feat(full): disable nnp flag on some services.

pkg/prebuild/prepare.go

@@ -200,6 +200,11 @@ func SetFullSystemPolicy() error {
 		return err
 	}
 
+	// Set systemd unit drop-in files
+	if err := copyTo(paths.New("systemd/full/"), Root.Join("systemd")); err != nil {
+		return err
+	}
+
 	logging.Success("Configure AppArmor for full system policy")
 	return nil
 }

systemd/full/system/ModemManager.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/e2scrub_reap.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/fwupd-refresh.service

@@ -0,0 +1,3 @@
+[Service]
+ProtectKernelModules=no
+RestrictRealtime=no

systemd/full/system/irqbalance.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/rngd.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-homed.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-hostnamed.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-journald.service

@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no

systemd/full/system/systemd-localed.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-logind.service

@@ -0,0 +1,3 @@
+[Service]
+NoNewPrivileges=no
+ProtectClock=no

systemd/full/system/systemd-timedated.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/systemd-userdbd.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/upower.service

@@ -0,0 +1,2 @@
+[Service]
+NoNewPrivileges=no

systemd/full/system/user@.service

@@ -0,0 +1,3 @@
+# TODO: works as intended on server, does not work on desktop
+# [Service]
+# AppArmorProfile=systemd-user