# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2019-2021 Mikhail Morfikov
# Copyright (C) 2021-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh}
profile spectre-meltdown-checker /{,usr/}{,local/}bin/spectre-meltdown-checker{,.sh} flags=(complain) {
  include <abstractions/base>
  include <abstractions/consoles>

  # Needed to read the /dev/cpu/@{int}/msr device
  capability sys_rawio,

  # Needed to read system logs
  capability syslog,

  # Used by readlink
  capability sys_ptrace,
  ptrace (read),

  @{exec_path} r,

  @{bin}/           r,
  @{bin}/{,@{multiarch}-}objdump rix,
  @{bin}/{,@{multiarch}-}readelf rix,
  @{bin}/{,@{multiarch}-}strings rix,
  @{sh_path}        rix,
  @{bin}/{,e}grep   rix,
  @{bin}/{,g,m}awk  rix,
  @{bin}/base64     rix,
  @{bin}/basename   rix,
  @{bin}/bunzip2    rix,
  @{bin}/cat        rix,
  @{bin}/ccache     rCx -> ccache,
  @{bin}/cut        rix,
  @{bin}/date       rix,
  @{bin}/dd         rix,
  @{bin}/dirname    rix,
  @{bin}/dmesg      rix,
  @{bin}/find       rix,
  @{bin}/gunzip     rix,
  @{bin}/gzip       rix,
  @{bin}/head       rix,
  @{bin}/id         rix,
  @{bin}/iucode_tool rix,
  @{bin}/kmod       rCx -> kmod,
  @{bin}/lzop       rix,
  @{bin}/mktemp     rix,
  @{bin}/mount      rix,
  @{bin}/nproc      rix,
  @{bin}/od         rix,
  @{bin}/perl       rix,
  @{bin}/pgrep      rCx -> pgrep,
  @{bin}/rdmsr      rix,
  @{bin}/readlink   rix,
  @{bin}/rm         rix,
  @{bin}/sed        rix,
  @{bin}/seq        rix,
  @{bin}/sort       rix,
  @{bin}/stat       rix,
  @{bin}/tail       rix,
  @{bin}/tr         rix,
  @{bin}/uname      rix,
  @{bin}/unzip      rix,
  @{bin}/xargs      rix,
  @{bin}/xz         rix,
  @{bin}/zstd       rix,

  # To fetch MCE.db from the MCExtractor project
  @{bin}/wget       rCx -> mcedb,
  @{bin}/sqlite3    rCx -> mcedb,
  owner /tmp/mcedb-* rw,
  owner /tmp/smc-* rw,
  owner /tmp/{,smc-}intelfw-*/ rw,
  owner /tmp/{,smc-}intelfw-*/fw.zip rw,
  owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/ rw,
  owner /tmp/{,smc-}intelfw-*/Intel-Linux-Processor-Microcode-Data-Files-{master,main}/** rw,

  owner @{HOME}/.mcedb rw,

        /tmp/ r,
  owner /tmp/{config,kernel}-* rw,

  owner /dev/cpu/@{int}/cpuid r,
  owner /dev/cpu/@{int}/msr rw,
  owner /dev/kmsg r,

  /boot/ r,
  /boot/{config,vmlinuz,System.map}-* r,

  @{sys}/devices/system/cpu/vulnerabilities/* r,
  @{sys}/module/kvm_intel/parameters/ept r,

  @{PROC}/ r,
  @{PROC}/config.gz r,
  @{PROC}/cmdline r,
  @{PROC}/kallsyms r,
  @{PROC}/modules r,

  # find and denoise
  @{PROC}/@{pids}/{status,exe} r,
  @{PROC}/@{pids}/fd/ r,
  @{PROC}/*/ r,

  /var/lib/dbus/machine-id r,
  /etc/machine-id r,

  # For shell pwd
  /root/ r,
  /etc/ r,

  profile ccache flags=(complain) {
    include <abstractions/base>

    @{bin}/ccache mr,

    @{lib}/llvm-[0-9]*/bin/clang      rix,
    @{bin}/{,@{multiarch}-}gcc-[0-9]* rix,
    @{bin}/{,@{multiarch}-}g++-[0-9]* rix,

    /media/ccache/*/** rw,

    /etc/debian_version r,

    include if exists <local/spectre-meltdown-checker_ccache>
  }

  profile pgrep flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>

    @{bin}/pgrep mr,

    # The /proc/ dir and the cmdline file have to be radable to avoid pgrep segfault.
         @{PROC}/ r,
         @{PROC}/@{pids}/cmdline r,
         @{PROC}/sys/kernel/osrelease r,
         @{PROC}/uptime r,

    include if exists <local/spectre-meltdown-checker_pgrep>
  }

  profile mcedb flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>
    include <abstractions/nameservice-strict>
    include <abstractions/ssl_certs>

    deny capability net_admin,

    network inet dgram,
    network inet6 dgram,
    network inet stream,
    network inet6 stream,
    network netlink raw,

    @{bin}/wget mr,
    @{bin}/sqlite3 mr,

    /etc/wgetrc r,
    owner @{HOME}/.wget-hsts rwk,
    owner @{HOME}/.mcedb rw,

          /tmp/ r,
    owner /tmp/{,smc-}mcedb-* rwk,
    owner /tmp/{,smc-}intelfw-*/fw.zip rw,

    /usr/share/publicsuffix/public_suffix_list.* r,

    include if exists <local/spectre-meltdown-checker_mcedb>
  }

  profile kmod flags=(complain) {
    include <abstractions/base>
    include <abstractions/consoles>

    capability sys_module,

    owner @{sys}/module/cpuid/** r,
    owner @{sys}/module/msr/** r,

    @{bin}/kmod mr,

    /etc/modprobe.d/ r,
    /etc/modprobe.d/*.conf r,

    @{PROC}/cmdline r,

    include if exists <local/spectre-meltdown-checker_kmod>
  }

  include if exists <local/spectre-meltdown-checker>
}
