# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/hwinfo
profile hwinfo /{,usr/}{,s}bin/hwinfo flags=(complain) {
  include <abstractions/base>
  include <abstractions/disks-read>

  # Without the sys_admin CAP, some information, for instance the reserved I/O port address range
  # in the /proc/ioports, will be hidden.
  capability sys_admin,

  # For the kernel log entries to be shown in the output
  capability syslog,

  # To remove the following errors:
  #  eth0: socket failed: Operation not permitted
  capability net_raw,

  # Needed when passed disk related options (--block, --partition, --floppy)
  capability sys_rawio,

  network inet dgram,
  network inet6 dgram,
  network packet raw,

  @{exec_path} mr,

  @{sh_path}        rix,

  @{bin}/kmod       rCx -> kmod,
  @{bin}/udevadm    rCx -> udevadm,

  @{bin}/dmraid rPUx,

  @{PROC}/version r,
  @{PROC}/cmdline r,
  @{PROC}/dma r,
  @{PROC}/interrupts r,
  @{PROC}/modules r,
  @{PROC}/tty/driver/serial r,
  @{PROC}/ioports r,
  @{PROC}/bus/input/devices r,
  @{PROC}/partitions r,
  @{PROC}/driver/nvram r,
  @{PROC}/sys/dev/cdrom/info r,

  /dev/mem r,
  /dev/nvram r,
  /dev/psaux r,
  /dev/console rw,
  /dev/ttyS@{int} r,
  /dev/fb@{int} r,

  @{sys}/bus/{,**/} r,
  @{sys}/class/*/ r,
  @{sys}/devices/@{pci_bus}/** r,
  @{sys}/devices/**/input/**/dev r,
  @{sys}/devices/**/{modalias,uevent} r,
  @{sys}/devices/virtual/net/*/{type,carrier,address} r,
  @{sys}/firmware/dmi/tables/DMI r,
  @{sys}/firmware/dmi/tables/smbios_entry_point r,
  @{sys}/firmware/edd/{,**} r,

  /var/lib/hardware/udi/ r,

  # For a log file
  owner /tmp/hwinfo*.txt rw,


  profile kmod flags=(complain) {
    include <abstractions/base>

    @{bin}/kmod mr,

    /etc/modprobe.d/{,*.conf} r,

    @{PROC}/cmdline r,

    # file_inherit
    /dev/ttyS@{int} r,
    owner /tmp/hwinfo*.txt rw,
    @{sys}/devices/@{pci}/drm/card@{int}/ r,

  }

  profile udevadm flags=(complain) {
    include <abstractions/base>

    @{bin}/udevadm mr,

    /etc/udev/udev.conf r,

    owner @{PROC}/@{pid}/stat r,
          @{PROC}/cmdline r,
          @{PROC}/1/sched r,
          @{PROC}/1/environ r,
          @{PROC}/sys/kernel/osrelease r,

    @{sys}/** r,
    @{run}/udev/data/* r,

    # file_inherit
    owner /tmp/hwinfo*.txt rw,

  }

  include if exists <local/hwinfo>
}
