feat(profile): general update.

Also include some preparation for the systemd profile.

apparmor.d/groups/systemd/systemd-homed

@@ -68,7 +68,9 @@ profile systemd-homed @{exec_path} flags=(attach_disconnected) {
   @{sys}/kernel/uevent_seqnum r,
   @{sys}/devices/**/read_ahead_kb r,
 
+        @{PROC}/@{pid}/cgroup r,
         @{PROC}/devices r,
+        @{PROC}/pressure/* r,
         @{PROC}/sysvipc/{shm,sem,msg} r,
   owner @{PROC}/@{pid}/gid_map w,
   owner @{PROC}/@{pid}/mountinfo r,

apparmor.d/groups/systemd/systemd-hostnamed

@@ -15,6 +15,13 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
 
   capability sys_admin,  # To set a hostname
 
+  dbus bind bus=system name=org.freedesktop.hostname1,
+
+  dbus receive bus=system path=/org/freedesktop/hostname1
+       interface=org.freedesktop.hostname1
+       member=SetHostname 
+       peer=(name=:*, label=systemd//&systemd-networkd),
+
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName,GetConnectionUnixUser}
@@ -35,9 +42,6 @@ profile systemd-hostnamed @{exec_path}  flags=(attach_disconnected) {
        member=Set*Hostname
        peer=(name=:*, label=hostnamectl),
 
-  dbus bind bus=system
-       name=org.freedesktop.hostname[0-9],
-
   @{exec_path} mr,
 
   @{etc_rw}/.#hostname* rw,

apparmor.d/groups/systemd/systemd-journald

@@ -70,12 +70,13 @@ profile systemd-journald @{exec_path} {
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
   @{sys}/module/printk/parameters/time r,
 
-  @{PROC}/@{pids}/comm r,
-  @{PROC}/@{pids}/cmdline r,
   @{PROC}/@{pids}/attr/current r,
-  @{PROC}/@{pids}/sessionid r,
-  @{PROC}/@{pids}/loginuid r,
   @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/cmdline r,
+  @{PROC}/@{pids}/comm r,
+  @{PROC}/@{pids}/loginuid r,
+  @{PROC}/@{pids}/sessionid r,
+  @{PROC}/pressure/* r,
   @{PROC}/sys/kernel/hostname r,
 
   /dev/kmsg rw,

apparmor.d/groups/systemd/systemd-logind

@@ -66,6 +66,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   /etc/systemd/sleep.conf r,
   /etc/systemd/logind.conf.d/{,**} r,
 
+  / r,
   /boot/{,**} r,
   /swap/swapfile r,
   /swapfile r,
@@ -138,6 +139,7 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected,complain) {
   @{PROC}/@{pid}/sessionid r,
   @{PROC}/@{pid}/stat r,
   @{PROC}/1/cmdline r,
+  @{PROC}/pressure/* r,
   @{PROC}/swaps r,
   @{PROC}/sysvipc/{shm,sem,msg} r,
 

apparmor.d/groups/systemd/systemd-modules-load

@@ -25,5 +25,7 @@ profile systemd-modules-load @{exec_path} {
   /etc/modules-load.d/ r,
   /etc/modules-load.d/*.conf r,
 
+  @{sys}/module/compression r,
+
   include if exists <local/systemd-modules-load>
 }

apparmor.d/groups/systemd/systemd-networkd

@@ -76,6 +76,8 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected,complain) {
   @{sys}/devices/virtual/dmi/id/product_name r,
   @{sys}/devices/virtual/dmi/id/product_version r,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
   @{PROC}/sys/net/ipv{4,6}/** rw,
 
   include if exists <local/systemd-networkd>

apparmor.d/groups/systemd/systemd-resolved

@@ -55,6 +55,8 @@ profile systemd-resolved @{exec_path} flags=(attach_disconnected) {
         @{run}/systemd/resolve/{,**} rw,
   owner @{run}/systemd/journal/socket w,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
   @{PROC}/sys/kernel/hostname r,
   @{PROC}/sys/net/ipv{4,6}/conf/all/disable_ipv{4,6} r,
 

apparmor.d/groups/systemd/systemd-timesyncd

@@ -21,13 +21,13 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
   network inet stream,
   network inet6 stream,
 
+  dbus bind bus=system name=org.freedesktop.timesync1,
+
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member={RequestName,ReleaseName}
        peer=(name=org.freedesktop.DBus, label=dbus-daemon),
 
-  dbus bind bus=system name=org.freedesktop.timesync1,
-
   @{exec_path} mr,
 
   @{etc_rw}/adjtime r,
@@ -36,11 +36,14 @@ profile systemd-timesyncd @{exec_path} flags=(attach_disconnected) {
 
   owner /var/lib/systemd/timesync/clock rw,
 
-  owner @{run}/systemd/journal/socket w,
-  owner @{run}/systemd/timesync/synchronized rw,
         @{run}/resolvconf/*.conf r,
         @{run}/systemd/netif/state r,
         @{run}/systemd/notify rw,
+  owner @{run}/systemd/journal/socket w,
+  owner @{run}/systemd/timesync/synchronized rw,
+
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
 
   include if exists <local/systemd-timesyncd>
 }

apparmor.d/groups/systemd/systemd-udevd

@@ -108,13 +108,15 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 
   @{sys}/** rw,
 
+        @{PROC}/@{pid}/mountinfo r,
         @{PROC}/@{pids}/cgroup r,
         @{PROC}/devices r,
         @{PROC}/driver/nvidia/gpus/ r,
         @{PROC}/driver/nvidia/gpus/*/information r,
+        @{PROC}/pressure/* r,
+        @{PROC}/sys/fs/nr_open r,
   owner @{PROC}/@{pid}/fd/ r,
   owner @{PROC}/@{pid}/loginuid r,
-        @{PROC}/@{pid}/mountinfo r,
   owner @{PROC}/@{pid}/oom_score_adj rw,
 
   /dev/ rw,

apparmor.d/groups/systemd/systemd-user-runtime-dir

@@ -22,10 +22,10 @@ profile systemd-user-runtime-dir @{exec_path} {
   mount fstype=tmpfs options=(rw,nosuid,nodev) -> @{run}/user/@{uid}/,
   umount @{run}/user/@{uid}/,
 
-  dbus send bus=system path=/org/freedesktop/login[0-9]
+  dbus send bus=system path=/org/freedesktop/login1
        interface=org.freedesktop.DBus.Properties
        member=Get
-       peer=(name=org.freedesktop.login[0-9]),
+       peer=(name=org.freedesktop.login1),
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-userdbd

@@ -30,5 +30,8 @@ profile systemd-userdbd @{exec_path} flags=(attach_disconnected) {
 
   @{run}/systemd/userdb/{,**} rw,
 
+  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/pressure/* r,
+
   include if exists <local/systemd-userdbd>
 }

apparmor.d/groups/systemd/systemd-userwork

@@ -17,6 +17,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
   @{exec_path} mr,
 
   /etc/machine-id r,
+  /etc/shadow r,
 
   @{run}/systemd/userdb/ r,