# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2022 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = @{bin}/ucf profile ucf @{exec_path} flags=(complain) { include include @{exec_path} r, @{bin}/{,ba,da}sh rix, @{bin}/{,e}grep rix, @{bin}/basename rix, @{bin}/cat rix, @{bin}/cp rix, @{bin}/dirname rix, @{bin}/{m,g,}awk rix, @{bin}/getopt rix, @{bin}/id rix, @{bin}/md5sum rix, @{bin}/mkdir rix, @{bin}/mv rix, @{bin}/perl rix, @{bin}/readlink rix, @{bin}/rm rix, @{bin}/sed rix, @{bin}/seq rix, @{bin}/stat rix, @{bin}/tr rix, @{bin}/which{,.debianutils} rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. @{bin}/dpkg-query rpx, # @{bin}/dpkg-divert rPx, @{bin}/sensible-pager rCx -> pager, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, #/usr/share/debconf/frontend rCx -> frontend, /etc/ucf.conf r, /var/lib/ucf/** rw, owner /tmp/* rw, /etc/default/* rw, # For md5sum /etc/** r, /usr/share/** r, @{run}/** r, # For writing new config files /etc/** rw, /usr/share/debconf/confmodule r, # For shell pwd / r, /root/ r, profile pager flags=(complain) { include include @{bin}/ r, @{bin}/sensible-pager mr, # For shell pwd /root/ r, } profile frontend flags=(complain) { include include include include /usr/share/debconf/frontend r, @{bin}/perl r, @{bin}/ucf rPx, @{bin}/{,ba,da}sh rix, @{bin}/stty rix, @{bin}/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, # The following is needed when debconf uses GUI frontends. include include include include capability dac_read_search, @{bin}/lsb_release rPx -> lsb_release, @{bin}/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, } include if exists }