From 8c66d39a1e64c721ebb6f6c1421922d70abc0e3c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 14 Sep 2025 20:39:38 +0200
Subject: [PATCH] feat(profile): merge dpkg-script-* profile into dpkg-scripts.

---
 apparmor.d/groups/apt/dpkg-script-apparmor | 74 ---------------------
 apparmor.d/groups/apt/dpkg-script-kmod     | 18 -----
 apparmor.d/groups/apt/dpkg-script-linux    | 56 ----------------
 apparmor.d/groups/apt/dpkg-script-systemd  | 77 ----------------------
 apparmor.d/groups/apt/dpkg-scripts         |  5 +-
 5 files changed, 4 insertions(+), 226 deletions(-)
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-apparmor
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-kmod
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-linux
 delete mode 100644 apparmor.d/groups/apt/dpkg-script-systemd

diff --git a/apparmor.d/groups/apt/dpkg-script-apparmor b/apparmor.d/groups/apt/dpkg-script-apparmor
deleted file mode 100644
index 73a4f6c46..000000000
--- a/apparmor.d/groups/apt/dpkg-script-apparmor
+++ /dev/null
@@ -1,74 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-# TODO: merge with dpkg-scripts
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = /var/lib/dpkg/info/apparmor*
-profile dpkg-script-apparmor @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/common/debconf>
-
-  capability dac_read_search,
-
-  @{exec_path} mrix,
-
-  @{bin}/{,e}grep   ix,
-  @{bin}/cat        ix,
-  @{bin}/chmod      ix,
-  @{bin}/mkdir      ix,
-
-  @{bin}/deb-systemd-helper  Px,
-  @{bin}/dpkg-maintscript-helper Px,
-  @{bin}/dpkg                Px -> child-dpkg,
-  @{bin}/deb-systemd-invoke  Px,
-  @{bin}/dpkg-divert         ix,
-  @{bin}/systemctl           Cx -> systemctl,
-  @{sbin}/apparmor_parser    Px,
-
-  /usr/share/apparmor.d/** rw,
-
-  /etc/apparmor.d/** rw,
-
-  /var/lib/dpkg/diversions rw,
-  /var/lib/dpkg/diversions-new rw,
-  /var/lib/dpkg/diversions-old rwl -> /var/lib/dpkg/diversions,
-
-  /var/lib/dpkg/info/*.list r,
-  /var/lib/dpkg/info/format r,
-  /var/lib/dpkg/status r,
-  /var/lib/dpkg/triggers/File r,
-  /var/lib/dpkg/triggers/Unincorp r,
-  /var/lib/dpkg/updates/ r,
-  /var/lib/dpkg/updates/@{int} r,
-
-  profile systemctl {
-    include <abstractions/base>
-    include <abstractions/app/systemctl>
-
-    capability net_admin,
-    capability sys_resource,
-    capability dac_override,
-    capability dac_read_search,
-
-    signal send set=(cont term) peer=systemd-tty-ask-password-agent,
-
-    @{bin}/systemd-tty-ask-password-agent rix,
-
-    @{run}/user/@{uid}/systemd/ask-password/ rw,
-    @{run}/user/@{uid}/systemd/ask-password-block/{,*} rw,
-
-    owner @{run}/systemd/ask-password/ rw,
-    owner @{run}/systemd/ask-password-block/{,*} rw,
-
-    include if exists <local/dpkg-script-apparmor_systemctl>
-  }
-
-  include if exists <local/dpkg-script-apparmor>
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-script-kmod b/apparmor.d/groups/apt/dpkg-script-kmod
deleted file mode 100644
index f900bba17..000000000
--- a/apparmor.d/groups/apt/dpkg-script-kmod
+++ /dev/null
@@ -1,18 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = /var/lib/dpkg/info/kmod*
-profile dpkg-script-kmod @{exec_path} {
-  include <abstractions/base>
-
-  @{exec_path} mrix,
-
-  include if exists <local/dpkg-script-kmod>
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux
deleted file mode 100644
index af578be50..000000000
--- a/apparmor.d/groups/apt/dpkg-script-linux
+++ /dev/null
@@ -1,56 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = /var/lib/dpkg/info/linux*
-profile dpkg-script-linux @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/common/debconf>
-
-  capability dac_read_search,
-
-  @{exec_path} mrix,
-
-  @{bin}/cat         ix,
