From ad8e5a9797aaba4cffc32ed44f35f4974f9aa287 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 10 Mar 2024 21:17:50 +0000
Subject: [PATCH] feat(fsp): update profile stack.

---
 apparmor.d/groups/_full/systemd         | 8 +++-----
 apparmor.d/groups/_full/systemd-service | 4 +++-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/apparmor.d/groups/_full/systemd b/apparmor.d/groups/_full/systemd
index 390f397d..41c10e96 100644
--- a/apparmor.d/groups/_full/systemd
+++ b/apparmor.d/groups/_full/systemd
@@ -32,7 +32,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   capability dac_read_search,
   capability fowner,
   capability fsetid,
-  capability kill,
   capability mknod,
   capability net_admin,
   capability perfmon,
@@ -45,7 +44,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   capability sys_nice,
   capability sys_ptrace,
   capability sys_resource,
-  capability sys_time,
   capability sys_tty_config,
 
   network inet dgram,
@@ -85,6 +83,8 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   remount @{MOUNTS}/{,**},
   remount @{run}/systemd/mount-rootfs/{,**},
   remount /,
+  remount /snap/{,**},
+  remount options=(ro noexec noatime bind) /var/snap/{,**},
   remount options=(ro nosuid bind) /dev/,
   remount options=(ro nosuid nodev bind) /dev/hugepages/,
   remount options=(ro nosuid nodev bind) /var/,
@@ -117,9 +117,6 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   # dbus: own bus=system name=org.freedesktop.systemd1
 
-  # For stacked profiles
-  # dbus: own bus=system name=org.freedesktop.oom1
-  # dbus: own bus=system name=org.freedesktop.timesync1
 
   dbus send bus=system path=/org/freedesktop/DBus
        interface=org.freedesktop.DBus
        member=GetConnectionUnixUser
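Review bot: Dropping `capability kill` (hunk @@ -32) and `capability sys_time` (hunk @@ -45) from the `systemd` profile needs checking against the stacked children that remain in this file: systemd-oomd and systemd-timesyncd still transition to `systemd//&systemd-oomd` and `systemd//&systemd-timesyncd` (hunk @@ -143), and under AppArmor stacking an access is only permitted when every profile in the stack permits it. If these two capabilities were carried here on behalf of the stacked children, as the removed `# For stacked profiles` comment in hunk @@ -117 suggests was the case for the dbus rules, oomd's cgroup kills and timesyncd's clock setting would now be denied even though the child profiles allow them. PID 1 itself presumably also needs CAP_KILL to signal services running under other UIDs, so a regression would surface as `operation="capable" capname="kill" profile="systemd"` denials in the audit log. If the removals are intentional, a one-line comment next to the stack transitions, such as `# stacked children carry their own capabilities; none are inherited from this profile`, would make that explicit for the next maintainer.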
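Review bot: The new `remount /snap/{,**},` line in hunk @@ -85 permits a remount with any option set, whereas the `/var/snap` line added right below it and the existing `/dev/` and `/var/` lines all pin `options=(...)`. If the denial that motivated it came from a specific flag set, pinning it the same way (`remount options=(<options from the audit entry>) /snap/{,**},`, placeholder to be filled in) would keep this profile from allowing those mounts to be flipped to writable or executable. I cannot tell from the hunk which options were observed, so this is a narrowing to confirm rather than a definite defect.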
@@ -143,6 +140,7 @@ profile systemd flags=(attach_disconnected,mediate_deleted) {
   /etc/init.d/* Px,
   /usr/share/*/** Px,
 
+  # stack: systemd-oomd systemd-timesyncd
   @{lib}/systemd/systemd-oomd rPx -> systemd//&systemd-oomd,
   @{lib}/systemd/systemd-timesyncd rPx -> systemd//&systemd-timesyncd,
 
diff --git a/apparmor.d/groups/_full/systemd-service b/apparmor.d/groups/_full/systemd-service
index 29094f65..d7620c3c 100644
--- a/apparmor.d/groups/_full/systemd-service
+++ b/apparmor.d/groups/_full/systemd-service
@@ -34,6 +34,7 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) {
   @{bin}/grub-editenv rPx,
   @{bin}/ibus-daemon rPx,
+  @{bin}/* r,
   @{lib}/ r,
 
   /var/cache/ldconfig/{,**} rw,
 
@@ -47,7 +48,8 @@ profile systemd-service @{exec_path} flags=(attach_disconnected) {
   # man-db.service
   /usr/{,local/}share/man/{,**} r,
-  /var/cache/man/{,**} rw,
+  /etc/manpath.config r,
+  /var/cache/man/{,**} rwk,
 
   # snapd.system-shutdown.service
   @{run}/initramfs/shutdown rw,
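Review bot: `@{bin}/* r,` in hunk @@ -34 of systemd-service is the only rule in this section without a service annotation, while the neighbouring entries are grouped under comments such as `# man-db.service` and `# snapd.system-shutdown.service`. Read access to every binary is harmless on its own, since it carries no `x` and the explicit `rPx` lines above still govern execution, but a maintainer pruning this profile later has no way to know which unit needs to read arbitrary binaries. A comment naming the service and the reason, e.g. `# <service>: reads binaries without executing them` with the placeholder filled from the audit entry, would document it in the file's existing style.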