feat(fsp): update systemd related profiles.

apparmor.d/groups/_full/systemd

@@ -18,6 +18,7 @@ include <tunables/global>
 profile systemd flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/authentication>
+  include <abstractions/bus-system>
   include <abstractions/nameservice-strict>
   include <abstractions/wutmp>
 
@@ -46,15 +47,14 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   capability sys_tty_config,
 
   network inet dgram,
-  network inet raw,
   network inet stream,
   network inet6 dgram,
-  network inet6 raw,
   network inet6 stream,
   network netlink raw,
 
   mount -> @{run}/systemd/incoming/,
   mount -> @{run}/systemd/mount-rootfs/{,**},
+  mount -> @{run}/systemd/unit-root/{,**},
   mount -> @{sys}/fs/fuse/connections/,
   mount -> @{sys}/kernel/config/,
   mount -> @{sys}/kernel/debug/,
@@ -75,6 +75,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   mount fstype=sysfs sysfs -> @{run}/systemd/namespace-@{rand6}/,
   mount fstype=tmpfs tmpfs -> @{run}/systemd/namespace-@{rand6}/dev/,
   mount fstype=tmpfs tmpfs -> /dev/shm/,
+  mount fstype=ramfs ramfs -> /dev/shm/,
 
   umount /,
   umount /dev/shm/,
@@ -94,7 +95,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
 
   unix (send) type=dgram,
 
-  dbus, # TODO: WIP
   # dbus: own bus=system name=org.freedesktop.systemd1
 
   @{bin}/systemctl                  rix,
@@ -134,15 +134,11 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   /etc/conf.d/{,**} r,
   /etc/credstore.encrypted/{,**} r,
   /etc/credstore/{,**} r,
-  /etc/default/** r,
   /etc/environment r,
   /etc/environment.d/{,**} r,
-  /etc/locale.conf r,
   /etc/machine-id r,
-  /etc/modules-load.d/ r,
+  /etc/modules-load.d/{,**} r,
-  /etc/networkd-dispatcher/{,**} r,
   /etc/systemd/{,**} r,
-  /etc/udev/hwdb.d/{,*} r,
 
         /var/lib/systemd/{,**} rw,
   owner /var/tmp/systemd-private-*/{,**} rw,

apparmor.d/groups/_full/systemd-service

@@ -13,10 +13,15 @@ include <tunables/global>
 profile systemd-service @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
+  include <abstractions/nameservice-strict>
+
+  capability chown,
+  capability fsetid,
 
   @{bin}/ldconfig      rix,
   @{bin}/savelog       rix,
   @{bin}/systemctl     rix,
+  @{bin}/gzip          rix,
   @{coreutils_path}    rix,
   @{shells_path}      rmix,
 

apparmor.d/groups/_full/systemd-user

@@ -19,6 +19,8 @@ include <tunables/global>
 profile systemd-user flags=(attach_disconnected,mediate_deleted) {
   include <abstractions/base>
   include <abstractions/audio>
+  include <abstractions/bus-session>
+  include <abstractions/bus-system>
   include <abstractions/nameservice-strict>
   include <abstractions/video>
 
@@ -29,6 +31,13 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 
   ptrace (read),
 
+  # dbus: own bus=session name=org.freedesktop.systemd1
+
+  dbus receive bus=session
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect 
+       peer=(name=:*, label=gnome-shell),
+
   @{exec_path} mr,
 
   @{bin}/dbus-broker-launch         rix,  # To avoid issue as in #74, #80 & #235
@@ -62,10 +71,12 @@ profile systemd-user flags=(attach_disconnected,mediate_deleted) {
 
   / r,
 
+  /var/lib/gdm{3,}/.config/pulse/{,**} rw,
   /var/lib/gdm{3,}/.local/state/wireplumber/{,**} rw,
 
   owner @{HOME}/.local/ w,
 
+  owner @{user_config_dirs}/pulse/{,**} rw,
   owner @{user_config_dirs}/systemd/user/{,**} r,
 
   owner @{user_state_dirs}/ w,