# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = /usr/share/debconf/frontend
profile frontend /usr/share/debconf/frontend flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/fontconfig-cache-read>
  include <abstractions/fonts>
  include <abstractions/freedesktop.org>
  include <abstractions/gtk>
  include <abstractions/nameservice-strict>
  include <abstractions/perl>

  capability dac_read_search,

  @{exec_path} r,
  @{bin}/perl r,

  @{sh_path}         rix,
  @{bin}/hostname    rix,
  @{bin}/locale      rix,
  @{bin}/lsb_release rPx -> lsb_release,
  @{bin}/stty        rix,
  @{bin}/update-secureboot-policy rPx,

  # debconf apps
  @{bin}/adequate                     rPx,
  @{bin}/aspell-autobuildhash         rPx,
  @{bin}/debconf-apt-progress         rPx,
  @{bin}/linux-check-removal          rPx,
  @{bin}/pam-auth-update              rPx,
  @{bin}/ucf                          rPx,
  @{bin}/whiptail                     rPx,
  @{lib}/tasksel/tasksel-debconf      rPx -> tasksel,
  /usr/share/debian-security-support/check-support-status.hook rPx,

  # Grub
  @{lib}/grub/grub-multi-install           rPx,
  /usr/share/grub/grub-check-signatures    rPx,

  # Run the package maintainer's scripts
  # What to do with it? Maintainer scripts can use lots of tools. (#FIXME#)
  #/var/lib/dpkg/info/*.{config,templates} rPUx,
  #/var/lib/dpkg/info/*.{preinst,postinst} rPUx,
  #/var/lib/dpkg/info/*.{prerm,postrm}     rPUx,
  /var/lib/dpkg/info/*.control            r,
  #/var/lib/dpkg/tmp.ci/{config,templates} rPUx,
  #/var/lib/dpkg/tmp.ci/{preinst,postinst} rPUx,
  #/var/lib/dpkg/tmp.ci/{prerm,postrm}     rPUx,
  /var/lib/dpkg/tmp.ci/control            r,
  /var/lib/dpkg/info/*.{config,templates} rCx -> scripts,
  /var/lib/dpkg/info/*.{preinst,postinst} rCx -> scripts,
  /var/lib/dpkg/info/*.{prerm,postrm}     rCx -> scripts,
  /var/lib/dpkg/tmp.ci/{config,templates} rCx -> scripts,
  /var/lib/dpkg/tmp.ci/{preinst,postinst} rCx -> scripts,
  /var/lib/dpkg/tmp.ci/{prerm,postrm}     rCx -> scripts,

  # DKMS scipts
  # What to do with it? (#FIXME#)
  @{lib}/dkms/common.postinst        rPUx,
  @{lib}/dkms/dkms-*                 rPUx,
  @{lib}/dkms/dkms_*                 rPUx,

  /usr/share/debconf/{,**} r,

  /etc/debconf.conf r,
  /etc/inputrc r,
  /etc/shadow r,

  owner /tmp/file* w,
  owner /var/cache/debconf/* rwk,

  @{HOME}/.Xauthority r,

  @{run}/user/@{uid}/pk-debconf-socket rw,

  owner @{PROC}/@{pid}/mounts r,

  profile scripts flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>

    capability dac_read_search,

    /var/lib/dpkg/info/*.config             r,
    /var/lib/dpkg/info/*.{preinst,postinst} r,
    /var/lib/dpkg/info/*.{prerm,postrm}     r,
    /var/lib/dpkg/tmp.ci/config             r,
    /var/lib/dpkg/tmp.ci/{preinst,postinst} r,
    /var/lib/dpkg/tmp.ci/{prerm,postrm}     r,

    /               r,

    @{bin}/   r,
    @{bin}/*  rPUx,

    @{lib}/    r,
    @{lib}/**  rPUx,

    /usr/share/     r,
    /usr/share/**   rPUx,

    /etc/init.d/    r,
    /etc/init.d/*   rPUx,

    /etc/           r,
    /etc/**         rw,
    /var/           r,
    /var/**         rw,
    @{sys}/         r,
    @{sys}/**/      r,
    @{run}/         r,
    @{run}/**       rw,
          /tmp/     r,
    owner /tmp/**   rw,

  }

  include if exists <local/frontend>
}
