feat(profile): start implementing systemctl subprofile instead of using child-systemctl.

apparmor.d/abstractions/systemctl

@@ -12,6 +12,7 @@
 
   owner @{run}/systemd/private rw,
 
+  @{PROC}/@{pid}/comm r,
   @{PROC}/cmdline r,
   @{PROC}/sys/kernel/osrelease r,
 

apparmor.d/groups/apt/dpkg

@@ -30,7 +30,7 @@ profile dpkg @{exec_path} {
   @{bin}/dpkg-deb    rpx,
   @{bin}/dpkg-query  rpx,
   @{bin}/dpkg-split  rPx,
-  @{bin}/systemctl   rPx -> child-systemctl,
+  @{bin}/systemctl   rCx -> systemctl,
   @{lib}/needrestart/dpkg-status rPx,
   /usr/share/debian-security-support/check-support-status.hook rPx,
 
@@ -76,5 +76,12 @@ profile dpkg @{exec_path} {
 
   owner /dev/tty@{int} rw,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/dpkg_systemctl>
+  }
+
   include if exists <local/dpkg>
 }

apparmor.d/groups/gnome/gdm-xsession

@@ -45,7 +45,7 @@ profile gdm-xsession @{exec_path} {
   @{bin}/gpgconf                               rPx,
   @{bin}/gsettings                             rPx,
   @{bin}/im-launch                             rPx,
-  @{bin}/systemctl                             rPx -> child-systemctl,
+  @{bin}/systemctl                             rCx -> systemctl,
   @{bin}/xbrlapi                               rPx,
   @{bin}/xhost                                 rPx,
   @{bin}/xrdb                                  rPx,
@@ -83,5 +83,12 @@ profile gdm-xsession @{exec_path} {
     include if exists <local/gdm-xsession_dbus>
   }
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/gdm-xsession_systemctl>
+  }
+
   include if exists <local/gdm-xsession>
 }

apparmor.d/groups/network/NetworkManager

@@ -94,7 +94,7 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
   @{bin}/kmod                                                rPx,
   @{bin}/netconfig                                          rPUx,
   @{bin}/resolvconf                                          rPx,
-  @{bin}/systemctl                                           rPx -> child-systemctl,
+  @{bin}/systemctl                                           rCx -> systemctl,
   @{lib}/{,NetworkManager/}nm-daemon-helper                  rPx,
   @{lib}/{,NetworkManager/}nm-dhcp-helper                    rPx,
   @{lib}/{,NetworkManager/}nm-dispatcher                     rPx,
@@ -153,5 +153,12 @@ profile NetworkManager @{exec_path} flags=(attach_disconnected) {
 
   /dev/rfkill rw,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/NetworkManager_systemctl>
+  }
+
   include if exists <local/NetworkManager>
 }

apparmor.d/groups/network/netplan.script

@@ -49,14 +49,10 @@ profile netplan.script @{exec_path} flags=(attach_disconnected) {
 
   profile systemctl {
     include <abstractions/base>
-    include <abstractions/systemd-common>
+    include <abstractions/systemctl>
 
     capability net_admin,
 
-    @{bin}/systemctl mr,
-
-    owner @{run}/systemd/private rw,
-
     include if exists <local/netplan.script_systemctl>
   }
 

apparmor.d/groups/pacman/pacman

@@ -104,7 +104,7 @@ profile pacman @{exec_path} {
   @{bin}/setfacl                     rix,
   @{bin}/sync                        rix,
   @{bin}/sysctl                      rPx,
-  @{bin}/systemctl                   rPx -> child-systemctl,
+  @{bin}/systemctl                   rCx -> systemctl,
   @{bin}/systemd-*                   rPx,
   @{bin}/touch                       rix,
   @{bin}/tput                        rix,
@@ -203,6 +203,15 @@ profile pacman @{exec_path} {
     include if exists <local/pacman_gpg>
   }
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/pacman_systemctl>
+  }
+
   include if exists <usr/pacman.d>
   include if exists <local/pacman>
 }

apparmor.d/groups/pacman/pacman-hook-systemd

@@ -19,7 +19,7 @@ profile pacman-hook-systemd @{exec_path} {
   @{bin}/touch rix,
 
