From ddf5f1f5128b6e3c3992c69de129847a0917f9f3 Mon Sep 17 00:00:00 2001
From: Jeroen Rijken <jeroen.rijken@xs4all.nl>
Date: Sat, 30 Jul 2022 18:38:26 +0200
Subject: [PATCH] Use nameservice-strict, fix exec

---
 apparmor.d/profiles-s-z/zsysd | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/apparmor.d/profiles-s-z/zsysd b/apparmor.d/profiles-s-z/zsysd
index 1ca6e0e0..68b75348 100644
--- a/apparmor.d/profiles-s-z/zsysd
+++ b/apparmor.d/profiles-s-z/zsysd
@@ -10,6 +10,7 @@ include <tunables/global>
 profile zsysctl @{exec_path} flags=(complain) {
   include <abstractions/base>
   include <abstractions/dbus-strict>
+  include <abstractions/nameservice-strict>
 
   capability sys_ptrace,
   capability sys_admin,
@@ -18,13 +19,9 @@ profile zsysctl @{exec_path} flags=(complain) {
        interface=org.freedesktop.PolicyKit1.Authority
        member=CheckAuthorization,
 
-  @{exec_path}          rm,
-  /{usr/,}bin/zsysctl   rix,
-  /{usr/,}bin/zsysd     rix,
+  @{exec_path} rmix,
 
   /etc/hostid r,
-  /etc/passwd r,
-  /etc/nsswitch.conf r,
   /etc/zsys.conf r,
   
   /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,