feat(fsp): systemd drop in files: configure stacked profile

It comes as a replacement of old and unsecure config that was disabling the nnp flag.
The new solution is:
1. Safe
2. Scalable  as hundred of profile could be configured this way

systemd/full/system/ModemManager.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&ModemManager

systemd/full/system/archlinux-keyring-wkd-sync.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&archlinux-keyring-wkd-sync

systemd/full/system/dbus-org.freedesktop.hostname1.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-hostnamed

systemd/full/system/dbus-org.freedesktop.import1.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-importd

systemd/full/system/dbus-org.freedesktop.locale1.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-localed

systemd/full/system/dbus-org.freedesktop.login1.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-logind

systemd/full/system/dbus-org.freedesktop.machine1.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-machined

systemd/full/system/dbus-org.freedesktop.timedate1.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-timedated

systemd/full/system/e2scrub@.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&e2scrub

systemd/full/system/e2scrub_reap.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&e2scrub_all

systemd/full/system/fprintd.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&fprintd

systemd/full/system/fwupd-refresh.service

@@ -1,4 +1,2 @@
 [Service]
-ProtectKernelModules=no
+AppArmorProfile=&fwupdmgr
-RestrictRealtime=no
-ProtectKernelModules=no

systemd/full/system/geoclue.service

@@ -1,6 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&geoclue
-MemoryDenyWriteExecute=no
-ProtectKernelTunables=no
-ProtectKernelModules=no
-RestrictRealtime=no

systemd/full/system/irqbalance.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&irqbalance

systemd/full/system/nm-priv-helper.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&nm-priv-helper

systemd/full/system/polkit.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&polkitd

systemd/full/system/rngd.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&rngd

systemd/full/system/systemd-homed.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-homed

systemd/full/system/systemd-hostnamed.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-hostnamed

systemd/full/system/systemd-journald.service

@@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-journald
-ProtectClock=no

systemd/full/system/systemd-journald@.service

@@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-journald
-ProtectClock=no

systemd/full/system/systemd-localed.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-localed

systemd/full/system/systemd-logind.service

@@ -1,3 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-logind
-ProtectClock=no

systemd/full/system/systemd-machined.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-machined

systemd/full/system/systemd-networkd.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-networkd

systemd/full/system/systemd-resolved.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-resolved

systemd/full/system/systemd-timedated.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-timedated

systemd/full/system/systemd-userdbd.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&systemd-userdbd

systemd/full/system/upower.service

@@ -1,2 +1,2 @@
 [Service]
-NoNewPrivileges=no
+AppArmorProfile=&upowerd