feat(profile): use @{sbin} for all program inside /usr/sbin.

apparmor.d/groups/network/openvpn

@@ -22,7 +22,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/openvpn
+@{exec_path} = @{sbin}/openvpn
 profile openvpn @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/nameservice-strict>
@@ -61,7 +61,7 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
   @{run}/openvpn/*.{pid,status} rw,
   @{run}/systemd/journal/dev-log r,
 
-  @{bin}/ip                                rix,
+  @{sbin}/ip                               rix,
   @{bin}/systemd-ask-password              rPx,
   @{lib}/nm-openvpn-service-openvpn-helper rPx,
   /etc/openvpn/force-user-traffic-via-vpn.sh    rCx -> force-user-traffic-via-vpn,
@@ -83,9 +83,9 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
 
     @{sh_path}                rix,
     @{bin}/cut                rix,
-    @{bin}/ip                 rix,
+    @{sbin}/ip                rix,
     @{bin}/which{,.debianutils}  rix,
-    @{bin}/xtables-nft-multi rix,
+    @{sbin}/xtables-nft-multi rix,
 
     /etc/iproute2/rt_tables r,
     /etc/iproute2/rt_tables.d/{,*} r,
@@ -110,8 +110,8 @@ profile openvpn @{exec_path} flags=(attach_disconnected) {
     @{bin}/{,e}grep   rix,
     @{bin}/cut        rix,
     @{bin}/env        rix,
-    @{bin}/ip         rix,
-    @{bin}/nft        rix,
+    @{sbin}/ip        rix,
+    @{sbin}/nft       rix,
     @{bin}/sed        rix,
 
     /etc/iproute2/rt_realms r,