feat(profile): general update

apparmor.d/profiles-g-l/hw-probe

@@ -191,6 +191,7 @@ profile hw-probe @{exec_path} {
     @{sys}/devices/**/uevent r,
     @{run}/udev/data/* r,
 
+    include if exists <local/hw-probe_udevadm>
   }
 
   profile kmod {
@@ -205,6 +206,7 @@ profile hw-probe @{exec_path} {
     @{sys}/module/*/{coresize,refcnt} r,
     @{sys}/module/*/holders/ r,
 
+    include if exists <local/hw-probe_kmod>
   }
 
   profile netconfig {

apparmor.d/profiles-g-l/logrotate

@@ -17,11 +17,9 @@ profile logrotate @{exec_path} flags=(attach_disconnected) {
   capability dac_read_search,
   capability fowner,
   capability fsetid,
+  capability net_admin,
   capability setgid,
   capability setuid,
-  capability net_admin,
-
-  audit deny capability net_admin,
 
   signal (send) set=(hup),
   signal (send) set=(term cont) peer=systemd-tty-ask-password-agent,

apparmor.d/profiles-g-l/lscpu

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -13,22 +14,19 @@ profile lscpu @{exec_path} {
 
   @{exec_path} mr,
 
-  @{PROC}/ r,
-  @{PROC}/sys/kernel/osrelease r,
-  @{PROC}/bus/pci/devices r,
-
   @{sys}/devices/system/cpu/{,**} r,
-
-  @{sys}/firmware/dmi/tables/DMI r,
-
-
   @{sys}/devices/system/node/ r,
   @{sys}/devices/system/node/node@{int}/cpumap r,
+  @{sys}/firmware/dmi/tables/DMI r,
+  @{sys}/kernel/cpu_byteorder r,
 
-  owner @{sys}/kernel/cpu_byteorder r,
+  @{PROC}/ r,
+  @{PROC}/bus/pci/devices r,
+  @{PROC}/sys/kernel/osrelease r,
 
   /dev/tty@{int} rw,
-  
+
+  deny network unix stream,
 
   include if exists <local/lscpu>
 }