Ubuntu 22.04, first batch and misc

apparmor.d/profiles-m-r/pstree

@@ -22,8 +22,8 @@ profile pstree @{exec_path} flags=(attach_disconnected) {
         @{PROC}/@{pids}/stat r,
         @{PROC}/@{pids}/task/ r,
         @{PROC}/@{pids}/attr/current r,
-  owner @{PROC}/@{pids}/cmdline r,
-  owner @{PROC}/@{pids}/task/@{tid}/stat r,
+        @{PROC}/@{pids}/task/@{tid}/stat r,
+  owner @{PROC}/@{pid}/cmdline r,
 
   include if exists <local/pstree>
 }

apparmor.d/profiles-m-r/rsyslogd

@@ -26,8 +26,14 @@ profile rsyslogd @{exec_path} {
   # for creating new log files and changing their owner/group
   capability chown,
 
+  # downgrade privileges on Ubuntu
+  capability setgid,
+  capability setuid,
+
   # Needed?
   deny capability sys_nice,
+#  capability sys_ptrace,
+#  ptrace (read),
 
   @{exec_path} mr,
 
@@ -50,5 +56,12 @@ profile rsyslogd @{exec_path} {
   /etc/CA/*.crt r,
   /etc/CA/*.key r,
 
+  @{PROC}/1/environ r,
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
+  @{run}/systemd/userdb/io.systemd.Machine rw,
+  @{run}/systemd/notify w,
+
   include if exists <local/rsyslogd>
 }