# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe}
profile kmod /{,usr/}{,s}bin/{kmod,lsmod,depmod,insmod,rmmod,modinfo,modprobe}  flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/consoles>
  include <abstractions/nameservice-strict>

  capability dac_read_search,
  capability dac_override,
  capability mknod,
  capability net_admin,
  capability sys_module,
  capability syslog,

  network inet raw,

  @{exec_path} mrix,

  @{sh_path}         rix,
  @{bin}/basename    rix,
  @{bin}/false       rix,
  @{bin}/id          rix,
  @{bin}/sysctl      rPx,
  @{bin}/true        rix,

  @{lib}/modprobe.d/{,*.conf} r,
  @{lib}/modules/*/modules.* rw,

  /etc/depmod.d/{,**} r,
  /etc/modprobe.d/{,*.conf} r,

  /tmp/**/*.ko{,.zst} r,
  /usr/src/*/*.ko r,
  /var/lib/dkms/**/module/*.ko r,
  /var/lib/dpkg/triggers/* r,
  /var/lib/ebtables/lock r,

  owner /var/tmp/*modules*/{,**} rw,
  owner /var/tmp/dracut.*/{,**} rw,

  owner /boot/System.map-* r,
  owner /tmp/mkinitcpio.*/{,**} rw,

  # For local kernel build
  owner /tmp/depmod.*/lib/modules/*/ r,
  owner /tmp/depmod.*/lib/modules/*/modules.* rw,
  owner @{user_build_dirs}/**/System.map r,
  owner @{user_build_dirs}/**/lib/modules/*/ r,
  owner @{user_build_dirs}/**/lib/modules/*/modules.* rw,
  owner @{user_build_dirs}/**/lib/modules/*/kernel/{,**/} r,
  owner @{user_build_dirs}/**/lib/modules/*/kernel/**/*.ko r,

        @{run}/xtables.lock r,
  owner @{run}/tmpfiles.d/ w,
  owner @{run}/tmpfiles.d/static-nodes.conf w,

  @{sys}/module/{,**} r,

  @{PROC}/cmdline r,
  @{PROC}/modules r,

  /dev/tty@{int} rw,

  deny @{user_share_dirs}/gvfs-metadata/* r,
  deny unix (receive) type=stream,

  include if exists <local/kmod>
}
