# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/popularity-contest
profile popularity-contest @{exec_path} {
  include <abstractions/base>
  include <abstractions/perl>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability setgid,
  capability setuid, # For popularity-contest --su-nobody
  capability sys_ptrace,

  ptrace (read),

  @{exec_path} r,

  @{sh_path}         rix,
  @{bin}/env         rix,

  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
  #  shared object file): ignored.
  @{bin}/dpkg-query  rpx,
  @{bin}/dpkg        rPx -> child-dpkg,
  @{bin}/dpkg-divert rPx -> child-dpkg-divert,

  /etc/popularity-contest.conf r,
  /etc/dpkg/origins/debian r,
  /etc/shadow r,

  /root/ r, # For shell pwd

  /var/lib/ r,
  /var/lib/dpkg/info/{,*.list} r,
  /var/log/ r,
  /var/log/popularity-contest.@{int} w,
  /var/log/popularity-contest.new w,

  owner @{tmp}/#@{int} rw,

  @{PROC}/ r,

  include if exists <local/popularity-contest>
}

# vim:syntax=apparmor