# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/cgrulesengd
profile cgrulesengd /{,usr/}{,s}bin/cgrulesengd flags=(complain) {
  include <abstractions/base>
  include <abstractions/nameservice-strict>

  # For creating Unix domain sockets/IPC sockets:
  #  socket(AF_NETLINK, SOCK_DGRAM, NETLINK_CONNECTOR) = 3
  #  ...
  #  bind(3, flags=(complain) {sa_family=AF_NETLINK, nl_pid=13284, nl_groups=0x000001}, 12) = -1 EPERM (Operation
  #   not permitted)
  capability net_admin,

  # To remove the following errors:
  #  readlink("/proc/12/exe", 0x7ffc9fa85cd0, 4096) = -1 EACCES (Permission denied)
  capability sys_ptrace,

  # To be able to read the /proc/ files of all processes in the system.
  capability dac_read_search,

  network netlink dgram,

  ptrace (read),

  @{exec_path} mr,

  @{sys}/fs/cgroup/**/tasks w,

        @{PROC}/ r,
        @{PROC}/@{pids}/cmdline r,
        @{PROC}/@{pids}/task/ r,
  owner @{PROC}/@{pid}/mounts r,
        @{PROC}/cgroups r,

  @{sys}/fs/cgroup/unified/cgroup.controllers r,

  owner @{run}/cgred.socket w,

  /etc/cgconfig.conf r,
  /etc/cgrules.conf r,
  /etc/cgconfig.d/ r,


  include if exists <local/cgrulesengd>
}
