feat(profiles): rewrite dpkg profile.

apparmor.d/groups/apt/apt-cdrom

@@ -29,7 +29,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
   @{sys}/class/ r,
   @{sys}/class/*/ r,
   @{sys}/devices/**/uevent r,
-  @{run}/udev/data/* r,
+  # @{run}/udev/data/* r,
 
   # For cd-roms
   /media/cdrom[0-9]/ r,
@@ -64,6 +64,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
 
     /media/cdrom[0-9]/ r,
 
+    include if exists <local/apt-cdrom_mount>
   }
 
   profile umount flags=(complain) {
@@ -81,6 +82,7 @@ profile apt-cdrom @{exec_path} flags=(complain) {
     umount /media/*/,
     umount /media/*/*/,
 
+    include if exists <local/apt-cdrom_umount>
   }
 
   include if exists <local/apt-cdrom>

apparmor.d/groups/apt/apt-forktracer

@@ -22,17 +22,16 @@ profile apt-forktracer @{exec_path} {
   /usr/share/apt-forktracer/{,**} r,
   /usr/share/distro-info/debian.csv r,
 
-  /var/lib/dbus/machine-id r,
+  /etc/debian_version r,
+  /etc/dpkg/origins/debian r,
   /etc/machine-id r,
+  /var/lib/dbus/machine-id r,
 
   /var/lib/apt/lists/ r,
   /var/lib/apt/lists/*_InRelease r,
 
   /var/cache/apt/pkgcache.bin{,.*} rw,
 
-  /etc/dpkg/origins/debian r,
-  /etc/debian_version r,
-
   owner @{PROC}/@{pid}/fd/ r,
 
   include if exists <local/apt-forktracer>

apparmor.d/groups/apt/apt-methods-gpgv

@@ -71,7 +71,6 @@ profile apt-methods-gpgv @{exec_path} {
   /root/ r,
 
         /var/lib/apt/lists/{,**} r,
-        /var/lib/ubuntu-advantage/apt-esm/{,**} r,
         /var/lib/dpkg/arch r,
         /var/lib/extrepo/keys/*.{gpg,asc} r,
   owner /var/lib/apt/lists/{,**} rw,

apparmor.d/groups/apt/apt-methods-store

@@ -1,5 +1,6 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2019-2021 Mikhail Morfikov
+# Copyright (C) 2021-2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 
 abi <abi/3.0>,
@@ -30,29 +31,29 @@ profile apt-methods-store @{exec_path} {
   # apt-helper gets "no new privs" so "rix" it
   @{lib}/apt/apt-helper rix,
 
+  /usr/share/dpkg/cputable r,
+  /usr/share/dpkg/tupletable r,
+  /usr/share/doc/*/changelog.* r,
+
+  /etc/apt/apt.conf.d/{,*} r,
+  /etc/apt/apt.conf r,
+
   # For shell pwd
   / r,
   /etc/ r,
   /root/ r,
 
-  /etc/apt/apt.conf.d/{,*} r,
-  /etc/apt/apt.conf r,
-
-  /usr/share/dpkg/cputable r,
-  /usr/share/dpkg/tupletable r,
-
         /var/lib/apt/lists/{,**} r,
   owner /var/lib/apt/lists/* rw,
   owner /var/lib/apt/lists/partial/* rw,
-
+  owner /var/lib/ubuntu-advantage/apt-esm/{,**} rw,
-  /usr/share/doc/*/changelog.* r,
-
-        /tmp/ r,
-  owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
 
   # For package building
   @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
 
+        /tmp/ r,
+  owner /tmp/apt-changelog-*/*.changelog{,.*} rw,
+
   # file_inherit
   owner /dev/tty@{int} rw,
   owner /var/log/cron-apt/temp w,

apparmor.d/groups/apt/dpkg

@@ -25,34 +25,27 @@ profile dpkg @{exec_path} {
   @{bin}/cat         rix,
   @{bin}/rm          rix,
 
+  @{bin}/deb-systemd-helper rix,
   @{bin}/dpkg-deb    rpx,
   @{bin}/dpkg-query  rpx,
   @{bin}/dpkg-split  rPx,
-  @{bin}/deb-systemd-helper rix,
+  @{bin}/systemctl   rPx -> child-systemctl,
   @{lib}/needrestart/dpkg-status rPx,
   /usr/share/debian-security-support/check-support-status.hook rPx,
 
-  @{bin}/pager       rCx -> diff,
+  @{bin}/pager       rPx -> child-pager,
-  @{bin}/less        rCx -> diff,
+  @{bin}/less        rPx -> child-pager,
-  @{bin}/more        rCx -> diff,
+  @{bin}/more        rPx -> child-pager,
-  @{bin}/diff        rCx -> diff,
+  @{bin}/diff        rPx -> child-pager,
 
