From 02ff27946aa18ac634534f63a7cacba2d7574fd5 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 18 May 2025 20:27:44 +0200
Subject: [PATCH] feat(profile): add initial version for dpkg-scripts.

---
 apparmor.d/groups/apt/dpkg-script-apparmor    |  10 +-
 .../{dpkg-script-udev => dpkg-script-kmod}    |  11 +-
 apparmor.d/groups/apt/dpkg-script-linux       |  45 ++++++
 apparmor.d/groups/apt/dpkg-script-man         |  27 ----
 apparmor.d/groups/apt/dpkg-script-systemd     |  64 ++++++++
 apparmor.d/groups/apt/dpkg-scripts            | 141 ++++++++++++++++++
 dists/flags/main.flags                        |   6 +-
 7 files changed, 263 insertions(+), 41 deletions(-)
 rename apparmor.d/groups/apt/{dpkg-script-udev => dpkg-script-kmod} (54%)
 create mode 100644 apparmor.d/groups/apt/dpkg-script-linux
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-man
 create mode 100644 apparmor.d/groups/apt/dpkg-script-systemd
 create mode 100644 apparmor.d/groups/apt/dpkg-scripts

diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor
index 088fff84a..585d9c59d 100644
--- a/apparmor.d/groups/apt/dpkg-script-apparmor
+++ b/apparmor.d/groups/apt/dpkg-script-apparmor
@@ -15,12 +15,12 @@ profile dpkg-script-apparmor @{exec_path} {
   @{exec_path} mr,
 
   @{sh_path}   rix,
-  @{bin}/grep  rix,
+  @{bin}/grep   ix,
 
-  @{bin}/deb-systemd-helper  rPx,
-  @{bin}/deb-systemd-invoke  rPx,
-  @{bin}/dpkg-divert         rix,
-  @{bin}/systemctl           rCx -> systemctl,
+  @{bin}/deb-systemd-helper  Px,
+  @{bin}/deb-systemd-invoke  Px,
+  @{bin}/dpkg-divert         ix,
+  @{bin}/systemctl           Cx -> systemctl,
 
   /usr/share/apparmor.d/** rw,
 
diff --git a/apparmor.d/groups/apt/dpkg-script-udev b/apparmor.d/groups/apt/dpkg-script-kmod
similarity index 54%
rename from apparmor.d/groups/apt/dpkg-script-udev
rename to apparmor.d/groups/apt/dpkg-script-kmod
index 58840ef39..f900bba17 100644
--- a/apparmor.d/groups/apt/dpkg-script-udev
+++ b/apparmor.d/groups/apt/dpkg-script-kmod
@@ -6,16 +6,13 @@ abi <abi/4.0>,
 
 include <tunables/global>
 
-@{exec_path} = /var/lib/dpkg/info/udev*
-profile dpkg-script-udev @{exec_path} {
+@{exec_path} = /var/lib/dpkg/info/kmod*
+profile dpkg-script-kmod @{exec_path} {
   include <abstractions/base>
 
-  @{exec_path} mr,
+  @{exec_path} mrix,
 
-  @{bin}/systemd-hwdb rPx,
-  @{bin}/deb-systemd-invoke rPx,
-
-  include if exists <local/dpkg-script-udev>
+  include if exists <local/dpkg-script-kmod>
 }
 
 # vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux
new file mode 100644
index 000000000..c84d6aa4b
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-script-linux
@@ -0,0 +1,45 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = /var/lib/dpkg/info/linux*
+profile dpkg-script-linux @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/app/debconf>
+
+  @{exec_path} mrix,
+
+  @{sh_path}        rix,
+  @{bin}/cat         ix,
+  @{bin}/locale      ix,
+  @{bin}/mkdir       ix,
+  @{bin}/mkdir       ix,
+  @{bin}/rm          ix,
+  @{bin}/run-parts   ix,
+  @{bin}/stty        ix,
+
+  @{bin}/dpkg-trigger           Px,
+  @{bin}/kmod                   Px,
+  @{bin}/linux-check-removal    Px,
+  @{bin}/linux-update-symlinks  Px,
+  @{bin}/whiptail               Px,
+
+  /usr/share/{update,reboot}-notifier/notify-reboot-required  Px,
+  /etc/kernel/{,header_}postinst.d/*                          Px,
+  /etc/kernel/postrm.d/*                                      Px,
+  /etc/kernel/preinst.d/*                                     Px,
+  /etc/kernel/prerm.d/*                                       Px,
+
+  /etc/kernel/*.d/ r,
+
+  @{lib}/linux/triggers/* w,
+  @{lib}/modules/*/.fresh-install w,
+
+  include if exists <local/dpkg-script-linux>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-script-man b/apparmor.d/groups/apt/dpkg-script-man
deleted file mode 100644
index 63f5c5c78..000000000
--- a/apparmor.d/groups/apt/dpkg-script-man
+++ /dev/null
@@ -1,27 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = /var/lib/dpkg/info/man-db.*
-profile dpkg-script-man @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/consoles>
-  include <abstractions/nameservice-strict>
-
-  capability setgid,
-  capability setuid,
-
-  @{exec_path} mr,
-
-  @{sh_path}      rix,
-  @{bin}/setpriv  rix,
-  @{bin}/mandb    rPx,
-
-  include if exists <local/dpkg-script-man>
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd
new file mode 100644
index 000000000..28f4b6e87
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
@@ -0,0 +1,64 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = /var/lib/dpkg/info/systemd*
+profile dpkg-script-systemd @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mrix,
+
+  @{sh_path}   rix,
+
+  @{bin}/deb-systemd-helper        Px,
+  @{bin}/deb-systemd-invoke        Px,
+  @{bin}/dpkg                      Cx -> dpkg,
+  @{bin}/dpkg-divert               Px,
+  @{bin}/dpkg-maintscript-helper   Px,
+  @{bin}/journalctl                Px,
+  @{bin}/kernel-install            Px,
+  @{bin}/systemctl                 Cx -> systemctl,
+  @{bin}/systemd-machine-id-setup  Px,
+  @{bin}/systemd-sysusers          Px,
+  @{bin}/systemd-tmpfiles          Px,
+  @{lib}/systemd/systemd-sysctl    Px,
+  @{sbin}/pam-auth-update          Px,
+
+  /etc/systemd/system/*.wants/ rw,
+  /etc/systemd/system/*.wants/* rw,
+
+  /var/lib/systemd/{,*} rw,
+  /var/log/journal/ rw,
+
+  profile dpkg {
+    include <abstractions/base>
+    include <abstractions/common/apt>
+
+    @{bin}/dpkg mr,
+
+    include if exists <local/dpkg-script-systemd_dpkg>
+  }
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+    capability sys_resource,
+
+    signal send set=(cont term) peer=systemd-tty-ask-password-agent,
+
+    @{bin}/systemd-tty-ask-password-agent Px,
+
+    include if exists <local/dpkg-script-systemd_systemctl>
+  }
+
+  include if exists <local/dpkg-script-systemd>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
new file mode 100644
index 000000000..d644b6c3e
--- /dev/null
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -0,0 +1,141 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = /var/lib/dpkg/**
+profile dpkg-scripts @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/app/debconf>
+  include <abstractions/disks-read>
+
+  capability chown,
+  capability dac_read_search,
+  capability fowner,
+  capability fsetid,
+  capability setgid,
+  capability setuid,
+
+  @{exec_path} mrix,
+
+  # Common program found in maintainer scripts
+  @{sh_path}                                     rix,
+  @{coreutils_path}                              rix,
+  @{bin}/run-parts                               rix,
+
+  @{bin}/setpriv                                  ix,
+  @{bin}/envsubst                                 ix,
+  @{bin}/getent                                   ix,
+  @{bin}/gzip                                     ix,
+  @{bin}/helpztags                                ix,
+  @{bin}/locale                                   ix,
+  @{bin}/tput                                     ix,
+  @{bin}/zcat                                     ix,
+  @{lib}/ubuntu-advantage/cloud-id-shim.sh        ix,
+  @{lib}/ubuntu-advantage/postinst-migrations.sh  ix,
+
+  @{bin}/dbus-send                                Cx -> bus,
+  @{bin}/dpkg                                     Px -> child-dpkg,
+  @{bin}/systemctl                                Cx -> systemctl,
+  @{sbin}/invoke-rc.d                             Cx -> rc,
+  @{sbin}/ldconfig                                Cx -> ldconfig,
+  @{sbin}/ldconfig.real                           Cx -> ldconfig,
+  @{sbin}/update-rc.d                             Cx -> rc,
+
+  # Maintainer scripts can legitimately start/restart anything
+  @{bin}/**                                       Px,
+  @{sbin}/**                                      Px,
+  @{lib}/**                                       Px,
+  /usr/share/**                                   Px,
+  /etc/init.d/*                                   Px,
+
+  /var/lib/dpkg/info/*.@{dpkg_script_ext}         ix, # dpkg-scripts-*
+  /var/lib/dpkg/tmp.ci/@{dpkg_script_ext}         Px, # dpkg-script-tmp
+
+  # Maintainer's scripts can update a lot of files
+  / r,
+  /*/ r,
+  @{bin}/ r,
+  @{lib}/ r,
+  /etc/ r,
+  /etc/** rw,
+  /usr/share/*/ r,
+  /usr/share/*/** rw,
+  /var/** rw,
+  @{run}/** rw,
+  @{efi}/grub/* rw,
+
+  /tmp/grub.@{rand10} rw,
+  /tmp/sed@{rand6} rw,
+  /tmp/tmp.@{rand10} rw,
+
+  profile bus {
+    include <abstractions/base>
+    include <abstractions/app/bus>
+    include <abstractions/bus-system>
+
+    dbus send bus=system path=/
+        interface=org.freedesktop.DBus
+        member=ReloadConfig
+        peer=(name=org.freedesktop.DBus, label="@{p_dbus_system}"),
+
+    include if exists <local/dpkg-scripts_bus>
+  }
+
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+
+    capability net_admin,
+    capability sys_ptrace,
+
+    @{run}/utmp rk,
+
+    include if exists <local/dpkg-scripts_systemctl>
+  }
+
+  profile rc {
+    include <abstractions/base>
+    include <abstractions/perl>
+
+    @{sbin}/update-rc.d     mr,
+    @{sbin}/invoke-rc.d     mr,
+
+    @{coreutils_path}      rix,
+    @{sh_path}             rix,
+    @{bin}/systemctl       rPx -> dpkg-scripts//systemctl,
+
+    /etc/ r,
+    /etc/init.d/* r,
+    /etc/rc?.d/ r,
+    /etc/rc@{int}.d/ r,
+    /etc/rc@{int}.d/* rw,
+    /etc/rc@{c}.d/* rw,
+
+    include if exists <local/dpkg-scripts_rc>
+  }
+
+  profile ldconfig {
+    include <abstractions/base>
+    include <abstractions/consoles>
+
+    @{sh_path}              rix,
+    @{sbin}/ldconfig       mrix,
+    @{sbin}/ldconfig.real   rix,
+
+    @{lib}/ r,
+    /usr/local/ r,
+    /usr/local/lib/ r,
+
+    owner /var/cache/ldconfig/aux-cache* rw,
+
+    include if exists <local/dpkg-scripts_ldconfig>
+  }
+
+  include if exists <local/dpkg-scripts>
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index b710f2d94..9aa61f15b 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -88,8 +88,10 @@ dolphin complain
 downloadhelper complain
 dpkg-maintscript-helper complain
 dpkg-script-apparmor complain
-dpkg-script-man complain
-dpkg-script-udev complain
+dpkg-script-kmod complain
+dpkg-script-linux complain
+dpkg-script-systemd complain
+dpkg-scripts complain
 drkonqi complain
 drkonqi-coredump-cleanup complain
 drkonqi-coredump-processor complain