# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/bootctl
profile bootctl /{,usr/}{,s}bin/bootctl flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/disks-read>
  include <abstractions/common/systemd>

  capability mknod,
  capability net_admin,

  signal (send) peer=child-pager,

  ptrace (read) peer=unconfined,

  @{exec_path} mr,

  @{bin}/less  rPx -> child-pager,
  @{bin}/more  rPx -> child-pager,
  @{bin}/pager rPx -> child-pager,

  /{boot,efi}/ r,
  /{boot,efi}/EFI/{,**} r,
  /{boot,efi}/EFI/BOOT/.#BOOT*.EFI@{hex} rw,
  /{boot,efi}/EFI/BOOT/BOOTX64.EFI w,
  /{boot,efi}/EFI/systemd/.#systemd-boot*.efi@{hex} rw,
  /{boot,efi}/EFI/systemd/systemd-boot*.efi w,
  /{boot,efi}/loader/.#bootctlrandom-seed@{hex} rw,
  /{boot,efi}/loader/.#entries.srel* w,
  /{boot,efi}/loader/{,**} r,
  /{boot,efi}/loader/entries.srel w,
  /{boot,efi}/loader/random-seed w,

  /etc/machine-id r,
  /etc/machine-info r,

  @{run}/host/container-manager r,

  @{sys}/class/tpmrm/ r,

  @{sys}/devices/virtual/dmi/id/{board_vendor,bios_vendor} r,
  @{sys}/devices/virtual/dmi/id/{sys_vendor,product_version,product_name} r,

  @{sys}/firmware/dmi/entries/*/raw r,
  @{sys}/firmware/efi/efivars/ r,
  @{sys}/firmware/efi/efivars/AuditMode-@{uuid} r,
  @{sys}/firmware/efi/efivars/Boot@{hex}-@{uuid} r,
  @{sys}/firmware/efi/efivars/BootOrder-@{uuid} r,
  @{sys}/firmware/efi/efivars/DeployedMode-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderDevicePartUUID-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderEntries-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderEntrySelected-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFeatures-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFirmwareInfo-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderFirmwareType-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderImageIdentifier-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderInfo-@{uuid} r,
  @{sys}/firmware/efi/efivars/LoaderSystemToken-@{uuid} r,
  @{sys}/firmware/efi/efivars/OsIndications-@{uuid} r,
  @{sys}/firmware/efi/efivars/OsIndicationsSupported-@{uuid} r,
  @{sys}/firmware/efi/efivars/SecureBoot-@{uuid} r,
  @{sys}/firmware/efi/efivars/SetupMode-@{uuid} r,
  @{sys}/firmware/efi/fw_platform_size r,

       @{PROC}/sys/kernel/random/poolsize r,
 owner @{PROC}/@{pid}/cgroup r,

  # Inherit silencer
  deny network inet6 stream,
  deny network inet stream,

  include if exists <local/bootctl>
}