# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2022-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

abi <abi/4.0>,

include <tunables/global>

@{exec_path} = @{bin}/wg-quick
profile wg-quick /{,usr/}{,s}bin/wg-quick flags=(complain) {
  include <abstractions/base>

  capability net_admin,

  network netlink raw,

  @{exec_path} mr,

  @{sh_path}                rix,
  @{bin}/cat                rix,
  @{bin}/ip                 rPx,
  @{bin}/nft                rix,
  @{bin}/readlink           rix,
  @{bin}/resolvectl         rPx,
  @{bin}/sort               rix,
  @{bin}/stat               rix,
  @{bin}/sysctl             rix,
  @{bin}/wg                 rPx,
  @{bin}/xtables-nft-multi  rix,

  /usr/share/terminfo/** r,

  /etc/iproute2/group  r,
  /etc/iproute2/rt_realms r,
  /etc/resolvconf/interface-order r,
  /etc/wireguard/*.conf r,

  @{sys}/module/wireguard r,

  @{PROC}/sys/net/ipv4/conf/all/src_valid_mark w,

  /dev/tty rw,

  # Force the use as root
  deny @{bin}/sudo x,

  include if exists <local/wg-quick>
}