-  /etc/dpkg/dpkg.cfg.d/{,*} r,
+  # Package maintainer's scripts
-  /etc/dpkg/dpkg.cfg r,
-
-  # Run the package maintainer's scripts
-  # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
   # Move it to a child profile once more transitions will be available
-  /var/lib/dpkg/ r,
-  /var/lib/dpkg/** rwkl -> /var/lib/dpkg/**,
   /var/lib/dpkg/info/*.{config,templates} rPUx,
   /var/lib/dpkg/info/*.{preinst,postinst} rPUx,
   /var/lib/dpkg/info/*.{prerm,postrm}     rPUx,
-  /var/lib/dpkg/info/*.control            r,
   /var/lib/dpkg/tmp.ci/{config,templates} rPUx,
   /var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
   /var/lib/dpkg/tmp.ci/{prerm,postrm}     rPUx,
-  /var/lib/dpkg/tmp.ci/control            r,
   #/var/lib/dpkg/info/*.{config,templates} rCx -> scripts,
   #/var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
   #/var/lib/dpkg/info/*.{prerm,postrm}     rCx -> scripts,
@@ -60,89 +53,27 @@ profile dpkg @{exec_path} {
   #/var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
   #/var/lib/dpkg/tmp.ci/{prerm,postrm}     rCx -> scripts,
 
-  /var/log/dpkg.log w,
-  /var/log/unattended-upgrades/unattended-upgrades-dpkg.log rw,
-
   # For shell pwd
   /root/ r,
 
-  # Basically, dpkg needs R/W permissions to the following files since it installs them.
+  # Install/update packages
-  # It also needs the L permission when a package is reinstalled.
   / r,
-  /usr/    r,
+  /*{,/} rw,
-  /usr/**  rwl -> /usr/**,
-  /lib/    r,
-  /lib/**  rwl -> /lib/** ,
-  # Fixme when more transitions will be available (#FIXME#)
-  /lib{,32,64,x64}/ r,
-  /lib{,32,64,x64}/** rwl,
-  /bin/    r,
-  /bin/*   rwl -> /bin/*,
-  /sbin/   r,
-  /sbin/*  rwl -> /sbin/*,
-  /etc/    r,
-  /etc/**  rwl -> /etc/**,
-  /boot/   r,
   /boot/** rwl -> /boot/**,
-  /opt/    r,
+  /etc/** rwl -> /etc/**,
   /opt/** rwl -> /opt/**,
-  # Without backups/, cache/, log/, mail/, opt/, tmp/ .
+  /srv/** rwl -> /srv/**,
-  /var/lib/      r,
+  /usr/** rwlk -> /usr/**,
-  /var/lib/**    rwl -> /var/lib/**,
+  /var/** rwlk -> /var/**,
-  /var/local/    r,
-  /var/local/**  rwl -> /var/local/**,
-  /var/spool/    r,
-  /var/spool/**  rwl -> /var/spool/**,
-  # Fixme when more transitions will be available (#FIXME#)
-  /var/www/      r,
-  /var/www/**    rwl,
-  # To create log and cache dirs
-  /var/log/**/   rw,
-  /var/cache/**/ rw,
-  # To create dirs under var
-  /var/*.dpkg-new/ rw,
-  /var/*/ rw,
 
   owner /tmp/apt-dpkg-install-*/ r,
 
   @{run}/systemd/userdb/ r,
 
-  owner @{PROC}/@{pid}/fd/ r,
         @{PROC}/sys/kernel/random/boot_id r,
+  owner @{PROC}/@{pid}/fd/ r,
 
   owner /dev/tty@{int} rw,
 
-  profile diff {
-    include <abstractions/base>
-    include <abstractions/consoles>
-
-    @{bin}/       r,
-    @{bin}/pager mr,
-    @{bin}/less  mr,
-    @{bin}/more  mr,
-    @{bin}/diff  mr,
-
-    /etc/** r,  # Diff changed config files
-    /root/ r,   # For shell pwd
-
-    owner @{HOME}/.lesshs* rw,
-
-  }
-
-  profile scripts {
-    include <abstractions/base>
-
-    @{bin}/    r,
-    @{bin}/*   rPUx,
-
-    /var/lib/dpkg/info/*.config             r,
-    /var/lib/dpkg/info/*.{preinst,postinst} r,
-    /var/lib/dpkg/info/*.{prerm,postrm}     r,
-    /var/lib/dpkg/tmp.ci/config             r,
-    /var/lib/dpkg/tmp.ci/{preinst,postinst} r,
-    /var/lib/dpkg/tmp.ci/{prerm,postrm}     r,
-
-  }
-
   include if exists <local/dpkg>
 }