From c2633c2fae895e0863afe5c5c369b4026d30ca6c Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Thu, 13 Mar 2025 19:15:22 +0100
Subject: [PATCH] feat(profile): update apt profiles.
---
 apparmor.d/groups/apt/apt | 12 ++++++++-
 apparmor.d/groups/apt/command-not-found | 9 ++++---
 apparmor.d/groups/apt/dpkg | 36 ++++++++++---------------
 apparmor.d/groups/children/child-dpkg | 2 +-
 4 files changed, 31 insertions(+), 28 deletions(-)
diff --git a/apparmor.d/groups/apt/apt b/apparmor.d/groups/apt/apt
index cbf1c4f9f..b207c7ec2 100644
--- a/apparmor.d/groups/apt/apt
+++ b/apparmor.d/groups/apt/apt
@@ -13,7 +13,6 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
- include
 include
 include
 include
@@ -37,11 +36,22 @@ profile apt @{exec_path} flags=(attach_disconnected) {
 unix bind type=stream addr=@@{udbus}/bus/apt-get/system,
 unix bind type=stream addr=@@{udbus}/bus/apt/system,
+ unix type=stream peer=(label=snap),
 unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
 unix (send, receive) type=stream peer=(label=snapd),
 #aa:dbus own bus=system name=org.debian.apt
+ #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd
+ dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.DBus.Introspectable member=Introspect peer=(name=org.freedesktop.PackageKit),
+ dbus send bus=system path=/org/freedesktop/PackageKit interface=org.freedesktop.PackageKit member=StateHasChanged peer=(name=org.freedesktop.PackageKit),
+ dbus send bus=system path=/org/freedesktop/DBus/Bus interface=org.freedesktop.DBus member={GetConnectionUnixProcessID,GetConnectionUnixUser}
diff --git a/apparmor.d/groups/apt/command-not-found b/apparmor.d/groups/apt/command-not-found
index ee8e3bcb5..e48ff12b6 100644
--- a/apparmor.d/groups/apt/command-not-found
+++ b/apparmor.d/groups/apt/command-not-found
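Review bot: The new `unix type=stream peer=(label=snap),` rule carries no access list, so it allows every unix-socket access applicable to that peer (connect, accept, send, receive, …), whereas the two neighbouring rules for apt-esm-json-hook and snapd are limited to `(send, receive)`. Unless apt needs more than a client exchange with snap, narrow it to match its siblings: `unix (send, receive) type=stream peer=(label=snap),`. The hand-written PackageKit `dbus send` rules also match only `peer=(name=org.freedesktop.PackageKit)` while the `#aa:dbus talk` directive above them records `label=packagekitd`; if the directive's generated rules do not supersede these lines, consider adding `label=packagekitd` to their peer condition so that only the confined PackageKit daemon satisfies the match. The dbus continuation lines appear collapsed in this rendering; the profile body continues outside the hunk.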
@@ -17,15 +17,16 @@ profile command-not-found @{exec_path} {
 include
 include
+ capability dac_read_search,
+ @{exec_path} r,
 @{python_path} r,
- @{bin}/lsb_release rPx -> lsb_release,
- @{bin}/snap rPx,
-
- @{lib}/@{python_name}/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
+ @{bin}/lsb_release rPx -> lsb_release,
+ @{bin}/snap rPx,
 @{lib}/ r,
+ @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} w,
 /usr/share/command-not-found/{,**} r,
diff --git a/apparmor.d/groups/apt/dpkg b/apparmor.d/groups/apt/dpkg
index 6d47e748b..1a01a72f6 100644
--- a/apparmor.d/groups/apt/dpkg
+++ b/apparmor.d/groups/apt/dpkg
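Review bot: `capability dac_read_search,` is added without a comment naming the access whose denial motivated it; it lets the confined process bypass DAC read and search checks on any file the profile's path rules already allow, which is a wide grant for a shell hook that otherwise only reads its own data and writes `__pycache__` files. The only other new read rule in the hunk is `@{lib}/ r,`, so it is not visible here what still needs the capability; add a why-comment above it, e.g. `# <path> is unreadable for the invoking user — TODO confirm the capability is still needed` (placeholder, the path is not on the page), or drop the capability if the widened `{,**/}__pycache__` glob was the actual fix. The reordered `rPx` lines and the new glob themselves look correct; the profile body continues outside the hunk.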
@@ -21,34 +21,26 @@ profile dpkg @{exec_path} {
 @{exec_path} mr,
- @{sh_path} rix,
- @{bin}/cat rix,
- @{bin}/rm rix,
+ @{sh_path} rix,
+ @{bin}/cat rix,
+ @{bin}/deb-systemd-helper rix,
+ @{bin}/deb-systemd-invoke rix,
+ @{bin}/rm rix,
- @{bin}/deb-systemd-helper rix,
- @{bin}/deb-systemd-invoke rix,
- @{bin}/dpkg-deb rpx,
- @{bin}/dpkg-query rpx,
- @{bin}/dpkg-split rPx,
- @{bin}/systemctl rCx -> systemctl,
- @{lib}/needrestart/dpkg-status rPx,
+ @{bin}/dpkg-deb rpx,
+ @{bin}/dpkg-query rpx,
+ @{bin}/dpkg-split rpx,
+ @{bin}/systemctl rCx -> systemctl,
+ @{lib}/needrestart/dpkg-status rPx,
 /usr/share/debian-security-support/check-support-status.hook rPx,
 @{pager_path} rPx -> child-pager,
 # Package maintainer's scripts
- /var/lib/dpkg/info/*.{config,templates} rPUx,
- /var/lib/dpkg/info/*.{preinst,postinst} rPUx,
- /var/lib/dpkg/info/*.{prerm,postrm} rPUx,
- /var/lib/dpkg/tmp.ci/{config,templates} rPUx,
- /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
- /var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx,
- #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts,
- #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
- #/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts,
- #/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts,
- #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
- #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts,
+ /var/lib/dpkg/info/*.@{dpkg_script_ext} rPUx,
+ /var/lib/dpkg/info/*.control r,
+
+ /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} rPUx,
 # For shell pwd
 /root/ r,
diff --git a/apparmor.d/groups/children/child-dpkg b/apparmor.d/groups/children/child-dpkg
index 24df581f9..0a97bacd2 100644
--- a/apparmor.d/groups/children/child-dpkg
+++ b/apparmor.d/groups/children/child-dpkg
@@ -14,7 +14,7 @@ abi ,
 include
 @{exec_path} = @{bin}/dpkg
-profile child-dpkg {
+profile child-dpkg flags=(attach_disconnected) {
 include
 include
 include
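Review bot: `@{bin}/dpkg-split rPx,` becomes `@{bin}/dpkg-split rpx,`, which drops environment scrubbing on the transition into the dpkg-split profile; this matches the `rpx` already used for dpkg-deb and dpkg-query, but neither the hunk nor the commit message says why dpkg's environment must be passed through, so a one-line comment on that group, e.g. `# dpkg-* helpers rely on dpkg's environment, hence px (no scrubbing)`, would record the intent. Collapsing the six maintainer-script rules into `/var/lib/dpkg/info/*.@{dpkg_script_ext} rPUx,` and `/var/lib/dpkg/tmp.ci/@{dpkg_script_ext} rPUx,` keeps the `rPUx` fallback to unconfined, so the rewrite is only equivalent if `@{dpkg_script_ext}`, which is defined outside this hunk, expands to exactly `{config,templates,preinst,postinst,prerm,postrm}`; any extra element in that tunable silently widens the unconfined fallback, so it is worth checking. The body of profile dpkg continues outside the hunk.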
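Review bot: `profile child-dpkg flags=(attach_disconnected) {` adds the flag without a comment recording which disconnected path (a file left open across a mount-namespace change, typically) triggered it; with the flag, such paths are treated as rooted at `/` and so become matchable by the profile's ordinary path rules, which can widen a profile unnoticed. Add a note above the profile line, e.g. `# attach_disconnected: needed for <disconnected path from the denial> — TODO confirm` (placeholder, the path is not on the page), so the next reviewer can tell whether it is still required. The include lines in the hunk have lost their arguments in this rendering, and the profile body continues outside the hunk.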