From 41c38b7645bf2c9c3ae117f5481602cfd94d77f8 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 18 May 2025 20:34:05 +0200
Subject: [PATCH] feat(profile): update unattended upgrade profiles.
---
 apparmor.d/groups/apt/unattended-upgrade | 52 +++++++++++--------
 .../groups/apt/unattended-upgrade-shutdown | 4 +-
 apparmor.d/groups/apt/update-apt-xapian-index | 14 +++--
 3 files changed, 37 insertions(+), 33 deletions(-)
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 8413d9975..95b8b2760 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -32,7 +32,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- signal (send) peer=apt-methods-http,
+ signal send peer=apt-methods-http,
 unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
@@ -41,26 +41,29 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 @{bin}/ r,
 @{sh_path} rix,
- @{bin}/echo rix,
- @{bin}/gdbus rix,
- @{bin}/ischroot rix,
 @{python_path} rix,
- @{bin}/test rix,
- @{bin}/touch rix,
- @{bin}/uname rix,
+ @{bin}/echo ix,
+ @{bin}/gdbus ix,
+ @{bin}/md5sum ix,
+ @{bin}/tar ix,
+ @{bin}/test ix,
+ @{bin}/touch ix,
+ @{bin}/uname ix,
- @{bin}/apt-listchanges rPx,
- @{bin}/dpkg rPx,
- @{bin}/dpkg-divert rPx,
- @{sbin}/dpkg-preconfigure rPx,
- @{bin}/etckeeper rPx,
- @{bin}/lsb_release rPx -> lsb_release,
- @{sbin}/on_ac_power rPx,
- @{sbin}/sendmail rPUx,
- @{lib}/apt/methods/http{,s} rPx,
- @{lib}/needrestart/apt-pinvoke rPx,
- @{lib}/update-notifier/update-motd-updates-available rPx,
- @{lib}/zsys-system-autosnapshot rPx,
+ @{bin}/dpkg-deb px,
+ @{bin}/apt-listchanges Px,
+ @{bin}/dpkg Px,
+ @{bin}/dpkg-divert Px,
+ @{bin}/etckeeper Px,
+ @{bin}/ischroot Px,
+ @{bin}/lsb_release Px -> lsb_release,
+ @{sbin}/dpkg-preconfigure Px,
+ @{sbin}/on_ac_power Px,
+ @{sbin}/sendmail Px,
+ @{lib}/apt/methods/http{,s} Px,
+ @{lib}/needrestart/apt-pinvoke Px,
+ @{lib}/update-notifier/update-motd-updates-available Px,
+ @{lib}/zsys-system-autosnapshot Px,
 /usr/share/distro-info/* r,
@@ -70,8 +73,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 /etc/apt/*.list r,
 /etc/apt/apt.conf.d/{,**} r,
 /etc/debian_version r,
- /etc/default/apport r,
- /etc/default/grub.d/* r,
+ /etc/default/{,**} r,
 /etc/dpkg/origins/{,debian,ubuntu} r,
 /etc/fwupd/{,**} r,
 /etc/grub.d/* r,
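Review bot: `@{bin}/dpkg-deb px` is the one transition in this hunk written with a lowercase `p`, while every other exec rule around it was changed to `Px`; in AppArmor the lowercase form transitions without scrubbing the environment, so the child keeps the caller's environment unchanged. If that is intended, a short comment above the rule, `# dpkg-deb needs the caller's environment`, would stop the next reader from "fixing" it; otherwise `@{bin}/dpkg-deb Px,` matches the rest of the block. Separately, `@{sbin}/sendmail` moves from `rPUx` to `Px`, which drops the unconfined fallback, so the mail report will fail on hosts where no `sendmail` profile is loaded; presumably accepted, but it deserves a line in the commit message. The profile body starts before this hunk and continues after it.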
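Review bot: `/etc/default/{,**} r` replaces two named files with read access to the whole `/etc/default` tree, and the `@@ -85,9 +87,13` hunk below adds reads of `/etc/ssh/moduli`, `/etc/ssh/ssh_config`, `/etc/ufw/{,**}` and `/etc/vim/{,**}` that have no obvious relation to upgrading packages; nothing in the diff says why. Presumably these come from the conffile comparison step (the same commit adds `@{bin}/md5sum ix`), in which case a one-line comment such as `# Conffile checks read the config files of upgraded packages` above the group would document the scope and explain why this list is expected to keep growing. If that is not the reason, the previous explicit entries were the tighter rule and the tree-wide glob should be narrowed back.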
@@ -85,9 +87,13 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
 /etc/pki/fwupd-metadata/{,**} r,
 /etc/pki/fwupd/{,**} r,
 /etc/profile.d/* r,
+ /etc/ssh/moduli r,
+ /etc/ssh/ssh_config r,
+ /etc/ufw/{,**} r,
 /etc/update-manager/{,**} r,
- /etc/update-motd.d/* r,
- /etc/vmware-tools/* r,
+ /etc/update-motd.d/{,**} r,
+ /etc/vim/{,**} r,
+ /etc/vmware-tools/{,**} r,
 /var/log/unattended-upgrades/{,**} rw,
 /var/crash/*.crash w,
diff --git a/apparmor.d/groups/apt/unattended-upgrade-shutdown b/apparmor.d/groups/apt/unattended-upgrade-shutdown
index cd35bb5ae..f36505e7a 100644
--- a/apparmor.d/groups/apt/unattended-upgrade-shutdown
+++ b/apparmor.d/groups/apt/unattended-upgrade-shutdown
@@ -12,15 +12,15 @@ profile unattended-upgrade-shutdown @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
 include
 include
 @{exec_path} mr,
- @{bin}/ischroot rix,
+ @{bin}/ischroot Px,
 /usr/share/unattended-upgrades/{,*} r,
- /etc/apt/apt.conf.d/{,*} r,
 owner /var/log/unattended-upgrades/*.log* rw,
diff --git a/apparmor.d/groups/apt/update-apt-xapian-index b/apparmor.d/groups/apt/update-apt-xapian-index
index 5da82090f..f829ab3ff 100644
--- a/apparmor.d/groups/apt/update-apt-xapian-index
+++ b/apparmor.d/groups/apt/update-apt-xapian-index
@@ -10,6 +10,7 @@ include
 @{exec_path} = @{bin}/update-apt-xapian-index
 profile update-apt-xapian-index @{exec_path} {
 include
+ include
 include
 include
@@ -17,10 +18,13 @@ profile update-apt-xapian-index @{exec_path} {
 @{python_path} r,
 @{bin}/ r,
- @{bin}/dpkg rPx -> child-dpkg,
+ @{bin}/dpkg Px -> child-dpkg,
 /usr/share/apt-xapian-index/{,**} r,
+ /var/lib/dbus/machine-id r,
+ /etc/machine-id r,
+ /var/cache/apt-xapian-index/ rw,
 /var/cache/apt-xapian-index/** rwk,
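Review bot: Removing `/etc/apt/apt.conf.d/{,*} r` from unattended-upgrade-shutdown leaves no visible read rule for apt's configuration in that profile, and the include added in the same hunk has its target stripped in this rendering, so it cannot be confirmed here that the include covers those reads; if the script still loads apt configuration (the old rule suggests it did), the next shutdown-time run will log a denial. `@{bin}/ischroot Px` also now depends on an `ischroot` profile being loaded, the same dependency the unattended-upgrade hunk above introduces, so both should be checked on a host with only this group's profiles installed. The unattended-upgrade-shutdown profile body continues past the end of its hunk.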
@@ -30,15 +34,9 @@ profile update-apt-xapian-index @{exec_path} {
 /var/cache/apt/ r,
 /var/cache/apt/** rwk,
- owner @{PROC}/@{pid}/fd/ r,
- /var/lib/debtags/package-tags r,
- /var/lib/dbus/machine-id r,
- /etc/machine-id r,
-
- # file_inherit
- owner /dev/tty@{int} rw,
+ owner @{PROC}/@{pid}/fd/ r,
 include if exists
 }
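Review bot: `/var/lib/debtags/package-tags r` and the `# file_inherit` rule `owner /dev/tty@{int} rw` are dropped without replacement, and the commit message does not say whether they were found to be stale; whatever read them before (presumably an indexer plugin for the debtags file, and an inherited terminal fd when the indexer is run by hand) will now surface as denials rather than being covered. If the rules were verified unused, a sentence in the commit message is enough; if not, keeping `/var/lib/debtags/package-tags r,` and the two-line `# file_inherit` block avoids a regression that only appears in the interactive case. The other removals in this hunk (`machine-id` reads, `@{PROC}/@{pid}/fd/`) are moves, not deletions, and the `include if exists` target is not visible in this rendering.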