feat(full): improve fps setup.

apparmor.d/groups/_full/default

@@ -44,6 +44,8 @@ profile default @{exec_path} flags=(attach_disconnected,mediate_deleted) {
   @{bin}/su              rPx -> default-sudo,
   @{bin}/sudo            rPx -> default-sudo,
   @{bin}/systemctl       rix,
+  @{coreutils_path}      rix,
+  @{shells_path}         rix,
 
   @{bin}/less            rPx -> child-pager,
   @{bin}/more            rPx -> child-pager,

apparmor.d/groups/_full/systemd

@@ -93,20 +93,18 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   # dbus: own bus=system name=org.freedesktop.systemd1
 
   @{bin}/systemctl                  rix,
-  @{bin}/true                       rix,
-  @{lib}/systemd/systemd            rix, # FIXME: AppArmorProfile=systemd-user, does not work with DE
 
-  @{bin}/{,ba,da}sh                 rPx -> systemd.service,
+  @{lib}/systemd/systemd-executor   rix,
-  @{bin}/chgrp                      rPx -> systemd.service,
+  @{lib}/systemd/systemd            rix, # FIXME: AppArmorProfile=systemd-user, does not work with DE
-  @{bin}/chmod                      rPx -> systemd.service,
+                                         # Maybe: rPx -> systemd-user-gdm (in user@120.service.d)?
-  @{bin}/cp                         rPx -> systemd.service,
+
-  @{bin}/find                       rPx -> systemd.service,
-  @{bin}/install                    rPx -> systemd.service,
   @{bin}/ldconfig                   rPx -> systemd.service,
   @{bin}/mandb                      rPx -> systemd.service,
-  @{bin}/mkdir                      rPx -> systemd.service,
   @{bin}/mount                      rPx -> systemd.service,
   @{bin}/savelog                    rPx -> systemd.service,
+  @{coreutils_path}                 rPx -> systemd.service,
+  @{shells_path}                    rPx -> systemd.service,
+
 
   audit @{bin}/**                   Pix,
   audit @{lib}/**                   Pix,
@@ -193,6 +191,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   @{sys}/fs/**/ r,
   @{sys}/fs/cgroup/{,**} rw,
   @{sys}/kernel/**/ r,
+  @{sys}/module/**/uevent r,
   @{sys}/module/apparmor/parameters/enabled r,
 
         @{PROC}/@{pid}/{uid_map,gid_map} r,
@@ -203,6 +202,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
         @{PROC}/@{pid}/coredump_filter r,
         @{PROC}/@{pid}/environ r,
         @{PROC}/@{pid}/fd/ r,
+        @{PROC}/@{pid}/fdinfo/@{int} r,
         @{PROC}/@{pid}/gid_map w,
         @{PROC}/@{pid}/loginuid rw,
         @{PROC}/@{pid}/mountinfo r,
@@ -219,6 +219,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
         @{PROC}/sys/kernel/* r,
         @{PROC}/sys/kernel/random/* rw,
         @{PROC}/sys/net/ipv{4,6}/** rw,
+        @{PROC}/sysvipc/{shm,sem,msg} r,
   owner @{PROC}/@{pid}/oom_score_adj rw,
 
         /dev/ r,

apparmor.d/groups/_full/systemd-user

@@ -27,10 +27,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   ptrace (read),
 
   signal (send) set=(term, cont, kill),
+  signal (receive) set=(hup) peer=@{systemd},
+
 
   @{exec_path} mr,
 
   @{bin}/systemctl                  rCx -> systemctl,
+  @{lib}/systemd/systemd-executor   rix,
 
   audit @{lib}/** Pix,
   audit @{bin}/** Pix,
@@ -76,6 +79,7 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/sys/kernel/pid_max r,
         @{PROC}/sys/kernel/threads-max r,
+  owner @{PROC}/@{pid}/fdinfo/@{int} r,
   owner @{PROC}/@{pids}/attr/apparmor/exec w,
   owner @{PROC}/@{pids}/fd/ r,
   owner @{PROC}/@{pids}/mountinfo r,