From 9c55d62b85c4d806b33813993d5831c8c3d3b72b Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Fri, 25 Jul 2025 00:56:31 +0200
Subject: [PATCH] fix: small ci fixes.

---
 Justfile                                      | 2 +-
 apparmor.d/groups/apt/dpkg-preconfigure       | 2 +-
 apparmor.d/groups/apt/dpkg-script-linux       | 2 ++
 apparmor.d/groups/apt/dpkg-scripts            | 6 ++----
 apparmor.d/profiles-g-l/gtk-update-icon-cache | 2 ++
 apparmor.d/profiles-s-z/ucf                   | 2 +-
 apparmor.d/profiles-s-z/ucfr                  | 9 +++++----
 7 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/Justfile b/Justfile
index db23ad587..e640a5a98 100644
--- a/Justfile
+++ b/Justfile
@@ -344,7 +344,7 @@ init:
 [group('tests')]
 [doc('Run the integration tests')]
 integration:
-	TERM=xterm bats --recursive --pretty --timing --print-output-on-failure tests/integration
+	bats --recursive --timing --print-output-on-failure tests/integration
 
 [group('tests')]
 [doc('Install dependencies for the integration tests (machine)')]
diff --git a/apparmor.d/groups/apt/dpkg-preconfigure b/apparmor.d/groups/apt/dpkg-preconfigure
index 66131c6e7..2e32af979 100644
--- a/apparmor.d/groups/apt/dpkg-preconfigure
+++ b/apparmor.d/groups/apt/dpkg-preconfigure
@@ -36,7 +36,7 @@ profile dpkg-preconfigure @{exec_path} {
   @{bin}/stty                  ix,
   @{bin}/tr                    ix,
   @{bin}/uniq                  ix,
-  @{bin}/which{,.debianutils}  ix,
+  @{bin}/which{,.debianutils} rix,
 
   @{bin}/apt-extracttemplates      Px,
   @{bin}/dpkg                      Px -> child-dpkg,
diff --git a/apparmor.d/groups/apt/dpkg-script-linux b/apparmor.d/groups/apt/dpkg-script-linux
index 24c6c74df..b294b928b 100644
--- a/apparmor.d/groups/apt/dpkg-script-linux
+++ b/apparmor.d/groups/apt/dpkg-script-linux
@@ -43,6 +43,8 @@ profile dpkg-script-linux @{exec_path} {
     include <abstractions/base>
     include <abstractions/app/systemctl>
 
+    capability net_admin,
+
     include if exists <local/dpkg-script-linux_systemctl>
   }
 
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
index 5743ab904..b262040f7 100644
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -62,10 +62,8 @@ profile dpkg-scripts @{exec_path} {
   @{bin}/ r,
   @{bin}/* w,
   @{lib}/ r,
-  @{lib}/@{python_name}/**/__pycache__/ w,
-  @{lib}/@{python_name}/**/__pycache__/**.pyc w,
-  @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w,
-  @{lib}/modules/*/.fresh-install w,
+  @{lib}/** w,
+  /opt/*/** rw,
 
   /etc/ r,
   /etc/** rw,
diff --git a/apparmor.d/profiles-g-l/gtk-update-icon-cache b/apparmor.d/profiles-g-l/gtk-update-icon-cache
index b1a6779ae..b709511e2 100644
--- a/apparmor.d/profiles-g-l/gtk-update-icon-cache
+++ b/apparmor.d/profiles-g-l/gtk-update-icon-cache
@@ -12,6 +12,8 @@ profile gtk-update-icon-cache @{exec_path} flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
 
+  capability fowner,
+
   @{exec_path} mr,
 
   @{system_share_dirs}/icons/{,**/} r,
diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf
index 9e459f261..59f2d40aa 100644
--- a/apparmor.d/profiles-s-z/ucf
+++ b/apparmor.d/profiles-s-z/ucf
@@ -14,7 +14,7 @@ profile ucf @{exec_path} {
   include <abstractions/consoles>
   include <abstractions/perl>
 
-  @{exec_path} r,
+  @{exec_path}          rix,
   @{sh_path}            rix,
 
   @{bin}/{,e}grep       rix,
diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr
index add5c5b64..4cc149a28 100644
--- a/apparmor.d/profiles-s-z/ucfr
+++ b/apparmor.d/profiles-s-z/ucfr
@@ -9,18 +9,19 @@ include <tunables/global>
 @{exec_path} = @{bin}/ucfr
 profile ucfr @{exec_path} {
   include <abstractions/base>
+  include <abstractions/consoles>
 
   @{exec_path} mr,
 
   @{sh_path}                     r,
-  @{bin}/basename               ix,
-  @{bin}/{m,g,}awk              ix,
-  @{bin}/getopt                 ix,
   @{bin}/{,e}grep               ix,
+  @{bin}/{m,g,}awk              ix,
+  @{bin}/basename               ix,
+  @{bin}/dirname                ix,
+  @{bin}/getopt                 ix,
   @{bin}/id                     ix,
   @{bin}/readlink               ix,
   @{bin}/sed                    ix,
-  @{bin}/dirname                ix,
 
   /usr/share/ucf/{,**} r,