From d1c7051086c9b4b26263c0391ca86babecc38292 Mon Sep 17 00:00:00 2001
From: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
Date: Sat, 16 May 2026 18:34:03 +0200
Subject: [PATCH] Update AppArmor profile

sync with distribution changes:
- allow ergo to execute ergo-ldap as a subprocess to allow for LDAP
  authentication
- allow ergo to create backup files to allow for autoupgrade
- consolidate and sort some lines for easier maintenance

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
---
 distrib/apparmor/ergo | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/distrib/apparmor/ergo b/distrib/apparmor/ergo
index 3a5f13d4..8b3a1e6e 100644
--- a/distrib/apparmor/ergo
+++ b/distrib/apparmor/ergo
@@ -9,14 +9,15 @@ profile ergo /usr/bin/ergo {
   include <abstractions/nameservice>
 
   /etc/ergo/ircd.{motd,yaml} r,
-  /etc/ssl/irc/{crt,key} r,
-  /etc/ssl/ergo/{crt,key} r,
-  /usr/bin/ergo mr,
+  /etc/ssl/{ergo,irc}/{crt,key} r,
   /proc/sys/net/core/somaxconn r,
   /sys/kernel/mm/transparent_hugepage/hpage_pmd_size r,
+  /usr/bin/ergo mr,
+  /usr/bin/ergo-ldap Px -> ergo-ldap,
   /usr/share/ergo/languages/{,*.lang.json,*.yaml} r,
   owner /run/ergo/ircd.lock rwk,
   owner /var/lib/ergo/ircd.db rw,
+  owner /var/lib/ergo/ircd.db.*.bak w,
 
   include if exists <local/ergo>
 
@@ -25,7 +26,7 @@ profile ergo /usr/bin/ergo {
 profile ergo-ldap /usr/bin/ergo-ldap {
   include <abstractions/openssl>
   include <abstractions/ssl_certs>
-  
+
   /usr/bin/ergo-ldap rm,
   /etc/ergo/ldap.yaml r,