# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}bin/update-manager
profile update-manager @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/apt-common>
  include <abstractions/consoles>
  include <abstractions/dbus-network-manager-strict>
  include <abstractions/dbus-session-strict>
  include <abstractions/dbus-strict>
  include <abstractions/dconf-write>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/nameservice-strict>
  include <abstractions/openssl>
  include <abstractions/python>
  include <abstractions/ssl_certs>
  include <abstractions/wayland>

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,

  signal (send) peer=apt-methods-http,

  dbus (send,receive) bus=system path=/org/debian/apt{,/transaction/*}
       interface={org.debian{,.apt*},org.freedesktop.DBus.{Introspectable,Properties}}
       member={CommitPackages,Run,PropertyChanged,Introspect,Set,GetAll,UpdateCache},

  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member=StartServiceByName,

  dbus send bus=system path=/org/freedesktop/NetworkManager{,/ActiveConnection/[0-9]*,/Devices/[0-9]*}
       interface=org.freedesktop.DBus.{Properties,Introspectable}
       member={Introspect,Get},

  dbus send bus=system path=/org/freedesktop/UPower
       interface=org.freedesktop.DBus.{Properties,Introspectable}
       member={Get,Introspect},

  dbus send bus=system path=/org/freedesktop/login[0-9]
       interface=org.freedesktop.login[0-9].Manager
       member=Inhibit,

  dbus receive bus=system path=/org/freedesktop/NetworkManager
       interface=org.freedesktop.NetworkManager
       member=StateChanged,

  @{exec_path} mr,

  /{usr/,}bin/dpkg                     rPx -> child-dpkg,
  /{usr/,}bin/hwe-support-status       rPx,
  /{usr/,}bin/ischroot                 rix,
  /{usr/,}bin/lsb_release              rPx -> lsb_release,
  /{usr/,}bin/snap                    rPUx,
  /{usr/,}bin/software-properties-gtk  rPx,
  /{usr/,}bin/uname                    rix,
  /{usr/,}lib/apt/methods/http{,s}     rPx,

  /usr/share/distro-info/{,**} r,
  /usr/share/themes/{,**} r,
  /usr/share/ubuntu-release-upgrader/{,**} r,
  /usr/share/update-manager/{,**} r,
  /usr/share/X11/{,**} r,

  /etc/gtk-3.0/settings.ini r,
  /etc/machine-id r,
  /etc/update-manager/{,**} r,

  /boot/ r,

  /var/lib/dpkg/info/*.list r,
  /var/lib/dpkg/updates/ r,
  /var/lib/snapd/desktop/applications/{,mimeinfo.cache} r,
  /var/lib/snapd/desktop/icons/{,*} r,
  /var/lib/update-manager/{,**} rw,

  owner @{user_cache_dirs}/update-manager-core/{,**} rw,

  @{run}/systemd/inhibit/*.ref w,

  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,
        @{PROC}/@{pids}/mountinfo r,

  /dev/ptmx rw,

  deny owner @{user_share_dirs}/gvfs-metadata/{,*} r,

  include if exists <local/update-manager>
}