update apparmor profiles

Co-authored-by: Mikhail Morfikov <mmorfikov@gmail.com>
Signed-off-by: Alexandre Pujol <alexandre@pujol.io>

apparmor.d/groups/apt/apt-listbugs

@@ -23,21 +23,25 @@ profile apt-listbugs @{exec_path} {
   network netlink raw,
 
   @{exec_path} r,
-  /{usr/,}bin/ruby2.[0-9]* rix,
+  /{usr/,}bin/ruby[0-9].[0-9]* rix,
 
-  /{usr/,}bin/{,ba,da}sh   rix,
-  /{usr/,}bin/logname      rix,
+  /{usr/,}bin/{,ba,da}sh       rix,
+  /{usr/,}bin/logname          rix,
 
-  /{usr/,}bin/apt-config   rPx,
+  /{usr/,}bin/apt-config       rPx,
   # Do not strip env to avoid errors like the following:
   #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
   #  shared object file): ignored.
-  /{usr/,}bin/dpkg-query   rpx,
+  /{usr/,}bin/dpkg-query       rpx,
 
   /usr/local/lib/site_ruby/[0-9].[0-9].[0-9]/**.rb r,
 
   /usr/share/rubygems-integration/*/specifications/ r,
-  /usr/share/rubygems-integration/*/specifications/* r,
+  /usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
+
+  /{usr/,}lib/ruby/gems/*/specifications/ r,
+  /{usr/,}lib/ruby/gems/*/specifications/** r,
+  /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk,
 
   /etc/apt/listbugs/{,*} r,
 

apparmor.d/groups/apt/apt-listbugs-migratepins

@@ -13,10 +13,14 @@ profile apt-listbugs-migratepins @{exec_path} {
   include <abstractions/ruby>
 
   @{exec_path} r,
-  /{usr/,}bin/ruby2.[0-9]* rix,
+  /{usr/,}bin/ruby[0-9].[0-9]* rix,
 
   /usr/share/rubygems-integration/*/specifications/ r,
-  /usr/share/rubygems-integration/*/specifications/* r,
+  /usr/share/rubygems-integration/*/specifications/*.gemspec rwk,
+
+  /{usr/,}lib/ruby/gems/*/specifications/ r,
+  /{usr/,}lib/ruby/gems/*/specifications/** r,
+  /{usr/,}lib/ruby/gems/*/specifications/**.gemspec rwk,
 
   /etc/apt/preferences r,
 

apparmor.d/groups/apt/apt-listbugs-prefclean

@@ -13,7 +13,7 @@ profile apt-listbugs-prefclean @{exec_path} {
   include <abstractions/ruby>
 
   @{exec_path} r,
-  /{usr/,}bin/ruby2.[0-9]* rix,
+  /{usr/,}bin/ruby[0-9].[0-9]* rix,
 
   /{usr/,}bin/date rix,
   /{usr/,}bin/cat rix,

apparmor.d/groups/apt/apt-listchanges

@@ -79,6 +79,7 @@ profile apt-listchanges @{exec_path} {
     include <abstractions/base>
     include <abstractions/consoles>
 
+    capability dac_read_search,
     #capability sys_tty_config,
 
     /{usr/,}bin/sensible-pager mr,

apparmor.d/groups/apt/querybts

@@ -18,7 +18,6 @@ profile querybts @{exec_path} {
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
   include <abstractions/apt-common>
-  include <abstractions/deny-root-dir-access>
 
   network inet dgram,
   network inet6 dgram,

apparmor.d/groups/apt/reportbug

@@ -19,8 +19,6 @@ profile reportbug @{exec_path} {
   include <abstractions/enchant>
   include <abstractions/python>
   include <abstractions/apt-common>
-  include <abstractions/deny-root-dir-access>
-  include <abstractions/deny-dconf>
 
   network inet dgram,
   network inet6 dgram,
@@ -65,6 +63,10 @@ profile reportbug @{exec_path} {
   /{usr/,}bin/run-parts        rCx -> run-parts,
   /{usr/,}bin/gpg              rCx -> gpg,
 
+  include <abstractions/dconf>
+  owner @{run}/user/@{uid}/dconf/ rw,
+  owner @{run}/user/@{uid}/dconf/user rw,
+
   # For sending additional information
   /etc/** r,
 

apparmor.d/groups/apt/synaptic

@@ -16,7 +16,6 @@ profile synaptic @{exec_path} {
   include <abstractions/freedesktop.org>
   include <abstractions/apt-common>
   include <abstractions/nameservice-strict>
-  include <abstractions/deny-dconf>
 
   # To remove the following errors:
   #  W: chmod 0700 of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory