# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{lib}/packagekitd
# PackageKit system daemon (the privileged back end that installs, updates and
# removes packages on behalf of unprivileged front ends).
#
# NOTE: the profile is loaded with `complain`: policy violations are logged but
# not denied, so nothing in this file is enforced until that flag is dropped.
# `attach_disconnected` lets the daemon keep working on files whose path is no
# longer attached to the namespace root (e.g. inside a chroot).
profile packagekitd /{,usr/}lib{,exec,32,64}/packagekitd  flags=(attach_disconnected,complain) {
  include <abstractions/base>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.login1>
  include <abstractions/bus/org.freedesktop.NetworkManager>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>
  include if exists <abstractions/common/apt>

  # Capabilities. chown/fowner/dac_* and mknod cover installing files as root
  # regardless of their ownership; setuid/setgid, sys_chroot, kill and
  # sys_nice are presumably for running packaging helpers and maintainer
  # scripts with adjusted identity/priority and for stopping them — confirm
  # each one against the audit log before moving to enforce mode.
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability kill,
  capability mknod,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_chroot,
  capability sys_nice,

  # TCP/UDP over IPv4 and IPv6 (package downloads, name resolution) plus a
  # raw netlink socket; net_admin above together with netlink suggests
  # network-state queries — confirm which netlink family is actually used.
  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  # May interrupt apt method helpers running under the apt-methods-* profiles.
  signal send set=int peer=apt-methods-*,

  # Owns the PackageKit well-known bus name. The receive rules accept calls
  # from any unique bus name (":1.N") with no `label=` restriction, so any
  # system-bus client may talk to the PackageKit interfaces; authorization of
  # those callers is expected to come from polkit (abstraction included
  # above), not from this profile.
  dbus bind bus=system name=org.freedesktop.PackageKit{,.*},
  dbus receive bus=system path=/org/freedesktop/PackageKit{,/**}
       interface=org.freedesktop.PackageKit{,.*}
       peer=(name=":1.@{int}"),
  dbus receive bus=system path=/org/freedesktop/PackageKit{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name=":1.@{int}"),
  dbus receive bus=system path=/org/freedesktop/PackageKit{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name=":1.@{int}"),
  # Replies and signals back to clients (or to the bus daemon itself).
  dbus send bus=system path=/org/freedesktop/PackageKit{,/**}
       interface=org.freedesktop.PackageKit{,.*}
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=system path=/org/freedesktop/PackageKit{,/**}
       interface=org.freedesktop.DBus.Properties
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus send bus=system path=/org/freedesktop/PackageKit{,/**}
       interface=org.freedesktop.DBus.ObjectManager
       peer=(name="{:1.@{int},org.freedesktop.DBus}"),
  dbus receive bus=system path=/org/freedesktop/PackageKit{,/**}
       interface=org.freedesktop.DBus.Introspectable
       member=Introspect
       peer=(name=":1.@{int}"),

  # Ask the bus daemon (pinned to the dbus-system label) which uid/pid is
  # behind a caller's bus name — the basis for per-caller decisions.
  dbus send bus=system path=/org/freedesktop/DBus
       interface=org.freedesktop.DBus
       member={GetConnectionUnixUser,GetConnectionUnixProcessID}
       peer=(name=org.freedesktop.DBus, label=dbus-system),

  # Map and read its own executable.
  @{exec_path} mr,

  # Signature handling runs in the `gpg` child profile defined below (Cx),
  # so the broad filesystem rules of this profile do not apply to it.
  @{bin}/gpg{,2}  rCx -> gpg,
  @{bin}/gpgconf  rCx -> gpg,
  @{bin}/gpgsm    rCx -> gpg,

  # Helpers that inherit this profile (ix): they run with the same (wide)
  # permissions as the daemon itself.
  @{sh_path}            rix,
  @{bin}/cp             rix,
  @{bin}/echo           rix,
  @{bin}/gdbus          rix,
  @{bin}/gzip           rix,
  @{bin}/ischroot       rix,
  @{bin}/ldconfig       rix,
  @{bin}/repo2solv      rix,
  @{bin}/tar            rix,
  @{bin}/test           rix,
  @{bin}/touch          rix,

  # Post-install hooks that transition to their own profiles (Px). The PUx
  # entries fall back to unconfined when no profile for the target exists.
  @{bin}/appstreamcli                rPx,


  @{bin}/fc-cache                    rPx,
  @{bin}/glib-compile-schemas        rPx,
  @{bin}/install-info                rPx,
  @{bin}/rpmdb2solv                 rPUx, #aa:only opensuse
  @{bin}/systemd-inhibit             rPx,
  @{bin}/update-desktop-database     rPx,

