You already did the right thing with error checking.
    # skip the entry if the path does not exist
    if ! [ -e "${file}" ]; then
        echo "ERROR: File '${file}' does not exist!"
        break
    fi
    # skip the entry if the mode is not in the accepted range
    if ! seq -w 000 4777 | grep -qw "${mode}"; then
        echo "ERROR: Mode '${mode}' is invalid!"
        break
    fi
Just change from “break” to “continue” (meaning “continue the loop with the next iteration” rather than “break this loop right now”).
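To make the difference concrete, here is a small added example (not code from the thread or from security-misc) of a loop that applies modes to a list of "path mode" pairs. It uses the `continue` suggested above so that one bad entry is reported and skipped while the rest are still processed; the input list, the temporary files and the `valid_mode` helper are constructed for this example, and `valid_mode` is a stricter check than the `seq | grep` test because it only accepts four octal digits in the range 0000..4777.

```shell
#!/bin/sh
# Added example: why "continue" rather than "break" is the right reaction to
# one invalid entry in a file/mode loop.

# Accept exactly four octal digits from 0000 to 4777 (constructed check; the
# thread's seq|grep test would also accept non-octal strings such as "0999").
valid_mode() {
    case "$1" in
        [0-4][0-7][0-7][0-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# Read "path mode" pairs from stdin. A missing file or an invalid mode is
# reported on stderr and the entry is skipped with "continue", so the loop
# carries on with the next pair instead of aborting. Prints the number of
# entries actually applied.
lockdown_entries() {
    applied=0
    while read -r file mode; do
        [ -n "$file" ] || continue            # ignore blank lines
        if ! [ -e "$file" ]; then
            echo "ERROR: File '$file' does not exist!" >&2
            continue
        fi
        if ! valid_mode "$mode"; then
            echo "ERROR: Mode '$mode' is invalid!" >&2
            continue
        fi
        chmod "$mode" "$file"
        applied=$((applied + 1))
    done
    echo "$applied"
}

# Constructed demo: two real files in a temporary directory, plus one entry
# with a missing path and one with a non-octal mode. With "continue" both
# valid entries are applied (result 2); with "break" only the first would be.
demo() {
    dir=$(mktemp -d)
    : > "$dir/a"
    : > "$dir/b"
    count=$(printf '%s\n' \
        "$dir/a 0600" \
        "$dir/missing 0600" \
        "$dir/a 0999" \
        "$dir/b 0640" | lockdown_entries 2>/dev/null)
    rm -rf "$dir"
    echo "$count"
}

demo
```

The count returned by `demo` is the observable difference: replacing the two `continue` statements with `break` stops the loop at the first missing file, and `$dir/b` never gets its mode applied.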
No strong opinion. Could be there.
Or maybe its own file would be better? Otherwise the existing AppArmor profile needs too many changes?
/usr/lib/security-misc/permission-lockdown currently works on folders inside /home.
The new script is more for files outside of /home.
I am not worried much since we can always refactor the code after testing it a bit.
/usr/lib/security-misc/permission-lockdown is currently only run by debian/security-misc.postinst but other hooks could call it too. (Such as a systemd unit file which runs it before sysinit.target.)