feat(profile): improve the upgrade stack.

apparmor.d/groups/cron/cron

@@ -25,20 +25,14 @@ profile cron @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
-  ptrace (read) peer=unconfined,
-
-  unix bind type=stream addr=@@{udbus}/bus/cron/system,
-
   @{exec_path} mr,
 
-  @{sh_path}         rix,
-  @{bin}/nice        rix,
-  @{bin}/ionice      rix,
-  @{bin}/exim4       rPx,
-  @{bin}/run-parts   rCx -> run-parts, # could even be rix, as long as we are not
-                                       # using the  run-parts profile we are good
-
-  @{lib}/sysstat/debian-sa1            rPx,
+  @{sh_path}                 rix,
+  @{bin}/exim4               rPx,
+  @{bin}/ionice              rix,
+  @{bin}/nice                rix,
+  @{bin}/run-parts           rCx -> run-parts,
+  @{lib}/sysstat/debian-sa1  rPx,
 
   /etc/cron.d/{,*} r,
   /etc/crontab r,

apparmor.d/groups/snap/snapd

@@ -50,7 +50,7 @@ profile snapd @{exec_path} {
   ptrace read peer=@{p_systemd},
   ptrace read peer=snap{,.*},
 
-  signal send set=kill peer=journalctl,
+  signal send set=kill peer=snapd//journalctl,
 
   dbus send bus=system path=/org/freedesktop/
          interface=org.freedesktop.login1.Manager

apparmor.d/profiles-m-r/needrestart

@@ -14,7 +14,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 
   capability checkpoint_restore,
   capability dac_read_search,
-  capability kill,
   capability sys_ptrace,
 
   ptrace read,
@@ -27,13 +26,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   @{bin}/systemctl                         rCx -> systemctl,
   @{bin}/systemd-detect-virt               rPx,
   @{bin}/udevadm                           rCx -> udevadm,
+  @{bin}/who                               rPx,
   @{lib}/needrestart/*                     rPx,
   @{python_path}                           rix,
   @{sbin}/unix_chkpwd                      rPx,
 
-  /etc/needrestart/hook.d/*                rPx,
-  /etc/needrestart/notify.d/*              rPx,
-  /etc/needrestart/restart.d/*             rPx,
+  @{etc_ro}/needrestart/hook.d/*           rPx,
+  @{etc_ro}/needrestart/notify.d/*         rPx,
+  @{etc_ro}/needrestart/restart.d/*        rPx,
 
   /etc/init.d/* r,
   /etc/needrestart/{,**} r,

apparmor.d/profiles-m-r/needrestart-hook

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = /etc/needrestart/hook.d/*
+@{exec_path} = @{etc_ro}/needrestart/hook.d/*
 profile needrestart-hook @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/profiles-m-r/needrestart-notify

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = /etc/needrestart/notify.d/*
+@{exec_path} = @{etc_ro}/needrestart/notify.d/*
 profile needrestart-notify @{exec_path} {
   include <abstractions/base>
 
@@ -18,8 +18,11 @@ profile needrestart-notify @{exec_path} {
   @{exec_path} mr,
 
   @{sh_path} r,
-  @{bin}/gettext.sh r,
-  @{bin}/sed ix,
+  @{bin}/fold         ix,
+  @{bin}/gettext.sh    r,
+  @{bin}/mail         Px,
+  @{bin}/notify-send  Px,
+  @{bin}/sed          ix,
 
   /etc/needrestart/notify.conf r,
 

apparmor.d/profiles-m-r/needrestart-restart

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = /etc/needrestart/restart.d/*
+@{exec_path} = @{etc_ro}/needrestart/restart.d/*
 profile needrestart-restart @{exec_path} {
   include <abstractions/base>
 

apparmor.d/profiles-m-r/pam-auth-update

@@ -20,7 +20,9 @@ profile pam-auth-update @{exec_path} flags=(complain) {
   /usr/share/pam{,-configs}/{,*} r,
 
   /etc/pam.d/* rw,
+  /etc/shadow r,
 
+  /var/lib/dpkg/info/libpam-runtime.templates r,
   /var/lib/pam/* rw,
 
   include if exists <local/pam-auth-update>