch) peer=default,
-  signal receive set=(term cont winch) peer=@{p_logrotate},
+  signal receive set=(term cont winch) peer=machinectl,
   signal receive set=(term cont winch) peer=makepkg//sudo,
   signal receive set=(term cont winch) peer=role_*,
   signal receive set=(term cont winch) peer=rpm,