# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/hw-probe
profile hw-probe /{,usr/}{,s}bin/hw-probe flags=(complain) {
  include <abstractions/base>
  include <abstractions/perl>

  capability sys_admin,

  network inet dgram,
  network inet6 dgram,

  @{exec_path} rm,
  @{bin}/perl r,

  @{sh_path}         rix,
  @{bin}/{,e}grep    rix,
  @{bin}/{m,g,}awk   rix,
  @{bin}/dd          rix,
  @{bin}/efibootmgr  rix,
  @{bin}/efivar      rix,
  @{bin}/md5sum      rix,
  @{bin}/pwd         rix,
  @{bin}/sleep       rix,
  @{bin}/tar         rix,
  @{bin}/uname       rix,

  @{bin}/lsb_release rPx -> lsb_release,
  @{bin}/dpkg        rPx -> child-dpkg,

  @{bin}/acpi        rPx,
  @{bin}/amixer      rPx,
  @{bin}/aplay       rPx,
  @{bin}/biosdecode  rPx,
  @{bin}/cpuid       rPx,
  @{bin}/cpupower    rPx,
  @{bin}/df          rPx,
  @{bin}/dkms        rPx,
  @{bin}/dmesg       rPx,
  @{bin}/dmidecode   rPx,
  @{bin}/edid-decode rPx,
  @{bin}/fdisk       rPx,
  @{bin}/glxgears    rPx,
  @{bin}/glxinfo     rPx,
  @{bin}/hciconfig   rPx,
  @{bin}/hdparm      rPx,
  @{bin}/hwinfo      rPx,
  @{bin}/i2cdetect   rPx,
  @{bin}/inxi        rPx,
  @{bin}/lsblk       rPx,
  @{bin}/lscpu       rPx,
  @{bin}/lspci       rPx,
  @{bin}/lsusb       rPx,
  @{bin}/memtester   rPx,
  @{bin}/rfkill      rPx,
  @{bin}/sensors     rPx,
  @{bin}/smartctl    rPx,
  @{bin}/upower      rPx,
  @{bin}/uptime      rPx,
  @{bin}/usb-devices rPx,
  @{bin}/xdpyinfo    rPx,
  @{bin}/xinput      rPx,
  @{bin}/xrandr      rPx,

  @{bin}/curl            rCx -> curl,
  @{bin}/ethtool         rCx -> netconfig,
  @{bin}/find            rCx -> find,
  @{bin}/ifconfig        rCx -> netconfig,
  @{bin}/iw              rCx -> netconfig,
  @{bin}/iwconfig        rCx -> netconfig,
  @{bin}/journalctl      rCx -> journalctl,
  @{bin}/killall         rCx -> killall,
  @{bin}/kmod            rCx -> kmod,
  @{bin}/systemctl       rCx -> systemctl,
  @{bin}/systemd-analyze rPx,
  @{bin}/udevadm         rCx -> udevadm,

  /usr/share/X11/xorg.conf.d/{,*.conf} r,

  /etc/modprobe.d/{,*.conf} r,
  /etc/X11/xorg.conf.d/{,*.conf} r,

  /var/log/Xorg.[0-9].log{,.old} r,

  owner /root/HW_PROBE/{,**} rw,

  owner /tmp/*/ rw,
  owner /tmp/*/cpu_perf rw,

  @{sys}/class/drm/ r,
  @{sys}/class/power_supply/ r,

  @{sys}/devices/virtual/dmi/id/* r,
  @{sys}/devices/@{pci}/drm/card@{int}/*/edid r,
  @{sys}/devices/**/power_supply/*/uevent r,

  @{sys}/firmware/efi/efivars/ r,
  @{sys}/firmware/efi/efivars/* r,

  @{PROC}/bus/input/devices r,
  @{PROC}/interrupts r,
  @{PROC}/ioports r,
  @{PROC}/scsi/scsi r,

  profile find flags=(complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    capability dac_read_search,

    @{bin}/find mr,

    /root/ r,

    /dev/{,**} r,

    include if exists <local/hw-probe_find>
  }

  profile journalctl flags=(complain) {
    include <abstractions/base>

    @{bin}/journalctl mr,

    /var/lib/dbus/machine-id r,
    /etc/machine-id r,

    @{run}/log/ rw,
    /{run,var}/log/journal/ rw,
    /{run,var}/log/journal/@{hex32}/ rw,
    /{run,var}/log/journal/@{hex32}/user-@{hex}.journal* rw,
    /{run,var}/log/journal/@{hex32}/system.journal* rw,
    /{run,var}/log/journal/@{hex32}/system@@{hex}.journal* rw,

    owner @{PROC}/@{pid}/stat r,

    include if exists <local/hw-probe_journalctl>
  }

  profile killall flags=(complain) {
    include <abstractions/base>

    capability sys_ptrace,

    ptrace (read),

    signal (send) set=(int, term, kill),

    @{bin}/killall mr,

    # The /proc/ dir is needed to avoid the following error:
    #  /proc: Permission denied
    @{PROC}/ r,
    @{PROC}/@{pids}/stat r,

    include if exists <local/hw-probe_killall>
  }

  profile udevadm flags=(complain) {
    include <abstractions/base>
    include <abstractions/common/systemd>

    @{bin}/udevadm mr,

    /etc/udev/udev.conf r,

    @{sys}/bus/ r,
    @{sys}/bus/*/devices/ r,
    @{sys}/class/ r,
    @{sys}/class/*/ r,
    @{sys}/devices/**/uevent r,

    include if exists <local/hw-probe_udevadm>
  }

  profile kmod flags=(complain) {
    include <abstractions/base>

    @{bin}/kmod mr,

    @{sys}/module/*/ r,
    @{sys}/module/*/{coresize,refcnt} r,
    @{sys}/module/*/holders/ r,

    @{PROC}/cmdline r,
    @{PROC}/modules r,

    include if exists <local/hw-probe_kmod>
  }

  profile netconfig flags=(complain) {
    include <abstractions/base>

    # Not needed
    deny capability net_admin,
    deny capability net_raw,

    network inet dgram,
    network inet6 dgram,
    network ipx dgram,
    network ax25 dgram,
    network appletalk dgram,
    network netlink raw,

    @{bin}/iw       mr,
    @{bin}/ifconfig mr,
    @{bin}/iwconfig mr,
    @{bin}/ethtool  mr,

    owner @{PROC}/@{pid}/net/if_inet6 r,
    owner @{PROC}/@{pid}/net/dev r,

    include if exists <local/hw-probe_netconfig>
  }

  profile systemctl flags=(complain) {
    include <abstractions/base>
    include <abstractions/app/systemctl>
  
    include if exists <local/hw-probe_systemctl>
  }

  include if exists <local/hw-probe>
}