  @{lib}/cnf-update-db               rPx,
  @{lib}/update-notifier/update-motd-updates-available  rPx,
  @{lib}/zypp/plugins/appdata/InstallAppdata rPUx, # TODO: write the profile
  /usr/share/libalpm/scripts/*       rPx,

  # Install/update packages
  # These rules grant read/write (and link, with the target restricted to the
  # same tree) over everything under /boot, /etc, /opt, /srv, /usr and /var,
  # plus creation/removal of top-level entries in /. Paths not listed here
  # (for example user home directories) are not covered, which is where the
  # real confinement of this profile lies.
  / r,
  /*{,/} rw,
  /boot/** rwl -> /boot/**,
  /etc/** rwl -> /etc/**,
  /opt/** rwl -> /opt/**,
  /srv/** rwl -> /srv/**,
  /usr/** rwlk -> /usr/**,
  /var/** rwlk -> /var/**,

  # Scratch directories for changelog fetching and for the alpm/packagekit
  # back ends. NOTE(review): the first two rules are not `owner`-restricted
  # while the .apt-acquire-privs-test rule in the same directory is — confirm
  # whether that asymmetry is intended.
        /tmp/apt-changelog-@{rand6}/ w,
        /tmp/apt-changelog-@{rand6}/*.changelog rw,
  owner /tmp/alpm_*/{,**} rw,
  owner /tmp/apt-changelog-@{rand6}/.apt-acquire-privs-test.@{rand6} rw,
  owner /tmp/packagekit* rw,

  # systemd inhibitor lock files (see systemd-inhibit above) and the
  # per-user session state of the caller.
        @{run}/systemd/inhibit/*.ref rw,
  owner @{run}/systemd/users/@{uid} r,

  #aa:only opensuse
        @{run}/zypp.pid rwk,
  owner @{run}/zypp-rpm.pid rwk,
  owner @{run}/zypp/packages/ r,

  # Shared-memory scratch area — presumably created by the daemon itself
  # (owner-restricted); confirm which component uses the AP_0x prefix.
  owner /dev/shm/AP_0x@{rand6}/{,**} rw,
  owner /dev/shm/ r,

  # Directory listing anywhere in sysfs, and device modalias strings
  # (hardware-driven package suggestions).
  @{sys}/**/ r,
  @{sys}/devices/**/modalias r,

  # Cgroup/mount information of arbitrary processes (not owner-restricted),
  # a random uuid, the command line of the daemon's own pid, and its own
  # fd table and mounts.
        @{PROC}/@{pids}/cgroup r,
        @{PROC}/@{pids}/mountinfo r,
        @{PROC}/sys/kernel/random/uuid r,
        @{PROC}/@{pid}/cmdline r,
  owner @{PROC}/@{pid}/fd/ r,
  owner @{PROC}/@{pid}/mounts r,

  /dev/tty rw,

  # Child profile for the gpg helpers exec'd above. It deliberately carries
  # none of the parent's broad write rules: gpg only needs its configuration,
  # the agent/smartcard helpers, and the keyring directories below.
  # Also in complain mode (see the parent profile).
  profile gpg flags=(attach_disconnected,complain) {
    include <abstractions/base>
    include <abstractions/nameservice-strict>

    capability dac_read_search,

    @{bin}/gpg{,2}  mr,
    @{bin}/gpgconf  mr,
    @{bin}/gpgsm    mr,

    @{bin}/gpg-agent rix,
    @{bin}/scdaemon  rix,
    @{lib}/{,gnupg/}scdaemon rix,

    # libgcrypt hardware-feature deny list.
    /etc/gcrypt/hwf.deny r,

    @{HOME}/@{XDG_GPG_DIR}/*.conf r,

    #aa:only opensuse
    # zypper's temporary keyrings; links may only point into the
    # zypp-trusted-* keyring of the same tree.
    owner /var/tmp/zypp.*/*/ r,
    owner /var/tmp/zypp.*/*/** rwkl -> /var/tmp/zypp.*/zypp-trusted-*/**,

    # Per-user gnupg runtime directory (agent sockets).
    # NOTE(review): the second rule names the directory itself, not its
    # contents, so it duplicates the `r` of the rule above; the zypp rules
    # just above use `**` for the recursive case — confirm whether
    # `gnupg/** rwkl -> ...` was intended here.
    owner @{run}/user/@{uid}/gnupg/ r,
    owner @{run}/user/@{uid}/gnupg/ rwkl -> @{run}/user/@{uid}/gnupg/**,

    # Own fd table and thread names (gpg renames its threads).
    owner @{PROC}/@{pid}/fd/ r,
    owner @{PROC}/@{pid}/task/@{tid}/comm rw,

    include if exists <local/packagekitd_gpg>
  }

  include if exists <local/packagekitd>
}
