From 4ada6f5879198d597ea167ca4eb73b7611dbd721 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Tue, 7 May 2024 16:12:29 +0100
Subject: [PATCH] feat(profile): improve dpkg deb & split.

---
 apparmor.d/groups/apt/dpkg-deb | 19 +++++++------------
 apparmor.d/groups/apt/dpkg-split | 4 ++--
 2 files changed, 9 insertions(+), 14 deletions(-)

diff --git a/apparmor.d/groups/apt/dpkg-deb b/apparmor.d/groups/apt/dpkg-deb
index a463d54e..b702eded 100644
--- a/apparmor.d/groups/apt/dpkg-deb
+++ b/apparmor.d/groups/apt/dpkg-deb
@@ -21,22 +21,17 @@ profile dpkg-deb @{exec_path} {
   @{bin}/tar rix,
   @{bin}/rm rix,
 
+  /var/cache/apt/archives/*.deb r,
+
   owner /var/lib/dpkg/tmp.ci/ w,
   owner /var/lib/dpkg/tmp.ci/* w,
 
-  # For creating deb packages
-  owner @{tmp}/dpkg-deb.* rw,
+  owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
+  owner @{user_pkg_dirs}/** r,
 
-  owner @{tmp}/dpkg-deb.*/ rw,
-  owner @{tmp}/dpkg-deb.*/* rw,
-
-  # For extracting deb packages to /tmp/
-  owner @{tmp}/** rw,
-
-  /var/cache/apt/archives/*.deb r,
-
-  # For package building
-  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
+  audit owner @{tmp}/dpkg-deb.* rw,
+  audit owner @{tmp}/dpkg-deb.*/ rw,
+  audit owner @{tmp}/dpkg-deb.*/* rw,
 
   include if exists
 }
diff --git a/apparmor.d/groups/apt/dpkg-split b/apparmor.d/groups/apt/dpkg-split
index 81439817..78e19897 100644
--- a/apparmor.d/groups/apt/dpkg-split
+++ b/apparmor.d/groups/apt/dpkg-split
@@ -26,8 +26,8 @@ profile dpkg-split @{exec_path} {
 
   /var/cache/apt/archives/*.deb r,
 
-  # For package building
-  @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
+  owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,
+  owner @{user_pkg_dirs}/** r,
 
   include if exists
 }
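Review bot: The three new `audit owner @{tmp}/dpkg-deb.*` rules carry no comment saying why they are audited, while the `# For creating deb packages` and `# For extracting deb packages to /tmp/` comments that documented the temp-file rules are removed in the same hunk; `audit` on an allow rule turns every matching access into a log entry, so the next maintainer needs to know whether this is a temporary probe or a permanent trace. A one-line comment above the group such as `# audit: confirm the narrowed @{tmp} rules cover deb creation and extraction now that owner @{tmp}/** rw is gone; drop the prefix once confirmed` would capture the intent. The same dropped-comment point applies to the `owner @{user_build_dirs}/** rwkl -> @{user_build_dirs}/**,` / `owner @{user_pkg_dirs}/** r,` pair here and in the dpkg-split hunk, where `# For package building` is removed. `@{user_pkg_dirs}` is presumably defined in the project's tunables, which this patch does not show, so that cannot be checked here. The enclosing `profile dpkg-deb @{exec_path} {` block starts outside the hunk.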