From 83b5b08c7e9c6e7456a314342648dbcec3fe6ca0 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 25 May 2025 15:07:27 +0200
Subject: [PATCH] feat(profile): add debconf-escape, update dpkg-scripts.

---
 apparmor.d/groups/apt/debconf-escape | 19 +++++++++++++++++++
 apparmor.d/groups/apt/dpkg-scripts   | 15 ++++++++++++++-
 dists/flags/main.flags               |  1 +
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/groups/apt/debconf-escape

diff --git a/apparmor.d/groups/apt/debconf-escape b/apparmor.d/groups/apt/debconf-escape
new file mode 100644
index 000000000..c64401bb0
--- /dev/null
+++ b/apparmor.d/groups/apt/debconf-escape
@@ -0,0 +1,19 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/debconf-escape
+profile debconf-escape @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/perl>
+
+  @{exec_path} mr,
+
+  include if exists <local/debconf-escape>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
index f1c56bd49..e18ab78de 100644
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -26,11 +26,12 @@ profile dpkg-scripts @{exec_path} {
   @{coreutils_path}                              rix,
   @{bin}/run-parts                               rix,
 
-  @{bin}/setpriv                                  ix,
   @{bin}/envsubst                                 ix,
+  @{bin}/file                                     ix,
   @{bin}/getent                                   ix,
   @{bin}/gzip                                     ix,
   @{bin}/helpztags                                ix,
+  @{bin}/setpriv                                  ix,
   @{bin}/tput                                     ix,
   @{bin}/zcat                                     ix,
   @{lib}/ubuntu-advantage/cloud-id-shim.sh        ix,
@@ -97,6 +98,18 @@ profile dpkg-scripts @{exec_path} {
     capability sys_ptrace,
     capability sys_resource,
 
+    @{bin}/systemd-tty-ask-password-agent  Px,
+    @{pager_path}                          Px -> child-pager,
+
+    /{run,var}/log/journal/ r,
+    /{run,var}/log/journal/@{hex32}/ r,
+    /{run,var}/log/journal/@{hex32}/system.journal* r,
+    /{run,var}/log/journal/@{hex32}/system@@{hex}-@{hex}.journal* r,
+    /{run,var}/log/journal/@{hex32}/system@@{hex32}-@{hex16}-@{hex16}.journal* r,
+    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* r,
+    /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex}-@{hex}.journal* r,
+    /{run,var}/log/journal/@{hex32}/user-@{uid}@@{hex32}-@{hex16}-@{hex16}.journal* r,
+
     @{run}/utmp rk,
 
     include if exists <local/dpkg-scripts_systemctl>
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index c0af4fc77..6c29eba15 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -77,6 +77,7 @@ cupsd attach_disconnected,complain
 ddcutil complain
 deb-systemd-helper complain
 deb-systemd-invoke complain
+debconf-escape complain
 decibels complain
 dino attach_disconnected,complain
 discord complain