# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

# Search roots for snapd's helper binaries and libraries: the distro paths
# plus the copies shipped inside the snapd/core snap (the second alternative,
# /snap/{snapd,core}/<revision>/...; presumably used when snapd re-execs into
# the snap's own copy — confirm against the deployed snapd).
# NOTE(review): the first alternative keeps a trailing "/", so a rule such as
# @{lib_dirs}/snapd/snapd expands to "...lib{,exec,32,64}//snapd/snapd" (see
# the profile attachment below). This relies on the parser collapsing repeated
# slashes — verify, or drop the trailing "/" so both alternatives are shaped alike.
@{bin_dirs} = @{bin}/ /snap/{snapd,core}/@{int}@{bin}
@{lib_dirs} = @{lib}/ /snap/{snapd,core}/@{int}@{lib}

# Main executable; the profile attachment below is this variable fully expanded.
@{exec_path} = @{lib_dirs}/snapd/snapd
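# snapd daemon: the snap package manager service (runs as root).
# The attachment is @{exec_path} expanded: the distro install and the copy
# inside the snapd/core snap.
# NOTE: flags=(complain) — violations are logged but never denied, so a rule
# that silently fails to match (wrong path, missing transition target) is not
# noticed until the profile is switched to enforce. Review the audit log
# before doing so.
profile snapd /{{,usr/}lib{,exec,32,64}//snapd/snapd,snap/{snapd,core}/[0-9]{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}{[0-9],}/{,usr/}lib{,exec,32,64}/snapd/snapd} flags=(complain) {
  include <abstractions/base>
  include <abstractions/authentication>
  include <abstractions/bus-system>
  include <abstractions/bus/org.freedesktop.PolicyKit1>
  include <abstractions/bus/org.freedesktop.timedate1>
  include <abstractions/disks-write>
  include <abstractions/fontconfig-cache-write>
  include <abstractions/fonts>
  include <abstractions/nameservice-strict>
  include <abstractions/ssl_certs>

  # Highly privileged set: sys_admin (mount/umount of snap images below),
  # sys_ptrace (ptrace rules below), dac_override/dac_read_search/chown/
  # fowner/fsetid and setuid/setgid (file ownership and user/group management
  # via the helpers under @{bin}). Each one widens the blast radius of a
  # compromised snapd; re-check them against the deployed snapd version.
  capability audit_write,
  capability chown,
  capability dac_override,
  capability dac_read_search,
  capability fowner,
  capability fsetid,
  capability net_admin,
  capability setgid,
  capability setuid,
  capability sys_admin,
  capability sys_ptrace,
  capability sys_resource,

  network inet stream,
  network inet6 stream,
  network inet dgram,
  network inet6 dgram,
  network netlink raw,

  # Loop-mounting a squashfs image for the self-check, and unmounting snaps.
  mount fstype=squashfs /dev/loop@{int} -> /tmp/syscheck-mountpoint-@{int}/,
  umount /tmp/syscheck-mountpoint-@{int}/,
  umount /snap/*/*/,

  ptrace (read) peer=snap,
  ptrace (read) peer=@{systemd},

  # Abstract socket created by systemctl (run with rix below, so it shares this label).
  unix (bind) type=stream addr=@@{hex}/bus/systemctl/,

  # Scheduled reboot/wall message through logind. The Manager object lives at
  # /org/freedesktop/login1 (same shape as the timedate1 rule below); a bare
  # /org/freedesktop/ path would never match the real call.
  dbus send bus=system path=/org/freedesktop/login1
         interface=org.freedesktop.login1.Manager
         member={SetWallMessage,ScheduleShutdown}
         peer=(name=org.freedesktop.login1, label=systemd-logind),

  dbus send bus=system path=/org/freedesktop/timedate1
       interface=org.freedesktop.DBus.Properties
       member=Get
       peer=(name=org.freedesktop.timedate1, label="{systemd-timedated,@{systemd}}"),

  @{exec_path} mrix,

  # Exec transitions. Px: run under the target's own profile; ix: inherit this
  # profile (the child keeps snapd's capabilities and file access); Cx: the
  # runuser child profile at the bottom of this file.
  @{bin}/adduser                  rPx,
  @{bin}/groupadd                 rPx,
  @{bin}/hostnamectl              rPx,
  @{bin}/ssh-keygen               rPx,
  @{bin}/useradd                  rPx,

  @{sh_path}                      rix,
  @{bin}/apparmor_parser          rPx,
  @{bin}/cp                       rix,
  @{bin}/gzip                     rix,
  @{bin}/journalctl               rPx,
  @{bin}/kmod                     rPx,
  @{bin}/mount                    rix,
  @{bin}/runuser                  rCx -> runuser,
  @{bin}/sync                     rix,
  @{bin}/systemctl                rix,
  @{bin}/systemd-detect-virt      rPx,
  @{bin}/tar                      rix,
  @{bin}/udevadm                  rPx,
  @{bin}/umount                   rix,
  @{bin}/unsquashfs               rix,
  @{bin}/update-desktop-database  rPx,

  # PUx: profile transition with unconfined fallback — if no profile is
  # attached to the snap binary, it runs unconfined.
  # NOTE(review): the Px entries for the helpers shipped inside snapd
  # (@{lib_dirs}/snapd/*) require a profile whose attachment covers that
  # exact path; if only the @{bin} copy is attached, the exec is denied once
  # this profile is enforced — confirm.
  @{bin_dirs}/fc-cache-*             mr,
  @{bin_dirs}/snap                   rPUx,
  @{bin_dirs}/xdelta3                rix,
  @{lib_dirs}/@{multiarch}/**        mr,
  @{lib_dirs}/@{multiarch}/ld-*.so   rix,
  @{lib_dirs}/snapd/apparmor_parser  rPx,
  @{lib_dirs}/snapd/snap-discard-ns  rPx,
  @{lib_dirs}/snapd/snap-seccomp     rPx,
  @{lib_dirs}/snapd/snap-update-ns   rPx,

  /usr/share/bash-completion/{,**} r,
  /usr/share/dbus-1/{system,session}.d/{,snapd*} r,
  /usr/share/dbus-1/services/*snap* r,
  /usr/share/polkit-1/actions/{,**/} r,

  # Integration files snapd generates for snaps (only snap-named entries are writable).
  /etc/apparmor.d/*snapd.snap* r,
  /etc/dbus-1/system.d/{,**/} r,
  /etc/environment r,
  /etc/fstab r,
  /etc/mime.types r,
  /etc/modprobe.d/{,**/} r,
  /etc/modules-load.d/{,**/} r,
  /etc/modules-load.d/*snap* rw,
  /etc/systemd/system/{,**/} r,
  /etc/systemd/system/snap* rw,
  /etc/systemd/user/{,**/} r,
  /etc/systemd/user/**/*snap* rw,
  /etc/systemd/user/*snap* rw,
  /etc/udev/rules.d/{,*snap*} rw,

  # Trees owned wholesale by snapd.
  /snap/{,**} rw,
  /var/cache/snapd/{,**} rwlk,
  /var/lib/snapd/{,**} rwlk,
  /var/snap/{,**} rw,

  /var/cache/apparmor/{,*/} r,
  /var/cache/apparmor/*/snap* rw,

  /tmp/ r,
  /tmp/syscheck-mountpoint-@{int}/{,**} rw,
  /tmp/syscheck-squashfs-@{int} rw,
  /tmp/read-file@{int}/{,**} rw,

  /boot/ r,
  /boot/grub/grubenv r,

  # Per-user snap data; not owner-restricted since snapd runs as root.
  / r,
  /home/ r,
  @{HOME}/ r,
  @{HOME}/snap/{,**} rw,
  @{HOME}/.snap*/{,**} rw,

  owner @{run}/mount/ rw,
  owner @{run}/mount/utab{,.*} rw,
  owner @{run}/mount/utab.lock wk,

  @{run}/user/ r,
  @{run}/user/@{uid}/ r,
  @{run}/user/@{uid}/snapd-session-agent.socket rw,
  @{run}/user/snap.*/{,**} rw,

  @{run}/snapd*.socket rw,
  @{run}/snapd/{,**} rw,
  @{run}/snapd/lock/*.lock rwk,
  @{run}/systemd/notify rw,
  @{run}/systemd/private rw,

  @{sys}/fs/cgroup/{,*/} r,
  @{sys}/fs/cgroup/system.slice/{,**/} r,
  @{sys}/fs/cgroup/user.slice/ r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/{,**/} r,
  @{sys}/kernel/kexec_loaded r,
  @{sys}/kernel/mm/transparent_hugepage/hpage_pmd_size r,
  @{sys}/kernel/security/apparmor/features/ r,
  @{sys}/kernel/security/apparmor/profiles r,

  @{sys}/fs/cgroup/system.slice/snap*.service/cgroup.procs r,
  @{sys}/fs/cgroup/user.slice/user-@{uid}.slice/user@@{uid}.service/app.slice/snap*.service/cgroup.procs r,

  # cgroup/stat of any pid is readable (snapd inspects snap processes);
  # cmdline/mountinfo are limited to snapd's own processes.
  @{PROC}/@{pids}/cgroup r,
  @{PROC}/@{pids}/stat r,
  @{PROC}/cgroups r,
  @{PROC}/cmdline r,
  @{PROC}/sys/kernel/seccomp/actions_avail r,
  @{PROC}/version r,
  owner @{PROC}/@{pids}/cmdline r,
  owner @{PROC}/@{pids}/mountinfo r,

  /dev/loop-control rw,

  # Child profile for runuser (reached via the rCx rule above).
  # NOTE(review): it maps only runuser itself and grants no exec rule for
  # whatever runuser goes on to launch, so in enforce mode that exec would be
  # denied unless local/snapd_runuser adds the transitions — fill them in
  # from the complain-mode audit log before enforcing.
  profile runuser flags=(complain) {
    include <abstractions/base>

    @{bin}/runuser mr,

    include if exists <local/snapd_runuser>
  }

  include if exists <local/snapd>
}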