From 3960f20f00a0e53bada503210f6809e0caff247a Mon Sep 17 00:00:00 2001
From: Alexandre Pujol <alexandre@pujol.io>
Date: Thu, 21 Nov 2024 19:39:55 +0000
Subject: [PATCH] feat(profile): add needrestart-vmlinuz-get-version & tests
 for needrestart.

---
 apparmor.d/profiles-m-r/needrestart           | 11 ++++--
 .../needrestart-vmlinuz-get-version           | 30 ++++++++++++++++
 tests/bats/needrestart.bats                   | 34 +++++++++++++++++++
 3 files changed, 73 insertions(+), 2 deletions(-)
 create mode 100644 apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
 create mode 100644 tests/bats/needrestart.bats

diff --git a/apparmor.d/profiles-m-r/needrestart b/apparmor.d/profiles-m-r/needrestart
index 37a1c90a..f5722ed3 100644
--- a/apparmor.d/profiles-m-r/needrestart
+++ b/apparmor.d/profiles-m-r/needrestart
@@ -35,11 +35,11 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
   @{bin}/stty                              rix,
   @{bin}/systemctl                         rCx -> systemctl,
   @{bin}/systemd-detect-virt               rPx,
-  @{bin}/udevadm                           rPx,
+  @{bin}/udevadm                           rCx -> udevadm,
   @{bin}/unix_chkpwd                       rPx,
   @{bin}/whiptail                          rPx,
   @{bin}/who                               rix,
-  @{lib}/needrestart/iucode-scan-versions  rPx,
+  @{lib}/needrestart/*                     rPx,
   /usr/share/debconf/frontend              rix,
 
   @{bin}/networkd-dispatcher r,
@@ -88,6 +88,13 @@ profile needrestart @{exec_path} flags=(attach_disconnected) {
     include if exists <local/needrestart_systemctl>
   }
 
+  profile udevadm {
+    include <abstractions/base>
+    include <abstractions/app/udevadm>
+
+    include if exists <local/needrestart_udevadm>
+  }
+
   include if exists <local/needrestart>
 }
 
diff --git a/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
new file mode 100644
index 00000000..f7e9d76a
--- /dev/null
+++ b/apparmor.d/profiles-m-r/needrestart-vmlinuz-get-version
@@ -0,0 +1,30 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/4.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{lib}/needrestart/vmlinuz-get-version
+profile needrestart-vmlinuz-get-version @{exec_path} {
+  include <abstractions/base>
+  include <abstractions/consoles>
+
+  @{exec_path} mr,
+
+  @{sh_path}                   rix,
+  @{bin}/grep                  rix,
+  @{bin}/mktemp                rix,
+  @{bin}/rm                    rix,
+  @{bin}/tr                    rix,
+  @{bin}/which{,.debianutils}  rix,
+
+  /boot/vmlinuz* r,
+
+  owner @{tmp}/tmp.@{rand10} rw,
+
+  include if exists <local/needrestart-vmlinuz-get-version>
+}
+
+# vim:syntax=apparmor
diff --git a/tests/bats/needrestart.bats b/tests/bats/needrestart.bats
new file mode 100644
index 00000000..4676b36a
--- /dev/null
+++ b/tests/bats/needrestart.bats
@@ -0,0 +1,34 @@
+#!/usr/bin/env bats
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2024 Alexandre Pujol <alexandre@pujol.io>
+# SPDX-License-Identifier: GPL-2.0-only
+
+load common
+
+@test "needrestart: List outdated processes" {
+    needrestart
+}
+
+@test "needrestart: Interactively restart services" {
+    sudo needrestart
+}
+
+@test "needrestart: List outdated processes in verbose mode" {
+    needrestart -v
+}
+
+@test "needrestart: Check if the kernel is outdated" {
+    needrestart -k
+}
+
+@test "needrestart: Check if the CPU microcode is outdated" {
+    needrestart -w
+}
+
+@test "needrestart: List outdated processes in batch mode" {
+    needrestart -b
+}
+
+@test "needrestart: Display help" {
+    needrestart --help
+}