# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # Copyright (C) 2022 Alexandre Pujol # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = /{usr/,}bin/dpkg profile dpkg @{exec_path} { include include # To set proper ownership/permissions of installed files. capability chown, capability fowner, capability fsetid, # These are needed because dpkg wants to read/write files from/to directories owned by different # users than root, for instance files in the /usr/share/polkit-1/ dir , which is owned by the # "polkitd" user with the "drwx------" permissions. capability dac_read_search, capability dac_override, # Needed? (##FIXME##) capability setgid, @{exec_path} mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/cat rix, /{usr/,}bin/rm rix, /{usr/,}bin/dpkg-deb rpx, /{usr/,}bin/dpkg-query rpx, /{usr/,}bin/dpkg-split rPx, /{usr/,}lib/needrestart/dpkg-status rPx, /usr/share/debian-security-support/check-support-status.hook rPx, /{usr/,}bin/pager rCx -> diff, /{usr/,}bin/less rCx -> diff, /{usr/,}bin/more rCx -> diff, /{usr/,}bin/diff rCx -> diff, /etc/dpkg/dpkg.cfg.d/{,*} r, /etc/dpkg/dpkg.cfg r, # Run the package maintainer's scripts # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#) # Move it to a child profile once more transitions will be available /var/lib/dpkg/ r, /var/lib/dpkg/** rwkl -> /var/lib/dpkg/**, /var/lib/dpkg/info/*.{config,templates} rPUx, /var/lib/dpkg/info/*.{preinst,postinst} rPUx, /var/lib/dpkg/info/*.{prerm,postrm} rPUx, /var/lib/dpkg/info/*.control r, /var/lib/dpkg/tmp.ci/{config,templates} rPUx, /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx, /var/lib/dpkg/tmp.ci/{prerm,postrm} rPUx, /var/lib/dpkg/tmp.ci/control r, #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts, #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts, #/var/lib/dpkg/info/*.{prerm,postrm} rCx -> scripts, #/var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts, #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts, #/var/lib/dpkg/tmp.ci/{prerm,postrm} rCx -> scripts, /var/log/dpkg.log w, /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw, # For shell pwd /root/ r, # Basically, dpkg needs R/W permissions to the following files since it installs them. # It also needs the L permission when a package is reinstalled. / r, /usr/ r, /usr/** rwl -> /usr/**, /lib/ r, /lib/** rwl -> /lib/** , # Fixme when more transitions will be available (#FIXME#) /lib{,32,64,x64}/ r, /lib{,32,64,x64}/** rwl, /bin/ r, /bin/* rwl -> /bin/*, /sbin/ r, /sbin/* rwl -> /sbin/*, /etc/ r, /etc/** rwl -> /etc/**, /boot/ r, /boot/** rwl -> /boot/**, /opt/ r, /opt/** rwl -> /opt/**, # Without backups/, cache/, log/, mail/, opt/, tmp/ . /var/lib/ r, /var/lib/** rwl -> /var/lib/**, /var/local/ r, /var/local/** rwl -> /var/local/**, /var/spool/ r, /var/spool/** rwl -> /var/spool/**, # Fixme when more transitions will be available (#FIXME#) /var/www/ r, /var/www/** rwl, # To create log and cache dirs /var/log/**/ rw, /var/cache/**/ rw, # To create dirs under var /var/*.dpkg-new/ rw, /var/*/ rw, owner /tmp/apt-dpkg-install-*/ r, @{run}/systemd/userdb/ r, owner @{PROC}/@{pid}/fd/ r, @{PROC}/sys/kernel/random/boot_id r, owner /dev/tty[0-9]* rw, profile diff { include include /{usr/,}bin/ r, /{usr/,}bin/pager mr, /{usr/,}bin/less mr, /{usr/,}bin/more mr, /{usr/,}bin/diff mr, /etc/** r, # Diff changed config files /root/ r, # For shell pwd owner @{HOME}/.lesshs* rw, } profile scripts { include /{usr/,}{s,}bin/ r, /{usr/,}{s,}bin/* rPUx, /var/lib/dpkg/info/*.config r, /var/lib/dpkg/info/*.{preinst,postinst} r, /var/lib/dpkg/info/*.{prerm,postrm} r, /var/lib/dpkg/tmp.ci/config r, /var/lib/dpkg/tmp.ci/{preinst,postinst} r, /var/lib/dpkg/tmp.ci/{prerm,postrm} r, } include if exists }