feat(fsp): improve systemd profile.

apparmor.d/groups/_full/systemd

@@ -57,9 +57,9 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   mount fstype=autofs                                             systemd-1 -> /efi/,
   mount fstype=proc  options=(rw nosuid nodev noexec)                  proc -> @{run}/systemd/namespace-@{rand6}/,
   mount fstype=sysfs options=(rw nosuid nodev noexec)                 sysfs -> @{run}/systemd/namespace-@{rand6}/,
+  mount fstype=tmpfs                                                  tmpfs -> /dev/shm/,
   mount fstype=tmpfs                                                  tmpfs -> /tmp/,
   mount fstype=tmpfs options=(rw nosuid nodev noexec strictatime)     tmpfs -> @{run}/systemd/mount-rootfs/@{run}/credentials/,
-  mount fstype=tmpfs options=(rw nosuid nodev noexec)                 tmpfs -> /dev/shm/,
   mount fstype=tmpfs options=(rw nosuid noexec strictatime)           tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
 
   mount options=(rw bind)                                           /dev/** -> @{run}/systemd/namespace-@{rand6}/dev/**,
@@ -184,6 +184,10 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{run}/initctl rw,
   @{run}/systemd/{,**} rw,
 
+  @{run}/udev/data/+bluetooth:* r,
+  @{run}/udev/data/+backlight:* r,
+  @{run}/udev/data/+leds:*backlight* r,
+
   @{run}/udev/data/+module:configfs r,
   @{run}/udev/data/+module:fuse r,
   @{run}/udev/data/c4:@{int} r,           # For TTY devices

apparmor.d/groups/_full/systemd-service

@@ -2,7 +2,9 @@
 # Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
-# Profile for generic systemd unit services. Only used by service without profile.
+# Profile for generic systemd unit services. Only used by tiny systemd services
+# that start a shell or use context specific programs.
+
 # It does not specify an attachment path because it is intended to be used only
 # via "Px -> systemd-service" exec transitions from the systemd profile.