From 7a3016724a6a2a97e337d57187416cabb6dcdfb0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 18 May 2025 23:42:34 +0200
Subject: [PATCH] feat(profile): update linux check scripts.

---
 apparmor.d/profiles-g-l/linux-check-removal   | 40 ++++---------------
 apparmor.d/profiles-g-l/linux-update-symlinks | 25 ++++++++++++
 dists/flags/main.flags                        |  2 +
 3 files changed, 34 insertions(+), 33 deletions(-)
 create mode 100644 apparmor.d/profiles-g-l/linux-update-symlinks

diff --git a/apparmor.d/profiles-g-l/linux-check-removal b/apparmor.d/profiles-g-l/linux-check-removal
index 1c6ff2f03..2c2a8ba21 100644
--- a/apparmor.d/profiles-g-l/linux-check-removal
+++ b/apparmor.d/profiles-g-l/linux-check-removal
@@ -10,42 +10,16 @@ include <tunables/global>
 @{exec_path} = @{bin}/linux-check-removal
 profile linux-check-removal @{exec_path} flags=(complain) {
   include <abstractions/base>
-  include <abstractions/consoles>
-  include <abstractions/perl>
+  include <abstractions/common/debconf>
 
-  @{exec_path} r,
+  @{exec_path} rmix,
 
-  # Think what to do about this (#FIXME#)
-  /usr/share/debconf/frontend         rPx,
-  #/usr/share/debconf/frontend        rCx -> frontend,
+  @{sh_path}        rix,
+  @{bin}/stty       rix,
+  @{bin}/locale     rix,
+  @{bin}/whiptail   rPx,
 
-
-  profile frontend flags=(complain) {
-    include <abstractions/base>
-    include <abstractions/consoles>
-    include <abstractions/perl>
-    include <abstractions/nameservice-strict>
-
-    /usr/share/debconf/frontend r,
-
-    @{bin}/linux-check-removal rPx,
-
-    @{sh_path}        rix,
-    @{bin}/stty       rix,
-    @{bin}/locale     rix,
-
-    # The following is needed when debconf uses dialog/whiptail frontend.
-    @{bin}/whiptail   rPx,
-    owner @{tmp}/file* w,
-
-    /usr/share/debconf/confmodule r,
-
-    /etc/debconf.conf r,
-    owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk,
-    /usr/share/debconf/templates/adequate.templates r,
-
-    include if exists <local/linux-check-removal_frontend>
-  }
+  audit owner @{tmp}/file* w,
 
   include if exists <local/linux-check-removal>
 }
diff --git a/apparmor.d/profiles-g-l/linux-update-symlinks b/apparmor.d/profiles-g-l/linux-update-symlinks
new file mode 100644
index 000000000..b97a0305b
--- /dev/null
+++ b/apparmor.d/profiles-g-l/linux-update-symlinks
@@ -0,0 +1,25 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/linux-update-symlinks
+profile linux-update-symlinks @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/perl>
+
+  @{exec_path} mr,
+
+  /etc/kernel-img.conf r,
+
+  @{efi}/ r,
+  @{efi}/* rw,
+
+  include if exists <local/linux-update-symlinks>
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index d2c57b682..edf6789c7 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -216,6 +216,8 @@ libvirt-dbus complain
 libvirtd attach_disconnected,complain
 lightdm attach_disconnected,complain
 lightdm-session complain
+linux-check-removal  complain
+linux-update-symlinks complain
 locale-gen complain
 localectl complain
 localsearch complain