# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2026 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Allow reading CPU and memory limits from cgroup hierarchy

  # Policy feature ABI this abstraction is written against.
  abi <abi/4.0>,

  # Every rule below grants read ("r") only; nothing here permits writing a
  # cgroup limit or moving a process between cgroups.
  # @{sys}, @{PROC}, @{uid}, @{pid} and @{int} are variables defined outside
  # this file (presumably in the shared tunables); verify their expansions
  # when auditing what these paths match.

  # List of controllers available at the cgroup root.
  @{sys}/fs/cgroup/cgroup.controllers r,

  # Memory limits (memory.high, memory.max) at each fixed level from
  # user.slice down to the per-user systemd service.
  # NOTE(review): there is no memory.* rule for session-@{int}.scope, although
  # cpu.max has one below; confirm the asymmetry is intentional.
        @{sys}/fs/cgroup/user.slice/memory.high r,
        @{sys}/fs/cgroup/user.slice/memory.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/memory.high r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/memory.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.high r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/memory.max r,
  # Below user@<uid>.service the path is open-ended ("**" matches any depth),
  # so these rules carry the "owner" qualifier: access is granted only when
  # the file is owned by the user the confined process runs as.
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/memory.high r,
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/memory.max r,

  # CPU bandwidth limit (cpu.max) at the same levels, plus the cgroup root and
  # the login session scope.
        @{sys}/fs/cgroup/cpu.max r,
        @{sys}/fs/cgroup/user.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/session-@{int}.scope/cpu.max r,
        @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/cpu.max r,
  # Open-ended subtree again, so restricted with "owner" as for memory.*.
  owner @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/**/cpu.max r,

  # cgroup membership of a process, needed to locate the limit files above.
  # NOTE(review): if @{pid} expands to any PID rather than only the caller's,
  # "owner" is the only thing limiting this to processes of the same user;
  # confirm against the tunable's definition.
  owner @{PROC}/@{pid}/cgroup r,

  # Optional site-local additions; skipped silently when the directory is
  # absent. Anything dropped there widens every profile using this
  # abstraction, so review it together with this file.
  include if exists <abstractions/cgroup-limits.d>

# vim:syntax=apparmor
