# vim:syntax=apparmor
# ------------------------------------------------------------------
#
#    Copyright (C) 2019-2021 Mikhail Morfikov
#
#    This program is free software; you can redistribute it and/or
#    modify it under the terms of version 2 of the GNU General Public
#    License published by the Free Software Foundation.
#
# ------------------------------------------------------------------

abi <abi/3.0>,

include <tunables/global>

@{exec_path} = /etc/cron.{hourly,daily,weekly,monthly}/debsums
profile cron-debsums @{exec_path} {
  include <abstractions/base>

  @{exec_path} mr,

  /{usr/,}bin/{,ba,da}sh rix,
  /{usr/,}bin/true       rix,
  /{usr/,}bin/logger     rix,
  /{usr/,}bin/sed        rix,
  /{usr/,}bin/{,e}grep   rix,

  /{usr/,}bin/ionice     rix,

  /{usr/,}bin/debsums    rPx,
  /{usr/,}bin/tee        rCx -> tee,

  /etc/ r,
  /etc/default/debsums r,
  /etc/debsums-ignore r,

  # For shell pwd
  / r,


  profile tee {
    include <abstractions/base>
    include <abstractions/consoles>

    # Needed to write to /proc/self/fd/3
    capability dac_override,

    /{usr/,}bin/tee mr,

    owner @{PROC}/@{pid}/fd/3 rw,

  }

  include if exists <local/cron-debsums>
}