   @{bin}/journalctl             rPx,
-  @{bin}/systemctl              rPx -> child-systemctl,
+  @{bin}/systemctl              rCx -> systemctl,
   @{bin}/systemd-detect-virt    rPx,
   @{bin}/systemd-hwdb           rPx,
   @{bin}/systemd-sysusers       rPx,
@@ -38,5 +38,14 @@ profile pacman-hook-systemd @{exec_path} {
   deny network inet6 stream,
   deny network inet stream,
 
+  profile systemctl flags=(attach_disconnected) {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/pacman-hook-systemd_systemctl>
+  }
+
   include if exists <local/pacman-hook-systemd>
 }

apparmor.d/groups/systemd/systemd-udevd

@@ -131,14 +131,12 @@ profile systemd-udevd @{exec_path} flags=(attach_disconnected,complain) {
 
   profile systemctl flags=(attach_disconnected,complain) {
     include <abstractions/base>
-    include <abstractions/systemd-common>
+    include <abstractions/systemctl>
 
     capability net_admin,
     capability sys_ptrace,
 
-    @{bin}/systemctl mr,
-  
-    / r,
+    # / r,
 
     @{PROC}/sys/kernel/cap_last_cap r,
 

apparmor.d/groups/ubuntu/apport-gtk

@@ -48,7 +48,7 @@ profile apport-gtk @{exec_path} {
   @{bin}/lsb_release            rPx -> lsb_release,
   @{bin}/md5sum                 rix,
   @{bin}/pkexec                 rPx, # TODO: rCx or something
-  @{bin}/systemctl              rPx -> child-systemctl,
+  @{bin}/systemctl              rCx -> systemctl,
   @{bin}/which{,.debianutils}   rix,
   @{lib}/{,colord/}colord-sane  rPx,
   @{lib}/@{multiarch}/ld*.so*   rix,
@@ -121,6 +121,14 @@ profile apport-gtk @{exec_path} {
 
     @{PROC}/@{pids}/fd/ r,
 
+    include if exists <local/apport-gtk_gdb>
+  }
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/apport-gtk_systemctl>
   }
 
   include if exists <local/apport-gtk>

apparmor.d/profiles-m-r/needrestart

@@ -31,7 +31,7 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   @{bin}/python3.@{int}                    rix,
   @{bin}/sed                               rix,
   @{bin}/stty                              rix,
-  @{bin}/systemctl                         rPx -> child-systemctl,
+  @{bin}/systemctl                         rCx -> systemctl,
   @{bin}/systemd-detect-virt               rPx,
   @{bin}/udevadm                           rPx,
   @{bin}/unix_chkpwd                       rPx,
@@ -72,5 +72,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   /dev/ r,
   /dev/**/ r,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    capability net_admin,
+
+    include if exists <local/needrestart_systemctl>
+  }
+
   include if exists <local/needrestart>
 }

apparmor.d/profiles-s-z/sensors-detect

@@ -18,7 +18,7 @@ profile sensors-detect @{exec_path} {
  
   @{bin}/kmod       rCx -> kmod,
   @{bin}/perl         r,
-  @{bin}/systemctl  rPx -> child-systemctl,
+  @{bin}/systemctl  rCx -> systemctl,
   @{bin}/udevadm    rCx -> udevadm,
   @{bin}/uname      rix,
 
@@ -65,5 +65,12 @@ profile sensors-detect @{exec_path} {
     include if exists <local/sensors-detect_udevadm>
   }
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/systemctl>
+
+    include if exists <local/sensors-detect_systemctl>
+  }
+
   include if exists <local/sensors-detect>
 }