feat(profile): update systemd profiles.

apparmor.d/groups/systemd-generators/systemd-generator-system-update

@@ -13,7 +13,8 @@ profile systemd-generator-system-update @{exec_path} flags=(attach_disconnected)
 
   @{exec_path} mr,
 
-  @{PROC}/@{pid}/cgroup r,
+  @{PROC}/@{pids}/cgroup r,
+  @{PROC}/@{pids}/status r,
 
   include if exists <local/systemd-generator-system-update>
 }

apparmor.d/groups/systemd/coredumpctl

@@ -68,7 +68,7 @@ profile coredumpctl @{exec_path} flags=(complain) {
 
     @{PROC}/@{pids}/fd/  r,
 
-  include if exists <local/coredumpctl_gdb>
+    include if exists <local/coredumpctl_gdb>
   }
 
   include if exists <local/coredumpctl>

apparmor.d/groups/systemd/localectl

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/localectl
-profile localectl @{exec_path} {
+profile localectl @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/common/systemd>
   include <abstractions/bus-system>

apparmor.d/groups/systemd/systemd-detect-virt

@@ -45,6 +45,7 @@ profile systemd-detect-virt @{exec_path} flags=(attach_disconnected) {
 
   deny capability net_admin,
   deny capability perfmon,
+  deny network (send receive) netlink raw,
 
   include if exists <local/systemd-detect-virt>
 }

apparmor.d/groups/systemd/systemd-dissect

@@ -27,7 +27,7 @@ profile systemd-dissect @{exec_path} flags=(attach_disconnected) {
 
   signal send set=cont peer=child-pager,
 
-  ptrace read peer=unconfined,
+  ptrace read peer=@{p_systemd},
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-hostnamed

@@ -44,6 +44,8 @@ profile systemd-hostnamed @{exec_path} flags=(attach_disconnected) {
   @{sys}/devices/virtual/dmi/id/board_vendor r,
   @{sys}/devices/virtual/dmi/id/chassis_type r,
   @{sys}/devices/virtual/dmi/id/product_name r,
+  @{sys}/devices/virtual/dmi/id/product_serial r,
+  @{sys}/devices/virtual/dmi/id/product_uuid r,
   @{sys}/devices/virtual/dmi/id/product_version r,
   @{sys}/devices/virtual/dmi/id/sys_vendor r,
   @{sys}/devices/virtual/dmi/id/uevent r,

apparmor.d/groups/systemd/systemd-journald

@@ -28,7 +28,7 @@ profile systemd-journald @{exec_path} flags=(attach_disconnected,mediate_deleted
 
   network netlink raw,
 
-  ptrace (read),
+  ptrace read,
 
   @{exec_path} mr,
 

apparmor.d/groups/systemd/systemd-localed

@@ -24,18 +24,30 @@ profile systemd-localed @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
+  @{bin}/cat           ix,
+  @{bin}/gzip          ix,
+  @{bin}/localedef     ix,
+  @{bin}/rm            ix,
+  @{bin}/sort          ix,
+  @{sbin}/locale-gen  rPx,
+
+  /usr/share/i18n/{,**} r,
   /usr/share/kbd/keymaps/{,**} r,
-  /usr/share/xkeyboard-config-2/{,**} r,
   /usr/share/systemd/*-map r,
   /usr/share/X11/xkb/{,**} r,
   /usr/share/xkeyboard-config-2/{,**} r,
 
+  /etc/ r,
   /etc/.#locale.conf@{hex16} rw,
+  /etc/.#locale.gen@{hex16} rw,
   /etc/.#vconsole.conf* rw,
   /etc/default/.#locale* rw,
   /etc/default/keyboard r,
   /etc/default/locale rw,
   /etc/locale.conf rw,
+  /etc/locale.gen rw,
+  /etc/nsswitch.conf r,
+  /etc/passwd r,
   /etc/vconsole.conf rw,
   /etc/X11/xorg.conf.d/ rw,
   /etc/X11/xorg.conf.d/.#*.conf@{hex} rw,

apparmor.d/groups/systemd/systemd-logind

@@ -124,12 +124,13 @@ profile systemd-logind @{exec_path} flags=(attach_disconnected) {
   @{sys}/module/vt/parameters/default_utf8 r,
   @{sys}/power/{state,resume_offset,resume,disk} r,
 
-        @{PROC}/@{pid}/cgroup r,
-        @{PROC}/@{pid}/comm r,
-        @{PROC}/@{pid}/fd/ r,
-        @{PROC}/@{pid}/mountinfo r,
-        @{PROC}/@{pid}/sessionid r,
-        @{PROC}/@{pid}/stat r,
+        @{PROC}/@{pids}/cgroup r,
+        @{PROC}/@{pids}/comm r,
+        @{PROC}/@{pids}/fd/ r,
+        @{PROC}/@{pids}/mountinfo r,
+        @{PROC}/@{pids}/sessionid r,
+        @{PROC}/@{pids}/stat r,
+        @{PROC}/@{pids}/status r,
         @{PROC}/1/cmdline r,
         @{PROC}/pressure/* r,
         @{PROC}/swaps r,

apparmor.d/groups/systemd/systemd-machine-id-setup

@@ -17,7 +17,7 @@ profile systemd-machine-id-setup @{exec_path} flags=(attach_disconnected) {
   capability sys_admin,
   capability sys_chroot,
 
-  ptrace (read),
+  ptrace read,
 
   mount options=(rw rshared) -> /,
   mount options=(rw rslave) -> /,

apparmor.d/groups/systemd/systemd-rfkill

@@ -13,6 +13,7 @@ profile systemd-rfkill @{exec_path} flags=(attach_disconnected) {
   include <abstractions/common/systemd>
 
   capability net_admin,
+  capability sys_admin,
   capability sys_ptrace,
 
   network netlink raw,

apparmor.d/groups/systemd/systemd-sleep-hdparm

@@ -13,6 +13,8 @@ profile systemd-sleep-hdparm @{exec_path} {
   @{exec_path} mr,
   @{sh_path} r,
 
+  @{lib}/pm-utils/power.d/*hdparm-apm ix,
+
   include if exists <local/systemd-sleep-hdparm>
 }
 

apparmor.d/groups/systemd/systemd-sleep-sysstat

@@ -12,6 +12,9 @@ profile systemd-sleep-sysstat @{exec_path} {
 
   @{exec_path} mr,
 
+  @{lib}/sysstat/sa{1,2} Px,
+  @{lib}/sysstat/debian-sa{1,2} Px,
+
   include if exists <local/systemd-sleep-sysstat>
 }
 

apparmor.d/groups/systemd/systemd-sleep-upgrades

@@ -11,6 +11,7 @@ profile systemd-sleep-upgrades @{exec_path} {
   include <abstractions/base>
 
   @{exec_path} mr,
+  @{sh_path} r,
 
   include if exists <local/systemd-sleep-upgrades>
 }

apparmor.d/groups/systemd/systemd-timedated

@@ -23,6 +23,14 @@ profile systemd-timedated @{exec_path} flags=(attach_disconnected) {
        interface=org.freedesktop.DBus.Properties
        member=GetAll
        peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
+  dbus send bus=system path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member={DisableUnitFiles,EnableUnitFiles}
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
+  dbus send bus=system path=/org/freedesktop/systemd1
+       interface=org.freedesktop.systemd1.Manager
+       member={JobRemoved,Reload,StartUnit,StopUnit}
+       peer=(name=org.freedesktop.systemd1, label="@{p_systemd}"),
 
   @{exec_path} mr,