feat(profile): improve dpkg-scripts.

2025-07-06 21:54:49 +02:00 · 2025-07-06 21:54:49 +02:00 · 3b040aa5ca
commit 3b040aa5ca
parent 13680be0a6
2 changed files with 7 additions and 1 deletions
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@ -11,6 +11,7 @@ profile dpkg-scripts @{exec_path} {
  include <abstractions/base>
  include <abstractions/common/debconf>
  include <abstractions/disks-read>
+  include <abstractions/python>

  capability chown,
  capability dac_read_search,
@ -24,6 +25,7 @@ profile dpkg-scripts @{exec_path} {
  # Common program found in maintainer scripts
  @{sh_path}                                     rix,
  @{coreutils_path}                              rix,
+  @{python_path}                                 rix,
  @{bin}/run-parts                               rix,

  @{bin}/envsubst                                 ix,
@ -51,8 +53,8 @@ profile dpkg-scripts @{exec_path} {
  @{bin}/**                                       PUx,
  @{sbin}/**                                      PUx,
  @{lib}/**                                       PUx,
+  /etc/**                                         PUx,
  /usr/share/**                                   PUx,
-  /etc/init.d/*                                   PUx,

  # Maintainer's scripts can update a lot of files
  / r,
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
@ -20,6 +20,10 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {

  @{bin}/ischroot  Px,

+  @{lib}/@{python_name}/**/__pycache__/ w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w,
+
  /usr/share/unattended-upgrades/{,*} r,

  owner /var/log/unattended-upgrades/*.log* rw,