# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2020-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/check-support-status
@{att} = ""
profile check-support-status /{,usr/}bin/check-support-status flags=(complain) {
  include <abstractions/base-strict>
  include <abstractions/consoles>

  @{exec_path} rix,
  @{sh_path}        rix,

  @{bin}/           r,
  @{bin}/gettext.sh r,
  @{bin}/cat        rix,
  @{bin}/{,e}grep   rix,
  @{bin}/cut        rix,
  @{bin}/date       rix,
  @{bin}/getopt     rix,
  @{bin}/fold       rix,
  @{bin}/mktemp     rix,
  @{bin}/rm         rix,
  @{bin}/comm       rix,
  @{bin}/mkdir      rix,
  @{bin}/mv         rix,
  @{bin}/find       rix,
  @{bin}/wc         rix,
  @{bin}/basename   rix,
  @{bin}/{m,g,}awk  rix,
  @{bin}/sort       rix,
  @{bin}/head       rix,
  @{bin}/gettext    rix,
  @{bin}/sed        rix,
  @{bin}/envsubst   rix,
  @{bin}/dirname    rix,

  # Do not strip env to avoid errors like the following:
  #  ERROR: ld.so: object 'libfakeroot-sysv.so' from LD_PRELOAD cannot be preloaded (cannot open
  #  shared object file): ignored.
  @{bin}/dpkg-query rpx,

  @{bin}/dpkg       rpx -> child-dpkg,

  @{bin}/debconf-escape rcx -> debconf-escape,

  /etc/debian_version r,

  # For shell pwd
  / r,
  owner @{HOME}/ r,

        /tmp/ r,
  owner @{tmp}/debian-security-support.*/{,**} rw,
        /tmp/debian-security-support.postinst.*/output w,

        /var/lib/debian-security-support/ r,
  owner /var/lib/debian-security-support/security-support.semaphore rw,
  owner /var/lib/debian-security-support/tmp.* rw,

  /usr/share/debian-security-support/ r,
  /usr/share/debian-security-support/* r,

  profile debconf-escape flags=(complain) {
    include <abstractions/base-strict>
    include <abstractions/perl>

    @{bin}/debconf-escape r,

    owner @{tmp}/debian-security-support.postinst.*/output r,

    include if exists <local/check-support-status_debconf-escape>
  }

  include if exists <local/check-support-status>
}

# vim:syntax=apparmor
