# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /{usr/,}sbin/popularity-contest
profile popularity-contest @{exec_path} {
  include <abstractions/base>
  include <abstractions/perl>
  include <abstractions/nameservice-strict>

  # For popularity-contest --su-nobody
  capability setuid,
  capability setgid,

  capability sys_ptrace,
  ptrace (read),

  capability dac_read_search,

  @{exec_path} r,
  /{usr/,}bin/perl r,

  /{usr/,}bin/{,ba,da}sh  rix,
  /{usr/,}bin/env         rix,

  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
  #  shared object file): ignored.
  /{usr/,}bin/dpkg-query  rpx,
  #
  /{usr/,}bin/dpkg        rPx -> child-dpkg,
  /{usr/,}bin/dpkg-divert rPx -> child-dpkg-divert,

  # For shell pwd
  /root/ r,

  /etc/popularity-contest.conf r,

  /etc/dpkg/origins/debian r,

  /etc/shadow r,

  /var/lib/dpkg/info/{,*.list} r,

  @{PROC}/ r,

  /var/log/ r,
  /var/log/popularity-contest.new w,

  /var/lib/ r,

  # file_inherit
  /tmp/#[0-9]*[0-9] rw,

  include if exists <local/popularity-contest>
}