feat(profiles): general update.

apparmor.d/profiles-a-f/apparmor.systemd

@@ -1,5 +1,5 @@
 # apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -9,8 +9,10 @@ include <tunables/global>
 @{exec_path} = @{lib}/apparmor/apparmor.systemd
 profile apparmor.systemd @{exec_path} flags=(complain) {
   include <abstractions/base>
+  include <abstractions/consoles>
   include <abstractions/nameservice-strict>
 
+  capability dac_read_search,
   capability mac_admin,
 
   @{exec_path} mr,

apparmor.d/profiles-a-f/dkms

@@ -22,7 +22,8 @@ profile dkms @{exec_path} flags=(attach_disconnected) {
 
   unix (receive) type=stream,
 
-  @{exec_path} r,
+  @{exec_path} rm,
+
   @{bin}/cat        rix,
   @{bin}/cp         rix,
   @{bin}/cut        rix,

apparmor.d/profiles-a-f/dkms-autoinstaller

@@ -12,7 +12,8 @@ profile dkms-autoinstaller @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>
 
-  @{exec_path} r,
+  @{exec_path} rm,
+
   @{bin}/{,ba,da}sh rix,
   @{bin}/dkms       rPx,
   @{bin}/echo       rix,