# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/3.0>,

include <tunables/global>

@{BUILD_DIR} = /media/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/file
profile apt-methods-file @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
  # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
  # used by APT to download packages, package list, and other things using APT methods as an
  # unprivileged user/group (_apt/nogroup).
  capability setgid,
  capability setuid,

  signal (receive) peer=apt,
  signal (receive) peer=apt-get,
  signal (receive) peer=aptitude,
  signal (receive) peer=synaptic,

  @{exec_path} mr,

  # apt-helper gets "no new privs" so "rix" it
  /{usr/,}lib/apt/apt-helper rix,

  # For shell pwd
  / r,
  /etc/ r,
  /root/ r,

  /etc/apt/apt.conf.d/{,*} r,
  /etc/apt/apt.conf r,

  /usr/share/dpkg/cputable r,
  /usr/share/dpkg/tupletable r,

        /var/lib/apt/lists/{,**} r,
  owner /var/lib/apt/lists/* rw,
  owner /var/lib/apt/lists/partial/* rw,

  # For package building
  @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,

  # file_inherit
  owner /dev/tty[0-9]* rw,
  /var/log/cron-apt/temp w,

  include if exists <local/apt-methods-file>
}