From 7f684ee5ddd420231cf92381e3e86b9f52468456 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Thu, 29 May 2025 23:29:52 +0200
Subject: [PATCH] feat(profile): integrate fsp with apt and ubuntu.

---
 apparmor.d/groups/apt/apt-methods-http         | 5 +++--
 apparmor.d/groups/apt/dpkg-script-apparmor     | 1 +
 apparmor.d/groups/apt/dpkg-script-systemd      | 3 +++
 apparmor.d/groups/apt/dpkg-scripts             | 3 +++
 apparmor.d/groups/apt/unattended-upgrade       | 2 ++
 apparmor.d/groups/ubuntu/cron-ubuntu-fan       | 8 +-------
 apparmor.d/groups/ubuntu/update-notifier-crash | 9 +++++++++
 7 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http
index 0b375c8f8..7fb3a2cc4 100644
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@@ -8,7 +8,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{lib}/apt/methods/http{,s}
-profile apt-methods-http @{exec_path} {
+profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
@@ -23,10 +23,11 @@ profile apt-methods-http @{exec_path} {
   network inet6 stream,
   network netlink raw,
 
+  signal receive peer=@{p_apt_news},
+  signal receive peer=@{p_packagekitd},
   signal receive peer=apt-get,
   signal receive peer=apt,
   signal receive peer=aptitude,
-  signal receive peer=@{p_packagekitd},
   signal receive peer=role_*,
   signal receive peer=synaptic,
   signal receive peer=ubuntu-advantage,
diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor
index 73b14390a..e9a03f282 100644
--- a/apparmor.d/groups/apt/dpkg-script-apparmor
+++ b/apparmor.d/groups/apt/dpkg-script-apparmor
@@ -30,6 +30,7 @@ profile dpkg-script-apparmor @{exec_path} {
   /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
 
   /var/lib/dpkg/info/*.list r,
+  /var/lib/dpkg/info/format r,
   /var/lib/dpkg/status r,
   /var/lib/dpkg/triggers/File r,
   /var/lib/dpkg/triggers/Unincorp r,
diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd
index 4acafd139..8ca92515c 100644
--- a/apparmor.d/groups/apt/dpkg-script-systemd
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
@@ -32,6 +32,9 @@ profile dpkg-script-systemd @{exec_path} {
   /etc/systemd/system/*.wants/ rw,
   /etc/systemd/system/*.wants/* rw,
 
+  /etc/pam.d/sed@{rand6} rw,
+  /etc/pam.d/common-password  rw,
+
   /var/lib/systemd/{,*} rw,
   /var/log/journal/ rw,
 
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
index 4fb4d04c4..3102b23bb 100644
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -47,6 +47,7 @@ profile dpkg-scripts @{exec_path} {
   @{sbin}/update-rc.d                             Cx -> rc,
 
   # Maintainer scripts can legitimately start/restart anything
+  # PU is only used as a safety fallback.
   @{bin}/**                                       PUx,
   @{sbin}/**                                      PUx,
   @{lib}/**                                       PUx,
@@ -75,6 +76,8 @@ profile dpkg-scripts @{exec_path} {
     include <abstractions/app/bus>
     include <abstractions/bus-system>
 
+    capability dac_read_search,
+
     dbus send bus=system path=/
          interface=org.freedesktop.DBus
          member=ReloadConfig
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index 95b8b2760..c2d94e25a 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -30,6 +30,8 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   capability setuid,
   capability sys_nice,
 
+  network inet dgram,
+  network inet6 dgram,
   network netlink raw,
 
   signal send peer=apt-methods-http,
diff --git a/apparmor.d/groups/ubuntu/cron-ubuntu-fan b/apparmor.d/groups/ubuntu/cron-ubuntu-fan
index 8f5952d9b..3ca55909d 100644
--- a/apparmor.d/groups/ubuntu/cron-ubuntu-fan
+++ b/apparmor.d/groups/ubuntu/cron-ubuntu-fan
@@ -15,20 +15,14 @@ profile cron-ubuntu-fan @{exec_path} {
   @{exec_path} mr,
 
   @{sh_path}         rix,
-  @{sbin}/fanctl     rix,
-  @{bin}/flock       rix,
+  @{sbin}/fanctl     rPx,
   @{bin}/grep        rix,
-  @{bin}/id          rix,
   @{sbin}/ip         rix,
   @{bin}/mkdir       rix,
   @{bin}/sed         rix,
-  @{bin}/touch       rix,
 
   /etc/network/fan r,
 
-  @{run}/ubuntu-fan/ rw,
-  @{run}/ubuntu-fan/.lock rwk,
-
   include if exists <local/cron-ubuntu-fan>
 }
 
diff --git a/apparmor.d/groups/ubuntu/update-notifier-crash b/apparmor.d/groups/ubuntu/update-notifier-crash
index b3cbf7f07..3ad03eb05 100644
--- a/apparmor.d/groups/ubuntu/update-notifier-crash
+++ b/apparmor.d/groups/ubuntu/update-notifier-crash
@@ -12,8 +12,17 @@ profile update-notifier-crash @{exec_path} {
 
   @{exec_path} mr,
 
+  @{bin}/systemctl Cx -> systemctl,
+
   /usr/share/apport/apport-checkreports Px,
 
+  profile systemctl {
+    include <abstractions/base>
+    include <abstractions/app/systemctl>
+  
+    include if exists <local/update-notifier-crash_systemctl>
+  }
+
   include if exists <local/update-notifier-crash>
 }