# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{BUILD_DIR} = /media/debuilder/

@{exec_path} = /{usr/,}lib/apt/methods/ftp
profile apt-methods-ftp @{exec_path} {
  include <abstractions/base>
  include <abstractions/consoles>

  # The "_apt" user is created by the postinst script of the "apt" package. It's the owner of the
  # dirs "/var/cache/apt/archives/partial/" and "/var/lib/apt/lists/partial/" . The "_apt" user is
  # used by APT to download packages, package list, and other things using APT methods as an
  # unprivileged user/group (_apt/nogroup).
  capability setgid,
  capability setuid,

  signal (receive) peer=apt,
  signal (receive) peer=apt-get,
  signal (receive) peer=aptitude,
  signal (receive) peer=synaptic,

  @{exec_path} mr,

        /var/lib/apt/lists/{,**} r,
  owner /var/lib/apt/lists/* rw,
  owner /var/lib/apt/lists/partial/* rw,

  # For shell pwd
  / r,
  /etc/ r,
  /root/ r,

  # For package building
  @{BUILD_DIR}/** rwkl -> @{BUILD_DIR}/**,

  # file_inherit
  owner /dev/tty[0-9]* rw,

  include if exists <local/apt-methods-ftp>
}