From b479013f91ff8727a0fee398d1da9475f7c58065 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 25 May 2025 01:28:08 +0200
Subject: [PATCH] feat(profile): update some systemd profiles.
---
 apparmor.d/groups/systemd/bootctl | 22 +++++++++----------
 .../groups/systemd/systemd-generator-sysv | 3 ++-
 apparmor.d/groups/systemd/systemd-localed | 2 +-
 apparmor.d/groups/systemd/systemd-logind | 7 ++----
 .../groups/systemd/systemd-network-generator | 2 +-
 apparmor.d/groups/systemd/systemd-networkd | 9 +++++++-
 apparmor.d/groups/systemd/systemd-remount-fs | 3 +--
 apparmor.d/groups/systemd/systemd-timedated | 2 +-
 8 files changed, 27 insertions(+), 23 deletions(-)
diff --git a/apparmor.d/groups/systemd/bootctl b/apparmor.d/groups/systemd/bootctl
index 12fcceaea..9508cfcf2 100644
--- a/apparmor.d/groups/systemd/bootctl
+++ b/apparmor.d/groups/systemd/bootctl
@@ -25,17 +25,17 @@ profile bootctl @{exec_path} flags=(attach_disconnected) {
 @{pager_path} rPx -> child-pager,
- /{boot,efi}/ r,
- /{boot,efi}/EFI/{,**} r,
- /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
- /{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
- /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
- /{boot,efi}/EFI/systemd/systemd-boot*.efi w,
- /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw,
- /{boot,efi}/loader/.#entries.srel* w,
- /{boot,efi}/loader/{,**} r,
- /{boot,efi}/loader/entries.srel w,
- /{boot,efi}/loader/random-seed w,
+ @{efi}/ r,
+ @{efi}/EFI/{,**} r,
+ @{efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
+ @{efi}/EFI/BOOT/BOOTX64.EFI w,
+ @{efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
+ @{efi}/EFI/systemd/systemd-boot*.efi w,
+ @{efi}/loader/.#bootctlrandom-seed@{hex} rw,
+ @{efi}/loader/.#entries.srel* w,
+ @{efi}/loader/{,**} r,
+ @{efi}/loader/entries.srel w,
+ @{efi}/loader/random-seed w,
 /etc/kernel/entry-token r,
 /etc/machine-id r,
diff --git a/apparmor.d/groups/systemd/systemd-generator-sysv b/apparmor.d/groups/systemd/systemd-generator-sysv
index 4feb65d51..fc290fca4 100644
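Review bot: The `@{efi}` variable that all eleven rewritten rules now depend on is not defined anywhere in this hunk, so it cannot be checked here whether it still expands to both `/boot` and `/efi`, the two mount points the replaced `/{boot,efi}` alternation matched; if it covers fewer, hosts with the ESP at the other location start getting denials from bootctl. Worth confirming against the tunable that defines `@{efi}` before merging, and the same check applies to the `@{efi}/{,**} r` rule in the systemd-logind hunk at `@@ -50,8 +50,7 @@`. Separately, the fallback-loader write still names only `BOOTX64.EFI`, so the rule set stays x86-64-specific; that is pre-existing rather than introduced here, but a trailing `# x86-64 only` comment would make it explicit. The bootctl profile body continues outside the hunk.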
--- a/apparmor.d/groups/systemd/systemd-generator-sysv
+++ b/apparmor.d/groups/systemd/systemd-generator-sysv
@@ -17,9 +17,10 @@ profile systemd-generator-sysv @{exec_path} flags=(attach_disconnected) {
 /etc/init.d/{,**} r,
 /etc/rc@{int}.d/{,**} r,
- @{run}/systemd/generator.late/* w,
+ @{run}/systemd/generator.late/** w,
 @{PROC}/@{pid}/cgroup r,
+ @{PROC}/1/environ r,
 @{PROC}/cmdline r,
 @{PROC}/sys/kernel/osrelease r,
diff --git a/apparmor.d/groups/systemd/systemd-localed b/apparmor.d/groups/systemd/systemd-localed
index 205d8a55f..3befcd92a 100644
--- a/apparmor.d/groups/systemd/systemd-localed
+++ b/apparmor.d/groups/systemd/systemd-localed
@@ -14,7 +14,7 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 include
 include
- unix (bind) type=stream addr=@@{udbus}/bus/systemd-localed/system,
+ unix bind type=stream addr=@@{udbus}/bus/systemd-localed/system,
 #aa:dbus own bus=system name=org.freedesktop.locale1
diff --git a/apparmor.d/groups/systemd/systemd-logind b/apparmor.d/groups/systemd/systemd-logind
index a56e16298..39192e7e1 100644
--- a/apparmor.d/groups/systemd/systemd-logind
+++ b/apparmor.d/groups/systemd/systemd-logind
@@ -12,11 +12,11 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 include
 include
- include
 capability chown,
 capability dac_override,
@@ -50,8 +50,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 /etc/systemd/sleep.conf.d/{,**} r,
 / r,
- /boot/{,**} r,
- /efi/{,**} r,
+ @{efi}/{,**} r,
 /swap.img r,
 /swap/swapfile r,
 /swapfile r,
@@ -140,8 +139,6 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
 /dev/dri/card@{int} rw,
 /dev/input/event@{int} rw, # Input devices (keyboard, mouse, etc)
 /dev/mqueue/ r,
- /dev/tty@{int} rw,
- owner @{att}/dev/tty@{int} rw,
 owner /dev/shm/{,**/} rw,
 include if exists
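Review bot: The new `@{PROC}/1/environ r` rule in the systemd-generator-sysv hunk grants a read of PID 1's environment without any comment on why a SysV generator needs it; that is a privileged read, and a later reader of the profile cannot tell whether it is intentional or a denial that was waved through. Presumably it is the container fallback in which systemd takes the kernel command line from `$SYSTEMD_PROC_CMDLINE` in PID 1's environment, which would explain why it sits next to `@{PROC}/cmdline r` — confirm against the denial that prompted it and record it inline, e.g. `@{PROC}/1/environ r, # container fallback for the kernel cmdline, TODO confirm`. The widening of `generator.late/*` to `generator.late/**` also now covers nested directories; reasonable for an output directory the generator owns, but it belongs in the same explanation if a nested drop-in was the trigger. The profile body continues outside the hunk.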
diff --git a/apparmor.d/groups/systemd/systemd-network-generator b/apparmor.d/groups/systemd/systemd-network-generator
index e22d89629..ceebbc5c2 100644
--- a/apparmor.d/groups/systemd/systemd-network-generator
+++ b/apparmor.d/groups/systemd/systemd-network-generator
@@ -7,7 +7,7 @@ abi ,
 include
 @{exec_path} = @{lib}/systemd/systemd-network-generator
-profile systemd-network-generator @{exec_path} {
+profile systemd-network-generator @{exec_path} flags=(attach_disconnected) {
 include
 include
diff --git a/apparmor.d/groups/systemd/systemd-networkd b/apparmor.d/groups/systemd/systemd-networkd
index ca5450826..3d6c3a4b7 100644
--- a/apparmor.d/groups/systemd/systemd-networkd
+++ b/apparmor.d/groups/systemd/systemd-networkd
@@ -31,6 +31,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 unix bind type=stream addr=@@{udbus}/bus/systemd-network/bus-api-network,
+ signal receive set=usr2 peer=@{p_systemd},
+
 #aa:dbus own bus=system name=org.freedesktop.network1
 dbus send bus=system path=/org/freedesktop/hostname1
@@ -47,14 +49,18 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 /var/lib/dbus/machine-id r,
 /etc/machine-id r,
- /etc/systemd/networkd.conf r,
+ /etc/systemd/network.conf r,
 /etc/systemd/network/{,**} r,
+ /etc/systemd/networkd.conf r,
+ /etc/systemd/networkd.conf.d/{,**} r,
 /etc/networkd-dispatcher/carrier.d/{,*} r,
 @{att}/ r,
 @{att}/@{run}/systemd/notify rw,
+ @{run}/mount/utab r,
+
 owner @{att}/var/lib/systemd/network/ r,
 @{run}/systemd/network/ r,
@@ -75,6 +81,7 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
 @{PROC}/@{pid}/cgroup r,
 @{PROC}/pressure/* r,
 @{PROC}/sys/net/ipv{4,6}/** rw,
+ @{PROC}/version_signature r,
 owner @{PROC}/@{pid}/fdinfo/@{int} r,
 owner @{PROC}/@{pid}/mountinfo r,
diff --git a/apparmor.d/groups/systemd/systemd-remount-fs b/apparmor.d/groups/systemd/systemd-remount-fs
index 750f7e18b..96b182e5f 100644
--- a/apparmor.d/groups/systemd/systemd-remount-fs
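Review bot: Adding `flags=(attach_disconnected)` to the systemd-network-generator profile line widens how its path rules match, because a file reached through a disconnected path is then mediated as if it were rooted at `/` and can satisfy the profile's absolute-path rules; nothing in the hunk records which access made the flag necessary. A short comment on the profile line, e.g. `# attach_disconnected: TODO record the disconnected-path access that needs it`, would let a later reviewer judge whether the flag can be dropped again or narrowed with `@{att}` rules. The profile body continues outside the hunk.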
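Review bot: The new `/etc/systemd/network.conf r` rule in the systemd-networkd hunk at `@@ -47,14 +49,18 @@` takes the place of `/etc/systemd/networkd.conf r`, which is then re-added two lines below together with `networkd.conf.d/{,**} r`; if `network.conf` is not a file networkd actually reads, it is a dead rule that reads like a typo for `networkd.conf` and should be dropped, and if it is read, a trailing comment naming what reads it would stop the next reviewer from removing it. The `@{run}/mount/utab r` and `@{PROC}/version_signature r` additions are likewise unexplained; the latter is an Ubuntu-specific file, so `@{PROC}/version_signature r, # Ubuntu` would keep it from being pruned on other distributions. The enclosing profile continues outside the hunk.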
+++ b/apparmor.d/groups/systemd/systemd-remount-fs
@@ -28,8 +28,7 @@ profile systemd-remount-fs @{exec_path} flags=(attach_disconnected) {
 @{run}/host/container-manager r,
 @{run}/mount/utab rw,
- @{run}/mount/utab.@{rand6} rw,
- @{run}/mount/utab.lock rwk,
+ @{run}/mount/utab.* rwk,
 @{sys}/devices/virtual/block/dm-@{int}/dm/name r,
diff --git a/apparmor.d/groups/systemd/systemd-timedated b/apparmor.d/groups/systemd/systemd-timedated
index e070afe4e..ffed031b5 100644
--- a/apparmor.d/groups/systemd/systemd-timedated
+++ b/apparmor.d/groups/systemd/systemd-timedated
@@ -15,7 +15,7 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
 capability sys_time,
- unix (bind) type=stream addr=@@{udbus}/bus/systemd-timedat/system,
+ unix bind type=stream addr=@@{udbus}/bus/systemd-timedat/system,
 #aa:dbus own bus=system name=org.freedesktop.timedate1