felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/groups/apt/unattended-upgrade
Alexandre Pujol 00327dfae1
feat(profile): minor improvements.
2025-05-17 18:38:48 +02:00

129 lines
3.5 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/unattended-upgrade
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.PackageKit>
include <abstractions/common/apt>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/perl>
include <abstractions/python>
capability chown,
capability dac_override,
capability dac_read_search,
capability fsetid,
capability kill,
capability net_admin,
capability setgid,
capability setuid,
capability sys_nice,
network netlink raw,
signal (send) peer=apt-methods-http,
unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
@{exec_path} mr,
@{bin}/ r,
@{sh_path} rix,
@{bin}/echo rix,
@{bin}/gdbus rix,
@{bin}/ischroot rix,
@{python_path} rix,
@{bin}/test rix,
@{bin}/touch rix,
@{bin}/uname rix,
@{bin}/apt-listchanges rPx,
@{bin}/dpkg rPx,
@{bin}/dpkg-divert rPx,
@{sbin}/dpkg-preconfigure rPx,
@{bin}/etckeeper rPx,
@{bin}/lsb_release rPx -> lsb_release,
@{sbin}/on_ac_power rPx,
@{sbin}/sendmail rPUx,
@{lib}/apt/methods/http{,s} rPx,
@{lib}/needrestart/apt-pinvoke rPx,
@{lib}/update-notifier/update-motd-updates-available rPx,
@{lib}/zsys-system-autosnapshot rPx,
/usr/share/distro-info/* r,
@{etc_ro}/login.defs r,
@{etc_ro}/security/capability.conf r,
/etc/apport/report-ignore/{,**} r,
/etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r,
/etc/debian_version r,
/etc/default/apport r,
/etc/default/grub.d/* r,
/etc/dpkg/origins/{,debian,ubuntu} r,
/etc/fwupd/{,**} r,
/etc/grub.d/* r,
/etc/init.d/* r,
/etc/issue{.net,} r,
/etc/kernel/*.d/*grub* r,
/etc/legal r,
/etc/lsb-release r,
/etc/machine-id r,
/etc/pam.d/* r,
/etc/pki/fwupd-metadata/{,**} r,
/etc/pki/fwupd/{,**} r,
/etc/profile.d/* r,
/etc/update-manager/{,**} r,
/etc/update-motd.d/* r,
/etc/vmware-tools/* r,
/var/log/unattended-upgrades/{,**} rw,
/var/crash/*.crash w,
/var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/info/ r,
/var/lib/dpkg/lock rwk,
/var/lib/dpkg/lock-frontend rwk,
/var/lib/dpkg/updates/ r,
/var/lib/update-notifier/dpkg-run-stamp rw,
/var/cache/apt/{,**} rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/lib/apt/lists/ rw,
/var/lib/apt/lists/partial/ rw,
/var/lib/apt/periodic/ w,
/var/log/apt/{term,history}.log w,
/var/log/apt/eipp.log.xz w,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
owner @{run}/unattended-upgrades.lock rwk,
owner @{run}/unattended-upgrades.pid rw,
owner @{run}/unattended-upgrades.progress rw,
owner @{tmp}/apt-dpkg-install-*/{,*} rw,
@{PROC}/@{pid}/attr/current r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/environ r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/fd/ r,
/dev/ptmx rw,
include if exists <local/unattended-upgrade>
}
# vim:syntax=apparmor
Reference in a new issue View git blame Copy permalink