Update profiles.

apparmor.d/groups/systemd/bootctl

@@ -22,17 +22,20 @@ profile bootctl @{exec_path} {
 
   /{usr/,}bin/less       rPx -> child-pager,
 
-  /boot/ r,
-  /boot/EFI/{,**} r,
-  /boot/loader/{,**} r,
-  /boot/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
-  /boot/EFI/BOOT/BOOTX64.EFI w,
-  /boot/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
-  /boot/EFI/systemd/systemd-boot*.efi w,
-  /boot/loader/.#bootctlrandom-seed[0-9a-f]* rw,
-  /boot/loader/random-seed w,
+  /{boot,efi}/ r,
+  /{boot,efi}/EFI/{,**} r,
+  /{boot,efi}/loader/{,**} r,
+  /{boot,efi}/EFI/BOOT/.#BOOT*.EFI[0-9a-f]* rw,
+  /{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
+  /{boot,efi}/EFI/systemd/.#systemd-boot*.efi[0-9a-f]* rw,
+  /{boot,efi}/EFI/systemd/systemd-boot*.efi w,
+  /{boot,efi}/loader/.#bootctlrandom-seed[0-9a-f]* rw,
+  /{boot,efi}/loader/random-seed w,
 
-   /etc/machine-id r,
+  /etc/machine-id r,
+  /etc/machine-info r,
+
+  @{run}/host/container-manager r,
 
   @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
   @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,

apparmor.d/groups/systemd/journalctl

@@ -33,6 +33,8 @@ profile journalctl @{exec_path} {
   /{run,var}/log/journal/[0-9a-f]*/system.journal* r,
   /{run,var}/log/journal/[0-9a-f]*/system@[0-9a-f]*.journal* rw,
 
+  @{run}/host/container-manager r,
+
   # For --setup-keys and --verify
   owner /{run,var}/log/journal/[0-9a-f]*/fss.tmp.* rw,
   owner /{run,var}/log/journal/[0-9a-f]*/fss wl -> /var/log/journal/[0-9a-f]*/fss.tmp.*,

apparmor.d/groups/systemd/systemd-detect-virt

@@ -13,12 +13,17 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
   include <abstractions/consoles>
   include <abstractions/systemd-common>
 
+  capability net_admin,
+
   @{exec_path} mr,
 
-  @{sys}/devices/virtual/dmi/id/product_name r,
-  @{sys}/devices/virtual/dmi/id/sys_vendor r,
-  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{run}/host/container-manager r,
+
   @{sys}/devices/virtual/dmi/id/bios_vendor r,
+  @{sys}/devices/virtual/dmi/id/board_vendor r,
+  @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_version r,
+  @{sys}/devices/virtual/dmi/id/sys_vendor r,
 
   # Inherit silencer
   deny /apparmor/.null rw,

apparmor.d/groups/systemd/systemd-journald

@@ -39,6 +39,8 @@ profile systemd-journald @{exec_path} {
   owner @{run}/systemd/journal/{,**} rw,
   owner @{run}/systemd/notify rw,
 
+  @{run}/host/container-manager r,
+
   @{run}/udev/data/c189:[0-9]*  r, # for /dev/bus/usb/**
   @{run}/udev/data/c10:224      r, # for /dev/tpm0
   @{run}/udev/data/c243:0       r,

apparmor.d/groups/systemd/systemd-logind

@@ -32,6 +32,8 @@ profile systemd-logind @{exec_path} flags=(complain) {
 
   /var/lib/systemd/linger/ r,
 
+  @{run}/host/container-manager r,
+
   @{run}/utmp rk,
 
   @{run}/udev/tags/master-of-seat/ r,
@@ -74,6 +76,7 @@ profile systemd-logind @{exec_path} flags=(complain) {
 
   @{sys}/module/vt/parameters/default_utf8 r,
   @{sys}/fs/cgroup/memory/memory.limit_in_bytes r,
+  @{sys}/fs/cgroup/memory.max r,
   @{sys}/devices/virtual/tty/tty[0-9]*/active r,
   @{sys}/devices/**/{uevent,enabled,status} r,
   @{sys}/devices/**/brightness rw,
@@ -89,8 +92,10 @@ profile systemd-logind @{exec_path} flags=(complain) {
   @{PROC}/@{pid}/cgroup r,
   @{PROC}/@{pid}/comm r,
   @{PROC}/@{pid}/fd/ r,
+  @{PROC}/@{pid}/mountinfo r,
   @{PROC}/@{pid}/sessionid r,
   @{PROC}/@{pid}/stat r,
+  @{PROC}/1/cmdline r,
   @{PROC}/swaps r,
   @{PROC}/sysvipc/{shm,sem,msg} r,
 

apparmor.d/groups/systemd/systemd-remount-fs

@@ -13,5 +13,11 @@ profile systemd-remount-fs @{exec_path} {
 
   @{exec_path} mr,
 
+  /etc/fstab r,
+
+  @{run}/host/container-manager r,
+
+  @{PROC}/1/cmdline r,
+
   include if exists <local/systemd-remount-fs>
 }

apparmor.d/groups/systemd/systemd-sysusers

@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = /{usr/,}bin/systemd-sysusers
 profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
+  include <abstractions/systemd-common>
 
   @{exec_path} mr,
 
@@ -34,9 +35,6 @@ profile systemd-sysusers @{exec_path} flags=(attach_disconnected) {
   /etc/.#{group,gshadow}[0-9a-zA-Z]* rw,
   /etc/.pwd.lock rwk,
 
-  owner @{PROC}/@{pid}/stat r,
-        @{PROC}/sys/kernel/random/boot_id r,
-
   # Inherit Silencer
   deny network inet6 stream,
   deny network inet stream,

apparmor.d/groups/systemd/systemd-tmpfiles

@@ -49,6 +49,7 @@ profile systemd-tmpfiles @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/system/cpu/microcode/reload w,
 
   @{PROC}/@{pid}/net/unix r,
+  @{PROC}/1/cmdline r,
 
   deny /apparmor/.null rw,
 

apparmor.d/groups/systemd/systemd-update-done

@@ -21,6 +21,9 @@ profile systemd-update-done @{exec_path} {
   /var/.#.updated[0-9a-zA-Z]* rw,
   /var/.updated w,
 
+  @{run}/host/container-manager r,
+
+  @{PROC}/1/cmdline r,
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,

apparmor.d/groups/systemd/systemd-update-utmp

@@ -22,6 +22,9 @@ profile systemd-update-utmp @{exec_path} {
   owner /var/log/wtmp rwk,
   owner @{run}/utmp rwk,
 
+  @{run}/host/container-manager r,
+
+  @{PROC}/1/cmdline r,
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,

apparmor.d/groups/systemd/systemd-user-sessions

@@ -20,6 +20,9 @@ profile systemd-user-sessions @{exec_path} {
   owner @{run}/.#nologin rw,
   owner @{run}/nologin rw,
 
+  @{run}/host/container-manager r,
+
+  @{PROC}/1/cmdline r,
   @{PROC}/1/environ r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,