From 5858de80af4680b131550161aa57845cd3d0ed87 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 25 May 2025 01:23:26 +0200
Subject: [PATCH] feat(profile): add profile for more update-* tools.

---
 apparmor.d/profiles-s-z/update-catalog  | 26 ++++++++++++++++++
 apparmor.d/profiles-s-z/update-info-dir | 24 +++++++++++++++++
 apparmor.d/profiles-s-z/update-shells   | 36 +++++++++++++++++++++++++
 dists/flags/main.flags                  |  3 +++
 4 files changed, 89 insertions(+)
 create mode 100644 apparmor.d/profiles-s-z/update-catalog
 create mode 100644 apparmor.d/profiles-s-z/update-info-dir
 create mode 100644 apparmor.d/profiles-s-z/update-shells

diff --git a/apparmor.d/profiles-s-z/update-catalog b/apparmor.d/profiles-s-z/update-catalog
new file mode 100644
index 000000000..feac2d3c5
--- /dev/null
+++ b/apparmor.d/profiles-s-z/update-catalog
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{sbin}/update-catalog
+profile update-catalog @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/perl>
+
+  @{exec_path} mr,
+
+  /etc/sgml/ r,
+  /etc/sgml/* r,
+
+  /var/lib/sgml-base/*catalog rw,
+  /var/lib/sgml-base/*catalog.new rw,
+  /var/lib/sgml-base/*catalog.old w,
+
+  include if exists <local/update-catalog>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/update-info-dir b/apparmor.d/profiles-s-z/update-info-dir
new file mode 100644
index 000000000..7c835023f
--- /dev/null
+++ b/apparmor.d/profiles-s-z/update-info-dir
@@ -0,0 +1,24 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{sbin}/update-info-dir
+profile update-info-dir @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  @{sh_path} r,
+  @{bin}/install-info  Px,
+  @{bin}/find          ix,
+  @{bin}/rm            ix,
+
+  include if exists <local/update-info-dir>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/update-shells b/apparmor.d/profiles-s-z/update-shells
new file mode 100644
index 000000000..46b6699c8
--- /dev/null
+++ b/apparmor.d/profiles-s-z/update-shells
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{sbin}/update-shells
+profile update-shells @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{sh_path}           r,
+  @{bin}/basename      ix,
+  @{bin}/chmod         ix,
+  @{bin}/chown         ix,
+  @{bin}/dirname       ix,
+  @{bin}/dpkg-realpath ix,
+  @{bin}/mv            ix,
+  @{bin}/sync          ix,
+
+  /usr/share/debianutils/shells r,
+  /usr/share/debianutils/shells.d/{,**} r,
+
+  /etc/shells r,
+  /etc/shells.tmp w,
+
+  /var/lib/shells.state r,
+  /var/lib/shells.state.tmp w,
+
+  include if exists <local/update-shells>
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index e88409583..9d0857ad3 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -380,8 +380,11 @@ udev-probe-bcache complain
 udisksctl complain
 udisksd attach_disconnected,complain
 ufw complain
+update-catalog complain
 update-grub complain
+update-info-dir complain
 update-secureboot-policy complain
+update-shells complain
 userdbctl complain
 utempter attach_disconnected,complain
 veracrypt complain