   # NOTE(review): this is a fragment of an AppArmor profile body; the profile
   # header and closing brace are outside this view. Taken together, the rules
   # grant almost everything (`/** rwlkm`, `/** pix`, and the bare signal /
   # ptrace / capability / mount / umount / network rules) and then subtract a
   # handful of paths with `deny`. Confinement therefore rests entirely on the
   # deny list. An allow-list of the paths and capabilities the confined program
   # actually needs would be the stronger design.

   # A bare rule keyword carries no conditions, so each line below permits its
   # whole class: all signals, all ptrace relations, every capability, any
   # mount or umount, and every network family and type.
   # NOTE(review): the deny rules further down are matched on path names, so
   # unrestricted `capability,` and `mount,` weaken them. Narrow these to the
   # specific capabilities and mount points required.
   signal,
   ptrace,
   capability,
   mount,
   umount,
   network,
   # An explicit deny overrides any allow for the same access. Accesses blocked
   # by a plain `deny` rule are not logged by default; use `audit deny` on the
   # rules whose violations should reach the audit log.
   # Blocks reads of everything beneath /tmp/pqp/.
   deny /tmp/pqp/** r,
   # Lets the confined task switch itself to any profile name (`**`).
   # NOTE(review): a task that can move to a more permissive profile is no
   # longer bound by the deny rules here. Restrict the target to the specific
   # profile(s) intended.
   allow change_profile -> **,
   # Blocks writes to AppArmor's module parameters and its securityfs interface.
   deny /sys/module/apparmor/** w,
   deny /sys/kernel/security/apparmor/** w,
   # Blocks writes to this one crontab path only. Other locations stay writable
   # under `/** rwlkm` below.
   deny /var/spool/cron/root w,
   # Blocks executing tcpdump from /usr/bin or /usr/sbin. The rule names a path,
   # not a capability, so packet capture as such is still governed by the
   # unrestricted `network,` and `capability,` rules above.
   deny /usr/{bin,sbin}/tcpdump x,
   # `ix` = execute and inherit: the child keeps running under this profile.
   # These exact-path rules presumably take precedence over the `/** pix` glob
   # below for the same executables - TODO confirm with apparmor_parser.
   allow /usr/bin/ecfsk ix,
   allow /usr/bin/ecryptfs-add-passphrase ix,
   # Blocks executing this helper at this exact path.
   deny /sbin/mount-copybind x,
   # NOTE(review): kmod and systemctl are administrative tools. Confirm the
   # confined program really needs to run them.
   allow /bin/kmod ix,
   allow /bin/systemctl ix,
   # Write access to one log file. This looks redundant given `/** rwlkm` below,
   # but it would become load-bearing if that glob were tightened.
   allow /opt/logs/messages.txt w,
   # Read (list) access to the root directory itself.
   / r,
   # `pix` = on exec, transition to a profile attached to the target binary if
   # one is loaded, otherwise inherit this profile. Applies to every path.
   allow /** pix,
   # r = read, w = write, l = link, k = lock, m = executable mmap, on every path
   # not removed by a deny rule above.
   # NOTE(review): this rule is what makes the profile default-allow. Replace it
   # with the specific directories the program needs.
   allow /** rwlkm,
