# apparmor.d - Full set of apparmor profiles # Copyright (C) 2020-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = /{usr/,}sbin/update-ca-certificates profile update-ca-certificates @{exec_path} { include include include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/basename rix, /{usr/,}bin/cat rix, /{usr/,}bin/chmod rix, /{usr/,}bin/mktemp rix, /{usr/,}bin/mv rix, /{usr/,}bin/readlink rix, /{usr/,}bin/rm rix, /{usr/,}bin/sed rix, /{usr/,}bin/sort rix, /{usr/,}bin/wc rix, /{usr/,}bin/find rix, /{usr/,}bin/ln rix, /{usr/,}bin/test rix, /{usr/,}bin/openssl rix, /etc/ca-certificates/update.d/ r, /etc/ca-certificates/update.d/jks-keystore rCx -> jks-keystore, /{usr/,}bin/run-parts rCx -> run-parts, /etc/ r, /etc/ca-certificates.conf r, /etc/ssl/certs/ca-certificates.crt rw, /etc/ssl/certs/*.pem rw, /etc/ssl/certs/[0-9a-f]*.[0-9] rw, /{usr/,}lib/locale/locale-archive r, /tmp/ r, owner /tmp/ca-certificates{,.crt}.tmp.* rw, # For shell pwd /root/ r, /usr/local/share/ r, @{PROC}/filesystems r, profile run-parts { include /{usr/,}bin/run-parts mr, /etc/ca-certificates/update.d/ r, # file_inherit owner /dev/pts/[0-9]* rw, } profile jks-keystore { include include include include /etc/ca-certificates/update.d/jks-keystore mr, /{usr/,}lib/ r, /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/jre/bin/java rix, /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/bin/java rix, /{usr/,}lib/jvm/java-[0-9]*-openjdk-*/lib/server/classes.jsa mr, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/sed rix, /{usr/,}bin/head rix, /{usr/,}bin/mountpoint rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. /{usr/,}bin/dpkg-query rpx, # /{usr/,}bin/dpkg rPx -> child-dpkg, /usr/share/ca-certificates-java/ca-certificates-java.jar r, /usr/share/java/java-atk-wrapper.jar r, /etc/default/cacerts r, /etc/ssl/certs/java/cacerts rw, /etc/java-[0-9]*-openjdk/{,**} r, owner @{PROC}/@{pid}/coredump_filter rw, owner @{PROC}/@{pid}/coredump rw, owner @{PROC}/@{pid}/cgroup r, owner @{PROC}/@{pid}/mountinfo r, @{sys}/fs/cgroup/** r, owner /tmp/hsperfdata_*/ rw, owner /tmp/hsperfdata_*/@{pid} rw, } include if exists }