# apparmor.d - Full set of apparmor profiles # Copyright (C) 2018-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = /{usr/,}sbin/cron-apt profile cron-apt @{exec_path} { include include # Needed? capability setgid, @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/dotlockfile rix, /{usr/,}bin/sed rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/diff rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/rmdir rix, /{usr/,}bin/rm rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/md5sum rix, /{usr/,}bin/stat rix, /{usr/,}bin/date rix, /{usr/,}bin/cat rix, /{usr/,}bin/expr rix, /{usr/,}bin/cp rix, /{usr/,}bin/dd rix, /{usr/,}bin/cksum rix, /{usr/,}bin/gawk rix, /{usr/,}bin/sleep rix, /{usr/,}bin/mv rix, /{usr/,}bin/logger rix, /{usr/,}bin/ls rix, /{usr/,}bin/touch rix, /{usr/,}bin/uname rix, /{usr/,}bin/fold rix, /{usr/,}bin/apt-get rPx, /{usr/,}bin/apt-file rPx, /{usr/,}bin/aptitude{,-curses} rPx, /{usr/,}sbin/exim4 rPx, /usr/share/cron-apt/{,*} r, /etc/cron-apt/{,*/} r, /etc/cron-apt/config r, /etc/cron-apt/refrain r, /etc/cron-apt/action.d/[0-9]-* r, # For shell pwd / r, /etc/ r, /root/ r, /var/lib/cron-apt/ rw, /var/lib/cron-apt/** rwl -> /var/lib/cron-apt/**, # Logs /var/log/cron-apt/ r, /var/log/cron-apt/error w, /var/log/cron-apt/temp rw, /var/log/cron-apt/mail rw, /var/log/cron-apt/lastfullmessage rw, # For the "ls" command /{usr/,}lib/locale/locale-archive r, # TMP /tmp/ r, owner /tmp/cron-apt.*/ rw, owner /tmp/cron-apt.*/difftemp rw, owner /tmp/cron-apt.*/lockfile rw, owner /tmp/cron-apt.*/initlog rw, owner /tmp/cron-apt.*/status rw, owner /tmp/cron-apt.*/run{log,error,mail,syslog} rw, owner /tmp/cron-apt.*/action{log,error,mail,syslog} rw, # file_inherit owner /tmp/#[0-9]*[0-9] rw, include if exists }