feat(systemd): add some systemd-user-generators.

apparmor.d/groups/systemd/systemd-user-generators-autostart

@@ -0,0 +1,23 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/lib/systemd/user-generators/systemd-xdg-autostart-generator
+profile systemd-user-generators-autostart @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/xdg/autostart/*.desktop r,
+
+  owner @{run}/user/@{uid}/systemd/generator.late/{,**} rw,
+
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
+  include if exists <local/systemd-user-generators-autostart>
+}

apparmor.d/groups/systemd/systemd-user-generators-environment

@@ -0,0 +1,21 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator
+profile systemd-user-generators-environment @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  /etc/environment.d/{,**} r,
+
+  @{PROC}/cmdline r,
+  @{PROC}/sys/kernel/osrelease r,
+
+  include if exists <local/systemd-user-generators-environment>
+}

apparmor.d/groups/systemd/systemd-user-generators-flatpak

@@ -0,0 +1,16 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = /usr/lib/systemd/user-environment-generators/60-flatpak
+profile systemd-user-generators-flatpak @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  include if exists <local/systemd-user-generators-flatpak>
+}

dists/flags/main.flags

@@ -18,7 +18,7 @@ cc-remote-login-helper complain
 cfdisk complain
 cgdisk complain
 child-open complain
-chronyd complain
+chronyd attach_disconnected,complain
 cockpit-askpass complain
 cockpit-bridge complain
 cockpit-certificate-ensure complain
@@ -238,6 +238,9 @@ systemd-timedated attach_disconnected,complain
 systemd-tty-ask-password-agent complain
 systemd-update-done complain
 systemd-update-utmp complain
+systemd-user-generators-autostart complain
+systemd-user-generators-environment complain
+systemd-user-generators-flatpak complain
 systemd-user-runtime-dir complain
 systemd-user-sessions complain
 systemd-userdbd attach_disconnected,complain
@@ -266,3 +269,129 @@ xdg-permission-store attach_disconnected,complain
 xdg-user-dirs-gtk-update complain
 xdm-xsession complain
 xorg attach_disconnected,complain
+
+# Profiles not commited yet
+glib-genmarshal complain
+glib-gettextize complain
+glib-mkenums complain
+gnome-session-custom-session complain
+gnome-session-inhibit complain
+gnome-session-quit complain
+gnome-shell-extension-prefs complain
+gnome-shell-extension-tool complain
+gnome-shell-hotplug-sniffer complain
+gnome-shell-perf-helper complain
+gnome-shell-perf-tool complain
+gnome-shell-portal-helper complain
+gnome-tweak-tool-lid-inhibitor complain
+homectl complain
+loginctl complain
+machinectl complain
+nfsdcld complain
+oomctl complain
+podman attach_disconnected,complain
+prime-switch complain
+qrencode complain
+splunkforwarder complain
+systemd-bless-boot complain
+systemd-boot-check-no-failures complain
+systemd-cgroups-agent
+systemd-export complain
+systemd-growfs complain
+systemd-hibernate-resume complain
+systemd-import complain
+systemd-import-fs complain
+systemd-importd complain
+systemd-journal-gatewayd complain
+systemd-journal-remote complain
+systemd-journal-upload complain
+systemd-network-generator complain
+systemd-notify complain
+systemd-pstore complain
+systemd-pull complain
+systemd-quotacheck complain
+systemd-repart complain
+systemd-reply-password complain
+systemd-run complain
+systemd-socket-activate complain
+systemd-socket-proxyd complain
+systemd-stdio-bridge complain
+systemd-sulogin-shell complain
+systemd-sysext complain
+systemd-time-wait-sync complain
+systemd-xdg-autostart-condition complain
+timedatectl complain
+virtiofsd complain
+virtlockd complain
+hwsim complain
+iwdmon complain
+nvidia-settings complain
+gkbd-keyboard-display complain
+mullvad-setup complain
+
+# Work in Progress
+bwrap attach_disconnected,complain
+bwrap-default attach_disconnected,mediate_deleted,complain
+cni-bridge complain
+cni-firewall complain
+cni-portmap complain
+cni-tuning complain
+ctop complain
+dbus-broker complain
+dbus-broker-launch complain
+fprintd-delete complain
+fprintd-enroll complain
+fprintd-list complain
+fprintd-verify complain
+install-catalog complain
+lazydocker complain
+losetup complain
+modprobed-db complain
+mount-ntfs-3g complain
+multipathd complain
+rpc.idmapd complain
+rpc.mountd complain
+rpc.statd complain
+rpcbind complain
+smbspool complain
+tomb complain
+tomb-kdb-pbkdf2 complain
+virt-aa-helper complain
+virtlogd complain
+virtnetworkd complain
+virtnodedevd complain
+virtqemud attach_disconnected,complain
+virtstoraged attach_disconnected,complain
+virtxend attach_disconnected,complain
+
+# Debian server dev
+cracklib-packer complain
+cron-cracklib complain
+cron-etckeeper complain
+cron-sysstat complain
+sysstat complain
+update-cracklib complain
+
+# Ubuntu
+
+# Whonix
+mate-notification-daemon complain
+
+# Flatpak slow dev
+flatpak-oci-authenticator complain
+flatpak-portal attach_disconnected,complain
+flatpak-system-helper complain
+flatpak-validate-icon complain
+
+# GDM
+gdm-host-chooser complain
+gdm-simple-chooser complain
+
+# Simple when used for extension, more complex for javascript based gnome app.
+gjs-console attach_disconnected,complain
+
+# Not easy
+portmaster-start complain
+
+# Require firewall rules for firewalld first
+firewall-applet complain