From cd619d280a5ba23537114e74ed8fa4c294e00559 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Sat, 21 Jun 2025 19:44:43 +0200
Subject: [PATCH] feat(profile): update apt profiles.

---
 apparmor.d/groups/apt/apt-methods-http    |  3 ++-
 apparmor.d/groups/apt/dpkg-script-systemd |  5 +++++
 apparmor.d/groups/apt/dpkg-scripts        | 11 +++++++++++
 apparmor.d/groups/apt/dpkg-statoverride   |  1 +
 apparmor.d/groups/apt/unattended-upgrade  |  2 +-
 5 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/apparmor.d/groups/apt/apt-methods-http b/apparmor.d/groups/apt/apt-methods-http
index 7fb3a2cc4..61be160dc 100644
--- a/apparmor.d/groups/apt/apt-methods-http
+++ b/apparmor.d/groups/apt/apt-methods-http
@@ -71,7 +71,8 @@ profile apt-methods-http @{exec_path} flags=(attach_disconnected) {
   owner @{tmp}/aptitude-root.*/aptitude-download-* rw,
   owner @{tmp}/apt-changelog-*/*.changelog rw,
 
-  @{run}/ubuntu-advantage/aptnews.json rw,
+        @{run}/ubuntu-advantage/aptnews.json rw,
+  owner @{run}/ubuntu-advantage/apt-news/aptnews.json rw,
 
   @{PROC}/1/cgroup r,
   @{PROC}/@{pid}/cgroup r,
diff --git a/apparmor.d/groups/apt/dpkg-script-systemd b/apparmor.d/groups/apt/dpkg-script-systemd
index 8ca92515c..722e72c53 100644
--- a/apparmor.d/groups/apt/dpkg-script-systemd
+++ b/apparmor.d/groups/apt/dpkg-script-systemd
@@ -42,8 +42,13 @@ profile dpkg-script-systemd @{exec_path} {
     include <abstractions/base>
     include <abstractions/common/apt>
 
+    capability dac_read_search,
+
     @{bin}/dpkg mr,
 
+    /etc/dpkg/dpkg.cfg r,
+    /etc/dpkg/dpkg.cfg.d/{,*} r,
+
     include if exists <local/dpkg-script-systemd_dpkg>
   }
 
diff --git a/apparmor.d/groups/apt/dpkg-scripts b/apparmor.d/groups/apt/dpkg-scripts
index 3102b23bb..e16d25bf2 100644
--- a/apparmor.d/groups/apt/dpkg-scripts
+++ b/apparmor.d/groups/apt/dpkg-scripts
@@ -58,7 +58,12 @@ profile dpkg-scripts @{exec_path} {
   / r,
   /*/ r,
   @{bin}/ r,
+  @{bin}/* w,
   @{lib}/ r,
+  @{lib}/@{python_name}/**/__pycache__/ w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc w,
+  @{lib}/@{python_name}/**/__pycache__/**.pyc.@{u64} w,
+
   /etc/ r,
   /etc/** rw,
   /usr/share/*/{,**} rw,
@@ -71,6 +76,8 @@ profile dpkg-scripts @{exec_path} {
   /tmp/sed@{rand6} rw,
   /tmp/tmp.@{rand10} rw,
 
+  @{PROC}/@{pid}/fd/ r,
+
   profile bus {
     include <abstractions/base>
     include <abstractions/app/bus>
@@ -104,6 +111,10 @@ profile dpkg-scripts @{exec_path} {
     @{bin}/systemd-tty-ask-password-agent  Px,
     @{pager_path}                          Px -> child-pager,
 
+    /etc/machine-id r,
+
+    /var/lib/systemd/catalog/database r,
+
     /{run,var}/log/journal/ r,
     /{run,var}/log/journal/@{hex32}/ r,
     /{run,var}/log/journal/@{hex32}/system.journal* r,
diff --git a/apparmor.d/groups/apt/dpkg-statoverride b/apparmor.d/groups/apt/dpkg-statoverride
index 34d6412c1..d2e02f613 100644
--- a/apparmor.d/groups/apt/dpkg-statoverride
+++ b/apparmor.d/groups/apt/dpkg-statoverride
@@ -9,6 +9,7 @@ include <tunables/global>
 @{exec_path} = @{bin}/dpkg-statoverride
 profile dpkg-statoverride @{exec_path} flags=(complain) {
   include <abstractions/base>
+  include <abstractions/nameservice-strict>
 
   @{exec_path} mr,
 
diff --git a/apparmor.d/groups/apt/unattended-upgrade b/apparmor.d/groups/apt/unattended-upgrade
index c2d94e25a..fa6929f35 100644
--- a/apparmor.d/groups/apt/unattended-upgrade
+++ b/apparmor.d/groups/apt/unattended-upgrade
@@ -101,7 +101,7 @@ profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
   /var/crash/*.crash w,
 
   /var/lib/apt/periodic/unattended-upgrades-stamp w,
-  /var/lib/dpkg/info/ r,
+  /var/lib/dpkg/info/{,*} r,
   /var/lib/dpkg/lock rwk,
   /var/lib/dpkg/lock-frontend rwk,
   /var/lib/dpkg/updates/ r,