# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = @{bin}/check-support-status
profile check-support-status @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

  @{exec_path} rix,
  @{bin}/{,ba,da}sh rix,

  @{bin}/           r,
  @{bin}/gettext.sh r,
  @{bin}/cat        rix,
  @{bin}/{,e}grep   rix,
  @{bin}/cut        rix,
  @{bin}/date       rix,
  @{bin}/getopt     rix,
  @{bin}/fold       rix,
  @{bin}/mktemp     rix,
  @{bin}/rm         rix,
  @{bin}/comm       rix,
  @{bin}/mkdir      rix,
  @{bin}/mv         rix,
  @{bin}/find       rix,
  @{bin}/wc         rix,
  @{bin}/basename   rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/sort       rix,
  @{bin}/head       rix,
  @{bin}/gettext    rix,
  @{bin}/sed        rix,
  @{bin}/envsubst   rix,
  @{bin}/dirname    rix,

  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
  #  shared object file): ignored.
  @{bin}/dpkg-query rpx,

  @{bin}/dpkg       rPx -> child-dpkg,

  @{bin}/debconf-escape rCx -> debconf-escape,

  /etc/debian_version r,

  # For shell pwd
  / r,
  owner @{HOME}/ r,

        /tmp/ r,
  owner /tmp/debian-security-support.*/{,**} rw,
        /tmp/debian-security-support.postinst.*/output w,

        /var/lib/debian-security-support/ r,
  owner /var/lib/debian-security-support/security-support.semaphore rw,
  owner /var/lib/debian-security-support/tmp.* rw,

  /usr/share/debian-security-support/ r,
  /usr/share/debian-security-support/* r,


  profile debconf-escape {
    include <abstractions/base>
    include <abstractions/perl>

    @{bin}/debconf-escape r,
    @{bin}/perl r,

    owner /tmp/debian-security-support.postinst.*/output r,

  }

  include if exists <local/check-support-status>
}