From af74cfd2cab96c13fcf024b7687b1edb073786ae Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sun, 25 May 2025 01:21:12 +0200
Subject: [PATCH] feat(profile): update ucf profiles.

---
 apparmor.d/profiles-s-z/ucf  | 11 ++++++++++-
 apparmor.d/profiles-s-z/ucfq | 26 +++++++++++++++++++++++++
 apparmor.d/profiles-s-z/ucfr | 37 ++++++++++++++++++++++++++++++++++++
 dists/flags/main.flags       |  2 ++
 4 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 apparmor.d/profiles-s-z/ucfq
 create mode 100644 apparmor.d/profiles-s-z/ucfr

diff --git a/apparmor.d/profiles-s-z/ucf b/apparmor.d/profiles-s-z/ucf
index 86d94c7a1..0a7b992b6 100644
--- a/apparmor.d/profiles-s-z/ucf
+++ b/apparmor.d/profiles-s-z/ucf
@@ -39,7 +39,7 @@ profile ucf @{exec_path} {
   @{bin}/dpkg-divert    rPx,
   @{pager_path}         rCx -> child-pager,
 
-  /usr/share/debconf/frontend     rPx, # TODO: rCx -> debonc-frontend,
+  /usr/share/debconf/frontend  Cx -> debconf,
 
   # For md5sum
   /usr/share/** r,
@@ -55,6 +55,15 @@ profile ucf @{exec_path} {
 
   owner /tmp/tmp.@{rand10} r,
 
+  deny capability sys_admin, # optional: no audit
+
+  profile debconf {
+    include <abstractions/base>
+    include <abstractions/common/debconf>
+
+    include if exists <local/ucf_debconf>
+  }
+
   include if exists <local/ucf>
 }
 
diff --git a/apparmor.d/profiles-s-z/ucfq b/apparmor.d/profiles-s-z/ucfq
new file mode 100644
index 000000000..b6ca3e7b1
--- /dev/null
+++ b/apparmor.d/profiles-s-z/ucfq
@@ -0,0 +1,26 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/ucfq
+profile ucfq @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{bin}/md5sum         rix,
+
+  /etc/ r,
+  /etc/default/ r,
+  /etc/default/grub r,
+
+  /var/lib/ucf/* r,
+
+  include if exists <local/ucfq>
+}
+
+# vim:syntax=apparmor
diff --git a/apparmor.d/profiles-s-z/ucfr b/apparmor.d/profiles-s-z/ucfr
new file mode 100644
index 000000000..b38f8aae4
--- /dev/null
+++ b/apparmor.d/profiles-s-z/ucfr
@@ -0,0 +1,37 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/ucfr
+profile ucfr @{exec_path} {
+  include <abstractions/base>
+
+  @{exec_path} mr,
+
+  @{sh_path}                     r,
+  @{bin}/basename               ix,
+  @{bin}/{m,g,}awk              ix,
+  @{bin}/getopt                 ix,
+  @{bin}/grep                   ix,
+  @{bin}/id                     ix,
+  @{bin}/readlink               ix,
+  @{bin}/sed                    ix,
+  @{bin}/dirname                ix,
+
+  /usr/share/ucf/{,**} r,
+
+  /etc/ucf.conf r,
+
+  / r,
+
+  /var/lib/ucf/ r,
+  /var/lib/ucf/registry r,
+
+  include if exists <local/ucfr>
+}
+
+# vim:syntax=apparmor
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 592b681e5..e88409583 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -368,6 +368,8 @@ telegram-desktop complain
 totem attach_disconnected,complain
 tracker-writeback complain
 ucf complain
+ucfq complain
+ucfr complain
 udev-ata_id complain
 udev-bcache-export-cached complain
 udev-cdrom_id complain