felipe/apparmor.d
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
apparmor.d/apparmor.d/groups/apt/unattended-upgrade
Alexandre Pujol 4609595c26
refractor(abs): common/apt -> apt.
2025-09-14 15:34:04 +02:00

143 lines
4 KiB
Text
Raw Blame History

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only
abi <abi/4.0>,
include <tunables/global>
@{exec_path} = @{bin}/unattended-upgrade
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
include <abstractions/base>
include <abstractions/apt>
include <abstractions/bus-system>
include <abstractions/bus/org.freedesktop.login1>
include <abstractions/bus/org.freedesktop.NetworkManager>
include <abstractions/bus/org.freedesktop.PackageKit>
include <abstractions/consoles>
include <abstractions/nameservice-strict>
include <abstractions/perl>
include <abstractions/python>
capability chown,
capability dac_override,
capability dac_read_search,
capability fsetid,
capability kill,
capability net_admin,
capability setgid,
capability setuid,
capability sys_nice,
network inet dgram,
network inet6 dgram,
network netlink raw,
signal send peer=apt-methods-http,
unix type=stream addr=@@{udbus}/bus/unattended-upgr/system,
#aa:dbus own bus=system name=com.ubuntu.UnattendedUpgrade
@{exec_path} mr,
@{bin}/ r,
@{sh_path} rix,
@{python_path} rix,
@{bin}/echo ix,
@{bin}/gdbus ix,
@{bin}/md5sum ix,
@{bin}/tar ix,
@{bin}/test ix,
@{bin}/touch ix,
@{bin}/uname ix,
@{bin}/apt-listchanges Px,
@{bin}/df Px,
@{bin}/dmesg Px,
@{bin}/dpkg Px,
@{bin}/dpkg-deb px,
@{bin}/dpkg-divert Px,
@{bin}/etckeeper Px,
@{bin}/ischroot Px,
@{bin}/lsb_release Px,
@{sbin}/dpkg-preconfigure Px,
@{sbin}/on_ac_power Px,
@{sbin}/sendmail Px,
@{lib}/apt/methods/http{,s} Px,
@{lib}/needrestart/apt-pinvoke Px,
@{lib}/update-notifier/update-motd-updates-available Px,
@{lib}/zsys-system-autosnapshot Px,
/usr/share/distro-info/* r,
/usr/share/dbus-1/interfaces/*UnattendedUpgrade*.xml r,
@{etc_ro}/login.defs r,
@{etc_ro}/security/capability.conf r,
/etc/apport/report-ignore/{,**} r,
/etc/apt/*.list r,
/etc/apt/apt.conf.d/{,**} r,
/etc/debian_version r,
/etc/default/{,**} r,
/etc/dpkg/origins/{,debian,ubuntu} r,
/etc/fwupd/{,**} r,
/etc/grub.d/* r,
/etc/init.d/* r,
/etc/issue{.net,} r,
/etc/kernel/*.d/*grub* r,
/etc/legal r,
/etc/lsb-release r,
/etc/machine-id r,
/etc/pam.d/* r,
/etc/pki/fwupd-metadata/{,**} r,
/etc/pki/fwupd/{,**} r,
/etc/profile.d/* r,
/etc/ssh/moduli r,
@{etc_ro}/ssh/sshd_config r,
@{etc_ro}/ssh/sshd_config.d/{,*} r,
/etc/ufw/{,**} r,
/etc/update-manager/{,**} r,
/etc/update-motd.d/{,**} r,
/etc/vim/{,**} r,
/etc/vmware-tools/{,**} r,
/var/log/unattended-upgrades/{,**} rw,
/var/crash/*.crash rw,
/var/lib/apt/periodic/unattended-upgrades-stamp w,
/var/lib/dpkg/info/{,*} r,
/var/lib/dpkg/lock rwk,
/var/lib/dpkg/lock-frontend rwk,
/var/lib/dpkg/updates/ r,
/var/lib/update-notifier/dpkg-run-stamp rw,
/var/cache/apt/{,**} rwk,
/var/lib/apt/extended_states{,.*} rw,
/var/lib/apt/lists/ rw,
/var/lib/apt/lists/partial/ rw,
/var/lib/apt/periodic/ w,
/var/log/apt/*.log* rw,
@{att}/@{run}/systemd/inhibit/@{int}.ref rw,
owner @{run}/unattended-upgrades.lock rwk,
owner @{run}/unattended-upgrades.pid rw,
owner @{run}/unattended-upgrades.progress rw,
owner @{tmp}/apt-dpkg-install-*/{,*} rw,
@{PROC}/@{pid}/attr/current r,
@{PROC}/@{pid}/cmdline r,
@{PROC}/@{pid}/environ r,
@{PROC}/@{pid}/mounts r,
@{PROC}/@{pids}/mountinfo r,
@{PROC}/@{pids}/stat r,
owner @{PROC}/@{pids}/fd/ r,
/dev/ptmx rw,
include if exists <local/unattended-upgrade>
}
# vim:syntax=apparmor
Reference in a new issue View git blame Copy permalink