-  @{bin}/mkdir       ix,
-  @{bin}/rm          ix,
-  @{bin}/run-parts   ix,
-  @{bin}/stty        ix,
-
-  @{bin}/deb-systemd-helper       Px,
-  @{bin}/deb-systemd-invoke       Px,
-  @{bin}/dpkg-maintscript-helper  Px,
-  @{bin}/dpkg-trigger             Px,
-  @{bin}/kmod                     Px,
-  @{bin}/linux-check-removal      Px,
-  @{bin}/linux-update-symlinks    Px,
-  @{bin}/systemctl                Cx -> systemctl,
-
-  /usr/share/{update,reboot}-notifier/notify-reboot-required  Px,
-  /etc/kernel/{,header_}postinst.d/*                          Px,
-  /etc/kernel/postrm.d/*                                      Px,
-  /etc/kernel/preinst.d/*                                     Px,
-  /etc/kernel/prerm.d/*                                       Px,
-
-  /etc/kernel/*.d/ r,
-
-  @{lib}/linux/triggers/* w,
-  @{lib}/modules/*/.fresh-install w,
-
-  profile systemctl {
-    include <abstractions/base>
-    include <abstractions/app/systemctl>
-
-    capability net_admin,
-
-    include if exists <local/dpkg-script-linux_systemctl>
-  }
-
-  include if exists <local/dpkg-script-linux>
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd
deleted file mode 100644
index 6c76e6f70..000000000
--- a/apparmor.d/groups/apt/dpkg-script-systemd
+++ /dev/null
@@ -1,77 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi <abi/4.0>,
-
-include <tunables/global>
-
-@{exec_path} = /var/lib/dpkg/info/systemd*
-profile dpkg-script-systemd @{exec_path} {
-  include <abstractions/base>
-  include <abstractions/common/debconf>
-
-  capability dac_read_search,
-
-  @{exec_path} mrix,
-
-  @{coreutils_path}               rix,
-  @{bin}/bootctl                   Px,
-  @{bin}/deb-systemd-helper        Px,
-  @{bin}/deb-systemd-invoke        Px,
-  @{bin}/dpkg                      Cx -> dpkg,
-  @{bin}/dpkg-divert               Px,
-  @{bin}/dpkg-maintscript-helper   Px,
-  @{bin}/journalctl                Px,
-  @{bin}/kernel-install          mrPx,
-  @{bin}/systemctl                 Cx -> systemctl,
-  @{bin}/systemd-machine-id-setup  Px,
-  @{bin}/systemd-sysusers          Px,
-  @{bin}/systemd-tmpfiles          Px,
-  @{lib}/systemd/systemd-sysctl    Px,
-  @{sbin}/pam-auth-update          Px,
-
-  /etc/systemd/system/*.wants/ rw,
-  /etc/systemd/system/*.wants/* rw,
-
-  /etc/pam.d/sed@{rand6} rw,
-  /etc/pam.d/common-password  rw,
-
-  @{efi}/ r,
-
-  /var/lib/systemd/{,*} rw,
-  /var/log/journal/ rw,
-
-  profile dpkg {
-    include <abstractions/base>
-    include <abstractions/consoles>
-    include <abstractions/common/apt>
-
-    capability dac_read_search,
-
-    @{bin}/dpkg mr,
-
-    /etc/dpkg/dpkg.cfg r,
-    /etc/dpkg/dpkg.cfg.d/{,*} r,
-
-    include if exists <local/dpkg-script-systemd_dpkg>
-  }
-
-  profile systemctl {
-    include <abstractions/base>
-    include <abstractions/app/systemctl>
-
-    capability net_admin,
-    capability sys_resource,
-
-    signal send set=(cont term) peer=systemd-tty-ask-password-agent,
-
-    @{bin}/systemd-tty-ask-password-agent Px,
-
-    include if exists <local/dpkg-script-systemd_systemctl>
-  }
-
-  include if exists <local/dpkg-script-systemd>
-}
-
-# vim:syntax=apparmor
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
index acde577de..2434c9db9 100644
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -63,8 +63,10 @@ profile dpkg-scripts @{exec_path} {
   /*/ r,
   @{bin}/ r,
   @{bin}/* w,
+  @{sbin}/ r,
+  @{sbin}/* w,
   @{lib}/ r,
-  @{lib}/** w,
+  @{lib}/** wl -> @{lib}/**,
   /opt/*/** rw,
 
   #aa:lint ignore=too-wide
@@ -80,6 +82,7 @@ profile dpkg-scripts @{exec_path} {
   /tmp/grub.@{rand10} rw,
   /tmp/sed@{rand6} rw,
   /tmp/tmp.@{rand10} rw,
+  /tmp/updateppds.@{rand6} rw,
 
   @{PROC}/@{pid}/fd/ r,
   @{PROC}/@{pid}/mountinfo r,