feat(profile): use @{sbin} for all program inside /usr/sbin.

apparmor.d/groups/utils/agetty

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/agetty
+@{exec_path} = @{sbin}/agetty
 profile agetty @{exec_path} {
   include <abstractions/base>
   include <abstractions/nameservice-strict>

apparmor.d/groups/utils/blkid

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/blkid
+@{exec_path} = @{sbin}/blkid
 profile blkid @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/utils/blockdev

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/blockdev
+@{exec_path} = @{sbin}/blockdev
 profile blockdev @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/groups/utils/fsck

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/fsck
+@{exec_path} = @{sbin}/fsck
 profile fsck @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/disks-read>
@@ -18,8 +18,8 @@ profile fsck @{exec_path} flags=(attach_disconnected) {
 
   @{exec_path} mr,
 
-  @{bin}/e2fsck rPx,
-  @{bin}/fsck.* rPx,
+  @{sbin}/e2fsck rPx,
+  @{sbin}/fsck.* rPx,
 
   /etc/fstab r,
 

apparmor.d/groups/utils/fstrim

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/fstrim
+@{exec_path} = @{sbin}/fstrim
 profile fstrim @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/groups/utils/locale-gen

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/locale-gen
+@{exec_path} = @{sbin}/locale-gen
 profile locale-gen @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/utils/losetup

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/losetup
+@{exec_path} = @{sbin}/losetup
 profile losetup @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/utils/nologin

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/nologin
+@{exec_path} = @{sbin}/nologin
 profile nologin @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/utils/su

@@ -22,7 +22,7 @@ profile su @{exec_path} {
   @{exec_path} mr,
 
   @{bin}/@{shells}     rUx,
-  @{bin}/nologin       rPx,
+  @{sbin}/nologin      rPx,
 
   @{etc_ro}/default/su r,
   /etc/default/locale r,

apparmor.d/groups/utils/sulogin

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/sulogin
+@{exec_path} = @{sbin}/sulogin
 profile sulogin @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/utils/swaplabel

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/swaplabel
+@{exec_path} = @{sbin}/swaplabel
 profile swaplabel @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/groups/utils/swapon

@@ -7,7 +7,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/swapon @{bin}/swapoff
+@{exec_path} = @{sbin}/swapon @{sbin}/swapoff
 profile swapon @{exec_path} {
   include <abstractions/base>
   include <abstractions/disks-write>

apparmor.d/groups/utils/uuidd

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/uuidd
+@{exec_path} = @{sbin}/uuidd
 profile uuidd @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>

apparmor.d/groups/utils/zramctl

@@ -6,7 +6,7 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = @{bin}/zramctl
+@{exec_path} = @{sbin}/zramctl
 profile zramctl @{exec_path} {
   include <abstractions/base>
   include <abstractions/consoles>