feat(fsp): restrict @{run} for systemd.

apparmor.d/groups/_full/systemd

@@ -19,6 +19,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/authentication>
   include <abstractions/bus-system>
+  include <abstractions/disks-read>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
 
@@ -145,18 +146,24 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   /tmp/namespace-dev-@{rand6}/{,**} rw,
   /tmp/systemd-private-*/{,**} rw,
 
-        @{run}/ r,
-        @{run}/credentials/{,**} rw,
-        @{run}/dbus/system_bus_socket rw,
-        @{run}/spice-vdagentd/spice-vdagent-sock rw,
-        @{run}/systemd/{,**} rw,
-        @{run}/udev/control rw,
-        @{run}/udev/data/* r,
-        @{run}/udev/tags/systemd/ r,
-        @{run}/user/@{uid}/{,**} rwlk,
-  owner @{run}/* rw,
-  owner @{run}/*/ rw,
-  owner @{run}/*/* rw,
+  @{run}/ rw,
+  @{run}/auditd.pid r,
+  @{run}/credentials/{,**} rw,
+  @{run}/initctl rw,
+  @{run}/spice-vdagentd/* rw,
+  @{run}/systemd/{,**} rw,
+  @{run}/udev/control rw,
+  @{run}/mount/ rw,
+  @{run}/mount/utab r,
+
+  @{run}/udev/data/+module:configfs r,
+  @{run}/udev/data/+module:fuse r,
+  @{run}/udev/data/c4:@{int} r,           # For TTY devices
+  @{run}/udev/data/c10:@{int}   r,        # For non-serial mice, misc features
+  @{run}/udev/data/c116:@{int} r,         # For ALSA
+  @{run}/udev/data/c@{dynamic}:@{int} r,  # For dynamic assignment range 234 to 254, 384 to 511
+  @{run}/udev/data/n@{int} r,
+  @{run}/udev/tags/systemd/ r,
 
   @{sys}/bus/ r,
   @{sys}/class/ r,