feat(profile): update systemd profiles.

apparmor.d/groups/systemd/bootctl

@@ -13,6 +13,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/disks-read>
   include <abstractions/common/systemd>
 
+  capability linux_immutable,
   capability mknod,
   capability net_admin,
   capability sys_resource,
@@ -47,8 +48,8 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{sys}/firmware/dmi/entries/*/raw r,
   @{sys}/firmware/efi/efivars/ r,
   @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
-  @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
-  @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
+  @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} rw,
+  @{sys}/firmware/efi/efivars/BootOrder-@{uuid} rw,
   @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
@@ -59,7 +60,7 @@ profile bootctl @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
   @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} rw,
-  @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
+  @{sys}/firmware/efi/efivars/OsIndications-@{uuid} rw,
   @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
   @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
   @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,

apparmor.d/groups/systemd/busctl

@@ -48,6 +48,13 @@ profile busctl @{exec_path} flags=(attach_disconnected) {
        member={GetConnectionCredentials,ListNames,ListActivatableNames}
        peer=(name=org.freedesktop.DBus, label="@{p_dbus_session}"),
 
+  dbus send bus=system
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect,
+  dbus send bus=system
+       interface=org.freedesktop.DBus.Properties
+       member={GetAll,Get},
+
   @{exec_path} mr,
 
   @{pager_path} rPx -> child-pager,

apparmor.d/groups/systemd/journalctl

@@ -30,6 +30,9 @@ profile journalctl @{exec_path} flags=(attach_disconnected) {
 
   @{pager_path} rPx -> child-pager,
 
+  @{bin}/* r,
+  @{sbin}/* r,
+
   /var/lib/dbus/machine-id r,
   /etc/machine-id r,
 

apparmor.d/groups/systemd/networkctl

@@ -11,6 +11,7 @@ include <tunables/global>
 profile networkctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/bus-system>
+  include <abstractions/nameservice-strict>
 
   capability net_admin,
   capability sys_module,
@@ -52,6 +53,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
 
   @{att}/@{run}/systemd/netif/io.systemd.Network rw,
 
+  @{run}/systemd/netif/links/ r,
   @{run}/systemd/netif/leases/@{int} r,
   @{run}/systemd/netif/links/@{int} r,
   @{run}/systemd/netif/state r,
@@ -63,6 +65,7 @@ profile networkctl @{exec_path} flags=(attach_disconnected) {
 
         @{PROC}/1/cgroup r,
         @{PROC}/cmdline r,
+        @{PROC}/sys/fs/nr_open r,
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/sys/kernel/random/boot_id r,
   owner @{PROC}/@{pid}/cgroup r,

apparmor.d/groups/systemd/systemd-localed

@@ -33,8 +33,8 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
   /etc/default/locale rw,
   /etc/locale.conf rw,
   /etc/vconsole.conf rw,
-  /etc/X11/xorg.conf.d/ r,
-  /etc/X11/xorg.conf.d/.#*.confd* rw,
+  /etc/X11/xorg.conf.d/ rw,
+  /etc/X11/xorg.conf.d/.#*.conf@{hex} rw,
   /etc/X11/xorg.conf.d/*.conf rw,
 
   @{att}/@{run}/systemd/notify rw,

apparmor.d/groups/systemd/systemd-machined

@@ -37,6 +37,8 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
 
   ptrace read peer=systemd-nspawn,
 
+  unix type=stream addr=@@{udbus}/bus/systemd-machine/system,
+
   #aa:dbus own bus=system name=org.freedesktop.machine1
 
   #aa:dbus talk bus=system name=org.freedesktop.systemd1 label="@{p_systemd}"
@@ -71,6 +73,7 @@ profile systemd-machined @{exec_path} flags=(attach_disconnected) {
   /dev/ptmx rw,
   /dev/pts/@{int} rw,
   /dev/pts/ptmx rw,
+  /dev/vsock r,
 
   include if exists <local/systemd-machined>
 }

apparmor.d/groups/systemd/systemd-networkd

@@ -60,9 +60,13 @@ profile systemd-networkd @{exec_path} flags=(attach_disconnected) {
   @{att}/@{run}/systemd/notify rw,
 
   @{run}/mount/utab r,
+  @{run}/systemd/resolve/resolv.conf r,
 
   owner @{att}/var/lib/systemd/network/ r,
 
+  owner /var/lib/systemd/network/ rw,
+  owner /var/lib/systemd/network/** rwk,
+
         @{run}/systemd/network/ r,
         @{run}/systemd/network/*.network r,
   owner @{run}/systemd/netif/** rw,

apparmor.d/groups/systemd/systemd-nsresourcework

@@ -16,6 +16,8 @@ profile systemd-nsresourcework @{exec_path} {
 
   @{exec_path} mr,
 
+  @{run}/systemd/nsresource/registry/ r,
+
   include if exists <local/systemd-nsresourcework>
 }
 

apparmor.d/groups/systemd/systemd-userwork

@@ -18,6 +18,7 @@ profile systemd-userwork @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  /etc/gshadow r,
   /etc/machine-id r,
   /etc/shadow r,
 

apparmor.d/groups/systemd/userdbctl

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/userdbctl
-profile userdbctl @{exec_path} {
+profile userdbctl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
@@ -29,6 +29,7 @@ profile userdbctl @{exec_path} {
         @{PROC}/1/cgroup r,
   owner @{PROC}/@{pid}/cgroup r,
   owner @{PROC}/@{pid}/gid_map r,
+  owner @{PROC}/@{pid}/setgroups r,
   owner @{PROC}/@{pid}/uid_map r,
 
   include if exists <local/userdbctl>