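#!/bin/bash
#
# Apply pending apt upgrades while the execguard service is stopped, then run
# "execguard --update" on every file the upgraded packages ship under
# /usr/bin, /bin and /usr/sbin.
#
# NOTE(review): this script only relies on "execguard --update PATH" being the
# way to refresh execguard's record for one path; confirm against the
# execguard documentation.
#
# The script ends with execguard still stopped and prints how to start it
# again. That also holds for the early-exit path below.

# Catch typos in variable names. "set -e" is deliberately not used: the steps
# below are best-effort and report their own failures.
set -u

# The collected paths become arguments to "sudo execguard --update". A fixed
# file name in the current directory, opened with ">>", would silently pick up
# whatever a previous aborted run (or anyone able to write to that directory)
# left in it, and those paths would then be refreshed as root. A private
# mktemp file (mode 0600, unpredictable name) avoids that.
list_file=$(mktemp) || {
  echo "Error: could not create a temporary file." >&2
  exit 1
}
trap 'rm -f -- "$list_file"' EXIT

sudo service execguard stop ||
  echo "Warning: could not stop the execguard service." >&2

sudo apt update ||
  echo "Warning: apt update failed; the list of upgradable packages may be stale." >&2

# Collect the files of every upgradable package. "tail -n +2" drops apt's
# "Listing..." header and "cut" keeps the package name in front of the "/".
# dpkg -L lists the files of the currently installed version, so a binary
# that first appears in the new version is not in this list.
apt list --upgradable 2>/dev/null |
  tail -n +2 |
  cut -d/ -f1 |
  while IFS= read -r pkg; do
    [[ -n "$pkg" ]] || continue
    dpkg -L "$pkg" |
      grep --color=never -E '^\.?/usr/bin|^\.?/bin|^\.?/usr/sbin' >>"$list_file"
  done

# Nothing collected: either no upgradable package ships files in the watched
# directories or the listing above failed. Stop before upgrading, so binaries
# are not replaced without their paths being known.
if [[ ! -s "$list_file" ]]; then
  echo "Error: no paths under /usr/bin, /bin or /usr/sbin were collected; nothing was upgraded." >&2
  echo "execguard is still stopped. Re-enable it: sudo service execguard start" >&2
  exit 1
fi

# A failed upgrade may still have replaced some binaries, so the refresh below
# runs anyway; review the apt output before starting execguard again.
sudo apt upgrade -y ||
  echo "Warning: apt upgrade reported errors; review its output before re-enabling execguard." >&2

# Read the list on fd 3 so that sudo/execguard keep the caller's stdin and
# cannot consume the remaining lines of the list.
while IFS= read -r line <&3; do
  # Trim leading and trailing whitespace.
  line="${line#"${line%%[![:space:]]*}"}"
  line="${line%"${line##*[![:space:]]}"}"

  # Skip empty lines and comments.
  [[ -z "$line" || "$line" == \#* ]] && continue

  # The grep pattern above also admits "./usr/bin/..."; drop the leading dot
  # so the path handed to execguard is always absolute and never resolved
  # against the current directory.
  [[ "$line" == ./* ]] && line="${line#.}"

  # Skip the base binary directories themselves.
  case "$line" in
    "/usr/bin" | "/usr/sbin" | "/bin") continue ;;
  esac

  echo "Updating: $line"
  sudo execguard --update "$line" ||
    echo "Warning: execguard --update failed for: $line" >&2
done 3<"$list_file"

echo "You may want to run, for a while: sudo execguard --init"
echo "Then re-enable it: sudo service execguard start"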