# apparmor.d - Full set of apparmor profiles # Copyright (C) 2019-2021 Mikhail Morfikov # SPDX-License-Identifier: GPL-2.0-only abi , include @{exec_path} = /{usr/,}bin/ucf profile ucf @{exec_path} flags=(complain) { include include @{exec_path} r, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/basename rix, /{usr/,}bin/seq rix, /{usr/,}bin/cp rix, /{usr/,}bin/mv rix, /{usr/,}bin/rm rix, /{usr/,}bin/{,e}grep rix, /{usr/,}bin/which rix, /{usr/,}bin/md5sum rix, /{usr/,}bin/sed rix, /{usr/,}bin/getopt rix, /{usr/,}bin/mkdir rix, /{usr/,}bin/cat rix, /{usr/,}bin/id rix, /{usr/,}bin/readlink rix, /{usr/,}bin/perl rix, /{usr/,}bin/gawk rix, /{usr/,}bin/tr rix, /{usr/,}bin/dirname rix, /{usr/,}bin/stat rix, # Do not strip env to avoid errors like the following: # ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open # shared object file): ignored. /{usr/,}bin/dpkg-query rpx, # /{usr/,}bin/dpkg-divert rPx, /{usr/,}bin/sensible-pager rCx -> pager, # Think what to do about this (#FIXME#) /usr/share/debconf/frontend rPx, #/usr/share/debconf/frontend rCx -> frontend, /etc/ucf.conf r, /var/lib/ucf/** rw, owner /tmp/* rw, /etc/default/* rw, # For md5sum /etc/** r, /usr/share/*/conffiles/* r, @{run}/** r, # For writing new config files /etc/** rw, /usr/share/debconf/confmodule r, # For shell pwd / r, /root/ r, profile pager flags=(complain) { include include /{usr/,}bin/ r, /{usr/,}bin/sensible-pager mr, # For shell pwd /root/ r, } profile frontend flags=(complain) { include include include include /usr/share/debconf/frontend r, /{usr/,}bin/perl r, /{usr/,}bin/ucf rPx, /{usr/,}bin/{,ba,da}sh rix, /{usr/,}bin/stty rix, /{usr/,}bin/locale rix, /etc/debconf.conf r, owner /var/cache/debconf/{config,passwords,templates}.dat{,-new,-old} rwk, # The following is needed when debconf uses GUI frontends. include include include include capability dac_read_search, /{usr/,}bin/lsb_release rPx -> child-lsb_release, /{usr/,}bin/hostname rix, owner @{PROC}/@{pid}/mounts r, @{HOME}/.Xauthority r, } include if exists }