feat(profile): update apt profiles.

apparmor.d/groups/apt/apt

@@ -13,7 +13,6 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   include <abstractions/common/apt>
   include <abstractions/bus-system>
   include <abstractions/bus/org.freedesktop.login1>
-  include <abstractions/bus/org.freedesktop.PackageKit>
   include <abstractions/bus/org.freedesktop.PolicyKit1>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>
@@ -37,11 +36,22 @@ profile apt @{exec_path} flags=(attach_disconnected) {
   unix bind type=stream addr=@@{udbus}/bus/apt-get/system,
   unix bind type=stream addr=@@{udbus}/bus/apt/system,
 
+  unix                 type=stream peer=(label=snap),
   unix (send, receive) type=stream peer=(label=apt-esm-json-hook),
   unix (send, receive) type=stream peer=(label=snapd),
 
   #aa:dbus own bus=system name=org.debian.apt
 
+  #aa:dbus talk bus=system name=org.freedesktop.PackageKit label=packagekitd
+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.DBus.Introspectable
+       member=Introspect
+       peer=(name=org.freedesktop.PackageKit),
+  dbus send bus=system path=/org/freedesktop/PackageKit
+       interface=org.freedesktop.PackageKit
+       member=StateHasChanged
+       peer=(name=org.freedesktop.PackageKit),
+
   dbus send bus=system path=/org/freedesktop/DBus/Bus
        interface=org.freedesktop.DBus
        member={GetConnectionUnixProcessID,GetConnectionUnixUser}

apparmor.d/groups/apt/command-not-found

@@ -17,15 +17,16 @@ profile command-not-found @{exec_path} {
   include <abstractions/nameservice-strict>
   include <abstractions/python>
 
+  capability dac_read_search,
+
   @{exec_path} r,
   @{python_path} r,
 
   @{bin}/lsb_release  rPx -> lsb_release,
   @{bin}/snap         rPx,
 
-  @{lib}/@{python_name}/dist-packages/CommandNotFound/**/__pycache__/*.cpython-@{int}.pyc.@{int} w,
-
   @{lib}/ r,
+  @{lib}/@{python_name}/dist-packages/CommandNotFound/{,**/}__pycache__/*.cpython-@{int}.pyc.@{int} w,
 
   /usr/share/command-not-found/{,**} r,
 

apparmor.d/groups/apt/dpkg

@@ -23,13 +23,13 @@ profile dpkg @{exec_path} {
 
   @{sh_path}                 rix,
   @{bin}/cat                 rix,
-  @{bin}/rm          rix,
-
   @{bin}/deb-systemd-helper  rix,
   @{bin}/deb-systemd-invoke  rix,
+  @{bin}/rm                  rix,
+
   @{bin}/dpkg-deb                  rpx,
   @{bin}/dpkg-query                rpx,
-  @{bin}/dpkg-split  rPx,
+  @{bin}/dpkg-split                rpx,
   @{bin}/systemctl                 rCx -> systemctl,
   @{lib}/needrestart/dpkg-status   rPx,
   /usr/share/debian-security-support/check-support-status.hook rPx,
@@ -37,18 +37,10 @@ profile dpkg @{exec_path} {
   @{pager_path}      rPx -> child-pager,
 
   # Package maintainer's scripts
-  /var/lib/dpkg/info/*.{config,templates} rPUx,
+  /var/lib/dpkg/info/*.@{dpkg_script_ext} rPUx,
-  /var/lib/dpkg/info/*.{preinst,postinst} rPUx,
+  /var/lib/dpkg/info/*.control            r,
-  /var/lib/dpkg/info/*.{prerm,postrm}     rPUx,
+
-  /var/lib/dpkg/tmp.ci/{config,templates} rPUx,
+  /var/lib/dpkg/tmp.ci/@{dpkg_script_ext} rPUx,
-  /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
-  /var/lib/dpkg/tmp.ci/{prerm,postrm}     rPUx,
-  #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts,
-  #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
-  #/var/lib/dpkg/info/*.{prerm,postrm}     rCx -> scripts,
-  #/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts,
-  #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
-  #/var/lib/dpkg/tmp.ci/{prerm,postrm}     rCx -> scripts,
 
   # For shell pwd
   /root/ r,

apparmor.d/groups/children/child-dpkg

@@ -14,7 +14,7 @@ abi <abi/4.0>,
 include <tunables/global>
 
 @{exec_path} = @{bin}/dpkg
-profile child-dpkg {
+profile child-dpkg flags=(attach_disconnected) {
   include <abstractions/base>
   include <abstractions/consoles>
   include <abstractions/nameservice-strict>