# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Binaries confined by this profile; also the target of the `@{exec_path} mrix` rule below.
@{exec_path} = @{bin}/udevadm @{lib}/systemd/systemd-udevd
# Prefix under which disconnected paths are reported (see
# `attach_disconnected.path=@{att}` in the profile flags below).
@{att} = /att/systemd-udevd/
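profile systemd-udevd /{{,usr/}bin/udevadm,{,usr/}lib{,exec,32,64}/systemd/systemd-udevd} flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
  include <abstractions/attached/base>
  include <abstractions/common/systemd>
  include <abstractions/attached/consoles>
  include <abstractions/attached/nameservice-strict>
  include <abstractions/perl>

  # NOTE(review): the profile carries the `complain` flag, so violations are
  # only logged and nothing below is enforced yet. The attachment on the
  # profile line is spelled out literally instead of reusing @{exec_path};
  # keep the two in sync when a binary is added or moved.

  # Broad capability set. Several of these (dac_override, sys_admin,
  # sys_module, sys_ptrace, sys_rawio) are close to root-equivalent; confirm
  # each one still shows up in audit logs before moving to enforce mode.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability mknod,
  capability net_admin,
  capability perfmon,
  capability sys_admin,
  capability sys_module,
  capability sys_ptrace,
  capability sys_rawio,
  capability sys_resource,

  # NOTE(review): no peer= restriction here, unlike the child profiles below
  # (peer=@{p_systemd}); presumably needed for the non-owner @{PROC}/@{pids}/
  # reads further down — narrow to a peer list if the logs allow it.
  ptrace read,

  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  unix bind type=dgram  addr=@@{udbus},
  unix bind type=stream addr=@@{udbus}/bus/udevadm/,

  @{exec_path} mrix,

  # Helpers executed inline under this profile (ix): they inherit every
  # capability and path rule granted above.
  @{sh_path}                               rix,
  @{coreutils_path}                        rix,
  @{bin}/logger                            rix,
  @{bin}/ls                                rix,
  @{bin}/mknod                             rix,
  @{bin}/nfsrahead                         rix,
  @{sbin}/partx                            rix,
  @{bin}/setfacl                           rix,
  @{bin}/sg_inq                            rix,
  @{bin}/systemd-run                        cx -> run,
  @{bin}/unshare                           rix,
  @{sbin}/ethtool                          rix,
  @{sbin}/kpartx                           rix,

  # Helpers with a dedicated profile (px) or a child profile (cx).
  # `pux` entries fall back to *unconfined* when no profile exists for the
  # target, so the wildcard ones (@{lib}/udev/*, @{lib}/crda/*,
  # @{lib}/pm-utils/power.d/*) let any unprofiled helper in those directories
  # run outside confinement. Prefer px once the helper has a profile.
  @{bin}/ddcutil                            px,
  @{bin}/input-remapper-control            pux,
  @{bin}/pktsetup                          pux,
  @{bin}/kmod                               cx -> kmod,
  @{bin}/nvidia-modprobe                    px -> child-modprobe-nvidia,
  @{bin}/set-wireless-regdom               pux,
  @{bin}/snap                               px,
  @{bin}/systemctl                          cx -> systemctl,
  @{bin}/vmmouse_detect                     pux,
  @{pager_path}                             px -> child-pager,
  @{sbin}/alsactl                           px,
  @{sbin}/dmsetup                           px,
  @{sbin}/issue-generator                   px,
  @{sbin}/kdump-config                      px,
  @{sbin}/lvm                               px,
  @{sbin}/multipath                         px,
  @{sbin}/sysctl                            px,
  @{sbin}/tlp                               px,
  @{sbin}/u-d-c-print-pci-ids               px,

  @{lib}/crda/*                             pux,
  @{lib}/gdm-runtime-config                 px,
  @{lib}/nfsrahead                          pux,
  @{lib}/open-iscsi/net-interface-handler   px,
  @{lib}/pm-utils/power.d/*                 pux,
  @{lib}/snapd/snap-device-helper           px,
  @{lib}/switcheroo-control-check-discrete-amdgpu  pux,
  @{lib}/systemd/systemd-*                  px,
  @{lib}/udev/*                             pux,
  /usr/share/hplip/config_usb_printer.py    pux,

  /etc/console-setup/*.sh                   pux,
  /etc/network/cloud-ifupdown-helper        pux,

  /etc/default/* r,
  /etc/machine-id r,
  /etc/nfs.conf rk,

  # udev rules and the hwdb; the .#hwdb.bin* entries are the temporary files
  # written while the hwdb is being regenerated.
  /etc/udev/{,**} r,
  /etc/udev/.#hwdb.bin{@{hex16},@{rand6}} rw,
  /etc/udev/hwdb.bin rw,

  /etc/modprobe.d/ r,
  /etc/modprobe.d/*.conf r,

  /etc/systemd/network/ r,
  /etc/systemd/network/@{int2}-*.link r,

  / r,
  /usr/ r,

  @{run}/credentials/systemd-udev-load-credentials.service/ r,
  @{run}/modprobe.d/ r,
  @{run}/systemd/network/ r,
  @{run}/systemd/network/*.link rw,
  @{run}/systemd/private rw,
  @{run}/systemd/seats/seat@{int} r,
  @{run}/systemd/sessions/{,*} r,
  @{run}/u-d-c-card@{int}-is-simpledrm w,

  @{att}@{run}/udev/control rw,

  @{run}/udev/ rw,
  @{run}/udev/** rwk,

  # Whole-tree write access to sysfs and /dev: this is the device manager, so
  # the breadth is expected, but it is also the largest grant in the profile.
  @{sys}/** rw,

  @{PROC}/@{pid}/mountinfo r,
  @{PROC}/@{pids}/cgroup r,
  @{PROC}/asound/cards r,
  @{PROC}/devices r,
  @{PROC}/driver/nvidia/gpus/ r,
  @{PROC}/driver/nvidia/gpus/*/information r,
  @{PROC}/driver/nvidia/params r,
  @{PROC}/pressure/* r,
  @{PROC}/sys/fs/nr_open r,
  @{PROC}/sys/vm/swappiness rw,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/loginuid r,
  owner @{PROC}/@{pid}/oom_score_adj rw,

  /dev/ rw,
  /dev/** rwk,

  # Child profile for @{bin}/kmod (cx -> kmod above): module loading only.
  profile kmod flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/app/kmod>

    capability sys_module,

    @{sh_path} rix,
    @{bin}/kmod ix,

    @{sys}/module/*/initstate r,
    @{sys}/module/compression r,

    include if exists <local/systemd-udevd_kmod>
  }

  # Child profile for @{bin}/systemctl (cx -> systemctl above); ptrace is
  # restricted to the systemd peer.
  profile systemctl flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/app/systemctl>

    capability net_admin,
    capability sys_ptrace,

    ptrace read peer=@{p_systemd},

    include if exists <local/systemd-udevd_systemctl>
  }

  # Child profile for @{bin}/systemd-run (cx -> run above): talks to the
  # system bus and systemd's private socket; ptrace restricted to systemd.
  profile run flags=(attach_disconnected,attach_disconnected.path=@{att},complain) {
    include <abstractions/attached/base>
    include <abstractions/bus-system>

    capability net_admin,
    capability sys_ptrace,

    ptrace read peer=@{p_systemd},

    unix bind type=stream addr=@@{udbus}/bus/systemd-run/,

    @{bin}/systemd-run  mr,
    @{sbin}/lvm r,

    @{att}@{run}/systemd/private rw,

    @{PROC}/@{pid}/stat r,

    include if exists <local/systemd-udevd_run>
  }

  include if exists <local/systemd-udevd>
}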

# vim:syntax=apparmor
