# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/unattended-upgrade
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/common/apt>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.PackageKit>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>
  include <abstractions/python>

  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fsetid,
  capability kill,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_nice,

  network netlink raw,

  signal (send) peer=apt-methods-http,

  unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,

  @{exec_path} mr,

  @{bin}/ r,

  @{sh_path}                      rix,
  @{bin}/echo                     rix,
  @{bin}/gdbus                    rix,
  @{bin}/ischroot                 rix,
  @{python_path}                  rix,
  @{bin}/test                     rix,
  @{bin}/touch                    rix,
  @{bin}/uname                    rix,

  @{bin}/apt-listchanges          rPx,
  @{bin}/dpkg                     rPx,
  @{bin}/dpkg-divert              rPx,
  @{bin}/dpkg-preconfigure        rPx,
  @{bin}/etckeeper                rPx,
  @{bin}/lsb_release              rPx -> lsb_release,
  @{bin}/on_ac_power              rPx,
  @{bin}/sendmail                rPUx,
  @{lib}/apt/methods/http{,s}     rPx,
  @{lib}/needrestart/apt-pinvoke  rPx,
  @{lib}/update-notifier/update-motd-updates-available rPx,
  @{lib}/zsys-system-autosnapshot rPx,

  /usr/share/distro-info/* r,

  @{etc_ro}/login.defs r,
  @{etc_ro}/security/capability.conf r,
  /etc/apport/report-ignore/ r,
  /etc/apt/*.list r,
  /etc/apt/apt.conf.d/{,**} r,
  /etc/debian_version r,
  /etc/default/apport r,
  /etc/default/grub.d/* r,
  /etc/dpkg/origins/{,debian,ubuntu} r,
  /etc/fwupd/{,**} r,
  /etc/grub.d/* r,
  /etc/init.d/* r,
  /etc/issue{.net,} r,
  /etc/kernel/*.d/*grub* r,
  /etc/legal r,
  /etc/lsb-release r,
  /etc/machine-id r,
  /etc/pam.d/* r,
  /etc/pki/fwupd-metadata/{,**} r,
  /etc/pki/fwupd/{,**} r,
  /etc/profile.d/* r,
  /etc/update-manager/{,**} r,
  /etc/update-motd.d/* r,
  /etc/vmware-tools/* r,

  /var/log/unattended-upgrades/{,**} rw,

  /var/lib/apt/periodic/unattended-upgrades-stamp w,
  /var/lib/dpkg/lock rwk,
  /var/lib/dpkg/lock-frontend rwk,
  /var/lib/dpkg/updates/ r,
  /var/lib/update-notifier/dpkg-run-stamp rw,

  /var/cache/apt/{,**} rwk,
  /var/lib/apt/extended_states{,.*} rw,
  /var/lib/apt/lists/ rw,
  /var/lib/apt/lists/partial/ rw,
  /var/lib/apt/periodic/ w,
  /var/log/apt/{term,history}.log w,
  /var/log/apt/eipp.log.xz w,

        @{att}/@{run}/systemd/inhibit/@{int}.ref rw,
  owner @{run}/unattended-upgrades.lock rwk,
  owner @{run}/unattended-upgrades.pid rw,
  owner @{run}/unattended-upgrades.progress rw,

  owner @{tmp}/apt-dpkg-install-*/{,*} rw,

        @{PROC}/@{pid}/attr/current r,
        @{PROC}/@{pid}/cmdline r,
        @{PROC}/@{pid}/environ r,
        @{PROC}/@{pids}/mountinfo r,
        @{PROC}/@{pids}/stat r,
  owner @{PROC}/@{pids}/fd/ r,

  /dev/ptmx rw,

  include if exists <local/unattended-upgrade>
}

# vim:syntax=apparmor