From 3848838e53a5824417590f97c43ad0135a50e6a1 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 24 May 2025 17:35:16 +0200
Subject: [PATCH] feat(profile): merge dpkg-scripts and dpkg-script-tmp.

---
 apparmor.d/groups/apt/dpkg-preconfigure   |  2 +
 apparmor.d/groups/apt/dpkg-script-systemd |  2 +
 apparmor.d/groups/apt/dpkg-script-tmp     | 57 -----------------------
 apparmor.d/groups/apt/dpkg-scripts        | 17 +++++--
 dists/flags/main.flags                    |  1 -
 5 files changed, 16 insertions(+), 63 deletions(-)
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-tmp

diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 8a9ea568e..4dbfae0a8 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -15,6 +15,8 @@ profile dpkg-preconfigure @{exec_path} {
   include <abstractions/perl>
   include <abstractions/ssl_certs>
 
+  capability dac_read_search,
+
   @{exec_path} r,
 
   @{sh_path}                  rix,
diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd
index cb652108d..713f2981f 100644
--- a/apparmor.d/groups/apt/dpkg-script-systemd
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
@@ -16,6 +16,8 @@ profile dpkg-script-systemd @{exec_path} {
 
   @{sh_path}   rix,
 
+  @{coreutils_path}               rix,
+  @{bin}/bootctl                   Px,
   @{bin}/deb-systemd-helper        Px,
   @{bin}/deb-systemd-invoke        Px,
   @{bin}/dpkg                      Cx -> dpkg,
diff --git a/apparmor.d/groups/apt/dpkg-script-tmp b/apparmor.d/groups/apt/dpkg-script-tmp
deleted file mode 100644
index 65e63d076..000000000
--- a/apparmor.d/groups/apt/dpkg-script-tmp
+++ /dev/null
@@ -1,57 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = /var/lib/dpkg/tmp.ci/@{dpkg_script_ext}
-profile dpkg-script-tmp @{exec_path} flags=(attach_disconnected) {
-  include <abstractions/base>
-  include <abstractions/consoles>
-  include <abstractions/perl>
-
-  @{exec_path} mrix,
-
-  @{sh_path}                      rix,
-  @{coreutils_path}               rix,
-  @{bin}/run-parts                rix,
-  @{bin}/deb-systemd-invoke        Px,
-  @{bin}/dpkg                      Px,
-  @{bin}/dpkg-divert               Px,
-  @{bin}/dpkg-maintscript-helper   Px,
-  @{bin}/kmod                      Cx -> kmod,
-  @{bin}/systemctl                 Cx -> systemctl,
-  /usr/share/debconf/frontend      Px,
-
-  /usr/share/debconf/confmodule r,
-
-  /etc/kernel/preinst.d/*-microcode ix,
-
-  @{lib}/modules/*/.fresh-install w,
-
-  profile kmod {
-    include <abstractions/base>
-    include <abstractions/app/kmod>
-
-    include if exists <local/dpkg-script-tmp_kmod>
-  }
-
-  profile systemctl {
-    include <abstractions/base>
-    include <abstractions/app/systemctl>
-
-    capability net_admin,
-    capability sys_ptrace,
-    capability sys_resource,
-
-    @{bin}/systemd-tty-ask-password-agent Px,
-
-    include if exists <local/dpkg-script-tmp_systemctl>
-  }
-
-  include if exists <local/dpkg-script-tmp>
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
index 32063f5c5..e765b334c 100644
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -38,6 +38,7 @@ profile dpkg-scripts @{exec_path} {
   @{lib}/ubuntu-advantage/postinst-migrations.sh  ix,
 
   @{bin}/dbus-send                                Cx -> bus,
+  @{bin}/kmod                                     Cx -> kmod,
   @{bin}/dpkg                                     Px -> child-dpkg,
   @{bin}/systemctl                                Cx -> systemctl,
   @{sbin}/invoke-rc.d                             Cx -> rc,
@@ -52,9 +53,6 @@ profile dpkg-scripts @{exec_path} {
   /usr/share/**                                   Px,
   /etc/init.d/*                                   Px,
 
-  /var/lib/dpkg/info/*.@{dpkg_script_ext}         ix, # dpkg-scripts-*
-  /var/lib/dpkg/tmp.ci/@{dpkg_script_ext}         Px, # dpkg-script-tmp
-
   # Maintainer's scripts can update a lot of files
   / r,
   /*/ r,
@@ -85,12 +83,20 @@ profile dpkg-scripts @{exec_path} {
     include if exists <local/dpkg-scripts_bus>
   }
 
+  profile kmod {
+    include <abstractions/base>
+    include <abstractions/app/kmod>
+
+    include if exists <local/dpkg-scripts_kmod>
+  }
+
   profile systemctl {
     include <abstractions/base>
     include <abstractions/app/systemctl>
 
     capability net_admin,
     capability sys_ptrace,
+    capability sys_resource,
 
     @{run}/utmp rk,
 
@@ -99,6 +105,7 @@ profile dpkg-scripts @{exec_path} {
 
   profile rc {
     include <abstractions/base>
+    include <abstractions/consoles>
     include <abstractions/perl>
 
     @{sbin}/update-rc.d     mr,
@@ -110,10 +117,10 @@ profile dpkg-scripts @{exec_path} {
 
     /etc/ r,
     /etc/init.d/* r,
-    /etc/rc?.d/ r,
+    /etc/rc@{c}.d/ r,
+    /etc/rc@{c}.d/* rw,
     /etc/rc@{int}.d/ r,
     /etc/rc@{int}.d/* rw,
-    /etc/rc@{c}.d/* rw,
 
     include if exists <local/dpkg-scripts_rc>
   }
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d139c7622..b1bd2fa0e 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -93,7 +93,6 @@ dpkg-script-apparmor complain
 dpkg-script-kmod complain
 dpkg-script-linux complain
 dpkg-script-systemd complain
-dpkg-script-tmp complain
 dpkg-scripts complain
 drkonqi complain
 drkonqi-coredump-cleanup complain