feat(profile): general update.

apparmor.d/groups/virt/cockpit-bridge

@@ -59,6 +59,7 @@ profile cockpit-bridge @{exec_path} {
   @{sys}/class/hwmon/ r,
   @{sys}/devices/**/hwmon@{int}/ r,
   @{sys}/devices/**/hwmon@{int}/{name,temp*} r,
+  @{sys}/fs/cgroup/ r,
   @{sys}/fs/cgroup/**/ r,
   @{sys}/fs/cgroup/**/cpu.{stat,weight} r,
   @{sys}/fs/cgroup/**/memory* r,

apparmor.d/groups/virt/cockpit-pcp

@@ -27,16 +27,17 @@ profile cockpit-pcp @{exec_path} {
   /var/lib/pcp/{,**} rw,
 
   /var/log/pcp/pmlogger/ r,
+  /var/log/pcp/pmlogger/** r,
 
   @{sys}/fs/cgroup/{,**/} r,
   @{sys}/fs/cgroup/**/{memory,cpu}* r,
   @{sys}/devices/platform/**/hwmon/hwmon@{int}/temp* r,
   @{sys}/devices/platform/**/hwmon/hwmon@{int}/fan* r,
 
+        @{PROC}/@{pid}/net/dev r,
         @{PROC}/diskstats r,
         @{PROC}/swaps r,
   owner @{PROC}/@{pid}/mounts r,
-        @{PROC}/@{pid}/net/dev r,
 
   include if exists <local/cockpit-pcp>
 }

apparmor.d/groups/virt/dockerd

@@ -32,9 +32,8 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   network inet6 stream,
   network netlink raw,
 
-  mount fstype=overlayfs -> /var/lib/docker/overlay2/*/merged/,
+  mount /var/lib/docker/overlay2/**/,
   mount options=(rw, bind) -> /run/docker/netns/*,
-  mount options=(rw, rbind) -> /var/lib/docker/overlay*/**/,
   mount options=(rw, rbind) -> /var/lib/docker/tmp/docker-builder[0-9]*/,
   mount options=(rw, rprivate) -> /.pivot_root[0-9]*/,
   mount options=(rw, rslave) -> /,