From 04513af86336dc86ddd4cb5558ee812e6a637c1a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Wed, 22 Nov 2023 18:43:43 +0000
Subject: [PATCH] feat: cleanup child-systemctl

---
 apparmor.d/groups/children/child-systemctl | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/apparmor.d/groups/children/child-systemctl b/apparmor.d/groups/children/child-systemctl
index fd599740..cb793cca 100644
--- a/apparmor.d/groups/children/child-systemctl
+++ b/apparmor.d/groups/children/child-systemctl
@@ -1,6 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
-# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 # Note: This profile does not specify an attachment path because it is
@@ -18,14 +18,13 @@ profile child-systemctl flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/dbus-strict>
+  include <abstractions/systemd-common>
   include <abstractions/wutmp>
 
   capability mknod,
   capability net_admin,
   capability sys_ptrace,
 
-  ptrace (read),
-
   network inet stream,
   network inet6 stream,
 
@@ -46,18 +45,6 @@ profile child-systemctl flags=(attach_disconnected) {
 
   @{run}/systemd/private rw,
 
-  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
-
-        @{PROC}/1/environ r,
-        @{PROC}/1/sched r,
-        @{PROC}/cmdline r,
-        @{PROC}/sys/kernel/osrelease r,
-        @{PROC}/sys/kernel/random/boot_id r,
-        @{PROC}/@{pid}/comm r,
-  owner @{PROC}/@{pid}/stat r,
-
-  /dev/kmsg w,
-
   deny /apparmor/.null rw,
 
   include if exists <local/child-systemctl>