From 99384e651373eb4d52db22ac3b581f43f2c90371 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Sun, 25 May 2025 23:47:44 +0200
Subject: [PATCH] feat(profile): improve the upgrade stack.

---
 apparmor.d/groups/cron/cron | 18 ++++++------------
 apparmor.d/groups/snap/snapd | 2 +-
 apparmor.d/profiles-m-r/needrestart | 8 ++++----
 apparmor.d/profiles-m-r/needrestart-hook | 2 +-
 apparmor.d/profiles-m-r/needrestart-notify | 9 ++++++---
 apparmor.d/profiles-m-r/needrestart-restart | 2 +-
 apparmor.d/profiles-m-r/pam-auth-update | 2 ++
 7 files changed, 21 insertions(+), 22 deletions(-)

diff --git a/apparmor.d/groups/cron/cron b/apparmor.d/groups/cron/cron
index 778dd2be8..eba78ac82 100644
--- a/apparmor.d/groups/cron/cron
+++ b/apparmor.d/groups/cron/cron
@@ -25,20 +25,14 @@ profile cron @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- ptrace (read) peer=unconfined,
-
- unix bind type=stream addr=@@{udbus}/bus/cron/system,
-
 @{exec_path} mr,
- @{sh_path} rix,
- @{bin}/nice rix,
- @{bin}/ionice rix,
- @{bin}/exim4 rPx,
- @{bin}/run-parts rCx -> run-parts, # could even be rix, as long as we are not
- # using the run-parts profile we are good
-
- @{lib}/sysstat/debian-sa1 rPx,
+ @{sh_path} rix,
+ @{bin}/exim4 rPx,
+ @{bin}/ionice rix,
+ @{bin}/nice rix,
+ @{bin}/run-parts rCx -> run-parts,
+ @{lib}/sysstat/debian-sa1 rPx,
 /etc/cron.d/{,*} r,
 /etc/crontab r,
diff --git a/apparmor.d/groups/snap/snapd b/apparmor.d/groups/snap/snapd
index b65283987..0eb3adb8c 100644
--- a/apparmor.d/groups/snap/snapd
+++ b/apparmor.d/groups/snap/snapd
@@ -50,7 +50,7 @@ profile snapd @{exec_path} {
 ptrace read peer=@{p_systemd},
 ptrace read peer=snap{,.*},
- signal send set=kill peer=journalctl,
+ signal send set=kill peer=snapd//journalctl,
 dbus send bus=system path=/org/freedesktop/ interface=org.freedesktop.login1.Manager
diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 9b731fd64..f9e2c6ebc 100644
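Review bot: The rationale comment on `@{bin}/run-parts rCx -> run-parts,` was dropped when the exec rules were re-sorted, so the new line no longer says why a child profile is used instead of `rix`; keep a one-line comment such as `# child profile; rix would do as long as the run-parts profile is not relied upon`. The hunk also removes `ptrace (read) peer=unconfined,` and the `unix bind type=stream addr=@@{udbus}/bus/cron/system,` rule, and the commit message ("improve the upgrade stack") does not say whether these were unused or are now covered elsewhere; if cron still needs either, the loss will only surface as audit denials, so a word in the description or a comment next to the remaining rules would help. The cron profile body continues outside the hunk.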
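Review bot: `signal send set=kill peer=snapd//journalctl,` only fixes the sending side; AppArmor also mediates the receiver, so the `journalctl` child profile of snapd (not in this hunk) needs a matching `signal receive set=kill peer=snapd,` or the kill is still denied there. The new label also presumes snapd reaches journalctl through a `rCx -> journalctl` transition with a child profile of exactly that name; if the child is named differently the peer never matches. The snapd profile continues outside the hunk.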
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -14,7 +14,6 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 capability checkpoint_restore,
 capability dac_read_search,
- capability kill,
 capability sys_ptrace,
 ptrace read,
@@ -27,13 +26,14 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
 @{bin}/systemctl rCx -> systemctl,
 @{bin}/systemd-detect-virt rPx,
 @{bin}/udevadm rCx -> udevadm,
+ @{bin}/who rPx,
 @{lib}/needrestart/* rPx,
 @{python_path} rix,
 @{sbin}/unix_chkpwd rPx,
- /etc/needrestart/hook.d/* rPx,
- /etc/needrestart/notify.d/* rPx,
- /etc/needrestart/restart.d/* rPx,
+ @{etc_ro}/needrestart/hook.d/* rPx,
+ @{etc_ro}/needrestart/notify.d/* rPx,
+ @{etc_ro}/needrestart/restart.d/* rPx,
 /etc/init.d/* r,
 /etc/needrestart/{,**} r,
diff --git a/apparmor.d/profiles-m-r/needrestart-hook b/apparmor.d/profiles-m-r/needrestart-hook
index fa77834e8..c8c9a12c4 100644
--- a/apparmor.d/profiles-m-r/needrestart-hook
+++ b/apparmor.d/profiles-m-r/needrestart-hook
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /etc/needrestart/hook.d/*
+@{exec_path} = @{etc_ro}/needrestart/hook.d/*
 profile needrestart-hook @{exec_path} {
 include
 include
diff --git a/apparmor.d/profiles-m-r/needrestart-notify b/apparmor.d/profiles-m-r/needrestart-notify
index dc4a30c69..41fa96c4c 100644
--- a/apparmor.d/profiles-m-r/needrestart-notify
+++ b/apparmor.d/profiles-m-r/needrestart-notify
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /etc/needrestart/notify.d/*
+@{exec_path} = @{etc_ro}/needrestart/notify.d/*
 profile needrestart-notify @{exec_path} {
 include
@@ -18,8 +18,11 @@ profile needrestart-notify @{exec_path} {
 @{exec_path} mr,
 @{sh_path} r,
- @{bin}/gettext.sh r,
- @{bin}/sed ix,
+ @{bin}/fold ix,
+ @{bin}/gettext.sh r,
+ @{bin}/mail Px,
+ @{bin}/notify-send Px,
+ @{bin}/sed ix,
 /etc/needrestart/notify.conf r,
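Review bot: The exec rules now read `@{etc_ro}/needrestart/{hook,notify,restart}.d/* rPx,` while the read rules two lines below, `/etc/init.d/* r,` and `/etc/needrestart/{,**} r,`, still use bare `/etc` (the same split appears in needrestart-notify, whose `/etc/needrestart/notify.conf r,` is unchanged); `@{etc_ro}` is defined outside this patch, and if it expands to anything beyond `/etc` the profile can execute hooks from a directory whose neighbouring config it cannot read, so `@{etc_ro}/needrestart/{,**} r,` would keep the two in step. `@{bin}/who rPx,` transitions without a fallback and therefore relies on a `who` profile existing in the project; the same applies to `@{bin}/mail Px,` and `@{bin}/notify-send Px,` added in needrestart-notify, where a missing profile turns the exec into a denial rather than a degraded run. The needrestart profile body continues outside the hunk.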
diff --git a/apparmor.d/profiles-m-r/needrestart-restart b/apparmor.d/profiles-m-r/needrestart-restart
index 2fc79b70c..b9e648602 100644
--- a/apparmor.d/profiles-m-r/needrestart-restart
+++ b/apparmor.d/profiles-m-r/needrestart-restart
@@ -6,7 +6,7 @@ abi ,
 include
-@{exec_path} = /etc/needrestart/restart.d/*
+@{exec_path} = @{etc_ro}/needrestart/restart.d/*
 profile needrestart-restart @{exec_path} {
 include
diff --git a/apparmor.d/profiles-m-r/pam-auth-update b/apparmor.d/profiles-m-r/pam-auth-update
index 5e0cbaaf4..90cc6a4ba 100644
--- a/apparmor.d/profiles-m-r/pam-auth-update
+++ b/apparmor.d/profiles-m-r/pam-auth-update
@@ -20,7 +20,9 @@ profile pam-auth-update @{exec_path} flags=(complain) {
 /usr/share/pam{,-configs}/{,*} r,
 /etc/pam.d/* rw,
+ /etc/shadow r,
+ /var/lib/dpkg/info/libpam-runtime.templates r,
 /var/lib/pam/* rw,
 include if exists