119 lines
3.2 KiB
Text
119 lines
3.2 KiB
Text
# apparmor.d - Full set of apparmor profiles
|
|
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
|
|
# Copyright (C) 2022 Jeroen Rijken
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
|
|
|
abi <abi/3.0>,
|
|
|
|
include <tunables/global>
|
|
|
|
@{exec_path} = @{bin}/unattended-upgrade
|
|
profile unattended-upgrade @{exec_path} flags=(attach_disconnected) {
|
|
include <abstractions/base>
|
|
include <abstractions/common/apt>
|
|
include <abstractions/bus-system>
|
|
include <abstractions/bus/org.freedesktop.login1>
|
|
include <abstractions/bus/org.freedesktop.NetworkManager>
|
|
include <abstractions/bus/org.freedesktop.PackageKit>
|
|
include <abstractions/consoles>
|
|
include <abstractions/nameservice-strict>
|
|
include <abstractions/python>
|
|
|
|
capability chown,
|
|
capability dac_override,
|
|
capability dac_read_search,
|
|
capability fsetid,
|
|
capability kill,
|
|
capability net_admin,
|
|
capability setgid,
|
|
capability setuid,
|
|
capability sys_nice,
|
|
|
|
network netlink raw,
|
|
|
|
signal (send) peer=apt-methods-http,
|
|
|
|
unix type=stream addr=@@{hex16}/bus/unattended-upgr/system,
|
|
|
|
@{exec_path} mr,
|
|
|
|
@{bin}/ r,
|
|
|
|
@{sh_path} rix,
|
|
@{bin}/echo rix,
|
|
@{bin}/gdbus rix,
|
|
@{bin}/ischroot rix,
|
|
@{bin}/python3.@{int} rix,
|
|
@{bin}/test rix,
|
|
@{bin}/touch rix,
|
|
@{bin}/uname rix,
|
|
|
|
@{bin}/apt-listchanges rPx,
|
|
@{bin}/dpkg rPx,
|
|
@{bin}/dpkg-preconfigure rPx,
|
|
@{bin}/etckeeper rPx,
|
|
@{bin}/lsb_release rPx -> lsb_release,
|
|
@{bin}/on_ac_power rPx,
|
|
@{bin}/sendmail rPUx,
|
|
@{lib}/apt/methods/http{,s} rPx,
|
|
@{lib}/needrestart/apt-pinvoke rPx,
|
|
@{lib}/update-notifier/update-motd-updates-available rPx,
|
|
@{lib}/zsys-system-autosnapshot rPx,
|
|
|
|
/usr/share/distro-info/* r,
|
|
|
|
/etc/apt/*.list r,
|
|
/etc/apt/apt.conf.d/{,**} r,
|
|
/etc/debian_version r,
|
|
/etc/default/grub.d/* r,
|
|
/etc/dpkg/origins/{,debian,ubuntu} r,
|
|
/etc/fwupd/{,**} r,
|
|
/etc/grub.d/* r,
|
|
/etc/init.d/* r,
|
|
/etc/issue{.net,} r,
|
|
/etc/kernel/*.d/*grub* r,
|
|
/etc/legal r,
|
|
/etc/lsb-release r,
|
|
/etc/machine-id r,
|
|
/etc/pam.d/* r,
|
|
/etc/pki/fwupd-metadata/{,**} r,
|
|
/etc/pki/fwupd/{,**} r,
|
|
/etc/profile.d/* r,
|
|
/etc/security/capability.conf r,
|
|
/etc/update-manager/{,**} r,
|
|
/etc/update-motd.d/* r,
|
|
/etc/vmware-tools/* r,
|
|
|
|
/var/log/unattended-upgrades/{,**} rw,
|
|
|
|
/var/lib/apt/periodic/unattended-upgrades-stamp w,
|
|
/var/lib/dpkg/lock rwk,
|
|
/var/lib/dpkg/lock-frontend rwk,
|
|
/var/lib/dpkg/updates/ r,
|
|
/var/lib/update-notifier/dpkg-run-stamp rw,
|
|
|
|
/var/cache/apt/{,**} rwk,
|
|
/var/lib/apt/extended_states{,.*} rw,
|
|
/var/lib/apt/lists/ rw,
|
|
/var/lib/apt/lists/partial/ rw,
|
|
/var/lib/apt/periodic/ w,
|
|
/var/log/apt/{term,history}.log w,
|
|
/var/log/apt/eipp.log.xz w,
|
|
|
|
@{run}/systemd/inhibit/@{int}.ref rw,
|
|
owner @{run}/unattended-upgrades.lock rwk,
|
|
owner @{run}/unattended-upgrades.pid rw,
|
|
owner @{run}/unattended-upgrades.progress rw,
|
|
|
|
owner @{tmp}/apt-dpkg-install-*/{,*} rw,
|
|
|
|
@{PROC}/@{pids}/mountinfo r,
|
|
@{PROC}/@{pids}/stat r,
|
|
owner @{PROC}/@{pids}/fd/ r,
|
|
|
|
/dev/ptmx rw,
|
|
|
|
include if exists <local/unattended-upgrade>
|
|
}
|
|
|
|
# vim:syntax=apparmor
|