From e0174ac95e30f56b68e47b1ab0e9b5ad2caa2e95 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Wed, 6 Aug 2025 17:37:03 +0200
Subject: [PATCH] feat(profile): merge resolvectl and systemd-resolve.

---
 apparmor.d/groups/systemd/resolvectl      | 10 +++++++--
 apparmor.d/groups/systemd/systemd-resolve | 27 -----------------------
 dists/flags/main.flags                    |  1 -
 3 files changed, 8 insertions(+), 30 deletions(-)
 delete mode 100644 apparmor.d/groups/systemd/systemd-resolve

diff --git a/apparmor.d/groups/systemd/resolvectl b/apparmor.d/groups/systemd/resolvectl
index 1ef3404d9..142d0c9d8 100644
--- a/apparmor.d/groups/systemd/resolvectl
+++ b/apparmor.d/groups/systemd/resolvectl
@@ -7,11 +7,17 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/resolvectl
-profile resolvectl @{exec_path} {
+profile resolvectl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
-  include <abstractions/consoles>
   include <abstractions/bus-system>
   include <abstractions/common/systemd>
+  include <abstractions/consoles>
+
+  capability net_admin,
+
+  network inet raw,
+  network inet6 raw,
+  network netlink raw, 
 
   signal send set=cont peer=child-pager,
 
diff --git a/apparmor.d/groups/systemd/systemd-resolve b/apparmor.d/groups/systemd/systemd-resolve
deleted file mode 100644
index f716aa3af..000000000
--- a/apparmor.d/groups/systemd/systemd-resolve
+++ /dev/null
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = @{bin}/resolvectl
-@{exec_path} += @{bin}/systemd-resolve
-profile systemd-resolve @{exec_path} {
-  include <abstractions/base>
-
-  capability mknod,
-  capability net_admin,
-
-  network netlink raw,
-
-  @{exec_path} mr,
-
-        @{PROC}/ r,
-  owner @{PROC}/@{pids}/fd/ r,
-
-  include if exists <local/systemd-resolve>
-}
-
-# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 3aeab3192..22e9a1447 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -362,7 +362,6 @@ systemd-network-generator attach_disconnected,complain
 systemd-nsresourced attach_disconnected,complain
 systemd-nsresourcework complain
 systemd-portabled complain
-systemd-resolve complain
 systemd-shutdown complain
 systemd-sleep-tlp complain
 systemd-socket-proxyd complain