# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2022 Mikhail Morfikov
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# Copyright (C) 2022 Jeroen Rijken
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/mkinitramfs
profile mkinitramfs /{,usr/}{,s}bin/mkinitramfs flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>

  capability syslog,
  capability chown,
  capability fowner,
  capability fsetid,

  @{exec_path} r,
  @{sh_path}        rix,

  @{bin}/       r,
  @{lib}/           r,
  @{lib}64/         r,

  @{bin}/{,e}grep   rix,
  @{bin}/basename   rix,
  @{bin}/bzip2      rix,
  @{bin}/cat        rix,
  @{bin}/chmod      rix,
  @{bin}/cp         rix,
  @{bin}/cpio       rix,
  @{bin}/dirname    rix,
  @{bin}/env        rix,
  @{bin}/getopt     rix,
  @{bin}/gzip       rix,
  @{bin}/id         rix,
  @{bin}/ln         rix,
  @{bin}/lzma       rix,
  @{bin}/lzop       rix,
  @{bin}/mkdir      rix,
  @{bin}/mktemp     rix,
  @{bin}/readlink   rix,
  @{bin}/rm         rix,
  @{bin}/rmdir      rix,
  @{bin}/sed        rix,
  @{bin}/sort       rix,
  @{bin}/touch      rix,
  @{bin}/tr         rix,
  @{bin}/tsort      rix,
  @{bin}/xargs      rix,
  @{bin}/xz         rix,
  @{bin}/zstd       rix,
  @{lib}/dracut/dracut-install rix,

  @{bin}/find                 rCx -> find,
  @{bin}/kmod                 rCx -> kmod,
  @{bin}/ldconfig             rCx -> ldconfig,
  @{bin}/ldd                  rCx -> ldd,
  @{lib}/ld-linux.so.2        rCx -> ldd,

  @{bin}/dpkg          rPx -> child-dpkg,
  @{bin}/linux-version rPx,

  # What to do with it? (#FIXME#)
  /usr/share/initramfs-tools/hooks/*     rPUx,
  /usr/share/initramfs-tools/scripts/*/* rPUx,
  /etc/initramfs-tools/hooks/*           rPUx,
  /etc/initramfs-tools/scripts/*/*       rPUx,

  /usr/share/initramfs-tools/{,**} r,
  /etc/initramfs-tools/{,**} r,

  # For shell pwd
  / r,
  /etc/ r,
  /root/ r,

  /etc/modprobe.d/{,*.conf} r,

        /boot/ r,
  owner /boot/initrd.img-*.new rw,
  owner /boot/config-* r,

        /var/tmp/ r,
  owner /var/tmp/mkinitramfs_*/ rw,
  owner /var/tmp/mkinitramfs_*/** rwl -> /var/tmp/mkinitramfs_*/**,
        /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.{order,builtin} rw,
  owner /var/tmp/mkinitramfs-* rw,

  owner @{PROC}/@{pid}/fd/ r,
        @{PROC}/cmdline r,
        @{PROC}/modules r,

  profile ldd flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>

    @{bin}/ldd mr,

    @{sh_path}        rix,
    @{bin}/kmod mr,
    @{lib}/initramfs-tools/bin/* mr,

    @{lib}/@{multiarch}/ld-*.so*  rix,
    @{lib}/ld-*.so{,.2}           rix,

    include if exists <local/mkinitramfs_ldd>
  }

  profile ldconfig flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>

    capability sys_chroot,

    @{bin}/ldconfig  mr,

    @{sh_path}               rix,
    @{bin}/ldconfig.real     rix,

    owner /var/tmp/mkinitramfs_*/etc/ld.so.conf r,
    owner /var/tmp/mkinitramfs_*/etc/ld.so.conf.d/{,*.conf} r,

    owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/ r,
    owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/ r,
    owner /var/tmp/mkinitramfs_*/{usr/,}lib/@{multiarch}/*.so* rw,
    owner /var/tmp/mkinitramfs_*/{usr/,}lib{,32,x32}/*.so* rw,

    owner /var/tmp/mkinitramfs_*/etc/ld.so.cache{,~} rw,

    owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/ rw,
    owner /var/tmp/mkinitramfs_*/var/cache/ldconfig/aux-cache{,~} rw,

    include if exists <local/mkinitramfs_ldconfig>
  }

  profile find flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>

    @{bin}/find mr,

    # pwd dir
    / r,
    /etc/ r,
    /root/ r,

    /usr/share/initramfs-tools/scripts/{,**/} r,
    /etc/initramfs-tools/scripts/{,**/} r,

    owner /var/tmp/mkinitramfs_*/{,**/} r,

    include if exists <local/mkinitramfs_find>
  }

  profile kmod flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>

    @{bin}/kmod mr,

    @{PROC}/cmdline r,

    /etc/depmod.d/ r,
    /etc/depmod.d/*.conf r,
    /etc/modprobe.d/ r,
    /etc/modprobe.d/*.conf r,

    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/ r,
    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/modules.* rw,
    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/updates/{,**} r,
    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/{,**/} r,
    owner /var/tmp/mkinitramfs_*/usr/lib/modules/*/kernel/**/*.ko r,

    include if exists <local/mkinitramfs_kmod>
  }

  include if exists <local/mkinitramfs>
}
