feat(profiles): general update.

apparmor.d/groups/virt/dockerd

@@ -18,11 +18,12 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability fowner,
   capability fsetid,
+  capability kill,
   capability mknod,
   capability net_admin,
   capability sys_admin,
   capability sys_chroot,
-  capability kill,
+  capability sys_ptrace,
 
   network inet dgram,
   network inet6 dgram,
@@ -42,6 +43,7 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   pivot_root oldroot=/var/lib/docker/overlay*/**/.pivot_root[0-9]*/ /var/lib/docker/overlay2/**/,
   pivot_root oldroot=/var/lib/docker/tmp/**/.pivot_root[0-9]*/ /var/lib/docker/tmp/**/,
 
+  ptrace (read) peer=docker-*,
   ptrace (read) peer=unconfined,
 
   signal (send) set=kill peer=docker-*,
@@ -62,7 +64,6 @@ profile dockerd @{exec_path} flags=(attach_disconnected) {
   # TODO: should be in a sub profile started with pivot_root, not supported yet.
   /{,**} rw,
   deny /boot/{,**} rw,
-  deny /dev/{,**} rw,
   deny /media/{,**} rw,
   deny /mnt/{,**} rw,
 

apparmor.d/groups/virt/libvirtd

@@ -122,7 +122,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   /{usr/,}bin/qemu-img               rUx, # TODO: Integration with virt-aa-helper
   /{usr/,}lib/libvirt/virt-aa-helper rPx,
 
-  /etc/libvirt/hooks/**    rmix,
+  /etc/libvirt/hooks/**    rPUx,
   /etc/xen/scripts/**      rmix,
   /var/lib/libvirt/virtd*  rix,
 
@@ -175,6 +175,7 @@ profile libvirtd @{exec_path} flags=(attach_disconnected) {
   @{run}/udev/data/c24[0-9]:[0-9]* r,
   @{run}/udev/data/c50[0-9]:[0-9]* r,
   @{run}/udev/data/c51[0-9]:[0-9]* r,
+  @{run}/udev/data/c90:[0-9]* r,
   @{run}/udev/data/n[0-9]* r,
 
   @{sys}/bus/[a-z]*/devices/ r,