From 18d5ce6a21864cb47d2e9e52be312955326df65a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Franc=CC=A7ois=20Bonelle?=
Date: Fri, 25 Aug 2023 18:19:20 +0200
Subject: [PATCH] fix
---
 promtail/apparmor.txt | 41 +++++++++++++++++++----------------------
 1 file changed, 19 insertions(+), 22 deletions(-)
diff --git a/promtail/apparmor.txt b/promtail/apparmor.txt
index 4148c6d..8835319 100644
--- a/promtail/apparmor.txt
+++ b/promtail/apparmor.txt
@@ -26,31 +26,28 @@ profile hassio_promtail flags=(attach_disconnected,mediate_deleted) {
  # S6-Overlay
  /init rix,
  /bin/** rix,
- /usr/bin/** rix,
- /usr/sbin/** rix,
+ @{do_usr}/bin/** rix,
+ @{do_usr}/sbin/** rix,
+ @{do_etc}/* rw,
  @{do_etc}/s6*/** r,
  @{do_etc}/fix-attrs.d/{,**} r,
  @{do_etc}/cont-{init,finish}.d/{,**} rwix,
  @{do_etc}/services.d/{,**} rwix,
- @{do_run}/{s6,s6-rc*,service}/** rix,
- /command/** rix,
- /package/** rix,
- @{do_run}/{,**} rwk,
- /dev/tty rw,
- @{do_usr}/lib/locale/{,**} r,
  @{do_etc}/ssl/openssl.cnf r,
  @{do_etc}/{group,hosts,passwd} r,
  @{do_etc}/{host,nsswitch,resolv}.conf r,
- /dev/null k,
-
- # https://github.com/hassio-addons/addon-debian-base/blob/main/base/rootfs/etc/cont-init.d/02-set-timezone.sh
- # Wants to link /etc/localtime but apparmor sees a random hash so * it is.
- @{do_etc}/* rw,
+ @{do_run}/{s6,s6-rc*,service}/** rix,
+ @{do_run}/{,**} rwk,
+ @{do_usr}/lib/locale/{,**} r,
  @{do_usr}/share/{,**} r,
+ /dev/tty rw,
+ /dev/null k,
  /var/cache/{,**} rw,
+ /command/** rix,
+ /package/** rix,
 
  # Bashio
- /usr/lib/bashio/** ix,
+ @{do_usr}/lib/bashio/** ix,
  /tmp/** rw,
 
  # Options.json & addon data
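Review bot: The explanatory comment for the broad `@{do_etc}/* rw,` rule is deleted while the rule itself is kept and moved to the top of the S6 block, so a reader now sees write access to every top-level file under @{do_etc} with no stated reason (it also makes the narrower `@{do_etc}/{group,hosts,passwd} r,` line redundant, since AppArmor rules accumulate). The removed lines said the timezone script in 02-set-timezone.sh wants to link /etc/localtime and the link target name is unpredictable, which is the only justification for not naming the file; please keep that next to the rule, e.g. `# 02-set-timezone.sh links /etc/localtime; the target name is unpredictable, hence the glob`. The rest of the hunk is a reorder plus the /usr -> @{do_usr} substitution and needs no change. The enclosing hassio_promtail profile starts before this hunk and continues after it.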
@@ -64,11 +61,11 @@ profile hassio_promtail flags=(attach_disconnected,mediate_deleted) {
  @{journald} r,
 
  # Programs
- /usr/bin/promtail cx -> promtail,
- /usr/bin/yq Cx,
- /usr/sbin/dpkg-reconfigure Cx,
+ @{do_usr}/bin/promtail cx -> promtail_profile,
+ @{do_usr}/bin/yq Cx,
+ @{do_usr}/sbin/dpkg-reconfigure Cx,
 
- profile promtail flags=(attach_disconnected,mediate_deleted) {
+ profile promtail_profile flags=(attach_disconnected,mediate_deleted) {
  include
 
  # Receive signals from s6
@@ -94,13 +91,13 @@ profile hassio_promtail flags=(attach_disconnected,mediate_deleted) {
  @{journald} r,
 
  # Runtime usage
- /usr/bin/promtail rm,
+ @{do_usr}/bin/promtail rm,
  @{do_etc}/{hosts,passwd} r,
  @{do_etc}/{resolv,nsswitch}.conf r,
  @{PROC}/sys/net/core/somaxconn r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /dev/null k,
- @{do_etc}/ssl/certs/** r,
+ @{do_etc}/ssl/certs/** r,
  }
 
  profile /usr/bin/yq flags=(attach_disconnected,mediate_deleted) {
@@ -112,7 +109,7 @@ profile hassio_promtail flags=(attach_disconnected,mediate_deleted) {
  /share/** r,
 
  # Runtime usage
- /usr/bin/yq rm,
+ @{do_usr}/bin/yq rm,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  /dev/null k,
  }
@@ -120,6 +117,6 @@ profile hassio_promtail flags=(attach_disconnected,mediate_deleted) {
  profile /usr/sbin/dpkg-reconfigure flags=(attach_disconnected,mediate_deleted) {
  include
 
- /** rwlkmix,
+ /** rwlkmix,
  }
 }
\ No newline at end of file
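Review bot: The exec rules for yq and dpkg-reconfigure are switched to `@{do_usr}/...` with a bare `Cx`, but their child profiles keep the literal names `profile /usr/bin/yq` and `profile /usr/sbin/dpkg-reconfigure` (visible as context in the third and fifth hunks). A bare `Cx` transitions to the child profile named after the matched executable path, so this only resolves if `@{do_usr}` expands to exactly `/usr`; if the variable also covers another prefix, execs from that prefix would fail for lack of a matching child profile — the definition of `@{do_usr}` is not in this diff, so please confirm. The promtail line sidesteps this by naming its target (`cx -> promtail_profile`); giving the other two explicit targets as well, e.g. `@{do_usr}/bin/yq Cx -> yq_profile,` with the child profile renamed to match (constructed name), would make the transitions independent of how the variable expands. The enclosing hassio_promtail profile starts before this hunk and the promtail_profile child continues past its last line.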