feat(profiles): general update.

apparmor.d/groups/systemd/bootctl

@@ -13,6 +13,7 @@ profile bootctl @{exec_path} {
   include <abstractions/disks-read>
 
   capability mknod,
+  capability net_admin,
 
   signal (send) peer=child-pager,
 

apparmor.d/groups/systemd/systemd-homed

@@ -68,8 +68,6 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
   @{sys}/kernel/uevent_seqnum r,
   @{sys}/devices/**/read_ahead_kb r,
 
-  @{sys}/fs/cgroup/system.slice/systemd-homed.service/memory.pressure rw,
-
         @{PROC}/devices r,
         @{PROC}/sysvipc/{shm,sem,msg} r,
   owner @{PROC}/@{pid}/gid_map w,

apparmor.d/groups/systemd/systemd-journald

@@ -30,7 +30,8 @@ profile systemd-journald @{exec_path} {
 
   @{run}/log/ rw,
   /{run,var}/log/journal/ rw,
-  /{run,var}/log/journal/@{md5}/{,*} rw -> /{run,var}/log/journal/@{md5}/**,
+  /{run,var}/log/journal/@{md5}/ rw,
+  /{run,var}/log/journal/@{md5}/* rw -> /{run,var}/log/journal/@{md5}/#@{int},
 
   owner @{run}/systemd/journal/{,**} rw,
   owner @{run}/systemd/notify rw,

apparmor.d/groups/systemd/systemd-logind

@@ -128,7 +128,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
   @{sys}/fs/cgroup/memory.max r,
   @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
-  @{sys}/fs/cgroup/system.slice/systemd-logind.service/memory.pressure rw,
   @{sys}/module/vt/parameters/default_utf8 r,
   @{sys}/power/{state,resume_offset,resume,disk} r,
 

apparmor.d/groups/systemd/systemd-machined

@@ -71,7 +71,5 @@ profile systemd-machined @{exec_path} {
   @{run}/systemd/userdb/io.systemd.Machine rw,
   @{run}/systemd/notify w,
 
-  @{sys}/fs/cgroup/system.slice/systemd-machined.service/memory.pressure rw,
-
   include if exists <local/systemd-machined>
 }

apparmor.d/groups/systemd/systemd-oomd

@@ -9,8 +9,8 @@ include <tunables/global>
 @{exec_path} = @{lib}/systemd/systemd-oomd
 profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/systemd-common>
   include <abstractions/dbus-strict>
+  include <abstractions/systemd-common>
 
   capability dac_override,
   capability kill,
@@ -33,7 +33,6 @@ profile systemd-oomd @{exec_path} flags=(attach_disconnected) {
 
   @{sys}/fs/cgroup/cgroup.controllers r,
   @{sys}/fs/cgroup/memory.pressure r,
-  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.* r,
 
   @{PROC}/pressure/{cpu,io,memory} r,
 

apparmor.d/groups/systemd/systemd-resolved

@@ -55,8 +55,6 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/resolve/{,**} rw,
   owner @{run}/systemd/journal/socket w,
 
-  owner @{sys}/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure rw,
-
   @{PROC}/sys/kernel/hostname r,
   @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
 

apparmor.d/groups/systemd/systemd-timesyncd

@@ -37,8 +37,6 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 
   owner /var/lib/systemd/timesync/clock rw,
 
-  @{sys}/fs/cgroup/system.slice/systemd-timesyncd.service/memory.pressure rw,
-
   owner @{run}/systemd/journal/socket w,
   owner @{run}/systemd/timesync/synchronized rw,
         @{run}/resolvconf/*.conf r,

apparmor.d/groups/systemd/systemd-vconsole-setup

@@ -34,7 +34,7 @@ profile systemd-vconsole-setup @{exec_path} {
 
   @{sys}/module/vt/parameters/default_utf8 w,
 
-  /dev/tty@{int} rw,
+  /dev/tty@{int} rwk,
 
   include if exists <local/systemd-vconsole-setup>
 }