feat(profile): update apt profiles.

2025-06-21 19:44:43 +02:00 · 2025-06-21 19:44:43 +02:00 · cd619d280a
commit cd619d280a
parent ea45cec24d
5 changed files with 20 additions and 2 deletions
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@ -71,7 +71,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
  owner @{tmp}/aptitude-root.*/aptitude-download-* rw,
  owner @{tmp}/apt-changelog-*/*.changelog rw,

-  @{run}/ubuntu-advantage/aptnews.json rw,
+        @{run}/ubuntu-advantage/aptnews.json rw,
+  owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw,

  @{PROC}/1/cgroup r,
  @{PROC}/@{pid}/cgroup r,
--- a/apparmor.d/groups/apt/dpkg-script-systemd
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
@ -42,8 +42,13 @@ profile dpkg-script-systemd @{exec_path} {
    include <abstractions/base>
    include <abstractions/common/apt>

+    capability dac_read_search,
+
    @{bin}/dpkg mr,

+    /etc/dpkg/dpkg.cfg r,
+    /etc/dpkg/dpkg.cfg.d/{,*} r,
+
    include if exists <local/dpkg-script-systemd_dpkg>
  }

--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@ -58,7 +58,12 @@ profile dpkg-scripts @{exec_path} {
  / r,
  /*/ r,
  @{bin}/ r,
+  @{bin}/* w,
  @{lib}/ r,
+  @{lib}/@{python_name}/**/__pycache__/ w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w,
+
  /etc/ r,
  /etc/** rw,
  /usr/share/*/{,**} rw,
@ -71,6 +76,8 @@ profile dpkg-scripts @{exec_path} {
  /tmp/sed@{rand6} rw,
  /tmp/tmp.@{rand10} rw,

+  @{PROC}/@{pid}/fd/ r,
+
  profile bus {
    include <abstractions/base>
    include <abstractions/app/bus>
@ -104,6 +111,10 @@ profile dpkg-scripts @{exec_path} {
    @{bin}/systemd-tty-ask-password-agent  Px,
    @{pager_path}                          Px -> child-pager,

+    /etc/machine-id r,
+
+    /var/lib/systemd/catalog/database r,
+
    /{run,var}/log/journal/ r,
    /{run,var}/log/journal/@{hex32}/ r,
    /{run,var}/log/journal/@{hex32}/system.journal* r,
--- a/apparmor.d/groups/apt/dpkg-statoverride
+++ b/apparmor.d/groups/apt/dpkg-statoverride
@ -9,6 +9,7 @@ include <tunables/global>
@{exec_path} = @{bin}/dpkg-statoverride
 profile dpkg-statoverride @{exec_path} flags=(complain) {
  include <abstractions/base>
+  include <abstractions/nameservice-strict>

  @{exec_path} mr,

--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@ -101,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  /var/crash/*.crash w,

  /var/lib/apt/periodic/unattended-upgrades-stamp w,
-  /var/lib/dpkg/info/ r,
+  /var/lib/dpkg/info/{,*} r,
  /var/lib/dpkg/lock rwk,
  /var/lib/dpkg/lock-frontend rwk,
  /var/lib/dpkg/updates/ r,